# # Define the constraints # # constrain class_set perm_set expression ; # # expression : ( expression ) # | not expression # | expression and expression # | expression or expression # | u1 op u2 # | r1 role_op r2 # | t1 op t2 # | u1 op names # | u2 op names # | r1 op names # | r2 op names # | t1 op names # | t2 op names # # op : == | != # role_op : == | != | eq | dom | domby | incomp # # names : name | { name_list } # name_list : name | name_list name # define(`basic_ubac_conditions',` ifdef(`enable_ubac',` u1 == u2 or u1 == system_u or u2 == system_u or t1 != ubac_constrained_type or t2 != ubac_constrained_type ') ') define(`basic_ubac_constraint',` ifdef(`enable_ubac',` constrain $1 all_$1_perms ( basic_ubac_conditions ); ') ') define(`exempted_ubac_constraint',` ifdef(`enable_ubac',` constrain $1 all_$1_perms ( basic_ubac_conditions or t1 == $2 ); ') ') ######################################## # # File rules # exempted_ubac_constraint(dir, ubacfile) exempted_ubac_constraint(file, ubacfile) exempted_ubac_constraint(lnk_file, ubacfile) exempted_ubac_constraint(fifo_file, ubacfile) exempted_ubac_constraint(sock_file, ubacfile) exempted_ubac_constraint(chr_file, ubacfile) exempted_ubac_constraint(blk_file, ubacfile) # SELinux object identity change constraint: constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity ); ######################################## # # Process rules # ifdef(`enable_ubac',` constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } ( basic_ubac_conditions or t1 == ubacproc ); ') constrain process { transition noatsecure siginh rlimitinh } ( u1 == u2 or ( t1 == can_change_process_identity and t2 == process_user_target ) or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) or ( t1 == can_system_change and u2 == system_u ) or ( t1 == process_uncond_exempt ) ); constrain process { transition noatsecure siginh rlimitinh } ( r1 == r2 or ( t1 == can_change_process_role and t2 == process_user_target ) or ( t1 == cron_source_domain and t2 == cron_job_domain ) or ( t1 == can_system_change and r2 == system_r ) or ( t1 == process_uncond_exempt ) ); constrain process dyntransition ( u1 == u2 or ( t1 == can_change_process_identity and t2 == process_user_target ) ); constrain process dyntransition ( r1 == r2 or ( t1 == can_change_process_identity and t2 == process_user_target ) ); # These permissions do not have ubac constraints: # fork # setexec # setfscreate # setcurrent # execmem # execstack # execheap # setkeycreate # setsockcreate ######################################## # # File descriptor rules # exempted_ubac_constraint(fd, ubacfd) ######################################## # # Socket rules # exempted_ubac_constraint(socket, ubacsock) exempted_ubac_constraint(tcp_socket, ubacsock) exempted_ubac_constraint(udp_socket, ubacsock) exempted_ubac_constraint(rawip_socket, ubacsock) exempted_ubac_constraint(netlink_socket, ubacsock) exempted_ubac_constraint(packet_socket, ubacsock) exempted_ubac_constraint(key_socket, ubacsock) exempted_ubac_constraint(unix_stream_socket, ubacsock) exempted_ubac_constraint(unix_dgram_socket, ubacsock) exempted_ubac_constraint(netlink_route_socket, ubacsock) exempted_ubac_constraint(netlink_firewall_socket, ubacsock) exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock) exempted_ubac_constraint(netlink_nflog_socket, ubacsock) exempted_ubac_constraint(netlink_xfrm_socket, ubacsock) exempted_ubac_constraint(netlink_selinux_socket, ubacsock) exempted_ubac_constraint(netlink_audit_socket, ubacsock) exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock) exempted_ubac_constraint(netlink_dnrt_socket, ubacsock) exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) exempted_ubac_constraint(appletalk_socket, ubacsock) exempted_ubac_constraint(dccp_socket, ubacsock) exempted_ubac_constraint(tun_socket, ubacsock) constrain socket_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity ); ######################################## # # SysV IPC rules exempted_ubac_constraint(sem, ubacipc) exempted_ubac_constraint(msg, ubacipc) exempted_ubac_constraint(msgq, ubacipc) exempted_ubac_constraint(shm, ubacipc) exempted_ubac_constraint(ipc, ubacipc) ######################################## # # SE-X Windows rules # exempted_ubac_constraint(x_drawable, ubacxwin) exempted_ubac_constraint(x_screen, ubacxwin) exempted_ubac_constraint(x_gc, ubacxwin) exempted_ubac_constraint(x_font, ubacxwin) exempted_ubac_constraint(x_colormap, ubacxwin) exempted_ubac_constraint(x_property, ubacxwin) exempted_ubac_constraint(x_selection, ubacxwin) exempted_ubac_constraint(x_cursor, ubacxwin) exempted_ubac_constraint(x_client, ubacxwin) exempted_ubac_constraint(x_device, ubacxwin) exempted_ubac_constraint(x_server, ubacxwin) exempted_ubac_constraint(x_extension, ubacxwin) exempted_ubac_constraint(x_resource, ubacxwin) exempted_ubac_constraint(x_event, ubacxwin) exempted_ubac_constraint(x_synthetic_event, ubacxwin) exempted_ubac_constraint(x_application_data, ubacxwin) ######################################## # # D-BUS rules # exempted_ubac_constraint(dbus, ubacdbus) ######################################## # # Key rules # exempted_ubac_constraint(key, ubackey) ######################################## # # Database rules # exempted_ubac_constraint(db_database, ubacdb) exempted_ubac_constraint(db_table, ubacdb) exempted_ubac_constraint(db_procedure, ubacdb) exempted_ubac_constraint(db_column, ubacdb) exempted_ubac_constraint(db_tuple, ubacdb) exempted_ubac_constraint(db_blob, ubacdb) basic_ubac_constraint(association) basic_ubac_constraint(peer) # these classes have no UBAC restrictions #class security #class system #class capability #class memprotect #class passwd # userspace #class node #class netif #class packet #class capability2 #class nscd # userspace #class context # userspace undefine(`basic_ubac_constraint') undefine(`basic_ubac_conditions') undefine(`exempted_ubac_constraint')