||SE Linux Moduleargus1.0--%netlink_audit_socket nlmsg_relay append bind connectcreatewrite relabelfromioctl name_bindnlmsg_readpriv nlmsg_writesendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen nlmsg_read tcp_socket append bind connectcreatewrite relabelfrom acceptfrom connecttoioctl name_bind node_bindnewconnsendtorecv_msgsend_msggetattrsetattracceptgetopt name_connectreadsetoptshutdownrecvfromlock relabelto listen msgq associatecreatewrite unix_readdestroygetattrsetattrread enqueue unix_writedirrmdir appendcreateexecutewrite relabelfrom link unlinkioctl remove_namegetattrsetattradd_namereparentread renamesearchlock relabeltomountonquotaonswapon blk_file appendcreateexecutewrite relabelfrom link unlinkioctlgetattrsetattrread renamelock relabeltomountonquotaonswapon chr_file appendcreateexecutewrite relabelfrom link unlinkioctl entrypointgetattrsetattrexecmodread renamelock relabeltoexecute_no_transmountonquotaonswapon ipc associatecreatewrite unix_readdestroygetattrsetattrread unix_write lnk_file appendcreateexecutewrite relabelfrom link unlinkioctlgetattrsetattrread renamelock relabeltomountonquotaonswaponprocessgetcapsetcapsigstopsigchldshareexecheap setcurrent setfscreate setkeycreatesiginh dyntransition transitionfork getsession noatsecuresigkillsignull setrlimitgetattr getschedsetexec setsched getpgid setpgidptrace execstack rlimitinh setsockcreatesignalexecmemfduse+packetflow_outsendrecv relabeltoflow_insocket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen fifo_file appendcreateexecutewrite relabelfrom link unlinkioctlgetattrsetattrread renamelock relabeltomountonquotaonswaponfile appendcreateexecutewrite relabelfrom link unlinkioctl entrypointgetattrsetattrexecmodread renamelock relabeltoexecute_no_transmountonquotaonswaponnode rawip_recvtcp_recvudp_recv rawip_sendtcp_sendudp_send enforce_dest"netlink_nflog_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listenpaxmprotectemutramprandmmappageexecrandexecsegmexec,keycreatewriteviewlinksetattrreadsearch!netlink_tcpdiag_socket append bind connectcreatewrite relabelfromioctl name_bind nlmsg_writesendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen nlmsg_readunix_stream_socket append bind connectcreatewrite relabelfrom acceptfrom connecttoioctl name_bindnewconnsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listennetlink_route_socket append bind connectcreatewrite relabelfromioctl name_bind nlmsg_writesendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen nlmsg_read shm associatecreatewrite unix_readdestroygetattrsetattrread lock unix_write$netlink_selinux_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen capability setpcapfownersys_bootsys_tty_confignet_raw sys_admin sys_chroot sys_module sys_rawio dac_override ipc_ownerkilldac_read_search sys_pacct net_broadcast net_bind_servicesys_nicesys_timefsetidmknodsetgidsetuidlease net_admin audit_write linux_immutable sys_ptrace audit_controlipc_lock sys_resourcechown&netlink_ip6fw_socket append bind connectcreatewrite relabelfromioctl name_bind nlmsg_writesendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen nlmsg_read netlink_firewall_socket append bind connectcreatewrite relabelfromioctl name_bind nlmsg_writesendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen nlmsg_read sock_file appendcreateexecutewrite relabelfrom link unlinkioctlgetattrsetattrread renamelock relabeltomountonquotaonswaponunix_dgram_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen)netlink_kobject_uevent_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen  filesystem associate quotaget relabelfrom transitiongetattr quotamodmountremountunmount relabelto#netlink_xfrm_socket append bind connectcreatewrite relabelfromioctl name_bind nlmsg_writesendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen nlmsg_read'netlink_dnrt_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen-nscdgethostgetgrp shmemhostshmempwdgetpwdshmemgrp key_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listennetif rawip_recvtcp_recvudp_recv rawip_sendtcp_sendudp_send packet_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listenmsgsendreceive udp_socket append bind connectcreatewrite relabelfromioctl name_bind node_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen*appletalk_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen