diff options
Diffstat (limited to 'policy/modules/contrib/rpm.if')
-rw-r--r-- | policy/modules/contrib/rpm.if | 666 |
1 files changed, 0 insertions, 666 deletions
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if deleted file mode 100644 index 0628d50d..00000000 --- a/policy/modules/contrib/rpm.if +++ /dev/null @@ -1,666 +0,0 @@ -## <summary>Redhat package manager.</summary> - -######################################## -## <summary> -## Execute rpm in the rpm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpm_domtrans',` - gen_require(` - type rpm_t, rpm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpm_exec_t, rpm_t) -') - -######################################## -## <summary> -## Execute debuginfo install -## in the rpm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpm_debuginfo_domtrans',` - gen_require(` - type rpm_t, debuginfo_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, debuginfo_exec_t, rpm_t) -') - -######################################## -## <summary> -## Execute rpm scripts in the rpm script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`rpm_domtrans_script',` - gen_require(` - type rpm_script_t; - ') - - corecmd_shell_domtrans($1, rpm_script_t) - - allow rpm_script_t $1:fd use; - allow rpm_script_t $1:fifo_file rw_fifo_file_perms; - allow rpm_script_t $1:process sigchld; -') - -######################################## -## <summary> -## Execute rpm in the rpm domain, -## and allow the specified roles the -## rpm domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpm_run',` - gen_require(` - attribute_role rpm_roles; - ') - - rpm_domtrans($1) - roleattribute $2 rpm_roles; -') - -######################################## -## <summary> -## Execute the rpm in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_exec',` - gen_require(` - type rpm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rpm_exec_t) -') - -######################################## -## <summary> -## Send null signals to rpm. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_signull',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:process signull; -') - -######################################## -## <summary> -## Inherit and use file descriptors from rpm. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_use_fds',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fd use; -') - -######################################## -## <summary> -## Read rpm unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file read_fifo_file_perms; -') - -######################################## -## <summary> -## Read and write rpm unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_rw_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Send and receive messages from -## rpm over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - allow $1 rpm_t:dbus send_msg; - allow rpm_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Do not audit attempts to send and -## receive messages from rpm over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rpm_dontaudit_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - dontaudit $1 rpm_t:dbus send_msg; - dontaudit rpm_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Send and receive messages from -## rpm script over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_script_dbus_chat',` - gen_require(` - type rpm_script_t; - class dbus send_msg; - ') - - allow $1 rpm_script_t:dbus send_msg; - allow rpm_script_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Search rpm log directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_search_log',` - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - allow $1 rpm_log_t:dir search_dir_perms; -') - -##################################### -## <summary> -## Append rpm log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_append_log',` - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_log',` - gen_require(` - type rpm_log_t; - ') - - logging_rw_generic_log_dirs($1) - allow $1 rpm_log_t:file manage_file_perms; -') - -######################################## -## <summary> -## Inherit and use rpm script file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_use_script_fds',` - gen_require(` - type rpm_script_t; - ') - - allow $1 rpm_script_t:fd use; -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm script temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -##################################### -## <summary> -## Append rpm temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_append_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## <summary> -## Read rpm script temporary files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -######################################## -## <summary> -## Read rpm cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var($1) - allow $1 rpm_var_cache_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## <summary> -## Read rpm lib content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rpm_var_lib_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## <summary> -## Delete rpm lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_delete_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## rpm lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## <summary> -## Do not audit attempts to create, read, -## write, and delete rpm lib content. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`rpm_dontaudit_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; -') - -##################################### -## <summary> -## Read rpm pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_read_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - read_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -##################################### -## <summary> -## Create, read, write, and delete -## rpm pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_manage_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -###################################### -## <summary> -## Create files in pid directories -## with the rpm pid file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`rpm_pid_filetrans',` - refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.') - rpm_pid_filetrans_rpm_pid($1, file) -') - -######################################## -## <summary> -## Create specified objects in pid directories -## with the rpm pid file type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`rpm_pid_filetrans_rpm_pid',` - gen_require(` - type rpm_var_run_t; - ') - - files_pid_filetrans($1, rpm_var_run_t, $3, $4) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an rpm environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`rpm_admin',` - gen_require(` - type rpm_t, rpm_script_t, rpm_initrc_exec_t; - type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; - type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; - type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; - ') - - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) - - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpm_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, rpm_file_t) - - files_list_var($1) - admin_pattern($1, rpm_cache_t) - - files_list_tmp($1) - admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) - - files_list_var_lib($1) - admin_pattern($1, rpm_var_lib_t) - - files_search_locks($1) - admin_pattern($1, rpm_lock_t) - - logging_list_logs($1) - admin_pattern($1, rpm_log_t) - - files_list_pids($1) - admin_pattern($1, rpm_var_run_t) - - fs_search_tmpfs($1) - admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t } - - rpm_run($1, $2) -') |