1
2 #
3 # Define the constraints
4 #
5 # constrain class_set perm_set expression ;
6 #
7 # expression : ( expression )
8 # | not expression
9 # | expression and expression
10 # | expression or expression
11 # | u1 op u2
12 # | r1 role_op r2
13 # | t1 op t2
14 # | u1 op names
15 # | u2 op names
16 # | r1 op names
17 # | r2 op names
18 # | t1 op names
19 # | t2 op names
20 #
21 # op : == | !=
22 # role_op : == | != | eq | dom | domby | incomp
23 #
24 # names : name | { name_list }
25 # name_list : name | name_list name
26 #
27
#
# basic_ubac_conditions
#
# Shared body of every UBAC (user based access control) constraint in this
# file.  It is an expression fragment, not a full constraint, so callers must
# wrap it in parentheses.  It expands to nothing unless enable_ubac is
# defined, and so do the constraints built on it.
#
# The access is allowed (constraint satisfied) when any of these hold:
#   - subject and object carry the same SELinux user (u1 == u2)
#   - either side is the system_u user
#   - either side has a type outside the ubac_constrained_type attribute
# In other words UBAC only bites when both types are ubac_constrained_type,
# the users differ, and neither user is system_u.
#
define(`basic_ubac_conditions',`
ifdef(`enable_ubac',`
u1 == u2
or u1 == system_u
or u2 == system_u
or t1 != ubac_constrained_type
or t2 != ubac_constrained_type
')
')
37
#
# basic_ubac_constraint(class)
#
# Emit a UBAC constraint covering every permission of the given class
# (all_<class>_perms) with no type based exemption: the only escapes are the
# ones built into basic_ubac_conditions.  Used below for the association and
# peer classes.  Expands to nothing unless enable_ubac is defined.
#
define(`basic_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
basic_ubac_conditions
);
')
')
46
#
# exempted_ubac_constraint(class, exempt_attribute)
#
# Like basic_ubac_constraint, but additionally satisfied whenever the
# subject type (t1) carries the attribute given as $2.  The exemption is on
# the subject side only: the type of the object (t2) is not consulted, so a
# type in the exempt attribute escapes UBAC as an actor, not as a target.
# Expands to nothing unless enable_ubac is defined.
#
define(`exempted_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
basic_ubac_conditions
or t1 == $2
);
')
')
56
57 ########################################
58 #
59 # File rules
60 #
61
# UBAC over all permissions of the file-like classes.  A subject type with
# the ubacfile attribute is exempt; object types are not.  Nothing is
# emitted unless enable_ubac is defined.
exempted_ubac_constraint(dir, ubacfile)
exempted_ubac_constraint(file, ubacfile)
exempted_ubac_constraint(lnk_file, ubacfile)
exempted_ubac_constraint(fifo_file, ubacfile)
exempted_ubac_constraint(sock_file, ubacfile)
exempted_ubac_constraint(chr_file, ubacfile)
exempted_ubac_constraint(blk_file, ubacfile)
69
# SELinux object identity change constraint:
# Unconditional (not tied to enable_ubac).  Creating or relabelling a
# file-like object whose SELinux user differs from that of the creating or
# relabelling process is only allowed when the subject type carries the
# can_change_object_identity attribute.  This constraint looks only at the
# user field (u1/u2) and the subject type; it places no restriction on the
# role or the type of the new label.
constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);
76
77 ########################################
78 #
79 # Process rules
80 #
81
# UBAC for process to process operations: signals, ptrace, the
# sched/session/pgid/capability getters and setters, share, getattr and
# setrlimit.  A subject type with the ubacproc attribute is exempt.  Process
# permissions not in this list (fork, setexec, setcurrent, execmem, ...,
# see the list below) are not UBAC constrained at all.  Nothing is emitted
# unless enable_ubac is defined.
ifdef(`enable_ubac',`
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
(
basic_ubac_conditions
or t1 == ubacproc
);
')
89
# Who may change the SELinux user of a process across an exec transition.
# The same rule is applied to the noatsecure, siginh and rlimitinh
# permissions that are checked on the same transition.  Always active, not
# tied to enable_ubac.  Satisfied when:
#   - the user is unchanged (u1 == u2), or
#   - the subject has can_change_process_identity and the new type is a
#     process_user_target, or
#   - the subject is a cron_source_domain and the new type is a
#     cron_job_domain or the new user is system_u, or
#   - the subject has can_system_change and the new user is system_u, or
#   - the subject type carries process_uncond_exempt (no further check at
#     all; keep membership of that attribute as small as possible).
constrain process { transition noatsecure siginh rlimitinh }
(
u1 == u2
or ( t1 == can_change_process_identity and t2 == process_user_target )
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == can_system_change and u2 == system_u )
or ( t1 == process_uncond_exempt )
);
98
# Who may change the SELinux role of a process across an exec transition
# (same permission set as the user constraint above; both constraints must
# be satisfied).  Always active, not tied to enable_ubac.  Satisfied when:
#   - the role is unchanged (r1 == r2), or
#   - the subject has can_change_process_role and the new type is a
#     process_user_target, or
#   - the subject is a cron_source_domain and the new type is a
#     cron_job_domain (no system_r shortcut here, unlike the user rule), or
#   - the subject has can_system_change and the new role is system_r, or
#   - the subject type carries process_uncond_exempt, which bypasses the
#     role check as well as the user check.
constrain process { transition noatsecure siginh rlimitinh }
(
r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == can_system_change and r2 == system_r )
or ( t1 == process_uncond_exempt )
);
107
# Dynamic (setcon based) transitions: the SELinux user may only change when
# the subject has can_change_process_identity and the target type is a
# process_user_target.  Note the cron, can_system_change and
# process_uncond_exempt escapes of the exec transition rule do not apply
# here.  Always active, not tied to enable_ubac.
constrain process dyntransition
(
u1 == u2
or ( t1 == can_change_process_identity and t2 == process_user_target )
);
