-policy_module(kernel,1.5.2)
+policy_module(kernel, 1.12.0)
########################################
#
# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
+attribute can_dump_kernel;
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
role staff_r;
role user_r;
+# here until order dependence is fixed:
+role unconfined_r;
+
ifdef(`enable_mls',`
role secadm_r;
role auditadm_r;
#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
-#
+#
type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+#
+# cgroup fs
+#
+
+type cgroup_t;
+fs_type(cgroup_t)
+allow cgroup_t self:filesystem associate;
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
#
# DebugFS
#
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
+type proc_afs_t, proc_type;
+genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
+
# kernel message interface
type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
# /proc kcore: inaccessible
type proc_kcore_t, proc_type;
-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
type proc_xen_t, proc_type;
+files_mountpoint(proc_xen_t)
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
#
type sysctl_rpc_t, sysctl_type;
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
+# /proc/sys/crypto directory and files
+type sysctl_crypto_t, sysctl_type;
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
+
# /proc/sys/fs directory and files
type sysctl_fs_t, sysctl_type;
files_mountpoint(sysctl_fs_t)
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid init gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
-allow kernel_t self:fifo_file rw_file_perms;
-allow kernel_t self:sock_file r_file_perms;
+allow kernel_t self:fifo_file rw_fifo_file_perms;
+allow kernel_t self:sock_file read_sock_file_perms;
allow kernel_t self:fd use;
-allow kernel_t proc_t:dir r_dir_perms;
-allow kernel_t proc_t:{ lnk_file file } r_file_perms;
+allow kernel_t debugfs_t:dir search_dir_perms;
+
+allow kernel_t proc_t:dir list_dir_perms;
+allow kernel_t proc_t:file read_file_perms;
+allow kernel_t proc_t:lnk_file read_lnk_file_perms;
-allow kernel_t proc_net_t:dir r_dir_perms;
-allow kernel_t proc_net_t:file r_file_perms;
+allow kernel_t proc_net_t:dir list_dir_perms;
+allow kernel_t proc_net_t:file read_file_perms;
-allow kernel_t proc_mdstat_t:file r_file_perms;
+allow kernel_t proc_mdstat_t:file read_file_perms;
allow kernel_t proc_kcore_t:file getattr;
allow kernel_t proc_kmsg_t:file getattr;
-allow kernel_t sysctl_kernel_t:dir r_dir_perms;
-allow kernel_t sysctl_kernel_t:file r_file_perms;
-allow kernel_t sysctl_t:dir r_dir_perms;
+allow kernel_t sysctl_kernel_t:dir list_dir_perms;
+allow kernel_t sysctl_kernel_t:file read_file_perms;
+allow kernel_t sysctl_t:dir list_dir_perms;
# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
-corenet_non_ipsec_sendrecv(kernel_t)
+# Allow unlabeled network traffic
+allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+corenet_in_generic_if(unlabeled_t)
+corenet_in_generic_node(unlabeled_t)
+
+corenet_all_recvfrom_unlabeled(kernel_t)
+corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
-corenet_raw_send_multicast_node(kernel_t)
corenet_send_all_packets(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
-
-# Mount root file system. Used when loading a policy
+# devtmpfs handling:
+dev_create_generic_dirs(kernel_t)
+dev_delete_generic_dirs(kernel_t)
+dev_create_generic_blk_files(kernel_t)
+dev_delete_generic_blk_files(kernel_t)
+dev_create_generic_chr_files(kernel_t)
+dev_delete_generic_chr_files(kernel_t)
+# work around until devtmpfs has device_t type
+dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
+
+# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
+fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
+mls_file_write_all_levels(kernel_t)
+mls_file_read_all_levels(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
')
-ifdef(`targeted_policy',`
- unconfined_domain(kernel_t)
-')
-
-tunable_policy(`read_default_t',`
- files_list_default(kernel_t)
- files_read_default_files(kernel_t)
- files_read_default_symlinks(kernel_t)
- files_read_default_sockets(kernel_t)
- files_read_default_pipes(kernel_t)
-')
-
optional_policy(`
hotplug_search_config(kernel_t)
')
')
optional_policy(`
- # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
allow kernel_t self:udp_socket create_socket_perms;
- # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
- corenet_udp_sendrecv_all_if(kernel_t)
- corenet_udp_sendrecv_all_nodes(kernel_t)
+ corenet_udp_sendrecv_generic_if(kernel_t)
+ corenet_udp_sendrecv_generic_node(kernel_t)
corenet_udp_sendrecv_all_ports(kernel_t)
- corenet_udp_bind_all_nodes(kernel_t)
+ corenet_udp_bind_generic_node(kernel_t)
corenet_sendrecv_portmap_client_packets(kernel_t)
corenet_sendrecv_generic_server_packets(kernel_t)
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
- rpc_udp_rw_nfs_sockets(kernel_t)
+ rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
seutil_read_bin_policy(kernel_t)
')
+optional_policy(`
+ unconfined_domain_noaudit(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
#
-ifdef(`targeted_policy',`
- allow unlabeled_t self:filesystem associate;
-')
-
optional_policy(`
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init.
allow kern_unconfined proc_type:{ dir file lnk_file } *;
-allow kern_unconfined sysctl_t:{ dir file } *;
+allow kern_unconfined sysctl_type:{ dir file } *;
allow kern_unconfined kernel_t:system *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-
-kernel_rw_all_sysctls(kern_unconfined)