HEX
Server: Apache
System: Linux vps-cdc32557.vps.ovh.ca 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64
User: hanode (1017)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /usr/share/selinux/devel/include/system/
Upload Files
File: //usr/share/selinux/devel/include/system/miscfiles.if
## <summary>Miscellaneous files.</summary>

########################################
## <summary>
##	Make the specified type usable as a cert file.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable for cert files.
##	This will also make the type usable for files, making
##	calls to files_type() redundant.  Failure to use this interface
##	for a temporary file may result in problems with
##	cert management tools.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>files_type()</li>
##	</ul>
##	<p>
##	Example:
##	</p>
##	<p>
##	type mycertfile_t;
##	cert_type(mycertfile_t)
##	allow mydomain_t mycertfile_t:file read_file_perms;
##	files_search_etc(mydomain_t)
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`miscfiles_cert_type',`
	gen_require(`
		attribute cert_type;
	')

	typeattribute $1 cert_type;
	files_type($1)
')

########################################
## <summary>
##	Make the specified type usable
##	as a SSL/TLS private key file.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable for SSL/TLS private key files.
##	This will also make the type usable for files, making
##	calls to files_type() redundant.  Failure to use this interface
##	for a temporary file may result in problems with
##	SSL/TLS private key management tools.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>files_type()</li>
##	</ul>
##	<p>
##	Example:
##	</p>
##	<p>
##	type mytlsprivkeyfile_t;
##	tls_privkey_type(mytlsprivkeyfile_t)
##	allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
##	files_search_etc(mydomain_t)
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`miscfiles_tls_privkey_type',`
	gen_require(`
		attribute tls_privkey_type;
	')

	typeattribute $1 tls_privkey_type;
	files_type($1)
')

########################################
## <summary>
##	Read all SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_all_certs',`
	gen_require(`
		attribute cert_type;
	')

	allow $1 cert_type:dir list_dir_perms;
	read_files_pattern($1, cert_type, cert_type)
	read_lnk_files_pattern($1, cert_type, cert_type)
')

########################################
## <summary>
##	Read generic SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_generic_certs',`
	gen_require(`
		type cert_t;
	')

	allow $1 cert_t:dir list_dir_perms;
	read_files_pattern($1, cert_t, cert_t)
	read_lnk_files_pattern($1, cert_t, cert_t)
')

########################################
## <summary>
##	Do not audit attempts to read generic SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_read_generic_certs',`
	gen_require(`
		type cert_t;
	')

	dontaudit $1 cert_t:dir list_dir_perms;
	dontaudit $1 cert_t:file read_file_perms;
	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Manage generic SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_generic_cert_dirs',`
	gen_require(`
		type cert_t;
	')

	manage_dirs_pattern($1, cert_t, cert_t)
')

########################################
## <summary>
##	Manage generic SSL/TLS certificates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_cert_files',`
	gen_require(`
		type cert_t;
	')

	manage_files_pattern($1, cert_t, cert_t)
	read_lnk_files_pattern($1, cert_t, cert_t)
')

########################################
## <summary>
##	Read generic SSL/TLS private
##	keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_generic_tls_privkey',`
	gen_require(`
		type tls_privkey_t;
	')

	allow $1 tls_privkey_t:dir list_dir_perms;
	read_files_pattern($1, tls_privkey_t, tls_privkey_t)
	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')

########################################
## <summary>
##	Manage generic SSL/TLS private
##	keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_generic_tls_privkey_dirs',`
	gen_require(`
		type tls_privkey_t;
	')

	manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
')

########################################
## <summary>
##	Manage generic SSL/TLS private
##	keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_tls_privkey_files',`
	gen_require(`
		type tls_privkey_t;
	')

	manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')

########################################
## <summary>
##	Manage generic SSL/TLS private
##	keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_generic_tls_privkey_symlinks',`
	gen_require(`
		type tls_privkey_t;
	')

	manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
')

