policy_module(domain,1.1.2)
########################################
#
# Declarations
#
# Mark process types as domains
attribute domain;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# Domains that are unconfined
attribute unconfined_domain_type;
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# Enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
#
# constraint related attributes
#
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
attribute can_system_change;
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;
########################################
#
# Rules applied to all domains
#
# read /proc/pid entries
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;
# create child processes in the domain
allow domain self:process { fork sigchld };
# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
ifdef(`targeted_policy',`
# RBAC is disabled in the targeted policy,
# as only one role is used, system_r.
role system_r types domain;
# FIXME:
# workaround until role dominance is fixed in
# the module compiler
role secadm_r types domain;
role sysadm_r types domain;
role user_r types domain;
role staff_r types domain;
')
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection.
dev_read_urand(domain)
')
########################################
#
# Unconfined access to this module
#
# unconfined access also covers the constraint exemptions, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };
# Read the /proc/pid entries of any domain.
allow unconfined_domain_type domain:dir r_dir_perms;
allow unconfined_domain_type domain:file r_file_perms;
allow unconfined_domain_type domain:lnk_file r_file_perms;