[people/stevee/selinux-policy.git] / policy / constraints


#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression ) 
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_op r2
#	     | t1 op t2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#
# op : == | != 
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name		
#

define(`basic_ubac_conditions',`
	ifdef(`enable_ubac',`
		u1 == u2
		or u1 == system_u
		or u2 == system_u
		or t1 != ubac_constrained_type
		or t2 != ubac_constrained_type
	')
')

define(`basic_ubac_constraint',`
	ifdef(`enable_ubac',`
		constrain $1 all_$1_perms
		(
			basic_ubac_conditions
		);
	')
')

define(`exempted_ubac_constraint',`
	ifdef(`enable_ubac',`
		constrain $1 all_$1_perms
		(
			basic_ubac_conditions
			or t1 == $2
		);
	')
')

########################################
#
# File rules
#

exempted_ubac_constraint(dir, ubacfile)
exempted_ubac_constraint(file, ubacfile)
exempted_ubac_constraint(lnk_file, ubacfile)
exempted_ubac_constraint(fifo_file, ubacfile)
exempted_ubac_constraint(sock_file, ubacfile)
exempted_ubac_constraint(chr_file, ubacfile)
exempted_ubac_constraint(blk_file, ubacfile)

# SELinux object identity change constraint:
constrain dir_file_class_set { create relabelto relabelfrom } 
(
	u1 == u2
	or t1 == can_change_object_identity
);

########################################
#
# Process rules
#

ifdef(`enable_ubac',`
	constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
	(
		basic_ubac_conditions
		or t1 == ubacproc
	);
')

constrain process { transition noatsecure siginh rlimitinh }
(
	u1 == u2
	or ( t1 == can_change_process_identity and t2 == process_user_target )
       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
	or ( t1 == can_system_change and u2 == system_u )
	or ( t1 == process_uncond_exempt )
);

constrain process { transition noatsecure siginh rlimitinh }
(
	r1 == r2 
	or ( t1 == can_change_process_role and t2 == process_user_target )
   	or ( t1 == cron_source_domain and t2 == cron_job_domain )
	or ( t1 == can_system_change and r2 == system_r )
	or ( t1 == process_uncond_exempt )
);

constrain process dyntransition
(
	u1 == u2 and r1 == r2
);

# These permissions do not have ubac constraints:
# fork
# setexec
# setfscreate
# setcurrent
# execmem
# execstack
# execheap
# setkeycreate
# setsockcreate

########################################
#
# File descriptor rules
#

exempted_ubac_constraint(fd, ubacfd)

########################################
#
# Socket rules
#

exempted_ubac_constraint(socket, ubacsock)
exempted_ubac_constraint(tcp_socket, ubacsock)
exempted_ubac_constraint(udp_socket, ubacsock)
exempted_ubac_constraint(rawip_socket, ubacsock)
exempted_ubac_constraint(netlink_socket, ubacsock)
exempted_ubac_constraint(packet_socket, ubacsock)
exempted_ubac_constraint(key_socket, ubacsock)
exempted_ubac_constraint(unix_stream_socket, ubacsock)
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
exempted_ubac_constraint(netlink_route_socket, ubacsock)
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
exempted_ubac_constraint(tun_socket, ubacsock)

constrain socket_class_set { create relabelto relabelfrom } 
(
	u1 == u2
	or t1 == can_change_object_identity
);

########################################
#
# SysV IPC rules

exempted_ubac_constraint(sem, ubacipc)
exempted_ubac_constraint(msg, ubacipc)
exempted_ubac_constraint(msgq, ubacipc)
exempted_ubac_constraint(shm, ubacipc)
exempted_ubac_constraint(ipc, ubacipc)

########################################
#
# SE-X Windows rules
#

exempted_ubac_constraint(x_drawable, ubacxwin)
exempted_ubac_constraint(x_screen, ubacxwin)
exempted_ubac_constraint(x_gc, ubacxwin)
exempted_ubac_constraint(x_font, ubacxwin)
exempted_ubac_constraint(x_colormap, ubacxwin)
exempted_ubac_constraint(x_property, ubacxwin)
exempted_ubac_constraint(x_selection, ubacxwin)
exempted_ubac_constraint(x_cursor, ubacxwin)
exempted_ubac_constraint(x_client, ubacxwin)
exempted_ubac_constraint(x_device, ubacxwin)
exempted_ubac_constraint(x_server, ubacxwin)
exempted_ubac_constraint(x_extension, ubacxwin)
exempted_ubac_constraint(x_resource, ubacxwin)
exempted_ubac_constraint(x_event, ubacxwin)
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
exempted_ubac_constraint(x_application_data, ubacxwin)

########################################
#
# D-BUS rules
#

exempted_ubac_constraint(dbus, ubacdbus)

########################################
#
# Key rules
#

exempted_ubac_constraint(key, ubackey)

