policy/modules/system/selinuxutil.te

   1
   2 policy_module(selinuxutil, 1.11.2)
   3
   4 gen_require(`
   5         bool secure_mode;
   6 ')
   7
   8 ########################################
   9 #
  10 # Declarations
  11 #
  12
  13 attribute can_write_binary_policy;
  14 attribute can_relabelto_binary_policy;
  15
  16 #
  17 # selinux_config_t is the type applied to
  18 # /etc/selinux/config
  19 #
  20 # cjp: this is out of order due to rules
  21 # in the domain_type interface
  22 # (fix dup decl)
  23 type selinux_config_t;
  24 files_type(selinux_config_t)
  25
  26 type checkpolicy_t, can_write_binary_policy;
  27 type checkpolicy_exec_t;
  28 application_domain(checkpolicy_t, checkpolicy_exec_t)
  29 role system_r types checkpolicy_t;
  30
  31 #
  32 # default_context_t is the type applied to
  33 # /etc/selinux/*/contexts/*
  34 #
  35 type default_context_t;
  36 files_type(default_context_t)
  37
  38 #
  39 # file_context_t is the type applied to
  40 # /etc/selinux/*/contexts/files
  41 #
  42 type file_context_t;
  43 files_type(file_context_t)
  44
  45 type load_policy_t;
  46 type load_policy_exec_t;
  47 application_domain(load_policy_t,load_policy_exec_t)
  48 role system_r types load_policy_t;
  49
  50 type newrole_t;
  51 type newrole_exec_t;
  52 application_domain(newrole_t,newrole_exec_t)
  53 domain_role_change_exemption(newrole_t)
  54 domain_obj_id_change_exemption(newrole_t)
  55 domain_interactive_fd(newrole_t)
  56
  57 #
  58 # policy_config_t is the type of /etc/security/selinux/*
  59 # the security server policy configuration.
  60 #
  61 type policy_config_t;
  62 files_type(policy_config_t)
  63
  64 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
  65 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
  66
  67 #
  68 # policy_src_t is the type of the policy source
  69 # files.
  70 #
  71 type policy_src_t;
  72 files_type(policy_src_t)
  73
  74 type restorecond_t;
  75 type restorecond_exec_t;
  76 init_daemon_domain(restorecond_t,restorecond_exec_t)
  77 domain_obj_id_change_exemption(restorecond_t)
  78 role system_r types restorecond_t;
  79
  80 type restorecond_var_run_t;
  81 files_pid_file(restorecond_var_run_t)
  82
  83 type run_init_t;
  84 type run_init_exec_t;
  85 application_domain(run_init_t,run_init_exec_t)
  86 domain_system_change_exemption(run_init_t)
  87 role system_r types run_init_t;
  88
  89 type semanage_t;
  90 type semanage_exec_t;
  91 application_domain(semanage_t,semanage_exec_t)
  92 domain_interactive_fd(semanage_t)
  93 role system_r types semanage_t;
  94
  95 type semanage_store_t;
  96 files_type(semanage_store_t)
  97
  98 type semanage_read_lock_t;
  99 files_type(semanage_read_lock_t)
 100
 101 type semanage_tmp_t;
 102 files_tmp_file(semanage_tmp_t)
 103
 104 type semanage_trans_lock_t;
 105 files_type(semanage_trans_lock_t)
 106
 107 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
 108 type setfiles_exec_t alias restorecon_exec_t;
 109 init_system_domain(setfiles_t,setfiles_exec_t)
 110 domain_obj_id_change_exemption(setfiles_t)
 111
 112 ########################################
 113 #
 114 # Checkpolicy local policy
 115 #
 116
 117 allow checkpolicy_t self:capability dac_override;
 118
 119 # able to create and modify binary policy files
 120 manage_files_pattern(checkpolicy_t,policy_config_t,policy_config_t)
 121
 122 # allow test policies to be created in src directories
 123 filetrans_add_pattern(checkpolicy_t,policy_src_t,policy_config_t,file)
 124
 125 # only allow read of policy source files
 126 read_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
 127 read_lnk_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
 128 allow checkpolicy_t selinux_config_t:dir search_dir_perms;
 129
 130 domain_use_interactive_fds(checkpolicy_t)
 131
 132 files_list_usr(checkpolicy_t)
 133 # directory search permissions for path to source and binary policy files
 134 files_search_etc(checkpolicy_t)
 135
 136 fs_getattr_xattr_fs(checkpolicy_t)
 137
 138 term_use_console(checkpolicy_t)
 139
 140 init_use_fds(checkpolicy_t)
