Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##############################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# core macros for the type enforcement (TE) configuration.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>, Timothy Fraser  
Chris PeBenito 0fbfa5
#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
Chris PeBenito 0fbfa5
#           Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Macros for groups of classes and 
Chris PeBenito 0fbfa5
# groups of permissions.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# All directory and file classes
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# All non-directory file classes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Non-device file classes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Device file classes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`devfile_class_set', `{ chr_file blk_file }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# All socket classes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 964681
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Datagram socket classes.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Stream socket classes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Unprivileged socket classes (exclude rawip, netlink, packet).
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for getting file attributes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`stat_file_perms', `{ getattr }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for executing files.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`x_file_perms', `{ getattr execute }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for reading files and their attributes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`r_file_perms', `{ read getattr lock ioctl }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for reading and executing files.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`rx_file_perms', `{ read getattr lock execute ioctl }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for reading and writing files and their attributes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for reading and appending to files.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`ra_file_perms', `{ ioctl read getattr lock append }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for linking, unlinking and renaming files.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`link_file_perms', `{ getattr link unlink rename }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating lnk_files.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating and using files.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for reading directories and their attributes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`r_dir_perms', `{ read getattr lock search ioctl }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for reading and writing directories and their attributes.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Permissions for reading and adding names to directories.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating and using directories.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions to mount and unmount file systems.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`mount_fs_perms', `{ mount remount unmount getattr }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for using sockets.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating and using sockets.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`create_socket_perms', `{ create rw_socket_perms }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for using stream sockets.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating and using stream sockets.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating and using sockets.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating and using sockets.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating and using netlink sockets.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for using netlink sockets for operations that modify state.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for using netlink sockets for operations that observe state.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for sending all signals.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for sending and receiving network packets.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for using System V IPC
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`r_sem_perms', `{ associate getattr read unix_read }')
Chris PeBenito 0fbfa5
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
Chris PeBenito 0fbfa5
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
Chris PeBenito 0fbfa5
define(`r_msgq_perms', `{ associate getattr read unix_read }')
Chris PeBenito 0fbfa5
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
Chris PeBenito 0fbfa5
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
Chris PeBenito 0fbfa5
define(`r_shm_perms', `{ associate getattr read unix_read }')
Chris PeBenito 0fbfa5
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
Chris PeBenito 0fbfa5
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Macros for type transition rules and
Chris PeBenito 0fbfa5
# access vector rules.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Simple combinations for reading and writing both
Chris PeBenito 0fbfa5
