|
Chris PeBenito |
1c9f9a |
## <summary>Core policy for domains.</summary>
|
|
Chris PeBenito |
274547 |
## <required val="true">
|
|
Chris PeBenito |
274547 |
## Contains the concept of a domain.
|
|
Chris PeBenito |
274547 |
## </required>
|
|
Chris PeBenito |
e181fe |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
2e863f |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Make the specified type usable as a basic domain.
|
|
Chris PeBenito |
2e863f |
## </summary>
|
|
Chris PeBenito |
2e863f |
## <desc>
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## Make the specified type usable as a basic domain.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## This is primarily used for kernel threads;
|
|
Chris PeBenito |
2e863f |
## generally the domain_type() interface is
|
|
Chris PeBenito |
2e863f |
## more appropriate for userland processes.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## </desc>
|
|
Chris PeBenito |
2e863f |
## <param name="type">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Type to be used as a basic domain type.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2e863f |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
fb0a3a |
interface(`domain_base_type',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 domain;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
2e863f |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Make the specified type usable as a domain.
|
|
Chris PeBenito |
2e863f |
## </summary>
|
|
Chris PeBenito |
88daf1 |
## <desc>
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## Make the specified type usable as a domain. This,
|
|
Chris PeBenito |
88daf1 |
## or an interface that calls this interface, must be
|
|
Chris PeBenito |
88daf1 |
## used on all types that are used as domains.
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## Related interfaces:
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## application_domain()
|
|
Chris PeBenito |
88daf1 |
## init_daemon_domain()
|
|
Chris PeBenito |
88daf1 |
## init_domaion()
|
|
Chris PeBenito |
88daf1 |
## init_ranged_daemon_domain()
|
|
Chris PeBenito |
88daf1 |
## init_ranged_domain()
|
|
Chris PeBenito |
88daf1 |
## init_ranged_system_domain()
|
|
Chris PeBenito |
88daf1 |
## init_script_domain()
|
|
Chris PeBenito |
88daf1 |
## init_system_domain()
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## Example:
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## type mydomain_t;
|
|
Chris PeBenito |
88daf1 |
## domain_type(mydomain_t)
|
|
Chris PeBenito |
88daf1 |
## type myfile_t;
|
|
Chris PeBenito |
88daf1 |
## files_type(myfile_t)
|
|
Chris PeBenito |
88daf1 |
## allow mydomain_t myfile_t:file read_file_perms;
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## </desc>
|
|
Chris PeBenito |
2e863f |
## <param name="type">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Type to be used as a domain type.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2e863f |
## </param>
|
|
Chris PeBenito |
88daf1 |
## <infoflow type="none"/>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_type',`
|
|
Chris PeBenito |
0c73cd |
# start with basic domain
|
|
Chris PeBenito |
fb0a3a |
domain_base_type($1)
|
|
Chris PeBenito |
a9a20d |
|
|
Chris PeBenito |
495df4 |
ifdef(`distro_redhat',`
|
|
Chris PeBenito |
495df4 |
optional_policy(`
|
|
Chris PeBenito |
495df4 |
unconfined_use_fds($1)
|
|
Chris PeBenito |
495df4 |
')
|
|
Chris PeBenito |
495df4 |
')
|
|
Chris PeBenito |
495df4 |
|
|
Chris PeBenito |
3cfd48 |
# send init a sigchld and signull
|
|
Chris PeBenito |
bb7170 |
optional_policy(`
|
|
Chris PeBenito |
3cfd48 |
init_sigchld($1)
|
|
Chris PeBenito |
3cfd48 |
init_signull($1)
|
|
Chris PeBenito |
3cfd48 |
')
|
|
Chris PeBenito |
3cfd48 |
|
|
Chris PeBenito |
3cfd48 |
# these seem questionable:
|
|
Chris PeBenito |
3cfd48 |
|
|
Chris PeBenito |
bb7170 |
optional_policy(`
|
|
Chris PeBenito |
1c1ac6 |
rpm_use_fds($1)
|
|
Chris PeBenito |
1815ba |
rpm_read_pipes($1)
|
|
Chris PeBenito |
0c73cd |
')
|
|
Chris PeBenito |
2db2c7 |
|
|
Chris PeBenito |
bb7170 |
optional_policy(`
|
|
Chris PeBenito |
495df4 |
selinux_dontaudit_getattr_fs($1)
|
|
Chris PeBenito |
30705b |
selinux_dontaudit_read_fs($1)
|
|
Chris PeBenito |
2db2c7 |
')
|
|
Chris PeBenito |
2db2c7 |
|
|
Chris PeBenito |
bb7170 |
optional_policy(`
|
|
Chris PeBenito |
2db2c7 |
seutil_dontaudit_read_config($1)
|
|
Chris PeBenito |
2db2c7 |
')
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
2e863f |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Make the specified type usable as
|
|
Chris PeBenito |
2e863f |
## an entry point for the domain.
|
|
Chris PeBenito |
2e863f |
## </summary>
|
|
Chris PeBenito |
2e863f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Domain to be entered.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2e863f |
## </param>
|
|
Chris PeBenito |
2e863f |
## <param name="type">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Type of program used for entering
|
|
Chris PeBenito |
2e863f |
## the domain.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2e863f |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_entry_file',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute entry_type;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 $2:file entrypoint;
|
|
Chris PeBenito |
ef659a |
allow $1 $2:file { mmap_file_perms ioctl lock };
|
|
Chris PeBenito |
2e863f |
|
|
Chris PeBenito |
0c73cd |
typeattribute $2 entry_type;
|
|
Chris PeBenito |
fb63d0 |
|
|
Chris PeBenito |
fb63d0 |
corecmd_executable_file($2)
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Make the file descriptors of the specified
|
|
Chris PeBenito |
ac9db9 |
## domain for interactive use (widely inheritable)
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## <param name="domain">
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## </param>
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
15722e |
interface(`domain_interactive_fd',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute privfd;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 privfd;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
########################################
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Allow the specified domain to perform
|
|
Chris PeBenito |
ac9db9 |
## dynamic transitions.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## <desc>
|
|
Chris PeBenito |
ac9db9 |
##
|
|
Chris PeBenito |
ac9db9 |
## Allow the specified domain to perform
|
|
Chris PeBenito |
ac9db9 |
## dynamic transitions.
|
|
Chris PeBenito |
ac9db9 |
##
|
|
Chris PeBenito |
ac9db9 |
##
|
|
Chris PeBenito |
ac9db9 |
## This violates process tranquility, and it
|
|
Chris PeBenito |
ac9db9 |
## is strongly suggested that this not be used.
|
|
Chris PeBenito |
ac9db9 |
##
|
|
Chris PeBenito |
ac9db9 |
## </desc>
|
|
Chris PeBenito |
ac9db9 |
## <param name="domain">
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## </param>
|
|
Chris PeBenito |
007ca5 |
#
|
|
Chris PeBenito |
007ca5 |
interface(`domain_dyntrans_type',`
|
|
Chris PeBenito |
007ca5 |
gen_require(`
|
|
Chris PeBenito |
007ca5 |
attribute set_curr_context;
|
|
Chris PeBenito |
007ca5 |
')
|
|
Chris PeBenito |
007ca5 |
|
|
Chris PeBenito |
007ca5 |
typeattribute $1 set_curr_context;
|
|
Chris PeBenito |
007ca5 |
')
