##############################
#
# Global macros for the type enforcement (TE) configuration.
#
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
#           Russell Coker <russell@coker.com.au>
#
#
#
##################################
#
# can_setexec(domain)
#
# Authorize a domain to set its exec context
# (via /proc/pid/attr/exec).
#
# The proc_t and self rules are only the path to the attr node;
# the self:file write is what stores the requested context.
# setexec selects the label of the next exec, it does not by itself
# authorize that transition, so the usual process transition and
# entrypoint rules for the target domain still apply.
#
define(`can_setexec',`
# Set the context for the next exec of this process.
allow $1 self:process setexec;
# Traverse /proc and read its files and symlinks (e.g. /proc/self).
allow $1 proc_t:dir search;
allow $1 proc_t:{ file lnk_file } read;
# Reach /proc/pid and write the attr/exec node.
allow $1 self:dir search;
allow $1 self:file { getattr read write };
')
##################################
#
# can_getcon(domain)
#
# Authorize a domain to get its context
# (via /proc/pid/attr/current).
#
# Read-only: unlike can_setcon this grants no write on the
# attr node and no setcurrent permission.
#
define(`can_getcon',`
# Traverse /proc and read its files and symlinks (e.g. /proc/self).
allow $1 proc_t:dir search;
allow $1 proc_t:{ file lnk_file } read;
# Reach /proc/pid and read the attr/current node.
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Querying the current context is a process getattr check.
allow $1 self:process getattr;
')
##################################
#
# can_setcon(domain)
#
# Authorize a domain to set its current context
# (via /proc/pid/attr/current).
#
# This is a dynamic (exec-less) domain change, so it is a stronger
# privilege than can_setexec. The rule below only allows the write;
# which target domains are reachable is decided by separate
# process dyntransition rules declared elsewhere.
#
define(`can_setcon',`
# Change the context of the running process.
allow $1 self:process setcurrent;
# Traverse /proc and read its files and symlinks (e.g. /proc/self).
allow $1 proc_t:dir search;
allow $1 proc_t:{ file lnk_file } read;
# Reach /proc/pid and write the attr/current node.
allow $1 self:dir search;
allow $1 self:file { getattr read write };
')
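##################################
#
# read_sysctl(domain, [full])
#
# Permissions for reading sysctl variables under /proc/sys.
# If the second parameter is the literal word full, allow
# reading of every sysctl type (sysctl_type); otherwise only
# the kernel sysctls (sysctl_kernel_t) are readable.
#
# The full form exposes every tunable on the system; prefer the
# default unless the domain genuinely needs more than
# /proc/sys/kernel.
#
define(`read_sysctl', `
# Read system variables in /proc/sys.
# The second argument is quoted so it is compared as literal text
# instead of being rescanned for macro names first.
ifelse(`$2',`full', `
allow $1 sysctl_type:dir r_dir_perms;
allow $1 sysctl_type:file r_file_perms;
', `
allow $1 sysctl_t:dir search;
allow $1 sysctl_kernel_t:dir search;
allow $1 sysctl_kernel_t:file { getattr read };
')

')dnl read_sysctl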
##################################
#
# can_setfscreate(domain)
#
# Authorize a domain to set its fscreate context
# (via /proc/pid/attr/fscreate).
#
# Lets the domain choose the label of files it creates next.
# The chosen label must still be permitted by the file create
# and associate rules that apply to the domain.
#
define(`can_setfscreate',`
# Set the context applied to subsequently created files.
allow $1 self:process setfscreate;
# Traverse /proc and read its files and symlinks (e.g. /proc/self).
allow $1 proc_t:dir search;
allow $1 proc_t:{ file lnk_file } read;
# Reach /proc/pid and write the attr/fscreate node.
allow $1 self:dir search;
allow $1 self:file { getattr read write };
')
#################################
#
# uses_shlib(domain)
#
# Permissions for using shared libraries.
#
# Grants read and execute (rx) on the dynamic loader and on
# shlib_t / texrel_shlib_t libraries, but no execmod: libraries
# needing text relocations must get that separately (see
# legacy_domain and the allow_execmod boolean in unconfined_domain).
#
define(`uses_shlib',`
# Search the directories on the default library path.
allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
# The dynamic loader itself.
allow $1 ld_so_t:file rx_file_perms;
#allow $1 ld_so_t:file execute_no_trans;
allow $1 ld_so_t:lnk_file r_file_perms;
# Shared libraries, including those built with text relocations.
allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
# ld.so.cache lookup.
allow $1 ld_so_cache_t:file r_file_perms;
# Every shared-library user also gets /dev/null and a search of /dev to reach it.
allow $1 device_t:dir search;
allow $1 null_device_t:chr_file rw_file_perms;
')
#################################
#
# can_exec_any(domain)
#
# Permissions for executing a variety
# of executable types.
#
# Broad: the exec_type rule covers the entrypoint binaries of every
# other domain, so the caller may run them in its own domain rather
# than transitioning. Intended for trusted or administrative domains;
# confined domains should use individual can_exec() calls instead.
#
define(`can_exec_any',`
# Search and read the directories that hold the binaries.
allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
# Anything that executes needs the loader and libraries.
uses_shlib($1)
can_exec($1, etc_t)
can_exec($1, lib_t)
can_exec($1, bin_t)
can_exec($1, sbin_t)
# All domain entrypoints, executed without a domain change.
can_exec($1, exec_type)
# Running the loader directly (ld.so program).
can_exec($1, ld_so_t)
')
#################################
#
# can_sysctl(domain)
#
# Permissions for modifying sysctl parameters.
#
# Writes every sysctl type, which includes kernel tunables
# that affect the security of the whole system. Grant it only
# to domains that must administer the kernel; a domain that
# needs one tunable should get a rule on that specific type.
#
define(`can_sysctl',`
allow $1 sysctl_type:dir r_dir_perms;
# setattr is included so permissions on the sysctl nodes can be changed.
allow $1 sysctl_type:file { setattr rw_file_perms };
')
##################################
#
# read_locale(domain)
#
# Permissions for reading the locale data,
# /etc/localtime and the files that it links to.
#
# Note that the lib_t file rule is wider than the locale data
# alone: it grants read on every lib_t file.
#
define(`read_locale', `
# /etc/localtime is normally a symlink.
allow $1 etc_t:lnk_file read;
allow $1 lib_t:file r_file_perms;
# Locale archives and message catalogs.
r_dir_file($1, locale_t)
')
###################################
#
# access_terminal(domain, typeprefix)
#
# Permissions for accessing the terminal.
#
# typeprefix is expanded to typeprefix_tty_device_t and
# typeprefix_devpts_t, which must already be declared (for
# example the prefix of a user domain). Access is read/write
# plus getattr and ioctl; no setattr or relabel on the terminal.
#
define(`access_terminal', `
# Serial/virtual console owned by the prefix.
allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
# /dev/tty, the controlling terminal.
allow $1 devtty_t:chr_file { read write getattr ioctl };
# Locate and use pseudo terminals of the prefix under /dev/pts.
allow $1 devpts_t:dir { read search getattr };
allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
') 
#
# general_proc_read_access(domain)
#
# Grant read/search permissions to most of /proc, excluding
# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
# The general_domain_access macro grants access to the domain /proc/PID
# directories, but not to other domains.  Only permissions to stat
# are granted for /proc/kmsg and /proc/kcore, since these files are more
# sensitive (kernel log and kernel memory image).
#
# Sysctl access is the default read_sysctl() form, i.e. kernel
# sysctls only.
#
define(`general_proc_read_access',`
# Read system information files in /proc.
r_dir_file($1, proc_t)
r_dir_file($1, proc_net_t)
allow $1 proc_mdstat_t:file r_file_perms;

# Stat /proc/kmsg and /proc/kcore.
# proc_fs is an attribute, so this covers every proc file type, but
# stat only; no read is granted here.
allow $1 proc_fs:file stat_file_perms;

# Read system variables in /proc/sys.
read_sysctl($1)
')
#
# base_file_read_access(domain)
#
# Grant read/search permissions to a few system file types.
#
# Covers /, /home (directory only), /usr, bin and sbin directories,
# kernel sysctls, the SELinux configuration and, when the
# read_default_t boolean is on, files labeled default_t.
#
define(`base_file_read_access',`
# Read /.
allow $1 root_t:dir r_dir_perms;
allow $1 root_t:notdevfile_class_set r_file_perms;

# Read /home.
# Only the top-level directory; user home content is not included.
allow $1 home_root_t:dir r_dir_perms;

# Read /usr.
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:notdevfile_class_set r_file_perms;

# Read bin and sbin directories.
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:notdevfile_class_set r_file_perms;
allow $1 sbin_t:dir r_dir_perms;
allow $1 sbin_t:notdevfile_class_set r_file_perms;
# Kernel sysctls only (default read_sysctl form).
read_sysctl($1)

# /etc/selinux configuration.
r_dir_file($1, selinux_config_t)

if (read_default_t) {
#
# Read default_t, the label given to files that match no more
# specific file context. Tunable because such files may be
# sensitive material that was simply never labeled.
#
allow $1 default_t:dir r_dir_perms;
allow $1 default_t:notdevfile_class_set r_file_perms;
}

')
#######################
# daemon_core_rules(domain_prefix, attribs)
#
# Define the core rules for a daemon, used by both daemon_base_domain() and
# init_service_domain().
# Attribs is the list of attributes which must start with "," if it is not empty
#
# Declares domain_prefix_t (with the domain, privlog and daemon
# attributes) and its entrypoint type domain_prefix_exec_t, and
# grants the minimum a daemon started by init needs: descriptors
# from init, shared libraries, /proc and /dev lookups, /dev/null.
# Several rules are dontaudit: they hide expected denials and grant
# nothing.
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`daemon_core_rules', `
type $1_t, domain, privlog, daemon $2;
# exec_type marks this as a domain entrypoint (see can_exec_any).
type $1_exec_t, file_type, sysadmfile, exec_type;
# Daemons commonly try to configure their tty; silence rather than allow it.
dontaudit $1_t self:capability sys_tty_config;

role system_r types $1_t;

# Inherit and use descriptors from init.
allow $1_t init_t:fd use;
allow $1_t init_t:process sigchld;
allow $1_t self:process { signal_perms fork };

uses_shlib($1_t)

allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;

allow $1_t device_t:dir r_dir_perms;
ifdef(`udev.te', `
allow $1_t udev_tdb_t:file r_file_perms;
')dnl end if udev.te
allow $1_t null_device_t:chr_file rw_file_perms;
# Daemons started from a console or a user shell inherit that
# terminal and those descriptors; the denials are expected noise,
# so they are suppressed without granting the access.
dontaudit $1_t console_device_t:chr_file rw_file_perms;
dontaudit $1_t unpriv_userdomain:fd use;

r_dir_file($1_t, sysfs_t) 

allow $1_t autofs_t:dir { search getattr };
ifdef(`targeted_policy', `
dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
dontaudit $1_t root_t:file { getattr read };
')dnl end if targeted_policy
 
')dnl end macro daemon_core_rules
#######################
# init_service_domain(domain_prefix, attribs)
#
# Define a domain for a program that is run from init
# Attribs is the list of attributes which must start with "," if it is not empty
#
# Differs from daemon_base_domain() in that the transition comes
# directly from init_t, not from initrc_t or sysadm_t, and no
# disable_trans tunable is created.
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`init_service_domain', `
daemon_core_rules($1, `$2')

# Executing the entrypoint from init_t enters the new domain.
domain_auto_trans(init_t, $1_exec_t, $1_t)
')dnl
#######################
# daemon_base_domain(domain_prefix, attribs, [nosysadm])
#
# Define a daemon domain with a base set of type declarations
# and permissions that are common to most daemons.
# attribs is the list of attributes which must start with "," if it is not empty
# If the third parameter is nosysadm, no transition from sysadm_t
# and no role_transition for sysadm_r are created (only relevant
# when direct_sysadm_daemon is defined).
# If attribs contains the word transitionbool, a boolean
# domain_prefix_disable_trans is declared; when it is on, initrc_t
# and sysadm_t run the binary in their own domain instead of
# transitioning, i.e. the daemon runs unconfined by this domain.
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`daemon_base_domain', `
daemon_core_rules($1, `$2')

rhgb_domain($1_t)

read_sysctl($1_t)

ifdef(`direct_sysadm_daemon', `
dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
')

#
# Allows user to define a tunable to disable domain transition
#
# When the attribs list contains transitionbool the transition rules
# below are wrapped in an if/else block. The closing brace is emitted
# by a second ifelse further down, so both tests must stay identical.
#
ifelse(index(`$2',`transitionbool'), -1, `', `
bool $1_disable_trans false;
if ($1_disable_trans) {
# Run the binary without a domain change: the daemon keeps the
# privileges of initrc_t or sysadm_t.
can_exec(initrc_t, $1_exec_t)
can_exec(sysadm_t, $1_exec_t)
} else {
') dnl transitionbool
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
# The daemon inherits the initrc_t environment, pending signals and
# rlimits unscrubbed: noatsecure means the new image is not marked
# AT_SECURE, so the dynamic loader honours LD_* variables from the
# parent. Acceptable only because initrc_t is a trusted parent.
allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
ifdef(`direct_sysadm_daemon', `
ifelse(`$3', `nosysadm', `', `
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
')dnl end nosysadm
')dnl end direct_sysadm_daemon
ifelse(index(`$2', `transitionbool'), -1, `', `
}
') dnl end transitionbool
ifdef(`direct_sysadm_daemon', `
ifelse(`$3', `nosysadm', `', `
# An administrator starting the daemon by hand lands in system_r.
role_transition sysadm_r $1_exec_t system_r;
')dnl end nosysadm
')dnl end direct_sysadm_daemon

# Descriptors from privileged parents (e.g. newrole) and the
# pseudo terminal initrc may hand down.
allow $1_t privfd:fd use;
ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
allow $1_t initrc_devpts_t:chr_file rw_file_perms;
')dnl
#######################
# var_run_domain(domain_prefix, [classes])
#
# Allow a domain to create its own files under /var/run and to create files
# in directories that are created for it.  $2 is an optional list of
# classes to use; default is file.
#
# Declares domain_prefix_var_run_t (pidfile attribute). Files of the
# given classes created by domain_prefix_t in var_run_t get that
# label automatically; other classes (e.g. sock_file) are not
# covered unless listed in the second parameter.
#
define(`var_run_domain', `
type $1_var_run_t, file_type, sysadmfile, pidfile;

ifelse(`$2', `', `
file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
', `
file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
')
# Reach /var/run and manage entries in a directory already labeled for this daemon.
allow $1_t var_t:dir search;
allow $1_t $1_var_run_t:dir rw_dir_perms;
')
#######################
# daemon_domain(domain_prefix, attribs, [nosysadm])
#
# Define a full daemon domain: daemon_base_domain() plus a pid file
# type under /var/run, terminal and filesystem stat access and
# locale data. The third parameter is passed through to
# daemon_base_domain() unchanged.
#
# Under targeted_policy the transitionbool attribute is always added,
# so every daemon gets a domain_prefix_disable_trans boolean that can
# turn its confinement off.
#
define(`daemon_domain', `
ifdef(`targeted_policy', `
daemon_base_domain($1, `$2, transitionbool', $3)
', `
daemon_base_domain($1, `$2', $3)
')
# Create pid file.
allow $1_t var_t:dir { getattr search };
var_run_domain($1)

allow $1_t devtty_t:chr_file rw_file_perms;

# for daemons that look at /root on startup
dontaudit $1_t sysadm_home_dir_t:dir search;

# for df
allow $1_t fs_type:filesystem getattr;
allow $1_t removable_t:filesystem getattr;

read_locale($1_t)

# for localization
allow $1_t lib_t:file { getattr read };
')dnl end daemon_domain macro
#######################
# uses_authbind(domain)
#
# Let a domain run authbind to bind privileged ports on its behalf.
# Executing authbind_exec_t transitions to authbind_t, which then
# needs to signal the caller, use its descriptors and operate on its
# TCP/UDP sockets. Only the socket operations are granted, so the
# caller does not itself need the net_bind_service capability.
#
define(`uses_authbind',
`domain_auto_trans($1, authbind_exec_t, authbind_t)
allow authbind_t $1:process sigchld;
allow authbind_t $1:fd use;
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
')
#######################
# daemon_sub_domain(parent_domain, child_prefix, attribs)
#
# Define a sub-domain. $1 is the full parent domain type (e.g.
# foo_t, or a set of domains), not a prefix; $2 is the prefix of
# the child, so $2_t and $2_exec_t are declared here. attribs is
# a list of extra attributes for the child which must start with
# "," if it is not empty.
#
define(`daemon_sub_domain', `
# $1 is the parent domain (or domains), $2_t is the child domain,
# and $3 is any attributes to apply to the child
type $2_t, domain, privlog, daemon $3;
type $2_exec_t, file_type, sysadmfile, exec_type;

role system_r types $2_t;

# Executing the child entrypoint from the parent enters the child domain.
domain_auto_trans($1, $2_exec_t, $2_t)

# Inherit and use descriptors from parent.
allow $2_t $1:fd use;
allow $2_t $1:process sigchld;

# No fork here, unlike daemon_core_rules.
allow $2_t self:process signal_perms;

uses_shlib($2_t)

allow $2_t { self proc_t }:dir r_dir_perms;
allow $2_t { self proc_t }:lnk_file read;

# Stat /dev only; no search, so device nodes are not reachable by default.
allow $2_t device_t:dir getattr;
')
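#######################
# tmp_domain(domain_prefix, attribs, [classes])
#
# Grant access to /tmp.
# By default, only plain files and dirs may be stored there.
# This can be overridden with a third parameter giving the
# object classes to transition (e.g. a braced class set).
# attribs is a list of extra attributes for the tmp type which
# must start with "," if it is not empty.
#
# Both branches of the ifelse quote the third argument, so it is
# compared and passed on as literal text rather than rescanned.
#
define(`tmp_domain', `
type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
ifelse(`$3', `',
`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
')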
#######################
# tmpfs_domain(domain_prefix)
#
# Declare domain_prefix_tmpfs_t for tmpfs and shared memory objects
# created by domain_prefix_t. No class list is given to the
# transition, so it presumably applies to every class the helper
# supports; confirm against the file_type_auto_trans definition.
#
define(`tmpfs_domain', `
type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
# Use this type when creating tmpfs/shm objects.
file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
# The new type must be allowed to live on a tmpfs filesystem.
allow $1_tmpfs_t tmpfs_t:filesystem associate;
')
#######################
# var_lib_domain(domain_prefix)
#
# Declare domain_prefix_var_lib_t (alias var_lib_domain_prefix_t)
# for state the daemon keeps under /var/lib. Plain files created in
# var_lib_t get the new label; the domain may manage a directory
# already labeled with it.
#
define(`var_lib_domain', `
type $1_var_lib_t, file_type, sysadmfile;
# Old naming kept for compatibility with existing file contexts.
typealias $1_var_lib_t alias var_lib_$1_t;
file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
allow $1_t $1_var_lib_t:dir rw_dir_perms;
')
#######################
# log_domain(domain_prefix)
#
# Declare domain_prefix_log_t (logfile attribute) and label plain
# files the daemon creates in /var/log with it. Read/write access
# is implied by the transition helper; see append_log_domain for the
# append-only alternative.
#
define(`log_domain', `
type $1_log_t, file_type, sysadmfile, logfile;
file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
')
#######################
# logdir_domain(domain_prefix)
#
# log_domain() plus management of a dedicated log directory that is
# already labeled domain_prefix_log_t, including changing its
# attributes.
#
define(`logdir_domain', `
log_domain($1)
allow $1_t $1_log_t:dir { setattr rw_dir_perms };
')
#######################
# etc_domain(domain_prefix)
#
# Declare domain_prefix_etc_t for the configuration files of the
# daemon. The daemon gets read-only access to them; the
# usercanread attribute marks the files as readable by users, so
# this type is not suitable for secrets.
#
define(`etc_domain', `
type $1_etc_t, file_type, sysadmfile, usercanread;
allow $1_t $1_etc_t:file r_file_perms;
')
#######################
# etcdir_domain(domain_prefix)
#
# etc_domain() plus read access to a configuration directory and
# the symlinks inside it. Still read-only for the daemon.
#
define(`etcdir_domain', `
etc_domain($1)
allow $1_t $1_etc_t:dir r_dir_perms;
allow $1_t $1_etc_t:lnk_file { getattr read };
')
#######################
# append_log_domain(domain_prefix)
#
# Append-only variant of log_domain(): the daemon may create its log
# files and append to them but receives no write permission, so it
# cannot truncate or rewrite earlier entries. Prefer this over
# log_domain() wherever the daemon only ever appends, since it keeps
# the log trustworthy if the daemon is compromised.
# (ra_* permission sets are defined elsewhere; read/append assumed
# from the name.)
#
define(`append_log_domain', `
type $1_log_t, file_type, sysadmfile, logfile;
allow $1_t var_log_t:dir ra_dir_perms;
allow $1_t $1_log_t:file  { create ra_file_perms };
# New files created in /var/log get the daemon log label.
type_transition $1_t var_log_t:file $1_log_t;
')
#######################
# append_logdir_domain(domain_prefix)
#
# append_log_domain() plus append access to a dedicated log directory
# already labeled domain_prefix_log_t, including setattr on it.
#
define(`append_logdir_domain', `
append_log_domain($1)
allow $1_t $1_log_t:dir { setattr ra_dir_perms };
')
#######################
# lock_domain(domain_prefix)
#
# Declare domain_prefix_lock_t (lockfile attribute) and label plain
# files the daemon creates in /var/lock with it.
#
define(`lock_domain', `
type $1_lock_t, file_type, sysadmfile, lockfile;
file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
')
####################################################################
# home_domain_ro_access(source, user, app)
#
# Gives source read access to the read-only home
# domain of app for the given user type.
#
# When the use_nfs_home_dirs or use_samba_home_dirs booleans are on,
# the nfs_t / cifs_t rules grant read access to everything carrying
# those labels, not only to home directories, because remote
# filesystems are labeled with a single type.
#

define(`home_domain_ro_access', `

allow $1 home_root_t:dir search;

if (use_nfs_home_dirs) {
r_dir_file($1, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file($1, cifs_t)
}
# Home directories may be automounted.
allow $1 autofs_t:dir { search getattr };

# The read-only application area in the home of the user.
r_dir_file($1, $2_$3_ro_home_t)

') dnl home_domain_ro_access
####################################################################
# home_domain_access(source, user, app)
#
# Gives source full access to the home
# domain of app for the given user type.
#
# When the use_nfs_home_dirs or use_samba_home_dirs booleans are on,
# the nfs_t / cifs_t rules grant create and write access to everything
# carrying those labels, not only to home directories, because remote
# filesystems are labeled with a single type. Review those booleans
# before giving this macro to a network-facing application.
#

define(`home_domain_access', `

allow $1 home_root_t:dir search;

if (use_nfs_home_dirs) {
create_dir_file($1, nfs_t)
}
if (use_samba_home_dirs) {
create_dir_file($1, cifs_t)
}
# Home directories may be automounted.
allow $1 autofs_t:dir { search getattr };

# Objects source creates in the home directory of the user get the
# application home label. No class list is passed, so the classes
# covered depend on the default of file_type_auto_trans.
file_type_auto_trans($1, $2_home_dir_t, $2_$3_home_t)

') dnl home_domain_access
####################################################################
# home_domain (prefix, app)
#
# Creates a domain in the prefix home where an application can
# store its settings. It is accessible by the prefix domain.
#
# The user domain prefix_t may create, relabel and fully manage the
# area; the application domain prefix_app_t gets the access described
# by home_domain_access().
#

define(`home_domain', `

# Declare home domain
# FIXME: the second alias is problematic because
# home_domain and home_domain_ro cannot be used in parallel
# (both declare the alias prefix_home_app_t for the same prefix/app).
# Remove the second alias when compatibility is no longer an issue

type $1_$2_home_t, file_type, $1_file_type, sysadmfile;
typealias $1_$2_home_t alias $1_$2_rw_t;
typealias $1_$2_home_t alias $1_home_$2_t;

# User side access
create_dir_file($1_t, $1_$2_home_t)
# The user may relabel into and out of the application area.
allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };

# App side access
home_domain_access($1_$2_t, $1, $2)
')
####################################################################
# home_domain_ro (user, app)
#
# Creates a read-only domain in the user home where an application can
# store its settings. It is fully accessible by the user, but
# it is read-only for the application.
#
# Use this for configuration the application should not be able to
# modify itself (the user manages it); use home_domain() for data the
# application writes.
#

define(`home_domain_ro', `

# Declare home domain
# FIXME: the second alias is problematic because
# home_domain and home_domain_ro cannot be used in parallel
# (both declare the alias user_home_app_t for the same user/app).
# Remove the second alias when compatibility is no longer an issue

type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
typealias $1_$2_ro_home_t alias $1_$2_ro_t;
typealias $1_$2_ro_home_t alias $1_home_$2_t;

# User side access
create_dir_file($1_t, $1_$2_ro_home_t)
# The user may relabel into and out of the application area.
allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };

# App side access
home_domain_ro_access($1_$2_t, $1, $2)
')
#######################
# application_domain(domain_prefix, attribs)
#
# Define a domain with a base set of type declarations
# and permissions that are common to simple applications.
# attribs is the list of attributes which must start with "," if it is not empty
#
# The domain is entered from sysadm_t only and runs in sysadm_r;
# see user_application_domain() for applications users may run.
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`application_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types $1_t;
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
uses_shlib($1_t)
')
#######################
# user_application_domain(domain_prefix, attribs)
#
# application_domain() that is additionally entered from any user
# domain (the userdomain attribute) and allowed in the user roles.
# attribs is the list of attributes which must start with "," if it is not empty
#
define(`user_application_domain', `
application_domain($1, `$2')
in_user_role($1_t)
domain_auto_trans(userdomain, $1_exec_t, $1_t)
')
#######################
# system_domain(domain_prefix, attribs)
#
# Define a minimal system_r domain with its entrypoint type, shared
# library access and read access to /etc directories. Unlike the
# daemon macros no transition rule is created; the caller decides
# which domains may enter it.
# attribs is the list of attributes which must start with "," if it is not empty
#
define(`system_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
role system_r types $1_t;
uses_shlib($1_t)
allow $1_t etc_t:dir r_dir_perms;
')
#######################
# file_browse_domain(domain)
#
# Do not flood the message log if the user does a browse.
# Every rule here is dontaudit: nothing is granted, the denials for
# stat and directory listing are simply not logged. Types carrying
# secure_file_type stay audited so probing of sensitive files remains
# visible.
#
define(`file_browse_domain', `

# Regular files/directories that are not security sensitive
dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
dontaudit $1 file_type - secure_file_type:dir { read search };

# /dev
dontaudit $1 dev_fs:dir_file_class_set getattr;
dontaudit $1 dev_fs:dir { read search };

# /proc
dontaudit $1 sysctl_t:dir_file_class_set getattr;
dontaudit $1 proc_fs:dir { read search };

')dnl end file_browse_domain
#######################
# legacy_domain(domain_prefix)
#
# Define legacy_domain for legacy binaries (java).
# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
# toolchain.  They cause the kernel to automatically start translating all
# read protection requests to read|execute for backward compatibility on
# x86.  They will all need execmem and execmod, including execmod to
# shlib_t and ld_so_t unlike non-legacy binaries.
#
# These permissions remove the W^X guarantees for the domain
# (writable memory may be made executable, and library text may be
# modified in place), so apply it only where the binary really
# requires it.
#

define(`legacy_domain', `
allow $1_t self:process { execmem };
allow $1_t { texrel_shlib_t shlib_t }:file execmod;
allow $1_t ld_so_t:file execmod;
# Presumably the cache gets mapped executable by the legacy loader path; confirm.
allow $1_t ld_so_cache_t:file execute;
')
#######################
# unconfined_domain(domain)
#
# Define a domain that can do anything, so that it is
# effectively unconfined by the SELinux policy.  This
# means that it is only restricted by the normal Linux
# protections.  Note that you may need to add further rules
# to allow other domains to interact with this domain as expected,
# since this macro only allows the specified domain to act upon
# all other domains and types, not vice versa.
#
# The few things still withheld are deliberate: execmod on files
# and execmem are gated by the allow_execmod / allow_execmem
# booleans, transitions to other domains are not granted here, and
# policy load, setenforce and boolean changes are audited even
# though they are allowed.
#
define(`unconfined_domain', `

typeattribute $1 unrestricted;

# Mount/unmount any filesystem.
allow $1 fs_type:filesystem *;

# Mount/unmount any filesystem with the context= option.
allow $1 file_type:filesystem *;

# Create/access any file in a labeled filesystem;
# execmod is excluded here and handled by the allow_execmod block below.
allow $1 file_type:{ file chr_file } ~execmod;
allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
allow $1 sysctl_t:{ dir file } *;
allow $1 device_type:devfile_class_set *;
allow $1 mtrr_device_t:file *;

# Create/access other files.  fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem
# and its files.
allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
allow $1 proc_fs:{ dir file } *;

# For /proc/pid
r_dir_file($1,domain)
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;

# Read and write sysctls.
can_sysctl($1)

# Access the network.
allow $1 node_type:node *;
allow $1 netif_type:netif *;
allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };

# Bind to any network address.
allow $1 port_type:{ tcp_socket udp_socket } name_bind;
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;

# Use/sendto/connectto sockets created by any domain.
allow $1 domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.
allow $1 domain:fd use;
allow $1 domain:fifo_file rw_file_perms;

# Act upon any other process.
# transition and dyntransition are left to explicit rules; execmem
# is gated by the boolean below.
allow $1 domain:process ~{ transition dyntransition execmem };
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;

if (allow_execmem) {
# Allow loading DSOs that require executable stack.
allow $1 self:process execmem;
}

if (allow_execmod) {
# Allow text relocations on system shared libraries, e.g. libGL.
# Only texrel_shlib_t, not all of file_type.
allow $1 texrel_shlib_t:file execmod;
}

# Create/access any System V IPC objects.
allow $1 domain:{ sem msgq shm } *;
allow $1 domain:msg  { send receive };

# Access the security API.
allow $1 security_t:security *;
# Allowed, but logged: these operations change the enforcement state
# of the system and deserve an audit trail.
auditallow $1 security_t:security { load_policy setenforce setbool };

# Perform certain system operations that lacked individual capabilities.
allow $1 kernel_t:system *;

# Use any Linux capability.
allow $1 self:capability *;

# Set user information and skip authentication.
allow $1 self:passwd *;

# Communicate via dbusd.
allow $1 self:dbus *;
ifdef(`dbusd.te', `
allow $1 system_dbusd_t:dbus *;
')

# Get info via nscd.
allow $1 self:nscd *;
ifdef(`nscd.te', `
allow $1 nscd_t:nscd *;
')

')dnl end unconfined_domain