policy_module(domain, 1.9.1)

########################################
#
# Declarations
#
# This module declares the "domain" attribute carried by every process
# type, the attributes consumed by the identity/role constraints, and the
# neverallow assertions that bound what any domain can ever be granted.
#

## <desc>
## <p>
## Allow all domains to use other domains file descriptors
## </p>
## </desc>
#
# Defaults to enabled. The rule it gates (allow domain domain:fd use)
# is in the tunable_policy block later in this module.
gen_tunable(allow_domain_fd_use, true)

## <desc>
## <p>
## Allow all domains to have the kernel load modules
## </p>
## </desc>
#
# Defaults to disabled. When enabled, every domain receives
# kernel_request_load_module(), i.e. the right to ask the kernel to
# autoload a module.
gen_tunable(domain_kernel_load_modules, false)

## <desc>
## <p>
## Control the ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
## </p>
## </desc>
#
# Defaults to disabled. Not referenced anywhere in this file; presumably
# consumed by an interface in domain.if that adds the caller to
# mmap_low_domain_type -- confirm there.
gen_tunable(mmap_low_allowed, false)

# Mark process types as domains
attribute domain;

# Transitions only allowed from domains to other domains.
# Compile-time assertion: any policy that grants transition or
# dyntransition into a non-domain type fails the build.
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined
attribute unconfined_domain_type;

# Domains that can mmap low memory.
# Every other domain is asserted never to get memprotect:mmap_zero on
# itself, so mmap_min_addr cannot be bypassed by a stray allow rule.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
# Assertion: only members of set_curr_context may ever be granted
# process:setcurrent on themselves.
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#
# The bracketed numbers below are presumably the labels used by the
# identity/role change constraints that reference these attributes;
# this file only declares them.
#

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one

# Process-class access is confined to domains (plus unlabeled_t):
# a domain may not act on a non-domain's process object, and a
# non-domain type may not hold any process permission at all.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;
94
########################################
#
# Rules applied to all domains
#
# Everything here is granted to the "domain" attribute, i.e. to every
# process type in the policy. Keep this section minimal: anything added
# is an unconditional grant to all confined domains.
#

# read /proc/(pid|self) entries
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)

# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
# (dontaudit only: the denials are silenced, no access is granted)
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
kernel_dontaudit_search_debugfs(domain)

# create child processes in the domain
allow domain self:process { fork getsched sigchld };

# Use trusted objects in /dev
dev_read_cpu_online(domain)
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)
# allow all domains to search through default_t directory, since users sometimes
# place labels within these directories. (samba_share_t) for example.
files_search_default(domain)

# All executables should be able to search the directory they are in
corecmd_search_bin(domain)

# Off by default (see gen_tunable at the top of this module). Turning it
# on lets any domain trigger kernel module autoloading, which exposes the
# module loader to every confined process.
tunable_policy(`domain_kernel_load_modules',`
	kernel_request_load_module(domain)
')

# global_ssp is declared outside this module.
tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	dev_read_urand(domain)
')

optional_policy(`
	afs_rw_cache(domain)
')

# Dynamic loader and shared libraries; needed by every domain to run.
optional_policy(`
	libs_use_ld_so(domain)
	libs_use_shared_libs(domain)
	libs_read_lib_files(domain)
')

optional_policy(`
	setrans_translate_context(domain)
')

# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
# All four are dontaudit interfaces: they only quiet the log, nothing is allowed.
optional_policy(`
	xserver_dontaudit_use_xdm_fds(domain)
	xserver_dontaudit_rw_xdm_pipes(domain)
	xserver_dontaudit_append_xdm_home_files(domain)
	xserver_dontaudit_write_log(domain)
')
165
########################################
#
# Unconfined access to this module
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
#
# Every rule in this section is granted to unconfined_domain_type over
# *all* domains, so membership in that attribute amounts to control of
# every confined process. Review additions here accordingly.

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

allow unconfined_domain_type unconfined_domain_type:dbus send_msg;

# Act upon any other process.
# All process permissions except the listed ones: transition and
# dyntransition remain subject to the normal per-domain rules, the
# exec* memory permissions are never handed out wholesale, and ptrace
# is split out below so it can be withdrawn with the deny_ptrace boolean.
allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
# Empty "true" branch: ptrace is granted only while deny_ptrace is off.
tunable_policy(`deny_ptrace',`',`
	allow unconfined_domain_type domain:process ptrace;
')

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

# act on all domains keys
allow unconfined_domain_type domain:key *;

dev_filetrans_all_named_dev(unconfined_domain_type)

# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)

storage_filetrans_all_named_dev(unconfined_domain_type)

term_filetrans_all_named_dev(unconfined_domain_type)

# Named file transitions from each module that defines them, presumably
# so that objects an unconfined process creates in shared directories get
# the label the owning module expects instead of the parent directory's
# type. Each is wrapped in optional_policy because the module may be absent.
optional_policy(`
	auth_filetrans_named_content(unconfined_domain_type)
	auth_filetrans_admin_home_content(unconfined_domain_type)
	auth_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	alsa_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	apache_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	bootloader_filetrans_config(unconfined_domain_type)
')

optional_policy(`
	gnome_filetrans_admin_home_content(unconfined_domain_type)
')

optional_policy(`
	devicekit_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	dnsmasq_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	kerberos_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	libs_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	miscfiles_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	mta_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	modules_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	networkmanager_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	nx_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	postfix_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	pulseaudio_filetrans_home_content(unconfined_domain_type)
	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
')

optional_policy(`
	quota_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	sysnet_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
	userdom_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	virt_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	ssh_filetrans_admin_home_content(unconfined_domain_type)
')
298
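selinux_getattr_fs(domain)
selinux_search_fs(domain)
selinux_dontaudit_read_fs(domain)

optional_policy(`
	seutil_dontaudit_read_config(domain)
')

# send init a sigchld and signull
optional_policy(`
	init_sigchld(domain)
	init_signull(domain)
')

ifdef(`distro_redhat',`
	files_search_mnt(domain)
	optional_policy(`
		unconfined_use_fds(domain)
	')
')

# these seem questionable:

optional_policy(`
	abrt_domtrans_helper(domain)
	abrt_read_pid_files(domain)
	abrt_read_state(domain)
	abrt_signull(domain)
	abrt_append_cache(domain)
	abrt_rw_fifo_file(domain)
')

optional_policy(`
	rpm_use_fds(domain)
	rpm_read_pipes(domain)
	rpm_search_log(domain)
	rpm_append_tmp_files(domain)
	rpm_dontaudit_leaks(domain)
	rpm_read_script_tmp_files(domain)
	rpm_inherited_fifo(domain)
')

optional_policy(`
	sosreport_append_tmp_files(domain)
')

# Declared with a default of true at the top of this module. While on,
# any domain may use a file descriptor inherited from or passed by any
# other domain, so fd inheritance is not a confinement boundary.
tunable_policy(`allow_domain_fd_use',`
	# Allow all domains to use fds passed to them
	allow domain domain:fd use;
')

optional_policy(`
	cron_dontaudit_write_system_job_tmp_files(domain)
	cron_rw_pipes(domain)
	cron_rw_system_job_pipes(domain)
')

# Build-time option. Note that the key rule is an allow, not a dontaudit:
# it grants every domain link/search on every other domain's keys, which
# the keyring comment earlier in this module says should be denied.
ifdef(`hide_broken_symptoms',`
	dontaudit domain self:udp_socket listen;
	allow domain domain:key { link search };
	dontaudit domain domain:socket_class_set { read write };
	dontaudit domain self:capability sys_module;
')

optional_policy(`
	hal_dontaudit_read_pid_files(domain)
')

optional_policy(`
	ipsec_match_default_spd(domain)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		afs_rw_udp_sockets(domain)
	')
')

optional_policy(`
	ssh_rw_pipes(domain)
')

optional_policy(`
	unconfined_dontaudit_rw_pipes(domain)
	unconfined_sigchld(domain)
')

# broken kernel
dontaudit can_change_object_identity can_change_object_identity:key link;

# The distro_redhat unconfined_use_fds block, the init_sigchld/init_signull
# block, the rpm_use_fds/rpm_read_pipes block, seutil_dontaudit_read_config
# and selinux_dontaudit_read_fs were each repeated a second time below this
# point; the repeats were identical to the calls above and have been dropped.
# The compiled policy is unchanged, since duplicate rules merge.

optional_policy(`
	selinux_dontaudit_getattr_fs(domain)
')

# Silences the checks made on a domain transition for noatsecure, siginh
# and rlimitinh. A denial of these is the normal, safe default (secure
# exec, inherited signals and rlimits reset); only the log noise goes.
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
# dontaudit only: no domain is granted sys_ptrace here, presumably this
# just hides the probe many programs make on their own /proc entries.
dontaudit domain self:capability sys_ptrace;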