########################################
## <summary>
##	Read fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_fonts',`
	gen_require(`
		type fonts_t, fonts_cache_t;
	')

	# cjp: fonts can be in either of these dirs
	files_search_usr($1)
	libs_search_lib($1)

	allow $1 fonts_t:dir list_dir_perms;
	read_files_pattern($1, fonts_t, fonts_t)
	allow $1 fonts_t:file map;
	read_lnk_files_pattern($1, fonts_t, fonts_t)

	allow $1 fonts_cache_t:dir list_dir_perms;
	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
	allow $1 fonts_cache_t:file map;
	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')

########################################
## <summary>
##	Set the attributes on a fonts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_setattr_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	allow $1 fonts_t:dir setattr;
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	on a fonts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	dontaudit $1 fonts_t:dir setattr;
')

########################################
## <summary>
##	Do not audit attempts to write fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_write_fonts',`
	gen_require(`
		type fonts_t;
	')

	dontaudit $1 fonts_t:dir { write setattr };
	dontaudit $1 fonts_t:file write;
')

########################################
## <summary>
##	Create, read, write, and delete fonts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_fonts',`
	gen_require(`
		type fonts_t;
	')

	# cjp: fonts can be in either of these dirs
	files_search_usr($1)
	libs_search_lib($1)

	manage_dirs_pattern($1, fonts_t, fonts_t)
	manage_files_pattern($1, fonts_t, fonts_t)
	manage_lnk_files_pattern($1, fonts_t, fonts_t)
')

########################################
## <summary>
##	Watch fonts directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_watch_fonts_dirs',`
	gen_require(`
		type fonts_t;
	')

	allow $1 fonts_t:dir watch;
')

########################################
## <summary>
##	Set the attributes on a fonts cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_fonts_cache_dirs',`
	gen_require(`
		type fonts_cache_t;
	')

	allow $1 fonts_cache_t:dir setattr;
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	on a fonts cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
	gen_require(`
		type fonts_cache_t;
	')

	dontaudit $1 fonts_cache_t:dir setattr;
')

########################################
## <summary>
##	Create, read, write, and delete fonts cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_fonts_cache',`
	gen_require(`
		type fonts_cache_t;
	')

	files_search_var($1)

	manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
	manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
	manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')

########################################
## <summary>
##	Read hardware identification data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_hwdata',`
	gen_require(`
		type hwdata_t;
	')

	allow $1 hwdata_t:dir list_dir_perms;
	read_files_pattern($1, hwdata_t, hwdata_t)
	read_lnk_files_pattern($1, hwdata_t, hwdata_t)
')

########################################
## <summary>
##	Allow process to setattr localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_setattr_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)
	allow $1 locale_t:dir list_dir_perms;
	allow $1 locale_t:file setattr;
')

########################################
## <summary>
##	Allow process to read localization information.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read the localization files.
##	This is typically for time zone configuration files, such as
##	/etc/localtime and files in /usr/share/zoneinfo.
##	Typically, any domain which needs to know the GMT/UTC
##	offset of the current timezone will need access
##	to these files. Generally, it should be safe for any
##	domain to read these files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`miscfiles_read_localization',`
	gen_require(`
		type locale_t;
	')

	files_read_etc_symlinks($1)
	files_search_usr($1)
	allow $1 locale_t:dir list_dir_perms;
	read_files_pattern($1, locale_t, locale_t)
	read_lnk_files_pattern($1, locale_t, locale_t)
	allow $1 locale_t:file map;
')

########################################
## <summary>
##	Allow process to write localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_rw_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)
	allow $1 locale_t:dir list_dir_perms;
	rw_files_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Allow process to relabel localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_relabel_localization',`
	gen_require(`
		type locale_t;
	')

	files_search_usr($1)
	relabel_files_pattern($1, locale_t, locale_t)
')

########################################
## <summary>
##	Allow process to read legacy time localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_legacy_read_localization',`
	gen_require(`
		type locale_t;
	')

	miscfiles_read_localization($1)
	allow $1 locale_t:file execute;
')