|
|
Chris PeBenito |
007ca5 |
|
|
Chris PeBenito |
007ca5 |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
3774e4 |
## Makes caller and execption to the constraint
|
|
Chris PeBenito |
3774e4 |
## preventing changing to the system user
|
|
Chris PeBenito |
3774e4 |
## identity and system role.
|
|
Chris PeBenito |
3774e4 |
## </summary>
|
|
Chris PeBenito |
3774e4 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
3774e4 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
3774e4 |
## </param>
|
|
Chris PeBenito |
3774e4 |
#
|
|
Chris PeBenito |
1815ba |
interface(`domain_system_change_exemption',`
|
|
Chris PeBenito |
3774e4 |
gen_require(`
|
|
Chris PeBenito |
3774e4 |
attribute can_system_change;
|
|
Chris PeBenito |
3774e4 |
')
|
|
Chris PeBenito |
3774e4 |
|
|
Chris PeBenito |
3774e4 |
typeattribute $1 can_system_change;
|
|
Chris PeBenito |
3774e4 |
')
|
|
Chris PeBenito |
3774e4 |
|
|
Chris PeBenito |
3774e4 |
########################################
|
|
Chris PeBenito |
3774e4 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Makes caller an exception to the constraint preventing
|
|
Chris PeBenito |
414e41 |
## changing of user identity.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## The process type to make an exception to the constraint.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
8bd678 |
#
|
|
Chris PeBenito |
1815ba |
interface(`domain_subj_id_change_exemption',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute can_change_process_identity;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
8bd678 |
|
|
Chris PeBenito |
8bd678 |
typeattribute $1 can_change_process_identity;
|
|
Chris PeBenito |
8bd678 |
')
|
|
Chris PeBenito |
8bd678 |
|
|
Chris PeBenito |
8bd678 |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Makes caller an exception to the constraint preventing
|
|
Chris PeBenito |
414e41 |
## changing of role.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## The process type to make an exception to the constraint.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
8bd678 |
#
|
|
Chris PeBenito |
1815ba |
interface(`domain_role_change_exemption',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute can_change_process_role;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
8bd678 |
|
|
Chris PeBenito |
8bd678 |
typeattribute $1 can_change_process_role;
|
|
Chris PeBenito |
8bd678 |
')
|
|
Chris PeBenito |
8bd678 |
|
|
Chris PeBenito |
8bd678 |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Makes caller an exception to the constraint preventing
|
|
Chris PeBenito |
414e41 |
## changing the user identity in object contexts.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## The process type to make an exception to the constraint.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
8bd678 |
#
|
|
Chris PeBenito |
1815ba |
interface(`domain_obj_id_change_exemption',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute can_change_object_identity;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
8bd678 |
|
|
Chris PeBenito |
8bd678 |
typeattribute $1 can_change_object_identity;
|
|
Chris PeBenito |
8bd678 |
')
|
|
Chris PeBenito |
8bd678 |
|
|
Chris PeBenito |
8bd678 |
########################################
|
|
Chris PeBenito |
2e863f |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Make the specified domain the target of
|
|
Chris PeBenito |
2e863f |
## the user domain exception of the
|
|
Chris PeBenito |
2e863f |
## SELinux role and identity change
|
|
Chris PeBenito |
2e863f |
## constraints.
|
|
Chris PeBenito |
2e863f |
## </summary>
|
|
Chris PeBenito |
2e863f |
## <desc>
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## Make the specified domain the target of
|
|
Chris PeBenito |
2e863f |
## the user domain exception of the
|
|
Chris PeBenito |
2e863f |
## SELinux role and identity change
|
|
Chris PeBenito |
2e863f |
## constraints.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## This interface is needed to decouple
|
|
Chris PeBenito |
2e863f |
## the user domains from the base module.
|
|
Chris PeBenito |
2e863f |
## It should not be used other than on
|
|
Chris PeBenito |
2e863f |
## user domains.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## </desc>
|
|
Chris PeBenito |
2e863f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Domain target for user exemption.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2e863f |
## </param>
|
|
Chris PeBenito |
2e863f |
#
|
|
Chris PeBenito |
2e863f |
interface(`domain_user_exemption_target',`
|
|
Chris PeBenito |
2e863f |
gen_require(`
|
|
Chris PeBenito |
2e863f |
attribute process_user_target;
|
|
Chris PeBenito |
2e863f |
')
|
|
Chris PeBenito |
2e863f |
|
|
Chris PeBenito |
2e863f |
typeattribute $1 process_user_target;
|
|
Chris PeBenito |
2e863f |
')
|
|
Chris PeBenito |
2e863f |
|
|
Chris PeBenito |
2e863f |
########################################
|
|
Chris PeBenito |
2e863f |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Make the specified domain the source of
|
|
Chris PeBenito |
2e863f |
## the cron domain exception of the
|
|
Chris PeBenito |
2e863f |
## SELinux role and identity change
|
|
Chris PeBenito |
2e863f |
## constraints.
|
|
Chris PeBenito |
2e863f |
## </summary>
|
|
Chris PeBenito |
2e863f |
## <desc>
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## Make the specified domain the source of
|
|
Chris PeBenito |
2e863f |
## the cron domain exception of the
|
|
Chris PeBenito |
2e863f |
## SELinux role and identity change
|
|
Chris PeBenito |
2e863f |
## constraints.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## This interface is needed to decouple
|
|
Chris PeBenito |
2e863f |
## the cron domains from the base module.
|
|
Chris PeBenito |
2e863f |
## It should not be used other than on
|
|
Chris PeBenito |
2e863f |
## cron domains.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## </desc>
|
|
Chris PeBenito |
2e863f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Domain target for user exemption.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2e863f |
## </param>
|
|
Chris PeBenito |
2e863f |
#
|
|
Chris PeBenito |
2e863f |
interface(`domain_cron_exemption_source',`
|
|
Chris PeBenito |
2e863f |
gen_require(`
|
|
Chris PeBenito |
2e863f |
attribute cron_source_domain;
|
|
Chris PeBenito |
2e863f |
')
|
|
Chris PeBenito |
2e863f |
|
|
Chris PeBenito |
2e863f |
typeattribute $1 cron_source_domain;
|
|
Chris PeBenito |
2e863f |
')
|
|
Chris PeBenito |
2e863f |
|
|
Chris PeBenito |
2e863f |
########################################
|
|
Chris PeBenito |
2e863f |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Make the specified domain the target of
|
|
Chris PeBenito |
2e863f |
## the cron domain exception of the
|
|
Chris PeBenito |
2e863f |
## SELinux role and identity change
|
|
Chris PeBenito |
2e863f |
## constraints.
|
|
Chris PeBenito |
2e863f |
## </summary>
|
|
Chris PeBenito |
2e863f |
## <desc>
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## Make the specified domain the target of
|
|
Chris PeBenito |
2e863f |
## the cron domain exception of the
|
|
Chris PeBenito |
2e863f |
## SELinux role and identity change
|
|
Chris PeBenito |
2e863f |
## constraints.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## This interface is needed to decouple
|
|
Chris PeBenito |
2e863f |
## the cron domains from the base module.
|
|
Chris PeBenito |
2e863f |
## It should not be used other than on
|
|
Chris PeBenito |
2e863f |
## user cron jobs.
|
|
Chris PeBenito |
2e863f |
##
|
|
Chris PeBenito |
2e863f |
## </desc>
|
|
Chris PeBenito |
2e863f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2e863f |
## Domain target for user exemption.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2e863f |
## </param>
|
|
Chris PeBenito |
2e863f |
#
|
|
Chris PeBenito |
2e863f |
interface(`domain_cron_exemption_target',`
|
|
Chris PeBenito |
2e863f |
gen_require(`
|
|
Chris PeBenito |
2e863f |
attribute cron_job_domain;
|
|
Chris PeBenito |
2e863f |
')
|
|
Chris PeBenito |
2e863f |
|
|
Chris PeBenito |
2e863f |
typeattribute $1 cron_job_domain;
|
|
Chris PeBenito |
2e863f |
')
|
|
Chris PeBenito |
2e863f |
|
|
Chris PeBenito |
2e863f |
########################################
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Inherit and use file descriptors from
|
|
Chris PeBenito |
ac9db9 |
## domains with interactive programs.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
88daf1 |
## <desc>
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## Allow the specified domain to inherit and use file
