Chris PeBenito 785ee7
policy_module(domain, 1.8.1)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# Declarations
Chris PeBenito 17de1b
#
Dan Walsh 3eaa99
## <desc>
Dan Walsh 3eaa99
## 

Dan Walsh 3eaa99
## Allow all domains to use other domains file descriptors
Dan Walsh 3eaa99
## 

Dan Walsh 3eaa99
## </desc>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
gen_tunable(allow_domain_fd_use, true)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
## <desc>
Dan Walsh 3eaa99
## 

Dan Walsh 3eaa99
## Allow all domains to have the kernel load modules
Dan Walsh 3eaa99
## 

Dan Walsh 3eaa99
## </desc>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
gen_tunable(domain_kernel_load_modules, false)
Chris PeBenito 17de1b
Dominick Grift 623e4f
## <desc>
Dominick Grift 623e4f
## 

Dominick Grift 623e4f
##	Control the ability to mmap a low area of the address space,
Dominick Grift 623e4f
##	as configured by /proc/sys/kernel/mmap_min_addr.
Dominick Grift 623e4f
## 

Dominick Grift 623e4f
## </desc>
Dominick Grift 623e4f
gen_tunable(mmap_low_allowed, false)
Dominick Grift 623e4f
Chris PeBenito 17de1b
# Mark process types as domains
Chris PeBenito 17de1b
attribute domain;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# Transitions only allowed from domains to other domains
Chris PeBenito 17de1b
neverallow domain ~domain:process { transition dyntransition };
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# Domains that are unconfined
Chris PeBenito 17de1b
attribute unconfined_domain_type;
Chris PeBenito 17de1b
Chris PeBenito 41337a
# Domains that can mmap low memory.
Chris PeBenito 41337a
attribute mmap_low_domain_type;
Chris PeBenito 41337a
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
Chris PeBenito 41337a
Chris PeBenito 17de1b
# Domains that can set their current context
Chris PeBenito 17de1b
# (perform dynamic transitions)
Chris PeBenito 17de1b
attribute set_curr_context;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# enabling setcurrent breaks process tranquility.  If you do not
Chris PeBenito 17de1b
# know what this means or do not understand the implications of a
Chris PeBenito 17de1b
# dynamic transition, you should not be using it!!!
Chris PeBenito 17de1b
neverallow { domain -set_curr_context } self:process setcurrent;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# entrypoint executables
Chris PeBenito 17de1b
attribute entry_type;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# widely-inheritable file descriptors
Chris PeBenito 17de1b
attribute privfd;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# constraint related attributes
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# [1] types that can change SELinux identity on transition
Chris PeBenito 17de1b
attribute can_change_process_identity;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# [2] types that can change SELinux role on transition
Chris PeBenito 17de1b
attribute can_change_process_role;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# [3] types that can change the SELinux identity on a filesystem
Chris PeBenito 17de1b
# object or a socket object on a create or relabel
Chris PeBenito 17de1b
attribute can_change_object_identity;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# [3] types that can change to system_u:system_r
Chris PeBenito 17de1b
attribute can_system_change;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# [4] types that have attribute 1 can change the SELinux
Chris PeBenito 17de1b
# identity only if the target domain has this attribute.
Chris PeBenito 17de1b
# Types that have attribute 2 can change the SELinux role
Chris PeBenito 17de1b
# only if the target domain has this attribute.
Chris PeBenito 17de1b
attribute process_user_target;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# For cron jobs
Chris PeBenito 17de1b
# [5] types used for cron daemons
Chris PeBenito 17de1b
attribute cron_source_domain;
Chris PeBenito 17de1b
# [6] types used for cron jobs
Chris PeBenito 17de1b
