# Base policy for every process type: declares the attributes that all
# process domains share, the tunables that widen access for every domain,
# the rules each confined domain receives, and the blanket access given to
# unconfined_domain_type.
policy_module(domain, 1.8.1)
########################################
## Allow all domains to use other domains file descriptors
gen_tunable(allow_domain_fd_use, true)
# NOTE(review): this tunable defaults to ON. While it is on, the
# tunable_policy block further down grants "allow domain domain:fd use",
# i.e. any domain may use a descriptor inherited from or passed by any
# other domain. Turn it off on hosts where descriptor sharing between
# domains should be denied by default.
## Allow all domains to have the kernel load modules
gen_tunable(domain_kernel_load_modules, false)
# Off by default. When enabled, every domain receives
# kernel_request_load_module(), so any confined process can trigger kernel
# module autoloading. Keep it off unless a concrete need exists.
## Control the ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
gen_tunable(mmap_low_allowed, false)
# Off by default. Note that the memprotect mmap_zero neverallow below is
# keyed to the mmap_low_domain_type attribute, not to this tunable; the
# rules that consume mmap_low_allowed are not part of this section.
# Mark process types as domains
# Transitions only allowed from domains to other domains
# Build-time invariant: a process may only move into a type that carries
# the domain attribute, whether by exec (transition) or by setcon
# (dyntransition). No process can end up running in a non-domain type.
neverallow domain ~domain:process { transition dyntransition };
# Domains that are unconfined
attribute unconfined_domain_type;
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
# memprotect mmap_zero is the permission checked when a process maps below
# mmap_min_addr (see the mmap_low_allowed tunable above). Only domains
# explicitly placed on mmap_low_domain_type may ever be granted it; any
# other allow rule for it makes the policy build fail.
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
# Build-time guard: only domains carrying set_curr_context may be allowed
# process:setcurrent, so the opt-in is explicit and reviewable.
neverallow { domain -set_curr_context } self:process setcurrent;
# entrypoint executables
# widely-inheritable file descriptors
# constraint related attributes
# The numbered attributes below are the subjects/targets referenced by
# the SELinux user and role change constraints (presumably in the policy
# constraints file, not shown here); the bracketed numbers are the
# cross-reference keys used there.
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
# NOTE(review): index [3] is reused here for a second, distinct attribute;
# can_system_change is not the same thing as can_change_object_identity.
attribute can_system_change;
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
# Anything placed on this attribute bypasses the identity/role change
# constraints entirely. Treat every addition as a privilege escalation
# path and keep the set minimal.
attribute process_uncond_exempt; # add userhelperdomain to this one
# Only domain types (plus unlabeled_t) may appear on either side of a
# process-class rule. Both directions are enforced at build time, so a
# stray type can never be a process subject or target.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;
########################################
# Rules applied to all domains
# Baseline every process type receives, however tightly it is otherwise
# confined. Keep this list short: anything added here is granted to the
# whole system at once.
# read /proc/(pid|self) entries
# self here covers the process own /proc/<pid> tree, which is labeled
# with the process domain.
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# Key and debugfs access is silenced (dontaudit), not granted, so the
# default stays deny without flooding the audit log.
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
kernel_dontaudit_search_debugfs(domain)
# create child processes in the domain
# Only fork/getsched/sigchld on self. ptrace, setexec, setcurrent and
# similar stay opt-in per domain (see the neverallows above).
allow domain self:process { fork getsched sigchld };
# Use trusted objects in /dev
term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
# All executables should be able to search the directory they are in
corecmd_search_bin(domain)
# Gated on domain_kernel_load_modules (default off, declared above).
tunable_policy(`domain_kernel_load_modules',`
# Lets any domain ask the kernel to autoload a module. This is a broad
# capability: module autoload reaches kernel code paths that a confined
# process could otherwise not trigger.
kernel_request_load_module(domain)
# Gated on global_ssp: SSP-instrumented binaries read /dev/urandom at
# startup for the stack canary, so every domain needs it once all
# programs are built that way.
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection.