rawip_socket append bind connectcreatewrite relabelfromioctl name_bind node_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen (association setcontextsendtorecvfrompolmatchnetlink_socket append bind connectcreatewrite relabelfromioctl name_bindsendtorecv_msgsend_msggetattrsetattracceptgetoptreadsetoptshutdownrecvfromlock relabelto listen sem associatecreatewrite unix_readdestroygetattrsetattrread unix_writesystemipc_info syslog_readsyslog_console syslog_mod securitycompute_member compute_usercompute_create setenforce check_context setcheckreqprotcompute_relabel setbool load_policy setsecparam compute_avobject_r@@@system_r@@@@@33 @@direct_init@nscd_var_run_t @@Pfile_type @@exec_type @node_type !@unlabeled_t @port_type @selinux_config_t @@entry_type0@hi_reserved_port_t ,@sysctl_type.@devlog_t/@devpts_t@initrc_t1@locale_t@argus_t%@etc_t#@ld_so_t)@proc_t @rpm_t@tmpfs_t @argus_exec_t@@direct_init_entry @argus_log_t $@ld_so_cache_t @netif_type -@proc_net_t @var_log_t@direct_run_init@argus_var_run_t 2@net_conf_t+@sysctl_kernel_t @@@usercanread*@sysctl_t @init_t"@lib_t@nscd_t&@shlib_t@tmp_t(@usr_t@var_t @argus_conf_t@@daemon@@logfile@@pidfile'@textrel_shlib_t @security_t @unconfined_t 3@syslogd_t @var_run_t@@domainargus_disable_transs0@c0c1023@@@@@@S @@ @@@@S  @@ @@@@X@@@@@ @@@@@@ @ W@@@@@ @@@ @@@@@@ @@@@@@ @@@@X@@ @@@@@@ @@@@ J@@@@@@@@@@@@@@@@@@@@@@@@S @@@@@@ @@@@@@@@@@@@X@@@@@@@@@@@@@@@@@@X@@@@@@@@@@@@ W@@@@@@@@@@@@@@@@@@@@@@@@W@@@@@@[@@@@@@@@@@@@W@@@@@@@@@@@@@@@@@@@@@@@@@S@@@@@@@S@@@@@@@ @@@@@@W@@@@@@@@@@@@@@@@@@W@@@@@@@@@@@?@@@@@ @@@@@@@@@@@@@@@@@@@@+@@@@@@@@@@@@@S@@@@@@S@@@@@@ S@@@@@@ S@@@@@@S @@@@@@S@@@@@@S@@@@@@S@@@@@@ S@@@@@`@ S@@@@@`@S @@@@@@@@@@@@@@@@@@@@@@@@@S@@@@@@S@@@@@@S@@@@@@S@@@@@@ @@@@@@S@@@@@@@@@@@@S@@@@@@S@@@@@$@@@@@ @@@@@@@@@@@ @@@@@ @@@@@ @@@@@ @@@@@ @ @@@@@@@ @@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,@@@@?@@@@@@@@@@?@@@@@@@@@@@@@@?@@@@@@@@@@?@@?@@?@@?@@@@?@@@@@@@@@@@@?@@@@@@@@?@@@@?@@@@@@?@@@@?@@?@@@@@@@@@@P@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@,@@@@?@@@@@@@@@@?@@@@@@@@@@@@@@?@@@@@@@@@@?@@?@@?@@?@@@@?@@@@@@@@@@@@?@@@@@@@@?@@@@?@@@@@@?@@@@?@@?@@@@@@@@@@@@@@@@@@@@@@@@ S@@@@@@@@@@@@@,@@@@?@@@@@@@@@@?@@@@@@@@@@@@@@?@@@@@@@@@@?@@?@@?@@?@@@@?@@@@@@@@@@@@?@@@@@@@@?@@@@?@@@@@@?@@@@?@@?@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,@@@@?@@@@@@@@@@?@@@@@@@@@@@@@@?@@@@@@@@@@?@@?@@?@@?@@@@?@@@@@@@@@@@@?@@@@@@@@?@@@@?@@@@@@?@@@@?@@?@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,@@@@?@@@@@@@@@@?@@@@@@@@@@@@@@?@@@@@@@@@@?@@?@@?@@?@@@@?@@@@@@@@@@@@?@@@@@@@@?@@@@?@@@@@@?@@@@?@@?@@@@@@@@@@@@ @@@@@?@@@@@@@@@@@@@-@@@@@@@@@@@@-8@@@@@@@@@@@@@@@@@@S@@@@@@ W@@@@@@@@@@@@@@@@@@@-@@@@?@@@@@@@@@@?@@@@@@@@@@@@@@?@@@@@@@@@@?@@?@@?@@?@@@@?@@@@@@@@@@@@?@@@@@@@@?@@@@?@@@@@@?@@@@?@@?@@@@@@?@@@@@@@@-netlink_audit_socket tcp_socketmsgqdirblk_filechr_fileipclnk_fileprocessfdpacketsocket fifo_filefilenodenetlink_nflog_socketpaxkeynetlink_tcpdiag_socketunix_stream_socketnetlink_route_socketshmnetlink_selinux_socket capabilitynetlink_ip6fw_socketnetlink_firewall_socket sock_fileunix_dgram_socketnetlink_kobject_uevent_socket filesystemnetlink_xfrm_socketnetlink_dnrt_socketnscd key_socketnetif packet_socketmsg udp_socketappletalk_socket rawip_socket associationnetlink_socketsemsystemsecurityobject_rsystem_r3 direct_initnscd_var_run_t file_type exec_type node_type unlabeled_t port_typeselinux_config_t entry_typehi_reserved_port_t sysctl_typedevlog_tdevpts_tinitrc_tlocale_targus_tetc_tld_so_tproc_trpm_ttmpfs_t argus_exec_tdirect_init_entry argus_log_t ld_so_cache_t netif_type proc_net_t var_log_tdirect_run_initargus_var_run_t net_conf_tsysctl_kernel_t usercanreadsysctl_tinit_tlib_tnscd_tshlib_ttmp_tusr_tvar_t argus_conf_tdaemonlogfilepidfiletextrel_shlib_t security_t unconfined_t syslogd_t var_run_tdomainargus_disable_transs0c0c1023| ######################################## # # Macros for switching between source policy # and loadable policy module support # ############################## # # For adding the module statement # ############################## # # For use in interfaces, to optionally insert a require block # # helper function, since m4 wont expand macros # if a line is a comment (#): ############################## # # In the future interfaces should be in loadable modules # # template(name,rules) # ############################## # # In