refpolicy/policy/modules/system/selinuxutil.te

   1
   2 policy_module(selinuxutil,1.0)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 attribute can_write_binary_policy;
  10 attribute can_relabelto_binary_policy;
  11
  12 type checkpolicy_t, can_write_binary_policy;
  13 domain_type(checkpolicy_t)
  14 role system_r types checkpolicy_t;
  15
  16 type checkpolicy_exec_t;
  17 domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
  18
  19 #
  20 # default_context_t is the type applied to
  21 # /etc/selinux/*/contexts/*
  22 #
  23 type default_context_t;
  24 files_type(default_context_t)
  25
  26 #
  27 # file_context_t is the type applied to
  28 # /etc/selinux/*/contexts/files
  29 #
  30 type file_context_t;
  31 files_type(file_context_t)
  32
  33 type load_policy_t;
  34 domain_type(load_policy_t)
  35 role system_r types load_policy_t;
  36
  37 type load_policy_exec_t;
  38 domain_entry_file(load_policy_t,load_policy_exec_t)
  39
  40 type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
  41 domain_role_change_exempt(newrole_t)
  42 domain_obj_id_change_exempt(newrole_t)
  43 domain_type(newrole_t)
  44 domain_wide_inherit_fd(newrole_t)
  45
  46 type newrole_exec_t;
  47 domain_entry_file(newrole_t,newrole_exec_t)
  48
  49 #
  50 # policy_config_t is the type of /etc/security/selinux/*
  51 # the security server policy configuration.
  52 #
  53 type policy_config_t;
  54 files_type(policy_config_t)
  55 kernel_list_from(policy_config_t)
  56 kernel_read_file_from(policy_config_t)
  57
  58 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
  59 neverallow ~can_write_binary_policy policy_config_t:file { write append };
  60
  61 #
  62 # policy_src_t is the type of the policy source
  63 # files.
  64 #
  65 type policy_src_t;
  66 files_type(policy_src_t)
  67
  68 type restorecon_t, can_relabelto_binary_policy;
  69 type restorecon_exec_t;
  70 domain_obj_id_change_exempt(restorecon_t)
  71 init_system_domain(restorecon_t,restorecon_exec_t)
  72 role system_r types restorecon_t;
  73
  74 type run_init_t;
  75 domain_type(run_init_t)
  76
  77 type run_init_exec_t;
  78 domain_entry_file(run_init_t,run_init_exec_t)
  79
  80 #
  81 # selinux_config_t is the type applied to
  82 # /etc/selinux/config
  83 #
  84 type selinux_config_t;
  85 files_type(selinux_config_t)
  86 kernel_list_from(selinux_config_t)
  87 kernel_read_file_from(selinux_config_t)
  88
  89 type setfiles_t, can_relabelto_binary_policy;
  90 domain_obj_id_change_exempt(setfiles_t)
  91 domain_type(setfiles_t)
  92 role system_r types setfiles_t;
  93
  94 type setfiles_exec_t;
  95 domain_entry_file(setfiles_t,setfiles_exec_t)
  96
  97 ########################################
  98 #
  99 # Checkpolicy local policy
 100 #
 101
 102 allow checkpolicy_t self:capability dac_override;
 103
 104 # able to create and modify binary policy files
 105 allow checkpolicy_t policy_config_t:dir rw_dir_perms;
 106 allow checkpolicy_t policy_config_t:file create_file_perms;
 107
 108 # allow test policies to be created in src directories
 109 allow checkpolicy_t policy_src_t:dir rw_dir_perms;
 110 type_transition checkpolicy_t policy_src_t:file policy_config_t;
 111
 112 # only allow read of policy source files
 113 allow checkpolicy_t policy_src_t:dir r_dir_perms;
 114 allow checkpolicy_t policy_src_t:file r_file_perms;
 115 allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