 141 init_use_script_ptys(checkpolicy_t)
 142
 143 userdom_use_user_terminals(checkpolicy_t)
 144 userdom_use_all_users_fds(checkpolicy_t)
 145
 146 ifdef(`distro_ubuntu',`
 147         optional_policy(`
 148                 unconfined_domain(checkpolicy_t)
 149         ')
 150 ')
 151
 152 ########################################
 153 #
 154 # Load_policy local policy
 155 #
 156
 157 allow load_policy_t self:capability dac_override;
 158
 159 # only allow read of policy config files
 160 read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
 161
 162 domain_use_interactive_fds(load_policy_t)
 163
 164 # for mcs.conf
 165 files_read_etc_files(load_policy_t)
 166 files_read_etc_runtime_files(load_policy_t)
 167
 168 fs_getattr_xattr_fs(load_policy_t)
 169
 170 mls_file_read_all_levels(load_policy_t)
 171
 172 selinux_load_policy(load_policy_t)
 173 selinux_set_boolean(load_policy_t)
 174
 175 term_use_console(load_policy_t)
 176 term_list_ptys(load_policy_t)
 177
 178 init_use_script_fds(load_policy_t)
 179 init_use_script_ptys(load_policy_t)
 180
 181 miscfiles_read_localization(load_policy_t)
 182
 183 seutil_libselinux_linked(load_policy_t)
 184
 185 userdom_use_user_terminals(load_policy_t)
 186 userdom_use_all_users_fds(load_policy_t)
 187
 188 ifdef(`distro_ubuntu',`
 189         optional_policy(`
 190                 unconfined_domain(load_policy_t)
 191         ')
 192 ')
 193
 194 ifdef(`hide_broken_symptoms',`
 195         # cjp: cover up stray file descriptors.
 196         dontaudit load_policy_t selinux_config_t:file write;
 197
 198         optional_policy(`
 199                 unconfined_dontaudit_read_pipes(load_policy_t)
 200         ')
 201 ')
 202
 203 ########################################
 204 #
 205 # Newrole local policy
 206 #
 207
 208 allow newrole_t self:capability { fowner setuid setgid dac_override };
 209 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 210 allow newrole_t self:process setexec;
 211 allow newrole_t self:fd use;
 212 allow newrole_t self:fifo_file rw_fifo_file_perms;
 213 allow newrole_t self:sock_file read_sock_file_perms;
 214 allow newrole_t self:shm create_shm_perms;
 215 allow newrole_t self:sem create_sem_perms;
 216 allow newrole_t self:msgq create_msgq_perms;
 217 allow newrole_t self:msg { send receive };
 218 allow newrole_t self:unix_dgram_socket sendto;
 219 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
 220 allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 221
 222 read_files_pattern(newrole_t,default_context_t,default_context_t)
 223 read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
 224
 225 kernel_read_system_state(newrole_t)
 226 kernel_read_kernel_sysctls(newrole_t)
 227
 228 corecmd_list_bin(newrole_t)
 229 corecmd_read_bin_symlinks(newrole_t)
 230
 231 dev_read_urand(newrole_t)
 232
 233 domain_use_interactive_fds(newrole_t)
 234 # for when the user types "exec newrole" at the command line:
 235 domain_sigchld_interactive_fds(newrole_t)
 236
 237 files_read_etc_files(newrole_t)
 238 files_read_var_files(newrole_t)
 239 files_read_var_symlinks(newrole_t)
 240
 241 fs_getattr_xattr_fs(newrole_t)
 242 fs_search_auto_mountpoints(newrole_t)
 243
 244 mls_file_read_all_levels(newrole_t)
 245 mls_file_write_all_levels(newrole_t)
 246 mls_file_upgrade(newrole_t)
 247 mls_file_downgrade(newrole_t)
 248 mls_process_set_level(newrole_t)
 249 mls_fd_share_all_levels(newrole_t)
 250
 251 selinux_validate_context(newrole_t)
 252 selinux_compute_access_vector(newrole_t)
 253 selinux_compute_create_context(newrole_t)
 254 selinux_compute_relabel_context(newrole_t)
 255 selinux_compute_user_contexts(newrole_t)
 256
 257 term_use_all_user_ttys(newrole_t)
 258 term_use_all_user_ptys(newrole_t)
 259 term_relabel_all_user_ttys(newrole_t)
 260 term_relabel_all_user_ptys(newrole_t)
 261 term_getattr_unallocated_ttys(newrole_t)
 262 term_dontaudit_use_unallocated_ttys(newrole_t)
 263
 264 auth_use_nsswitch(newrole_t)
 265 auth_domtrans_chk_passwd(newrole_t)
 266 auth_domtrans_upd_passwd(newrole_t)
 267 auth_rw_faillog(newrole_t)
 268
 269 # Write to utmp.
