policy/modules/system/selinuxutil.te

   1 policy_module(selinuxutil, 1.14.0)
   2
   3 gen_require(`
   4         bool secure_mode;
   5 ')
   6
   7 ########################################
   8 #
   9 # Declarations
  10 #
  11
  12 attribute can_write_binary_policy;
  13 attribute can_relabelto_binary_policy;
  14
  15 #
  16 # selinux_config_t is the type applied to
  17 # /etc/selinux/config
  18 #
  19 # cjp: this is out of order due to rules
  20 # in the domain_type interface
  21 # (fix dup decl)
  22 type selinux_config_t;
  23 files_type(selinux_config_t)
  24
  25 type selinux_var_lib_t;
  26 files_type(selinux_var_lib_t)
  27
  28 type checkpolicy_t, can_write_binary_policy;
  29 type checkpolicy_exec_t;
  30 application_domain(checkpolicy_t, checkpolicy_exec_t)
  31 role system_r types checkpolicy_t;
  32
  33 #
  34 # default_context_t is the type applied to
  35 # /etc/selinux/*/contexts/*
  36 #
  37 type default_context_t;
  38 files_type(default_context_t)
  39
  40 #
  41 # file_context_t is the type applied to
  42 # /etc/selinux/*/contexts/files
  43 #
  44 type file_context_t;
  45 files_type(file_context_t)
  46
  47 type load_policy_t;
  48 type load_policy_exec_t;
  49 application_domain(load_policy_t, load_policy_exec_t)
  50 role system_r types load_policy_t;
  51
  52 type newrole_t;
  53 type newrole_exec_t;
  54 application_domain(newrole_t, newrole_exec_t)
  55 domain_role_change_exemption(newrole_t)
  56 domain_obj_id_change_exemption(newrole_t)
  57 domain_interactive_fd(newrole_t)
  58
  59 #
  60 # policy_config_t is the type of /etc/security/selinux/*
  61 # the security server policy configuration.
  62 #
  63 #type policy_config_t;
  64 #files_type(policy_config_t)
  65 typealias semanage_store_t alias policy_config_t;
  66
  67 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
  68 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
  69
  70 #
  71 # policy_src_t is the type of the policy source
  72 # files.
  73 #
  74 type policy_src_t;
  75 files_type(policy_src_t)
  76
  77 type restorecond_t;
  78 type restorecond_exec_t;
  79 init_daemon_domain(restorecond_t, restorecond_exec_t)
  80 domain_obj_id_change_exemption(restorecond_t)
  81
  82 type restorecond_var_run_t;
  83 files_pid_file(restorecond_var_run_t)
  84
  85 type run_init_t;
  86 type run_init_exec_t;
  87 application_domain(run_init_t, run_init_exec_t)
  88 domain_system_change_exemption(run_init_t)
  89 role system_r types run_init_t;
  90
  91 type semanage_t;
  92 type semanage_exec_t;
  93 application_domain(semanage_t, semanage_exec_t)
  94 dbus_system_domain(semanage_t, semanage_exec_t)
  95 domain_interactive_fd(semanage_t)
  96 role system_r types semanage_t;
  97
  98 type setsebool_t;
  99 type setsebool_exec_t;
 100 init_system_domain(setsebool_t, setsebool_exec_t)
 101
 102 type semanage_store_t;
 103 files_type(semanage_store_t)
 104
 105 type semanage_read_lock_t;
 106 files_type(semanage_read_lock_t)
 107
 108 type semanage_tmp_t;
 109 files_tmp_file(semanage_tmp_t)
 110
 111 type semanage_trans_lock_t;
 112 files_type(semanage_trans_lock_t)
 113
 114 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
 115 type setfiles_exec_t alias restorecon_exec_t;
 116 init_system_domain(setfiles_t, setfiles_exec_t)
 117 domain_obj_id_change_exemption(setfiles_t)
 118
 119 type setfiles_mac_t;
 120 domain_type(setfiles_mac_t)
 121 domain_entry_file(setfiles_mac_t, setfiles_exec_t)
 122 domain_obj_id_change_exemption(setfiles_mac_t)
 123
 124 ########################################
 125 #
 126 # Checkpolicy local policy
 127 #
 128
 129 allow checkpolicy_t self:capability dac_override;
 130
 131 # able to create and modify binary policy files
 132 manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
 133
 134 # allow test policies to be created in src directories
 135 filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
 136
 137 # only allow read of policy source files
 138 read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
 139 read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
 140 allow checkpolicy_t selinux_config_t:dir search_dir_perms;
 141
 142 domain_use_interactive_fds(checkpolicy_t)
 143
 144 files_list_usr(checkpolicy_t)
