1 policy_module(selinuxutil, 1.14.0)
7 ########################################
12 attribute can_write_binary_policy;
13 attribute can_relabelto_binary_policy;
16 # selinux_config_t is the type applied to
19 # cjp: this is out of order due to rules
20 # in the domain_type interface
22 type selinux_config_t;
23 files_type(selinux_config_t)
25 type selinux_var_lib_t;
26 files_type(selinux_var_lib_t)
28 type checkpolicy_t, can_write_binary_policy;
29 type checkpolicy_exec_t;
30 application_domain(checkpolicy_t, checkpolicy_exec_t)
31 role system_r types checkpolicy_t;
34 # default_context_t is the type applied to
35 # /etc/selinux/*/contexts/*
37 type default_context_t;
38 files_type(default_context_t)
41 # file_context_t is the type applied to
42 # /etc/selinux/*/contexts/files
45 files_type(file_context_t)
48 type load_policy_exec_t;
49 application_domain(load_policy_t, load_policy_exec_t)
50 role system_r types load_policy_t;
54 application_domain(newrole_t, newrole_exec_t)
55 domain_role_change_exemption(newrole_t)
56 domain_obj_id_change_exemption(newrole_t)
57 domain_interactive_fd(newrole_t)
60 # policy_config_t is the type of /etc/security/selinux/*
61 # the security server policy configuration.
63 #type policy_config_t;
64 #files_type(policy_config_t)
65 typealias semanage_store_t alias policy_config_t;
67 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
68 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
71 # policy_src_t is the type of the policy source
75 files_type(policy_src_t)
78 type restorecond_exec_t;
79 init_daemon_domain(restorecond_t, restorecond_exec_t)
80 domain_obj_id_change_exemption(restorecond_t)
82 type restorecond_var_run_t;
83 files_pid_file(restorecond_var_run_t)
87 application_domain(run_init_t, run_init_exec_t)
88 domain_system_change_exemption(run_init_t)
89 role system_r types run_init_t;
93 application_domain(semanage_t, semanage_exec_t)
94 dbus_system_domain(semanage_t, semanage_exec_t)
95 domain_interactive_fd(semanage_t)
96 role system_r types semanage_t;
99 type setsebool_exec_t;
100 init_system_domain(setsebool_t, setsebool_exec_t)
102 type semanage_store_t;
103 files_type(semanage_store_t)
105 type semanage_read_lock_t;
106 files_type(semanage_read_lock_t)
109 files_tmp_file(semanage_tmp_t)
111 type semanage_trans_lock_t;
112 files_type(semanage_trans_lock_t)
114 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
115 type setfiles_exec_t alias restorecon_exec_t;
116 init_system_domain(setfiles_t, setfiles_exec_t)
117 domain_obj_id_change_exemption(setfiles_t)
120 domain_type(setfiles_mac_t)
121 domain_entry_file(setfiles_mac_t, setfiles_exec_t)
122 domain_obj_id_change_exemption(setfiles_mac_t)
124 ########################################
126 # Checkpolicy local policy
129 allow checkpolicy_t self:capability dac_override;
131 # able to create and modify binary policy files
132 manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
134 # allow test policies to be created in src directories
135 filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
137 # only allow read of policy source files
138 read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
139 read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
140 allow checkpolicy_t selinux_config_t:dir search_dir_perms;
142 domain_use_interactive_fds(checkpolicy_t)
144 files_list_usr(checkpolicy_t)
145 # directory search permissions for path to source and binary policy files
146 files_search_etc(checkpolicy_t)
148 fs_getattr_xattr_fs(checkpolicy_t)
150 term_use_console(checkpolicy_t)
152 init_use_fds(checkpolicy_t)
153 init_use_script_ptys(checkpolicy_t)
155 userdom_use_user_terminals(checkpolicy_t)
156 userdom_use_all_users_fds(checkpolicy_t)
158 ifdef(`distro_ubuntu',`
160 unconfined_domain(checkpolicy_t)
164 ########################################
166 # Load_policy local policy
169 allow load_policy_t self:capability dac_override;
171 # only allow read of policy config files
172 read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
174 domain_use_interactive_fds(load_policy_t)
177 files_read_etc_files(load_policy_t)
178 files_read_etc_runtime_files(load_policy_t)
180 fs_getattr_xattr_fs(load_policy_t)
182 mls_file_read_all_levels(load_policy_t)
184 selinux_load_policy(load_policy_t)
185 selinux_set_all_booleans(load_policy_t)
187 term_use_console(load_policy_t)
188 term_list_ptys(load_policy_t)
190 init_use_script_fds(load_policy_t)
191 init_use_script_ptys(load_policy_t)
192 init_write_script_pipes(load_policy_t)
194 miscfiles_read_localization(load_policy_t)
196 seutil_libselinux_linked(load_policy_t)
198 userdom_use_user_terminals(load_policy_t)
199 userdom_use_all_users_fds(load_policy_t)
201 ifdef(`distro_ubuntu',`
203 unconfined_domain(load_policy_t)
207 ifdef(`hide_broken_symptoms',`
208 # cjp: cover up stray file descriptors.