########################################
#
# Database rules
#

exempted_ubac_constraint(db_database, ubacdb)
exempted_ubac_constraint(db_table, ubacdb)
exempted_ubac_constraint(db_procedure, ubacdb)
exempted_ubac_constraint(db_column, ubacdb)
exempted_ubac_constraint(db_tuple, ubacdb)
exempted_ubac_constraint(db_blob, ubacdb)


basic_ubac_constraint(association)
basic_ubac_constraint(peer)


# these classes have no UBAC restrictions
#class security
#class system
#class capability
#class memprotect
#class passwd			# userspace
#class node
#class netif
#class packet
#class capability2
#class nscd			# userspace
#class context			# userspace


undefine(`basic_ubac_constraint')
undefine(`basic_ubac_conditions')
undefine(`exempted_ubac_constraint')
Commit	Line	Data
134191be	1
134191be CP	2	#
	3	# Define the constraints
	4	#
	5	# constrain class_set perm_set expression ;
	6	#
	7	# expression : ( expression )
	8	# \| not expression
	9	# \| expression and expression
	10	# \| expression or expression
	11	# \| u1 op u2
	12	# \| r1 role_op r2
	13	# \| t1 op t2
	14	# \| u1 op names
	15	# \| u2 op names
	16	# \| r1 op names
	17	# \| r2 op names
	18	# \| t1 op names
	19	# \| t2 op names
	20	#
	21	# op : == \| !=
	22	# role_op : == \| != \| eq \| dom \| domby \| incomp
	23	#
	24	# names : name \| { name_list }
	25	# name_list : name \| name_list name
	26	#
	27
296273a7 CP	28	define(`basic_ubac_conditions',`
	29	ifdef(`enable_ubac',`
	30	u1 == u2
	31	or u1 == system_u
	32	or u2 == system_u
	33	or t1 != ubac_constrained_type
	34	or t2 != ubac_constrained_type
	35	')
	36	')
	37
	38	define(`basic_ubac_constraint',`
	39	ifdef(`enable_ubac',`
	40	constrain $1 all_$1_perms
	41	(
	42	basic_ubac_conditions
	43	);
	44	')
	45	')
	46
	47	define(`exempted_ubac_constraint',`
	48	ifdef(`enable_ubac',`
	49	constrain $1 all_$1_perms
	50	(
	51	basic_ubac_conditions
	52	or t1 == $2
	53	);
	54	')
	55	')
	56
	57	########################################
134191be	58	#
296273a7	59	# File rules
134191be	60	#
296273a7 CP	61
	62	exempted_ubac_constraint(dir, ubacfile)
	63	exempted_ubac_constraint(file, ubacfile)
	64	exempted_ubac_constraint(lnk_file, ubacfile)
	65	exempted_ubac_constraint(fifo_file, ubacfile)
	66	exempted_ubac_constraint(sock_file, ubacfile)
	67	exempted_ubac_constraint(chr_file, ubacfile)
	68	exempted_ubac_constraint(blk_file, ubacfile)
	69
5b6bd092	70	# SELinux object identity change constraint:
296273a7	71	constrain dir_file_class_set { create relabelto relabelfrom }
350b6ab7 CP	72	(
350b6ab7 CP	73	u1 == u2
296273a7 CP	74	or t1 == can_change_object_identity
296273a7 CP	75	);
2e863f8a	76
296273a7 CP	77	########################################
	78	#
	79	# Process rules
	80	#
c98340cf	81
23d5ab8d CP	82	ifdef(`enable_ubac',`
	83	constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
	84	(
	85	basic_ubac_conditions
	86	or t1 == ubacproc
	87	);
	88	')
bd56da4a	89
296273a7 CP	90	constrain process { transition noatsecure siginh rlimitinh }
	91	(
	92	u1 == u2
	93	or ( t1 == can_change_process_identity and t2 == process_user_target )
	94	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
350b6ab7	95	or ( t1 == can_system_change and u2 == system_u )
350b6ab7 CP	96	or ( t1 == process_uncond_exempt )
350b6ab7 CP	97	);
134191be	98
296273a7	99	constrain process { transition noatsecure siginh rlimitinh }
350b6ab7	100	(
f657cb14 CP	101	r1 == r2
	102	or ( t1 == can_change_process_role and t2 == process_user_target )
	103	or ( t1 == cron_source_domain and t2 == cron_job_domain )
	104	or ( t1 == can_system_change and r2 == system_r )
350b6ab7 CP	105	or ( t1 == process_uncond_exempt )
350b6ab7 CP	106	);
134191be	107
134191be	108	constrain process dyntransition
bd56da4a CP	109	(
	110	u1 == u2 and r1 == r2
	111	);
134191be	112
296273a7 CP	113	# These permissions do not have ubac constraints:
	114	# fork
	115	# setexec
	116	# setfscreate
	117	# setcurrent
	118	# execmem
	119	# execstack
	120	# execheap
	121	# setkeycreate
	122	# setsockcreate
	123
	124	########################################
134191be	125	#
296273a7	126	# File descriptor rules
