InterfaceNaming
#Reference Policy Interface and Template Naming Conventions
All Reference Policy interfaces and templates should use the following naming convention.
modulename[_modifier]_verb_predicate()

| Element | Meaning |
| --- | --- |
| modulename | The name of the module or, for modules with long names, an abbreviation of the module name. If an abbreviation is used, it must be consistent throughout the module, e.g., apache, samba, and corenet (for corenetwork). |
| modifier | Describes variations of a common interface. The most common use is the modifier dontaudit. (optional) |
##Common File Interface Elements
These are applicable for all file object classes (file, lnk_file, sock_file, fifo_file, blk_file, chr_file).
Verbs

| Verb | Meaning |
| --- | --- |
| getattr | Get the attributes of an object, such as stat(). |
| setattr | Set the attributes of an object, such as chmod(). |
| read | Read an object. |
| append | Append only to an object. |
| write | Write an object. |
| rw | Read and write an object. |
| create | Create an object. |
| delete | Delete an object. |
| manage | Create, read, write, and delete an object. |
| relabelfrom | Relabel from the object's type. |
| relabelto | Relabel to the object's type. |
| relabel | Relabel to and from the object's type. |
| exec | Execute a file in the caller's domain (no domain transition; file only). |

Predicates

| Predicate | Object |
| --- | --- |
| files | Ordinary files |
| symlinks | Symbolic links |
| pipes | Named and unnamed pipes (FIFOs) |
| sockets | Named and unnamed Unix domain sockets |
| chr_files | Character device nodes |
| blk_files | Block device nodes |
##Common Directory Interface Elements
Verbs

| Verb | Meaning |
| --- | --- |
| getattr | Get the attributes of a directory. |
| setattr | Set the attributes of a directory. |
| search | Search (traverse) a directory without reading the list of directory entries. |
| list | Read the list of directory entries. |
| rw | Add and remove directory entries. |
| manage | Add and remove directory entries, and create and delete directories. |
| mounton | Allow filesystems to be mounted on this directory. |

Predicates

| Predicate | Object |
| --- | --- |
| dirs | Directories |
##Common Process Interface Elements
Verbs

| Verb | Meaning |
| --- | --- |
| sigchld | Send a SIGCHLD signal. |
| sigstop | Send a SIGSTOP signal. |
| signull | Send a null signal (signal 0, used to test for process existence). |
| kill | Send a kill signal (SIGKILL). |
| domtrans | Execute a program and perform a domain transition. |
| run | Execute a program and perform a domain transition, allow the target domain to read and write the specified terminal, and authorize the specified role for the target domain. This is used with interactive programs. |

Predicates

The predicate of process interfaces is usually the common name of the domain, e.g., smbd or nmbd.
##Common Networking Interface Elements
Modifiers

| Modifier | Socket type |
| --- | --- |
| tcp | Internet domain TCP sockets |
| udp | Internet domain UDP sockets |
| raw | Internet domain raw IP sockets |
| stream | Unix domain stream sockets |
| dgram | Unix domain datagram sockets |

Verbs

| Verb | Meaning |
| --- | --- |
| send | Send network traffic on the network object. |
| receive | Receive network traffic on the network object. |
| sendrecv | Send and receive network traffic on the network object. |
| bind | Bind a socket to a port or node. |
| connect | Connect to another process or port. |

Predicates

| Predicate | Object |
| --- | --- |
| if | Network interfaces |
| node | Network nodes |
| port | Network ports |
| packets | Network packets |
##Common Filesystem Interface Elements
Verbs

| Verb | Meaning |
| --- | --- |
| getattr | Get the attributes of the filesystem. |
| mount | Mount the filesystem. |
| unmount | Unmount the filesystem. |
| remount | Remount the filesystem (change mount options). |
| associate | Associate a file type with the filesystem. |

Predicates

The predicate of filesystem interfaces is usually the filesystem type, e.g., tmpfs or cifs.
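The convention at the top of this page, together with the verb and modifier tables above, is mechanical enough to lint. The following is an added example, not Reference Policy code: it splits an interface name into module, modifiers, verb and predicate using the vocabularies listed on this page and reports names that do not fit. The module list `KNOWN_MODULES` is a constructed sample (a real linter would gather it from the policy tree), and accepting more than one modifier in sequence (dontaudit followed by a socket-type modifier such as tcp) is an assumption that goes beyond the single optional modifier the convention shows.

```python
"""Decompose and lint Reference Policy interface names against the
modulename[_modifier]_verb_predicate() convention.

Added illustration, not part of the Reference Policy. The verb and
modifier vocabularies are those listed in the naming convention; the
module names are a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Verbs, grouped by the interface family in which the convention lists them.
FILE_VERBS = {"getattr", "setattr", "read", "append", "write", "rw", "create",
              "delete", "manage", "relabelfrom", "relabelto", "relabel", "exec"}
DIR_VERBS = {"getattr", "setattr", "search", "list", "rw", "manage", "mounton"}
PROCESS_VERBS = {"sigchld", "sigstop", "signull", "kill", "domtrans", "run"}
NET_VERBS = {"send", "receive", "sendrecv", "bind", "connect"}
FS_VERBS = {"getattr", "mount", "unmount", "remount", "associate"}
VERBS = FILE_VERBS | DIR_VERBS | PROCESS_VERBS | NET_VERBS | FS_VERBS

# Modifiers: dontaudit plus the networking socket-type modifiers.
MODIFIERS = {"dontaudit", "tcp", "udp", "raw", "stream", "dgram"}

# Constructed sample of module names (assumption: a real linter would
# collect these from the policy/modules tree).
KNOWN_MODULES = frozenset({"apache", "samba", "corenet", "files", "fs", "kernel"})


@dataclass(frozen=True)
class InterfaceName:
    module: str
    modifiers: Tuple[str, ...]
    verb: str
    predicate: str


def parse_interface_name(name: str,
                         known_modules: Iterable[str] = KNOWN_MODULES) -> InterfaceName:
    """Split an interface name into its convention parts, or raise ValueError."""
    if not re.fullmatch(r"[a-z][a-z0-9_]*", name):
        raise ValueError(f"{name!r}: expected a lowercase identifier")
    tokens = name.split("_")
    modules = set(known_modules)

    # The module prefix is the longest run of leading tokens naming a known
    # module, so module names that themselves contain an underscore work too.
    module, rest = None, []
    for n in range(len(tokens), 0, -1):
        candidate = "_".join(tokens[:n])
        if candidate in modules:
            module, rest = candidate, tokens[n:]
            break
    if module is None:
        raise ValueError(f"{name!r}: no known module prefix")

    # Zero or more modifiers sit between the module and the verb (assumption:
    # the convention shows one optional modifier; dontaudit + tcp is allowed here).
    modifiers = []
    while rest and rest[0] in MODIFIERS:
        modifiers.append(rest.pop(0))

    if not rest:
        raise ValueError(f"{name!r}: missing verb")
    verb = rest.pop(0)
    if verb not in VERBS:
        raise ValueError(f"{name!r}: unknown verb {verb!r}")
    if not rest:
        raise ValueError(f"{name!r}: missing predicate")
    if "dontaudit" in rest:
        raise ValueError(f"{name!r}: dontaudit must precede the verb")
    return InterfaceName(module, tuple(modifiers), verb, "_".join(rest))


def lint_interface_names(names: Iterable[str],
                         known_modules: Iterable[str] = KNOWN_MODULES) -> Dict[str, Optional[str]]:
    """Map each name to None (conforms) or to the reason it does not."""
    report: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            parse_interface_name(name, known_modules)
            report[name] = None
        except ValueError as exc:
            report[name] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed sample: names in the convention's style plus some violations.
    sample = [
        "apache_read_config",
        "samba_domtrans_smbd",
        "corenet_tcp_bind_http_port",
        "corenet_dontaudit_udp_bind_all_ports",
        "fs_mount_tmpfs",
        "apache_config_read",   # verb and predicate swapped
        "samba_dontaudit_rw",   # no predicate
        "bogus_read_files",     # unknown module
    ]
    for name, problem in lint_interface_names(sample).items():
        print(f"{name:40} {'ok' if problem is None else problem}")
```

Because getattr, rw and manage appear in more than one verb table, the parser does not try to infer which interface family a name belongs to from the verb alone; that is what the predicate (files, dirs, a domain name, a filesystem type) conveys.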