]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/kernel/domain.te
projects / people / stevee / selinux-policy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
[people/stevee/selinux-policy.git] / policy / modules / kernel / domain.te
1 policy_module(domain, 1.8.1)
2
3 ########################################
4 #
5 # Declarations
6 #
7 ## <desc>
8 ## <p>
9 ## Allow all domains to use other domains file descriptors
10 ## </p>
11 ## </desc>
12 #
13 gen_tunable(allow_domain_fd_use, true)
14
15 ## <desc>
16 ## <p>
17 ## Allow all domains to have the kernel load modules
18 ## </p>
19 ## </desc>
20 #
21 gen_tunable(domain_kernel_load_modules, false)
22
23 ## <desc>
24 ## <p>
25 ## Control the ability to mmap a low area of the address space,
26 ## as configured by /proc/sys/kernel/mmap_min_addr.
27 ## </p>
28 ## </desc>
29 gen_tunable(mmap_low_allowed, false)
30
31 # Mark process types as domains
32 attribute domain;
33
34 # Transitions only allowed from domains to other domains
35 neverallow domain ~domain:process { transition dyntransition };
36
37 # Domains that are unconfined
38 attribute unconfined_domain_type;
39
40 # Domains that can mmap low memory.
41 attribute mmap_low_domain_type;
42 neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
43
44 # Domains that can set their current context
45 # (perform dynamic transitions)
46 attribute set_curr_context;
47
48 # enabling setcurrent breaks process tranquility. If you do not
49 # know what this means or do not understand the implications of a
50 # dynamic transition, you should not be using it!!!
51 neverallow { domain -set_curr_context } self:process setcurrent;
52
53 # entrypoint executables
54 attribute entry_type;
55
56 # widely-inheritable file descriptors
57 attribute privfd;
58
59 #
60 # constraint related attributes
61 #
62
63 # [1] types that can change SELinux identity on transition
64 attribute can_change_process_identity;
65
66 # [2] types that can change SELinux role on transition
67 attribute can_change_process_role;
68
69 # [3] types that can change the SELinux identity on a filesystem
70 # object or a socket object on a create or relabel
71 attribute can_change_object_identity;
72
73 # [3] types that can change to system_u:system_r
74 attribute can_system_change;
75
76 # [4] types that have attribute 1 can change the SELinux
77 # identity only if the target domain has this attribute.
78 # Types that have attribute 2 can change the SELinux role
79 # only if the target domain has this attribute.
80 attribute process_user_target;
81
82 # For cron jobs
83 # [5] types used for cron daemons
84 attribute cron_source_domain;
85 # [6] types used for cron jobs
86 attribute cron_job_domain;
87
88 # [7] types that are unconditionally exempt from
89 # SELinux identity and role change constraints
90 attribute process_uncond_exempt; # add userhelperdomain to this one
91
92 neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
93 neverallow ~{ domain unlabeled_t } *:process *;
94
95 ########################################
96 #
97 # Rules applied to all domains
98 #
99
100 # read /proc/(pid|self) entries
101 allow domain self:dir list_dir_perms;
102 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
103 allow domain self:file rw_file_perms;
104 kernel_read_proc_symlinks(domain)
105 kernel_read_crypto_sysctls(domain)
106
107 # Every domain gets the key ring, so we should default
108 # to no one allowed to look at it; afs kernel support creates
109 # a keyring
110 kernel_dontaudit_search_key(domain)
111 kernel_dontaudit_link_key(domain)
112 kernel_dontaudit_search_debugfs(domain)
113
114 # create child processes in the domain
115 allow domain self:process { fork getsched sigchld };
116
117 # Use trusted objects in /dev
118 dev_rw_null(domain)
119 dev_rw_zero(domain)
120 term_use_controlling_term(domain)
121
122 # list the root directory
123 files_list_root(domain)
124
125 # All executables should be able to search the directory they are in
126 corecmd_search_bin(domain)
127
128 tunable_policy(`domain_kernel_load_modules',`
129 kernel_request_load_module(domain)
130 ')
131
132 tunable_policy(`global_ssp',`
133 # enable reading of urandom for all domains:
134 # this should be enabled when all programs
135 # are compiled with ProPolice/SSP
136 # stack smashing protection.
