policy_module(sandbox,1.0.0)
dbus_stub()
# Attributes used to address whole classes of sandbox domains and their
# file/tmpfs types at once; the rule sections below are written against them.
attribute sandbox_domain;
attribute sandbox_x_domain;
attribute sandbox_web_type;
attribute sandbox_file_type;
attribute sandbox_tmpfs_type;
attribute sandbox_type;

type sandbox_exec_t;
files_type(sandbox_exec_t)

type sandbox_file_t, sandbox_file_type;
files_type(sandbox_file_t)
# NOTE(review): the per-flavor file types are plain aliases of sandbox_file_t,
# so files belonging to the x, web, net and min sandboxes all carry one label;
# the flavors are not isolated from one another at the file level.
typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };

########################################
#
# Declarations
#

# One non-X sandbox and four X-capable flavors. The templates are presumably
# defined in this module's interface file (not visible here) and are expected
# to attach the sandbox_domain / sandbox_x_domain attributes used below.
sandbox_domain_template(sandbox)
sandbox_x_domain_template(sandbox_min)
sandbox_x_domain_template(sandbox_x)
sandbox_x_domain_template(sandbox_web)
sandbox_x_domain_template(sandbox_net)

# X server domain that the sandboxed X domains connect to (see the
# connectto rule in the sandbox_x_domain section).
type sandbox_xserver_t;
domain_type(sandbox_xserver_t)
xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)

type sandbox_xserver_tmpfs_t;
files_tmpfs_file(sandbox_xserver_tmpfs_t)

# Pseudo-terminal type created for sandboxed X domains (term_create_pty below).
type sandbox_devpts_t;
term_pty(sandbox_devpts_t)
files_type(sandbox_devpts_t)
38
########################################
#
# sandbox xserver policy
#
# Executable stack is always permitted; executable anonymous memory only while
# the deny_execmem boolean is off (the tunable's "true" branch is empty, the
# grant sits in the "false" branch).
allow sandbox_xserver_t self:process execstack;

tunable_policy(`deny_execmem',`',`
	allow sandbox_xserver_t self:process execmem;
')

allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
allow sandbox_xserver_t self:shm create_shm_perms;
allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;

# Full control over the shared sandbox file type, including socket files.
manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;

# Private tmpfs content; newly created tmpfs objects of the listed classes are
# labeled sandbox_xserver_tmpfs_t through the filetrans.
manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# Module autoload requests are silenced here (contrast the web sandbox, which
# is allowed to request them).
kernel_dontaudit_request_load_module(sandbox_xserver_t)
kernel_read_system_state(sandbox_xserver_t)

corecmd_exec_bin(sandbox_xserver_t)
corecmd_exec_shell(sandbox_xserver_t)

# Network: only the xserver port is bound, but send/receive is permitted on all
# TCP and UDP ports and from unlabeled/netlabel peers, which is wider than the
# bind rule alone would suggest.
corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
corenet_all_recvfrom_netlabel(sandbox_xserver_t)
corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
corenet_tcp_bind_generic_node(sandbox_xserver_t)
corenet_tcp_bind_xserver_port(sandbox_xserver_t)
corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
corenet_sendrecv_all_client_packets(sandbox_xserver_t)

dev_read_sysfs(sandbox_xserver_t)
# Read/write/execute mapping of the zero device: a further route to executable
# memory, alongside the execstack/execmem grants above.
dev_rwx_zero(sandbox_xserver_t)
dev_read_urand(sandbox_xserver_t)

domain_use_interactive_fds(sandbox_xserver_t)

files_read_config_files(sandbox_xserver_t)
files_read_usr_files(sandbox_xserver_t)
files_search_home(sandbox_xserver_t)
fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
fs_list_inotifyfs(sandbox_xserver_t)
fs_search_auto_mountpoints(sandbox_xserver_t)

miscfiles_read_fonts(sandbox_xserver_t)
miscfiles_read_localization(sandbox_xserver_t)

