# Base "domain" module: declares the attributes every process type carries
# (domain, unconfined_domain_type, the constraint attributes below) and the
# baseline rules granted to all domains; the neverallow assertions in this
# file are what keep every process type inside the domain attribute.
0de0ea5c | 1 | policy_module(domain, 1.9.1) |
960373dd | 2 | |
fd89e19f CP |
3 | ######################################## |
4 | # | |
5 | # Declarations | |
6 | # | |
3eaa9939 DW |
7 | ## <desc> |
8 | ## <p> | |
9 | ## Allow all domains to use other domains' file descriptors. | |
10 | ## </p> | |
11 | ## </desc> | |
12 | # Default is on. When enabled, the "allow domain domain:fd use" rule near the | |
# end of this file lets any domain use a descriptor inherited from any other
# domain, so descriptor leaks across domains are not confined. Set it to false
# on systems where cross-domain fd inheritance should be denied and audited.
5946923f | 13 | gen_tunable(allow_domain_fd_use, true) |
3eaa9939 DW |
14 | |
15 | ## <desc> | |
16 | ## <p> | |
17 | ## Allow all domains to have the kernel load modules | |
18 | ## </p> | |
19 | ## </desc> | |
20 | # Off by default. Enabling it gives every domain kernel_request_load_module | |
# (see the tunable_policy block below), i.e. any process can trigger kernel
# module autoloading, which widens the kernel attack surface considerably.
21 | gen_tunable(domain_kernel_load_modules, false) | |
fd89e19f | 22 | |
623e4f08 DG |
23 | ## <desc> |
24 | ## <p> | |
25 | ## Control the ability to mmap a low area of the address space, | |
26 | ## as configured by /proc/sys/kernel/mmap_min_addr. | |
27 | ## </p> | |
28 | ## </desc> | |
# Off by default. The boolean is not referenced in this file; whatever its
# value, the neverallow on memprotect mmap_zero below guarantees at policy
# build time that only mmap_low_domain_type can ever be granted low mappings.
29 | gen_tunable(mmap_low_allowed, false) | |
30 | ||
b4cd1533 CP |
31 | # Mark process types as domains |
32 | attribute domain; | |
33 | ||
2e863f8a CP |
34 | # Transitions only allowed from domains to other domains. |
# This is a build-time assertion: any allow rule (conditional ones included)
# that would let a process transition into a type lacking the domain attribute
# makes the policy fail to compile, so a process can never escape into an
# unmarked type.
35 | neverallow domain ~domain:process { transition dyntransition }; | |
36 | ||
605ba285 | 37 | # Domains that are unconfined |
95501942 | 38 | attribute unconfined_domain_type; |
605ba285 | 39 | |
41337aa8 CP |
40 | # Domains that can mmap low memory. |
41 | attribute mmap_low_domain_type; | |
# memprotect mmap_zero is the permission checked for mappings below
# mmap_min_addr. Denying it to every other domain is asserted at build time,
# independently of the mmap_low_allowed boolean.
42 | neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; | |
43 | ||
2e863f8a CP |
44 | # Domains that can set their current context |
45 | # (perform dynamic transitions) | |
46 | attribute set_curr_context; | |
47 | ||
48 | # enabling setcurrent breaks process tranquility. If you do not | |
49 | # know what this means or do not understand the implications of a | |
50 | # dynamic transition, you should not be using it!!! | |
# setcurrent lets a running process change its own context without an exec;
# granting it outside set_curr_context is a build error, not a runtime denial.
51 | neverallow { domain -set_curr_context } self:process setcurrent; | |
52 | ||
960373dd CP |
53 | # entrypoint executables |
54 | attribute entry_type; | |
55 | ||
8a0da108 CP |
56 | # widely-inheritable file descriptors |
# (declared here; no rule in this file references privfd, so its consumers are
# in other modules or in the domain interfaces)
57 | attribute privfd; | |
58 | ||
2e863f8a | 59 | # |
8bd67899 | 60 | # constraint related attributes |
2e863f8a CP |
61 | # |
# These attributes grant nothing by themselves; they are consulted by the
# identity/role-change constraints defined outside this module. The bracketed
# numbers are only cross-references used in those comments (note that [3] is
# used twice below).
62 | ||
63 | # [1] types that can change SELinux identity on transition | |
8bd67899 | 64 | attribute can_change_process_identity; |
2e863f8a CP |
65 | |
66 | # [2] types that can change SELinux role on transition | |
8bd67899 | 67 | attribute can_change_process_role; |
2e863f8a CP |
68 | |
69 | # [3] types that can change the SELinux identity on a filesystem | |
70 | # object or a socket object on a create or relabel | |
8bd67899 CP |
71 | attribute can_change_object_identity; |
72 | ||
2e863f8a CP |
73 | # [3] types that can change to system_u:system_r |
74 | attribute can_system_change; | |
a154cd45 | 75 | |
2e863f8a CP |
76 | # [4] types that have attribute 1 can change the SELinux |
77 | # identity only if the target domain has this attribute. | |
78 | # Types that have attribute 2 can change the SELinux role | |
79 | # only if the target domain has this attribute. | |
80 | attribute process_user_target; | |
81 | ||
82 | # For cron jobs | |
83 | # [5] types used for cron daemons | |
84 | attribute cron_source_domain; | |
85 | # [6] types used for cron jobs | |
86 | attribute cron_job_domain; | |
87 | ||
88 | # [7] types that are unconditionally exempt from | |
89 | # SELinux identity and role change constraints | |
90 | attribute process_uncond_exempt; # add userhelperdomain to this one | |
2a3478cf | 91 | |
# Every process type must carry the domain attribute: process-class
# permissions may only flow between types marked as domains (unlabeled_t is
# the one tolerated exception), in either direction.
e0dfbdf1 | 92 | neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; |
2e863f8a | 93 | neverallow ~{ domain unlabeled_t } *:process *; |
3cfd4876 CP |
94 | |
95 | ######################################## | |
96 | # | |
97 | # Rules applied to all domains | |
98 | # | |
99 | ||
1f6524ae | 100 | # read /proc/(pid|self) entries |
# (self:* here is the domain's own /proc entries; note that rw_file_perms on
# self:file also permits writing its own /proc/self files, not only reading)
ef659a47 CP |
101 | allow domain self:dir list_dir_perms; |
102 | allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; | |
3cfd4876 | 103 | allow domain self:file rw_file_perms; |
1f6524ae | 104 | kernel_read_proc_symlinks(domain) |
3eaa9939 DW |
105 | kernel_read_crypto_sysctls(domain) |
106 | ||
495df416 CP |
107 | # Every domain gets the key ring, so we should default |
108 | # to no one allowed to look at it; afs kernel support creates | |
109 | # a keyring | |
# (dontaudit only: searching/linking the kernel keyring stays denied, it just
# no longer fills the audit log)
110 | kernel_dontaudit_search_key(domain) | |
111 | kernel_dontaudit_link_key(domain) | |
3eaa9939 | 112 | kernel_dontaudit_search_debugfs(domain) |
3cfd4876 CP |
113 | |
114 | # create child processes in the domain | |
3eaa9939 | 115 | allow domain self:process { fork getsched sigchld }; |
3cfd4876 CP |
116 | |
117 | # Use trusted objects in /dev | |
118 | dev_rw_null(domain) | |
119 | dev_rw_zero(domain) | |
120 | term_use_controlling_term(domain) | |
121 | ||
122 | # list the root directory | |
123 | files_list_root(domain) | |
fb52482a DW |
124 | # allow all domains to search through default_t directories, since users sometimes |
125 | # place labeled content within these directories (samba_share_t, for example). | |
126 | files_search_default(domain) | |
3cfd4876 | 127 | |
3eaa9939 DW |
128 | # All executables should be able to search the directory they are in |
129 | corecmd_search_bin(domain) | |
130 | ||
# Off by default (domain_kernel_load_modules, declared above): when on, every
# domain may ask the kernel to autoload a module.
131 | tunable_policy(`domain_kernel_load_modules',` | |
132 | kernel_request_load_module(domain) | |
133 | ') | |
134 | ||
3cfd4876 CP |
135 | tunable_policy(`global_ssp',` |
136 | # enable reading of urandom for all domains: | |
137 | # this should be enabled when all programs | |
138 | # are compiled with ProPolice/SSP | |
139 | # stack smashing protection. | |
140 | dev_read_urand(domain) | |
141 | ') | |
b518fc2e | 142 | |
3eaa9939 DW |
143 | optional_policy(` |
144 | afs_rw_cache(domain) | |
145 | ') | |
146 | ||
b96b2004 DW |
147 | libs_use_ld_so(domain) |
148 | libs_use_shared_libs(domain) | |
149 | libs_read_lib_files(domain) | |
6e68e6bb | 150 | |
165b42d2 CP |
151 | optional_policy(` |
152 | setrans_translate_context(domain) | |
153 | ') | |
154 | ||
495df416 CP |
155 | # xdm passes an open file descriptor to xsession-errors.log to its children; without these dontaudits every confined domain would log a denial for it (the access itself stays denied). |
156 | optional_policy(` | |
157 | xserver_dontaudit_use_xdm_fds(domain) | |
158 | xserver_dontaudit_rw_xdm_pipes(domain) | |
3eaa9939 DW |
159 | xserver_dontaudit_append_xdm_home_files(domain) |
160 | xserver_dontaudit_write_log(domain) | |
495df416 CP |
161 | ') |
162 | ||
b518fc2e CP |
163 | ######################################## |
164 | # | |
165 | # Unconfined access to this module | |
166 | # | |
167 | ||
168 | # unconfined access also allows constraints, but this | |
169 | # is handled in the interface as typeattribute cannot | |
170 | # be used on an attribute. | |
171 | ||
# Everything below is granted to unconfined_domain_type over *every* domain;
# adding a type to that attribute therefore amounts to full control of all
# processes on the system.
172 | # Use/sendto/connectto sockets created by any domain. | |
# ("*" is every permission on every socket class, key_socket included.)
173 | allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; | |
174 | ||
175 | # Use descriptors and pipes created by any domain. | |
176 | allow unconfined_domain_type domain:fd use; | |
177 | allow unconfined_domain_type domain:fifo_file rw_file_perms; | |
178 | ||
3eaa9939 DW |
179 | allow unconfined_domain_type unconfined_domain_type:dbus send_msg; |
180 | ||
b518fc2e CP |
181 | # Act upon any other process. |
# Every process permission except transition/dyntransition (still bound by the
# neverallow above) and the exec* memory permissions; this includes ptrace and
# all signals against any domain.
182 | allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; | |
183 | ||
184 | # Create/access any System V IPC objects. | |
185 | allow unconfined_domain_type domain:{ sem msgq shm } *; | |
186 | allow unconfined_domain_type domain:msg { send receive }; | |
187 | ||
188 | # For /proc/pid | |
ef659a47 | 189 | allow unconfined_domain_type domain:dir list_dir_perms; |
a65fd90a | 190 | allow unconfined_domain_type domain:file rw_file_perms; |
ef659a47 | 191 | allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; |
d8226758 CP |
192 | |
193 | # act on all domains keys (every key permission on every domain's keys) | |
194 | allow unconfined_domain_type domain:key *; | |
bdccbacd | 195 | |
# Named file transitions (as the interface names indicate): presumably so that
# files an unconfined domain creates at well-known paths get their proper
# labels instead of inheriting the parent directory's label.
b96b2004 DW |
196 | dev_filetrans_all_named_dev(unconfined_domain_type) |
197 | ||
bdccbacd CP |
198 | # receive from all domains over labeled networking |
199 | domain_all_recvfrom_all_domains(unconfined_domain_type) | |
3eaa9939 | 200 | |
b96b2004 DW |
201 | storage_filetrans_all_named_dev(unconfined_domain_type) |
202 | ||
203 | term_filetrans_all_named_dev(unconfined_domain_type) | |
204 | ||
205 | authlogin_filetrans_named_content(unconfined_domain_type) | |
206 | ||
207 | lib_filetrans_named_content(unconfined_domain_type) | |
208 | ||
209 | miscfiles_filetrans_named_content(unconfined_domain_type) | |
210 | ||
211 | modules_filetrans_named_content(unconfined_domain_type) | |
212 | ||
213 | sysnet_filetrans_named_content(unconfined_domain_type) | |
214 | ||
215 | userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) | |
216 | ||
217 | optional_policy(` | |
218 | alsa_filetrans_named_content(unconfined_domain_type) | |
219 | ') | |
220 | ||
221 | optional_policy(` | |
222 | apache_filetrans_home_content(unconfined_domain_type) | |
223 | ') | |
224 | ||
225 | optional_policy(` | |
226 | bootloader_filetrans_config(unconfined_domain_type) | |
227 | ') | |
228 | ||
229 | optional_policy(` | |
230 | gnome_filetrans_admin_home_content(unconfined_domain_type) | |
231 | ') | |
232 | ||
233 | optional_policy(` | |
234 | devicekit_filetrans_named_content(unconfined_domain_type) | |
235 | ') | |
236 | ||
237 | optional_policy(` | |
238 | dnsmasq_filetrans_named_content(unconfined_domain_type) | |
239 | ') | |
240 | ||
241 | optional_policy(` | |
242 | kerberos_filetrans_named_content(unconfined_domain_type) | |
243 | ') | |
244 | ||
245 | optional_policy(` | |
246 | mta_filetrans_named_content(unconfined_domain_type) | |
247 | ') | |
248 | ||
249 | optional_policy(` | |
250 | networkmanager_filetrans_named_content(unconfined_domain_type) | |
251 | ') | |
252 | ||
253 | optional_policy(` | |
254 | nx_filetrans_named_content(unconfined_domain_type) | |
255 | ') | |
256 | ||
257 | optional_policy(` | |
258 | pulseaudio_filetrans_home_content(unconfined_domain_type) | |
259 | pulseaudio_filetrans_admin_home_content(unconfined_domain_type) | |
260 | ') | |
261 | ||
262 | optional_policy(` | |
263 | quota_filetrans_named_content(unconfined_domain_type) | |
264 | ') | |
265 | ||
266 | optional_policy(` | |
267 | virt_filetrans_home_content(unconfined_domain_type) | |
268 | ') | |
269 | ||
270 | optional_policy(` | |
271 | ssh_filetrans_admin_home_content(unconfined_domain_type) | |
272 | ') | |
273 | ||
273 | ||
3eaa9939 DW |
274 | selinux_getattr_fs(domain) |
275 | selinux_search_fs(domain) | |
276 | selinux_dontaudit_read_fs(domain) | |
277 | ||
a9c4f705 DW |
278 | optional_policy(` |
279 | seutil_dontaudit_read_config(domain) | |
280 | ') | |
3eaa9939 | 281 | |
a9c4f705 DW |
282 | optional_policy(` |
