rpms / selinux-policy

Clone
Source Code
GIT

Blame policy/constraints

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   4765a595e8d044cc8d14e78f4bca9b61c8bd2200
  2.   policy
  3.   constraints
Blob History Raw
Dan Walsh 9afb2b
Chris PeBenito 134191 
#
Chris PeBenito 134191 
# Define the constraints
Chris PeBenito 134191 
#
Chris PeBenito 134191 
# constrain class_set perm_set expression ;
Chris PeBenito 134191 
#
Chris PeBenito 134191 
# expression : ( expression )
Chris PeBenito 134191 
#	     | not expression
Chris PeBenito 134191 
#	     | expression and expression
Chris PeBenito 134191 
#	     | expression or expression
Chris PeBenito 134191 
#	     | u1 op u2
Chris PeBenito 134191 
#	     | r1 role_op r2
Chris PeBenito 134191 
#	     | t1 op t2
Chris PeBenito 134191 
#	     | u1 op names
Chris PeBenito 134191 
#	     | u2 op names
Chris PeBenito 134191 
#	     | r1 op names
Chris PeBenito 134191 
#	     | r2 op names
Chris PeBenito 134191 
#	     | t1 op names
Chris PeBenito 134191 
#	     | t2 op names
Chris PeBenito 134191 
#
Chris PeBenito 134191 
# op : == | !=
Chris PeBenito 134191 
# role_op : == | != | eq | dom | domby | incomp
Chris PeBenito 134191 
#
Chris PeBenito 134191 
# names : name | { name_list }
Chris PeBenito 134191 
# name_list : name | name_list name
Chris PeBenito 134191 
#
Chris PeBenito 134191
Chris PeBenito 296273 
define(`basic_ubac_conditions',`
Chris PeBenito 296273 
	ifdef(`enable_ubac',`
Chris PeBenito 296273 
		u1 == u2
Chris PeBenito 296273 
		or u1 == system_u
Chris PeBenito 296273 
		or u2 == system_u
Chris PeBenito 296273 
		or t1 != ubac_constrained_type
Chris PeBenito 296273 
		or t2 != ubac_constrained_type
Chris PeBenito 296273 
	')
Chris PeBenito 296273 
')
Chris PeBenito 296273
Chris PeBenito 296273 
define(`basic_ubac_constraint',`
Chris PeBenito 296273 
	ifdef(`enable_ubac',`
Chris PeBenito 296273 
		constrain $1 all_$1_perms
Chris PeBenito 296273 
		(
Chris PeBenito 296273 
			basic_ubac_conditions
Chris PeBenito 296273 
		);
Chris PeBenito 296273 
	')
Chris PeBenito 296273 
')
Chris PeBenito 296273
Chris PeBenito 296273 
define(`exempted_ubac_constraint',`
Chris PeBenito 296273 
	ifdef(`enable_ubac',`
Chris PeBenito 296273 
		constrain $1 all_$1_perms
Chris PeBenito 296273 
		(
Chris PeBenito 296273 
			basic_ubac_conditions
Chris PeBenito 296273 
			or t1 == $2
Chris PeBenito 296273 
		);
Chris PeBenito 296273 
	')
Chris PeBenito 296273 
')
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 134191 
#
Chris PeBenito 296273 
# File rules
Chris PeBenito 134191 
#
Chris PeBenito 296273
Chris PeBenito 296273 
exempted_ubac_constraint(dir, ubacfile)
Chris PeBenito 296273 
exempted_ubac_constraint(file, ubacfile)
Chris PeBenito 296273 
exempted_ubac_constraint(lnk_file, ubacfile)
Chris PeBenito 296273 
exempted_ubac_constraint(fifo_file, ubacfile)
Chris PeBenito 296273 
exempted_ubac_constraint(sock_file, ubacfile)
Chris PeBenito 296273 
exempted_ubac_constraint(chr_file, ubacfile)
Chris PeBenito 296273 
exempted_ubac_constraint(blk_file, ubacfile)
Chris PeBenito 296273
Justin P. Mattock 5b6bd0 
# SELinux object identity change constraint:
Chris PeBenito 296273 
constrain dir_file_class_set { create relabelto relabelfrom }
Chris PeBenito 350b6a 
(
Chris PeBenito 350b6a 
	u1 == u2
Chris PeBenito 296273 
	or t1 == can_change_object_identity
Chris PeBenito 296273 
);
Chris PeBenito 2e863f
Chris PeBenito 296273 
########################################
Chris PeBenito 296273 
#
Chris PeBenito 296273 
# Process rules
Chris PeBenito 296273 
#
Chris PeBenito c98340
Chris PeBenito 23d5ab 
ifdef(`enable_ubac',`
Chris PeBenito 23d5ab 
	constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
Chris PeBenito 23d5ab 
	(
Chris PeBenito 23d5ab 
		basic_ubac_conditions
Chris PeBenito 23d5ab 
		or t1 == ubacproc
Chris PeBenito 23d5ab 
	);
Chris PeBenito 23d5ab 
')
Chris PeBenito bd56da
Chris PeBenito 296273 
constrain process { transition noatsecure siginh rlimitinh }
Chris PeBenito 296273 
(
Chris PeBenito 296273 
	u1 == u2
Chris PeBenito 296273 
	or ( t1 == can_change_process_identity and t2 == process_user_target )
Dan Walsh a61cba 
       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
Chris PeBenito 350b6a 
	or ( t1 == can_system_change and u2 == system_u )
Chris PeBenito 350b6a 
	or ( t1 == process_uncond_exempt )
Chris PeBenito 350b6a 
);
Chris PeBenito 134191
Chris PeBenito 296273 
constrain process { transition noatsecure siginh rlimitinh }
Chris PeBenito 350b6a 
(
Chris PeBenito f657cb 
	r1 == r2
Chris PeBenito f657cb 
	or ( t1 == can_change_process_role and t2 == process_user_target )
Dan Walsh a61cba 
   	or ( t1 == cron_source_domain and t2 == cron_job_domain )
Chris PeBenito f657cb 
	or ( t1 == can_system_change and r2 == system_r )
Chris PeBenito 350b6a 
	or ( t1 == process_uncond_exempt )
Chris PeBenito 350b6a 
);
Chris PeBenito 134191
Chris PeBenito 134191 
constrain process dyntransition
Chris PeBenito bd56da 
(
Chris PeBenito bd56da 
	u1 == u2 and r1 == r2
Chris PeBenito bd56da 
);
Chris PeBenito 134191
Chris PeBenito 296273 
# These permissions do not have ubac constraints:
Chris PeBenito 296273 