# Security-server queries (context validation and access/create computations),
# as a userspace object manager would issue.
selinux_validate_context(sandbox_xserver_t)
selinux_compute_access_vector(sandbox_xserver_t)
selinux_compute_create_context(sandbox_xserver_t)

auth_use_nsswitch(sandbox_xserver_t)

logging_send_syslog_msg(sandbox_xserver_t)
logging_send_audit_msgs(sandbox_xserver_t)

userdom_use_inherited_user_terminals(sandbox_xserver_t)
userdom_dontaudit_search_user_home_content(sandbox_xserver_t)

# Registers this type with the xserver module's interfaces as an X server
# domain (presumably; the interface body is not visible here).
xserver_entry_type(sandbox_xserver_t)

optional_policy(`
	dbus_system_bus_client(sandbox_xserver_t)

	optional_policy(`
		hal_dbus_chat(sandbox_xserver_t)
	')
')
121
########################################
#
# sandbox local policy
#
# Applies to every domain carrying the sandbox_domain attribute.

allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
# execmem is granted only while the deny_execmem boolean is off.
tunable_policy(`deny_execmem',`',`
	allow sandbox_domain self:process execmem;
')

allow sandbox_domain self:fifo_file manage_file_perms;
allow sandbox_domain self:sem create_sem_perms;
allow sandbox_domain self:shm create_shm_perms;
allow sandbox_domain self:msgq create_msgq_perms;
allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
# Audit-socket use is silenced rather than allowed here; compare the explicit
# nlmsg_relay allow given to sandbox_web_type further down.
dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# Device access is limited to descriptors inherited from the caller.
dev_rw_all_inherited_chr_files(sandbox_domain)
dev_rw_all_inherited_blk_files(sandbox_domain)

# The sandbox may both modify and execute its own files: there is no
# write-xor-execute separation on sandbox_file_t.
can_exec(sandbox_domain, sandbox_file_t)
allow sandbox_domain sandbox_file_t:filesystem getattr;
manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
dontaudit sandbox_domain sandbox_file_t:dir mounton;

# NOTE(review): locale_t is listed twice (redundant). device_t is used in the
# exclusion list below but is not required here; presumably a dev_* interface's
# own require block brings it into scope — confirm the module builds standalone.
gen_require(`
	type usr_t, lib_t, locale_t;
	type var_t, var_run_t, rpm_log_t, locale_t;
	attribute exec_type, configfile;
')

kernel_dontaudit_read_system_state(sandbox_domain)

corecmd_exec_all_executables(sandbox_domain)

# Read/write on inherited descriptors of every file type except the excluded
# executable, config, usr/lib/locale, var, var_run, device and rpm log types.
files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
# Any file type may serve as the entry point into a sandbox domain.
files_entrypoint_all_files(sandbox_domain)

files_read_config_files(sandbox_domain)
files_read_usr_files(sandbox_domain)
files_read_var_files(sandbox_domain)
files_dontaudit_search_all_dirs(sandbox_domain)

miscfiles_read_localization(sandbox_domain)

userdom_dontaudit_use_user_terminals(sandbox_domain)

mta_dontaudit_read_spool_symlinks(sandbox_domain)
175
########################################
#
# sandbox_x_domain local policy
#
# Applies to every domain carrying sandbox_x_domain (presumably attached to the
# min/x/web/net flavors by sandbox_x_domain_template). Several rules mirror the
# sandbox_domain section above.
allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
# execmem is granted only while the deny_execmem boolean is off.
tunable_policy(`deny_execmem',`',`
	allow sandbox_x_domain self:process execmem;
')

allow sandbox_x_domain self:fifo_file manage_file_perms;
allow sandbox_x_domain self:sem create_sem_perms;
allow sandbox_x_domain self:shm create_shm_perms;
allow sandbox_x_domain self:msgq create_msgq_perms;
allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };

# Signals between sandboxed X domains and toward the sandbox X server are
# silenced, not permitted.
dontaudit sandbox_x_domain sandbox_x_domain:process signal;
dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# The client side of the connection to the sandbox X server's unix socket.
allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;

# Own pty type for terminal I/O inside the sandbox.
allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
term_create_pty(sandbox_x_domain,sandbox_devpts_t)

# Same write-plus-execute access to sandbox_file_t as sandbox_domain.
can_exec(sandbox_x_domain, sandbox_file_t)
allow sandbox_x_domain sandbox_file_t:filesystem getattr;
manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
dontaudit sandbox_x_domain sandbox_file_t:dir mounton;

# Unlike sandbox_domain, which only dontaudits it, X sandboxes may read kernel
# system and network state.
kernel_getattr_proc(sandbox_x_domain)
kernel_read_network_state(sandbox_x_domain)
kernel_read_system_state(sandbox_x_domain)
kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)

domain_dontaudit_read_all_domains_state(sandbox_x_domain)

corecmd_exec_all_executables(sandbox_x_domain)

dev_read_urand(sandbox_x_domain)
dev_dontaudit_read_rand(sandbox_x_domain)
dev_read_sysfs(sandbox_x_domain)

files_search_home(sandbox_x_domain)
files_dontaudit_list_all_mountpoints(sandbox_x_domain)
# Any file type may serve as the entry point into an X sandbox domain.
files_entrypoint_all_files(sandbox_x_domain)
files_read_config_files(sandbox_x_domain)
files_read_usr_files(sandbox_x_domain)
files_read_usr_symlinks(sandbox_x_domain)

fs_getattr_tmpfs(sandbox_x_domain)
fs_getattr_xattr_fs(sandbox_x_domain)
fs_list_inotifyfs(sandbox_x_domain)
fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)

auth_dontaudit_read_login_records(sandbox_x_domain)
auth_dontaudit_write_login_records(sandbox_x_domain)
auth_search_pam_console_data(sandbox_x_domain)

init_read_utmp(sandbox_x_domain)
init_dontaudit_write_utmp(sandbox_x_domain)

libs_dontaudit_setattr_lib_files(sandbox_x_domain)

miscfiles_read_localization(sandbox_x_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)

mta_dontaudit_read_spool_symlinks(sandbox_x_domain)

# Security-server queries: context validation plus access, create, relabel and
# user-context computations, and the default contexts files.
selinux_get_fs_mount(sandbox_x_domain)
selinux_validate_context(sandbox_x_domain)
selinux_compute_access_vector(sandbox_x_domain)
selinux_compute_create_context(sandbox_x_domain)
selinux_compute_relabel_context(sandbox_x_domain)
selinux_compute_user_contexts(sandbox_x_domain)
seutil_read_default_contexts(sandbox_x_domain)

term_getattr_pty_fs(sandbox_x_domain)
term_use_ptmx(sandbox_x_domain)
term_search_ptys(sandbox_x_domain)

application_dontaudit_signal(sandbox_x_domain)
application_dontaudit_sigkill(sandbox_x_domain)

logging_send_syslog_msg(sandbox_x_domain)
logging_dontaudit_search_logs(sandbox_x_domain)

miscfiles_read_fonts(sandbox_x_domain)

storage_dontaudit_rw_fuse(sandbox_x_domain)

optional_policy(`
	consolekit_dbus_chat(sandbox_x_domain)
')

optional_policy(`
	cups_stream_connect(sandbox_x_domain)
	cups_read_rw_config(sandbox_x_domain)
')

optional_policy(`
	dbus_system_bus_client(sandbox_x_domain)
')

optional_policy(`
	devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
')

optional_policy(`
	gnome_read_gconf_config(sandbox_x_domain)
')

optional_policy(`
	nscd_dontaudit_search_pid(sandbox_x_domain)
')

optional_policy(`
	sssd_dontaudit_search_lib(sandbox_x_domain)
')

optional_policy(`
	udev_read_db(sandbox_x_domain)
')

userdom_dontaudit_use_user_terminals(sandbox_x_domain)
userdom_read_user_home_content_symlinks(sandbox_x_domain)
userdom_search_user_home_content(sandbox_x_domain)

fs_search_auto_mountpoints(sandbox_x_domain)

