2 policy_module(selinuxutil,1.0)
4 ########################################
9 attribute can_write_binary_policy;
10 attribute can_relabelto_binary_policy;
12 type checkpolicy_t, can_write_binary_policy;
13 domain_type(checkpolicy_t)
14 role system_r types checkpolicy_t;
16 type checkpolicy_exec_t;
17 domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
20 # default_context_t is the type applied to
21 # /etc/selinux/*/contexts/*
23 type default_context_t;
24 files_type(default_context_t)
27 # file_context_t is the type applied to
28 # /etc/selinux/*/contexts/files
31 files_type(file_context_t)
34 domain_type(load_policy_t)
35 role system_r types load_policy_t;
37 type load_policy_exec_t;
38 domain_entry_file(load_policy_t,load_policy_exec_t)
40 type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
41 domain_role_change_exempt(newrole_t)
42 domain_obj_id_change_exempt(newrole_t)
43 domain_type(newrole_t)
44 domain_wide_inherit_fd(newrole_t)
47 domain_entry_file(newrole_t,newrole_exec_t)
50 # policy_config_t is the type of /etc/security/selinux/*
51 # the security server policy configuration.
54 files_type(policy_config_t)
55 kernel_list_from(policy_config_t)
56 kernel_read_file_from(policy_config_t)
58 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
59 neverallow ~can_write_binary_policy policy_config_t:file { write append };
62 # policy_src_t is the type of the policy source
66 files_type(policy_src_t)
68 type restorecon_t, can_relabelto_binary_policy;
69 type restorecon_exec_t;
70 domain_obj_id_change_exempt(restorecon_t)
71 init_system_domain(restorecon_t,restorecon_exec_t)
72 role system_r types restorecon_t;
75 domain_type(run_init_t)
78 domain_entry_file(run_init_t,run_init_exec_t)
81 # selinux_config_t is the type applied to
84 type selinux_config_t;
85 files_type(selinux_config_t)
86 kernel_list_from(selinux_config_t)
87 kernel_read_file_from(selinux_config_t)
89 type setfiles_t, can_relabelto_binary_policy;
90 domain_obj_id_change_exempt(setfiles_t)
91 domain_type(setfiles_t)
92 role system_r types setfiles_t;
95 domain_entry_file(setfiles_t,setfiles_exec_t)
97 ########################################
99 # Checkpolicy local policy
102 allow checkpolicy_t self:capability dac_override;
104 # able to create and modify binary policy files
105 allow checkpolicy_t policy_config_t:dir rw_dir_perms;
106 allow checkpolicy_t policy_config_t:file create_file_perms;
108 # allow test policies to be created in src directories
109 allow checkpolicy_t policy_src_t:dir rw_dir_perms;
110 type_transition checkpolicy_t policy_src_t:file policy_config_t;
112 # only allow read of policy source files
113 allow checkpolicy_t policy_src_t:dir r_dir_perms;
114 allow checkpolicy_t policy_src_t:file r_file_perms;
115 allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
116 allow checkpolicy_t selinux_config_t:dir search;
118 fs_getattr_xattr_fs(checkpolicy_t)
120 term_use_console(checkpolicy_t)
122 domain_use_wide_inherit_fd(checkpolicy_t)
124 # directory search permissions for path to source and binary policy files
125 files_search_etc(checkpolicy_t)
127 init_use_fd(checkpolicy_t)
128 init_use_script_pty(checkpolicy_t)
130 libs_use_ld_so(checkpolicy_t)
131 libs_use_shared_libs(checkpolicy_t)
133 userdom_use_all_user_fd(checkpolicy_t)
135 ########################################
137 # Load_policy local policy
140 allow load_policy_t self:capability dac_override;
142 # only allow read of policy config files
143 allow load_policy_t policy_src_t:dir search;
144 allow load_policy_t policy_config_t:dir r_dir_perms;
145 allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
147 allow load_policy_t selinux_config_t:dir r_dir_perms;
148 allow load_policy_t selinux_config_t:file r_file_perms;
149 allow load_policy_t selinux_config_t:lnk_file r_file_perms;
151 fs_getattr_xattr_fs(load_policy_t)
153 selinux_get_fs_mount(load_policy_t)
154 selinux_load_policy(load_policy_t)
155 selinux_set_boolean(load_policy_t)
157 term_use_console(load_policy_t)
158 term_list_ptys(load_policy_t)
160 init_use_script_fd(load_policy_t)
161 init_use_script_pty(load_policy_t)
163 domain_use_wide_inherit_fd(load_policy_t)
165 files_search_etc(load_policy_t)
167 libs_use_ld_so(load_policy_t)
168 libs_use_shared_libs(load_policy_t)
170 miscfiles_read_localization(load_policy_t)
172 userdom_use_all_user_fd(load_policy_t)