|
|
Chris PeBenito |
88daf1 |
## descriptors from domains with interactive programs.
|
|
Chris PeBenito |
88daf1 |
## This does not allow access to the objects being referenced
|
|
Chris PeBenito |
88daf1 |
## by the file descriptors.
|
|
Chris PeBenito |
88daf1 |
##
|
|
Chris PeBenito |
88daf1 |
## </desc>
|
|
Chris PeBenito |
ac9db9 |
## <param name="domain">
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## </param>
|
|
Chris PeBenito |
88daf1 |
## <infoflow type="read" weight="1"/>
|
|
Chris PeBenito |
a2d824 |
#
|
|
Chris PeBenito |
15722e |
interface(`domain_use_interactive_fds',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute privfd;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 privfd:fd use;
|
|
Chris PeBenito |
a2d824 |
')
|
|
Chris PeBenito |
a2d824 |
|
|
Chris PeBenito |
a2d824 |
########################################
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Do not audit attempts to inherit file
|
|
Chris PeBenito |
ac9db9 |
## descriptors from domains with interactive
|
|
Chris PeBenito |
ac9db9 |
## programs.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## <param name="domain">
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## </param>
|
|
Chris PeBenito |
3ce6cb |
#
|
|
Chris PeBenito |
15722e |
interface(`domain_dontaudit_use_interactive_fds',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute privfd;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
dontaudit $1 privfd:fd use;
|
|
Chris PeBenito |
3ce6cb |
')
|
|
Chris PeBenito |
3ce6cb |
|
|
Chris PeBenito |
3ce6cb |
########################################
|
|
Chris PeBenito |
ebdc3b |
## <summary>
|
|
Chris PeBenito |
ebdc3b |
## Send a SIGCHLD signal to domains whose file
|
|
Chris PeBenito |
ebdc3b |
## discriptors are widely inheritable.
|
|
Chris PeBenito |
ebdc3b |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ebdc3b |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## </param>
|
|
Chris PeBenito |
ebdc3b |
#
|
|
Chris PeBenito |
ebdc3b |
# cjp: this was added because of newrole
|
|
Chris PeBenito |
15722e |
interface(`domain_sigchld_interactive_fds',`
|
|
Chris PeBenito |
ebdc3b |
gen_require(`
|
|
Chris PeBenito |
ebdc3b |
attribute privfd;
|
|
Chris PeBenito |
ebdc3b |
')
|
|
Chris PeBenito |
ebdc3b |
|
|
Chris PeBenito |
d1b9d9 |
allow $1 privfd:process sigchld;
|
|
Chris PeBenito |
ebdc3b |
')
|
|
Chris PeBenito |
ebdc3b |
|
|
Chris PeBenito |
ebdc3b |
########################################
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Set the nice level of all domains.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## <param name="domain">
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
5817e3 |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_setpriority_all_domains',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 domain:process setsched;
|
|
Chris PeBenito |
5817e3 |
')
|
|
Chris PeBenito |
5817e3 |
|
|
Chris PeBenito |
5817e3 |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Send general signals to all domains.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_signal_all_domains',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 domain:process signal;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Send a null signal to all domains.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
1c9f9a |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_signull_all_domains',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 domain:process signull;
|
|
Chris PeBenito |
1c9f9a |
')
|
|
Chris PeBenito |
1c9f9a |
|
|
Chris PeBenito |
1c9f9a |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Send a stop signal to all domains.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
c6fd1f |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_sigstop_all_domains',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 domain:process sigstop;
|
|
Chris PeBenito |
c6fd1f |
')
|
|
Chris PeBenito |
c6fd1f |
|
|
Chris PeBenito |
c6fd1f |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Send a child terminated signal to all domains.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_sigchld_all_domains',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 domain:process sigchld;
|
|
Chris PeBenito |
c6fd1f |
')
|
|
Chris PeBenito |
c6fd1f |
|
|
Chris PeBenito |
c6fd1f |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Send a kill signal to all domains.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_kill_all_domains',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 domain:process sigkill;
|
|
Chris PeBenito |
0c73cd |
allow $1 self:capability kill;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
9fd4b8 |
|
|
Chris PeBenito |
605ba2 |
########################################
|
|
Chris PeBenito |
605ba2 |
## <summary>
|
|
Chris PeBenito |
605ba2 |
## Search the process state directory (/proc/pid) of all domains.
|
|
Chris PeBenito |
605ba2 |
## </summary>
|
|
Chris PeBenito |
605ba2 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
605ba2 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
605ba2 |
## </param>
|
|
Chris PeBenito |
605ba2 |
#
|
|
Chris PeBenito |
605ba2 |
interface(`domain_search_all_domains_state',`
|
|
Chris PeBenito |
605ba2 |
gen_require(`
|
|
Chris PeBenito |
605ba2 |
attribute domain;
|
|
Chris PeBenito |
605ba2 |
')
|
|
Chris PeBenito |
605ba2 |
|
|
Chris PeBenito |
605ba2 |
kernel_search_proc($1)
|
|
Chris PeBenito |
a65fd9 |
allow $1 domain:dir search_dir_perms;
|
|
Chris PeBenito |
605ba2 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
2ec4c9 |
## <summary>
|
|
Chris PeBenito |
9fd4b8 |
## Do not audit attempts to search the process
|
|
Chris PeBenito |
9fd4b8 |
## state directory (/proc/pid) of all domains.
|
|
Chris PeBenito |
9fd4b8 |
## </summary>
|
|
Chris PeBenito |
9fd4b8 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
9fd4b8 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
9fd4b8 |
## </param>
|
|
Chris PeBenito |
9fd4b8 |
#
|
|
Chris PeBenito |
9fd4b8 |
interface(`domain_dontaudit_search_all_domains_state',`
|
|
Chris PeBenito |
9fd4b8 |
gen_require(`
|
|
Chris PeBenito |
9fd4b8 |
attribute domain;
|
|
Chris PeBenito |
9fd4b8 |
')
|
|
Chris PeBenito |
9fd4b8 |
|
|
Chris PeBenito |
9fd4b8 |
dontaudit $1 domain:dir search_dir_perms;
|
|
Chris PeBenito |
9fd4b8 |
')
|
|
Chris PeBenito |
9fd4b8 |
|
|
Chris PeBenito |
9fd4b8 |
########################################
|
|
Chris PeBenito |
9fd4b8 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Read the process state (/proc/pid) of all domains.
|
|
Chris PeBenito |
2ec4c9 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
605ba2 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_read_all_domains_state',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
605ba2 |
kernel_search_proc($1)
|
|
Chris PeBenito |
c0868a |
allow $1 domain:dir list_dir_perms;
|
|
Chris PeBenito |
0bfccd |
read_files_pattern($1, domain, domain)
|
|
Chris PeBenito |
0bfccd |
read_lnk_files_pattern($1, domain, domain)
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
ccc597 |
########################################
|
|
Chris PeBenito |
ccc597 |
## <summary>
|
|
Dan Walsh |
3eaa99 |
## Get the attributes of all domains.
|
|
Chris PeBenito |
ccc597 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ccc597 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
ccc597 |
#
|
|
Chris PeBenito |
ccc597 |
interface(`domain_getattr_all_domains',`
|
|
Chris PeBenito |
ccc597 |
gen_require(`
|
|
Chris PeBenito |
ccc597 |
attribute domain;
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
ccc597 |
|
|
Chris PeBenito |
ccc597 |
allow $1 domain:process getattr;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
