policy_module(domain, 1.8.1)
########################################
#
# Declarations
#
## <desc>
##
## Allow all domains to use other domains' file descriptors
##
## </desc>
#
gen_tunable(allow_domain_fd_use, true)
## <desc>
##
## Allow all domains to have the kernel load modules
##
## </desc>
#
gen_tunable(domain_kernel_load_modules, false)
## <desc>
##
## Control the ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
##
## </desc>
gen_tunable(mmap_low_allowed, false)
# Mark process types as domains
attribute domain;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# Domains that are unconfined
attribute unconfined_domain_type;
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
#
# constraint related attributes
#
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
attribute can_system_change;
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one
# No process-class permission may be granted from a domain (or unlabeled_t)
# onto any type that is not itself a domain (or unlabeled_t).
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
# Only domain types (or unlabeled_t) may hold any process-class permission
# at all, regardless of target.
neverallow ~{ domain unlabeled_t } *:process *;
########################################
#
# Rules applied to all domains
#
# read /proc/(pid|self) entries
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
kernel_dontaudit_search_debugfs(domain)
# create child processes in the domain
allow domain self:process { fork getsched sigchld };
# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
# All executables should be able to search the directory they are in
corecmd_search_bin(domain)
tunable_policy(`domain_kernel_load_modules',`
kernel_request_load_module(domain)
')
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection.
dev_read_urand(domain)
')
optional_policy(`
afs_rw_cache(domain)
')
optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
libs_read_lib_files(domain)
')
optional_policy(`
setrans_translate_context(domain)
')
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
xserver_dontaudit_append_xdm_home_files(domain)
xserver_dontaudit_write_log(domain)
')
########################################
#
# Unconfined access to this module
#
# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains' keys
allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
selinux_getattr_fs(domain)
selinux_search_fs(domain)
selinux_dontaudit_read_fs(domain)
seutil_dontaudit_read_config(domain)
init_sigchld(domain)
init_signull(domain)
ifdef(`distro_redhat',`
files_search_mnt(domain)
optional_policy(`
unconfined_use_fds(domain)
')
')
# these seem questionable:
optional_policy(`
abrt_domtrans_helper(domain)
abrt_read_pid_files(domain)
abrt_read_state(domain)
abrt_signull(domain)
abrt_stream_connect(domain)
')
optional_policy(`
rpm_use_fds(domain)
rpm_read_pipes(domain)
rpm_search_log(domain)
rpm_append_tmp_files(domain)
rpm_dontaudit_leaks(domain)
rpm_read_script_tmp_files(domain)
rpm_inherited_fifo(domain)
')
optional_policy(`
sosreport_append_tmp_files(domain)
')
tunable_policy(`allow_domain_fd_use',`
# Allow all domains to use fds passed to them
allow domain domain:fd use;
')
optional_policy(`
cron_dontaudit_write_system_job_tmp_files(domain)
cron_rw_pipes(domain)
cron_rw_system_job_pipes(domain)
')
ifdef(`hide_broken_symptoms',`
dontaudit domain self:udp_socket listen;
# NOTE(review): under hide_broken_symptoms this grants every domain link/search
# on every other domain's keys — broader than the kernel_dontaudit_*_key()
# defaults earlier in this module; confirm an allow (rather than a dontaudit)
# is still required here.
allow domain domain:key { link search };
')
optional_policy(`
hal_dontaudit_read_pid_files(domain)
')
optional_policy(`
ifdef(`hide_broken_symptoms',`
afs_rw_udp_sockets(domain)
')
')
optional_policy(`
ssh_rw_pipes(domain)
')
optional_policy(`
unconfined_dontaudit_rw_pipes(domain)
unconfined_sigchld(domain)
')
# broken kernel
dontaudit can_change_object_identity can_change_object_identity:key link;