cca4b7e6 | 1 | policy_module(kernel, 1.13.3) |
960373dd | 2 | |
995d6fea DW |
3 | ## <desc> |
4 | ## <p> | |
5 | ## disallow programs and users from transitioning to insmod domain. | |
6 | ## </p> | |
7 | ## </desc> | |
8 | gen_bool(secure_mode_insmod,false) | |
9 | ||
ff7bc148 CP |
10 | ######################################## |
11 | # | |
12 | # Declarations | |
13 | # | |
14 | ||
18f25afd | 15 | # assertion related attributes |
a266e3cc CP |
16 | attribute can_load_kernmodule; |
17 | attribute can_receive_kernel_messages; | |
e276b8e5 | 18 | attribute can_dump_kernel; |
a266e3cc | 19 | |
b518fc2e | 20 | neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; |
712566ee | 21 | |
d2506343 CP |
22 | # domains with unconfined access to kernel resources |
23 | attribute kern_unconfined; | |
24 | ||
25 | # regular entries in proc | |
26 | attribute proc_type; | |
27 | ||
28 | # sysctls | |
29 | attribute sysctl_type; | |
30 | ||
9fd4b818 CP |
31 | role system_r; |
32 | role sysadm_r; | |
33 | role staff_r; | |
34 | role user_r; | |
18d59e15 | 35 | |
350b6ab7 CP |
36 | # here until order dependence is fixed: |
37 | role unconfined_r; | |
38 | ||
18d59e15 CP |
39 | ifdef(`enable_mls',` |
40 | role secadm_r; | |
2dbd3824 | 41 | role auditadm_r; |
18d59e15 | 42 | ') |
9fd4b818 | 43 | |
a266e3cc | 44 | # |
b4cd1533 CP |
45 | # kernel_t is the domain of kernel threads. |
46 | # It is also the target type when checking permissions in the system class. | |
e276b8e5 | 47 | # |
f0574fa9 | 48 | type kernel_t, can_load_kernmodule; |
fb0a3a98 | 49 | domain_base_type(kernel_t) |
f0574fa9 CP |
50 | mls_rangetrans_source(kernel_t) |
51 | role system_r types kernel_t; | |
e070dd2d | 52 | sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) |
b4cd1533 | 53 | |
a1fcff33 CP |
54 | # |
55 | # DebugFS | |
56 | # | |
57 | ||
58 | type debugfs_t; | |
59 | fs_type(debugfs_t) | |
688db17c DW |
60 | files_mountpoint(debugfs_t) |
61 | ||
a1fcff33 | 62 | allow debugfs_t self:filesystem associate; |
e02c61cf | 63 | genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) |
a1fcff33 | 64 | |
93784927 CP |
65 | # |
66 | # kvmFS | |
67 | # | |
68 | ||
69 | type kvmfs_t; | |
70 | fs_type(kvmfs_t) | |
71 | genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0) | |
72 | ||
b4cd1533 CP |
73 | # |
74 | # Procfs types | |
75 | # | |
76 | ||
d2506343 | 77 | type proc_t, proc_type; |
c9428d33 | 78 | files_mountpoint(proc_t) |
cbca03f5 | 79 | fs_type(proc_t) |
e02c61cf CP |
80 | genfscon proc / gen_context(system_u:object_r:proc_t,s0) |
81 | genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) | |
b4cd1533 | 82 | |
7d4161cd CP |
83 | type proc_afs_t, proc_type; |
84 | genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0) | |
85 | ||
b4cd1533 | 86 | # kernel message interface |
d2506343 | 87 | type proc_kmsg_t, proc_type; |
e070dd2d | 88 | genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh) |
b518fc2e | 89 | neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr; |
b4cd1533 CP |
90 | |
91 | # /proc kcore: inaccessible | |
d2506343 | 92 | type proc_kcore_t, proc_type; |
e276b8e5 | 93 | neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; |