174 ########################################
176 # Newrole local policy
179 allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
181 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
182 allow newrole_t self:process setexec;
183 allow newrole_t self:fd use;
184 allow newrole_t self:fifo_file rw_file_perms;
185 allow newrole_t self:unix_dgram_socket sendto;
186 allow newrole_t self:unix_stream_socket connectto;
187 allow newrole_t self:shm create_shm_perms;
188 allow newrole_t self:sem create_sem_perms;
189 allow newrole_t self:msgq create_msgq_perms;
190 allow newrole_t self:msg { send receive };
192 allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
193 allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
194 allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
196 kernel_read_system_state(newrole_t)
197 kernel_read_kernel_sysctl(newrole_t)
199 dev_read_urand(newrole_t)
201 fs_getattr_xattr_fs(newrole_t)
202 fs_search_auto_mountpoints(newrole_t)
204 selinux_get_fs_mount(newrole_t)
205 selinux_validate_context(newrole_t)
206 selinux_compute_access_vector(newrole_t)
207 selinux_compute_create_context(newrole_t)
208 selinux_compute_relabel_context(newrole_t)
209 selinux_compute_user_contexts(newrole_t)
211 term_use_all_user_ttys(newrole_t)
212 term_use_all_user_ptys(newrole_t)
213 term_relabel_all_user_ttys(newrole_t)
214 term_relabel_all_user_ptys(newrole_t)
216 auth_domtrans_chk_passwd(newrole_t)
218 domain_use_wide_inherit_fd(newrole_t)
219 # for when the user types "exec newrole" at the command line:
220 domain_sigchld_wide_inherit_fd(newrole_t)
223 init_rw_script_pid(newrole_t)
225 files_read_etc_files(newrole_t)
226 files_read_var_files(newrole_t)
228 libs_use_ld_so(newrole_t)
229 libs_use_shared_libs(newrole_t)
231 logging_send_syslog_msg(newrole_t)
233 miscfiles_read_localization(newrole_t)
235 userdom_use_unpriv_users_fd(newrole_t)
236 # for some PAM modules and for cwd
237 userdom_dontaudit_search_all_users_home(newrole_t)
239 # if secure mode is enabled, then newrole
240 # can only transition to unprivileged users
242 userdom_spec_domtrans_unpriv_users(newrole_t)
244 userdom_spec_domtrans_all_users(newrole_t)
247 optional_policy(`nis.te',`
248 nis_use_ypbind(newrole_t)
251 optional_policy(`nscd.te',`
252 nscd_use_socket(newrole_t)
256 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
259 ########################################
261 # Restorecon local policy
264 allow restorecon_t self:capability { dac_override dac_read_search fowner };
266 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
267 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
268 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
270 kernel_use_fd(restorecon_t)
271 kernel_rw_pipe(restorecon_t)
272 kernel_read_system_state(restorecon_t)
274 # cjp: why is this needed?
275 dev_rw_generic_file(restorecon_t)
277 fs_getattr_xattr_fs(restorecon_t)
278 fs_list_all(restorecon_t)
280 selinux_get_fs_mount(restorecon_t)
281 selinux_validate_context(restorecon_t)
282 selinux_compute_access_vector(restorecon_t)
283 selinux_compute_create_context(restorecon_t)
284 selinux_compute_relabel_context(restorecon_t)
285 selinux_compute_user_contexts(restorecon_t)
287 term_use_unallocated_tty(restorecon_t)
289 init_use_fd(restorecon_t)
290 init_use_script_pty(restorecon_t)
292 domain_use_wide_inherit_fd(restorecon_t)
294 files_read_etc_runtime_files(restorecon_t)
295 files_read_etc_files(restorecon_t)
297 libs_use_ld_so(restorecon_t)
298 libs_use_shared_libs(restorecon_t)
300 logging_send_syslog_msg(restorecon_t)
302 userdom_use_all_user_fd(restorecon_t)
305 kernel_relabel_unlabeled(restorecon_t)
306 dev_relabel_all_dev_nodes(restorecon_t)
308 files_relabel_all_files(restorecon_t)
309 files_list_all_dirs(restorecon_t)
310 # this is to satisfy the assertion:
311 auth_relabelto_shadow(restorecon_t)
313 ifdef(`distro_redhat', `
314 fs_use_tmpfs_chr_dev(restorecon_t)
315 fs_use_tmpfs_blk_dev(restorecon_t)
316 fs_relabel_tmpfs_blk_dev(restorecon_t)
317 fs_relabel_tmpfs_chr_dev(restorecon_t)
320 ifdef(`hide_broken_symptoms',`
321 udev_donaudit_rw_unix_dgram_socket(restorecon_t)
324 optional_policy(`hotplug.te',`
325 hotplug_use_fd(restorecon_t)
329 # for upgrading glibc and other shared objects - without this the upgrade
330 # scripts will put things in a state such that restorecon can not be run!