d490eb |
########################################
|
|
Chris PeBenito |
2ec4c9 |
## <summary>
|
|
Dan Walsh |
3eaa99 |
## Dontaudit geting the attributes of all domains.
|
|
Chris PeBenito |
ac9aa2 |
## </summary>
|
|
Chris PeBenito |
ac9aa2 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9aa2 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ac9aa2 |
## </param>
|
|
Chris PeBenito |
ac9aa2 |
#
|
|
Chris PeBenito |
ac9aa2 |
interface(`domain_dontaudit_getattr_all_domains',`
|
|
Chris PeBenito |
ac9aa2 |
gen_require(`
|
|
Chris PeBenito |
ac9aa2 |
attribute domain;
|
|
Chris PeBenito |
ac9aa2 |
')
|
|
Chris PeBenito |
ac9aa2 |
|
|
Chris PeBenito |
ac9aa2 |
dontaudit $1 domain:process getattr;
|
|
Chris PeBenito |
ac9aa2 |
')
|
|
Chris PeBenito |
ac9aa2 |
|
|
Chris PeBenito |
ac9aa2 |
########################################
|
|
Chris PeBenito |
ac9aa2 |
## <summary>
|
|
Chris PeBenito |
ccc597 |
## Read the process state (/proc/pid) of all confined domains.
|
|
Chris PeBenito |
605ba2 |
## </summary>
|
|
Chris PeBenito |
605ba2 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
605ba2 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
605ba2 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
605ba2 |
#
|
|
Chris PeBenito |
605ba2 |
interface(`domain_read_confined_domains_state',`
|
|
Chris PeBenito |
605ba2 |
gen_require(`
|
|
Chris PeBenito |
955019 |
attribute domain, unconfined_domain_type;
|
|
Chris PeBenito |
605ba2 |
')
|
|
Chris PeBenito |
605ba2 |
|
|
Chris PeBenito |
605ba2 |
kernel_search_proc($1)
|
|
Chris PeBenito |
c0868a |
allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
|
|
Chris PeBenito |
0bfccd |
read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
|
|
Chris PeBenito |
0bfccd |
read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
|
|
Chris PeBenito |
605ba2 |
|
|
Chris PeBenito |
c0868a |
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
|
|
Chris PeBenito |
0b36a2 |
dontaudit $1 unconfined_domain_type:file read_file_perms;
|
|
Chris PeBenito |
a65fd9 |
dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
ccc597 |
|
|
Chris PeBenito |
ccc597 |
########################################
|
|
Chris PeBenito |
ccc597 |
## <summary>
|
|
Chris PeBenito |
ccc597 |
## Get the attributes of all confined domains.
|
|
Chris PeBenito |
ccc597 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ccc597 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
ccc597 |
#
|
|
Chris PeBenito |
ccc597 |
interface(`domain_getattr_confined_domains',`
|
|
Chris PeBenito |
ccc597 |
gen_require(`
|
|
Chris PeBenito |
955019 |
attribute domain, unconfined_domain_type;
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
ccc597 |
|
|
Chris PeBenito |
955019 |
allow $1 { domain -unconfined_domain_type }:process getattr;
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
ccc597 |
|
|
Chris PeBenito |
ccc597 |
########################################
|
|
Chris PeBenito |
ccc597 |
## <summary>
|
|
Chris PeBenito |
1f91e1 |
## Ptrace all domains.
|
|
Chris PeBenito |
1f91e1 |
## </summary>
|
|
Chris PeBenito |
1f91e1 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
1f91e1 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
1f91e1 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
1f91e1 |
#
|
|
Chris PeBenito |
1f91e1 |
interface(`domain_ptrace_all_domains',`
|
|
Chris PeBenito |
1f91e1 |
gen_require(`
|
|
Chris PeBenito |
1f91e1 |
attribute domain;
|
|
Chris PeBenito |
1f91e1 |
')
|
|
Chris PeBenito |
1f91e1 |
|
|
Chris PeBenito |
1f91e1 |
allow $1 domain:process ptrace;
|
|
Chris PeBenito |
60caa3 |
allow domain $1:process sigchld;
|
|
Chris PeBenito |
1f91e1 |
')
|
|
Chris PeBenito |
1f91e1 |
|
|
Chris PeBenito |
1f91e1 |
########################################
|
|
Chris PeBenito |
1f91e1 |
## <summary>
|
|
Chris PeBenito |
ccc597 |
## Do not audit attempts to ptrace all domains.
|
|
Chris PeBenito |
ccc597 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## <desc>
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
## Do not audit attempts to ptrace all domains.
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
## Generally this needs to be suppressed because procps tries to access
|
|
Chris PeBenito |
ccc597 |
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
Chris PeBenito |
ccc597 |
## (2.4 and 2.6).
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
## </desc>
|
|
Chris PeBenito |
ccc597 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## </param>
|
|
Chris PeBenito |
ccc597 |
#
|
|
Chris PeBenito |
ccc597 |
interface(`domain_dontaudit_ptrace_all_domains',`
|
|
Chris PeBenito |
ccc597 |
gen_require(`
|
|
Chris PeBenito |
ccc597 |
attribute domain;
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
ccc597 |
|
|
Chris PeBenito |
ccc597 |
dontaudit $1 domain:process ptrace;
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
ccc597 |
|
|
Chris PeBenito |
ccc597 |
########################################
|
|
Chris PeBenito |
ccc597 |
## <summary>
|
|
Chris PeBenito |
ccc597 |
## Do not audit attempts to ptrace confined domains.
|
|
Chris PeBenito |
ccc597 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## <desc>
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
## Do not audit attempts to ptrace confined domains.
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
## Generally this needs to be suppressed because procps tries to access
|
|
Chris PeBenito |
ccc597 |
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
Chris PeBenito |
ccc597 |
## (2.4 and 2.6).
|
|
Chris PeBenito |
ccc597 |
##
|
|
Chris PeBenito |
ccc597 |
## </desc>
|
|
Chris PeBenito |
ccc597 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ccc597 |
## </param>
|
|
Chris PeBenito |
ccc597 |
#
|
|
Chris PeBenito |
ccc597 |
interface(`domain_dontaudit_ptrace_confined_domains',`
|
|
Chris PeBenito |
ccc597 |
gen_require(`
|
|
Chris PeBenito |
955019 |
attribute domain, unconfined_domain_type;
|
|
Chris PeBenito |
ccc597 |
')
|
|
Chris PeBenito |
605ba2 |
|
|
Chris PeBenito |
955019 |
dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
|
|
Chris PeBenito |
605ba2 |
')
|
|
Chris PeBenito |
605ba2 |
|
|
Chris PeBenito |
605ba2 |
########################################
|
|
Chris PeBenito |
605ba2 |
## <summary>
|
|
Chris PeBenito |
2ec4c9 |
## Do not audit attempts to read the process
|
|
Chris PeBenito |
2ec4c9 |
## state (/proc/pid) of all domains.
|
|
Chris PeBenito |
2ec4c9 |
## </summary>
|
|
Chris PeBenito |
2ec4c9 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2ec4c9 |
## </param>
|
|
Chris PeBenito |
2ec4c9 |
#
|
|
Chris PeBenito |
2ec4c9 |
interface(`domain_dontaudit_read_all_domains_state',`
|
|
Chris PeBenito |
2ec4c9 |
gen_require(`
|
|
Chris PeBenito |
2ec4c9 |
attribute domain;
|
|
Chris PeBenito |
2ec4c9 |
')
|
|
Chris PeBenito |
2ec4c9 |
|
|
Chris PeBenito |
c0868a |
dontaudit $1 domain:dir list_dir_perms;
|
|
Chris PeBenito |
0b36a2 |
dontaudit $1 domain:lnk_file read_lnk_file_perms;
|
|
Chris PeBenito |
c0868a |
dontaudit $1 domain:file read_file_perms;
|
|
Chris PeBenito |
ac9aa2 |
|
|
Chris PeBenito |
ac9aa2 |
# cjp: these should be removed:
|
|
Chris PeBenito |
0b36a2 |
dontaudit $1 domain:sock_file read_sock_file_perms;
|
|
Chris PeBenito |
0b36a2 |
dontaudit $1 domain:fifo_file read_fifo_file_perms;
|
|
Chris PeBenito |
2ec4c9 |
')
|
|
Chris PeBenito |
2ec4c9 |
|
|
Chris PeBenito |
2ec4c9 |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Do not audit attempts to read the process state
|
|
Chris PeBenito |
414e41 |
## directories of all domains.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
d490eb |
#
|
|
Chris PeBenito |
1815ba |
interface(`domain_dontaudit_list_all_domains_state',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
c0868a |
dontaudit $1 domain:dir list_dir_perms;
|
|
Chris PeBenito |
d490eb |
')
|
|
Chris PeBenito |
d490eb |
|
|
Chris PeBenito |
d490eb |
########################################
|
|
Chris PeBenito |
2ec4c9 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the session ID of all domains.