 116 allow checkpolicy_t selinux_config_t:dir search;
 117
 118 fs_getattr_xattr_fs(checkpolicy_t)
 119
 120 term_use_console(checkpolicy_t)
 121
 122 domain_use_wide_inherit_fd(checkpolicy_t)
 123
 124 # directory search permissions for path to source and binary policy files
 125 files_search_etc(checkpolicy_t)
 126
 127 init_use_fd(checkpolicy_t)
 128 init_use_script_pty(checkpolicy_t)
 129
 130 libs_use_ld_so(checkpolicy_t)
 131 libs_use_shared_libs(checkpolicy_t)
 132
 133 userdom_use_all_user_fd(checkpolicy_t)
 134
 135 ########################################
 136 #
 137 # Load_policy local policy
 138 #
 139
 140 allow load_policy_t self:capability dac_override;
 141
 142 # only allow read of policy config files
 143 allow load_policy_t policy_src_t:dir search;
 144 allow load_policy_t policy_config_t:dir r_dir_perms;
 145 allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
 146
 147 allow load_policy_t selinux_config_t:dir r_dir_perms;
 148 allow load_policy_t selinux_config_t:file r_file_perms;
 149 allow load_policy_t selinux_config_t:lnk_file r_file_perms;
 150
 151 fs_getattr_xattr_fs(load_policy_t)
 152
 153 selinux_get_fs_mount(load_policy_t)
 154 selinux_load_policy(load_policy_t)
 155 selinux_set_boolean(load_policy_t)
 156
 157 term_use_console(load_policy_t)
 158 term_list_ptys(load_policy_t)
 159
 160 init_use_script_fd(load_policy_t)
 161 init_use_script_pty(load_policy_t)
 162
 163 domain_use_wide_inherit_fd(load_policy_t)
 164
 165 files_search_etc(load_policy_t)
 166
 167 libs_use_ld_so(load_policy_t)
 168 libs_use_shared_libs(load_policy_t)
 169
 170 miscfiles_read_localization(load_policy_t)
 171
 172 userdom_use_all_user_fd(load_policy_t)
 173
 174 ########################################
 175 #
 176 # Newrole local policy
 177 #
 178
 179 allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
 180
 181 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 182 allow newrole_t self:process setexec;
 183 allow newrole_t self:fd use;
 184 allow newrole_t self:fifo_file rw_file_perms;
 185 allow newrole_t self:unix_dgram_socket sendto;
 186 allow newrole_t self:unix_stream_socket connectto;
 187 allow newrole_t self:shm create_shm_perms;
 188 allow newrole_t self:sem create_sem_perms;
 189 allow newrole_t self:msgq create_msgq_perms;
 190 allow newrole_t self:msg { send receive };
 191
 192 allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
 193 allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
 194 allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 195
 196 kernel_read_system_state(newrole_t)
 197 kernel_read_kernel_sysctl(newrole_t)
 198
 199 dev_read_urand(newrole_t)
 200
 201 fs_getattr_xattr_fs(newrole_t)
 202 fs_search_auto_mountpoints(newrole_t)
 203
 204 selinux_get_fs_mount(newrole_t)
 205 selinux_validate_context(newrole_t)
 206 selinux_compute_access_vector(newrole_t)
 207 selinux_compute_create_context(newrole_t)
 208 selinux_compute_relabel_context(newrole_t)
 209 selinux_compute_user_contexts(newrole_t)
 210
 211 term_use_all_user_ttys(newrole_t)
 212 term_use_all_user_ptys(newrole_t)
 213 term_relabel_all_user_ttys(newrole_t)
 214 term_relabel_all_user_ptys(newrole_t)
 215
 216 auth_domtrans_chk_passwd(newrole_t)
 217
 218 domain_use_wide_inherit_fd(newrole_t)
 219 # for when the user types "exec newrole" at the command line:
 220 domain_sigchld_wide_inherit_fd(newrole_t)
 221
 222 # Write to utmp.
