2 policy_module(selinuxutil, 1.11.2)
8 ########################################
13 attribute can_write_binary_policy;
14 attribute can_relabelto_binary_policy;
17 # selinux_config_t is the type applied to
20 # cjp: this is out of order due to rules
21 # in the domain_type interface
23 type selinux_config_t;
24 files_type(selinux_config_t)
26 type checkpolicy_t, can_write_binary_policy;
27 type checkpolicy_exec_t;
28 application_domain(checkpolicy_t, checkpolicy_exec_t)
29 role system_r types checkpolicy_t;
32 # default_context_t is the type applied to
33 # /etc/selinux/*/contexts/*
35 type default_context_t;
36 files_type(default_context_t)
39 # file_context_t is the type applied to
40 # /etc/selinux/*/contexts/files
43 files_type(file_context_t)
46 type load_policy_exec_t;
47 application_domain(load_policy_t,load_policy_exec_t)
48 role system_r types load_policy_t;
52 application_domain(newrole_t,newrole_exec_t)
53 domain_role_change_exemption(newrole_t)
54 domain_obj_id_change_exemption(newrole_t)
55 domain_interactive_fd(newrole_t)
58 # policy_config_t is the type of /etc/security/selinux/*
59 # the security server policy configuration.
62 files_type(policy_config_t)
64 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
65 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
68 # policy_src_t is the type of the policy source
72 files_type(policy_src_t)
75 type restorecond_exec_t;
76 init_daemon_domain(restorecond_t,restorecond_exec_t)
77 domain_obj_id_change_exemption(restorecond_t)
78 role system_r types restorecond_t;
80 type restorecond_var_run_t;
81 files_pid_file(restorecond_var_run_t)
85 application_domain(run_init_t,run_init_exec_t)
86 domain_system_change_exemption(run_init_t)
87 role system_r types run_init_t;
91 application_domain(semanage_t,semanage_exec_t)
92 domain_interactive_fd(semanage_t)
93 role system_r types semanage_t;
95 type semanage_store_t;
96 files_type(semanage_store_t)
98 type semanage_read_lock_t;
99 files_type(semanage_read_lock_t)
102 files_tmp_file(semanage_tmp_t)
104 type semanage_trans_lock_t;
105 files_type(semanage_trans_lock_t)
107 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
108 type setfiles_exec_t alias restorecon_exec_t;
109 init_system_domain(setfiles_t,setfiles_exec_t)
110 domain_obj_id_change_exemption(setfiles_t)
112 ########################################
114 # Checkpolicy local policy
117 allow checkpolicy_t self:capability dac_override;
119 # able to create and modify binary policy files
120 manage_files_pattern(checkpolicy_t,policy_config_t,policy_config_t)
122 # allow test policies to be created in src directories
123 filetrans_add_pattern(checkpolicy_t,policy_src_t,policy_config_t,file)
125 # only allow read of policy source files
126 read_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
127 read_lnk_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
128 allow checkpolicy_t selinux_config_t:dir search_dir_perms;
130 domain_use_interactive_fds(checkpolicy_t)
132 files_list_usr(checkpolicy_t)
133 # directory search permissions for path to source and binary policy files
134 files_search_etc(checkpolicy_t)
136 fs_getattr_xattr_fs(checkpolicy_t)
138 term_use_console(checkpolicy_t)
140 init_use_fds(checkpolicy_t)
141 init_use_script_ptys(checkpolicy_t)
143 userdom_use_user_terminals(checkpolicy_t)
144 userdom_use_all_users_fds(checkpolicy_t)
146 ifdef(`distro_ubuntu',`
148 unconfined_domain(checkpolicy_t)
152 ########################################
154 # Load_policy local policy
157 allow load_policy_t self:capability dac_override;
159 # only allow read of policy config files
160 read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
162 domain_use_interactive_fds(load_policy_t)
165 files_read_etc_files(load_policy_t)
166 files_read_etc_runtime_files(load_policy_t)
168 fs_getattr_xattr_fs(load_policy_t)
170 mls_file_read_all_levels(load_policy_t)
172 selinux_load_policy(load_policy_t)
173 selinux_set_boolean(load_policy_t)
175 term_use_console(load_policy_t)
176 term_list_ptys(load_policy_t)
178 init_use_script_fds(load_policy_t)
179 init_use_script_ptys(load_policy_t)
181 miscfiles_read_localization(load_policy_t)
183 seutil_libselinux_linked(load_policy_t)
185 userdom_use_user_terminals(load_policy_t)
186 userdom_use_all_users_fds(load_policy_t)
188 ifdef(`distro_ubuntu',`
190 unconfined_domain(load_policy_t)
194 ifdef(`hide_broken_symptoms',`
195 # cjp: cover up stray file descriptors.