|
|
Chris PeBenito |
2ec4c9 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
d490eb |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_getsession_all_domains',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 domain:process getsession;
|
|
Chris PeBenito |
d490eb |
')
|
|
Chris PeBenito |
d490eb |
|
|
Chris PeBenito |
960373 |
########################################
|
|
Chris PeBenito |
157c69 |
## <summary>
|
|
Chris PeBenito |
2ec4c9 |
## Do not audit attempts to get the
|
|
Chris PeBenito |
2ec4c9 |
## session ID of all domains.
|
|
Chris PeBenito |
2ec4c9 |
## </summary>
|
|
Chris PeBenito |
2ec4c9 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2ec4c9 |
## </param>
|
|
Chris PeBenito |
2ec4c9 |
#
|
|
Chris PeBenito |
2ec4c9 |
interface(`domain_dontaudit_getsession_all_domains',`
|
|
Chris PeBenito |
2ec4c9 |
gen_require(`
|
|
Chris PeBenito |
2ec4c9 |
attribute domain;
|
|
Chris PeBenito |
2ec4c9 |
')
|
|
Chris PeBenito |
2ec4c9 |
|
|
Chris PeBenito |
9d3bdc |
dontaudit $1 domain:process getsession;
|
|
Chris PeBenito |
2ec4c9 |
')
|
|
Chris PeBenito |
2ec4c9 |
|
|
Chris PeBenito |
2ec4c9 |
########################################
|
|
Chris PeBenito |
2ec4c9 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Get the process group ID of all domains.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## <param name="domain">
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Domain allowed access.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## </param>
|
|
Chris PeBenito |
1f6d97 |
#
|
|
Chris PeBenito |
1f6d97 |
interface(`domain_getpgid_all_domains',`
|
|
Chris PeBenito |
1f6d97 |
gen_require(`
|
|
Chris PeBenito |
1f6d97 |
attribute domain;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
allow $1 domain:process getpgid;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
########################################
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Get the scheduler information of all domains.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## <param name="domain">
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Domain allowed access.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## </param>
|
|
Chris PeBenito |
1f6d97 |
#
|
|
Chris PeBenito |
1f6d97 |
interface(`domain_getsched_all_domains',`
|
|
Chris PeBenito |
1f6d97 |
gen_require(`
|
|
Chris PeBenito |
1f6d97 |
attribute domain;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
allow $1 domain:process getsched;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
########################################
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
2ec4c9 |
## Get the attributes of all domains
|
|
Chris PeBenito |
2ec4c9 |
## sockets, for all socket types.
|
|
Chris PeBenito |
2ec4c9 |
## </summary>
|
|
Chris PeBenito |
2ec4c9 |
## <desc>
|
|
Chris PeBenito |
2ec4c9 |
##
|
|
Chris PeBenito |
2ec4c9 |
## Get the attributes of all domains
|
|
Chris PeBenito |
2ec4c9 |
## sockets, for all socket types.
|
|
Chris PeBenito |
2ec4c9 |
##
|
|
Chris PeBenito |
2ec4c9 |
##
|
|
Chris PeBenito |
2ec4c9 |
## This is commonly used for domains
|
|
Chris PeBenito |
2ec4c9 |
## that can use lsof on all domains.
|
|
Chris PeBenito |
2ec4c9 |
##
|
|
Chris PeBenito |
2ec4c9 |
## </desc>
|
|
Chris PeBenito |
2ec4c9 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2ec4c9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2ec4c9 |
## </param>
|
|
Chris PeBenito |
2ec4c9 |
#
|
|
Chris PeBenito |
2ec4c9 |
interface(`domain_getattr_all_sockets',`
|
|
Chris PeBenito |
2ec4c9 |
gen_require(`
|
|
Chris PeBenito |
e52af2 |
attribute domain;
|
|
Chris PeBenito |
2ec4c9 |
')
|
|
Chris PeBenito |
2ec4c9 |
|
|
Chris PeBenito |
2ec4c9 |
allow $1 domain:socket_class_set getattr;
|
|
Chris PeBenito |
2ec4c9 |
')
|
|
Chris PeBenito |
2ec4c9 |
|
|
Chris PeBenito |
2ec4c9 |
########################################
|
|
Chris PeBenito |
2ec4c9 |
## <summary>
|
|
Chris PeBenito |
157c69 |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
157c69 |
## of all domains sockets, for all socket types.
|
|
Chris PeBenito |
157c69 |
## </summary>
|
|
Chris PeBenito |
157c69 |
## <desc>
|
|
Chris PeBenito |
157c69 |
##
|
|
Chris PeBenito |
157c69 |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
157c69 |
## of all domains sockets, for all socket types.
|
|
Chris PeBenito |
157c69 |
##
|
|
Chris PeBenito |
157c69 |
##
|
|
Chris PeBenito |
157c69 |
## This interface was added for PCMCIA cardmgr
|
|
Chris PeBenito |
157c69 |
## and is probably excessive.
|
|
Chris PeBenito |
157c69 |
##
|
|
Chris PeBenito |
157c69 |
## </desc>
|
|
Chris PeBenito |
157c69 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
157c69 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
157c69 |
## </param>
|
|
Chris PeBenito |
157c69 |
#
|
|
Chris PeBenito |
157c69 |
interface(`domain_dontaudit_getattr_all_sockets',`
|
|
Chris PeBenito |
157c69 |
gen_require(`
|
|
Chris PeBenito |
e52af2 |
attribute domain;
|
|
Chris PeBenito |
157c69 |
')
|
|
Chris PeBenito |
157c69 |
|
|
Chris PeBenito |
157c69 |
dontaudit $1 domain:socket_class_set getattr;
|
|
Chris PeBenito |
157c69 |
')
|
|
Chris PeBenito |
157c69 |
|
|
Chris PeBenito |
157c69 |
########################################
|
|
Chris PeBenito |
a5f339 |
## <summary>
|
|
Chris PeBenito |
a5f339 |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
a5f339 |
## of all domains TCP sockets.
|
|
Chris PeBenito |
a5f339 |
## </summary>
|
|
Chris PeBenito |
a5f339 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a5f339 |
## </param>
|
|
Chris PeBenito |
a5f339 |
#
|
|
Chris PeBenito |
a5f339 |
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
|
|
Chris PeBenito |
a5f339 |
gen_require(`
|
|
Chris PeBenito |
a5f339 |
attribute domain;
|
|
Chris PeBenito |
a5f339 |
')
|
|
Chris PeBenito |
a5f339 |
|
|
Chris PeBenito |
a5f339 |
dontaudit $1 domain:tcp_socket getattr;
|
|
Chris PeBenito |
a5f339 |
')
|
|
Chris PeBenito |
a5f339 |
|
|
Chris PeBenito |
a5f339 |
########################################
|
|
Chris PeBenito |
a5f339 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
414e41 |
## of all domains UDP sockets.
|
|
Chris PeBenito |
a5f339 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
f5c42b |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_dontaudit_getattr_all_udp_sockets',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
dontaudit $1 domain:udp_socket getattr;