# fork
Chris PeBenito 296273 
# setexec
Chris PeBenito 296273 
# setfscreate
Chris PeBenito 296273 
# setcurrent
Chris PeBenito 296273 
# execmem
Chris PeBenito 296273 
# execstack
Chris PeBenito 296273 
# execheap
Chris PeBenito 296273 
# setkeycreate
Chris PeBenito 296273 
# setsockcreate
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 134191 
#
Chris PeBenito 296273 
# File descriptor rules
Chris PeBenito 134191 
#
Chris PeBenito bd56da
Chris PeBenito 296273 
exempted_ubac_constraint(fd, ubacfd)
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 296273 
#
Chris PeBenito 296273 
# Socket rules
Chris PeBenito 296273 
#
Chris PeBenito 296273
Chris PeBenito 296273 
exempted_ubac_constraint(socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(tcp_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(udp_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(rawip_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(packet_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(key_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(unix_stream_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_route_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(appletalk_socket, ubacsock)
Chris PeBenito 296273 
exempted_ubac_constraint(dccp_socket, ubacsock)
Chris PeBenito 134191
Chris PeBenito 134191 
constrain socket_class_set { create relabelto relabelfrom }
Chris PeBenito bd56da 
(
Chris PeBenito bd56da 
	u1 == u2
Chris PeBenito bd56da 
	or t1 == can_change_object_identity
Chris PeBenito bd56da 
);
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 296273 
#
Chris PeBenito 296273 
# SysV IPC rules
Chris PeBenito 296273
Chris PeBenito 296273 
exempted_ubac_constraint(sem, ubacipc)
Chris PeBenito 296273 
exempted_ubac_constraint(msg, ubacipc)
Chris PeBenito 296273 
exempted_ubac_constraint(msgq, ubacipc)
Chris PeBenito 296273 
exempted_ubac_constraint(shm, ubacipc)
Chris PeBenito 296273 
exempted_ubac_constraint(ipc, ubacipc)
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 296273 
#
Dan Walsh a61cba 
# SE-X Windows rules
Chris PeBenito 296273 
#
Chris PeBenito 296273
Chris PeBenito 296273 
exempted_ubac_constraint(x_drawable, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_screen, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_gc, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_font, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_colormap, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_property, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_selection, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_cursor, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_client, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_device, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_server, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_extension, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_resource, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_event, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
Chris PeBenito 296273 
exempted_ubac_constraint(x_application_data, ubacxwin)
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 296273 
#
Chris PeBenito 296273 
# D-BUS rules
Chris PeBenito 296273 
#
Chris PeBenito 296273
Chris PeBenito 296273 
exempted_ubac_constraint(dbus, ubacdbus)
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 296273 
#
Chris PeBenito 296273 
# Key rules
Chris PeBenito 296273 
#
Chris PeBenito 296273
Chris PeBenito 296273 
exempted_ubac_constraint(key, ubackey)
Chris PeBenito 296273
Chris PeBenito 296273 
########################################
Chris PeBenito 296273 
#
Chris PeBenito 296273 
# Database rules
Chris PeBenito 296273 
#
Chris PeBenito 296273
Chris PeBenito 296273 
exempted_ubac_constraint(db_database, ubacdb)
Chris PeBenito 296273 
exempted_ubac_constraint(db_table, ubacdb)
Chris PeBenito 296273 
exempted_ubac_constraint(db_procedure, ubacdb)
Chris PeBenito 296273 
exempted_ubac_constraint(db_column, ubacdb)
Chris PeBenito 296273 
exempted_ubac_constraint(db_tuple, ubacdb)
Chris PeBenito 296273 
exempted_ubac_constraint(db_blob, ubacdb)
Chris PeBenito 296273
Dan Walsh a61cba
Dan Walsh a61cba
Chris PeBenito 296273 
basic_ubac_constraint(association)
Chris PeBenito 296273 
basic_ubac_constraint(peer)
Chris PeBenito 296273
Dan Walsh a61cba
Dan Walsh a61cba 
# these classes have no UBAC restrictions
Dan Walsh a61cba 
#class security
Dan Walsh a61cba 
#class system
Dan Walsh a61cba 
#class capability
Dan Walsh a61cba 
#class memprotect
Dan Walsh a61cba 
#class passwd			# userspace
Dan Walsh a61cba 
#class node
Dan Walsh a61cba 
#class netif
Dan Walsh a61cba 
#class packet
Dan Walsh a61cba 
#class capability2
Dan Walsh a61cba 
#class nscd			# userspace
Dan Walsh a61cba 
#class context			# userspace
Dan Walsh a61cba
Dan Walsh a61cba
Chris PeBenito 296273
Chris PeBenito 296273 
undefine(`basic_ubac_constraint')
Chris PeBenito 296273 
undefine(`basic_ubac_conditions')
Chris PeBenito 296273 
undefine(`exempted_ubac_constraint')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation