0de0ea5c | 1 | policy_module(domain, 1.9.1) |
960373dd | 2 | |
3 | ######################################## |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ## <desc> |
8 | ## <p> | |
9 | ## Allow all domains to use other domains file descriptors | |
10 | ## </p> | |
11 | ## </desc> | |
12 | # | |
5946923f | 13 | gen_tunable(allow_domain_fd_use, true) |
14 | |
15 | ## <desc> | |
16 | ## <p> | |
17 | ## Allow all domains to have the kernel load modules | |
18 | ## </p> | |
19 | ## </desc> | |
20 | # | |
21 | gen_tunable(domain_kernel_load_modules, false) | |
fd89e19f | 22 | |
23 | ## <desc> |
24 | ## <p> | |
25 | ## Control the ability to mmap a low area of the address space, | |
26 | ## as configured by /proc/sys/kernel/mmap_min_addr. | |
27 | ## </p> | |
28 | ## </desc> | |
29 | gen_tunable(mmap_low_allowed, false) | |
30 | ||
31 | # Mark process types as domains |
32 | attribute domain; | |
33 | ||
34 | # Transitions only allowed from domains to other domains |
35 | neverallow domain ~domain:process { transition dyntransition }; | |
36 | ||
605ba285 | 37 | # Domains that are unconfined |
95501942 | 38 | attribute unconfined_domain_type; |
605ba285 | 39 | |
40 | # Domains that can mmap low memory. |
41 | attribute mmap_low_domain_type; | |
42 | neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; | |
43 | ||
44 | # Domains that can set their current context |
45 | # (perform dynamic transitions) | |
46 | attribute set_curr_context; | |
47 | ||
48 | # enabling setcurrent breaks process tranquility. If you do not | |
49 | # know what this means or do not understand the implications of a | |
50 | # dynamic transition, you should not be using it!!! | |
51 | neverallow { domain -set_curr_context } self:process setcurrent; | |
52 | ||
53 | # entrypoint executables |
54 | attribute entry_type; | |
55 | ||
56 | # widely-inheritable file descriptors |
57 | attribute privfd; | |
58 | ||
2e863f8a | 59 | # |
8bd67899 | 60 | # constraint related attributes |
61 | # |
62 | ||
63 | # [1] types that can change SELinux identity on transition | |
8bd67899 | 64 | attribute can_change_process_identity; |
65 | |
66 | # [2] types that can change SELinux role on transition | |
8bd67899 | 67 | attribute can_change_process_role; |
68 | |
69 | # [3] types that can change the SELinux identity on a filesystem | |
70 | # object or a socket object on a create or relabel | |
71 | attribute can_change_object_identity; |
72 | ||
73 | # [3] types that can change to system_u:system_r |
74 | attribute can_system_change; | |
a154cd45 | 75 | |
76 | # [4] types that have attribute 1 can change the SELinux |
77 | # identity only if the target domain has this attribute. | |
78 | # Types that have attribute 2 can change the SELinux role | |
79 | # only if the target domain has this attribute. | |
80 | attribute process_user_target; | |
81 | ||
82 | # For cron jobs | |
83 | # [5] types used for cron daemons | |
84 | attribute cron_source_domain; | |
85 | # [6] types used for cron jobs | |
86 | attribute cron_job_domain; | |
87 | ||
88 | # [7] types that are unconditionally exempt from | |
89 | # SELinux identity and role change constraints | |
90 | attribute process_uncond_exempt; # add userhelperdomain to this one | |
2a3478cf | 91 | |
e0dfbdf1 | 92 | neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; |
2e863f8a | 93 | neverallow ~{ domain unlabeled_t } *:process *; |
94 | |
95 | ######################################## | |
96 | # | |
97 | # Rules applied to all domains | |
98 | # | |
99 | ||
1f6524ae | 100 | # read /proc/(pid|self) entries |
101 | allow domain self:dir list_dir_perms; |
102 | allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; | |
3cfd4876 | 103 | allow domain self:file rw_file_perms; |
1f6524ae | 104 | kernel_read_proc_symlinks(domain) |
105 | kernel_read_crypto_sysctls(domain) |
106 | ||
