1 policy_module(domain, 1.9.1)
3 ########################################
9 ## Allow all domains to use other domains file descriptors
13 gen_tunable(allow_domain_fd_use, true)
17 ## Allow all domains to have the kernel load modules
21 gen_tunable(domain_kernel_load_modules, false)
25 ## Control the ability to mmap a low area of the address space,
26 ## as configured by /proc/sys/kernel/mmap_min_addr.
29 gen_tunable(mmap_low_allowed, false)
31 # Mark process types as domains
34 # Transitions only allowed from domains to other domains
35 neverallow domain ~domain:process { transition dyntransition };
37 # Domains that are unconfined
38 attribute unconfined_domain_type;
40 # Domains that can mmap low memory.
41 attribute mmap_low_domain_type;
42 neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
44 # Domains that can set their current context
45 # (perform dynamic transitions)
46 attribute set_curr_context;
48 # enabling setcurrent breaks process tranquility. If you do not
49 # know what this means or do not understand the implications of a
50 # dynamic transition, you should not be using it!!!
51 neverallow { domain -set_curr_context } self:process setcurrent;
53 # entrypoint executables
56 # widely-inheritable file descriptors
60 # constraint related attributes
63 # [1] types that can change SELinux identity on transition
64 attribute can_change_process_identity;
66 # [2] types that can change SELinux role on transition
67 attribute can_change_process_role;
69 # [3] types that can change the SELinux identity on a filesystem
70 # object or a socket object on a create or relabel
71 attribute can_change_object_identity;
73 # [3] types that can change to system_u:system_r
74 attribute can_system_change;
76 # [4] types that have attribute 1 can change the SELinux
77 # identity only if the target domain has this attribute.
78 # Types that have attribute 2 can change the SELinux role
79 # only if the target domain has this attribute.
80 attribute process_user_target;
83 # [5] types used for cron daemons
84 attribute cron_source_domain;
85 # [6] types used for cron jobs
86 attribute cron_job_domain;
88 # [7] types that are unconditionally exempt from
89 # SELinux identity and role change constraints
90 attribute process_uncond_exempt; # add userhelperdomain to this one
92 neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
93 neverallow ~{ domain unlabeled_t } *:process *;
95 ########################################
97 # Rules applied to all domains
100 # read /proc/(pid|self) entries
101 allow domain self:dir list_dir_perms;
102 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
103 allow domain self:file rw_file_perms;
104 kernel_read_proc_symlinks(domain)
105 kernel_read_crypto_sysctls(domain)
107 # Every domain gets the key ring, so we should default
108 # to no one allowed to look at it; afs kernel support creates
110 kernel_dontaudit_search_key(domain)
111 kernel_dontaudit_link_key(domain)
112 kernel_dontaudit_search_debugfs(domain)
114 # create child processes in the domain
115 allow domain self:process { fork getsched sigchld };
117 # Use trusted objects in /dev
118 dev_read_cpu_online(domain)
121 term_use_controlling_term(domain)
123 # list the root directory
124 files_list_root(domain)
125 # allow all domains to search through default_t directory, since users sometimes
126 # place labels within these directories. (samba_share_t) for example.
127 files_search_default(domain)
129 # All executables should be able to search the directory they are in
130 corecmd_search_bin(domain)
132 tunable_policy(`domain_kernel_load_modules',`
133 kernel_request_load_module(domain)
136 tunable_policy(`global_ssp',`
137 # enable reading of urandom for all domains:
138 # this should be enabled when all programs
139 # are compiled with ProPolice/SSP
140 # stack smashing protection.
141 dev_read_urand(domain)
149 libs_use_ld_so(domain)
150 libs_use_shared_libs(domain)
151 libs_read_lib_files(domain)
155 setrans_translate_context(domain)
158 # xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
160 xserver_dontaudit_use_xdm_fds(domain)
161 xserver_dontaudit_rw_xdm_pipes(domain)
162 xserver_dontaudit_append_xdm_home_files(domain)
163 xserver_dontaudit_write_log(domain)
166 ########################################
168 # Unconfined access to this module
171 # unconfined access also allows constraints, but this
172 # is handled in the interface as typeattribute cannot
173 # be used on an attribute.
175 # Use/sendto/connectto sockets created by any domain.
176 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
178 # Use descriptors and pipes created by any domain.
179 allow unconfined_domain_type domain:fd use;
180 allow unconfined_domain_type domain:fifo_file rw_file_perms;
182 allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
184 # Act upon any other process.