e070dd2d | 94 | genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) |
b4cd1533 | 95 | |
d2506343 | 96 | type proc_mdstat_t, proc_type; |
e02c61cf | 97 | genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) |
b4cd1533 | 98 | |
d2506343 | 99 | type proc_net_t, proc_type; |
e02c61cf | 100 | genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) |
b4cd1533 | 101 | |
a3cf80d8 | 102 | type proc_xen_t, proc_type; |
a65fd90a | 103 | files_mountpoint(proc_xen_t) |
a3cf80d8 CP |
104 | genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) |
105 | ||
b4cd1533 CP |
106 | # |
107 | # Sysctl types | |
108 | # | |
109 | ||
d2506343 CP |
110 | # /proc/sys directory, base directory of sysctls |
111 | type sysctl_t, sysctl_type; | |
112 | files_mountpoint(sysctl_t) | |
e02c61cf CP |
113 | sid sysctl gen_context(system_u:object_r:sysctl_t,s0) |
114 | genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) | |
d2506343 | 115 | |
b4cd1533 | 116 | # /proc/irq directory and files |
d2506343 | 117 | type sysctl_irq_t, sysctl_type; |
e02c61cf | 118 | genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) |
b4cd1533 CP |
119 | |
120 | # /proc/net/rpc directory and files | |
d2506343 | 121 | type sysctl_rpc_t, sysctl_type; |
e02c61cf | 122 | genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) |
b4cd1533 | 123 | |
a65fd90a CP |
124 | # /proc/sys/crypto directory and files |
125 | type sysctl_crypto_t, sysctl_type; | |
126 | genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) | |
127 | ||
b4cd1533 | 128 | # /proc/sys/fs directory and files |
d2506343 | 129 | type sysctl_fs_t, sysctl_type; |
c9428d33 | 130 | files_mountpoint(sysctl_fs_t) |
e02c61cf | 131 | genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) |
b4cd1533 CP |
132 | |
133 | # /proc/sys/kernel directory and files | |
d2506343 | 134 | type sysctl_kernel_t, sysctl_type; |
e02c61cf | 135 | genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) |
b4cd1533 CP |
136 | |
137 | # /proc/sys/kernel/modprobe file | |
d2506343 | 138 | type sysctl_modprobe_t, sysctl_type; |
e02c61cf | 139 | genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0) |
b4cd1533 CP |
140 | |
141 | # /proc/sys/kernel/hotplug file | |
d2506343 | 142 | type sysctl_hotplug_t, sysctl_type; |
e02c61cf | 143 | genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0) |
b4cd1533 CP |
144 | |
145 | # /proc/sys/net directory and files | |
d2506343 | 146 | type sysctl_net_t, sysctl_type; |
e02c61cf | 147 | genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) |
b4cd1533 CP |
148 | |
149 | # /proc/sys/net/unix directory and files | |
d2506343 | 150 | type sysctl_net_unix_t, sysctl_type; |
e02c61cf | 151 | genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) |
b4cd1533 CP |
152 | |
153 | # /proc/sys/vm directory and files | |
d2506343 | 154 | type sysctl_vm_t, sysctl_type; |
e02c61cf | 155 | genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) |
b4cd1533 CP |
156 | |
157 | # /proc/sys/dev directory and files | |
d2506343 | 158 | type sysctl_dev_t, sysctl_type; |
e02c61cf | 159 | genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) |
a266e3cc | 160 | |
d2506343 CP |
161 | # |