 223 init_rw_script_pid(newrole_t)
 224
 225 files_read_etc_files(newrole_t)
 226 files_read_var_files(newrole_t)
 227
 228 libs_use_ld_so(newrole_t)
 229 libs_use_shared_libs(newrole_t)
 230
 231 logging_send_syslog_msg(newrole_t)
 232
 233 miscfiles_read_localization(newrole_t)
 234
 235 userdom_use_unpriv_users_fd(newrole_t)
 236 # for some PAM modules and for cwd
 237 userdom_dontaudit_search_all_users_home(newrole_t)
 238
 239 # if secure mode is enabled, then newrole
 240 # can only transition to unprivileged users
 241 if(secure_mode) {
 242         userdom_spec_domtrans_unpriv_users(newrole_t)
 243 } else {
 244         userdom_spec_domtrans_all_users(newrole_t)
 245 }
 246
 247 optional_policy(`nis.te',`
 248         nis_use_ypbind(newrole_t)
 249 ')
 250
 251 optional_policy(`nscd.te',`
 252         nscd_use_socket(newrole_t)
 253 ')
 254
 255 ifdef(`TODO',`
 256 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 257 ') dnl ifdef TODO
 258
 259 ########################################
 260 #
 261 # Restorecon local policy
 262 #
 263
 264 allow restorecon_t self:capability { dac_override dac_read_search fowner };
 265
 266 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
 267 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
 268 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 269
 270 kernel_use_fd(restorecon_t)
 271 kernel_rw_pipe(restorecon_t)
 272 kernel_read_system_state(restorecon_t)
 273
 274 # cjp: why is this needed?
 275 dev_rw_generic_file(restorecon_t)
 276
 277 fs_getattr_xattr_fs(restorecon_t)
 278 fs_list_all(restorecon_t)
 279
 280 selinux_get_fs_mount(restorecon_t)
 281 selinux_validate_context(restorecon_t)
 282 selinux_compute_access_vector(restorecon_t)
 283 selinux_compute_create_context(restorecon_t)
 284 selinux_compute_relabel_context(restorecon_t)
 285 selinux_compute_user_contexts(restorecon_t)
 286
 287 term_use_unallocated_tty(restorecon_t)
 288
 289 init_use_fd(restorecon_t)
 290 init_use_script_pty(restorecon_t)
 291
 292 domain_use_wide_inherit_fd(restorecon_t)
 293
 294 files_read_etc_runtime_files(restorecon_t)
 295 files_read_etc_files(restorecon_t)
 296
 297 libs_use_ld_so(restorecon_t)
 298 libs_use_shared_libs(restorecon_t)
 299
 300 logging_send_syslog_msg(restorecon_t)
 301
 302 userdom_use_all_user_fd(restorecon_t)
 303
 304 # relabeling rules
 305 kernel_relabel_unlabeled(restorecon_t)
 306 dev_relabel_all_dev_nodes(restorecon_t)
 307
 308 files_relabel_all_files(restorecon_t)
 309 files_list_all_dirs(restorecon_t)
 310 # this is to satisfy the assertion:
 311 auth_relabelto_shadow(restorecon_t)
 312
 313 ifdef(`distro_redhat', `
 314         fs_use_tmpfs_chr_dev(restorecon_t)
 315         fs_use_tmpfs_blk_dev(restorecon_t)
 316         fs_relabel_tmpfs_blk_dev(restorecon_t)
 317         fs_relabel_tmpfs_chr_dev(restorecon_t)
 318 ')
 319
 320 ifdef(`hide_broken_symptoms',`
 321         udev_donaudit_rw_unix_dgram_socket(restorecon_t)
 322 ')
 323
 324 optional_policy(`hotplug.te',`
 325         hotplug_use_fd(restorecon_t)
 326 ')
 327
 328 ifdef(`TODO',`
 329 # for upgrading glibc and other shared objects - without this the upgrade
 330 # scripts will put things in a state such that restorecon can not be run!