331 allow restorecon_t lib_t:file { read execute };
334 #################################
336 # Run_init local policy
339 selinux_get_fs_mount(run_init_t)
340 selinux_validate_context(run_init_t)
341 selinux_compute_access_vector(run_init_t)
342 selinux_compute_create_context(run_init_t)
343 selinux_compute_relabel_context(run_init_t)
344 selinux_compute_user_contexts(run_init_t)
346 ifdef(`targeted_policy',`',`
347 allow run_init_t self:process setexec;
348 allow run_init_t self:capability setuid;
350 allow run_init_t self:fifo_file rw_file_perms;
352 # often the administrator runs such programs from a directory that is owned
353 # by a different user or has restrictive SE permissions, do not want to audit
354 # the failed access to the current directory
355 dontaudit run_init_t self:capability { dac_override dac_read_search };
357 fs_getattr_xattr_fs(run_init_t)
359 dev_dontaudit_list_all_dev_nodes(run_init_t)
361 term_dontaudit_list_ptys(run_init_t)
363 auth_domtrans_chk_passwd(run_init_t)
364 auth_dontaudit_read_shadow(run_init_t)
366 corecmd_exec_bin(run_init_t)
367 corecmd_exec_shell(run_init_t)
369 domain_use_wide_inherit_fd(run_init_t)
371 files_read_etc_files(run_init_t)
372 files_dontaudit_search_all_dirs(run_init_t)
374 init_domtrans_script(run_init_t)
376 init_rw_script_pid(run_init_t)
378 libs_use_ld_so(run_init_t)
379 libs_use_shared_libs(run_init_t)
381 seutil_read_config(run_init_t)
382 seutil_read_default_contexts(run_init_t)
384 miscfiles_read_localization(run_init_t)
386 logging_send_syslog_msg(run_init_t)
387 ') dnl end ifdef targeted policy
390 ifdef(`distro_gentoo', `
391 # Gentoo integrated run_init+open_init_pty-runscript:
392 domain_entry_file(run_init_t,initrc_exec_t)
393 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
397 ########################################
399 # Setfiles local policy
402 allow setfiles_t self:capability { dac_override dac_read_search fowner };
404 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
405 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
406 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
408 kernel_read_system_state(setfiles_t)
409 kernel_list_unlabeled(setfiles_t)
411 fs_getattr_xattr_fs(setfiles_t)
412 fs_list_all(setfiles_t)
414 selinux_get_fs_mount(setfiles_t)
415 selinux_validate_context(setfiles_t)
416 selinux_compute_access_vector(setfiles_t)
417 selinux_compute_create_context(setfiles_t)
418 selinux_compute_relabel_context(setfiles_t)
419 selinux_compute_user_contexts(setfiles_t)
421 term_use_all_user_ttys(setfiles_t)
422 term_use_all_user_ptys(setfiles_t)
423 term_use_unallocated_tty(setfiles_t)
425 init_use_fd(setfiles_t)
426 init_use_script_fd(setfiles_t)
427 init_use_script_pty(setfiles_t)
429 domain_use_wide_inherit_fd(setfiles_t)
431 libs_use_ld_so(setfiles_t)
432 libs_use_shared_libs(setfiles_t)
434 files_read_etc_runtime_files(setfiles_t)
435 files_read_etc_files(setfiles_t)
437 logging_send_syslog_msg(setfiles_t)
439 miscfiles_read_localization(setfiles_t)
441 userdom_use_all_user_fd(setfiles_t)
442 # for config files in a home directory
443 userdom_read_all_user_files(setfiles_t)
446 kernel_relabel_unlabeled(setfiles_t)
447 dev_relabel_all_dev_nodes(setfiles_t)
448 files_list_all_dirs(setfiles_t)
449 files_relabel_all_files(setfiles_t)
450 # this is to satisfy the assertion:
451 auth_relabelto_shadow(setfiles_t)
454 # for upgrading glibc and other shared objects - without this the upgrade
455 # scripts will put things in a state such that setfiles can not be run!
456 allow setfiles_t lib_t:file { read execute };