attribute cron_job_domain;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# [7] types that are unconditionally exempt from
Chris PeBenito 17de1b
# SELinux identity and role change constraints
Chris PeBenito 17de1b
attribute process_uncond_exempt;	# add userhelperdomain to this one
Chris PeBenito 17de1b
Chris PeBenito 17de1b
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
Chris PeBenito 17de1b
neverallow ~{ domain unlabeled_t } *:process *;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# Rules applied to all domains
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# read /proc/(pid|self) entries
Chris PeBenito ef659a
allow domain self:dir list_dir_perms;
Chris PeBenito ef659a
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
Chris PeBenito 17de1b
allow domain self:file rw_file_perms;
Chris PeBenito 17de1b
kernel_read_proc_symlinks(domain)
Dan Walsh 3eaa99
kernel_read_crypto_sysctls(domain)
Dan Walsh 3eaa99
Chris PeBenito 495df4
# Every domain gets the key ring, so we should default
Chris PeBenito 495df4
# to no one allowed to look at it; afs kernel support creates
Chris PeBenito 495df4
# a keyring
Chris PeBenito 495df4
kernel_dontaudit_search_key(domain)
Chris PeBenito 495df4
kernel_dontaudit_link_key(domain)
Dan Walsh 3eaa99
kernel_dontaudit_search_debugfs(domain)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# create child processes in the domain
Dan Walsh 3eaa99
allow domain self:process { fork getsched sigchld };
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# Use trusted objects in /dev
Chris PeBenito 17de1b
dev_rw_null(domain)
Chris PeBenito 17de1b
dev_rw_zero(domain)
Chris PeBenito 17de1b
term_use_controlling_term(domain)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# list the root directory
Chris PeBenito 17de1b
files_list_root(domain)
Dan Walsh fb5248
# allow all domains to search through default_t directory, since users sometimes
Dan Walsh fb5248
# place labels within these directories.  (samba_share_t) for example.
Dan Walsh fb5248
files_search_default(domain)
Chris PeBenito 17de1b
Dan Walsh 3eaa99
# All executables should be able to search the directory they are in
Dan Walsh 3eaa99
corecmd_search_bin(domain)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
tunable_policy(`domain_kernel_load_modules',`
Dan Walsh 3eaa99
	kernel_request_load_module(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Chris PeBenito 17de1b
tunable_policy(`global_ssp',`
Chris PeBenito 17de1b
	# enable reading of urandom for all domains:
Chris PeBenito 17de1b
	# this should be enabled when all programs
Chris PeBenito 17de1b
	# are compiled with ProPolice/SSP
Chris PeBenito 17de1b
	# stack smashing protection.
Chris PeBenito 17de1b
	dev_read_urand(domain)
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 17de1b
optional_policy(`
Dan Walsh 3eaa99
	afs_rw_cache(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Chris PeBenito 6e68e6
	libs_use_ld_so(domain)
Chris PeBenito 6e68e6
	libs_use_shared_libs(domain)
Dan Walsh 3eaa99
	libs_read_lib_files(domain)
Chris PeBenito 6e68e6
')
Chris PeBenito 6e68e6
Chris PeBenito 6e68e6
optional_policy(`
Chris PeBenito 17de1b
	setrans_translate_context(domain)
Chris PeBenito 17de1b
')
Chris PeBenito 17de1b
Chris PeBenito 495df4
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
Chris PeBenito 495df4
optional_policy(`
Chris PeBenito 495df4
	xserver_dontaudit_use_xdm_fds(domain)
Chris PeBenito 495df4
	xserver_dontaudit_rw_xdm_pipes(domain)
Dan Walsh 3eaa99
	xserver_dontaudit_append_xdm_home_files(domain)
Dan Walsh 3eaa99
	xserver_dontaudit_write_log(domain)
Chris PeBenito 495df4
')
Chris PeBenito 495df4
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# Unconfined access to this module
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# unconfined access also allows constraints, but this
Chris PeBenito 17de1b
# is handled in the interface as typeattribute cannot
Chris PeBenito 17de1b
# be used on an attribute.
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# Use/sendto/connectto sockets created by any domain.