 270 init_rw_utmp(newrole_t)
 271 init_use_fds(newrole_t)
 272
 273 logging_send_syslog_msg(newrole_t)
 274
 275 miscfiles_read_localization(newrole_t)
 276
 277 seutil_libselinux_linked(newrole_t)
 278
 279 # for some PAM modules and for cwd
 280 userdom_dontaudit_search_user_home_content(newrole_t)
 281 userdom_search_user_home_dirs(newrole_t)
 282
 283 ifdef(`distro_ubuntu',`
 284         optional_policy(`
 285                 unconfined_domain(newrole_t)
 286         ')
 287 ')
 288
 289 # if secure mode is enabled, then newrole
 290 # can only transition to unprivileged users
 291 if(secure_mode) {
 292         userdom_spec_domtrans_unpriv_users(newrole_t)
 293 } else {
 294         userdom_spec_domtrans_all_users(newrole_t)
 295 }
 296
 297 tunable_policy(`allow_polyinstantiation',`
 298         files_polyinstantiate_all(newrole_t)
 299 ')
 300
 301 ########################################
 302 #
 303 # Restorecond local policy
 304 #
 305
 306 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 307 allow restorecond_t self:fifo_file rw_fifo_file_perms;
 308
 309 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
 310 files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
 311
 312 kernel_use_fds(restorecond_t)
 313 kernel_rw_pipes(restorecond_t)
 314 kernel_read_system_state(restorecond_t)
 315
 316 fs_relabelfrom_noxattr_fs(restorecond_t)
 317 fs_dontaudit_list_nfs(restorecond_t)
 318 fs_getattr_xattr_fs(restorecond_t)
 319 fs_list_inotifyfs(restorecond_t)
 320
 321 selinux_validate_context(restorecond_t)
 322 selinux_compute_access_vector(restorecond_t)
 323 selinux_compute_create_context(restorecond_t)
 324 selinux_compute_relabel_context(restorecond_t)
 325 selinux_compute_user_contexts(restorecond_t)
 326
 327 auth_relabel_all_files_except_shadow(restorecond_t )
 328 auth_read_all_files_except_shadow(restorecond_t)
 329 auth_use_nsswitch(restorecond_t)
 330
 331 locallogin_dontaudit_use_fds(restorecond_t)
 332
 333 logging_send_syslog_msg(restorecond_t)
 334
 335 miscfiles_read_localization(restorecond_t)
 336
 337 seutil_libselinux_linked(restorecond_t)
 338
 339 ifdef(`distro_ubuntu',`
 340         optional_policy(`
 341                 unconfined_domain(restorecond_t)
 342         ')
 343 ')
 344
 345 optional_policy(`
 346         rpm_use_script_fds(restorecond_t)
 347 ')
 348
 349 #################################
 350 #
 351 # Run_init local policy
 352 #
 353
 354 allow run_init_t self:process setexec;
 355 allow run_init_t self:capability setuid;
 356 allow run_init_t self:fifo_file rw_file_perms;
 357 allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 358
 359 # often the administrator runs such programs from a directory that is owned
 360 # by a different user or has restrictive SE permissions, do not want to audit
 361 # the failed access to the current directory
 362 dontaudit run_init_t self:capability { dac_override dac_read_search };
 363
 364 corecmd_exec_bin(run_init_t)
 365 corecmd_exec_shell(run_init_t)
 366
 367 dev_dontaudit_list_all_dev_nodes(run_init_t)
 368
 369 domain_use_interactive_fds(run_init_t)
 370
 371 files_read_etc_files(run_init_t)
 372 files_dontaudit_search_all_dirs(run_init_t)
 373
 374 fs_getattr_xattr_fs(run_init_t)
 375
 376 mls_rangetrans_source(run_init_t)
 377
 378 selinux_validate_context(run_init_t)
 379 selinux_compute_access_vector(run_init_t)
 380 selinux_compute_create_context(run_init_t)
 381 selinux_compute_relabel_context(run_init_t)
 382 selinux_compute_user_contexts(run_init_t)
 383
 384 auth_use_nsswitch(run_init_t)
