#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression ) 
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_op r2
#	     | t1 op t2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#
# op : == | != 
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name		
#
# basic_ubac_conditions: the shared User-Based Access Control predicate.
# It is true (the access is NOT blocked by UBAC) when any of the listed
# clauses holds.  Because the body is inside ifdef(enable_ubac), the macro
# expands to nothing when enable_ubac is not defined, so any constraint that
# splices it in must itself be guarded the same way or the constrain
# expression is left syntactically incomplete.
define(`basic_ubac_conditions',`
	ifdef(`enable_ubac',`
		# same SELinux user on both sides
		u1 == u2
		# the system user is exempt on either side
		or u1 == system_u
		or u2 == system_u
		# either type is outside the UBAC-constrained set
		# (ubac_constrained_type is presumably an attribute - confirm)
		or t1 != ubac_constrained_type
		or t2 != ubac_constrained_type
	')
')
# basic_ubac_constraint(class): constrain every permission of the given
# class with the shared UBAC predicate and no extra exemption.
# all_<class>_perms is expected to be a permission-set macro defined
# elsewhere in the policy (obj_perm_sets - confirm).
# Expands to nothing unless enable_ubac is defined.
define(`basic_ubac_constraint',`
	ifdef(`enable_ubac',`
		constrain $1 all_$1_perms
		(
			basic_ubac_conditions
		);
	')
')
# exempted_ubac_constraint(class, exempt): like basic_ubac_constraint, but a
# source type matching the second argument (presumably an attribute) may
# additionally cross user boundaries for that class.  Only the source side
# (t1) is exempted; the target type is not consulted.
# Expands to nothing unless enable_ubac is defined.
define(`exempted_ubac_constraint',`
	ifdef(`enable_ubac',`
		constrain $1 all_$1_perms
		(
			basic_ubac_conditions
			# bypass for source types carrying the exemption attribute
			or t1 == $2
		);
	')
')
########################################
#
# File rules
#
# Every file-like class is UBAC-constrained; source types in ubacfile
# (presumably an attribute) are exempt.

exempted_ubac_constraint(dir, ubacfile)
exempted_ubac_constraint(file, ubacfile)
exempted_ubac_constraint(lnk_file, ubacfile)
exempted_ubac_constraint(fifo_file, ubacfile)
exempted_ubac_constraint(sock_file, ubacfile)
exempted_ubac_constraint(chr_file, ubacfile)
exempted_ubac_constraint(blk_file, ubacfile)

# SElinux object identity change constraint:
# Unlike the rules above this is NOT gated on enable_ubac.  Creating or
# relabeling a file-like object under a different SELinux user is always
# limited to source types in can_change_object_identity.
constrain dir_file_class_set { create relabelto relabelfrom } 
(
	u1 == u2
	or t1 == can_change_object_identity
);
########################################
#
# Process rules
#

# Signal, ptrace, scheduling, session and capability permissions between
# processes are UBAC-constrained; source types in ubacproc are exempt.
# NOTE(review): this statement is not wrapped in ifdef(enable_ubac), yet
# basic_ubac_conditions expands to nothing without it, which would leave the
# expression as "( or t1 == ubacproc )".  Confirm that this file is only
# built with enable_ubac defined, or guard the statement like the macros do.
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
(
	basic_ubac_conditions
	or t1 == ubacproc
);
# User change on process transition: a transition may only change the
# SELinux user when one of the exemptions below applies.  This constraint is
# not gated on enable_ubac and applies in every build.
constrain process { transition noatsecure siginh rlimitinh }
(
	u1 == u2
	# identity-changing domains entering a user process target
	or ( t1 == can_change_process_identity and t2 == process_user_target )
	# cron sources entering a cron job domain, or any domain as system_u
       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
	# may only change to the system user
	or ( t1 == can_system_change and u2 == system_u )
	# unconditional exemption
	or ( t1 == process_uncond_exempt )
);
# Role change on process transition: the same exemptions as the user
# constraint above, keyed on r1 == r2.  Note that the cron and system-change
# clauses still test u2 == system_u (a user, not a role), mirroring the user
# constraint; there is no role-based condition in those exemptions.
constrain process { transition noatsecure siginh rlimitinh }
(
	r1 == r2
	or ( t1 == can_change_process_identity and t2 == process_user_target )
	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
	or ( t1 == can_system_change and u2 == system_u )
	or ( t1 == process_uncond_exempt )
);
# Dynamic transitions may never change the user or the role; there are no
# exemptions, and this is not gated on enable_ubac.
constrain process dyntransition
(
	u1 == u2 and r1 == r2
);

