[people/stevee/selinux-policy.git] / policy / modules / kernel / kernel.te

policy_module(kernel, 1.13.3)

## <desc>
## <p>
## disallow programs and users from transitioning to insmod domain.
## </p>
## </desc>
gen_bool(secure_mode_insmod,false)

########################################
#
# Declarations
#

# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
attribute can_dump_kernel;

neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;

# domains with unconfined access to kernel resources
attribute kern_unconfined;

# regular entries in proc
attribute proc_type;

# sysctls
attribute sysctl_type;

role system_r;
role sysadm_r;
role staff_r;
role user_r;

# here until order dependence is fixed:
role unconfined_r;

ifdef(`enable_mls',`
	role secadm_r;
	role auditadm_r;
')

#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)

#
# DebugFS
#

type debugfs_t;
fs_type(debugfs_t)
files_mountpoint(debugfs_t)

allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)

#
# kvmFS
#

type kvmfs_t;
fs_type(kvmfs_t)
genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)

#
# Procfs types
#

type proc_t, proc_type;
files_mountpoint(proc_t)
fs_type(proc_t)
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)

type proc_afs_t, proc_type;
genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)

# kernel message interface
type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;

# /proc kcore: inaccessible
type proc_kcore_t, proc_type;
neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)

type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)

type proc_net_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)

type proc_xen_t, proc_type;
files_mountpoint(proc_xen_t)
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)

#
# Sysctl types
#

# /proc/sys directory, base directory of sysctls
type sysctl_t, sysctl_type;
files_mountpoint(sysctl_t)
sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)

# /proc/irq directory and files
type sysctl_irq_t, sysctl_type;
genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)

# /proc/net/rpc directory and files
type sysctl_rpc_t, sysctl_type;
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)

# /proc/sys/crypto directory and files
type sysctl_crypto_t, sysctl_type;
genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)

# /proc/sys/fs directory and files
type sysctl_fs_t, sysctl_type;
files_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)

# /proc/sys/kernel directory and files
type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)

# /proc/sys/kernel/modprobe file
type sysctl_modprobe_t, sysctl_type;
genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)

# /proc/sys/kernel/hotplug file
type sysctl_hotplug_t, sysctl_type;
genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)

# /proc/sys/net directory and files
type sysctl_net_t, sysctl_type;
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)

# /proc/sys/net/unix directory and files
type sysctl_net_unix_t, sysctl_type;
genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)

# /proc/sys/vm directory and files
type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)

# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)

#
# unlabeled_t is the type of unlabeled objects.
# Objects that have no known labeling information or that
# have labels that are no longer valid are treated as having this type.
#
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
fs_associate(unlabeled_t)

# These initial sids are no longer used, and can be removed:
sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid init		gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid policy		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_net		gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_net_unix	gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s0)
sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)

########################################
#
# kernel local policy
#

allow kernel_t self:capability ~{ sys_ptrace };
tunable_policy(`deny_ptrace',`',`
	allow kernel_t self:capability sys_ptrace;
')

allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
allow kernel_t self:msg { send receive };
allow kernel_t self:msgq create_msgq_perms;
allow kernel_t self:unix_dgram_socket create_socket_perms;
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_fifo_file_perms;
allow kernel_t self:sock_file read_sock_file_perms;
allow kernel_t self:fd use;

allow kernel_t debugfs_t:dir search_dir_perms;

allow kernel_t proc_t:dir list_dir_perms;
allow kernel_t proc_t:file read_file_perms;
allow kernel_t proc_t:lnk_file read_lnk_file_perms;

allow kernel_t proc_net_t:dir list_dir_perms;
allow kernel_t proc_net_t:file read_file_perms;

allow kernel_t proc_mdstat_t:file read_file_perms;

allow kernel_t proc_kcore_t:file getattr;

allow kernel_t proc_kmsg_t:file getattr;

allow kernel_t sysctl_kernel_t:dir list_dir_perms;
allow kernel_t sysctl_kernel_t:file read_file_perms;
allow kernel_t sysctl_t:dir list_dir_perms;

# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;
# Kernel-generated traffic e.g., TCP resets on
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;

# Allow unlabeled network traffic
allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)

corenet_all_recvfrom_unlabeled(kernel_t)
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_if(kernel_t)
# Kernel-generated traffic e.g., TCP resets:
corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)

dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
# devtmpfs handling:
dev_create_generic_dirs(kernel_t)
dev_delete_generic_dirs(kernel_t)
dev_create_all_blk_files(kernel_t)
dev_delete_all_blk_files(kernel_t)
dev_create_all_chr_files(kernel_t)
dev_delete_all_chr_files(kernel_t)
dev_mounton(kernel_t)
dev_filetrans_all_named_dev(kernel_t)
storage_filetrans_all_named_dev(kernel_t)
term_filetrans_all_named_dev(kernel_t)

# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)

selinux_load_policy(kernel_t)

term_use_all_terms(kernel_t)
term_use_ptmx(kernel_t)

corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecmd_exec_bin(kernel_t)

domain_signal_all_domains(kernel_t)
domain_search_all_domains_state(kernel_t)

files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
files_manage_mounttab(kernel_t)
files_manage_generic_spool_dirs(kernel_t)

mcs_process_set_categories(kernel_t)
mcs_file_read_all(kernel_t)
mcs_file_write_all(kernel_t)
mcs_socket_write_all_levels(kernel_t)

mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
mls_file_downgrade(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
mls_socket_write_all_levels(kernel_t) 
mls_fd_share_all_levels(kernel_t) 

ifdef(`distro_redhat',`
	# Bugzilla 222337
	fs_rw_tmpfs_chr_files(kernel_t)
')


optional_policy(`
	apache_filetrans_home_content(kernel_t)
')

optional_policy(`
	kerberos_filetrans_home_content(kernel_t)
')

optional_policy(`
	hotplug_search_config(kernel_t)
')

optional_policy(`
	init_sigchld(kernel_t)
	init_dyntrans(kernel_t)
')

optional_policy(`
	libs_use_ld_so(kernel_t)
	libs_use_shared_libs(kernel_t)
')

optional_policy(`
	logging_send_syslog_msg(kernel_t)
	logging_manage_generic_logs(kernel_t)
')

optional_policy(`
	mta_filetrans_home_content(kernel_t)
')

optional_policy(`
	ssh_filetrans_home_content(kernel_t)
')

optional_policy(`
	userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
')

optional_policy(`
	nis_use_ypbind(kernel_t)
')

optional_policy(`
	# nfs kernel server needs kernel UDP access. It is less risky and painful
	# to just give it everything.
	allow kernel_t self:tcp_socket create_stream_socket_perms;
	allow kernel_t self:udp_socket create_socket_perms;

	# nfs kernel server needs kernel UDP access. It is less risky and painful
	# to just give it everything.
	corenet_udp_sendrecv_generic_if(kernel_t)
	corenet_udp_sendrecv_generic_node(kernel_t)
	corenet_udp_sendrecv_all_ports(kernel_t)
	corenet_udp_bind_generic_node(kernel_t)
	corenet_sendrecv_portmap_client_packets(kernel_t)
	corenet_sendrecv_generic_server_packets(kernel_t)

	fs_getattr_xattr_fs(kernel_t)

	auth_dontaudit_getattr_shadow(kernel_t)

	sysnet_read_config(kernel_t)

	rpc_manage_nfs_ro_content(kernel_t)
	rpc_manage_nfs_rw_content(kernel_t)
	rpc_udp_rw_nfs_sockets(kernel_t)

	tunable_policy(`nfs_export_all_ro',`
		fs_getattr_noxattr_fs(kernel_t)
		fs_list_noxattr_fs(kernel_t)
		fs_read_noxattr_fs_files(kernel_t)
		fs_read_noxattr_fs_symlinks(kernel_t)

		files_read_non_security_files(kernel_t)
	')

	tunable_policy(`nfs_export_all_rw',`
		fs_getattr_noxattr_fs(kernel_t)
		fs_list_noxattr_fs(kernel_t)
		fs_read_noxattr_fs_files(kernel_t)
		fs_read_noxattr_fs_symlinks(kernel_t)

		files_manage_non_security_files(kernel_t)
	')
')

optional_policy(`
	seutil_read_config(kernel_t)
	seutil_read_bin_policy(kernel_t)
')

optional_policy(`
	unconfined_domain_noaudit(kernel_t)
')

optional_policy(`
	virt_filetrans_home_content(kernel_t)
')

optional_policy(`
	xserver_xdm_manage_spool(kernel_t)
	xserver_filetrans_home_content(kernel_t)
')