209 dontaudit load_policy_t selinux_config_t:file write;
212 unconfined_dontaudit_read_pipes(load_policy_t)
216 ########################################
218 # Newrole local policy
221 allow newrole_t self:capability { fowner setuid setgid dac_override };
222 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
223 allow newrole_t self:process setexec;
224 allow newrole_t self:fd use;
225 allow newrole_t self:fifo_file rw_fifo_file_perms;
226 allow newrole_t self:sock_file read_sock_file_perms;
227 allow newrole_t self:shm create_shm_perms;
228 allow newrole_t self:sem create_sem_perms;
229 allow newrole_t self:msgq create_msgq_perms;
230 allow newrole_t self:msg { send receive };
231 allow newrole_t self:unix_dgram_socket sendto;
232 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
233 logging_send_audit_msgs(newrole_t)
235 read_files_pattern(newrole_t, default_context_t, default_context_t)
236 read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
238 kernel_read_system_state(newrole_t)
239 kernel_read_kernel_sysctls(newrole_t)
241 corecmd_list_bin(newrole_t)
242 corecmd_read_bin_symlinks(newrole_t)
244 dev_read_urand(newrole_t)
246 domain_use_interactive_fds(newrole_t)
247 # for when the user types "exec newrole" at the command line:
248 domain_sigchld_interactive_fds(newrole_t)
250 files_read_etc_files(newrole_t)
251 files_read_var_files(newrole_t)
252 files_read_var_symlinks(newrole_t)
254 fs_getattr_xattr_fs(newrole_t)
255 fs_search_auto_mountpoints(newrole_t)
257 mls_file_read_all_levels(newrole_t)
258 mls_file_write_all_levels(newrole_t)
259 mls_file_upgrade(newrole_t)
260 mls_file_downgrade(newrole_t)
261 mls_process_set_level(newrole_t)
262 mls_fd_share_all_levels(newrole_t)
264 selinux_validate_context(newrole_t)
265 selinux_compute_access_vector(newrole_t)
266 selinux_compute_create_context(newrole_t)
267 selinux_compute_relabel_context(newrole_t)
268 selinux_compute_user_contexts(newrole_t)
270 term_use_all_ttys(newrole_t)
271 term_use_all_ptys(newrole_t)
272 term_relabel_all_ttys(newrole_t)
273 term_relabel_all_ptys(newrole_t)
274 term_getattr_unallocated_ttys(newrole_t)
275 term_dontaudit_use_unallocated_ttys(newrole_t)
277 auth_use_pam(newrole_t)
280 init_rw_utmp(newrole_t)
281 init_use_fds(newrole_t)
283 miscfiles_read_localization(newrole_t)
285 seutil_libselinux_linked(newrole_t)
287 userdom_use_unpriv_users_fds(newrole_t)
288 # for some PAM modules and for cwd
289 userdom_dontaudit_search_user_home_content(newrole_t)
290 userdom_search_user_home_dirs(newrole_t)
293 xserver_dontaudit_exec_xauth(newrole_t)
296 ifdef(`distro_ubuntu',`
298 unconfined_domain(newrole_t)
302 # if secure mode is enabled, then newrole
303 # can only transition to unprivileged users
305 userdom_spec_domtrans_unpriv_users(newrole_t)
307 userdom_spec_domtrans_all_users(newrole_t)
310 tunable_policy(`allow_polyinstantiation',`
311 files_polyinstantiate_all(newrole_t)
314 ########################################
316 # Restorecond local policy
319 allow restorecond_t self:capability { dac_override dac_read_search fowner };
320 allow restorecond_t self:fifo_file rw_fifo_file_perms;
322 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
323 files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
325 kernel_use_fds(restorecond_t)
326 kernel_rw_pipes(restorecond_t)
327 kernel_read_system_state(restorecond_t)
329 files_dontaudit_read_all_symlinks(restorecond_t)
331 fs_relabelfrom_noxattr_fs(restorecond_t)
332 fs_dontaudit_list_nfs(restorecond_t)
333 fs_getattr_xattr_fs(restorecond_t)
334 fs_list_inotifyfs(restorecond_t)
336 selinux_validate_context(restorecond_t)
337 selinux_compute_access_vector(restorecond_t)
338 selinux_compute_create_context(restorecond_t)
339 selinux_compute_relabel_context(restorecond_t)
340 selinux_compute_user_contexts(restorecond_t)
342 auth_relabel_all_files_except_shadow(restorecond_t )
343 auth_read_all_files_except_shadow(restorecond_t)
344 auth_use_nsswitch(restorecond_t)
346 locallogin_dontaudit_use_fds(restorecond_t)
348 logging_send_syslog_msg(restorecond_t)
350 miscfiles_read_localization(restorecond_t)
352 seutil_libselinux_linked(restorecond_t)
354 userdom_read_user_home_content_symlinks(restorecond_t)
356 ifdef(`distro_ubuntu',`