185 allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
186 tunable_policy(`deny_ptrace',`',`
187 allow unconfined_domain_type domain:process ptrace;
190 # Create/access any System V IPC objects.
191 allow unconfined_domain_type domain:{ sem msgq shm } *;
192 allow unconfined_domain_type domain:msg { send receive };
195 allow unconfined_domain_type domain:dir list_dir_perms;
196 allow unconfined_domain_type domain:file rw_file_perms;
197 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
199 # act on all domains keys
200 allow unconfined_domain_type domain:key *;
202 dev_filetrans_all_named_dev(unconfined_domain_type)
204 # receive from all domains over labeled networking
205 domain_all_recvfrom_all_domains(unconfined_domain_type)
207 storage_filetrans_all_named_dev(unconfined_domain_type)
209 term_filetrans_all_named_dev(unconfined_domain_type)
212 auth_filetrans_named_content(unconfined_domain_type)
213 auth_filetrans_admin_home_content(unconfined_domain_type)
214 auth_filetrans_home_content(unconfined_domain_type)
218 alsa_filetrans_named_content(unconfined_domain_type)
222 apache_filetrans_home_content(unconfined_domain_type)
226 bootloader_filetrans_config(unconfined_domain_type)
230 gnome_filetrans_admin_home_content(unconfined_domain_type)
234 devicekit_filetrans_named_content(unconfined_domain_type)
238 dnsmasq_filetrans_named_content(unconfined_domain_type)
242 kerberos_filetrans_named_content(unconfined_domain_type)
246 libs_filetrans_named_content(unconfined_domain_type)
250 miscfiles_filetrans_named_content(unconfined_domain_type)
254 mta_filetrans_named_content(unconfined_domain_type)
258 modules_filetrans_named_content(unconfined_domain_type)
262 networkmanager_filetrans_named_content(unconfined_domain_type)
266 nx_filetrans_named_content(unconfined_domain_type)
270 postfix_filetrans_named_content(unconfined_domain_type)
274 pulseaudio_filetrans_home_content(unconfined_domain_type)
275 pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
279 quota_filetrans_named_content(unconfined_domain_type)
283 sysnet_filetrans_named_content(unconfined_domain_type)
287 userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
288 userdom_filetrans_home_content(unconfined_domain_type)
292 virt_filetrans_home_content(unconfined_domain_type)
296 ssh_filetrans_admin_home_content(unconfined_domain_type)
299 selinux_getattr_fs(domain)
300 selinux_search_fs(domain)
301 selinux_dontaudit_read_fs(domain)
304 seutil_dontaudit_read_config(domain)
312 ifdef(`distro_redhat',`
313 files_search_mnt(domain)
315 unconfined_use_fds(domain)
319 # these seem questionable:
322 abrt_domtrans_helper(domain)
323 abrt_read_pid_files(domain)
324 abrt_read_state(domain)
326 abrt_append_cache(domain)
327 abrt_rw_fifo_file(domain)
332 rpm_read_pipes(domain)
333 rpm_search_log(domain)
334 rpm_append_tmp_files(domain)
335 rpm_dontaudit_leaks(domain)
336 rpm_read_script_tmp_files(domain)
337 rpm_inherited_fifo(domain)
341 sosreport_append_tmp_files(domain)
344 tunable_policy(`allow_domain_fd_use',`
345 # Allow all domains to use fds past to them
346 allow domain domain:fd use;
350 cron_dontaudit_write_system_job_tmp_files(domain)
351 cron_rw_pipes(domain)
352 cron_rw_system_job_pipes(domain)
355 ifdef(`hide_broken_symptoms',`
356 dontaudit domain self:udp_socket listen;
357 allow domain domain:key { link search };
358 dontaudit domain domain:socket_class_set { read write };
359 dontaudit domain self:capability sys_module;
363 hal_dontaudit_read_pid_files(domain)
367 ipsec_match_default_spd(domain)
371 ifdef(`hide_broken_symptoms',`
372 afs_rw_udp_sockets(domain)
381 unconfined_dontaudit_rw_pipes(domain)
382 unconfined_sigchld(domain)
386 dontaudit can_change_object_identity can_change_object_identity:key link;
388 ifdef(`distro_redhat',`
390 unconfined_use_fds(domain)
394 # send init a sigchld and signull
400 # these seem questionable:
404 rpm_read_pipes(domain)
408 selinux_dontaudit_getattr_fs(domain)
409 selinux_dontaudit_read_fs(domain)
413 seutil_dontaudit_read_config(domain)
416 dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
417 dontaudit domain self:capability sys_ptrace;