 145 # directory search permissions for path to source and binary policy files
 146 files_search_etc(checkpolicy_t)
 147
 148 fs_getattr_xattr_fs(checkpolicy_t)
 149
 150 term_use_console(checkpolicy_t)
 151
 152 init_use_fds(checkpolicy_t)
 153 init_use_script_ptys(checkpolicy_t)
 154
 155 userdom_use_user_terminals(checkpolicy_t)
 156 userdom_use_all_users_fds(checkpolicy_t)
 157
 158 ifdef(`distro_ubuntu',`
 159         optional_policy(`
 160                 unconfined_domain(checkpolicy_t)
 161         ')
 162 ')
 163
 164 ########################################
 165 #
 166 # Load_policy local policy
 167 #
 168
 169 allow load_policy_t self:capability dac_override;
 170
 171 # only allow read of policy config files
 172 read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
 173
 174 domain_use_interactive_fds(load_policy_t)
 175
 176 # for mcs.conf
 177 files_read_etc_files(load_policy_t)
 178 files_read_etc_runtime_files(load_policy_t)
 179
 180 fs_getattr_xattr_fs(load_policy_t)
 181
 182 mls_file_read_all_levels(load_policy_t)
 183
 184 selinux_load_policy(load_policy_t)
 185 selinux_set_all_booleans(load_policy_t)
 186
 187 term_use_console(load_policy_t)
 188 term_list_ptys(load_policy_t)
 189
 190 init_use_script_fds(load_policy_t)
 191 init_use_script_ptys(load_policy_t)
 192 init_write_script_pipes(load_policy_t)
 193
 194 miscfiles_read_localization(load_policy_t)
 195
 196 seutil_libselinux_linked(load_policy_t)
 197
 198 userdom_use_user_terminals(load_policy_t)
 199 userdom_use_all_users_fds(load_policy_t)
 200
 201 ifdef(`distro_ubuntu',`
 202         optional_policy(`
 203                 unconfined_domain(load_policy_t)
 204         ')
 205 ')
 206
 207 ifdef(`hide_broken_symptoms',`
 208         # cjp: cover up stray file descriptors.
 209         dontaudit load_policy_t selinux_config_t:file write;
 210
 211         optional_policy(`
 212                 unconfined_dontaudit_read_pipes(load_policy_t)
 213         ')
 214 ')
 215
 216 ########################################
 217 #
 218 # Newrole local policy
 219 #
 220
 221 allow newrole_t self:capability { fowner setuid setgid dac_override };
 222 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 223 allow newrole_t self:process setexec;
 224 allow newrole_t self:fd use;
 225 allow newrole_t self:fifo_file rw_fifo_file_perms;
 226 allow newrole_t self:sock_file read_sock_file_perms;
 227 allow newrole_t self:shm create_shm_perms;
 228 allow newrole_t self:sem create_sem_perms;
 229 allow newrole_t self:msgq create_msgq_perms;
 230 allow newrole_t self:msg { send receive };
 231 allow newrole_t self:unix_dgram_socket sendto;
 232 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
 233 logging_send_audit_msgs(newrole_t)
 234
 235 read_files_pattern(newrole_t, default_context_t, default_context_t)
 236 read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
 237
 238 kernel_read_system_state(newrole_t)
 239 kernel_read_kernel_sysctls(newrole_t)
 240
 241 corecmd_list_bin(newrole_t)
 242 corecmd_read_bin_symlinks(newrole_t)
 243
 244 dev_read_urand(newrole_t)
 245
 246 domain_use_interactive_fds(newrole_t)
 247 # for when the user types "exec newrole" at the command line:
 248 domain_sigchld_interactive_fds(newrole_t)
 249
 250 files_read_etc_files(newrole_t)
 251 files_read_var_files(newrole_t)
 252 files_read_var_symlinks(newrole_t)
 253
 254 fs_getattr_xattr_fs(newrole_t)
 255 fs_search_auto_mountpoints(newrole_t)
 256
 257 mls_file_read_all_levels(newrole_t)
 258 mls_file_write_all_levels(newrole_t)
 259 mls_file_upgrade(newrole_t)
 260 mls_file_downgrade(newrole_t)
 261 mls_process_set_level(newrole_t)
 262 mls_fd_share_all_levels(newrole_t)
 263
 264 selinux_validate_context(newrole_t)
 265 selinux_compute_access_vector(newrole_t)
 266 selinux_compute_create_context(newrole_t)
 267 selinux_compute_relabel_context(newrole_t)
 268 selinux_compute_user_contexts(newrole_t)
 269
 270 term_use_all_ttys(newrole_t)
 271 term_use_all_ptys(newrole_t)
 272 term_relabel_all_ttys(newrole_t)
 273 term_relabel_all_ptys(newrole_t)
 274 term_getattr_unallocated_ttys(newrole_t)
 275 term_dontaudit_use_unallocated_ttys(newrole_t)
 276
 277 auth_use_pam(newrole_t)
 278
 279 # Write to utmp.