 385 auth_domtrans_chk_passwd(run_init_t)
 386 auth_domtrans_upd_passwd(run_init_t)
 387 auth_dontaudit_read_shadow(run_init_t)
 388
 389 init_spec_domtrans_script(run_init_t)
 390 # for utmp
 391 init_rw_utmp(run_init_t)
 392
 393 logging_send_syslog_msg(run_init_t)
 394
 395 miscfiles_read_localization(run_init_t)
 396
 397 seutil_libselinux_linked(run_init_t)
 398 seutil_read_default_contexts(run_init_t)
 399
 400 userdom_use_user_terminals(run_init_t)
 401
 402 ifndef(`direct_sysadm_daemon',`
 403         ifdef(`distro_gentoo',`
 404                 # Gentoo integrated run_init:
 405                 init_script_file_entry_type(run_init_t)
 406         ')
 407 ')
 408
 409 ifdef(`distro_ubuntu',`
 410         optional_policy(`
 411                 unconfined_domain(run_init_t)
 412         ')
 413 ')
 414
 415 optional_policy(`
 416         daemontools_domtrans_start(run_init_t)
 417 ')
 418
 419 ########################################
 420 #
 421 # semodule local policy
 422 #
 423
 424 allow semanage_t self:capability { dac_override audit_write };
 425 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 426 allow semanage_t self:unix_dgram_socket create_socket_perms;
 427 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 428
 429 allow semanage_t policy_config_t:file rw_file_perms;
 430
 431 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 432 allow semanage_t semanage_tmp_t:file manage_file_perms;
 433 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 434
 435 kernel_read_system_state(semanage_t)
 436 kernel_read_kernel_sysctls(semanage_t)
 437
 438 corecmd_exec_bin(semanage_t)
 439
 440 dev_read_urand(semanage_t)
 441
 442 domain_use_interactive_fds(semanage_t)
 443
 444 files_read_etc_files(semanage_t)
 445 files_read_etc_runtime_files(semanage_t)
 446 files_read_usr_files(semanage_t)
 447 files_list_pids(semanage_t)
 448
 449 mls_file_write_all_levels(semanage_t)
 450 mls_file_read_all_levels(semanage_t)
 451
 452 selinux_validate_context(semanage_t)
 453 selinux_get_enforce_mode(semanage_t)
 454 selinux_getattr_fs(semanage_t)
 455 # for setsebool:
 456 selinux_set_boolean(semanage_t)
 457
 458 term_use_all_terms(semanage_t)
 459
 460 # Running genhomedircon requires this for finding all users
 461 auth_use_nsswitch(semanage_t)
 462
 463 locallogin_use_fds(semanage_t)
 464
 465 logging_send_syslog_msg(semanage_t)
 466
 467 miscfiles_read_localization(semanage_t)
 468
 469 seutil_libselinux_linked(semanage_t)
 470 seutil_manage_file_contexts(semanage_t)
 471 seutil_manage_config(semanage_t)
 472 seutil_domtrans_setfiles(semanage_t)
 473 seutil_domtrans_loadpolicy(semanage_t)
 474 seutil_manage_bin_policy(semanage_t)
 475 seutil_use_newrole_fds(semanage_t)
 476 seutil_manage_module_store(semanage_t)
 477 seutil_get_semanage_trans_lock(semanage_t)
 478 seutil_get_semanage_read_lock(semanage_t)
 479 # netfilter_contexts:
 480 seutil_manage_default_contexts(semanage_t)
 481
 482 ifdef(`distro_debian',`
 483         files_read_var_lib_files(semanage_t)
 484         files_read_var_lib_symlinks(semanage_t)
 485 ')
 486
 487 ifdef(`distro_ubuntu',`
 488         optional_policy(`
 489                 unconfined_domain(semanage_t)
 490         ')
 491 ')
 492
 493 # cjp: need a more general way to handle this:
 494 ifdef(`enable_mls',`
 495         # read secadm tmp files
 496 ',`
 497         # Handle pp files created in homedir and /tmp
 498         userdom_read_user_home_content_files(semanage_t)
 499         userdom_read_user_tmp_files(semanage_t)
 500 ')
 501
 502 ########################################
 503 #