358 unconfined_domain(restorecond_t)
363 rpm_use_script_fds(restorecond_t)
366 #################################
368 # Run_init local policy
371 allow run_init_t self:process setexec;
372 allow run_init_t self:capability setuid;
373 allow run_init_t self:fifo_file rw_file_perms;
374 logging_send_audit_msgs(run_init_t)
376 # often the administrator runs such programs from a directory that is owned
377 # by a different user or has restrictive SE permissions, do not want to audit
378 # the failed access to the current directory
379 dontaudit run_init_t self:capability { dac_override dac_read_search };
381 corecmd_exec_bin(run_init_t)
382 corecmd_exec_shell(run_init_t)
384 dev_dontaudit_list_all_dev_nodes(run_init_t)
386 domain_use_interactive_fds(run_init_t)
388 files_read_etc_files(run_init_t)
389 files_dontaudit_search_all_dirs(run_init_t)
391 fs_getattr_xattr_fs(run_init_t)
393 mls_rangetrans_source(run_init_t)
395 selinux_validate_context(run_init_t)
396 selinux_compute_access_vector(run_init_t)
397 selinux_compute_create_context(run_init_t)
398 selinux_compute_relabel_context(run_init_t)
399 selinux_compute_user_contexts(run_init_t)
401 auth_use_nsswitch(run_init_t)
402 auth_domtrans_chk_passwd(run_init_t)
403 auth_domtrans_upd_passwd(run_init_t)
404 auth_dontaudit_read_shadow(run_init_t)
406 init_spec_domtrans_script(run_init_t)
408 init_rw_utmp(run_init_t)
410 logging_send_syslog_msg(run_init_t)
412 miscfiles_read_localization(run_init_t)
414 seutil_libselinux_linked(run_init_t)
415 seutil_read_default_contexts(run_init_t)
417 userdom_use_user_terminals(run_init_t)
419 ifndef(`direct_sysadm_daemon',`
420 ifdef(`distro_gentoo',`
421 # Gentoo integrated run_init:
422 init_script_file_entry_type(run_init_t)
427 rpm_domtrans(run_init_t)
430 ifdef(`distro_ubuntu',`
432 unconfined_domain(run_init_t)
437 daemontools_domtrans_start(run_init_t)
440 ########################################
442 # semodule local policy
445 seutil_semanage_policy(semanage_t)
446 allow semanage_t self:fifo_file rw_fifo_file_perms;
448 manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
449 manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
451 selinux_set_all_booleans(semanage_t)
452 can_exec(semanage_t, semanage_exec_t)
454 # Admins are creating pp files in random locations
455 auth_read_all_files_except_shadow(semanage_t)
457 seutil_manage_file_contexts(semanage_t)
458 seutil_manage_config(semanage_t)
459 seutil_domtrans_setfiles(semanage_t)
461 # netfilter_contexts:
462 seutil_manage_default_contexts(semanage_t)
464 ifdef(`distro_debian',`
465 files_read_var_lib_files(semanage_t)
466 files_read_var_lib_symlinks(semanage_t)
470 setrans_initrc_domtrans(semanage_t)
471 domain_system_change_exemption(semanage_t)
472 consoletype_exec(semanage_t)
475 ifdef(`distro_ubuntu',`
477 unconfined_domain(semanage_t)
482 #signal mcstrans on reload
483 init_spec_domtrans_script(semanage_t)
486 # cjp: need a more general way to handle this:
488 # read secadm tmp files
490 # Handle pp files created in homedir and /tmp
491 userdom_read_user_home_content_files(semanage_t)
492 userdom_read_user_tmp_files(semanage_t)
495 userdom_search_admin_dir(semanage_t)
497 ####################################n####
499 # setsebool local policy
501 seutil_semanage_policy(setsebool_t)
502 selinux_set_all_booleans(setsebool_t)
504 init_dontaudit_use_fds(setsebool_t)
507 seutil_domtrans_setfiles(setsebool_t)
508 seutil_manage_file_contexts(setsebool_t)
509 seutil_manage_default_contexts(setsebool_t)
510 seutil_manage_config(setsebool_t)
512 ########################################
514 # Setfiles local policy
517 seutil_setfiles(setfiles_t)
518 # During boot in Rawhide
519 term_use_generic_ptys(setfiles_t)
521 seutil_setfiles(setfiles_mac_t)
522 allow setfiles_mac_t self:capability2 mac_admin;
523 kernel_relabelto_unlabeled(setfiles_mac_t)
526 files_dontaudit_write_isid_chr_files(setfiles_mac_t)
527 livecd_dontaudit_leaks(setfiles_mac_t)
528 livecd_rw_tmp_files(setfiles_mac_t)
529 dev_dontaudit_write_all_chr_files(setfiles_mac_t)
532 ifdef(`hide_broken_symptoms',`
534 setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
535 setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
540 unconfined_domain(setfiles_mac_t)