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
########################################
|
|
Chris PeBenito |
a5f339 |
## <summary>
|
|
Chris PeBenito |
a5f339 |
## Do not audit attempts to read or write
|
|
Chris PeBenito |
a5f339 |
## all domains UDP sockets.
|
|
Chris PeBenito |
a5f339 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
f5c42b |
#
|
|
Chris PeBenito |
a5f339 |
interface(`domain_dontaudit_rw_all_udp_sockets',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
a5f339 |
dontaudit $1 domain:udp_socket { read write };
|
|
Chris PeBenito |
a5f339 |
')
|
|
Chris PeBenito |
a5f339 |
|
|
Chris PeBenito |
a5f339 |
########################################
|
|
Chris PeBenito |
a5f339 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Do not audit attempts to get attribues of
|
|
Chris PeBenito |
4483ee |
## all domains IPSEC key management sockets.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`domain_dontaudit_getattr_all_key_sockets',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute domain;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
dontaudit $1 domain:key_socket getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
09741b |
|
|
Chris PeBenito |
09741b |
########################################
|
|
Chris PeBenito |
09741b |
## <summary>
|
|
Chris PeBenito |
09741b |
## Do not audit attempts to get attribues of
|
|
Chris PeBenito |
09741b |
## all domains packet sockets.
|
|
Chris PeBenito |
09741b |
## </summary>
|
|
Chris PeBenito |
09741b |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
09741b |
## </param>
|
|
Chris PeBenito |
09741b |
#
|
|
Chris PeBenito |
09741b |
interface(`domain_dontaudit_getattr_all_packet_sockets',`
|
|
Chris PeBenito |
09741b |
gen_require(`
|
|
Chris PeBenito |
09741b |
attribute domain;
|
|
Chris PeBenito |
09741b |
')
|
|
Chris PeBenito |
09741b |
|
|
Chris PeBenito |
09741b |
dontaudit $1 domain:packet_socket getattr;
|
|
Chris PeBenito |
09741b |
')
|
|
Chris PeBenito |
09741b |
|
|
Chris PeBenito |
09741b |
########################################
|
|
Chris PeBenito |
09741b |
## <summary>
|
|
Chris PeBenito |
09741b |
## Do not audit attempts to get attribues of
|
|
Chris PeBenito |
09741b |
## all domains raw sockets.
|
|
Chris PeBenito |
09741b |
## </summary>
|
|
Chris PeBenito |
09741b |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
09741b |
## </param>
|
|
Chris PeBenito |
09741b |
#
|
|
Chris PeBenito |
09741b |
interface(`domain_dontaudit_getattr_all_raw_sockets',`
|
|
Chris PeBenito |
09741b |
gen_require(`
|
|
Chris PeBenito |
09741b |
attribute domain;
|
|
Chris PeBenito |
09741b |
')
|
|
Chris PeBenito |
09741b |
|
|
Chris PeBenito |
09741b |
dontaudit $1 domain:rawip_socket getattr;
|
|
Chris PeBenito |
09741b |
')
|
|
Chris PeBenito |
09741b |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
a5f339 |
## Do not audit attempts to read or write
|
|
Chris PeBenito |
a5f339 |
## all domains key sockets.
|
|
Chris PeBenito |
a5f339 |
## </summary>
|
|
Chris PeBenito |
a5f339 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a5f339 |
## </param>
|
|
Chris PeBenito |
a5f339 |
#
|
|
Chris PeBenito |
a5f339 |
interface(`domain_dontaudit_rw_all_key_sockets',`
|
|
Chris PeBenito |
a5f339 |
gen_require(`
|
|
Chris PeBenito |
a5f339 |
attribute domain;
|
|
Chris PeBenito |
a5f339 |
')
|
|
Chris PeBenito |
a5f339 |
|
|
Chris PeBenito |
a5f339 |
dontaudit $1 domain:key_socket { read write };
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
414e41 |
## of all domains unix datagram sockets.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
f5c42b |
#
|
|
Chris PeBenito |
09741b |
interface(`domain_dontaudit_getattr_all_dgram_sockets',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
dontaudit $1 domain:unix_dgram_socket getattr;
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
########################################
|
|
Chris PeBenito |
f7ebea |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Get the attributes
|
|
Chris PeBenito |
1f6d97 |
## of all domains unix datagram sockets.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## <param name="domain">
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Domain allowed access.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## </param>
|
|
Chris PeBenito |
1f6d97 |
#
|
|
Chris PeBenito |
1f6d97 |
interface(`domain_getattr_all_stream_sockets',`
|
|
Chris PeBenito |
1f6d97 |
gen_require(`
|
|
Chris PeBenito |
1f6d97 |
attribute domain;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
allow $1 domain:unix_stream_socket getattr;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
########################################
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
09741b |
## of all domains unix datagram sockets.
|
|
Chris PeBenito |
09741b |
## </summary>
|
|
Chris PeBenito |
09741b |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
09741b |
## </param>
|
|
Chris PeBenito |
09741b |
#
|
|
Chris PeBenito |
09741b |
interface(`domain_dontaudit_getattr_all_stream_sockets',`
|
|
Chris PeBenito |
09741b |
gen_require(`
|
|
Chris PeBenito |
09741b |
attribute domain;
|
|
Chris PeBenito |
09741b |
')
|
|
Chris PeBenito |
09741b |
|
|
Chris PeBenito |
09741b |
dontaudit $1 domain:unix_stream_socket getattr;
|
|
Chris PeBenito |
09741b |
')
|
|
Chris PeBenito |
09741b |
|
|
Chris PeBenito |
09741b |
########################################
|
|
Chris PeBenito |
09741b |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Get the attributes of all domains
|
|
Chris PeBenito |
1f6d97 |
## unnamed pipes.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## <desc>
|
|
Chris PeBenito |
1f6d97 |
##
|
|
Chris PeBenito |
1f6d97 |
## Get the attributes of all domains
|
|
Chris PeBenito |
1f6d97 |
## unnamed pipes.
|
|
Chris PeBenito |
1f6d97 |
##
|
|
Chris PeBenito |
1f6d97 |
##
|
|
Chris PeBenito |
1f6d97 |
## This is commonly used for domains
|
|
Chris PeBenito |
1f6d97 |
## that can use lsof on all domains.
|
|
Chris PeBenito |
1f6d97 |
##
|
|
Chris PeBenito |
1f6d97 |
## </desc>
|
|
Chris PeBenito |
1f6d97 |
## <param name="domain">
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Domain allowed access.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## </param>
|
|
Chris PeBenito |
1f6d97 |
#
|
|
Chris PeBenito |
1f6d97 |
interface(`domain_getattr_all_pipes',`
|
|
Chris PeBenito |
1f6d97 |
gen_require(`
|
|
Chris PeBenito |
1f6d97 |
attribute domain;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
allow $1 domain:fifo_file getattr;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
########################################
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
09741b |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
414e41 |
## of all domains unnamed pipes.
|
|
Chris PeBenito |
f7ebea |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
f5c42b |
#
|
|
Chris PeBenito |
09741b |
interface(`domain_dontaudit_getattr_all_pipes',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute domain;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
dontaudit $1 domain:fifo_file getattr;
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
########################################
|
|
Chris PeBenito |
e78430 |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Allow specified type to set context of all
|
|
Chris PeBenito |
6b19be |
## domains IPSEC associations.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## <param name="type">
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain allowed access.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## </param>
|
|
Chris PeBenito |
6b19be |
#
|
|
Chris PeBenito |
6b19be |
interface(`domain_ipsec_setcontext_all_domains',`
|
|
Chris PeBenito |
6b19be |
gen_require(`
|
|
Chris PeBenito |
6b19be |
attribute domain;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
allow $1 domain:association setcontext;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
