Blame refpolicy/policy/modules/system/domain.te
|
Chris PeBenito |
e181fe |
|
|
Chris PeBenito |
960373 |
policy_module(domain,1.0)
|
|
Chris PeBenito |
960373 |
|
|
Chris PeBenito |
b4cd15 |
# Mark process types as domains
|
|
Chris PeBenito |
b4cd15 |
attribute domain;
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
960373 |
# entrypoint executables
|
|
Chris PeBenito |
960373 |
attribute entry_type;
|
|
Chris PeBenito |
960373 |
|
|
Chris PeBenito |
8a0da1 |
# widely-inheritable file descriptors
|
|
Chris PeBenito |
8a0da1 |
attribute privfd;
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
007ca5 |
# Domains that can set their current context
|
|
Chris PeBenito |
007ca5 |
# (perform dynamic transitions)
|
|
Chris PeBenito |
007ca5 |
attribute set_curr_context;
|
|
Chris PeBenito |
007ca5 |
|
|
Chris PeBenito |
8bd678 |
# constraint related attributes
|
|
Chris PeBenito |
8bd678 |
attribute can_change_process_identity;
|
|
Chris PeBenito |
8bd678 |
attribute can_change_process_role;
|
|
Chris PeBenito |
8bd678 |
attribute can_change_object_identity;
|
|
Chris PeBenito |
8bd678 |
|
|
Chris PeBenito |
2a3478 |
# Transitions only allowed from domains to other domains
|
|
Chris PeBenito |
b4cd15 |
neverallow domain ~domain:process { transition dyntransition };
|
|
Chris PeBenito |
a154cd |
|
|
Chris PeBenito |
a154cd |
# enabling setcurrent breaks process tranquility. If you do not
|
|
Chris PeBenito |
a154cd |
# know what this means or do not understand the implications of a
|
|
Chris PeBenito |
a154cd |
# dynamic transition, you should not be using it!!!
|
|
Chris PeBenito |
007ca5 |
neverallow { domain -set_curr_context } self:process setcurrent;
|
|
Chris PeBenito |
2a3478 |
|
|
Chris PeBenito |
2a3478 |
# Files with domain types are currently only proc files
|
|
Chris PeBenito |
2a3478 |
neverallow * domain:dir ~r_dir_perms;
|
|
Chris PeBenito |
2a3478 |
neverallow * domain:file_class_set ~rw_file_perms;
|