113
# Dynamic transitions: the role may only change when the subject has
# can_change_process_identity and the target type is a process_user_target.
# NOTE(review): the exec transition role rule above is gated by
# can_change_process_role, but this dynamic role rule is gated by
# can_change_process_identity.  So a type granted only the identity
# exemption can also switch role via dyntransition, while a type granted
# only the role exemption cannot dyntransition across roles at all.
# Confirm this asymmetry is intended before relying on either attribute
# for role separation.  process_uncond_exempt does not apply here.
constrain process dyntransition
(
r1 == r2
or ( t1 == can_change_process_identity and t2 == process_user_target )
);
119
120
121 # These permissions do not have ubac constraints:
122 # fork
123 # setexec
124 # setfscreate
125 # setcurrent
126 # execmem
127 # execstack
128 # execheap
129 # setkeycreate
130 # setsockcreate
131
132 ########################################
133 #
134 # File descriptor rules
135 #
136
# UBAC over file descriptor use; subject types with ubacfd are exempt.
exempted_ubac_constraint(fd, ubacfd)
138
139 ########################################
140 #
141 # Socket rules
142 #
143
# UBAC over all permissions of every socket class listed here; subject
# types with ubacsock are exempt.  Socket classes not listed (if any exist
# in the policy) are not UBAC constrained.
exempted_ubac_constraint(socket, ubacsock)
exempted_ubac_constraint(tcp_socket, ubacsock)
exempted_ubac_constraint(udp_socket, ubacsock)
exempted_ubac_constraint(rawip_socket, ubacsock)
exempted_ubac_constraint(netlink_socket, ubacsock)
exempted_ubac_constraint(packet_socket, ubacsock)
exempted_ubac_constraint(key_socket, ubacsock)
exempted_ubac_constraint(unix_stream_socket, ubacsock)
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
exempted_ubac_constraint(netlink_route_socket, ubacsock)
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
exempted_ubac_constraint(tun_socket, ubacsock)
166
# Socket counterpart of the object identity change constraint for files:
# unconditional (not tied to enable_ubac), creating or relabelling a socket
# with a different SELinux user than the subject requires the
# can_change_object_identity attribute on the subject type.  Only the user
# field is constrained; role and type of the new label are not.
constrain socket_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);
172
173 ########################################
174 #
175 # SysV IPC rules
176
# UBAC over System V IPC objects; subject types with ubacipc are exempt.
exempted_ubac_constraint(sem, ubacipc)
exempted_ubac_constraint(msg, ubacipc)
exempted_ubac_constraint(msgq, ubacipc)
exempted_ubac_constraint(shm, ubacipc)
exempted_ubac_constraint(ipc, ubacipc)
182
183 ########################################
184 #
185 # SE-X Windows rules
186 #
187
# UBAC over the X Window System (XACE/SE-X) object classes; subject types
# with ubacxwin are exempt.
exempted_ubac_constraint(x_drawable, ubacxwin)
exempted_ubac_constraint(x_screen, ubacxwin)
exempted_ubac_constraint(x_gc, ubacxwin)
exempted_ubac_constraint(x_font, ubacxwin)
exempted_ubac_constraint(x_colormap, ubacxwin)
exempted_ubac_constraint(x_property, ubacxwin)
exempted_ubac_constraint(x_selection, ubacxwin)
exempted_ubac_constraint(x_cursor, ubacxwin)
exempted_ubac_constraint(x_client, ubacxwin)
exempted_ubac_constraint(x_device, ubacxwin)
exempted_ubac_constraint(x_server, ubacxwin)
exempted_ubac_constraint(x_extension, ubacxwin)
exempted_ubac_constraint(x_resource, ubacxwin)
exempted_ubac_constraint(x_event, ubacxwin)
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
exempted_ubac_constraint(x_application_data, ubacxwin)
204
205 ########################################
206 #
207 # D-BUS rules
208 #
209
# UBAC over D-Bus messaging; subject types with ubacdbus are exempt.
exempted_ubac_constraint(dbus, ubacdbus)
211
212 ########################################
213 #
214 # Key rules
215 #
216
# UBAC over kernel keyring keys; subject types with ubackey are exempt.
exempted_ubac_constraint(key, ubackey)
218
219 ########################################
220 #
221 # Database rules
222 #
223
# UBAC over the database (SE-PostgreSQL style) object classes; subject
# types with ubacdb are exempt.
exempted_ubac_constraint(db_database, ubacdb)
exempted_ubac_constraint(db_table, ubacdb)
exempted_ubac_constraint(db_procedure, ubacdb)
exempted_ubac_constraint(db_column, ubacdb)
exempted_ubac_constraint(db_tuple, ubacdb)
exempted_ubac_constraint(db_blob, ubacdb)
230
231
232
# Network labeling classes (IPsec association, peer): UBAC with no
# subject-side exemption attribute, so the only escapes are the ones in
# basic_ubac_conditions (same user, system_u, or a type outside
# ubac_constrained_type).
basic_ubac_constraint(association)
basic_ubac_constraint(peer)
235
236
237 # these classes have no UBAC restrictions
238 #class security
239 #class system
240 #class capability
241 #class memprotect
242 #class passwd # userspace
243 #class node
244 #class netif
245 #class packet
246 #class capability2
247 #class nscd # userspace
248 #class context # userspace
249
250
251
# Remove the helper macros so they cannot be expanded, by accident or
# otherwise, in any input that the same m4 run processes after this file.
undefine(`basic_ubac_constraint')
undefine(`basic_ubac_conditions')
undefine(`exempted_ubac_constraint')