 280 init_rw_utmp(newrole_t)
 281 init_use_fds(newrole_t)
 282
 283 miscfiles_read_localization(newrole_t)
 284
 285 seutil_libselinux_linked(newrole_t)
 286
 287 userdom_use_unpriv_users_fds(newrole_t)
 288 # for some PAM modules and for cwd
 289 userdom_dontaudit_search_user_home_content(newrole_t)
 290 userdom_search_user_home_dirs(newrole_t)
 291
 292 optional_policy(`
 293         xserver_dontaudit_exec_xauth(newrole_t)
 294 ')
 295
 296 ifdef(`distro_ubuntu',`
 297         optional_policy(`
 298                 unconfined_domain(newrole_t)
 299         ')
 300 ')
 301
 302 # if secure mode is enabled, then newrole
 303 # can only transition to unprivileged users
 304 if(secure_mode) {
 305         userdom_spec_domtrans_unpriv_users(newrole_t)
 306 } else {
 307         userdom_spec_domtrans_all_users(newrole_t)
 308 }
 309
 310 tunable_policy(`allow_polyinstantiation',`
 311         files_polyinstantiate_all(newrole_t)
 312 ')
 313
 314 ########################################
 315 #
 316 # Restorecond local policy
 317 #
 318
 319 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 320 allow restorecond_t self:fifo_file rw_fifo_file_perms;
 321
 322 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
 323 files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
 324
 325 kernel_use_fds(restorecond_t)
 326 kernel_rw_pipes(restorecond_t)
 327 kernel_read_system_state(restorecond_t)
 328
 329 files_dontaudit_read_all_symlinks(restorecond_t)
 330
 331 fs_relabelfrom_noxattr_fs(restorecond_t)
 332 fs_dontaudit_list_nfs(restorecond_t)
 333 fs_getattr_xattr_fs(restorecond_t)
 334 fs_list_inotifyfs(restorecond_t)
 335
 336 selinux_validate_context(restorecond_t)
 337 selinux_compute_access_vector(restorecond_t)
 338 selinux_compute_create_context(restorecond_t)
 339 selinux_compute_relabel_context(restorecond_t)
 340 selinux_compute_user_contexts(restorecond_t)
 341
 342 auth_relabel_all_files_except_shadow(restorecond_t )
 343 auth_read_all_files_except_shadow(restorecond_t)
 344 auth_use_nsswitch(restorecond_t)
 345
 346 locallogin_dontaudit_use_fds(restorecond_t)
 347
 348 logging_send_syslog_msg(restorecond_t)
 349
 350 miscfiles_read_localization(restorecond_t)
 351
 352 seutil_libselinux_linked(restorecond_t)
 353
 354 userdom_read_user_home_content_symlinks(restorecond_t)
 355
 356 ifdef(`distro_ubuntu',`
 357         optional_policy(`
 358                 unconfined_domain(restorecond_t)
 359         ')
 360 ')
 361
 362 optional_policy(`
 363         rpm_use_script_fds(restorecond_t)
 364 ')
 365
 366 #################################
 367 #
 368 # Run_init local policy
 369 #
 370
 371 allow run_init_t self:process setexec;
 372 allow run_init_t self:capability setuid;
 373 allow run_init_t self:fifo_file rw_file_perms;
 374 logging_send_audit_msgs(run_init_t)
 375
 376 # often the administrator runs such programs from a directory that is owned
 377 # by a different user or has restrictive SE permissions, do not want to audit
 378 # the failed access to the current directory
 379 dontaudit run_init_t self:capability { dac_override dac_read_search };
 380
 381 corecmd_exec_bin(run_init_t)
 382 corecmd_exec_shell(run_init_t)
 383
 384 dev_dontaudit_list_all_dev_nodes(run_init_t)
 385
 386 domain_use_interactive_fds(run_init_t)
 387
 388 files_read_etc_files(run_init_t)
 389 files_dontaudit_search_all_dirs(run_init_t)
 390
 391 fs_getattr_xattr_fs(run_init_t)
 392
 393 mls_rangetrans_source(run_init_t)
 394
 395 selinux_validate_context(run_init_t)
 396 selinux_compute_access_vector(run_init_t)
 397 selinux_compute_create_context(run_init_t)
 398 selinux_compute_relabel_context(run_init_t)
 399 selinux_compute_user_contexts(run_init_t)
 400
 401 auth_use_nsswitch(run_init_t)
 402 auth_domtrans_chk_passwd(run_init_t)
 403 auth_domtrans_upd_passwd(run_init_t)
 404 auth_dontaudit_read_shadow(run_init_t)
 405