137 dev_read_urand(domain)
138 ')
139
140 optional_policy(`
141 afs_rw_cache(domain)
142 ')
143
144 optional_policy(`
145 libs_use_ld_so(domain)
146 libs_use_shared_libs(domain)
147 libs_read_lib_files(domain)
148 ')
149
150 optional_policy(`
151 setrans_translate_context(domain)
152 ')
153
154 # xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
155 optional_policy(`
156 xserver_dontaudit_use_xdm_fds(domain)
157 xserver_dontaudit_rw_xdm_pipes(domain)
158 xserver_dontaudit_append_xdm_home_files(domain)
159 xserver_dontaudit_write_log(domain)
160 ')
161
162 ########################################
163 #
164 # Unconfined access to this module
165 #
166
167 # unconfined access also allows constraints, but this
168 # is handled in the interface as typeattribute cannot
169 # be used on an attribute.
170
171 # Use/sendto/connectto sockets created by any domain.
172 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
173
174 # Use descriptors and pipes created by any domain.
175 allow unconfined_domain_type domain:fd use;
176 allow unconfined_domain_type domain:fifo_file rw_file_perms;
177
178 allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
179
180 # Act upon any other process.
181 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
182
183 # Create/access any System V IPC objects.
184 allow unconfined_domain_type domain:{ sem msgq shm } *;
185 allow unconfined_domain_type domain:msg { send receive };
186
187 # For /proc/pid
188 allow unconfined_domain_type domain:dir list_dir_perms;
189 allow unconfined_domain_type domain:file rw_file_perms;
190 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
191
192 # act on all domains keys
193 allow unconfined_domain_type domain:key *;
194
195 # receive from all domains over labeled networking
196 domain_all_recvfrom_all_domains(unconfined_domain_type)
197
198 selinux_getattr_fs(domain)
199 selinux_search_fs(domain)
200 selinux_dontaudit_read_fs(domain)
201
202 seutil_dontaudit_read_config(domain)
203
204 init_sigchld(domain)
205 init_signull(domain)
206
207 ifdef(`distro_redhat',`
208 files_search_mnt(domain)
209 optional_policy(`
210 unconfined_use_fds(domain)
211 ')
212 ')
213
214 # these seem questionable:
215
216 optional_policy(`
217 abrt_domtrans_helper(domain)
218 abrt_read_pid_files(domain)
219 abrt_read_state(domain)
220 abrt_signull(domain)
221 abrt_stream_connect(domain)
222 ')
223
224 optional_policy(`
225 rpm_use_fds(domain)
226 rpm_read_pipes(domain)
227 rpm_search_log(domain)
228 rpm_append_tmp_files(domain)
229 rpm_dontaudit_leaks(domain)
230 rpm_read_script_tmp_files(domain)
231 rpm_inherited_fifo(domain)
232 ')
233
234 optional_policy(`
235 sosreport_append_tmp_files(domain)
236 ')
237
238 tunable_policy(`allow_domain_fd_use',`
239 # Allow all domains to use fds past to them
240 allow domain domain:fd use;
241 ')
242
243 optional_policy(`
244 cron_dontaudit_write_system_job_tmp_files(domain)
245 cron_rw_pipes(domain)
246 cron_rw_system_job_pipes(domain)
247 ')
248
249 ifdef(`hide_broken_symptoms',`
250 dontaudit domain self:udp_socket listen;
251 allow domain domain:key { link search };
252 ')
253
254 optional_policy(`
255 ifdef(`hide_broken_symptoms',`
256 afs_rw_udp_sockets(domain)
257 ')
258 ')
259
260 optional_policy(`
261 ssh_rw_pipes(domain)
262 ')
263
264 optional_policy(`
265 unconfined_dontaudit_rw_pipes(domain)
266 unconfined_sigchld(domain)
267 ')
268
269 # broken kernel
270 dontaudit can_change_object_identity can_change_object_identity:key link;
The IPFire selinux policy.