########################################
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
e78430 |
## Get the attributes of entry point
|
|
Chris PeBenito |
e78430 |
## files for all domains.
|
|
Chris PeBenito |
e78430 |
## </summary>
|
|
Chris PeBenito |
e78430 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
e78430 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
e78430 |
## </param>
|
|
Chris PeBenito |
960373 |
#
|
|
Chris PeBenito |
e78430 |
interface(`domain_getattr_all_entry_files',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute entry_type;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
c0868a |
allow $1 entry_type:lnk_file read_lnk_file_perms;
|
|
Chris PeBenito |
c0868a |
allow $1 entry_type:file getattr;
|
|
Chris PeBenito |
960373 |
')
|
|
Chris PeBenito |
f1470e |
|
|
Chris PeBenito |
f1470e |
########################################
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Read the entry point files for all domains.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## <param name="domain">
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## </param>
|
|
Chris PeBenito |
f1470e |
#
|
|
Chris PeBenito |
199895 |
interface(`domain_read_all_entry_files',`
|
|
Chris PeBenito |
77c124 |
gen_require(`
|
|
Chris PeBenito |
77c124 |
attribute entry_type;
|
|
Chris PeBenito |
77c124 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
c0868a |
allow $1 entry_type:lnk_file read_lnk_file_perms;
|
|
Chris PeBenito |
c0868a |
allow $1 entry_type:file read_file_perms;
|
|
Chris PeBenito |
f1470e |
')
|
|
Chris PeBenito |
f1470e |
|
|
Chris PeBenito |
9726b3 |
########################################
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Execute the entry point files for all
|
|
Chris PeBenito |
ac9db9 |
## domains in the caller domain.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## <param name="domain">
|
|
Chris PeBenito |
ac9db9 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
ac9db9 |
## </summary>
|
|
Chris PeBenito |
ac9db9 |
## </param>
|
|
Chris PeBenito |
bbcd3c |
## <rolecap/>
|
|
Chris PeBenito |
e78430 |
#
|
|
Chris PeBenito |
e78430 |
interface(`domain_exec_all_entry_files',`
|
|
Chris PeBenito |
e78430 |
gen_require(`
|
|
Chris PeBenito |
e78430 |
attribute entry_type;
|
|
Chris PeBenito |
e78430 |
')
|
|
Chris PeBenito |
e78430 |
|
|
Chris PeBenito |
0bfccd |
can_exec($1, entry_type)
|
|
Chris PeBenito |
e78430 |
')
|
|
Chris PeBenito |
e78430 |
|
|
Chris PeBenito |
e78430 |
########################################
|
|
Chris PeBenito |
9726b3 |
## <summary>
|
|
Chris PeBenito |
6b19be |
## dontaudit checking for execute on all entry point files
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## <param name="domain">
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Domain to not audit.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## </param>
|
|
Chris PeBenito |
6b19be |
#
|
|
Chris PeBenito |
6b19be |
interface(`domain_dontaudit_exec_all_entry_files',`
|
|
Chris PeBenito |
6b19be |
gen_require(`
|
|
Chris PeBenito |
6b19be |
attribute entry_type;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
dontaudit $1 entry_type:file exec_file_perms;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
########################################
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
2c2435 |
## Create, read, write, and delete all
|
|
Chris PeBenito |
2c2435 |
## entrypoint files.
|
|
Chris PeBenito |
2c2435 |
## </summary>
|
|
Chris PeBenito |
2c2435 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2c2435 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2c2435 |
## </param>
|
|
Chris PeBenito |
2c2435 |
#
|
|
Chris PeBenito |
2c2435 |
# cjp: added for prelink
|
|
Chris PeBenito |
2c2435 |
interface(`domain_manage_all_entry_files',`
|
|
Chris PeBenito |
2c2435 |
gen_require(`
|
|
Chris PeBenito |
2c2435 |
attribute entry_type;
|
|
Chris PeBenito |
2c2435 |
')
|
|
Chris PeBenito |
2c2435 |
|
|
Chris PeBenito |
2c2435 |
allow $1 entry_type:file manage_file_perms;
|
|
Chris PeBenito |
2c2435 |
')
|
|
Chris PeBenito |
2c2435 |
|
|
Chris PeBenito |
2c2435 |
########################################
|
|
Chris PeBenito |
2c2435 |
## <summary>
|
|
Chris PeBenito |
2c2435 |
## Relabel to and from all entry point
|
|
Chris PeBenito |
2c2435 |
## file types.
|
|
Chris PeBenito |
2c2435 |
## </summary>
|
|
Chris PeBenito |
2c2435 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2c2435 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2c2435 |
## </param>
|
|
Chris PeBenito |
2c2435 |
#
|
|
Chris PeBenito |
2c2435 |
# cjp: added for prelink
|
|
Chris PeBenito |
2c2435 |
interface(`domain_relabel_all_entry_files',`
|
|
Chris PeBenito |
2c2435 |
gen_require(`
|
|
Chris PeBenito |
2c2435 |
attribute entry_type;
|
|
Chris PeBenito |
2c2435 |
')
|
|
Chris PeBenito |
2c2435 |
|
|
Chris PeBenito |
c0868a |
allow $1 entry_type:file relabel_file_perms;
|
|
Chris PeBenito |
2c2435 |
')
|
|
Chris PeBenito |
2c2435 |
|
|
Chris PeBenito |
2c2435 |
########################################
|
|
Chris PeBenito |
2c2435 |
## <summary>
|
|
Chris PeBenito |
2c2435 |
## Mmap all entry point files as executable.
|
|
Chris PeBenito |
2c2435 |
## </summary>
|
|
Chris PeBenito |
2c2435 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
2c2435 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2c2435 |
## </param>
|
|
Chris PeBenito |
2c2435 |
#
|
|
Chris PeBenito |
2c2435 |
# cjp: added for prelink
|
|
Chris PeBenito |
2c2435 |
interface(`domain_mmap_all_entry_files',`
|
|
Chris PeBenito |
2c2435 |
gen_require(`
|
|
Chris PeBenito |
2c2435 |
attribute entry_type;
|
|
Chris PeBenito |
2c2435 |
')
|
|
Chris PeBenito |
2c2435 |
|
|
Chris PeBenito |
c0868a |
allow $1 entry_type:file mmap_file_perms;
|
|
Chris PeBenito |
2c2435 |
')
|
|
Chris PeBenito |
2c2435 |
|
|
Chris PeBenito |
2c2435 |
########################################
|
|
Chris PeBenito |
2c2435 |
## <summary>
|
|
Chris PeBenito |
fb63d0 |
## Execute an entry_type in the specified domain.
|
|
Chris PeBenito |
7c2f5a |
## </summary>
|
|
Chris PeBenito |
7c2f5a |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain allowed to transition.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
7c2f5a |
## </param>
|
|
Chris PeBenito |
8f3a0a |
## <param name="target_domain">
|
|
Chris PeBenito |
8f3a0a |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## The type of the new process.
|
|
Chris PeBenito |
8f3a0a |
## </summary>
|
|
Chris PeBenito |
8f3a0a |
## </param>
|
|
Chris PeBenito |
7c2f5a |
#
|
|
Chris PeBenito |
7c2f5a |
# cjp: added for userhelper
|
|
Chris PeBenito |
1815ba |
interface(`domain_entry_file_spec_domtrans',`
|
|
Chris PeBenito |
7c2f5a |
gen_require(`
|
|
Chris PeBenito |
7c2f5a |
attribute entry_type;
|
|
Chris PeBenito |
7c2f5a |
')
|
|
Chris PeBenito |
7c2f5a |
|
|
Chris PeBenito |
0bfccd |
domain_transition_pattern($1, entry_type, $2)
|
|
Chris PeBenito |
7c2f5a |
')
