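policy_module(domain,1.1.2)

########################################
#
# Declarations
#

# Mark process types as domains.  Every type a process may run in
# must carry this attribute: the neverallow assertions at the end of
# this section reject any policy that lets a process-class permission
# reach a type without it.
attribute domain;

# Transitions only allowed from domains to other domains.
# Build-time assertion: no rule anywhere in the policy may let a
# domain transition (exec or dynamic) into a type that is not itself
# marked as a domain, so a process cannot end up in an unmanaged type.
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined.
# Security note: types given this attribute receive the blanket rules
# in the "Unconfined access" section of this module (sockets,
# descriptors, IPC and nearly every process permission against every
# domain).  Assign it sparingly; it effectively removes type
# enforcement for that domain.
attribute unconfined_domain_type;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# Enabling setcurrent breaks process tranquility: the process changes
# its security context without an exec.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
# Build-time assertion: only types carrying set_curr_context may be
# granted setcurrent on themselves.
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#
# These attributes carry no rules of their own.  The bracketed
# numbers presumably index the constraints (defined outside this
# module) that test them -- verify against the constraints file.

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
# NOTE(review): index [3] is used twice (here and for
# can_change_object_identity); check which constraint this one
# actually refers to before relying on the numbering.
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints.
# Security note: a type with this attribute bypasses the user and
# role change constraints entirely; it belongs only on trusted
# helpers.
attribute process_uncond_exempt;	# add userhelperdomain to this one

# Build-time assertions that confine the process class to domains:
# neither a domain nor unlabeled_t may hold process permissions on a
# non-domain type, and no non-domain type may hold process
# permissions on anything.  Together with the transition assertion
# above this in practice forces every process type to be a domain.
# unlabeled_t is carved out alongside domain here; presumably for
# processes whose label could not be resolved -- confirm against the
# module that declares it.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;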
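########################################
#
# Rules applied to all domains
#

# read /proc/pid entries
# The dir and lnk_file rules are read-only, but the file rule grants
# rw_file_perms, so a domain can write as well as read any file
# carrying its own type.  Keep that in mind before reusing a domain
# type as a file label.
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;

# create child processes in the domain
allow domain self:process { fork sigchld };

# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)

ifdef(`targeted_policy',`
	# RBAC is disabled in the targeted policy,
	# as only one role is used, system_r.
	role system_r types domain;

	# FIXME:
	# workaround until role dominance is fixed in
	# the module compiler
	# Security note: these rules authorise every role for every
	# domain, so role separation provides no isolation in the
	# targeted policy; do not rely on RBAC there.
	role secadm_r types domain;
	role sysadm_r types domain;
	role user_r types domain;
	role staff_r types domain;
')

tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection, presumably because the SSP
	# runtime seeds its stack canary from urandom at startup.
	# Domains without their own urandom rule are otherwise
	# denied that read when the tunable is off.
	dev_read_urand(domain)
')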
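########################################
#
# Unconfined access to this module
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
#
# Security note: every rule below has unconfined_domain_type as the
# subject and the whole domain attribute as the target, so any type
# given that attribute can reach every other domain in the system.
# Because these rules grant process permissions, the assertions in
# the Declarations section require every unconfined_domain_type to
# also be a domain, and (since setcurrent is not excluded below) to
# carry set_curr_context, or the policy fails to build.

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

# Act upon any other process.
# Every process permission except the five listed, which includes
# ptrace and signal delivery against any domain.  transition and
# dyntransition are left out, presumably so that domain transitions
# for unconfined types remain explicit rather than coming from this
# blanket rule; execmem/execstack/execheap are left out so that
# executable-memory permissions are not handed out here.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
# Read-only: unlike the per-domain self rule earlier in this module,
# no write access to files of other domains is granted here.
allow unconfined_domain_type domain:dir r_dir_perms;
allow unconfined_domain_type domain:file r_file_perms;
allow unconfined_domain_type domain:lnk_file r_file_perms;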