########################################
#
# Unlabeled process local policy
#

optional_policy(`
	# If you load a new policy that removes active domains, processes can
	# get stuck if you do not allow unlabeled processes to signal init.
	# If you load an incompatible policy, you should probably reboot,
	# since you may have compromised system security.
	init_sigchld(unlabeled_t)
')

########################################
#
# Rules for unconfined acccess to this module
#

allow kern_unconfined proc_type:{ dir file lnk_file } *;

allow kern_unconfined sysctl_type:{ dir file } *;

allow kern_unconfined kernel_t:system *;

allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };

gen_require(`
	bool secure_mode_insmod;
')

if( ! secure_mode_insmod ) {
    allow can_load_kernmodule self:capability sys_module;
    # load_module() calls stop_machine() which
    # calls sched_setscheduler()
    allow can_load_kernmodule self:capability sys_nice;
    kernel_setsched(can_load_kernmodule)
}
Commit	Line	Data
cca4b7e6	1	policy_module(kernel, 1.13.3)
960373dd	2
995d6fea DW	3	## <desc>
	4	## <p>
	5	## disallow programs and users from transitioning to insmod domain.
	6	## </p>
	7	## </desc>
	8	gen_bool(secure_mode_insmod,false)
	9
ff7bc148 CP	10	########################################
	11	#
	12	# Declarations
	13	#
	14
18f25afd	15	# assertion related attributes
a266e3cc CP	16	attribute can_load_kernmodule;
a266e3cc CP	17	attribute can_receive_kernel_messages;
e276b8e5	18	attribute can_dump_kernel;
a266e3cc	19
b518fc2e	20	neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
712566ee	21
d2506343 CP	22	# domains with unconfined access to kernel resources
	23	attribute kern_unconfined;
	24
	25	# regular entries in proc
	26	attribute proc_type;
	27
	28	# sysctls
	29	attribute sysctl_type;
	30
9fd4b818 CP	31	role system_r;
	32	role sysadm_r;
	33	role staff_r;
	34	role user_r;
18d59e15	35
350b6ab7 CP	36	# here until order dependence is fixed:
	37	role unconfined_r;
	38
18d59e15 CP	39	ifdef(`enable_mls',`
18d59e15 CP	40	role secadm_r;
2dbd3824	41	role auditadm_r;
18d59e15	42	')
9fd4b818	43
a266e3cc	44	#
b4cd1533 CP	45	# kernel_t is the domain of kernel threads.
b4cd1533 CP	46	# It is also the target type when checking permissions in the system class.
e276b8e5	47	#
f0574fa9	48	type kernel_t, can_load_kernmodule;
fb0a3a98	49	domain_base_type(kernel_t)
f0574fa9 CP	50	mls_rangetrans_source(kernel_t)
f0574fa9 CP	51	role system_r types kernel_t;
e070dd2d	52	sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
b4cd1533	53
a1fcff33 CP	54	#
	55	# DebugFS
	56	#
	57
	58	type debugfs_t;
	59	fs_type(debugfs_t)
688db17c DW	60	files_mountpoint(debugfs_t)
688db17c DW	61
a1fcff33	62	allow debugfs_t self:filesystem associate;
e02c61cf	63	genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
a1fcff33	64
93784927 CP	65	#
	66	# kvmFS
	67	#
	68
	69	type kvmfs_t;
	70	fs_type(kvmfs_t)
	71	genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
	72
b4cd1533 CP	73	#
	74	# Procfs types
	75	#
	76
d2506343	77	type proc_t, proc_type;
c9428d33	78	files_mountpoint(proc_t)
cbca03f5	79	fs_type(proc_t)
e02c61cf CP	80	genfscon proc / gen_context(system_u:object_r:proc_t,s0)
e02c61cf CP	81	genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
b4cd1533	82
7d4161cd CP	83	type proc_afs_t, proc_type;
	84	genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
	85
b4cd1533	86	# kernel message interface
d2506343	87	type proc_kmsg_t, proc_type;
e070dd2d	88	genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
b518fc2e	89	neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
b4cd1533 CP	90
