policy_module(domain,1.5.0)

########################################

#

# Declarations

#

# Mark process types as domains

attribute domain;

# Transitions only allowed from domains to other domains

neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined

attribute unconfined_domain_type;

# Domains that can mmap low memory.

attribute mmap_low_domain_type;

neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context

# (perform dynamic transitions)

attribute set_curr_context;

# enabling setcurrent breaks process tranquility.  If you do not

# know what this means or do not understand the implications of a

# dynamic transition, you should not be using it!!!

neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables

attribute entry_type;

# widely-inheritable file descriptors

attribute privfd;

#

# constraint related attributes

#

# [1] types that can change SELinux identity on transition

attribute can_change_process_identity;

# [2] types that can change SELinux role on transition

attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem

# object or a socket object on a create or relabel

attribute can_change_object_identity;

# [3] types that can change to system_u:system_r

attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux

# identity only if the target domain has this attribute.

# Types that have attribute 2 can change the SELinux role

# only if the target domain has this attribute.

attribute process_user_target;

# For cron jobs

# [5] types used for cron daemons

attribute cron_source_domain;

# [6] types used for cron jobs

attribute cron_job_domain;

# [7] types that are unconditionally exempt from

# SELinux identity and role change constraints

attribute process_uncond_exempt;	# add userhelperdomain to this one

neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;

neverallow ~{ domain unlabeled_t } *:process *;

########################################

#

# Rules applied to all domains

#

# read /proc/(pid|self) entries

allow domain self:dir list_dir_perms;

allow domain self:lnk_file { read_lnk_file_perms lock ioctl };

allow domain self:file rw_file_perms;

kernel_read_proc_symlinks(domain)

# Every domain gets the key ring, so we should default

# to no one allowed to look at it; afs kernel support creates

# a keyring

kernel_dontaudit_search_key(domain)

kernel_dontaudit_link_key(domain)

# create child processes in the domain

allow domain self:process { fork sigchld };

# Use trusted objects in /dev

dev_rw_null(domain)

dev_rw_zero(domain)

term_use_controlling_term(domain)

# list the root directory

files_list_root(domain)

tunable_policy(`global_ssp',`

	# enable reading of urandom for all domains:

	# this should be enabled when all programs

	# are compiled with ProPolice/SSP

	# stack smashing protection.

	dev_read_urand(domain)

')

optional_policy(`

	setrans_translate_context(domain)

')

# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.

optional_policy(`

	xserver_dontaudit_use_xdm_fds(domain)

	xserver_dontaudit_rw_xdm_pipes(domain)

')

########################################

#

# Unconfined access to this module

#

# unconfined access also allows constraints, but this

# is handled in the interface as typeattribute cannot

# be used on an attribute.

# Use/sendto/connectto sockets created by any domain.

allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.

allow unconfined_domain_type domain:fd use;

allow unconfined_domain_type domain:fifo_file rw_file_perms;

# Act upon any other process.

allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };

# Create/access any System V IPC objects.

allow unconfined_domain_type domain:{ sem msgq shm } *;

allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid

allow unconfined_domain_type domain:dir list_dir_perms;

allow unconfined_domain_type domain:file read_file_perms;

allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

# act on all domains keys

allow unconfined_domain_type domain:key *;

# receive from all domains over labeled networking

domain_all_recvfrom_all_domains(unconfined_domain_type)