162 | # unlabeled_t is the type of unlabeled objects. | |
163 | # Objects that have no known labeling information or that | |
164 | # have labels that are no longer valid are treated as having this type. | |
165 | # | |
166 | type unlabeled_t; | |
ed17ee53 | 167 | fs_associate(unlabeled_t) |
e070dd2d | 168 | sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) |
3eaa9939 | 169 | fs_associate(unlabeled_t) |
d2506343 CP |
170 | |
171 | # These initial sids are no longer used, and can be removed: | |
e070dd2d | 172 | sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) |
e02c61cf | 173 | sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) |
e070dd2d CP |
174 | sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) |
175 | sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) | |
b518fc2e | 176 | sid init gen_context(system_u:object_r:unlabeled_t,s0) |
e070dd2d | 177 | sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) |
e070dd2d CP |
178 | sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) |
179 | sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) | |
e02c61cf CP |
180 | sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0) |
181 | sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0) | |
182 | sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0) | |
183 | sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0) | |
184 | sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0) | |
185 | sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0) | |
186 | sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0) | |
e070dd2d | 187 | sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) |
d2506343 | 188 | |
a266e3cc CP |
189 | ######################################## |
190 | # | |
191 | # kernel local policy | |
192 | # | |
193 | ||
995bdbb1 | 194 | allow kernel_t self:capability ~{ sys_ptrace }; |
195 | tunable_policy(`deny_ptrace',`',` | |
196 | allow kernel_t self:capability sys_ptrace; | |
197 | ') | |
198 | ||
c3812748 | 199 | allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
c2c00bee CP |
200 | allow kernel_t self:shm create_shm_perms; |
201 | allow kernel_t self:sem create_sem_perms; | |
a266e3cc | 202 | allow kernel_t self:msg { send receive }; |
c2c00bee CP |
203 | allow kernel_t self:msgq create_msgq_perms; |
204 | allow kernel_t self:unix_dgram_socket create_socket_perms; | |
205 | allow kernel_t self:unix_stream_socket create_stream_socket_perms; | |
a266e3cc CP |
206 | allow kernel_t self:unix_dgram_socket sendto; |
207 | allow kernel_t self:unix_stream_socket connectto; | |
ef659a47 CP |
208 | allow kernel_t self:fifo_file rw_fifo_file_perms; |
209 | allow kernel_t self:sock_file read_sock_file_perms; | |
a266e3cc CP |
210 | allow kernel_t self:fd use; |
211 | ||
a65fd90a CP |
212 | allow kernel_t debugfs_t:dir search_dir_perms; |
213 | ||
ef659a47 CP |
214 | allow kernel_t proc_t:dir list_dir_perms; |
215 | allow kernel_t proc_t:file read_file_perms; | |
216 | allow kernel_t proc_t:lnk_file read_lnk_file_perms; | |
72fcec8c | 217 | |
ef659a47 CP |
218 | allow kernel_t proc_net_t:dir list_dir_perms; |
219 | allow kernel_t proc_net_t:file read_file_perms; | |
72fcec8c | 220 | |