107 | # Every domain gets the key ring, so we should default |
108 | # to no one allowed to look at it; afs kernel support creates | |
109 | # a keyring | |
110 | kernel_dontaudit_search_key(domain) | |
111 | kernel_dontaudit_link_key(domain) | |
3eaa9939 | 112 | kernel_dontaudit_search_debugfs(domain) |
113 | |
114 | # create child processes in the domain | |
3eaa9939 | 115 | allow domain self:process { fork getsched sigchld }; |
116 | |
117 | # Use trusted objects in /dev | |
118 | dev_rw_null(domain) | |
119 | dev_rw_zero(domain) | |
120 | term_use_controlling_term(domain) | |
121 | ||
122 | # list the root directory | |
123 | files_list_root(domain) | |
124 | # allow all domains to search through default_t directory, since users sometimes |
125 | # place labels within these directories. (samba_share_t) for example. | |
126 | files_search_default(domain) | |
3cfd4876 | 127 | |
128 | # All executables should be able to search the directory they are in |
129 | corecmd_search_bin(domain) | |
130 | ||
131 | tunable_policy(`domain_kernel_load_modules',` | |
132 | kernel_request_load_module(domain) | |
133 | ') | |
134 | ||
135 | tunable_policy(`global_ssp',` |
136 | # enable reading of urandom for all domains: | |
137 | # this should be enabled when all programs | |
138 | # are compiled with ProPolice/SSP | |
139 | # stack smashing protection. | |
140 | dev_read_urand(domain) | |
141 | ') | |
b518fc2e | 142 | |
143 | optional_policy(` |
144 | afs_rw_cache(domain) | |
145 | ') | |
146 | ||
147 | optional_policy(` |
148 | libs_use_ld_so(domain) | |
149 | libs_use_shared_libs(domain) | |
3eaa9939 | 150 | libs_read_lib_files(domain) |
151 | ') |
152 | ||
153 | optional_policy(` |
154 | setrans_translate_context(domain) | |
155 | ') | |
156 | ||
157 | # xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains. |
158 | optional_policy(` | |
159 | xserver_dontaudit_use_xdm_fds(domain) | |
160 | xserver_dontaudit_rw_xdm_pipes(domain) | |
161 | xserver_dontaudit_append_xdm_home_files(domain) |
162 | xserver_dontaudit_write_log(domain) | |
163 | ') |
164 | ||
165 | ######################################## |
166 | # | |
167 | # Unconfined access to this module | |
168 | # | |
169 | ||
170 | # unconfined access also allows constraints, but this | |
171 | # is handled in the interface as typeattribute cannot | |
172 | # be used on an attribute. | |
173 | ||
174 | # Use/sendto/connectto sockets created by any domain. | |
175 | allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; | |
176 | ||
177 | # Use descriptors and pipes created by any domain. | |
178 | allow unconfined_domain_type domain:fd use; | |
179 | allow unconfined_domain_type domain:fifo_file rw_file_perms; | |
180 | ||
181 | allow unconfined_domain_type unconfined_domain_type:dbus send_msg; |
182 | ||
183 | # Act upon any other process. |
184 | allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; | |
185 | ||
186 | # Create/access any System V IPC objects. | |
187 | allow unconfined_domain_type domain:{ sem msgq shm } *; | |
188 | allow unconfined_domain_type domain:msg { send receive }; | |
189 | ||
190 | # For /proc/pid | |
ef659a47 | 191 | allow unconfined_domain_type domain:dir list_dir_perms; |
a65fd90a | 192 | allow unconfined_domain_type domain:file rw_file_perms; |
ef659a47 | 193 | allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; |
194 | |
195 | # act on all domains keys | |
196 | allow unconfined_domain_type domain:key *; | |
197 | |
198 | # receive from all domains over labeled networking | |
199 | domain_all_recvfrom_all_domains(unconfined_domain_type) | |
200 | |
201 | selinux_getattr_fs(domain) | |
202 | selinux_search_fs(domain) | |
203 | selinux_dontaudit_read_fs(domain) | |
204 | ||
205 | optional_policy(` |
206 | seutil_dontaudit_read_config(domain) | |
207 | ') | |
3eaa9939 | 208 | |
209 | optional_policy(` |
210 | init_sigchld(domain) | |