# Remote home directories: each tunable gives the X sandboxes manage+exec on
# the respective filesystem and the sandbox X server search/read.
# NOTE(review): fs_search_auto_mountpoints is already granted unconditionally
# just above, so the copy inside use_nfs_home_dirs is redundant; the
# sandbox_xserver_t rules in these three blocks would sit more naturally in
# the xserver section.
tunable_policy(`use_nfs_home_dirs',`
	fs_search_auto_mountpoints(sandbox_x_domain)
	fs_search_nfs(sandbox_xserver_t)
	fs_read_nfs_files(sandbox_xserver_t)
	fs_manage_nfs_dirs(sandbox_x_domain)
	fs_manage_nfs_files(sandbox_x_domain)
	fs_exec_nfs_files(sandbox_x_domain)
')

tunable_policy(`use_samba_home_dirs',`
	fs_search_cifs(sandbox_xserver_t)
	fs_read_cifs_files(sandbox_xserver_t)
	fs_manage_cifs_dirs(sandbox_x_domain)
	fs_manage_cifs_files(sandbox_x_domain)
	fs_exec_cifs_files(sandbox_x_domain)
')

tunable_policy(`use_fusefs_home_dirs',`
	fs_search_fusefs(sandbox_xserver_t)
	fs_read_fusefs_files(sandbox_xserver_t)
	fs_manage_fusefs_dirs(sandbox_x_domain)
	fs_manage_fusefs_files(sandbox_x_domain)
	fs_exec_fusefs_files(sandbox_x_domain)
')

# Only the plain sandbox_x_t flavor gets home search and the user's ptys;
# min/web/net do not.
files_search_home(sandbox_x_t)
userdom_use_user_ptys(sandbox_x_t)
338
########################################
#
# sandbox_x_client_t local policy
#
# Network is limited to generic TCP/UDP socket creation plus outbound
# connections to the IPP (printing) port; there is no sandbox_web_type here.
allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
allow sandbox_x_client_t self:udp_socket create_socket_perms;
allow sandbox_x_client_t self:dbus { acquire_svc send_msg };

dev_read_rand(sandbox_x_client_t)

corenet_tcp_connect_ipp_port(sandbox_x_client_t)

auth_use_nsswitch(sandbox_x_client_t)

optional_policy(`
	hal_dbus_chat(sandbox_x_client_t)
')
356
########################################
#
# sandbox_web_client_t local policy
#
# Everything written against sandbox_web_type below also applies to any other
# type given that attribute (sandbox_net_client_t is, in the next section).
typeattribute sandbox_web_client_t sandbox_web_type;

auth_use_nsswitch(sandbox_web_client_t)

# NOTE(review): the only capability grant in this module. setuid/setgid let
# the web sandbox change its own uid/gid; confirm the contained workload
# actually needs them.
allow sandbox_web_type self:capability { setuid setgid };
# Explicitly allowed here, whereas sandbox_domain/sandbox_x_domain only
# dontaudit audit-socket use.
allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
dontaudit sandbox_web_type self:process setrlimit;

allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
allow sandbox_web_type self:udp_socket create_socket_perms;
allow sandbox_web_type self:dbus { acquire_svc send_msg };

kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
# May trigger kernel module autoloading (silenced for the xserver above).
kernel_request_load_module(sandbox_web_type)

dev_read_rand(sandbox_web_type)
dev_write_sound(sandbox_web_type)
dev_read_sound(sandbox_web_type)