|
|
Chris PeBenito |
7c2f5a |
|
|
Chris PeBenito |
7c2f5a |
########################################
|
|
Chris PeBenito |
7c2f5a |
## <summary>
|
|
Dominick Grift |
623e4f |
## Ability to mmap a low area of the address
|
|
Dominick Grift |
623e4f |
## space conditionally, as configured by
|
|
Dominick Grift |
623e4f |
## /proc/sys/kernel/mmap_min_addr.
|
|
Chris PeBenito |
ff8f0a |
## Preventing such mappings helps protect against
|
|
Chris PeBenito |
ff8f0a |
## exploiting null deref bugs in the kernel.
|
|
Chris PeBenito |
41337a |
## </summary>
|
|
Chris PeBenito |
41337a |
## <param name="domain">
|
|
Dominick Grift |
623e4f |
## <summary>
|
|
Dominick Grift |
705f70 |
## Domain allowed access.
|
|
Dominick Grift |
623e4f |
## </summary>
|
|
Chris PeBenito |
41337a |
## </param>
|
|
Chris PeBenito |
41337a |
#
|
|
Chris PeBenito |
41337a |
interface(`domain_mmap_low',`
|
|
Chris PeBenito |
41337a |
gen_require(`
|
|
Chris PeBenito |
41337a |
attribute mmap_low_domain_type;
|
|
Dominick Grift |
623e4f |
bool mmap_low_allowed;
|
|
Chris PeBenito |
41337a |
')
|
|
Chris PeBenito |
41337a |
|
|
Dominick Grift |
623e4f |
typeattribute $1 mmap_low_domain_type;
|
|
Dominick Grift |
623e4f |
|
|
Dominick Grift |
623e4f |
if ( mmap_low_allowed ) {
|
|
Dominick Grift |
623e4f |
allow $1 self:memprotect mmap_zero;
|
|
Dominick Grift |
623e4f |
}
|
|
Dominick Grift |
623e4f |
')
|
|
Dominick Grift |
623e4f |
|
|
Dominick Grift |
623e4f |
########################################
|
|
Dominick Grift |
623e4f |
## <summary>
|
|
Dominick Grift |
623e4f |
## Ability to mmap a low area of the address
|
|
Dominick Grift |
623e4f |
## space unconditionally, as configured
|
|
Dominick Grift |
623e4f |
## by /proc/sys/kernel/mmap_min_addr.
|
|
Dominick Grift |
623e4f |
## Preventing such mappings helps protect against
|
|
Dominick Grift |
623e4f |
## exploiting null deref bugs in the kernel.
|
|
Dominick Grift |
623e4f |
## </summary>
|
|
Dominick Grift |
623e4f |
## <param name="domain">
|
|
Dominick Grift |
623e4f |
## <summary>
|
|
Dominick Grift |
623e4f |
## Domain allowed access.
|
|
Dominick Grift |
623e4f |
## </summary>
|
|
Chris PeBenito |
41337a |
## </param>
|
|
Chris PeBenito |
41337a |
#
|
|
Dominick Grift |
623e4f |
interface(`domain_mmap_low_uncond',`
|
|
Chris PeBenito |
41337a |
gen_require(`
|
|
Chris PeBenito |
41337a |
attribute mmap_low_domain_type;
|
|
Chris PeBenito |
41337a |
')
|
|
Chris PeBenito |
41337a |
|
|
Chris PeBenito |
41337a |
typeattribute $1 mmap_low_domain_type;
|
|
Dominick Grift |
623e4f |
|
|
Dominick Grift |
623e4f |
allow $1 self:memprotect mmap_zero;
|
|
Chris PeBenito |
41337a |
')
|
|
Chris PeBenito |
495df4 |
|
|
Chris PeBenito |
495df4 |
########################################
|
|
Chris PeBenito |
495df4 |
## <summary>
|
|
Chris PeBenito |
a56055 |
## Allow specified type to receive labeled
|
|
Chris PeBenito |
a56055 |
## networking packets from all domains, over
|
|
Chris PeBenito |
a56055 |
## all protocols (TCP, UDP, etc)
|
|
Chris PeBenito |
495df4 |
## </summary>
|
|
Chris PeBenito |
495df4 |
## <param name="type">
|
|
Chris PeBenito |
495df4 |
## <summary>
|
|
Chris PeBenito |
a56055 |
## Domain allowed access.
|
|
Chris PeBenito |
495df4 |
## </summary>
|
|
Chris PeBenito |
495df4 |
## </param>
|
|
Chris PeBenito |
495df4 |
#
|
|
Chris PeBenito |
a56055 |
interface(`domain_all_recvfrom_all_domains',`
|
|
Chris PeBenito |
495df4 |
gen_require(`
|
|
Chris PeBenito |
495df4 |
attribute domain;
|
|
Chris PeBenito |
495df4 |
')
|
|
Chris PeBenito |
a56055 |
|
|
Chris PeBenito |
0bfccd |
corenet_all_recvfrom_labeled($1, domain)
|
|
Chris PeBenito |
a56055 |
')
|
|
Chris PeBenito |
a56055 |
|
|
Chris PeBenito |
a56055 |
########################################
|
|
Chris PeBenito |
a56055 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Send generic signals to the unconfined domain.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## <param name="domain">
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
1f6d97 |
## Domain allowed access.
|
|
Chris PeBenito |
1f6d97 |
## </summary>
|
|
Chris PeBenito |
1f6d97 |
## </param>
|
|
Chris PeBenito |
1f6d97 |
#
|
|
Chris PeBenito |
1f6d97 |
interface(`domain_unconfined_signal',`
|
|
Chris PeBenito |
1f6d97 |
gen_require(`
|
|
Chris PeBenito |
1f6d97 |
attribute unconfined_domain_type;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
allow $1 unconfined_domain_type:process signal;
|
|
Chris PeBenito |
1f6d97 |
')
|
|
Chris PeBenito |
1f6d97 |
|
|
Chris PeBenito |
1f6d97 |
########################################
|
|
Chris PeBenito |
1f6d97 |
## <summary>
|
|
Chris PeBenito |
a56055 |
## Unconfined access to domains.
|
|
Chris PeBenito |
a56055 |
## </summary>
|
|
Chris PeBenito |
a56055 |
## <param name="domain">
|
|
Chris PeBenito |
a56055 |
## <summary>
|
|
Chris PeBenito |
a56055 |
## Domain allowed access.
|
|
Chris PeBenito |
a56055 |
## </summary>
|
|
Chris PeBenito |
a56055 |
## </param>
|
|
Chris PeBenito |
a56055 |
#
|
|
Chris PeBenito |
a56055 |
interface(`domain_unconfined',`
|
|
Chris PeBenito |
a56055 |
gen_require(`
|
|
Chris PeBenito |
a56055 |
attribute set_curr_context;
|
|
Chris PeBenito |
a56055 |
attribute can_change_object_identity;
|
|
Chris PeBenito |
a56055 |
attribute unconfined_domain_type;
|
|
Chris PeBenito |
a56055 |
attribute process_uncond_exempt;
|
|
Chris PeBenito |
a56055 |
')
|
|
Chris PeBenito |
a56055 |
|
|
Chris PeBenito |
a56055 |
typeattribute $1 unconfined_domain_type;
|
|
Chris PeBenito |
a56055 |
|
|
Chris PeBenito |
a56055 |
# pass constraints
|
|
Chris PeBenito |
a56055 |
typeattribute $1 can_change_object_identity;
|
|
Chris PeBenito |
a56055 |
typeattribute $1 set_curr_context;
|
|
Chris PeBenito |
a56055 |
typeattribute $1 process_uncond_exempt;
|
|
Chris PeBenito |
495df4 |
')
|
|
Dan Walsh |
3eaa99 |
|
|
Dan Walsh |
3eaa99 |
########################################
|
|
Dan Walsh |
3eaa99 |
## <summary>
|
|
Dan Walsh |
3eaa99 |
## Do not audit attempts to read or write
|
|
Dan Walsh |
3eaa99 |
## all leaked sockets.
|
|
Dan Walsh |
3eaa99 |
## </summary>
|
|
Dan Walsh |
3eaa99 |
## <param name="domain">
|
|
Dan Walsh |
3eaa99 |
## <summary>
|
|
Dan Walsh |
3eaa99 |
## Domain allowed access.
|
|
Dan Walsh |
3eaa99 |
## </summary>
|
|
Dan Walsh |
3eaa99 |
## </param>
|
|
Dan Walsh |
3eaa99 |
#
|
|
Dan Walsh |
3eaa99 |
interface(`domain_dontaudit_leaks',`
|
|
Dan Walsh |
3eaa99 |
gen_require(`
|
|
Dan Walsh |
3eaa99 |
attribute domain;
|
|
Dan Walsh |
3eaa99 |
')
|
|
Dan Walsh |
3eaa99 |
|
|
Dan Walsh |
3eaa99 |
dontaudit $1 domain:socket_class_set { read write };
|
|
Dan Walsh |
3eaa99 |
')
|