the future interfaces should be in loadable modules # # interface(name,rules) # ############################## # # Optional policy handling # ############################## # # Determine if we should use the default # tunable value as specified by the policy # or if the override value should be used # ############################## # # Extract booleans out of an expression. # This needs to be reworked so expressions # with parentheses can work. ############################## # # Tunable declaration # ############################## # # Tunable policy handling # ######################################## # # Helper macros # # # shiftn(num,list...) # # shift the list num times # # # ifndef(expr,true_block,false_block) # # m4 does not have this. # # # __endline__ # # dummy macro to insert a newline. used for # errprint, so the close parentheses can be # indented correctly. # ######################################## # # refpolwarn(message) # # print a warning message # ######################################## # # refpolerr(message) # # print an error message. does not # make anything fail. # ######################################## # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories]) # ######################################## # # gen_context(context,mls_sensitivity,[mcs_categories]) # ######################################## # # can_exec(domain,executable) # ######################################## # # gen_bool(name,default_value) # ######################################## # # gen_cats(N) # # declares categores c0 to c(N-1) # ######################################## # # gen_sens(N) # # declares sensitivites s0 to s(N-1) with dominance # in increasing numeric order with s0 lowest, s(N-1) highest # ######################################## # # gen_levels(N,M) # # levels from s0 to (N-1) with categories c0 to (M-1) # ######################################## # # Basic level names for system low and high # ######################################## # # Support macros for sets of object classes and permissions # # This file should only have object class and permission set macros - they # can only reference object classes and/or permissions. # # All directory and file classes # # # All non-directory file classes. # # # Non-device file classes. # # # Device file classes. # # # All socket classes. # # # Datagram socket classes. # # # Stream socket classes. # # # Unprivileged socket classes (exclude rawip, netlink, packet). # ######################################## # # Macros for sets of permissions # # # Permissions for getting file attributes. # # # Permissions for executing files. # # # Permissions for reading files and their attributes. # # # Permissions for reading and executing files. # # # Permissions for reading and appending to files. # # # Permissions for linking, unlinking and renaming files. # # # Permissions for creating lnk_files. # # # Permissions for creating and using files. # # # Permissions for reading directories and their attributes. # # # Permissions for reading and writing directories and their attributes. # # # Permissions for reading and adding names to directories. # # # Permissions for creating and using directories. # # # Permissions to mount and unmount file systems. # # # Permissions for using sockets. # # # Permissions for creating and using sockets. # # # Permissions for using stream sockets. # # # Permissions for creating and using stream sockets. # # # Permissions for creating and using sockets. # # # Permissions for creating and using sockets. # # # Permissions for creating and using netlink sockets. # # # Permissions for using netlink sockets for operations that modify state. # # # Permissions for using netlink sockets for operations that observe state. # # # Permissions for sending all signals. # # # Permissions for sending and receiving network packets. # # # Permissions for using System V IPC # ######################################## # # New permission sets # # # Directory # # # File # # # Use (read and write) terminals # # # Sockets # # argus labeling policy # file: argus.fc /usr/sbin/argus -- system_u:object_r:argus_exec_t:s0 /etc/argus.conf -- system_u:object_r:argus_conf_t:s0 /var/log/argus(/.*)? system_u:object_r:argus_log_t:s0 /var/run/argus(.*)? system_u:object_r:argus_var_run_t:s0