 331 allow restorecon_t lib_t:file { read execute };
 332 ') dnl endif TODO
 333
 334 #################################
 335 #
 336 # Run_init local policy
 337 #
 338
 339 selinux_get_fs_mount(run_init_t)
 340 selinux_validate_context(run_init_t)
 341 selinux_compute_access_vector(run_init_t)
 342 selinux_compute_create_context(run_init_t)
 343 selinux_compute_relabel_context(run_init_t)
 344 selinux_compute_user_contexts(run_init_t)
 345
 346 ifdef(`targeted_policy',`',`
 347         allow run_init_t self:process setexec;
 348         allow run_init_t self:capability setuid;
 349
 350         allow run_init_t self:fifo_file rw_file_perms;
 351
 352         # often the administrator runs such programs from a directory that is owned
 353         # by a different user or has restrictive SE permissions, do not want to audit
 354         # the failed access to the current directory
 355         dontaudit run_init_t self:capability { dac_override dac_read_search };
 356
 357         fs_getattr_xattr_fs(run_init_t)
 358
 359         dev_dontaudit_list_all_dev_nodes(run_init_t)
 360
 361         term_dontaudit_list_ptys(run_init_t)
 362
 363         auth_domtrans_chk_passwd(run_init_t)
 364         auth_dontaudit_read_shadow(run_init_t)
 365
 366         corecmd_exec_bin(run_init_t)
 367         corecmd_exec_shell(run_init_t)
 368
 369         domain_use_wide_inherit_fd(run_init_t)
 370
 371         files_read_etc_files(run_init_t)
 372         files_dontaudit_search_all_dirs(run_init_t)
 373
 374         init_domtrans_script(run_init_t)
 375         # for utmp
 376         init_rw_script_pid(run_init_t)
 377
 378         libs_use_ld_so(run_init_t)
 379         libs_use_shared_libs(run_init_t)
 380
 381         seutil_read_config(run_init_t)
 382         seutil_read_default_contexts(run_init_t)
 383
 384         miscfiles_read_localization(run_init_t)
 385
 386         logging_send_syslog_msg(run_init_t)
 387 ') dnl end ifdef targeted policy
 388
 389 ifdef(`TODO',`
 390 ifdef(`distro_gentoo', `
 391         # Gentoo integrated run_init+open_init_pty-runscript:
 392         domain_entry_file(run_init_t,initrc_exec_t)
 393         domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 394 ')
 395 ') dnl end TODO
 396
 397 ########################################
 398 #
 399 # Setfiles local policy
 400 #
 401
 402 allow setfiles_t self:capability { dac_override dac_read_search fowner };
 403
 404 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
 405 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
 406 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 407
 408 kernel_read_system_state(setfiles_t)
 409 kernel_list_unlabeled(setfiles_t)
 410
 411 fs_getattr_xattr_fs(setfiles_t)
 412 fs_list_all(setfiles_t)
 413
 414 selinux_get_fs_mount(setfiles_t)
 415 selinux_validate_context(setfiles_t)
 416 selinux_compute_access_vector(setfiles_t)
 417 selinux_compute_create_context(setfiles_t)
 418 selinux_compute_relabel_context(setfiles_t)
 419 selinux_compute_user_contexts(setfiles_t)
 420
 421 term_use_all_user_ttys(setfiles_t)
 422 term_use_all_user_ptys(setfiles_t)
 423 term_use_unallocated_tty(setfiles_t)
 424
 425 init_use_fd(setfiles_t)
 426 init_use_script_fd(setfiles_t)
 427 init_use_script_pty(setfiles_t)
 428
 429 domain_use_wide_inherit_fd(setfiles_t)
 430
 431 libs_use_ld_so(setfiles_t)
 432 libs_use_shared_libs(setfiles_t)
 433
 434 files_read_etc_runtime_files(setfiles_t)
 435 files_read_etc_files(setfiles_t)
 436
 437 logging_send_syslog_msg(setfiles_t)
 438
 439 miscfiles_read_localization(setfiles_t)
 440
 441 userdom_use_all_user_fd(setfiles_t)
 442 # for config files in a home directory
 443 userdom_read_all_user_files(setfiles_t)
 444
 445 # relabeling rules
 446 kernel_relabel_unlabeled(setfiles_t)
 447 dev_relabel_all_dev_nodes(setfiles_t)
 448 files_list_all_dirs(setfiles_t)
 449 files_relabel_all_files(setfiles_t)
 450 # this is to satisfy the assertion:
 451 auth_relabelto_shadow(setfiles_t)
 452
 453 ifdef(`TODO',`
 454 # for upgrading glibc and other shared objects - without this the upgrade
 455 # scripts will put things in a state such that setfiles can not be run!
 456 allow setfiles_t lib_t:file { read execute };
 457 ') dnl endif TODO