##############################

#

# Assertions for the type enforcement (TE) configuration.

#

#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  

#

##################################

#

# Access vector assertions.

#

# An access vector assertion specifies permissions that should not be in

# an access vector based on a source type, a target type, and a class.

# If any of the specified permissions are in the corresponding access

# vector, then the policy compiler will reject the policy configuration.

# Currently, there is only one kind of access vector assertion, neverallow, 

# but support for the other kinds of vectors could be easily added.  Access 

# vector assertions use the same syntax as access vector rules.

#

#

# Verify that every type that can be entered by

# a domain is also tagged as a domain.

#

neverallow domain ~domain:process { transition dyntransition };

#

# Verify that only the insmod_t and kernel_t domains 

# have the sys_module capability.

#

neverallow {domain -privsysmod -unrestricted } self:capability sys_module;

#

# Verify that executable types, the system dynamic loaders, and the

# system shared libraries can only be modified by administrators.

#

neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };

neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;

#

# Verify that only appropriate domains can access /etc/shadow

neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;

neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;

#

# Verify that only appropriate domains can write to /etc (IE mess with

# /etc/passwd)

neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;

neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;

neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };

#

# Verify that other system software can only be modified by administrators.

#

neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };

neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };

#

# Verify that only certain domains have access to the raw disk devices.

#

neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };

#

# Verify that only the X server and klogd have access to memory devices.

#

neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };

#

# Verify that only domains with the privlog attribute can actually syslog

#

neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };

#

# Verify that /proc/kmsg is only accessible to klogd.

#

neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;

#

# Verify that /proc/kcore is inaccessible.

#

neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;

#

# Verify that sysctl variables are only changeable

# by initrc and administrators.

#

neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };

neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };

neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };

neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };

neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };

neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };

neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };

neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };

#

# Verify that certain domains are limited to only being

# entered by their entrypoint types and to only executing

# the dynamic loader without a transition to another domain.

#

define(`assert_execute', `

    ifelse($#, 0, , 

           $#, 1, 

           ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',

           `assert_execute($1) assert_execute(shift($@))')')

ifdef(`getty.te', `assert_execute(getty)')

ifdef(`klogd.te', `assert_execute(klogd)')

ifdef(`tcpd.te', `assert_execute(tcpd)')

ifdef(`portmap.te', `assert_execute(portmap)')

ifdef(`syslogd.te', `assert_execute(syslogd)')

ifdef(`rpcd.te', `assert_execute(rpcd)')

ifdef(`rlogind.te', `assert_execute(rlogind)')

ifdef(`ypbind.te', `assert_execute(ypbind)')

ifdef(`xfs.te', `assert_execute(xfs)')

ifdef(`gpm.te', `assert_execute(gpm)')

ifdef(`ifconfig.te', `assert_execute(ifconfig)')

ifdef(`iptables.te', `assert_execute(iptables)')

ifdef(`login.te', `

neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;

neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;

')

#

# Verify that the passwd domain can only be entered by its

# entrypoint type and can only execute the dynamic loader

# and the ordinary passwd program without a transition to another domain.

#

ifdef(`passwd.te', `

neverallow passwd_t ~passwd_exec_t:file entrypoint;

neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;

neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;

')

#

# Verify that only the admin domains and initrc_t have setenforce.

#

neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;

#

# Verify that only the kernel and load_policy_t have load_policy.

#

neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;

#

# for gross mistakes in policy

neverallow * domain:dir ~r_dir_perms;

neverallow * domain:file_class_set ~rw_file_perms;

neverallow { domain unlabeled_t } file_type:process *;

neverallow ~{ domain unlabeled_t } *:process *;