283 | init_sigchld(domain) | |
284 | init_signull(domain) | |
285 | ') | |
3eaa9939 DW |
286 | |
287 | ifdef(`distro_redhat',` | |
288 | files_search_mnt(domain) | |
289 | optional_policy(` | |
290 | unconfined_use_fds(domain) | |
291 | ') | |
292 | ') | |
293 | ||
294 | # these seem questionable: | |
295 | ||
296 | optional_policy(` | |
297 | abrt_domtrans_helper(domain) | |
298 | abrt_read_pid_files(domain) | |
299 | abrt_read_state(domain) | |
300 | abrt_signull(domain) | |
0e7fbb58 DW |
301 | abrt_append_cache(domain) |
302 | abrt_rw_fifo_file(domain) | |
3eaa9939 DW |
303 | ') |
304 | ||
305 | optional_policy(` | |
306 | rpm_use_fds(domain) | |
307 | rpm_read_pipes(domain) | |
308 | rpm_search_log(domain) | |
309 | rpm_append_tmp_files(domain) | |
310 | rpm_dontaudit_leaks(domain) | |
311 | rpm_read_script_tmp_files(domain) | |
312 | rpm_inherited_fifo(domain) | |
313 | ') | |
314 | ||
315 | optional_policy(` | |
316 | sosreport_append_tmp_files(domain) | |
317 | ') | |
318 | ||
319 | tunable_policy(`allow_domain_fd_use',` | |
320 | # Allow all domains to use fds past to them | |
321 | allow domain domain:fd use; | |
322 | ') | |
323 | ||
324 | optional_policy(` | |
325 | cron_dontaudit_write_system_job_tmp_files(domain) | |
326 | cron_rw_pipes(domain) | |
327 | cron_rw_system_job_pipes(domain) | |
328 | ') | |
329 | ||
330 | ifdef(`hide_broken_symptoms',` | |
331 | dontaudit domain self:udp_socket listen; | |
332 | allow domain domain:key { link search }; | |
54f9ea9e | 333 | dontaudit domain domain:socket_class_set { read write }; |
c7c7cd24 | 334 | dontaudit domain self:capability sys_module; |
3eaa9939 DW |
335 | ') |
336 | ||
dfe675b8 DW |
337 | optional_policy(` |
338 | hal_dontaudit_read_pid_files(domain) | |
339 | ') | |
340 | ||
5dd938af DW |
341 | optional_policy(` |
342 | ipsec_match_default_spd(domain) | |
343 | ') | |
344 | ||
3eaa9939 DW |
345 | optional_policy(` |
346 | ifdef(`hide_broken_symptoms',` | |
347 | afs_rw_udp_sockets(domain) | |
348 | ') | |
349 | ') | |
350 | ||
351 | optional_policy(` | |
352 | ssh_rw_pipes(domain) | |
353 | ') | |
354 | ||
355 | optional_policy(` | |
356 | unconfined_dontaudit_rw_pipes(domain) | |
357 | unconfined_sigchld(domain) | |
358 | ') | |
359 | ||
360 | # broken kernel | |
361 | dontaudit can_change_object_identity can_change_object_identity:key link; | |
54f9ea9e | 362 | |
e15a6502 DW |
363 | ifdef(`distro_redhat',` |
364 | optional_policy(` | |
365 | unconfined_use_fds(domain) | |
366 | ') | |
367 | ') | |
368 | ||
369 | # send init a sigchld and signull | |
370 | optional_policy(` | |
371 | init_sigchld(domain) | |
372 | init_signull(domain) | |
373 | ') | |
374 | ||
375 | # these seem questionable: | |
376 | ||
377 | optional_policy(` | |
378 | rpm_use_fds(domain) | |
379 | rpm_read_pipes(domain) | |
380 | ') | |
381 | ||
382 | optional_policy(` | |
383 | selinux_dontaudit_getattr_fs(domain) | |
384 | selinux_dontaudit_read_fs(domain) | |
385 | ') | |
386 | ||
387 | optional_policy(` | |
388 | seutil_dontaudit_read_config(domain) | |
389 | ') | |
b8df5447 DW |
390 | |
391 | dontaudit domain domain:process { noatsecure siginh rlimitinh } ; |