ef659a47 | 221 | allow kernel_t proc_mdstat_t:file read_file_perms; |
72fcec8c | 222 | |
a266e3cc | 223 | allow kernel_t proc_kcore_t:file getattr; |
72fcec8c | 224 | |
a266e3cc | 225 | allow kernel_t proc_kmsg_t:file getattr; |
72fcec8c | 226 | |
ef659a47 CP |
227 | allow kernel_t sysctl_kernel_t:dir list_dir_perms; |
228 | allow kernel_t sysctl_kernel_t:file read_file_perms; | |
229 | allow kernel_t sysctl_t:dir list_dir_perms; | |
a266e3cc | 230 | |
72fcec8c CP |
231 | # Other possible mount points for the root fs are in files |
232 | allow kernel_t unlabeled_t:dir mounton; | |
233 | # Kernel-generated traffic e.g., TCP resets on | |
234 | # connections with invalidated labels: | |
235 | allow kernel_t unlabeled_t:packet send; | |
605ba285 | 236 | |
7722c29e | 237 | # Allow unlabeled network traffic |
308baad2 | 238 | allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; |
7722c29e CP |
239 | corenet_in_generic_if(unlabeled_t) |
240 | corenet_in_generic_node(unlabeled_t) | |
308baad2 | 241 | |
19006686 CP |
242 | corenet_all_recvfrom_unlabeled(kernel_t) |
243 | corenet_all_recvfrom_netlabel(kernel_t) | |
a154cd45 CP |
244 | # Kernel-generated traffic e.g., ICMP replies: |
245 | corenet_raw_sendrecv_all_if(kernel_t) | |
246 | corenet_raw_sendrecv_all_nodes(kernel_t) | |
bf080a46 | 247 | corenet_raw_send_generic_if(kernel_t) |
a154cd45 | 248 | # Kernel-generated traffic e.g., TCP resets: |
0fd9dc55 CP |
249 | corenet_tcp_sendrecv_all_if(kernel_t) |
250 | corenet_tcp_sendrecv_all_nodes(kernel_t) | |
bf080a46 | 251 | corenet_raw_send_generic_node(kernel_t) |
006e9982 | 252 | corenet_send_all_packets(kernel_t) |
a154cd45 | 253 | |
605ba285 CP |
254 | dev_read_sysfs(kernel_t) |
255 | dev_search_usbfs(kernel_t) | |
03a6e039 CP |
256 | # devtmpfs handling: |
257 | dev_create_generic_dirs(kernel_t) | |
258 | dev_delete_generic_dirs(kernel_t) | |
2e10172e DW |
259 | dev_create_all_blk_files(kernel_t) |
260 | dev_delete_all_blk_files(kernel_t) | |
261 | dev_create_all_chr_files(kernel_t) | |
262 | dev_delete_all_chr_files(kernel_t) | |
d6e1ef29 | 263 | dev_mounton(kernel_t) |
72eaebd0 | 264 | dev_filetrans_all_named_dev(kernel_t) |
2e10172e | 265 | storage_filetrans_all_named_dev(kernel_t) |
72eaebd0 | 266 | term_filetrans_all_named_dev(kernel_t) |
a154cd45 | 267 | |
e276b8e5 | 268 | # Mount root file system. Used when loading a policy |
a154cd45 CP |
269 | # from initrd, then mounting the root filesystem |
270 | fs_mount_all_fs(kernel_t) | |
67b6207a | 271 | fs_unmount_all_fs(kernel_t) |
a154cd45 | 272 | |
605ba285 CP |
273 | selinux_load_policy(kernel_t) |
274 | ||
3eaa9939 DW |
275 | term_use_all_terms(kernel_t) |
276 | term_use_ptmx(kernel_t) | |
605ba285 | 277 | |
c9428d33 | 278 | corecmd_exec_shell(kernel_t) |
8021cb4f | 279 | corecmd_list_bin(kernel_t) |
a154cd45 | 280 | # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. |
c9428d33 | 281 | corecmd_exec_bin(kernel_t) |
a154cd45 CP |
282 | |
283 | domain_signal_all_domains(kernel_t) | |
605ba285 | 284 | domain_search_all_domains_state(kernel_t) |
588ffaeb | 285 | |
c9428d33 | 286 | files_list_root(kernel_t) |
712566ee | 287 | files_list_etc(kernel_t) |
c9428d33 CP |
288 | files_list_home(kernel_t) |