 504 # Setfiles local policy
 505 #
 506
 507 allow setfiles_t self:capability { dac_override dac_read_search fowner };
 508 dontaudit setfiles_t self:capability sys_tty_config;
 509 allow setfiles_t self:fifo_file rw_file_perms;
 510
 511 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
 512 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
 513 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 514
 515 kernel_read_system_state(setfiles_t)
 516 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 517 kernel_relabelfrom_unlabeled_files(setfiles_t)
 518 kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
 519 kernel_relabelfrom_unlabeled_pipes(setfiles_t)
 520 kernel_relabelfrom_unlabeled_sockets(setfiles_t)
 521 kernel_use_fds(setfiles_t)
 522 kernel_rw_pipes(setfiles_t)
 523 kernel_rw_unix_dgram_sockets(setfiles_t)
 524 kernel_dontaudit_list_all_proc(setfiles_t)
 525 kernel_dontaudit_list_all_sysctls(setfiles_t)
 526
 527 dev_relabel_all_dev_nodes(setfiles_t)
 528
 529 domain_use_interactive_fds(setfiles_t)
 530 domain_dontaudit_search_all_domains_state(setfiles_t)
 531
 532 files_read_etc_runtime_files(setfiles_t)
 533 files_read_etc_files(setfiles_t)
 534 files_list_all(setfiles_t)
 535 files_relabel_all_files(setfiles_t)
 536
 537 fs_getattr_xattr_fs(setfiles_t)
 538 fs_list_all(setfiles_t)
 539 fs_search_auto_mountpoints(setfiles_t)
 540 fs_relabelfrom_noxattr_fs(setfiles_t)
 541
 542 mls_file_read_all_levels(setfiles_t)
 543 mls_file_write_all_levels(setfiles_t)
 544 mls_file_upgrade(setfiles_t)
 545 mls_file_downgrade(setfiles_t)
 546
 547 selinux_validate_context(setfiles_t)
 548 selinux_compute_access_vector(setfiles_t)
 549 selinux_compute_create_context(setfiles_t)
 550 selinux_compute_relabel_context(setfiles_t)
 551 selinux_compute_user_contexts(setfiles_t)
 552
 553 term_use_all_user_ttys(setfiles_t)
 554 term_use_all_user_ptys(setfiles_t)
 555 term_use_unallocated_ttys(setfiles_t)
 556
 557 # this is to satisfy the assertion:
 558 auth_relabelto_shadow(setfiles_t)
 559
 560 init_use_fds(setfiles_t)
 561 init_use_script_fds(setfiles_t)
 562 init_use_script_ptys(setfiles_t)
 563 init_exec_script_files(setfiles_t)
 564
 565 logging_send_syslog_msg(setfiles_t)
 566
 567 miscfiles_read_localization(setfiles_t)
 568
 569 seutil_libselinux_linked(setfiles_t)
 570
 571 userdom_use_all_users_fds(setfiles_t)
 572 # for config files in a home directory
 573 userdom_read_user_home_content_files(setfiles_t)
 574
 575 ifdef(`distro_debian',`
 576         # udev tmpfs is populated with static device nodes
 577         # and then relabeled afterwards; thus
 578         # /dev/console has the tmpfs type
 579         fs_rw_tmpfs_chr_files(setfiles_t)
 580 ')
 581
 582 ifdef(`distro_redhat', `
 583         fs_rw_tmpfs_chr_files(setfiles_t)
 584         fs_rw_tmpfs_blk_files(setfiles_t)
 585         fs_relabel_tmpfs_blk_file(setfiles_t)
 586         fs_relabel_tmpfs_chr_file(setfiles_t)
 587 ')
 588
 589 ifdef(`distro_ubuntu',`
 590         optional_policy(`
 591                 unconfined_domain(setfiles_t)
 592         ')
 593 ')
 594
 595 ifdef(`hide_broken_symptoms',`
 596         optional_policy(`
 597                 udev_dontaudit_rw_dgram_sockets(setfiles_t)
 598         ')
 599
 600         # cjp: cover up stray file descriptors.
 601         optional_policy(`
 602                 unconfined_dontaudit_read_pipes(setfiles_t)
 603                 unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
 604         ')
 605 ')
 606
 607 optional_policy(`
 608         hotplug_use_fds(setfiles_t)
 609 ')