# directories and files.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
define(`r_dir_file', `
Chris PeBenito 0fbfa5
allow $1 $2:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow $1 $2:file r_file_perms;
Chris PeBenito 0fbfa5
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`rw_dir_file', `
Chris PeBenito 0fbfa5
allow $1 $2:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow $1 $2:file rw_file_perms;
Chris PeBenito 0fbfa5
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`ra_dir_file', `
Chris PeBenito 0fbfa5
allow $1 $2:dir ra_dir_perms;
Chris PeBenito 0fbfa5
allow $1 $2:file ra_file_perms;
Chris PeBenito 0fbfa5
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`ra_dir_create_file', `
Chris PeBenito 0fbfa5
allow $1 $2:dir ra_dir_perms;
Chris PeBenito 0fbfa5
allow $1 $2:file { create ra_file_perms };
Chris PeBenito 0fbfa5
allow $1 $2:lnk_file { create read getattr };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`rw_dir_create_file', `
Chris PeBenito 0fbfa5
allow $1 $2:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow $1 $2:file create_file_perms;
Chris PeBenito 0fbfa5
allow $1 $2:lnk_file create_lnk_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`create_dir_file', `
Chris PeBenito 0fbfa5
allow $1 $2:dir create_dir_perms;
Chris PeBenito 0fbfa5
allow $1 $2:file create_file_perms;
Chris PeBenito 0fbfa5
allow $1 $2:lnk_file create_lnk_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`create_dir_notdevfile', `
Chris PeBenito 0fbfa5
allow $1 $2:dir create_dir_perms;
Chris PeBenito 0fbfa5
allow $1 $2:{ file sock_file fifo_file } create_file_perms;
Chris PeBenito 0fbfa5
allow $1 $2:lnk_file create_lnk_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`create_append_log_file', `
Chris PeBenito 0fbfa5
allow $1 $2:dir { read getattr search add_name write };
Chris PeBenito 0fbfa5
allow $1 $2:file { create ioctl getattr setattr append link };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_ps(domain1, domain2)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_ps',`
Chris PeBenito 0fbfa5
allow $1 $2:dir { search getattr read };
Chris PeBenito 0fbfa5
allow $1 $2:{ file lnk_file } { read getattr };
Chris PeBenito 0fbfa5
allow $1 $2:process getattr;
Chris PeBenito 0fbfa5
# We need to suppress this denial because procps tries to access
Chris PeBenito 0fbfa5
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
Chris PeBenito 0fbfa5
# (2.4 and 2.6).  Might want to change procps to not do this, or only if
Chris PeBenito 0fbfa5
# running in a privileged domain.
Chris PeBenito 0fbfa5
dontaudit $1 $2:process ptrace;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_getsecurity(domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authorize a domain to get security policy decisions.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_getsecurity',`
Chris PeBenito 0fbfa5
# Get the selinuxfs mount point via /proc/self/mounts.
Chris PeBenito 0fbfa5
allow $1 proc_t:dir search;
Chris PeBenito 0fbfa5
allow $1 proc_t:{ file lnk_file } { getattr read };
Chris PeBenito 0fbfa5
allow $1 self:dir search;
Chris PeBenito 0fbfa5
allow $1 self:file { getattr read };
Chris PeBenito 0fbfa5
# Access selinuxfs.
Chris PeBenito 0fbfa5
allow $1 security_t:dir { read search getattr };
Chris PeBenito 0fbfa5
allow $1 security_t:file { getattr read write };
Chris PeBenito 0fbfa5
allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_setenforce(domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authorize a domain to set the enforcing flag.
Chris PeBenito 0fbfa5
# Due to its sensitivity, always audit this permission.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_setenforce',`
Chris PeBenito 0fbfa5
# Get the selinuxfs mount point via /proc/self/mounts.
Chris PeBenito 0fbfa5
allow $1 proc_t:dir search;
Chris PeBenito 0fbfa5
allow $1 proc_t:lnk_file read;
Chris PeBenito 0fbfa5
allow $1 self:dir search;
Chris PeBenito 0fbfa5
allow $1 self:file { getattr read };
Chris PeBenito 0fbfa5
# Access selinuxfs.
Chris PeBenito 0fbfa5
allow $1 security_t:dir { read search getattr };
Chris PeBenito 0fbfa5
allow $1 security_t:file { getattr read write };
Chris PeBenito 0fbfa5
allow $1 security_t:security setenforce;
Chris PeBenito 0fbfa5
auditallow $1 security_t:security setenforce;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_setbool(domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authorize a domain to set a policy boolean.
Chris PeBenito 0fbfa5
# Due to its sensitivity, always audit this permission.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_setbool',`
Chris PeBenito 0fbfa5
# Get the selinuxfs mount point via /proc/self/mounts.
Chris PeBenito 0fbfa5
allow $1 proc_t:dir search;
Chris PeBenito 0fbfa5
allow $1 proc_t:lnk_file read;
Chris PeBenito 0fbfa5
allow $1 self:dir search;
Chris PeBenito 0fbfa5
allow $1 self:file { getattr read };
Chris PeBenito 0fbfa5
# Access selinuxfs.
Chris PeBenito 0fbfa5
allow $1 security_t:dir { read search getattr };
Chris PeBenito 0fbfa5
allow $1 security_t:file { getattr read write };
Chris PeBenito 0fbfa5
allow $1 security_t:security setbool;
Chris PeBenito 0fbfa5
auditallow $1 security_t:security setbool;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_setsecparam(domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authorize a domain to set security parameters.