196 dontaudit load_policy_t selinux_config_t:file write;
199 unconfined_dontaudit_read_pipes(load_policy_t)
203 ########################################
205 # Newrole local policy
208 allow newrole_t self:capability { fowner setuid setgid dac_override };
209 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
210 allow newrole_t self:process setexec;
211 allow newrole_t self:fd use;
212 allow newrole_t self:fifo_file rw_fifo_file_perms;
213 allow newrole_t self:sock_file read_sock_file_perms;
214 allow newrole_t self:shm create_shm_perms;
215 allow newrole_t self:sem create_sem_perms;
216 allow newrole_t self:msgq create_msgq_perms;
217 allow newrole_t self:msg { send receive };
218 allow newrole_t self:unix_dgram_socket sendto;
219 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
220 allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
222 read_files_pattern(newrole_t,default_context_t,default_context_t)
223 read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
225 kernel_read_system_state(newrole_t)
226 kernel_read_kernel_sysctls(newrole_t)
228 corecmd_list_bin(newrole_t)
229 corecmd_read_bin_symlinks(newrole_t)
231 dev_read_urand(newrole_t)
233 domain_use_interactive_fds(newrole_t)
234 # for when the user types "exec newrole" at the command line:
235 domain_sigchld_interactive_fds(newrole_t)
237 files_read_etc_files(newrole_t)
238 files_read_var_files(newrole_t)
239 files_read_var_symlinks(newrole_t)
241 fs_getattr_xattr_fs(newrole_t)
242 fs_search_auto_mountpoints(newrole_t)
244 mls_file_read_all_levels(newrole_t)
245 mls_file_write_all_levels(newrole_t)
246 mls_file_upgrade(newrole_t)
247 mls_file_downgrade(newrole_t)
248 mls_process_set_level(newrole_t)
249 mls_fd_share_all_levels(newrole_t)
251 selinux_validate_context(newrole_t)
252 selinux_compute_access_vector(newrole_t)
253 selinux_compute_create_context(newrole_t)
254 selinux_compute_relabel_context(newrole_t)
255 selinux_compute_user_contexts(newrole_t)
257 term_use_all_user_ttys(newrole_t)
258 term_use_all_user_ptys(newrole_t)
259 term_relabel_all_user_ttys(newrole_t)
260 term_relabel_all_user_ptys(newrole_t)
261 term_getattr_unallocated_ttys(newrole_t)
262 term_dontaudit_use_unallocated_ttys(newrole_t)
264 auth_use_nsswitch(newrole_t)
265 auth_domtrans_chk_passwd(newrole_t)
266 auth_domtrans_upd_passwd(newrole_t)
267 auth_rw_faillog(newrole_t)
270 init_rw_utmp(newrole_t)
271 init_use_fds(newrole_t)
273 logging_send_syslog_msg(newrole_t)
275 miscfiles_read_localization(newrole_t)
277 seutil_libselinux_linked(newrole_t)
279 # for some PAM modules and for cwd
280 userdom_dontaudit_search_user_home_content(newrole_t)
281 userdom_search_user_home_dirs(newrole_t)
283 ifdef(`distro_ubuntu',`
285 unconfined_domain(newrole_t)
289 # if secure mode is enabled, then newrole
290 # can only transition to unprivileged users
292 userdom_spec_domtrans_unpriv_users(newrole_t)
294 userdom_spec_domtrans_all_users(newrole_t)
297 tunable_policy(`allow_polyinstantiation',`
298 files_polyinstantiate_all(newrole_t)
301 ########################################
303 # Restorecond local policy
306 allow restorecond_t self:capability { dac_override dac_read_search fowner };
307 allow restorecond_t self:fifo_file rw_fifo_file_perms;
309 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
310 files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
312 kernel_use_fds(restorecond_t)
313 kernel_rw_pipes(restorecond_t)
314 kernel_read_system_state(restorecond_t)
316 fs_relabelfrom_noxattr_fs(restorecond_t)
317 fs_dontaudit_list_nfs(restorecond_t)
318 fs_getattr_xattr_fs(restorecond_t)
319 fs_list_inotifyfs(restorecond_t)
321 selinux_validate_context(restorecond_t)
322 selinux_compute_access_vector(restorecond_t)
323 selinux_compute_create_context(restorecond_t)
324 selinux_compute_relabel_context(restorecond_t)
