#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#

#################################
#
# Rules for the kernel_t domain.
#

#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
# The attributes listed on the type declaration (privmodule, privlog,
# privsysmod, etc_writer, privrangetrans, ...) are where much of this
# domain's privilege comes from; their rules live elsewhere in the policy,
# not in this file.
#
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
can_exec(kernel_t, shell_exec_t)

# Use capabilities.
# kernel_t is granted every capability ('*'); the narrower sys_chroot rule
# further down is already covered by this one.
allow kernel_t self:capability *;

r_dir_file(kernel_t, sysfs_t)
allow kernel_t { usbfs_t usbdevfs_t }:dir search;

# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)

ifdef(`mls_policy', `
# run init with maximum MLS range
# NOTE(review): the range s0 - s9:c0.c255 is hard-coded here; it must agree
# with the sensitivity/category counts declared in the MLS configuration.
range_transition kernel_t init_exec_t s0 - s9:c0.c255;
')

# Share state with the init process.
allow kernel_t init_t:process share;

# Mount and unmount file systems.
# fs_type is an attribute, so this covers every filesystem type carrying it.
allow kernel_t fs_type:filesystem mount_fs_perms;

# Send signal to any process.
allow kernel_t domain:process signal;
# Search directories labeled with any domain type
# (presumably the per-process /proc entries; verify against the fs labeling).
allow kernel_t domain:dir search;

# Access the console.
allow kernel_t device_t:dir search;
allow kernel_t console_device_t:chr_file rw_file_perms;

# Access the initrd filesystem.
# file_t here is the type of the initrd contents; the rules below also let
# kernel_t execute from it and chroot into it.
allow kernel_t file_t:chr_file rw_file_perms;
can_exec(kernel_t, file_t)
ifdef(`chroot.te', `
can_exec(kernel_t, chroot_exec_t)
')
# Redundant with the 'capability *' grant above; kept for readability.
allow kernel_t self:capability sys_chroot;

allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
# Read, write and setattr on sysctl files, including /proc/sys/kernel.
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };

# Lookup the policy.
allow kernel_t policy_config_t:dir r_dir_perms;

# Load the policy configuration.
can_loadpol(kernel_t)

# /proc/sys/kernel/modprobe is set to /bin/true if not using modules,
# so the kernel needs to execute a bin_t program from this domain.
can_exec(kernel_t, bin_t)

ifdef(`targeted_policy', `
# Under the targeted policy kernel_t is unconfined, which presumably
# subsumes every rule above (unconfined_domain is defined elsewhere).
unconfined_domain(kernel_t)
')