Chris PeBenito 0fbfa5
# Due to its sensitivity, always audit this permission.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_setsecparam',`
Chris PeBenito 0fbfa5
# Get the selinuxfs mount point via /proc/self/mounts.
Chris PeBenito 0fbfa5
allow $1 proc_t:dir search;
Chris PeBenito 0fbfa5
allow $1 proc_t:lnk_file read;
Chris PeBenito 0fbfa5
allow $1 self:dir search;
Chris PeBenito 0fbfa5
allow $1 self:file { getattr read };
Chris PeBenito 0fbfa5
# Access selinuxfs.
Chris PeBenito 0fbfa5
allow $1 security_t:dir { read search getattr };
Chris PeBenito 0fbfa5
allow $1 security_t:file { getattr read write };
Chris PeBenito 0fbfa5
allow $1 security_t:security setsecparam;
Chris PeBenito 0fbfa5
auditallow $1 security_t:security setsecparam;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_loadpol(domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authorize a domain to load a policy configuration.
Chris PeBenito 0fbfa5
# Due to its sensitivity, always audit this permission.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_loadpol',`
Chris PeBenito 0fbfa5
# Get the selinuxfs mount point via /proc/self/mounts.
Chris PeBenito 0fbfa5
allow $1 proc_t:dir search;
Chris PeBenito 0fbfa5
allow $1 proc_t:lnk_file read;
Chris PeBenito cf6a7d
allow $1 proc_t:file { getattr read };
Chris PeBenito 0fbfa5
allow $1 self:dir search;
Chris PeBenito 0fbfa5
allow $1 self:file { getattr read };
Chris PeBenito 0fbfa5
# Access selinuxfs.
Chris PeBenito 0fbfa5
allow $1 security_t:dir { read search getattr };
Chris PeBenito 0fbfa5
allow $1 security_t:file { getattr read write };
Chris PeBenito 0fbfa5
allow $1 security_t:security load_policy;
Chris PeBenito 0fbfa5
auditallow $1 security_t:security load_policy;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# domain_trans(parent_domain, program_type, child_domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for transitioning to a new domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`domain_trans',`
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the process to transition to the new domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow $1 $3:process transition;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Do not audit when glibc secure mode is enabled upon the transition.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
dontaudit $1 $3:process noatsecure;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Do not audit when signal-related state is cleared upon the transition.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
dontaudit $1 $3:process siginh;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Do not audit when resource limits are reset upon the transition.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
dontaudit $1 $3:process rlimitinh;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the process to execute the program.