dev_read_urand(domain)
# Dynamic loader and shared-library access every domain needs to run a
# dynamically linked executable.
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
libs_read_lib_files(domain)
# Let every domain use the label translation service (setrans).
setrans_translate_context(domain)
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
# dontaudit only: the inherited xdm descriptors, pipes and log are not
# granted to confined domains, the denials are just kept out of the
# audit log.
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
xserver_dontaudit_append_xdm_home_files(domain)
xserver_dontaudit_write_log(domain)
########################################
# Unconfined access to this module
# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
# Everything in this section is granted to the unconfined_domain_type
# attribute against every domain in the policy. Membership of that
# attribute is the single largest privilege decision in the policy;
# review additions to it accordingly.
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
# D-Bus messaging is only opened between unconfined domains, not to
# every domain.
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
# Act upon any other process.
# The complement grants every process permission except the four listed
# (in the standard process class that includes ptrace, the signal
# permissions and the set* permissions on all domains). Domain
# transitions still have to go through explicit domtrans rules, and the
# exec* memory permissions are deliberately not implied by
# unconfined_domain_type alone.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };
# Presumably the /proc/<pid> entries of every domain (mirrors the self
# rules in the all-domains section): list, read/write files, read links.
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
# Back to rules for all domains: selinuxfs may be stat-ed and searched
# by everyone; reads of it and of the SELinux config are silenced, not
# allowed.
selinux_getattr_fs(domain)
selinux_search_fs(domain)
selinux_dontaudit_read_fs(domain)
seutil_dontaudit_read_config(domain)
# Red Hat specific widening for every domain.
ifdef(`distro_redhat',`
files_search_mnt(domain)
# Lets every domain use descriptors inherited from unconfined processes.
unconfined_use_fds(domain)
# these seem questionable:
# NOTE(review): each interface below is applied to the domain attribute,
# i.e. to every process type in the policy. Apart from rpm_dontaudit_leaks
# these are real grants, not dontaudit rules. Of particular note:
# abrt_domtrans_helper (by its name) gives every domain an automatic
# transition into the abrt helper domain, and the *_append_tmp_files
# calls let every domain append to rpm and sosreport temporary files.
# Anything that should not be reachable from arbitrary confined
# processes does not belong here.
abrt_domtrans_helper(domain)
abrt_read_pid_files(domain)
abrt_read_state(domain)
abrt_stream_connect(domain)
rpm_read_pipes(domain)
rpm_search_log(domain)
rpm_append_tmp_files(domain)
rpm_dontaudit_leaks(domain)
rpm_read_script_tmp_files(domain)
rpm_inherited_fifo(domain)
sosreport_append_tmp_files(domain)
# Gated on allow_domain_fd_use, which is declared above and defaults to
# ON.
tunable_policy(`allow_domain_fd_use',`
# Allow all domains to use fds passed to them
# This is the system-wide descriptor-sharing grant: any domain may use a
# descriptor it inherited from, or was passed by, any other domain.
allow domain domain:fd use;
# cron pipe and job tmp file handling for every domain.
cron_dontaudit_write_system_job_tmp_files(domain)
cron_rw_pipes(domain)
cron_rw_system_job_pipes(domain)
ifdef(`hide_broken_symptoms',`
dontaudit domain self:udp_socket listen;
# NOTE(review): this is an allow, not a dontaudit, even though it sits
# under hide_broken_symptoms. With that build option every domain may
# search and link to the keys of every other domain, which overrides the
# default-deny intent behind the kernel_dontaudit_*_key rules above.
allow domain domain:key { link search };
ifdef(`hide_broken_symptoms',`
afs_rw_udp_sockets(domain)
# Silence, rather than grant, pipe read/write noise against unconfined
# processes for every domain.
unconfined_dontaudit_rw_pipes(domain)
# By its name this one is a grant: every domain may send SIGCHLD to
# unconfined processes.
unconfined_sigchld(domain)
# Key links between object-identity-changing types are silenced, not
# allowed.
dontaudit can_change_object_identity can_change_object_identity:key link;