b4cd1533 CP	91	# /proc kcore: inaccessible
d2506343	92	type proc_kcore_t, proc_type;
e276b8e5	93	neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
e070dd2d	94	genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
b4cd1533	95
d2506343	96	type proc_mdstat_t, proc_type;
e02c61cf	97	genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
b4cd1533	98
d2506343	99	type proc_net_t, proc_type;
e02c61cf	100	genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
b4cd1533	101
a3cf80d8	102	type proc_xen_t, proc_type;
a65fd90a	103	files_mountpoint(proc_xen_t)
a3cf80d8 CP	104	genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
a3cf80d8 CP	105
b4cd1533 CP	106	#
	107	# Sysctl types
	108	#
	109
d2506343 CP	110	# /proc/sys directory, base directory of sysctls
	111	type sysctl_t, sysctl_type;
	112	files_mountpoint(sysctl_t)
e02c61cf CP	113	sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
e02c61cf CP	114	genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
d2506343	115
b4cd1533	116	# /proc/irq directory and files
d2506343	117	type sysctl_irq_t, sysctl_type;
e02c61cf	118	genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
b4cd1533 CP	119
b4cd1533 CP	120	# /proc/net/rpc directory and files
d2506343	121	type sysctl_rpc_t, sysctl_type;
e02c61cf	122	genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
b4cd1533	123
a65fd90a CP	124	# /proc/sys/crypto directory and files
	125	type sysctl_crypto_t, sysctl_type;
	126	genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
	127
b4cd1533	128	# /proc/sys/fs directory and files
d2506343	129	type sysctl_fs_t, sysctl_type;
c9428d33	130	files_mountpoint(sysctl_fs_t)
e02c61cf	131	genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
b4cd1533 CP	132
b4cd1533 CP	133	# /proc/sys/kernel directory and files
d2506343	134	type sysctl_kernel_t, sysctl_type;
e02c61cf	135	genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
b4cd1533 CP	136
b4cd1533 CP	137	# /proc/sys/kernel/modprobe file
d2506343	138	type sysctl_modprobe_t, sysctl_type;
e02c61cf	139	genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
b4cd1533 CP	140
b4cd1533 CP	141	# /proc/sys/kernel/hotplug file
d2506343	142	type sysctl_hotplug_t, sysctl_type;
e02c61cf	143	genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
b4cd1533 CP	144
b4cd1533 CP	145	# /proc/sys/net directory and files
d2506343	146	type sysctl_net_t, sysctl_type;
e02c61cf	147	genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
b4cd1533 CP	148
b4cd1533 CP	149	# /proc/sys/net/unix directory and files
d2506343	150	type sysctl_net_unix_t, sysctl_type;
e02c61cf	151	genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
b4cd1533 CP	152
b4cd1533 CP	153	# /proc/sys/vm directory and files
d2506343	154	type sysctl_vm_t, sysctl_type;
e02c61cf	155	genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
b4cd1533 CP	156
b4cd1533 CP	157	# /proc/sys/dev directory and files
d2506343	158	type sysctl_dev_t, sysctl_type;
e02c61cf	159	genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
a266e3cc	160
d2506343 CP	161	#
	162	# unlabeled_t is the type of unlabeled objects.
	163	# Objects that have no known labeling information or that
	164	# have labels that are no longer valid are treated as having this type.
	165	#
	166	type unlabeled_t;
ed17ee53	167	fs_associate(unlabeled_t)
e070dd2d	168	sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
3eaa9939	169	fs_associate(unlabeled_t)
d2506343 CP	170
d2506343 CP	171	# These initial sids are no longer used, and can be removed:
e070dd2d	172	sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
e02c61cf	173	sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