 406 init_spec_domtrans_script(run_init_t)
 407 # for utmp
 408 init_rw_utmp(run_init_t)
 409
 410 logging_send_syslog_msg(run_init_t)
 411
 412 miscfiles_read_localization(run_init_t)
 413
 414 seutil_libselinux_linked(run_init_t)
 415 seutil_read_default_contexts(run_init_t)
 416
 417 userdom_use_user_terminals(run_init_t)
 418
 419 ifndef(`direct_sysadm_daemon',`
 420         ifdef(`distro_gentoo',`
 421                 # Gentoo integrated run_init:
 422                 init_script_file_entry_type(run_init_t)
 423         ')
 424 ')
 425
 426 optional_policy(`
 427         rpm_domtrans(run_init_t)
 428 ')
 429
 430 ifdef(`distro_ubuntu',`
 431         optional_policy(`
 432                 unconfined_domain(run_init_t)
 433         ')
 434 ')
 435
 436 optional_policy(`
 437         daemontools_domtrans_start(run_init_t)
 438 ')
 439
 440 ########################################
 441 #
 442 # semodule local policy
 443 #
 444
 445 seutil_semanage_policy(semanage_t)
 446 allow semanage_t self:fifo_file rw_fifo_file_perms;
 447
 448 manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 449 manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 450
 451 selinux_set_all_booleans(semanage_t)
 452 can_exec(semanage_t, semanage_exec_t)
 453
 454 # Admins are creating pp files in random locations
 455 auth_read_all_files_except_shadow(semanage_t)
 456
 457 seutil_manage_file_contexts(semanage_t)
 458 seutil_manage_config(semanage_t)
 459 seutil_domtrans_setfiles(semanage_t)
 460
 461 # netfilter_contexts:
 462 seutil_manage_default_contexts(semanage_t)
 463
 464 ifdef(`distro_debian',`
 465         files_read_var_lib_files(semanage_t)
 466         files_read_var_lib_symlinks(semanage_t)
 467 ')
 468
 469 optional_policy(`
 470         setrans_initrc_domtrans(semanage_t)
 471         domain_system_change_exemption(semanage_t)
 472         consoletype_exec(semanage_t)
 473 ')
 474
 475 ifdef(`distro_ubuntu',`
 476         optional_policy(`
 477                 unconfined_domain(semanage_t)
 478         ')
 479 ')
 480
 481 optional_policy(`
 482         #signal mcstrans on reload
 483         init_spec_domtrans_script(semanage_t)
 484 ')
 485
 486 # cjp: need a more general way to handle this:
 487 ifdef(`enable_mls',`
 488         # read secadm tmp files
 489 ',`
 490         # Handle pp files created in homedir and /tmp
 491         userdom_read_user_home_content_files(semanage_t)
 492         userdom_read_user_tmp_files(semanage_t)
 493 ')
 494
 495 userdom_search_admin_dir(semanage_t)
 496
 497 ####################################n####
 498 #
 499 # setsebool local policy
 500 #
 501 seutil_semanage_policy(setsebool_t)
 502 selinux_set_all_booleans(setsebool_t)
 503
 504 init_dontaudit_use_fds(setsebool_t)
 505
 506 # Bug in semanage
 507 seutil_domtrans_setfiles(setsebool_t)
 508 seutil_manage_file_contexts(setsebool_t)
 509 seutil_manage_default_contexts(setsebool_t)
 510 seutil_manage_config(setsebool_t)
 511
 512 ########################################
 513 #
 514 # Setfiles local policy
 515 #
 516
 517 seutil_setfiles(setfiles_t)
 518 # During boot in Rawhide
 519 term_use_generic_ptys(setfiles_t)
 520
 521 seutil_setfiles(setfiles_mac_t)
 522 allow setfiles_mac_t self:capability2 mac_admin;
 523 kernel_relabelto_unlabeled(setfiles_mac_t)
 524
 525 optional_policy(`
 526         files_dontaudit_write_isid_chr_files(setfiles_mac_t)
 527         livecd_dontaudit_leaks(setfiles_mac_t)
 528         livecd_rw_tmp_files(setfiles_mac_t)
 529         dev_dontaudit_write_all_chr_files(setfiles_mac_t)
 530 ')
 531
 532 ifdef(`hide_broken_symptoms',`
 533         optional_policy(`
 534                 setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 535                 setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
 536         ')
 537 ')
 538
 539 optional_policy(`
 540         unconfined_domain(setfiles_mac_t)
 541 ')