289 | files_read_usr_files(kernel_t) | |
3eaa9939 DW |
290 | files_manage_mounttab(kernel_t) |
291 | files_manage_generic_spool_dirs(kernel_t) | |
588ffaeb | 292 | |
9779f092 | 293 | mcs_process_set_categories(kernel_t) |
3eaa9939 DW |
294 | mcs_file_read_all(kernel_t) |
295 | mcs_file_write_all(kernel_t) | |
5218e768 | 296 | mcs_socket_write_all_levels(kernel_t) |
9779f092 | 297 | |
f0574fa9 CP |
298 | mls_process_read_up(kernel_t) |
299 | mls_process_write_down(kernel_t) | |
9e388253 | 300 | mls_file_downgrade(kernel_t) |
67b6207a | 301 | mls_file_write_all_levels(kernel_t) |
e276b8e5 | 302 | mls_file_read_all_levels(kernel_t) |
3eaa9939 DW |
303 | mls_socket_write_all_levels(kernel_t) |
304 | mls_fd_share_all_levels(kernel_t) | |
305 | ||
6b19be33 CP |
306 | ifdef(`distro_redhat',` |
307 | # Bugzilla 222337 | |
308 | fs_rw_tmpfs_chr_files(kernel_t) | |
309 | ') | |
310 | ||
3eaa9939 | 311 | |
a11cc065 DW |
312 | optional_policy(` |
313 | apache_filetrans_home_content(kernel_t) | |
314 | ') | |
315 | ||
a11cc065 DW |
316 | optional_policy(` |
317 | kerberos_filetrans_home_content(kernel_t) | |
318 | ') | |
319 | ||
bb7170f6 | 320 | optional_policy(` |
18cc016f CP |
321 | hotplug_search_config(kernel_t) |
322 | ') | |
323 | ||
bb7170f6 | 324 | optional_policy(` |
18cc016f | 325 | init_sigchld(kernel_t) |
f9fad030 | 326 | init_dyntrans(kernel_t) |
18cc016f CP |
327 | ') |
328 | ||
bb7170f6 | 329 | optional_policy(` |
18cc016f CP |
330 | libs_use_ld_so(kernel_t) |
331 | libs_use_shared_libs(kernel_t) | |
332 | ') | |
333 | ||
bb7170f6 | 334 | optional_policy(` |
18cc016f | 335 | logging_send_syslog_msg(kernel_t) |
c4b9f69a DW |
336 | logging_manage_generic_logs(kernel_t) |
337 | ') | |
338 | ||
a11cc065 DW |
339 | optional_policy(` |
340 | mta_filetrans_home_content(kernel_t) | |
341 | ') | |
342 | ||
343 | optional_policy(` | |
344 | ssh_filetrans_home_content(kernel_t) | |
345 | ') | |
346 | ||
c4b9f69a DW |
347 | optional_policy(` |
348 | userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) | |
18cc016f CP |
349 | ') |
350 | ||
bb7170f6 | 351 | optional_policy(` |
34e722f3 CP |
352 | nis_use_ypbind(kernel_t) |
353 | ') | |
354 | ||
bb7170f6 | 355 | optional_policy(` |
ff8f0a63 | 356 | # nfs kernel server needs kernel UDP access. It is less risky and painful |
43989f82 CP |
357 | # to just give it everything. |
358 | allow kernel_t self:tcp_socket create_stream_socket_perms; | |
03776270 | 359 | allow kernel_t self:udp_socket create_socket_perms; |
43989f82 | 360 | |
e276b8e5 | 361 | # nfs kernel server needs kernel UDP access. It is less risky and painful |
43989f82 | 362 | # to just give it everything. |
668b3093 | 363 | corenet_udp_sendrecv_generic_if(kernel_t) |
c1262146 | 364 | corenet_udp_sendrecv_generic_node(kernel_t) |
43989f82 | 365 | corenet_udp_sendrecv_all_ports(kernel_t) |
c1262146 | 366 | corenet_udp_bind_generic_node(kernel_t) |
b8373ee1 | 367 | corenet_sendrecv_portmap_client_packets(kernel_t) |
35a4b349 | 368 | corenet_sendrecv_generic_server_packets(kernel_t) |
43989f82 | 369 | |
ed38ca9f CP |
370 | fs_getattr_xattr_fs(kernel_t) |
371 | ||
43989f82 CP |
372 | auth_dontaudit_getattr_shadow(kernel_t) |
373 | ||
