Blob Blame History Raw
## <summary>Core policy for domains.</summary>
## <required val="true">
##	Contains the concept of a domain.
## </required>

########################################
## <summary>
##	Make the specified type usable as a basic domain.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable as a basic domain.
##	</p>
##	<p>
##	This is primarily used for kernel threads;
##	generally the domain_type() interface is
##	more appropriate for userland processes.
##	</p>
## </desc>
## <param name="type">
##	Type to be used as a basic domain type.
## </param>
#
interface(`domain_base_type',`
	gen_require(`
		attribute domain;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
		class file rw_file_perms;
		class process { fork sigchld };
	')

	# mark as a domain
	typeattribute $1 domain;

	# allow the domain to read its /proc/pid entries
	allow $1 self:dir r_dir_perms;
	allow $1 self:lnk_file r_file_perms;
	allow $1 self:file rw_file_perms;

	# allow $1 to create child processes in this domain
	allow $1 self:process { fork sigchld };

	ifdef(`targeted_policy',`
		tunable_policy(`allow_execmem',`
			allow $1 self:process execmem;
		')

		# FIXME:
		# hack until role dominance is fixed in
		# the module compiler
		role secadm_r types $1;
		role sysadm_r types $1;
		role user_r types $1;
		role staff_r types $1;
	')
')

########################################
## <summary>
##	Make the specified type usable as a domain.
## </summary>
## <param name="type">
##	Type to be used as a domain type.
## </param>
#
interface(`domain_type',`
	# start with basic domain
	domain_base_type($1)

	# Use trusted objects in /dev
	dev_rw_null_dev($1)
	dev_rw_zero_dev($1)
	term_use_controlling_term($1)

	# read the root directory
	files_list_root($1)

	# send init a sigchld and signull
	init_sigchld($1)
	init_signull($1)

	ifdef(`targeted_policy',`
		unconfined_use_fd($1)
		unconfined_sigchld($1)
	')

	tunable_policy(`allow_ptrace',`
		userdom_sigchld_sysadm($1)
	')

	# allow any domain to connect to the LDAP server
	optional_policy(`ldap.te',`
		ldap_use($1)
	')

	# these 3 seem highly questionable:
	optional_policy(`rpm.te',`
		rpm_use_fd($1)
		rpm_read_pipe($1)
	')

	optional_policy(`selinux.te',`
		selinux_dontaudit_read_fs($1)
	')

	optional_policy(`selinuxutil.te',`
		seutil_dontaudit_read_config($1)
	')
')

########################################
## <summary>
##	Make the specified type usable as
##	an entry point for the domain.
## </summary>
## <param name="domain">
##	Domain to be entered.
## </param>
## <param name="type">
##	Type of program used for entering
##	the domain.
## </param>
#
interface(`domain_entry_file',`
	gen_require(`
		attribute entry_type;
		class file entrypoint;
	')

	files_type($2)

	allow $1 $2:file entrypoint;
	allow $1 $2:file rx_file_perms;

	typeattribute $2 entry_type;
')

########################################
#
# domain_wide_inherit_fd(domain)
#
interface(`domain_wide_inherit_fd',`
	gen_require(`
		attribute privfd;
	')

	typeattribute $1 privfd;
')

########################################
#
# domain_dyntrans_type(domain)
#
interface(`domain_dyntrans_type',`
	gen_require(`
		attribute set_curr_context;
	')

	typeattribute $1 set_curr_context;
')

########################################
## <summary>
##	Makes caller and execption to the constraint
##	preventing changing to the system user
##	identity and system role.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_system_change_exempt',`
	gen_require(`
		attribute can_system_change;
	')

	typeattribute $1 can_system_change;
')

########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing of user identity.
## </summary>
## <param name="domain">
##	The process type to make an exception to the constraint.
## </param>
#
interface(`domain_subj_id_change_exempt',`
	gen_require(`
		attribute can_change_process_identity;
	')

	typeattribute $1 can_change_process_identity;
')

########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing of role.
## </summary>
## <param name="domain">
##	The process type to make an exception to the constraint.
## </param>
#
interface(`domain_role_change_exempt',`
	gen_require(`
		attribute can_change_process_role;
	')

	typeattribute $1 can_change_process_role;
')

########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing the user identity in object contexts.
## </summary>
## <param name="domain">
##	The process type to make an exception to the constraint.
## </param>
#
interface(`domain_obj_id_change_exempt',`
	gen_require(`
		attribute can_change_object_identity;
	')

	typeattribute $1 can_change_object_identity;
')

########################################
## <summary>
##	Make the specified domain the target of
##	the user domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>
##	Make the specified domain the target of
##	the user domain exception of the
##	SELinux role and identity change
##	constraints.
##	</p>
##	<p>
##	This interface is needed to decouple
##	the user domains from the base module.
##	It should not be used other than on
##	user domains.
##	</p>
## </desc>
## <param name="domain">
##	Domain target for user exemption.
## </param>
#
interface(`domain_user_exemption_target',`
	gen_require(`
		attribute process_user_target;
	')

	typeattribute $1 process_user_target;
')