e070dd2d CP	174	sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
e070dd2d CP	175	sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
b518fc2e	176	sid init gen_context(system_u:object_r:unlabeled_t,s0)
e070dd2d	177	sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
e070dd2d CP	178	sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
e070dd2d CP	179	sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
e02c61cf CP	180	sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
	181	sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
	182	sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
	183	sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
	184	sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
	185	sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
	186	sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
e070dd2d	187	sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
d2506343	188
a266e3cc CP	189	########################################
	190	#
	191	# kernel local policy
	192	#
	193
995bdbb1	194	allow kernel_t self:capability ~{ sys_ptrace };
	195	tunable_policy(`deny_ptrace',`',`
	196	allow kernel_t self:capability sys_ptrace;
	197	')
	198
c3812748	199	allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
c2c00bee CP	200	allow kernel_t self:shm create_shm_perms;
c2c00bee CP	201	allow kernel_t self:sem create_sem_perms;
a266e3cc	202	allow kernel_t self:msg { send receive };
c2c00bee CP	203	allow kernel_t self:msgq create_msgq_perms;
	204	allow kernel_t self:unix_dgram_socket create_socket_perms;
	205	allow kernel_t self:unix_stream_socket create_stream_socket_perms;
a266e3cc CP	206	allow kernel_t self:unix_dgram_socket sendto;
a266e3cc CP	207	allow kernel_t self:unix_stream_socket connectto;
ef659a47 CP	208	allow kernel_t self:fifo_file rw_fifo_file_perms;
ef659a47 CP	209	allow kernel_t self:sock_file read_sock_file_perms;
a266e3cc CP	210	allow kernel_t self:fd use;
a266e3cc CP	211
a65fd90a CP	212	allow kernel_t debugfs_t:dir search_dir_perms;
a65fd90a CP	213
ef659a47 CP	214	allow kernel_t proc_t:dir list_dir_perms;
	215	allow kernel_t proc_t:file read_file_perms;
	216	allow kernel_t proc_t:lnk_file read_lnk_file_perms;
72fcec8c	217
ef659a47 CP	218	allow kernel_t proc_net_t:dir list_dir_perms;
ef659a47 CP	219	allow kernel_t proc_net_t:file read_file_perms;
72fcec8c	220
ef659a47	221	allow kernel_t proc_mdstat_t:file read_file_perms;
72fcec8c	222
a266e3cc	223	allow kernel_t proc_kcore_t:file getattr;
72fcec8c	224
a266e3cc	225	allow kernel_t proc_kmsg_t:file getattr;
72fcec8c	226
ef659a47 CP	227	allow kernel_t sysctl_kernel_t:dir list_dir_perms;
	228	allow kernel_t sysctl_kernel_t:file read_file_perms;
	229	allow kernel_t sysctl_t:dir list_dir_perms;
a266e3cc	230
72fcec8c CP	231	# Other possible mount points for the root fs are in files
	232	allow kernel_t unlabeled_t:dir mounton;
	233	# Kernel-generated traffic e.g., TCP resets on
	234	# connections with invalidated labels:
	235	allow kernel_t unlabeled_t:packet send;
605ba285	236
7722c29e	237	# Allow unlabeled network traffic
308baad2	238	allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
7722c29e CP	239	corenet_in_generic_if(unlabeled_t)
7722c29e CP	240	corenet_in_generic_node(unlabeled_t)
308baad2	241
19006686 CP	242	corenet_all_recvfrom_unlabeled(kernel_t)
19006686 CP	243	corenet_all_recvfrom_netlabel(kernel_t)
a154cd45 CP	244	# Kernel-generated traffic e.g., ICMP replies:
	245	corenet_raw_sendrecv_all_if(kernel_t)
	246	corenet_raw_sendrecv_all_nodes(kernel_t)
bf080a46	247	corenet_raw_send_generic_if(kernel_t)
a154cd45	248	# Kernel-generated traffic e.g., TCP resets:
0fd9dc55 CP	249	corenet_tcp_sendrecv_all_if(kernel_t)
0fd9dc55 CP	250	corenet_tcp_sendrecv_all_nodes(kernel_t)
bf080a46	251	corenet_raw_send_generic_node(kernel_t)
006e9982	252	corenet_send_all_packets(kernel_t)
a154cd45	253
605ba285 CP	254	dev_read_sysfs(kernel_t)
605ba285 CP	255	dev_search_usbfs(kernel_t)
03a6e039 CP	256	# devtmpfs handling:
	257	dev_create_generic_dirs(kernel_t)
	258	dev_delete_generic_dirs(kernel_t)
2e10172e DW	259	dev_create_all_blk_files(kernel_t)
	260	dev_delete_all_blk_files(kernel_t)
	261	dev_create_all_chr_files(kernel_t)
	262	dev_delete_all_chr_files(kernel_t)
d6e1ef29	263	dev_mounton(kernel_t)
72eaebd0	264	dev_filetrans_all_named_dev(kernel_t)
2e10172e	265	storage_filetrans_all_named_dev(kernel_t)
72eaebd0	266	term_filetrans_all_named_dev(kernel_t)
a154cd45	267
e276b8e5	268	# Mount root file system. Used when loading a policy
a154cd45 CP	269	# from initrd, then mounting the root filesystem
a154cd45 CP	270	fs_mount_all_fs(kernel_t)
67b6207a	271	fs_unmount_all_fs(kernel_t)
a154cd45	272
605ba285 CP	273	selinux_load_policy(kernel_t)
605ba285 CP	274
3eaa9939 DW	275	term_use_all_terms(kernel_t)
3eaa9939 DW	276	term_use_ptmx(kernel_t)
605ba285	277
c9428d33	278	corecmd_exec_shell(kernel_t)
8021cb4f	279	corecmd_list_bin(kernel_t)
a154cd45	280	# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
c9428d33	281	corecmd_exec_bin(kernel_t)
a154cd45 CP	282
a154cd45 CP	283	domain_signal_all_domains(kernel_t)
605ba285	284	domain_search_all_domains_state(kernel_t)
588ffaeb	285
c9428d33	286	files_list_root(kernel_t)
712566ee	287	files_list_etc(kernel_t)
c9428d33 CP	288	files_list_home(kernel_t)
c9428d33 CP	289	files_read_usr_files(kernel_t)
3eaa9939 DW	290	files_manage_mounttab(kernel_t)
3eaa9939 DW	291	files_manage_generic_spool_dirs(kernel_t)
588ffaeb	292
9779f092	293	mcs_process_set_categories(kernel_t)
3eaa9939 DW	294	mcs_file_read_all(kernel_t)
3eaa9939 DW	295	mcs_file_write_all(kernel_t)
5218e768	296	mcs_socket_write_all_levels(kernel_t)
9779f092	297
f0574fa9 CP	298	mls_process_read_up(kernel_t)
f0574fa9 CP	299	mls_process_write_down(kernel_t)
9e388253	300	mls_file_downgrade(kernel_t)
67b6207a	301	mls_file_write_all_levels(kernel_t)
e276b8e5	302	mls_file_read_all_levels(kernel_t)
3eaa9939 DW	303	mls_socket_write_all_levels(kernel_t)
	304	mls_fd_share_all_levels(kernel_t)
	305
6b19be33 CP	306	ifdef(`distro_redhat',`
	307	# Bugzilla 222337
	308	fs_rw_tmpfs_chr_files(kernel_t)
	309	')
	310
3eaa9939	311
a11cc065 DW	312	optional_policy(`
	313	apache_filetrans_home_content(kernel_t)
	314	')
	315
a11cc065 DW	316	optional_policy(`
	317	kerberos_filetrans_home_content(kernel_t)
	318	')
	319
bb7170f6	320	optional_policy(`
18cc016f CP	321	hotplug_search_config(kernel_t)
	322	')
	323
bb7170f6	324	optional_policy(`
18cc016f	325	init_sigchld(kernel_t)
f9fad030	326	init_dyntrans(kernel_t)
18cc016f CP	327	')
18cc016f CP	328
bb7170f6	329	optional_policy(`
18cc016f CP	330	libs_use_ld_so(kernel_t)
	331	libs_use_shared_libs(kernel_t)
	332	')
	333
bb7170f6	334	optional_policy(`
18cc016f	335	logging_send_syslog_msg(kernel_t)
c4b9f69a DW	336	logging_manage_generic_logs(kernel_t)
	337	')
	338
a11cc065 DW	339	optional_policy(`
	340	mta_filetrans_home_content(kernel_t)
	341	')
	342
	343	optional_policy(`
	344	ssh_filetrans_home_content(kernel_t)
	345	')
	346
c4b9f69a DW	347	optional_policy(`
c4b9f69a DW	348	userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
18cc016f CP	349	')
18cc016f CP	350
bb7170f6	351	optional_policy(`
34e722f3 CP	352	nis_use_ypbind(kernel_t)
	353	')
	354
bb7170f6	355	optional_policy(`
ff8f0a63	356	# nfs kernel server needs kernel UDP access. It is less risky and painful