374 | sysnet_read_config(kernel_t) | |
375 | ||
376 | rpc_manage_nfs_ro_content(kernel_t) | |
377 | rpc_manage_nfs_rw_content(kernel_t) | |
e276b8e5 | 378 | rpc_udp_rw_nfs_sockets(kernel_t) |
43989f82 CP |
379 | |
380 | tunable_policy(`nfs_export_all_ro',` | |
ed38ca9f CP |
381 | fs_getattr_noxattr_fs(kernel_t) |
382 | fs_list_noxattr_fs(kernel_t) | |
383 | fs_read_noxattr_fs_files(kernel_t) | |
384 | fs_read_noxattr_fs_symlinks(kernel_t) | |
385 | ||
c8edea58 | 386 | files_read_non_security_files(kernel_t) |
43989f82 CP |
387 | ') |
388 | ||
389 | tunable_policy(`nfs_export_all_rw',` | |
ed38ca9f CP |
390 | fs_getattr_noxattr_fs(kernel_t) |
391 | fs_list_noxattr_fs(kernel_t) | |
392 | fs_read_noxattr_fs_files(kernel_t) | |
393 | fs_read_noxattr_fs_symlinks(kernel_t) | |
43989f82 | 394 | |
c8edea58 | 395 | files_manage_non_security_files(kernel_t) |
43989f82 CP |
396 | ') |
397 | ') | |
398 | ||
bb7170f6 | 399 | optional_policy(` |
18cc016f | 400 | seutil_read_config(kernel_t) |
1815bad1 | 401 | seutil_read_bin_policy(kernel_t) |
18cc016f CP |
402 | ') |
403 | ||
350b6ab7 | 404 | optional_policy(` |
e276b8e5 | 405 | unconfined_domain_noaudit(kernel_t) |
350b6ab7 CP |
406 | ') |
407 | ||
a11cc065 DW |
408 | optional_policy(` |
409 | virt_filetrans_home_content(kernel_t) | |
410 | ') | |
411 | ||
3eaa9939 DW |
412 | optional_policy(` |
413 | xserver_xdm_manage_spool(kernel_t) | |
a11cc065 | 414 | xserver_filetrans_home_content(kernel_t) |
3eaa9939 DW |
415 | ') |
416 | ||
588ffaeb CP |
417 | ######################################## |
418 | # | |
419 | # Unlabeled process local policy | |
420 | # | |
421 | ||
bb7170f6 | 422 | optional_policy(` |
18cc016f CP |
423 | # If you load a new policy that removes active domains, processes can |
424 | # get stuck if you do not allow unlabeled processes to signal init. | |
425 | # If you load an incompatible policy, you should probably reboot, | |
426 | # since you may have compromised system security. | |
427 | init_sigchld(unlabeled_t) | |
428 | ') | |
b518fc2e CP |
429 | |
430 | ######################################## | |
431 | # | |
432 | # Rules for unconfined access to this module | |
433 | # | |
434 | ||
6b19be33 | 435 | allow kern_unconfined proc_type:{ dir file lnk_file } *; |
b518fc2e | 436 | |
8152a788 | 437 | allow kern_unconfined sysctl_type:{ dir file } *; |
b518fc2e CP |
438 | |
439 | allow kern_unconfined kernel_t:system *; | |
440 | ||
441 | allow kern_unconfined unlabeled_t:dir_file_class_set *; | |
442 | allow kern_unconfined unlabeled_t:filesystem *; | |
443 | allow kern_unconfined unlabeled_t:association *; | |
c5657a26 | 444 | allow kern_unconfined unlabeled_t:packet *; |
995bdbb1 | 445 | allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap }; |
995d6fea DW |
446 | |
447 | gen_require(` | |
448 | bool secure_mode_insmod; | |
449 | ') | |
450 | ||
451 | if( ! secure_mode_insmod ) { | |
452 | allow can_load_kernmodule self:capability sys_module; | |
453 | # load_module() calls stop_machine() which | |
454 | # calls sched_setscheduler() | |
455 | allow can_load_kernmodule self:capability sys_nice; | |
456 | kernel_setsched(can_load_kernmodule) | |
8c7bd1ff | 457 | } |
995d6fea | 458 |