-#
-# Define m4 macros for the constraints
-#
-
#
# Define the constraints
#
# SELinux process identity change constraint:
#
constrain process transition
- ( u1 == u2 or
+ ( u1 == u2
ifdef(`targeted_policy',`
- t1 == can_change_process_identity
+ or t1 == can_change_process_identity
',`
- ( t1 == can_change_process_identity and t2 == userdomain )
- ifdef(`crond.te',`
- or (
- t1 == crond_t
- and (
- t2 == user_crond_domain
- or u2 == system_u
- )
- )
- ')
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
- ifdef(`userhelper.te',`
- or (t1 == userhelperdomain)
- ')
+ or ( t1 == cron_source_domain
+ and ( t2 == cron_job_domain or u2 == system_u )
+ )
+
+ or (t1 == process_uncond_exempt)
- ifdef(`TODO',`
- or (t1 == priv_system_role and u2 == system_u )
- ') dnl end TODO
+ or (t1 == can_system_change and u2 == system_u )
')
);
# SELinux process role change constraint:
#
constrain process transition
- ( r1 == r2 or
+ ( r1 == r2
+
ifdef(`targeted_policy',`
- t1 == can_change_process_role
+ or t1 == can_change_process_role
',`
- ( t1 == can_change_process_role and t2 == userdomain )
+ or ( t1 == can_change_process_role and t2 == process_user_target )
- ifdef(`crond.te',`
- or (t1 == crond_t and t2 == user_crond_domain)
- ')
+ or ( t1 == cron_source_domain and t2 == cron_job_domain )
- ifdef(`userhelper.te',`
- or (t1 == userhelperdomain)
- ')
+ or ( t1 == process_uncond_exempt )
ifdef(`postfix.te',`
ifdef(`direct_sysadm_daemon',`
')
')
- ifdef(`TODO',`
- or (t1 == priv_system_role and r2 == system_r )
- ') dnl end TODO
+ or (t1 == can_system_change and r2 == system_r )
')
);
# SELinux dynamic transition constraint:
#
constrain process dyntransition
- ( u1 == u2 and r1 == r2);
+ ( u1 == u2 and r1 == r2 );
#
# SElinux object identity change constraint:
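Review bot: The cron clause of the rewritten identity constraint, `or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )`, lets a cron daemon domain change SELinux identity into any target type provided the new identity is system_u, whereas the cron clause of the role constraint, `or ( t1 == cron_source_domain and t2 == cron_job_domain )`, has no such system_u path; the asymmetry is carried over from the removed crond.te block, but now that the exemptions are attribute-driven a one-line comment stating it is intentional would stop a later reader from "fixing" it. The empty nested `ifdef(`postfix.te',` / `ifdef(`direct_sysadm_daemon',` blocks left inside the role constraint guard nothing and could go with the other module-presence ifdefs this change replaces. Since the constraint file no longer names the modules that receive the exemptions, a header comment such as `# Exemptions are granted via attributes assigned through the domain module's domain_*_exemption_* interfaces` would tell a reader where each attribute is set.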
type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
- type $1_crond_t; # user_crond_domain;
- domain_type($1_crond_t);
+ type $1_crond_t;
+ domain_type($1_crond_t)
+ domain_cron_exemption_target($1_crond_t)
corecmd_shell_entry_type($1_crond_t)
role $3 types $1_crond_t;
type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t)
domain_wide_inherit_fd(crond_t)
+domain_cron_exemption_source(crond_t)
type crond_log_t;
logging_log_file(crond_log_t)
#
template(`ssh_server_template', `
type $1_t, ssh_server;
+ domain_type($1_t)
role system_r types $1_t;
type $1_devpts_t;
## </required>
########################################
-#
-# domain_base_domain_type(domain)
+## <summary>
+## Make the specified type usable as a basic domain.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable as a basic domain.
+## </p>
+## <p>
+## This is primarily used for kernel threads;
+## generally the domain_type() interface is
+## more appropriate for userland processes.
+## </p>
+## </desc>
+## <param name="type">
+## Type to be used as a basic domain type.
+## </param>
#
interface(`domain_base_type',`
gen_require(`
# allow $1 to create child processes in this domain
allow $1 self:process { fork sigchld };
-
- # Files with domain types are currently only proc files
- # self is excepted since domains and files can have
- # the same type in SEFramework
- # cjp: perhaps this should be a conditional exception,
- # so it is excepted only on SEFramework policies
- neverallow $1 { domain -$1 }:dir ~r_dir_perms;
- neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
')
########################################
-#
-# domain_type(domain)
+## <summary>
+## Make the specified type usable as a domain.
+## </summary>
+## <param name="type">
+## Type to be used as a domain type.
+## </param>
#
interface(`domain_type',`
# start with basic domain
')
########################################
-#
-# domain_entry_file(domain,entrypointfile)
+## <summary>
+## Make the specified type usable as
+## an entry point for the domain.
+## </summary>
+## <param name="domain">
+## Domain to be entered.
+## </param>
+## <param name="type">
+## Type of program used for entering
+## the domain.
+## </param>
#
interface(`domain_entry_file',`
gen_require(`
')
files_type($2)
+
allow $1 $2:file entrypoint;
+ allow $1 $2:file rx_file_perms;
+
typeattribute $2 entry_type;
')
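Review bot: The added `allow $1 $2:file rx_file_perms;` gives the domain read and execute access to its entry-point file, but the new `<summary>` and `<param>` text for domain_entry_file only says the type becomes usable as an entry point; a `<desc>` paragraph stating that the domain is also allowed to read and execute files of that type would make the interface's full effect explicit. The body of the gen_require block is not visible here, so whether `entry_type` is declared in it cannot be confirmed from this hunk.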
typeattribute $1 can_change_object_identity;
')
+########################################
+## <summary>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the user domains from the base module.
+## It should not be used other than on
+## user domains.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_user_exemption_target',`
+ gen_require(`
+ attribute process_user_target;
+ ')
+
+ typeattribute $1 process_user_target;
+')
+
+########################################
+## <summary>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## cron domains.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_source',`
+ gen_require(`
+ attribute cron_source_domain;
+ ')
+
+ typeattribute $1 cron_source_domain;
+')
+
+########################################
+## <summary>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## user cron jobs.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_target',`
+ gen_require(`
+ attribute cron_job_domain;
+ ')
+
+ typeattribute $1 cron_job_domain;
+')
+
########################################
#
# domain_use_wide_inherit_fd(domain)
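Review bot: The `<param>` descriptions of domain_cron_exemption_source and domain_cron_exemption_target both read `Domain target for user exemption.`, copied from domain_user_exemption_target; they should read `Domain source for cron exemption.` and `Domain target for cron exemption.` respectively. The constraints also key on `process_uncond_exempt` and `can_system_change`, but no interface in this diff assigns either attribute, so a module that needs them (the attribute comment in domain.te mentions userhelperdomain) would have to gen_require the attribute directly, defeating the decoupling these interfaces provide; an interface of the same shape as domain_cron_exemption_source whose body is `typeattribute $1 process_uncond_exempt;`, and a sibling for `can_system_change`, would keep the pattern consistent. In each new interface the first `<p>` of `<desc>` repeats the `<summary>` verbatim and could be dropped.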
# Mark process types as domains
attribute domain;
+# Transitions only allowed from domains to other domains
+neverallow domain ~domain:process { transition dyntransition };
+
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
+# enabling setcurrent breaks process tranquility. If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow { domain -set_curr_context } self:process setcurrent;
+
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
-# Domains that can set their current context
-# (perform dynamic transitions)
-attribute set_curr_context;
-
+#
# constraint related attributes
+#
+
+# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
+
+# [2] types that can change SELinux role on transition
attribute can_change_process_role;
+
+# [3] types that can change the SELinux identity on a filesystem
+# object or a socket object on a create or relabel
attribute can_change_object_identity;
-# Transitions only allowed from domains to other domains
-neverallow domain ~domain:process { transition dyntransition };
+# [3] types that can change to system_u:system_r
+attribute can_system_change;
-# enabling setcurrent breaks process tranquility. If you do not
-# know what this means or do not understand the implications of a
-# dynamic transition, you should not be using it!!!
-neverallow { domain -set_curr_context } self:process setcurrent;
+# [4] types that have attribute 1 can change the SELinux
+# identity only if the target domain has this attribute.
+# Types that have attribute 2 can change the SELinux role
+# only if the target domain has this attribute.
+attribute process_user_target;
+
+# For cron jobs
+# [5] types used for cron daemons
+attribute cron_source_domain;
+# [6] types used for cron jobs
+attribute cron_job_domain;
+
+# [7] types that are unconditionally exempt from
+# SELinux identity and role change constraints
+attribute process_uncond_exempt; # add userhelperdomain to this one
# TODO:
# cjp: also need to except correctly for SEFramework
-#neverallow { domain unlabeled_t } file_type:process *;
-#neverallow ~{ domain unlabeled_t } *:process *;
+neverallow { domain unlabeled_t } file_type:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
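Review bot: The constraint-attribute comments number both `can_change_object_identity` and `can_system_change` as `[3]`, and the comment on `process_user_target` refers back to "attribute 1" and "attribute 2" by these numbers, so the list should be renumbered (`# [4] types that can change to system_u:system_r`, with the following entries shifted) before the cross-references are relied on. The trailing `# add userhelperdomain to this one` on `attribute process_uncond_exempt;` is an open task rather than a description and belongs under the existing `# TODO:` heading or in the userhelper module. The two `neverallow` rules on `file_type:process` and `*:process` are now active while the `# cjp: also need to except correctly for SEFramework` comment directly above them still describes them as needing an exception; if enabling them is intentional the comment should say so, otherwise an SEFramework build presumably trips the neverallow check.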
type $1_t, userdomain;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
+ domain_user_exemption_target($1_t)
role $1_r types $1_t;
allow system_r $1_r;