325 selinux_compute_user_contexts(restorecond_t)
327 auth_relabel_all_files_except_shadow(restorecond_t )
328 auth_read_all_files_except_shadow(restorecond_t)
329 auth_use_nsswitch(restorecond_t)
331 locallogin_dontaudit_use_fds(restorecond_t)
333 logging_send_syslog_msg(restorecond_t)
335 miscfiles_read_localization(restorecond_t)
337 seutil_libselinux_linked(restorecond_t)
339 ifdef(`distro_ubuntu',`
341 unconfined_domain(restorecond_t)
346 rpm_use_script_fds(restorecond_t)
349 #################################
351 # Run_init local policy
354 allow run_init_t self:process setexec;
355 allow run_init_t self:capability setuid;
356 allow run_init_t self:fifo_file rw_file_perms;
357 allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
359 # often the administrator runs such programs from a directory that is owned
360 # by a different user or has restrictive SE permissions, do not want to audit
361 # the failed access to the current directory
362 dontaudit run_init_t self:capability { dac_override dac_read_search };
364 corecmd_exec_bin(run_init_t)
365 corecmd_exec_shell(run_init_t)
367 dev_dontaudit_list_all_dev_nodes(run_init_t)
369 domain_use_interactive_fds(run_init_t)
371 files_read_etc_files(run_init_t)
372 files_dontaudit_search_all_dirs(run_init_t)
374 fs_getattr_xattr_fs(run_init_t)
376 mls_rangetrans_source(run_init_t)
378 selinux_validate_context(run_init_t)
379 selinux_compute_access_vector(run_init_t)
380 selinux_compute_create_context(run_init_t)
381 selinux_compute_relabel_context(run_init_t)
382 selinux_compute_user_contexts(run_init_t)
384 auth_use_nsswitch(run_init_t)
385 auth_domtrans_chk_passwd(run_init_t)
386 auth_domtrans_upd_passwd(run_init_t)
387 auth_dontaudit_read_shadow(run_init_t)
389 init_spec_domtrans_script(run_init_t)
391 init_rw_utmp(run_init_t)
393 logging_send_syslog_msg(run_init_t)
395 miscfiles_read_localization(run_init_t)
397 seutil_libselinux_linked(run_init_t)
398 seutil_read_default_contexts(run_init_t)
400 userdom_use_user_terminals(run_init_t)
402 ifndef(`direct_sysadm_daemon',`
403 ifdef(`distro_gentoo',`
404 # Gentoo integrated run_init:
405 init_script_file_entry_type(run_init_t)
409 ifdef(`distro_ubuntu',`
411 unconfined_domain(run_init_t)
416 daemontools_domtrans_start(run_init_t)
419 ########################################
421 # semodule local policy
424 allow semanage_t self:capability { dac_override audit_write };
425 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
426 allow semanage_t self:unix_dgram_socket create_socket_perms;
427 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
429 allow semanage_t policy_config_t:file rw_file_perms;
431 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
432 allow semanage_t semanage_tmp_t:file manage_file_perms;
433 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
435 kernel_read_system_state(semanage_t)
436 kernel_read_kernel_sysctls(semanage_t)
438 corecmd_exec_bin(semanage_t)
440 dev_read_urand(semanage_t)
442 domain_use_interactive_fds(semanage_t)
444 files_read_etc_files(semanage_t)
445 files_read_etc_runtime_files(semanage_t)
446 files_read_usr_files(semanage_t)
447 files_list_pids(semanage_t)
449 mls_file_write_all_levels(semanage_t)
450 mls_file_read_all_levels(semanage_t)
452 selinux_validate_context(semanage_t)
453 selinux_get_enforce_mode(semanage_t)
454 selinux_getattr_fs(semanage_t)
456 selinux_set_boolean(semanage_t)
458 term_use_all_terms(semanage_t)
460 # Running genhomedircon requires this for finding all users
461 auth_use_nsswitch(semanage_t)
463 locallogin_use_fds(semanage_t)
465 logging_send_syslog_msg(semanage_t)
467 miscfiles_read_localization(semanage_t)
469 seutil_libselinux_linked(semanage_t)
470 seutil_manage_file_contexts(semanage_t)
471 seutil_manage_config(semanage_t)
472 seutil_domtrans_setfiles(semanage_t)
