# Core "domain" module: declares the attribute family every process domain
# carries and the rules that all domains receive.  Second argument is the
# module version.
policy_module(domain, 1.9.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow all domains to use other domains file descriptors
## </p>
## </desc>
#
# Default is ON.  The matching tunable_policy block later in this file
# grants `allow domain domain:fd use`, so descriptor passing between
# unrelated domains is permitted unless this boolean is turned off.
gen_tunable(allow_domain_fd_use, true)

## <desc>
## <p>
## Allow all domains to have the kernel load modules
## </p>
## </desc>
#
# Default is OFF.  Gates kernel_request_load_module(domain) below.
gen_tunable(domain_kernel_load_modules, false)

## <desc>
## <p>
## Control the ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
## </p>
## </desc>
# Default is OFF.  Not referenced in this file (presumably consumed by an
# interface in domain.if); the memprotect mmap_zero neverallow below is
# unconditional and applies regardless of this setting.
gen_tunable(mmap_low_allowed, false)

# Mark process types as domains
attribute domain;

# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined
attribute unconfined_domain_type;

# Domains that can mmap low memory.
# Every other domain is forbidden mmap_zero on itself, independent of the
# mmap_low_allowed tunable declared above.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#
# The bracketed numbers are cross-references used by the constraint
# definitions (not in this file); the attributes themselves carry no
# permissions here.

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
# NOTE(review): numbered [3] like the attribute above; looks like a
# numbering slip in the comments rather than a shared constraint -- confirm
# against the constraints file.
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one

# Only domains (and unlabeled_t) may be the source or the target of any
# process-class permission: nothing outside that set can act on a process,
# and a process cannot act on something outside that set.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

########################################
#
# Rules applied to all domains
#

# read /proc/(pid|self) entries
# self:file is granted read *and* write here, so every domain can also
# write its own /proc/self entries.
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)

# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
kernel_dontaudit_search_debugfs(domain)

# create child processes in the domain
allow domain self:process { fork getsched sigchld };

# Use trusted objects in /dev
dev_read_cpu_online(domain)
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)
# allow all domains to search through default_t directory, since users sometimes
# place labels within these directories. (samba_share_t) for example.
files_search_default(domain)

# All executables should be able to search the directory they are in
corecmd_search_bin(domain)

# Module autoloading on behalf of any domain; off unless the tunable
# declared at the top of this file is enabled.
tunable_policy(`domain_kernel_load_modules',`
	kernel_request_load_module(domain)
')

# global_ssp is not declared in this module.
tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	dev_read_urand(domain)
')

optional_policy(`
	afs_rw_cache(domain)
')

# Dynamic loader and shared libraries, needed by essentially every
# non-static executable.
optional_policy(`
	libs_use_ld_so(domain)
	libs_use_shared_libs(domain)
	libs_read_lib_files(domain)
')

optional_policy(`
	setrans_translate_context(domain)
')

# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
optional_policy(`
	xserver_dontaudit_use_xdm_fds(domain)
	xserver_dontaudit_rw_xdm_pipes(domain)
	xserver_dontaudit_append_xdm_home_files(domain)
	xserver_dontaudit_write_log(domain)
')

########################################
#
# Unconfined access to this module
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

# Unconfined domains may exchange dbus messages with each other.
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;

# Act upon any other process.
# ptrace, transitions and the exec{mem,stack,heap} bits are carved out of
# the blanket grant.  ptrace is re-added only when deny_ptrace is off: the
# tunable's "true" branch is deliberately empty.  deny_ptrace is not
# declared in this module.
allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
tunable_policy(`deny_ptrace',`',`
	allow unconfined_domain_type domain:process ptrace;
')

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

# act on all domains keys
allow unconfined_domain_type domain:key *;

dev_filetrans_all_named_dev(unconfined_domain_type)

# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)

storage_filetrans_all_named_dev(unconfined_domain_type)

term_filetrans_all_named_dev(unconfined_domain_type)

# Per-module file transitions (filetrans interfaces) so that files an
# unconfined process creates still receive the label the owning module
# expects.  Each block is optional on its module being present.
optional_policy(`
	auth_filetrans_named_content(unconfined_domain_type)
	auth_filetrans_admin_home_content(unconfined_domain_type)
	auth_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	alsa_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	apache_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	bootloader_filetrans_config(unconfined_domain_type)
')

optional_policy(`
	gnome_filetrans_admin_home_content(unconfined_domain_type)
')

optional_policy(`
	devicekit_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	dnsmasq_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	kerberos_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	libs_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	miscfiles_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	mta_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	modules_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	mozilla_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	networkmanager_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	nx_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	postfix_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	pulseaudio_filetrans_home_content(unconfined_domain_type)
	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
')

optional_policy(`
	quota_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	sysnet_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
	userdom_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	virt_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	ssh_filetrans_admin_home_content(unconfined_domain_type)
')

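# Further rules applied to all domains (these follow the unconfined
# section but are not specific to it).
#
# Maintenance note: the trailing group of optional_policy / ifdef blocks
# for init, rpm, selinux, seutil and unconfined_use_fds that used to be
# repeated at the end of this file granted nothing beyond the copies
# below, so only one copy of each is kept.

# selinuxfs: every domain may stat and search the mount; reads of its
# contents are silently denied rather than audited.
selinux_getattr_fs(domain)
selinux_search_fs(domain)
selinux_dontaudit_read_fs(domain)

optional_policy(`
	seutil_dontaudit_read_config(domain)
')

# send init a sigchld and signull
optional_policy(`
	init_sigchld(domain)
	init_signull(domain)
')

ifdef(`distro_redhat',`
	files_search_mnt(domain)
	optional_policy(`
		unconfined_use_fds(domain)
	')
')

# these seem questionable:

optional_policy(`
	abrt_domtrans_helper(domain)
	abrt_read_pid_files(domain)
	abrt_read_state(domain)
	abrt_signull(domain)
	abrt_append_cache(domain)
	abrt_rw_fifo_file(domain)
')

optional_policy(`
	rpm_use_fds(domain)
	rpm_read_pipes(domain)
	rpm_search_log(domain)
	rpm_append_tmp_files(domain)
	rpm_dontaudit_leaks(domain)
	rpm_read_script_tmp_files(domain)
	rpm_inherited_fifo(domain)
')

optional_policy(`
	sosreport_append_tmp_files(domain)
')

# Gated by allow_domain_fd_use (declared at the top of this file, default
# on): with it enabled any domain may use a descriptor inherited from or
# handed over by any other domain.
tunable_policy(`allow_domain_fd_use',`
	# Allow all domains to use fds passed to them
	allow domain domain:fd use;
')

optional_policy(`
	cron_dontaudit_write_system_job_tmp_files(domain)
	cron_rw_pipes(domain)
	cron_rw_system_job_pipes(domain)
')

ifdef(`hide_broken_symptoms',`
	dontaudit domain self:udp_socket listen;
	# NOTE: this line is an allow, not a dontaudit -- when built with
	# hide_broken_symptoms every domain may search and link every other
	# domain's keys.
	allow domain domain:key { link search };
	dontaudit domain domain:socket_class_set { read write };
	dontaudit domain self:capability sys_module;
')

optional_policy(`
	hal_dontaudit_read_pid_files(domain)
')

optional_policy(`
	ipsec_match_default_spd(domain)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		afs_rw_udp_sockets(domain)
	')
')

optional_policy(`
	ssh_rw_pipes(domain)
')

optional_policy(`
	unconfined_dontaudit_rw_pipes(domain)
	unconfined_sigchld(domain)
')

# broken kernel
dontaudit can_change_object_identity can_change_object_identity:key link;

# Silence the process permissions checked on a domain transition
# (inheriting rlimits, signal state and the AT_SECURE flag) between any
# two domains, and CAP_SYS_PTRACE checks a domain triggers against itself.
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
dontaudit domain self:capability sys_ptrace;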