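policy_module(sandbox, 1.0.0)

# Brings the dbus object class into scope: several domains below are
# granted dbus { acquire_svc send_msg } on self.
dbus_stub()

########################################
#
# Declarations
#

# Attributes used to layer the sandbox flavours. Reading this file alone,
# the rules grow from sandbox_domain (no X, no corenet_ rules here) to
# sandbox_x_domain (private X server, ptys) to sandbox_web_type (outbound
# TCP to a fixed port list) to sandbox_net_client_t (all ports). The
# *_template interfaces called below are defined outside this file and
# may add further rules to each flavour.
attribute sandbox_domain;
attribute sandbox_x_domain;
attribute sandbox_web_type;
attribute sandbox_file_type;
attribute sandbox_tmpfs_type;
attribute sandbox_type;

type sandbox_exec_t;
files_type(sandbox_exec_t)

type sandbox_file_t, sandbox_file_type;
files_type(sandbox_file_t)
# NOTE: every per-flavour file type is an alias of the single
# sandbox_file_t type. Aliases do not separate anything: a domain that can
# manage sandbox_file_t (sandbox_domain and sandbox_x_domain below) reaches
# the files of every flavour.
typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };

sandbox_domain_template(sandbox)
sandbox_x_domain_template(sandbox_min)
sandbox_x_domain_template(sandbox_x)
sandbox_x_domain_template(sandbox_web)
sandbox_x_domain_template(sandbox_net)

# Private X server that sandbox_x_domain clients connect to.
type sandbox_xserver_t;
domain_type(sandbox_xserver_t)
xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)

type sandbox_xserver_tmpfs_t;
files_tmpfs_file(sandbox_xserver_tmpfs_t)

# Pseudo-terminals created by sandbox_x_domain (see term_create_pty below).
type sandbox_devpts_t;
term_pty(sandbox_devpts_t)
files_type(sandbox_devpts_t)

########################################
#
# sandbox xserver policy
#

# execmem/execstack are granted to the X server process itself; they are
# not inherited by the sandboxed clients.
allow sandbox_xserver_t self:process { execmem execstack };
allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
allow sandbox_xserver_t self:shm create_shm_perms;
allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;

manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })

kernel_dontaudit_request_load_module(sandbox_xserver_t)

corecmd_exec_bin(sandbox_xserver_t)
corecmd_exec_shell(sandbox_xserver_t)

# The X server may send/receive on all ports but only binds the xserver
# port; client-side connects are not granted to it here.
corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
corenet_all_recvfrom_netlabel(sandbox_xserver_t)
corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
corenet_tcp_bind_generic_node(sandbox_xserver_t)
corenet_tcp_bind_xserver_port(sandbox_xserver_t)
corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
corenet_sendrecv_all_client_packets(sandbox_xserver_t)

# read/write/execute mappings of /dev/zero for the X server.
dev_rwx_zero(sandbox_xserver_t)

files_read_config_files(sandbox_xserver_t)
files_read_usr_files(sandbox_xserver_t)
files_search_home(sandbox_xserver_t)
fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
fs_list_inotifyfs(sandbox_xserver_t)
fs_search_auto_mountpoints(sandbox_xserver_t)

miscfiles_read_fonts(sandbox_xserver_t)
miscfiles_read_localization(sandbox_xserver_t)

kernel_read_system_state(sandbox_xserver_t)

# Access-vector and create-context computation; presumably needed by the
# X server's SELinux extension — confirm against the xserver module.
selinux_validate_context(sandbox_xserver_t)
selinux_compute_access_vector(sandbox_xserver_t)
selinux_compute_create_context(sandbox_xserver_t)

auth_use_nsswitch(sandbox_xserver_t)

logging_send_syslog_msg(sandbox_xserver_t)
logging_send_audit_msgs(sandbox_xserver_t)

userdom_use_inherited_user_terminals(sandbox_xserver_t)
userdom_dontaudit_search_user_home_content(sandbox_xserver_t)

xserver_entry_type(sandbox_xserver_t)

optional_policy(`
	dbus_system_bus_client(sandbox_xserver_t)

	optional_policy(`
		hal_dbus_chat(sandbox_xserver_t)
	')
')

########################################
#
# sandbox local policy
#

allow sandbox_domain self:fifo_file manage_file_perms;
allow sandbox_domain self:sem create_sem_perms;
allow sandbox_domain self:shm create_shm_perms;
allow sandbox_domain self:msgq create_msgq_perms;
allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# Only inherited (already open) device descriptors, not opening devices.
dev_rw_all_inherited_chr_files(sandbox_domain)
dev_rw_all_inherited_blk_files(sandbox_domain)

can_exec(sandbox_domain, sandbox_file_t)
allow sandbox_domain sandbox_file_t:filesystem getattr;
manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t)
manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t)
manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t)
manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t)
manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t)
dontaudit sandbox_domain sandbox_file_t:dir mounton;

# Types excluded from the inherited-file rule below. locale_t was listed
# twice; it is required once here.
gen_require(`
	type usr_t, lib_t, locale_t;
	type var_t, var_run_t, rpm_log_t;
	attribute exec_type, configfile;
')

# Inherited file descriptors of (almost) any type stay usable inside the
# sandbox; executables, config files, /usr, libraries, locale data, /var,
# /run, devices and the rpm log are excluded.
# NOTE(review): device_t is negated here but is not in the gen_require
# above — confirm the interface itself requires it, otherwise add it.
files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
# Per the interface name, any file type may serve as the sandbox's
# entrypoint — the sandbox is not restricted to sandbox_exec_t.
files_entrypoint_all_files(sandbox_domain)

files_read_config_files(sandbox_domain)
files_read_usr_files(sandbox_domain)
files_read_var_files(sandbox_domain)
files_dontaudit_search_all_dirs(sandbox_domain)

miscfiles_read_localization(sandbox_domain)

kernel_dontaudit_read_system_state(sandbox_domain)
corecmd_exec_all_executables(sandbox_domain)

userdom_dontaudit_use_user_terminals(sandbox_domain)

mta_dontaudit_read_spool_symlinks(sandbox_domain)

########################################
#
# sandbox_x_domain local policy
#

allow sandbox_x_domain self:fifo_file manage_file_perms;
allow sandbox_x_domain self:sem create_sem_perms;
allow sandbox_x_domain self:shm create_shm_perms;
allow sandbox_x_domain self:msgq create_msgq_perms;
# connectto on self covers the plain create_stream_socket_perms rule that
# was previously stated twice more in this section.
allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# execstack/execmem are granted to every X-enabled sandbox client here,
# unlike the base sandbox_domain.
allow sandbox_x_domain self:process { signal_perms getsched setsched setpgid execstack execmem };
dontaudit sandbox_x_domain sandbox_x_domain:process signal;
dontaudit sandbox_x_domain sandbox_xserver_t:process signal;

# Clients reach the private X server only over its unix socket.
allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;

allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
term_create_pty(sandbox_x_domain, sandbox_devpts_t)

can_exec(sandbox_x_domain, sandbox_file_t)
allow sandbox_x_domain sandbox_file_t:filesystem getattr;
manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t)
manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t)
manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t)
manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t)
manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t)

domain_dontaudit_read_all_domains_state(sandbox_x_domain)

files_search_home(sandbox_x_domain)
files_dontaudit_list_all_mountpoints(sandbox_x_domain)

kernel_getattr_proc(sandbox_x_domain)
kernel_read_network_state(sandbox_x_domain)
kernel_read_system_state(sandbox_x_domain)

corecmd_exec_all_executables(sandbox_x_domain)

dev_read_urand(sandbox_x_domain)
dev_dontaudit_read_rand(sandbox_x_domain)
dev_read_sysfs(sandbox_x_domain)

files_entrypoint_all_files(sandbox_x_domain)
files_read_config_files(sandbox_x_domain)
files_read_usr_files(sandbox_x_domain)
files_read_usr_symlinks(sandbox_x_domain)

fs_getattr_tmpfs(sandbox_x_domain)
fs_getattr_xattr_fs(sandbox_x_domain)
fs_list_inotifyfs(sandbox_x_domain)
fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)

auth_dontaudit_read_login_records(sandbox_x_domain)
auth_dontaudit_write_login_records(sandbox_x_domain)
auth_use_nsswitch(sandbox_x_domain)
auth_search_pam_console_data(sandbox_x_domain)

init_read_utmp(sandbox_x_domain)
init_dontaudit_write_utmp(sandbox_x_domain)

miscfiles_read_localization(sandbox_x_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)

mta_dontaudit_read_spool_symlinks(sandbox_x_domain)

selinux_get_fs_mount(sandbox_x_domain)
selinux_validate_context(sandbox_x_domain)
selinux_compute_access_vector(sandbox_x_domain)
selinux_compute_create_context(sandbox_x_domain)
selinux_compute_relabel_context(sandbox_x_domain)
selinux_compute_user_contexts(sandbox_x_domain)
seutil_read_default_contexts(sandbox_x_domain)

term_getattr_pty_fs(sandbox_x_domain)
term_use_ptmx(sandbox_x_domain)
term_search_ptys(sandbox_x_domain)

application_dontaudit_signal(sandbox_x_domain)
application_dontaudit_sigkill(sandbox_x_domain)

logging_send_syslog_msg(sandbox_x_domain)
logging_dontaudit_search_logs(sandbox_x_domain)

miscfiles_read_fonts(sandbox_x_domain)

storage_dontaudit_rw_fuse(sandbox_x_domain)

optional_policy(`
	consolekit_dbus_chat(sandbox_x_domain)
')

optional_policy(`
	cups_stream_connect(sandbox_x_domain)
	cups_read_rw_config(sandbox_x_domain)
')

optional_policy(`
	dbus_system_bus_client(sandbox_x_domain)
')

optional_policy(`
	gnome_read_gconf_config(sandbox_x_domain)
')

optional_policy(`
	nscd_dontaudit_search_pid(sandbox_x_domain)
')

optional_policy(`
	sssd_dontaudit_search_lib(sandbox_x_domain)
')

optional_policy(`
	udev_read_db(sandbox_x_domain)
')

userdom_dontaudit_use_user_terminals(sandbox_x_domain)
userdom_read_user_home_content_symlinks(sandbox_x_domain)
userdom_search_user_home_content(sandbox_x_domain)

# Unconditional; the use_nfs_home_dirs block no longer repeats it.
fs_search_auto_mountpoints(sandbox_x_domain)

# With the home-directory booleans on, the X server only reads the remote
# home, but X clients may manage and execute files there.
tunable_policy(`use_nfs_home_dirs',`
	fs_search_nfs(sandbox_xserver_t)
	fs_read_nfs_files(sandbox_xserver_t)
	fs_manage_nfs_dirs(sandbox_x_domain)
	fs_manage_nfs_files(sandbox_x_domain)
	fs_exec_nfs_files(sandbox_x_domain)
')

tunable_policy(`use_samba_home_dirs',`
	fs_search_cifs(sandbox_xserver_t)
	fs_read_cifs_files(sandbox_xserver_t)
	fs_manage_cifs_dirs(sandbox_x_domain)
	fs_manage_cifs_files(sandbox_x_domain)
	fs_exec_cifs_files(sandbox_x_domain)
')

tunable_policy(`use_fusefs_home_dirs',`
	fs_search_fusefs(sandbox_xserver_t)
	fs_read_fusefs_files(sandbox_xserver_t)
	fs_manage_fusefs_dirs(sandbox_x_domain)
	fs_manage_fusefs_files(sandbox_x_domain)
	fs_exec_fusefs_files(sandbox_x_domain)
')

# Rules for the sandbox_x_t flavour specifically (not the whole attribute).
files_search_home(sandbox_x_t)
userdom_use_user_ptys(sandbox_x_t)

# Moved here from the sandbox_net_client_t section: these rules concern
# sandbox_x_t, the X server and sandbox_x_domain, not the net client.
optional_policy(`
	mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
	mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
	mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
')

########################################
#
# sandbox_x_client_t local policy
#

allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
allow sandbox_x_client_t self:udp_socket create_socket_perms;
allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;

dev_read_rand(sandbox_x_client_t)

# The only outbound connect granted to the plain X client is the ipp port.
corenet_tcp_connect_ipp_port(sandbox_x_client_t)

auth_use_nsswitch(sandbox_x_client_t)

optional_policy(`
	hal_dbus_chat(sandbox_x_client_t)
')

optional_policy(`
	nsplugin_read_rw_files(sandbox_x_client_t)
')

########################################
#
# sandbox_web_client_t local policy
#

typeattribute sandbox_web_client_t sandbox_web_type;

# setuid/setgid capabilities are granted to every sandbox_web_type domain
# (sandbox_web_client_t and sandbox_net_client_t).
allow sandbox_web_type self:capability { setuid setgid };
allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
dontaudit sandbox_web_type self:process setrlimit;

allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
allow sandbox_web_type self:udp_socket create_socket_perms;
allow sandbox_web_type self:dbus { acquire_svc send_msg };
allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;

kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
# Web clients may trigger kernel module auto-loading; the X server only
# gets a dontaudit for the same request.
kernel_request_load_module(sandbox_web_type)

dev_read_rand(sandbox_web_type)
dev_write_sound(sandbox_web_type)
dev_read_sound(sandbox_web_type)

# Outbound TCP is limited to the ports listed here; generic_port is the
# broadest entry. Raw sockets are granted on generic interfaces/nodes.
corenet_all_recvfrom_unlabeled(sandbox_web_type)
corenet_all_recvfrom_netlabel(sandbox_web_type)
corenet_tcp_sendrecv_generic_if(sandbox_web_type)
corenet_raw_sendrecv_generic_if(sandbox_web_type)
corenet_tcp_sendrecv_generic_node(sandbox_web_type)
corenet_raw_sendrecv_generic_node(sandbox_web_type)
corenet_tcp_sendrecv_http_port(sandbox_web_type)
corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
corenet_tcp_sendrecv_squid_port(sandbox_web_type)
corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
corenet_tcp_connect_http_port(sandbox_web_type)
corenet_tcp_connect_http_cache_port(sandbox_web_type)
corenet_tcp_connect_squid_port(sandbox_web_type)
corenet_tcp_connect_flash_port(sandbox_web_type)
corenet_tcp_connect_ftp_port(sandbox_web_type)
corenet_tcp_connect_ipp_port(sandbox_web_type)
corenet_tcp_connect_streaming_port(sandbox_web_type)
corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
corenet_tcp_connect_speech_port(sandbox_web_type)
corenet_tcp_connect_generic_port(sandbox_web_type)
corenet_tcp_connect_soundd_port(sandbox_web_type)
corenet_sendrecv_http_client_packets(sandbox_web_type)
corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
corenet_sendrecv_squid_client_packets(sandbox_web_type)
corenet_sendrecv_ftp_client_packets(sandbox_web_type)
corenet_sendrecv_ipp_client_packets(sandbox_web_type)
corenet_sendrecv_generic_client_packets(sandbox_web_type)

corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)

files_dontaudit_getattr_all_dirs(sandbox_web_type)

fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
fs_dontaudit_getattr_all_fs(sandbox_web_type)

storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)

auth_use_nsswitch(sandbox_web_type)

dbus_system_bus_client(sandbox_web_type)
dbus_read_config(sandbox_web_type)

selinux_get_fs_mount(sandbox_web_type)
selinux_validate_context(sandbox_web_type)
selinux_compute_access_vector(sandbox_web_type)
selinux_compute_create_context(sandbox_web_type)
selinux_compute_relabel_context(sandbox_web_type)
selinux_compute_user_contexts(sandbox_web_type)
seutil_read_default_contexts(sandbox_web_type)

userdom_rw_user_tmpfs_files(sandbox_web_type)
userdom_delete_user_tmpfs_files(sandbox_web_type)

optional_policy(`
	alsa_read_rw_config(sandbox_web_type)
')

optional_policy(`
	bluetooth_dontaudit_dbus_chat(sandbox_web_type)
')

optional_policy(`
	hal_dbus_chat(sandbox_web_type)
')

optional_policy(`
	nsplugin_read_rw_files(sandbox_web_type)
	nsplugin_rw_exec(sandbox_web_type)
')

optional_policy(`
	pulseaudio_stream_connect(sandbox_web_type)
	allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
')

optional_policy(`
	rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
')

optional_policy(`
	networkmanager_dontaudit_dbus_chat(sandbox_web_type)
')

optional_policy(`
	udev_read_state(sandbox_web_type)
')

########################################
#
# sandbox_net_client_t local policy
#

# Inherits everything granted to sandbox_web_type above, then widens
# outbound access to every port.
typeattribute sandbox_net_client_t sandbox_web_type;

corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
corenet_all_recvfrom_netlabel(sandbox_net_client_t)
corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)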