# These permissions do not have ubac constraints:
# fork
# setexec
# setfscreate
# setcurrent
# execmem
# execstack
# execheap
# setkeycreate
# setsockcreate
########################################
#
# File descriptor rules
#

# fd permissions are UBAC-constrained; source types in ubacfd are exempt.
exempted_ubac_constraint(fd, ubacfd)
########################################
#
# Socket rules
#

# Every socket class listed here is UBAC-constrained; source types in
# ubacsock are exempt.  A socket class missing from this list is not
# UBAC-constrained at all, so keep it in step with the class definitions.
exempted_ubac_constraint(socket, ubacsock)
exempted_ubac_constraint(tcp_socket, ubacsock)
exempted_ubac_constraint(udp_socket, ubacsock)
exempted_ubac_constraint(rawip_socket, ubacsock)
exempted_ubac_constraint(netlink_socket, ubacsock)
exempted_ubac_constraint(packet_socket, ubacsock)
exempted_ubac_constraint(key_socket, ubacsock)
exempted_ubac_constraint(unix_stream_socket, ubacsock)
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
exempted_ubac_constraint(netlink_route_socket, ubacsock)
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
# Socket object identity change constraint: not gated on enable_ubac.
# Creating or relabeling a socket under a different SELinux user is always
# limited to source types in can_change_object_identity.
constrain socket_class_set { create relabelto relabelfrom } 
(
	u1 == u2
	or t1 == can_change_object_identity
);
########################################
#
# SysV IPC rules
#

# SysV IPC classes are UBAC-constrained; source types in ubacipc are exempt.
exempted_ubac_constraint(sem, ubacipc)
exempted_ubac_constraint(msg, ubacipc)
exempted_ubac_constraint(msgq, ubacipc)
exempted_ubac_constraint(shm, ubacipc)
exempted_ubac_constraint(ipc, ubacipc)
########################################
#
# SE-X Windows rules
#

# X object classes are UBAC-constrained; source types in ubacxwin are exempt.
exempted_ubac_constraint(x_drawable, ubacxwin)
exempted_ubac_constraint(x_screen, ubacxwin)
exempted_ubac_constraint(x_gc, ubacxwin)
exempted_ubac_constraint(x_font, ubacxwin)
exempted_ubac_constraint(x_colormap, ubacxwin)
exempted_ubac_constraint(x_property, ubacxwin)
exempted_ubac_constraint(x_selection, ubacxwin)
exempted_ubac_constraint(x_cursor, ubacxwin)
exempted_ubac_constraint(x_client, ubacxwin)
exempted_ubac_constraint(x_device, ubacxwin)
exempted_ubac_constraint(x_server, ubacxwin)
exempted_ubac_constraint(x_extension, ubacxwin)
exempted_ubac_constraint(x_resource, ubacxwin)
exempted_ubac_constraint(x_event, ubacxwin)
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
exempted_ubac_constraint(x_application_data, ubacxwin)
########################################
#
# D-BUS rules
#

# dbus permissions are UBAC-constrained; source types in ubacdbus are exempt.
exempted_ubac_constraint(dbus, ubacdbus)
########################################
#
# Key rules
#

# key permissions are UBAC-constrained; source types in ubackey are exempt.
exempted_ubac_constraint(key, ubackey)
########################################
#
# Database rules
#

# Database object classes are UBAC-constrained; source types in ubacdb are
# exempt.
exempted_ubac_constraint(db_database, ubacdb)
exempted_ubac_constraint(db_table, ubacdb)
exempted_ubac_constraint(db_procedure, ubacdb)
exempted_ubac_constraint(db_column, ubacdb)
exempted_ubac_constraint(db_tuple, ubacdb)
exempted_ubac_constraint(db_blob, ubacdb)
# Network association and peer classes get the basic UBAC constraint with no
# exemption attribute: only the shared basic_ubac_conditions apply.
basic_ubac_constraint(association)
basic_ubac_constraint(peer)


# these classes have no UBAC restrictions
#class security
#class system
#class capability
#class memprotect
#class passwd			# userspace
#class node
#class netif
#class packet
#class capability2
#class nscd			# userspace
#class context			# userspace
# Scope the helper macros to this file so nothing processed after it can
# expand them by accident.
undefine(`basic_ubac_constraint')
undefine(`basic_ubac_conditions')
undefine(`exempted_ubac_constraint')