author | John Turner <jturner.usa@gmail.com> | 2025-08-16 14:43:06 -0400 |
---|---|---|
committer | John Turner <jturner.usa@gmail.com> | 2025-08-16 14:43:06 -0400 |
commit | 58ffeaf9b49e662e49d24a2d71dcdc9fac2949f8 (patch) | |
tree | 84c645e32aac8eb468f41df33fbac7b0a8584887 /src/subj.cil | |
parent | cfd55472db08f37b2123c350ce76fb3d916d25f6 (diff) | |
download | selinux-policy-58ffeaf9b49e662e49d24a2d71dcdc9fac2949f8.tar.gz |
auto format all files
Diffstat (limited to 'src/subj.cil')
-rw-r--r-- | src/subj.cil | 292 |
1 files changed, 146 insertions, 146 deletions
diff --git a/src/subj.cil b/src/subj.cil
index fe4f788..60ddc04 100644
--- a/src/subj.cil
+++ b/src/subj.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 
 (classmap state (ps read))
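Review bot: The new SPDX-FileCopyrightText line carries the literal text `M-BM-)` where the removed line had `©`; that string is the `cat -v`-style escape of the UTF-8 bytes C2 A9 for the copyright sign, so the formatter pipeline appears to have passed the file through a tool that escapes non-ASCII bytes and written the escaped form back to disk. Since the old and new sides differ on exactly this token while everything else in the commit is indentation, the corruption is in the committed file, not merely in the page rendering, and it will likely confuse REUSE/SPDX tooling that parses this header. The line should be restored to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`, or use the ASCII form `(c) 2025` if the formatter cannot be made UTF-8-safe. Because the commit message says all files were auto-formatted, the same check is worth running across the other files in the commit for any non-ASCII characters.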
@@ -10,230 +10,230 @@ (block subj - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow typeattr not_typeattr (process (dyntransition transition))) - (neverallow typeattr not_typeattr - (process2 (nnp_transition nosuid_transition))) + (neverallow typeattr not_typeattr (process (dyntransition transition))) + (neverallow typeattr not_typeattr + (process2 (nnp_transition nosuid_transition))) - (dontaudit typeattr typeattr (process (noatsecure rlimitinh siginh))) + (dontaudit typeattr typeattr (process (noatsecure rlimitinh siginh))) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro getrlimit_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (getrlimit)))) + (macro getrlimit_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (getrlimit)))) - (macro getsched_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (getsched)))) + (macro getsched_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (getsched)))) - (macro nnptransition_all_processes ((type ARG1)) - (allow ARG1 typeattr (process2 (nnp_transition)))) + (macro nnptransition_all_processes ((type ARG1)) + (allow ARG1 typeattr (process2 (nnp_transition)))) - (macro noatsecure_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (noatsecure)))) + (macro noatsecure_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (noatsecure)))) - (macro nosuidtransition_all_processes ((type ARG1)) - (allow ARG1 typeattr (process2 (nosuid_transition)))) + (macro nosuidtransition_all_processes ((type ARG1)) + (allow ARG1 typeattr 
(process2 (nosuid_transition)))) - (macro ps_all_states ((type ARG1)) - (allow ARG1 typeattr (state (ps)))) + (macro ps_all_states ((type ARG1)) + (allow ARG1 typeattr (state (ps)))) - (macro ptrace_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (ptrace)))) + (macro ptrace_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (ptrace)))) - (macro read_all_states ((type ARG1)) - (allow ARG1 typeattr (state (read)))) + (macro read_all_states ((type ARG1)) + (allow ARG1 typeattr (state (read)))) - (macro readinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr readinherited_fifo_file)) + (macro readinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readinherited_fifo_file)) - (macro readwriteinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_fifo_file)) + (macro readwriteinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_fifo_file)) - (macro rlimitinh_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (rlimitinh)))) + (macro rlimitinh_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (rlimitinh)))) - (macro setrlimit_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (setrlimit)))) + (macro setrlimit_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (setrlimit)))) - (macro setsched_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (setsched)))) + (macro setsched_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (setsched)))) - (macro sigchld_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (sigchld)))) + (macro sigchld_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigchld)))) - (macro sigkill_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (sigkill)))) + (macro sigkill_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigkill)))) - (macro signal_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (signal)))) + (macro signal_all_processes ((type ARG1)) + 
(allow ARG1 typeattr (process (signal)))) - (macro signull_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (signull)))) + (macro signull_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (signull)))) - (macro sigstop_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (sigstop)))) + (macro sigstop_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigstop)))) - (macro transition_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (transition)))) + (macro transition_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (transition)))) - (macro writeinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr writeinherited_fifo_file))) + (macro writeinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_fifo_file))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (type subj) - (call .subj.type (subj))) + (type subj) + (call .subj.type (subj))) - (block entry + (block entry - (macro entrypoint_all_files ((type ARG1)) - (allow ARG1 typeattr (file (entrypoint)))) + (macro entrypoint_all_files ((type ARG1)) + (allow ARG1 typeattr (file (entrypoint)))) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_files) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow subj.typeattr not_typeattr (file (entrypoint)))) + (neverallow subj.typeattr not_typeattr (file (entrypoint)))) - (block execheap + (block execheap - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + 
(typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr self (process (execheap)))) + (neverallow not_typeattr self (process (execheap)))) - (block execstack + (block execstack - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr self (process (execstack)))) + (neverallow not_typeattr self (process (execstack)))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro getrlimit_subj_processes ((type ARG1)) - (allow ARG1 subj (process (getrlimit)))) + (macro getrlimit_subj_processes ((type ARG1)) + (allow ARG1 subj (process (getrlimit)))) - (macro getsched_subj_processes ((type ARG1)) - (allow ARG1 subj (process (getsched)))) + (macro getsched_subj_processes ((type ARG1)) + (allow ARG1 subj (process (getsched)))) - (macro nnptransition_subj_processes ((type ARG1)) - (allow ARG1 subj (process2 (nnp_transition)))) + (macro nnptransition_subj_processes ((type ARG1)) + (allow ARG1 subj (process2 (nnp_transition)))) - (macro noatsecure_subj_processes ((type ARG1)) - (allow ARG1 subj (process (noatsecure)))) + (macro noatsecure_subj_processes ((type ARG1)) + (allow ARG1 subj (process (noatsecure)))) - (macro nosuidtransition_subj_processes ((type ARG1)) - (allow ARG1 subj (process2 (nosuid_transition)))) + (macro nosuidtransition_subj_processes ((type ARG1)) + (allow ARG1 subj (process2 (nosuid_transition)))) - (macro ps_subj_states ((type ARG1)) - (allow ARG1 subj (state (ps)))) + (macro ps_subj_states ((type ARG1)) + (allow ARG1 subj (state (ps)))) - (macro 
ptrace_subj_processes ((type ARG1)) - (allow ARG1 subj (process (ptrace)))) + (macro ptrace_subj_processes ((type ARG1)) + (allow ARG1 subj (process (ptrace)))) - (macro read_subj_states ((type ARG1)) - (allow ARG1 subj (state (read)))) + (macro read_subj_states ((type ARG1)) + (allow ARG1 subj (state (read)))) - (macro readinherited_subj_fifo_files ((type ARG1)) - (allow ARG1 subj readinherited_fifo_file)) + (macro readinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj readinherited_fifo_file)) - (macro readwriteinherited_subj_fifo_files ((type ARG1)) - (allow ARG1 subj readwriteinherited_fifo_file)) + (macro readwriteinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj readwriteinherited_fifo_file)) - (macro rlimitinh_subj_processes ((type ARG1)) - (allow ARG1 subj (process (rlimitinh)))) + (macro rlimitinh_subj_processes ((type ARG1)) + (allow ARG1 subj (process (rlimitinh)))) - (macro setrlimit_subj_processes ((type ARG1)) - (allow ARG1 subj (process (setrlimit)))) + (macro setrlimit_subj_processes ((type ARG1)) + (allow ARG1 subj (process (setrlimit)))) - (macro setsched_subj_processes ((type ARG1)) - (allow ARG1 subj (process (setsched)))) + (macro setsched_subj_processes ((type ARG1)) + (allow ARG1 subj (process (setsched)))) - (macro sigchld_subj_processes ((type ARG1)) - (allow ARG1 subj (process (sigchld)))) + (macro sigchld_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigchld)))) - (macro sigkill_subj_processes ((type ARG1)) - (allow ARG1 subj (process (sigkill)))) + (macro sigkill_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigkill)))) - (macro signal_subj_processes ((type ARG1)) - (allow ARG1 subj (process (signal)))) + (macro signal_subj_processes ((type ARG1)) + (allow ARG1 subj (process (signal)))) - (macro signull_subj_processes ((type ARG1)) - (allow ARG1 subj (process (signull)))) + (macro signull_subj_processes ((type ARG1)) + (allow ARG1 subj (process (signull)))) - (macro sigstop_subj_processes ((type 
ARG1)) - (allow ARG1 subj (process (sigstop)))) + (macro sigstop_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigstop)))) - (macro transition_subj_processes ((type ARG1)) - (allow ARG1 subj (process (transition)))) + (macro transition_subj_processes ((type ARG1)) + (allow ARG1 subj (process (transition)))) - (macro writeinherited_subj_fifo_files ((type ARG1)) - (allow ARG1 subj writeinherited_fifo_file))) + (macro writeinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj writeinherited_fifo_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .subj.base_template) - (blockinherit .subj.macro_template)) + (blockinherit .subj.base_template) + (blockinherit .subj.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr subj.entry.typeattr (file (entrypoint))) + (allow typeattr subj.entry.typeattr (file (entrypoint))) - (allow typeattr subj.typeattr (process (all))) - ;; nosuid_transition should not be needed and indicates - ;; misconfiguration. when used properly it is worth blocking this - ;; access to prevent domain transitions on untrusted removeable - ;; storage. just be sure to always mount untrusted remote storage - ;; with nosuid, because otherwise this does not work. - (allow typeattr subj.typeattr (process2 (not nosuid_transition))) + (allow typeattr subj.typeattr (process (all))) + ;; nosuid_transition should not be needed and indicates + ;; misconfiguration. when used properly it is worth blocking this + ;; access to prevent domain transitions on untrusted removeable + ;; storage. just be sure to always mount untrusted remote storage + ;; with nosuid, because otherwise this does not work. 
+ (allow typeattr subj.typeattr (process2 (not nosuid_transition))) - (allow typeattr subj.typeattr (fifo_file (not (execmod map mounton)))) - (allow typeattr subj.typeattr list_dir) - (allow typeattr subj.typeattr mounton_file) - (allow typeattr subj.typeattr read_lnk_file) - (allow typeattr subj.typeattr readwrite_file) + (allow typeattr subj.typeattr (fifo_file (not (execmod map mounton)))) + (allow typeattr subj.typeattr list_dir) + (allow typeattr subj.typeattr mounton_file) + (allow typeattr subj.typeattr read_lnk_file) + (allow typeattr subj.typeattr readwrite_file) - (call execheap.type (typeattr)) - (call execstack.type (typeattr)))) + (call execheap.type (typeattr)) + (call execstack.type (typeattr)))) (in unconfined |