134191be	127	#
bd56da4a	128
296273a7 CP	129	exempted_ubac_constraint(fd, ubacfd)
	130
	131	########################################
	132	#
	133	# Socket rules
	134	#
	135
	136	exempted_ubac_constraint(socket, ubacsock)
	137	exempted_ubac_constraint(tcp_socket, ubacsock)
	138	exempted_ubac_constraint(udp_socket, ubacsock)
	139	exempted_ubac_constraint(rawip_socket, ubacsock)
	140	exempted_ubac_constraint(netlink_socket, ubacsock)
	141	exempted_ubac_constraint(packet_socket, ubacsock)
	142	exempted_ubac_constraint(key_socket, ubacsock)
	143	exempted_ubac_constraint(unix_stream_socket, ubacsock)
	144	exempted_ubac_constraint(unix_dgram_socket, ubacsock)
	145	exempted_ubac_constraint(netlink_route_socket, ubacsock)
	146	exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
	147	exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
	148	exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
	149	exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
	150	exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
	151	exempted_ubac_constraint(netlink_audit_socket, ubacsock)
	152	exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
	153	exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
	154	exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
	155	exempted_ubac_constraint(appletalk_socket, ubacsock)
	156	exempted_ubac_constraint(dccp_socket, ubacsock)
9711c7bd	157	exempted_ubac_constraint(tun_socket, ubacsock)
134191be CP	158
134191be CP	159	constrain socket_class_set { create relabelto relabelfrom }
bd56da4a CP	160	(
bd56da4a CP	161	u1 == u2
bd56da4a CP	162	or t1 == can_change_object_identity
bd56da4a CP	163	);
296273a7 CP	164
	165	########################################
	166	#
	167	# SysV IPC rules
	168
	169	exempted_ubac_constraint(sem, ubacipc)
	170	exempted_ubac_constraint(msg, ubacipc)
	171	exempted_ubac_constraint(msgq, ubacipc)
	172	exempted_ubac_constraint(shm, ubacipc)
	173	exempted_ubac_constraint(ipc, ubacipc)
	174
	175	########################################
	176	#
	177	# SE-X Windows rules
	178	#
	179
	180	exempted_ubac_constraint(x_drawable, ubacxwin)
	181	exempted_ubac_constraint(x_screen, ubacxwin)
	182	exempted_ubac_constraint(x_gc, ubacxwin)
	183	exempted_ubac_constraint(x_font, ubacxwin)
	184	exempted_ubac_constraint(x_colormap, ubacxwin)
	185	exempted_ubac_constraint(x_property, ubacxwin)
	186	exempted_ubac_constraint(x_selection, ubacxwin)
	187	exempted_ubac_constraint(x_cursor, ubacxwin)
	188	exempted_ubac_constraint(x_client, ubacxwin)
	189	exempted_ubac_constraint(x_device, ubacxwin)
	190	exempted_ubac_constraint(x_server, ubacxwin)
	191	exempted_ubac_constraint(x_extension, ubacxwin)
	192	exempted_ubac_constraint(x_resource, ubacxwin)
	193	exempted_ubac_constraint(x_event, ubacxwin)
	194	exempted_ubac_constraint(x_synthetic_event, ubacxwin)
	195	exempted_ubac_constraint(x_application_data, ubacxwin)
	196
	197	########################################
	198	#
	199	# D-BUS rules
	200	#
	201
	202	exempted_ubac_constraint(dbus, ubacdbus)
	203
	204	########################################
	205	#
	206	# Key rules
	207	#
	208
	209	exempted_ubac_constraint(key, ubackey)
	210
	211	########################################
	212	#
	213	# Database rules
	214	#
	215
	216	exempted_ubac_constraint(db_database, ubacdb)
	217	exempted_ubac_constraint(db_table, ubacdb)
	218	exempted_ubac_constraint(db_procedure, ubacdb)
	219	exempted_ubac_constraint(db_column, ubacdb)
	220	exempted_ubac_constraint(db_tuple, ubacdb)
	221	exempted_ubac_constraint(db_blob, ubacdb)
	222
	223
	224
	225	basic_ubac_constraint(association)
	226	basic_ubac_constraint(peer)
	227
228
229	# these classes have no UBAC restrictions
230	#class security
231	#class system
232	#class capability
233	#class memprotect
234	#class passwd # userspace
235	#class node
236	#class netif
237	#class packet
238	#class capability2
239	#class nscd # userspace
240	#class context # userspace
241
242
243
244	undefine(`basic_ubac_constraint')
245	undefine(`basic_ubac_conditions')
246	undefine(`exempted_ubac_constraint')