3 # Define the constraints
5 # constrain class_set perm_set expression ;
7 # expression : ( expression )
9 # | expression and expression
10 # | expression or expression
22 # role_op : == | != | eq | dom | domby | incomp
24 # names : name | { name_list }
25 # name_list : name | name_list name
28 define(`basic_ubac_conditions',`
33 or t1 != ubac_constrained_type
34 or t2 != ubac_constrained_type
38 define(`basic_ubac_constraint',`
40 constrain $1 all_$1_perms
47 define(`exempted_ubac_constraint',`
49 constrain $1 all_$1_perms
57 ########################################
62 exempted_ubac_constraint(dir, ubacfile)
63 exempted_ubac_constraint(file, ubacfile)
64 exempted_ubac_constraint(lnk_file, ubacfile)
65 exempted_ubac_constraint(fifo_file, ubacfile)
66 exempted_ubac_constraint(sock_file, ubacfile)
67 exempted_ubac_constraint(chr_file, ubacfile)
68 exempted_ubac_constraint(blk_file, ubacfile)
70 # SELinux object identity change constraint:
71 constrain dir_file_class_set { create relabelto relabelfrom }
74 or t1 == can_change_object_identity
77 ########################################
83 constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
90 constrain process { transition noatsecure siginh rlimitinh }
93 or ( t1 == can_change_process_identity and t2 == process_user_target )
94 or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
95 or ( t1 == can_system_change and u2 == system_u )
96 or ( t1 == process_uncond_exempt )
99 constrain process { transition noatsecure siginh rlimitinh }
102 or ( t1 == can_change_process_role and t2 == process_user_target )
103 or ( t1 == cron_source_domain and t2 == cron_job_domain )
104 or ( t1 == can_system_change and r2 == system_r )
105 or ( t1 == process_uncond_exempt )
108 constrain process dyntransition
111 or ( t1 == can_change_process_identity and t2 == process_user_target )
114 constrain process dyntransition
117 or ( t1 == can_change_process_identity and t2 == process_user_target )
121 # These permissions do not have ubac constraints:
132 ########################################
134 # File descriptor rules
137 exempted_ubac_constraint(fd, ubacfd)
139 ########################################
144 exempted_ubac_constraint(socket, ubacsock)
145 exempted_ubac_constraint(tcp_socket, ubacsock)
146 exempted_ubac_constraint(udp_socket, ubacsock)
147 exempted_ubac_constraint(rawip_socket, ubacsock)
148 exempted_ubac_constraint(netlink_socket, ubacsock)
149 exempted_ubac_constraint(packet_socket, ubacsock)
150 exempted_ubac_constraint(key_socket, ubacsock)
151 exempted_ubac_constraint(unix_stream_socket, ubacsock)
152 exempted_ubac_constraint(unix_dgram_socket, ubacsock)
153 exempted_ubac_constraint(netlink_route_socket, ubacsock)
154 exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
155 exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
156 exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
157 exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
158 exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
159 exempted_ubac_constraint(netlink_audit_socket, ubacsock)
160 exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
161 exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
162 exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
163 exempted_ubac_constraint(appletalk_socket, ubacsock)
164 exempted_ubac_constraint(dccp_socket, ubacsock)
165 exempted_ubac_constraint(tun_socket, ubacsock)
167 constrain socket_class_set { create relabelto relabelfrom }
170 or t1 == can_change_object_identity
173 ########################################
177 exempted_ubac_constraint(sem, ubacipc)
178 exempted_ubac_constraint(msg, ubacipc)
179 exempted_ubac_constraint(msgq, ubacipc)
180 exempted_ubac_constraint(shm, ubacipc)
181 exempted_ubac_constraint(ipc, ubacipc)
183 ########################################
188 exempted_ubac_constraint(x_drawable, ubacxwin)
189 exempted_ubac_constraint(x_screen, ubacxwin)
190 exempted_ubac_constraint(x_gc, ubacxwin)
191 exempted_ubac_constraint(x_font, ubacxwin)
192 exempted_ubac_constraint(x_colormap, ubacxwin)
193 exempted_ubac_constraint(x_property, ubacxwin)
194 exempted_ubac_constraint(x_selection, ubacxwin)
195 exempted_ubac_constraint(x_cursor, ubacxwin)
196 exempted_ubac_constraint(x_client, ubacxwin)
197 exempted_ubac_constraint(x_device, ubacxwin)
198 exempted_ubac_constraint(x_server, ubacxwin)
199 exempted_ubac_constraint(x_extension, ubacxwin)
200 exempted_ubac_constraint(x_resource, ubacxwin)
201 exempted_ubac_constraint(x_event, ubacxwin)
202 exempted_ubac_constraint(x_synthetic_event, ubacxwin)
203 exempted_ubac_constraint(x_application_data, ubacxwin)
205 ########################################
210 exempted_ubac_constraint(dbus, ubacdbus)
212 ########################################
217 exempted_ubac_constraint(key, ubackey)
219 ########################################
224 exempted_ubac_constraint(db_database, ubacdb)
225 exempted_ubac_constraint(db_table, ubacdb)
226 exempted_ubac_constraint(db_procedure, ubacdb)
227 exempted_ubac_constraint(db_column, ubacdb)
228 exempted_ubac_constraint(db_tuple, ubacdb)
229 exempted_ubac_constraint(db_blob, ubacdb)
233 basic_ubac_constraint(association)
234 basic_ubac_constraint(peer)
237 # these classes have no UBAC restrictions
242 #class passwd # userspace
247 #class nscd # userspace
248 #class context # userspace
252 undefine(`basic_ubac_constraint')
253 undefine(`basic_ubac_conditions')
254 undefine(`exempted_ubac_constraint')