211 | init_signull(domain) | |
212 | ') | |
213 | |
214 | ifdef(`distro_redhat',` | |
215 | files_search_mnt(domain) | |
216 | optional_policy(` | |
217 | unconfined_use_fds(domain) | |
218 | ') | |
219 | ') | |
220 | ||
221 | # these seem questionable: | |
222 | ||
223 | optional_policy(` | |
224 | abrt_domtrans_helper(domain) | |
225 | abrt_read_pid_files(domain) | |
226 | abrt_read_state(domain) | |
227 | abrt_signull(domain) | |
228 | ') |
229 | ||
230 | optional_policy(` | |
231 | rpm_use_fds(domain) | |
232 | rpm_read_pipes(domain) | |
233 | rpm_search_log(domain) | |
234 | rpm_append_tmp_files(domain) | |
235 | rpm_dontaudit_leaks(domain) | |
236 | rpm_read_script_tmp_files(domain) | |
237 | rpm_inherited_fifo(domain) | |
238 | ') | |
239 | ||
240 | optional_policy(` | |
241 | sosreport_append_tmp_files(domain) | |
242 | ') | |
243 | ||
244 | tunable_policy(`allow_domain_fd_use',` | |
245 | # Allow all domains to use fds passed to them | |
246 | allow domain domain:fd use; | |
247 | ') | |
248 | ||
249 | optional_policy(` | |
250 | cron_dontaudit_write_system_job_tmp_files(domain) | |
251 | cron_rw_pipes(domain) | |
252 | cron_rw_system_job_pipes(domain) | |
253 | ') | |
254 | ||
255 | ifdef(`hide_broken_symptoms',` | |
256 | dontaudit domain self:udp_socket listen; | |
# NOTE(review): unlike the dontaudit rules around it, the next line is an allow:
# it grants every domain link/search on every other domain's keys, while the
# comment above the kernel_dontaudit_search_key rule says keyring access should
# default to denied. Confirm this is meant to grant access rather than silence denials.
257 | allow domain domain:key { link search }; | |
54f9ea9e | 258 | dontaudit domain domain:socket_class_set { read write }; |
c7c7cd24 | 259 | dontaudit domain self:capability sys_module; |
260 | ') |
261 | ||
262 | optional_policy(` |
263 | hal_dontaudit_read_pid_files(domain) | |
264 | ') | |
265 | ||
266 | optional_policy(` |
267 | ipsec_match_default_spd(domain) | |
268 | ') | |
269 | ||
270 | optional_policy(` |
271 | ifdef(`hide_broken_symptoms',` | |
272 | afs_rw_udp_sockets(domain) | |
273 | ') | |
274 | ') | |
275 | ||
276 | optional_policy(` | |
277 | ssh_rw_pipes(domain) | |
278 | ') | |
279 | ||
280 | optional_policy(` | |
281 | unconfined_dontaudit_rw_pipes(domain) | |
282 | unconfined_sigchld(domain) | |
283 | ') | |
284 | ||
285 | # broken kernel | |
286 | dontaudit can_change_object_identity can_change_object_identity:key link; | |
54f9ea9e | 287 | |
# NOTE(review): this distro_redhat / unconfined_use_fds block repeats the
# ifdef(`distro_redhat') block earlier in this file; one copy can be dropped.
288 | ifdef(`distro_redhat',` |
289 | optional_policy(` | |
290 | unconfined_use_fds(domain) | |
291 | ') | |
292 | ') | |
293 | ||
294 | # send init a sigchld and signull | |
# NOTE(review): duplicate of the init_sigchld/init_signull optional_policy block above.
295 | optional_policy(` | |
296 | init_sigchld(domain) | |
297 | init_signull(domain) | |
298 | ') | |
299 | ||
300 | # these seem questionable: | |
301 | ||
# NOTE(review): rpm_use_fds and rpm_read_pipes are already granted in the
# larger rpm optional_policy block above; this block adds nothing.
302 | optional_policy(` | |
303 | rpm_use_fds(domain) | |
304 | rpm_read_pipes(domain) | |
305 | ') | |
306 | ||
# NOTE(review): selinux_getattr_fs(domain) is allowed unconditionally above, so the
# dontaudit of getattr here is redundant; selinux_dontaudit_read_fs(domain) is also
# already applied unconditionally above.
307 | optional_policy(` | |
308 | selinux_dontaudit_getattr_fs(domain) | |
309 | selinux_dontaudit_read_fs(domain) | |
310 | ') | |
311 | ||
# NOTE(review): duplicate of the seutil_dontaudit_read_config optional_policy block above.
312 | optional_policy(` | |
313 | seutil_dontaudit_read_config(domain) | |
314 | ') |