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
allow $1 $2:file { read x_file_perms };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the process to reap the new domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow $3 $1:process sigchld;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the new domain to inherit and use file 
Chris PeBenito 0fbfa5
# descriptions from the creating process and vice versa.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow $3 $1:fd use;
Chris PeBenito 0fbfa5
allow $1 $3:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the new domain to write back to the old domain via a pipe.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow $3 $1:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the new domain to read and execute the program.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow $3 $2:file rx_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the new domain to be entered via the program.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow $3 $2:file entrypoint;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# domain_auto_trans(parent_domain, program_type, child_domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Define a default domain transition and allow it.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`domain_auto_trans',`
Chris PeBenito 0fbfa5
domain_trans($1,$2,$3)
Chris PeBenito 0fbfa5
type_transition $1 $2:process $3;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_ptrace(domain, domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for running ptrace (strace or gdb) on another domain
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_ptrace',`
Chris PeBenito 0fbfa5
allow $1 $2:process ptrace;
Chris PeBenito 0fbfa5
allow $2 $1:process sigchld;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_exec(domain, type)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for executing programs with
Chris PeBenito 0fbfa5
# a specified type without changing domains.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_exec',`
Chris PeBenito 0fbfa5
allow $1 $2:file { rx_file_perms execute_no_trans };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# this is an internal macro used by can_create
Chris PeBenito 0fbfa5
define(`can_create_internal', `
Chris PeBenito 0fbfa5
ifelse(`$3', `dir', `
Chris PeBenito 0fbfa5
allow $1 $2:$3 create_dir_perms;
Chris PeBenito 0fbfa5
', `$3', `lnk_file', `
Chris PeBenito 0fbfa5
allow $1 $2:$3 create_lnk_perms;
Chris PeBenito 0fbfa5
', `
Chris PeBenito 0fbfa5
allow $1 $2:$3 create_file_perms;
Chris PeBenito 0fbfa5
')dnl end if dir
Chris PeBenito 0fbfa5
')dnl end can_create_internal
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_create(domain, file_type, object_class)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating files of the specified type and class
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_create', `
Chris PeBenito 0fbfa5
ifelse(regexp($3, `\w'), -1, `', `
Chris PeBenito 0fbfa5
can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# file_type_trans(domain, dir_type, file_type)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for transitioning to a new file type.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`file_type_trans',`
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the process to modify the directory.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow $1 $2:dir rw_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Allow the process to create the file.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
ifelse(`$4', `', `
Chris PeBenito 0fbfa5
can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
Chris PeBenito 0fbfa5
', `
Chris PeBenito 0fbfa5
can_create($1, $3, $4)
Chris PeBenito 0fbfa5
')dnl end if param 4 specified
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# the object class will default to notdevfile_class_set if not specified as
Chris PeBenito 0fbfa5
# the fourth parameter
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Define a default file type transition and allow it.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`file_type_auto_trans',`
Chris PeBenito 0fbfa5
ifelse(`$4', `', `
Chris PeBenito 0fbfa5
file_type_trans($1,$2,$3)
Chris PeBenito 0fbfa5
type_transition $1 $2:dir $3;
Chris PeBenito 0fbfa5
type_transition $1 $2:notdevfile_class_set $3;
Chris PeBenito 0fbfa5
', `
Chris PeBenito 0fbfa5
file_type_trans($1,$2,$3,$4)
Chris PeBenito 0fbfa5
type_transition $1 $2:$4 $3;
Chris PeBenito 0fbfa5
')dnl end ifelse
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_unix_connect(client, server)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for establishing a Unix stream connection.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_unix_connect',`
Chris PeBenito 0fbfa5
allow $1 $2:unix_stream_socket connectto;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_unix_send(sender, receiver)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for sending Unix datagrams.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_unix_send',`
Chris PeBenito 0fbfa5
allow $1 $2:unix_dgram_socket sendto;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_tcp_connect(client, server)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for establishing a TCP connection.
Chris PeBenito 0fbfa5
# Irrelevant until we have labeled networking.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_tcp_connect',`
Chris PeBenito 0fbfa5
#allow $1 $2:tcp_socket { connectto recvfrom };
Chris PeBenito 0fbfa5
#allow $2 $1:tcp_socket { acceptfrom recvfrom };
Chris PeBenito 0fbfa5
#allow $2 kernel_t:tcp_socket recvfrom;
Chris PeBenito 0fbfa5
#allow $1 kernel_t:tcp_socket recvfrom;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_udp_send(sender, receiver)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for sending/receiving UDP datagrams.