########################################
## <summary>
##	Watch time localization info
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_watch_localization',`
	gen_require(`
		type locale_t;
	')

	allow $1 locale_t:dir watch;
	allow $1 locale_t:file watch;
')

########################################
## <summary>
##	Search man pages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_search_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	allow $1 { man_cache_t man_t }:dir search_dir_perms;
	files_search_usr($1)
')

########################################
## <summary>
##	Do not audit attempts to search man pages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_search_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
')

########################################
## <summary>
##	Read man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)
	allow $1 { man_cache_t man_t }:dir list_dir_perms;
	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')

########################################
## <summary>
##	Delete man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# cjp: added for tmpreaper
#
interface(`miscfiles_delete_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)
	allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')

########################################
## <summary>
##	Create, read, write, and delete man pages
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_man_pages',`
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)
	manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
')

########################################
## <summary>
##	Read man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	files_search_var($1)
	allow $1 man_cache_t:dir list_dir_perms;
	allow $1 man_cache_t:file read_file_perms;
	allow $1 man_cache_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Map man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_map_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	allow $1 man_cache_t:file map;
')

########################################
## <summary>
##	Create, read, write, and delete
##	man cache content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	files_search_var($1)
	allow $1 man_cache_t:dir manage_dir_perms;
	allow $1 man_cache_t:file manage_file_perms;
	allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
')

########################################
## <summary>
##      Relabel from and to man cache.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`miscfiles_relabel_man_cache',`
	gen_require(`
		type man_cache_t;
	')

	relabel_dirs_pattern($1, man_cache_t, man_cache_t)
	relabel_files_pattern($1, man_cache_t, man_cache_t)
')

########################################
## <summary>
##	Read public files used for file
##	transfer services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_public_files',`
	gen_require(`
		type public_content_t, public_content_rw_t;
	')

	allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
	read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
	read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
')

########################################
## <summary>
##	Create, read, write, and delete public files
##	and directories used for file transfer services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_public_files',`
	gen_require(`
		type public_content_rw_t;
	')

	manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t)
	manage_files_pattern($1, public_content_rw_t, public_content_rw_t)
	manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')

########################################
## <summary>
##	Watch public files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_watch_public_dirs',`
	gen_require(`
		type public_content_rw_t;
	')

	allow $1 public_content_rw_t:dir watch;
')

########################################
## <summary>
##	Read TeX data
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_tetex_data',`
	gen_require(`
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)

	# cjp: TeX data can be in either of the above dirs
	allow $1 tetex_data_t:dir list_dir_perms;
	read_files_pattern($1, tetex_data_t, tetex_data_t)
	read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
')

########################################
## <summary>
##	Execute TeX data programs in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_exec_tetex_data',`
	gen_require(`
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)

	# cjp: TeX data can be in either of the above dirs
	allow $1 tetex_data_t:dir list_dir_perms;
	exec_files_pattern($1, tetex_data_t, tetex_data_t)
')

########################################
## <summary>
##	Let test files be an entry point for
##	a specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_domain_entry_test_files',`
	gen_require(`
		type test_file_t;
	')

	domain_entry_file($1, test_file_t)
')

########################################
## <summary>
##	Read test files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_test_files',`
	gen_require(`
		type test_file_t;
	')

	read_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
')

########################################
## <summary>
##	Execute test files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_exec_test_files',`
	gen_require(`
		type test_file_t;
	')

	exec_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
')

########################################
## <summary>
##	Create files in etc directories
##	with localization file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_etc_filetrans_localization',`
	gen_require(`
		type locale_t;
	')

	files_etc_filetrans($1, locale_t, file)

')

########################################
## <summary>
##	Create, read, write, and delete localization
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_localization',`
	gen_require(`
		type locale_t;
	')

	manage_dirs_pattern($1, locale_t, locale_t)
	manage_files_pattern($1, locale_t, locale_t)
	manage_lnk_files_pattern($1, locale_t, locale_t)
')
@ Telegram