# Outbound network: web, HTTP cache, squid, FTP, printing, flash, streaming,
# audio and speech ports, all ephemeral ports and the generic port type.
# NOTE(review): corenet_tcp_connect_speech_port is listed twice (redundant).
corenet_all_recvfrom_unlabeled(sandbox_web_type)
corenet_all_recvfrom_netlabel(sandbox_web_type)
corenet_tcp_sendrecv_generic_if(sandbox_web_type)
corenet_raw_sendrecv_generic_if(sandbox_web_type)
corenet_tcp_sendrecv_generic_node(sandbox_web_type)
corenet_raw_sendrecv_generic_node(sandbox_web_type)
corenet_tcp_sendrecv_http_port(sandbox_web_type)
corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
corenet_tcp_sendrecv_squid_port(sandbox_web_type)
corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
corenet_tcp_connect_http_port(sandbox_web_type)
corenet_tcp_connect_http_cache_port(sandbox_web_type)
corenet_tcp_connect_squid_port(sandbox_web_type)
corenet_tcp_connect_flash_port(sandbox_web_type)
corenet_tcp_connect_ftp_port(sandbox_web_type)
corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
corenet_tcp_connect_ipp_port(sandbox_web_type)
corenet_tcp_connect_streaming_port(sandbox_web_type)
corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
corenet_tcp_connect_speech_port(sandbox_web_type)
corenet_tcp_connect_generic_port(sandbox_web_type)
corenet_tcp_connect_soundd_port(sandbox_web_type)
corenet_tcp_connect_speech_port(sandbox_web_type)
corenet_sendrecv_http_client_packets(sandbox_web_type)
corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
corenet_sendrecv_squid_client_packets(sandbox_web_type)
corenet_sendrecv_ftp_client_packets(sandbox_web_type)
corenet_sendrecv_ipp_client_packets(sandbox_web_type)
corenet_sendrecv_generic_client_packets(sandbox_web_type)

# Binding and generic-port traffic are silenced, not granted.
corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)

files_dontaudit_getattr_all_dirs(sandbox_web_type)

fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
fs_dontaudit_getattr_all_fs(sandbox_web_type)

storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)

# System bus client access is unconditional here (not wrapped in
# optional_policy as it is for the xserver and sandbox_x_domain).
dbus_system_bus_client(sandbox_web_type)
dbus_read_config(sandbox_web_type)
selinux_get_fs_mount(sandbox_web_type)
selinux_validate_context(sandbox_web_type)
selinux_compute_access_vector(sandbox_web_type)
selinux_compute_create_context(sandbox_web_type)
selinux_compute_relabel_context(sandbox_web_type)
selinux_compute_user_contexts(sandbox_web_type)
seutil_read_default_contexts(sandbox_web_type)

# Read/write and delete on the user's tmpfs files (shared memory segments of
# the owning user are reachable from inside the web sandbox).
userdom_rw_user_tmpfs_files(sandbox_web_type)
userdom_delete_user_tmpfs_files(sandbox_web_type)

optional_policy(`
	alsa_read_rw_config(sandbox_web_type)
')

optional_policy(`
	bluetooth_dontaudit_dbus_chat(sandbox_web_type)
')

optional_policy(`
	hal_dbus_chat(sandbox_web_type)
')

optional_policy(`
	pulseaudio_stream_connect(sandbox_web_type)
	allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
')

optional_policy(`
	rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
')

optional_policy(`
	networkmanager_dontaudit_dbus_chat(sandbox_web_type)
')

optional_policy(`
	udev_read_state(sandbox_web_type)
')
462
########################################
#
# sandbox_net_client_t local policy
#
# Also tagged sandbox_web_type, so every sandbox_web_type rule in the previous
# section (including the setuid/setgid capability, module-load requests and
# system-bus access) applies to the net sandbox as well, on top of the
# all-ports network access below.
typeattribute sandbox_net_client_t sandbox_web_type;

# Unrestricted outbound TCP: send/receive on all TCP and UDP ports and connect
# to any TCP port, from any labeled or unlabeled peer.
corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
corenet_all_recvfrom_netlabel(sandbox_net_client_t)
corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)

auth_use_nsswitch(sandbox_net_client_t)