43989f82 CP	357	# to just give it everything.
43989f82 CP	358	allow kernel_t self:tcp_socket create_stream_socket_perms;
03776270	359	allow kernel_t self:udp_socket create_socket_perms;
43989f82	360
e276b8e5	361	# nfs kernel server needs kernel UDP access. It is less risky and painful
43989f82	362	# to just give it everything.
668b3093	363	corenet_udp_sendrecv_generic_if(kernel_t)
c1262146	364	corenet_udp_sendrecv_generic_node(kernel_t)
43989f82	365	corenet_udp_sendrecv_all_ports(kernel_t)
c1262146	366	corenet_udp_bind_generic_node(kernel_t)
b8373ee1	367	corenet_sendrecv_portmap_client_packets(kernel_t)
35a4b349	368	corenet_sendrecv_generic_server_packets(kernel_t)
43989f82	369
ed38ca9f CP	370	fs_getattr_xattr_fs(kernel_t)
ed38ca9f CP	371
43989f82 CP	372	auth_dontaudit_getattr_shadow(kernel_t)
	373
	374	sysnet_read_config(kernel_t)
	375
	376	rpc_manage_nfs_ro_content(kernel_t)
	377	rpc_manage_nfs_rw_content(kernel_t)
e276b8e5	378	rpc_udp_rw_nfs_sockets(kernel_t)
43989f82 CP	379
43989f82 CP	380	tunable_policy(`nfs_export_all_ro',`
ed38ca9f CP	381	fs_getattr_noxattr_fs(kernel_t)
	382	fs_list_noxattr_fs(kernel_t)
	383	fs_read_noxattr_fs_files(kernel_t)
	384	fs_read_noxattr_fs_symlinks(kernel_t)
	385
c8edea58	386	files_read_non_security_files(kernel_t)
43989f82 CP	387	')
	388
	389	tunable_policy(`nfs_export_all_rw',`
ed38ca9f CP	390	fs_getattr_noxattr_fs(kernel_t)
	391	fs_list_noxattr_fs(kernel_t)
	392	fs_read_noxattr_fs_files(kernel_t)
	393	fs_read_noxattr_fs_symlinks(kernel_t)
43989f82	394
c8edea58	395	files_manage_non_security_files(kernel_t)
43989f82 CP	396	')
	397	')
	398
bb7170f6	399	optional_policy(`
18cc016f	400	seutil_read_config(kernel_t)
1815bad1	401	seutil_read_bin_policy(kernel_t)
18cc016f CP	402	')
18cc016f CP	403
350b6ab7	404	optional_policy(`
e276b8e5	405	unconfined_domain_noaudit(kernel_t)
350b6ab7 CP	406	')
350b6ab7 CP	407
a11cc065 DW	408	optional_policy(`
	409	virt_filetrans_home_content(kernel_t)
	410	')
	411
3eaa9939 DW	412	optional_policy(`
3eaa9939 DW	413	xserver_xdm_manage_spool(kernel_t)
a11cc065	414	xserver_filetrans_home_content(kernel_t)
3eaa9939 DW	415	')
3eaa9939 DW	416
588ffaeb CP	417	########################################
	418	#
	419	# Unlabeled process local policy
	420	#
	421
bb7170f6	422	optional_policy(`
18cc016f CP	423	# If you load a new policy that removes active domains, processes can
	424	# get stuck if you do not allow unlabeled processes to signal init.
	425	# If you load an incompatible policy, you should probably reboot,
	426	# since you may have compromised system security.
	427	init_sigchld(unlabeled_t)
	428	')
b518fc2e CP	429
	430	########################################
	431	#
	432	# Rules for unconfined acccess to this module
	433	#
	434
6b19be33	435	allow kern_unconfined proc_type:{ dir file lnk_file } *;
b518fc2e	436
8152a788	437	allow kern_unconfined sysctl_type:{ dir file } *;
b518fc2e CP	438
	439	allow kern_unconfined kernel_t:system *;
	440
	441	allow kern_unconfined unlabeled_t:dir_file_class_set *;
	442	allow kern_unconfined unlabeled_t:filesystem *;
	443	allow kern_unconfined unlabeled_t:association *;
c5657a26	444	allow kern_unconfined unlabeled_t:packet *;
995bdbb1	445	allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
995d6fea DW	446
	447	gen_require(`
	448	bool secure_mode_insmod;
	449	')
	450
	451	if( ! secure_mode_insmod ) {
	452	allow can_load_kernmodule self:capability sys_module;
	453	# load_module() calls stop_machine() which
	454	# calls sched_setscheduler()
	455	allow can_load_kernmodule self:capability sys_nice;
	456	kernel_setsched(can_load_kernmodule)
8c7bd1ff	457	}
995d6fea	458