Chris PeBenito 0fbfa5
# Irrelevant until we have labeled networking.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_udp_send',`
Chris PeBenito 0fbfa5
#allow $1 $2:udp_socket sendto;
Chris PeBenito 0fbfa5
#allow $2 $1:udp_socket recvfrom;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# base_pty_perms(domain_prefix)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Base permissions used for can_create_pty() and can_create_other_pty()
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`base_pty_perms', `
Chris PeBenito 0fbfa5
# Access the pty master multiplexer.
Chris PeBenito 0fbfa5
allow $1_t ptmx_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_t devpts_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow searching /dev/pts
Chris PeBenito 0fbfa5
allow $1_t devpts_t:dir { getattr read search };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# ignore old BSD pty devices
Chris PeBenito 0fbfa5
dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# pty_slave_label(domain_prefix, attributes)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# give access to a slave pty but do not allow creating new ptys
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`pty_slave_label', `
Chris PeBenito 0fbfa5
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow the pty to be associated with the file system.
Chris PeBenito 0fbfa5
allow $1_devpts_t devpts_t:filesystem associate;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Label pty files with a derived type.
Chris PeBenito 0fbfa5
type_transition $1_t devpts_t:chr_file $1_devpts_t;
Chris PeBenito 0fbfa5
Chris PeBenito 77f6e2
# allow searching /dev/pts
Chris PeBenito 77f6e2
allow $1_t devpts_t:dir { getattr read search };
Chris PeBenito 77f6e2
Chris PeBenito 0fbfa5
# Read and write my pty files.
Chris PeBenito 0fbfa5
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_create_pty(domain_prefix, attributes)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating ptys.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_create_pty',`
Chris PeBenito 0fbfa5
base_pty_perms($1)
Chris PeBenito 0fbfa5
pty_slave_label($1, `$2')
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# can_create_other_pty(domain_prefix,other_domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Permissions for creating ptys for another domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`can_create_other_pty',`
Chris PeBenito 0fbfa5
base_pty_perms($1)
Chris PeBenito 0fbfa5
# Label pty files with a derived type.
Chris PeBenito 0fbfa5
type_transition $1_t devpts_t:chr_file $2_devpts_t;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Read and write pty files.
Chris PeBenito 0fbfa5
allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# general_domain_access(domain)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Grant permissions within the domain.
Chris PeBenito 0fbfa5
# This includes permissions to processes, /proc/PID files,
Chris PeBenito 0fbfa5
# file descriptors, pipes, Unix sockets, and System V IPC objects
Chris PeBenito 0fbfa5
# labeled with the domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`general_domain_access',`
Chris PeBenito 0fbfa5
# Access other processes in the same domain.
Chris PeBenito 5493c2
# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
Chris PeBenito 0fbfa5
# These must be granted separately if desired.
Chris PeBenito 5493c2
allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access /proc/PID files for processes in the same domain.
Chris PeBenito 0fbfa5
allow $1 self:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow $1 self:notdevfile_class_set r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access file descriptions, pipes, and sockets
Chris PeBenito 0fbfa5
# created by processes in the same domain.
Chris PeBenito 0fbfa5
allow $1 self:fd *;
Chris PeBenito 0fbfa5
allow $1 self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
allow $1 self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow $1 self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow the domain to communicate with other processes in the same domain.
Chris PeBenito 0fbfa5
allow $1 self:unix_dgram_socket sendto;
Chris PeBenito 0fbfa5
allow $1 self:unix_stream_socket connectto;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access System V IPC objects created by processes in the same domain.
Chris PeBenito 0fbfa5
allow $1 self:sem  create_sem_perms;
Chris PeBenito 0fbfa5
allow $1 self:msg  { send receive };
Chris PeBenito 0fbfa5
allow $1 self:msgq create_msgq_perms;
Chris PeBenito 0fbfa5
allow $1 self:shm  create_shm_perms;
Chris PeBenito 0fbfa5
allow $1 unpriv_userdomain:fd use;
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Every app is asking for ypbind so I am adding this here, 
Chris PeBenito 0fbfa5
# eventually this should become can_nsswitch
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
can_ypbind($1)
Chris PeBenito 0fbfa5
allow $1 autofs_t:dir { search getattr };
Chris PeBenito 0fbfa5
')dnl end general_domain_access