473 seutil_domtrans_loadpolicy(semanage_t)
474 seutil_manage_bin_policy(semanage_t)
475 seutil_use_newrole_fds(semanage_t)
476 seutil_manage_module_store(semanage_t)
477 seutil_get_semanage_trans_lock(semanage_t)
478 seutil_get_semanage_read_lock(semanage_t)
479 # netfilter_contexts:
480 seutil_manage_default_contexts(semanage_t)
482 ifdef(`distro_debian',`
483 files_read_var_lib_files(semanage_t)
484 files_read_var_lib_symlinks(semanage_t)
487 ifdef(`distro_ubuntu',`
489 unconfined_domain(semanage_t)
493 # cjp: need a more general way to handle this:
495 # read secadm tmp files
497 # Handle pp files created in homedir and /tmp
498 userdom_read_user_home_content_files(semanage_t)
499 userdom_read_user_tmp_files(semanage_t)
502 ########################################
504 # Setfiles local policy
507 allow setfiles_t self:capability { dac_override dac_read_search fowner };
508 dontaudit setfiles_t self:capability sys_tty_config;
509 allow setfiles_t self:fifo_file rw_file_perms;
511 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
512 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
513 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
515 kernel_read_system_state(setfiles_t)
516 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
517 kernel_relabelfrom_unlabeled_files(setfiles_t)
518 kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
519 kernel_relabelfrom_unlabeled_pipes(setfiles_t)
520 kernel_relabelfrom_unlabeled_sockets(setfiles_t)
521 kernel_use_fds(setfiles_t)
522 kernel_rw_pipes(setfiles_t)
523 kernel_rw_unix_dgram_sockets(setfiles_t)
524 kernel_dontaudit_list_all_proc(setfiles_t)
525 kernel_dontaudit_list_all_sysctls(setfiles_t)
527 dev_relabel_all_dev_nodes(setfiles_t)
529 domain_use_interactive_fds(setfiles_t)
530 domain_dontaudit_search_all_domains_state(setfiles_t)
532 files_read_etc_runtime_files(setfiles_t)
533 files_read_etc_files(setfiles_t)
534 files_list_all(setfiles_t)
535 files_relabel_all_files(setfiles_t)
537 fs_getattr_xattr_fs(setfiles_t)
538 fs_list_all(setfiles_t)
539 fs_search_auto_mountpoints(setfiles_t)
540 fs_relabelfrom_noxattr_fs(setfiles_t)
542 mls_file_read_all_levels(setfiles_t)
543 mls_file_write_all_levels(setfiles_t)
544 mls_file_upgrade(setfiles_t)
545 mls_file_downgrade(setfiles_t)
547 selinux_validate_context(setfiles_t)
548 selinux_compute_access_vector(setfiles_t)
549 selinux_compute_create_context(setfiles_t)
550 selinux_compute_relabel_context(setfiles_t)
551 selinux_compute_user_contexts(setfiles_t)
553 term_use_all_user_ttys(setfiles_t)
554 term_use_all_user_ptys(setfiles_t)
555 term_use_unallocated_ttys(setfiles_t)
557 # this is to satisfy the assertion:
558 auth_relabelto_shadow(setfiles_t)
560 init_use_fds(setfiles_t)
561 init_use_script_fds(setfiles_t)
562 init_use_script_ptys(setfiles_t)
563 init_exec_script_files(setfiles_t)
565 logging_send_syslog_msg(setfiles_t)
567 miscfiles_read_localization(setfiles_t)
569 seutil_libselinux_linked(setfiles_t)
571 userdom_use_all_users_fds(setfiles_t)
572 # for config files in a home directory
573 userdom_read_user_home_content_files(setfiles_t)
575 ifdef(`distro_debian',`
576 # udev tmpfs is populated with static device nodes
577 # and then relabeled afterwards; thus
578 # /dev/console has the tmpfs type
579 fs_rw_tmpfs_chr_files(setfiles_t)
582 ifdef(`distro_redhat', `
583 fs_rw_tmpfs_chr_files(setfiles_t)
584 fs_rw_tmpfs_blk_files(setfiles_t)
585 fs_relabel_tmpfs_blk_file(setfiles_t)
586 fs_relabel_tmpfs_chr_file(setfiles_t)
589 ifdef(`distro_ubuntu',`
591 unconfined_domain(setfiles_t)
595 ifdef(`hide_broken_symptoms',`
597 udev_dontaudit_rw_dgram_sockets(setfiles_t)
600 # cjp: cover up stray file descriptors.
602 unconfined_dontaudit_read_pipes(setfiles_t)
603 unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
608 hotplug_use_fds(setfiles_t)