Chris PeBenito 17de1b
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# Use descriptors and pipes created by any domain.
Chris PeBenito 17de1b
allow unconfined_domain_type domain:fd use;
Chris PeBenito 17de1b
allow unconfined_domain_type domain:fifo_file rw_file_perms;
Chris PeBenito 17de1b
Dan Walsh 3eaa99
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
Dan Walsh 3eaa99
Chris PeBenito 17de1b
# Act upon any other process.
Chris PeBenito 17de1b
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# Create/access any System V IPC objects.
Chris PeBenito 17de1b
allow unconfined_domain_type domain:{ sem msgq shm } *;
Chris PeBenito 17de1b
allow unconfined_domain_type domain:msg { send receive };
Chris PeBenito 17de1b
Chris PeBenito 17de1b
# For /proc/pid
Chris PeBenito ef659a
allow unconfined_domain_type domain:dir list_dir_perms;
Chris PeBenito a65fd9
allow unconfined_domain_type domain:file rw_file_perms;
Chris PeBenito ef659a
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
Chris PeBenito d82267
Chris PeBenito d82267
# act on all domains keys
Chris PeBenito d82267
allow unconfined_domain_type domain:key *;
Chris PeBenito bdccba
Chris PeBenito bdccba
# receive from all domains over labeled networking
Chris PeBenito bdccba
domain_all_recvfrom_all_domains(unconfined_domain_type)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
selinux_getattr_fs(domain)
Dan Walsh 3eaa99
selinux_search_fs(domain)
Dan Walsh 3eaa99
selinux_dontaudit_read_fs(domain)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
seutil_dontaudit_read_config(domain)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
init_sigchld(domain)
Dan Walsh 3eaa99
init_signull(domain)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
ifdef(`distro_redhat',`
Dan Walsh 3eaa99
	files_search_mnt(domain)
Dan Walsh 3eaa99
	optional_policy(`
Dan Walsh 3eaa99
		unconfined_use_fds(domain)
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
# these seem questionable:
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Dan Walsh 3eaa99
	abrt_domtrans_helper(domain)
Dan Walsh 3eaa99
	abrt_read_pid_files(domain)
Dan Walsh 3eaa99
	abrt_read_state(domain)
Dan Walsh 3eaa99
	abrt_signull(domain)
Dan Walsh 3eaa99
	abrt_stream_connect(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Dan Walsh 3eaa99
	rpm_use_fds(domain)
Dan Walsh 3eaa99
	rpm_read_pipes(domain)
Dan Walsh 3eaa99
	rpm_search_log(domain)
Dan Walsh 3eaa99
	rpm_append_tmp_files(domain)
Dan Walsh 3eaa99
	rpm_dontaudit_leaks(domain)
Dan Walsh 3eaa99
	rpm_read_script_tmp_files(domain)
Dan Walsh 3eaa99
	rpm_inherited_fifo(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Dan Walsh 3eaa99
	sosreport_append_tmp_files(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
tunable_policy(`allow_domain_fd_use',`
Dan Walsh 3eaa99
	# Allow all domains to use fds past to them
Dan Walsh 3eaa99
	allow domain domain:fd use;
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Dan Walsh 3eaa99
	cron_dontaudit_write_system_job_tmp_files(domain)
Dan Walsh 3eaa99
	cron_rw_pipes(domain)
Dan Walsh 3eaa99
	cron_rw_system_job_pipes(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
ifdef(`hide_broken_symptoms',`
Dan Walsh 3eaa99
	dontaudit domain self:udp_socket listen;
Dan Walsh 3eaa99
	allow domain domain:key { link search };
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Dan Walsh dfe675
	hal_dontaudit_read_pid_files(domain)
Dan Walsh dfe675
')
Dan Walsh dfe675
Dan Walsh dfe675
optional_policy(`
Dan Walsh 3eaa99
	ifdef(`hide_broken_symptoms',`
Dan Walsh 3eaa99
		afs_rw_udp_sockets(domain)
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Dan Walsh 3eaa99
	ssh_rw_pipes(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
optional_policy(`
Dan Walsh 3eaa99
	unconfined_dontaudit_rw_pipes(domain)
Dan Walsh 3eaa99
	unconfined_sigchld(domain)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
# broken kernel
Dan Walsh 3eaa99
dontaudit can_change_object_identity can_change_object_identity:key link;