########################################
## <summary>
##	Make the specified domain the source of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>
##	Make the specified domain the source of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
##	</p>
##	<p>
##	This interface is needed to decouple
##	the cron domains from the base module.
##	It should not be used other than on
##	cron domains.
##	</p>
## </desc>
## <param name="domain">
##	Domain target for user exemption.
## </param>
#
interface(`domain_cron_exemption_source',`
	gen_require(`
		attribute cron_source_domain;
	')

	typeattribute $1 cron_source_domain;
')

########################################
## <summary>
##	Make the specified domain the target of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>
##	Make the specified domain the target of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
##	</p>
##	<p>
##	This interface is needed to decouple
##	the cron domains from the base module.
##	It should not be used other than on
##	user cron jobs.
##	</p>
## </desc>
## <param name="domain">
##	Domain target for user exemption.
## </param>
#
interface(`domain_cron_exemption_target',`
	gen_require(`
		attribute cron_job_domain;
	')

	typeattribute $1 cron_job_domain;
')

########################################
#
# domain_use_wide_inherit_fd(domain)
#
interface(`domain_use_wide_inherit_fd',`
	gen_require(`
		attribute privfd;
		class fd use;
	')

	allow $1 privfd:fd use;
')

########################################
#
# domain_dontaudit_use_wide_inherit_fd(domain)
#
interface(`domain_dontaudit_use_wide_inherit_fd',`
	gen_require(`
		attribute privfd;
		class fd use;
	')

	dontaudit $1 privfd:fd use;
')

########################################
## <summary>
##	Send a SIGCHLD signal to domains whose file
##	discriptors are widely inheritable.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
# cjp: this was added because of newrole
interface(`domain_sigchld_wide_inherit_fd',`
	gen_require(`
		attribute privfd;
	')

	allow $1 privfd:process sigchld;
')

########################################
#
# domain_setpriority_all_domains(domain)
#
interface(`domain_setpriority_all_domains',`
	gen_require(`
		attribute domain;
		class process setsched;
	')

	allow $1 domain:process setsched;
')

########################################
## <summary>
##	Send general signals to all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_signal_all_domains',`
	gen_require(`
		attribute domain;
		class process signal;
	')

	allow $1 domain:process signal;
')

########################################
## <summary>
##	Send a null signal to all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_signull_all_domains',`
	gen_require(`
		attribute domain;
		class process signull;
	')

	allow $1 domain:process signull;
')

########################################
## <summary>
##	Send a stop signal to all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_sigstop_all_domains',`
	gen_require(`
		attribute domain;
		class process sigstop;
	')

	allow $1 domain:process sigstop;
')

########################################
## <summary>
##	Send a child terminated signal to all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_sigchld_all_domains',`
	gen_require(`
		attribute domain;
		class process sigchld;
	')

	allow $1 domain:process sigchld;
')

########################################
## <summary>
##	Send a kill signal to all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_kill_all_domains',`
	gen_require(`
		attribute domain;
		class process sigkill;
		class capability kill;
	')

	allow $1 domain:process sigkill;
	allow $1 self:capability kill;
')
########################################
## <summary>
##	Search the process state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_search_all_domains_state',`
	gen_require(`
		attribute domain;
		class dir search;
	')

	kernel_search_proc($1)
	allow $1 domain:dir search;
')

########################################
## <summary>
##	Read the process state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_read_all_domains_state',`
	gen_require(`
		attribute domain;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
		class file r_file_perms;
	')

	kernel_search_proc($1)
	allow $1 domain:dir r_dir_perms;
	allow $1 domain:lnk_file r_file_perms;
	allow $1 domain:file r_file_perms;
')

########################################
## <summary>
##	Get the attributes of all domains of all domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_getattr_all_domains',`
	gen_require(`
		attribute domain;
		class process getattr;
	')

	allow $1 domain:process getattr;
')

########################################
## <summary>
##	Read the process state (/proc/pid) of all confined domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_read_confined_domains_state',`
	gen_require(`
		attribute domain, unconfined_domain;
	')

	kernel_search_proc($1)
	allow $1 { domain -unconfined_domain }:dir r_dir_perms;
	allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
	allow $1 { domain -unconfined_domain }:file r_file_perms;
	allow $1 { domain -unconfined_domain }:process getattr;

	dontaudit $1 unconfined_domain:dir search;
	dontaudit $1 unconfined_domain:file { getattr read };
')

########################################
## <summary>
##	Get the attributes of all confined domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_getattr_confined_domains',`
	gen_require(`
		attribute domain, unconfined_domain;
		class process getattr;
	')

	allow $1 { domain -unconfined_domain }:process getattr;
')

########################################
## <summary>
##	Ptrace all domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_ptrace_all_domains',`
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process ptrace;
')

########################################
## <summary>
##	Do not audit attempts to ptrace all domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to ptrace all domains.
##	</p>
##	<p>
##	Generally this needs to be suppressed because procps tries to access
##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
##	(2.4 and 2.6).
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_dontaudit_ptrace_all_domains',`
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:process ptrace;
')

########################################
## <summary>
##	Do not audit attempts to ptrace confined domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to ptrace confined domains.
##	</p>
##	<p>
##	Generally this needs to be suppressed because procps tries to access
##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
##	(2.4 and 2.6).
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_dontaudit_ptrace_confined_domains',`
	gen_require(`
		attribute domain, unconfined_domain;
		class process ptrace;
	')

	dontaudit $1 { domain -unconfined_domain }:process ptrace;
')

########################################
## <summary>
##	Do not audit attempts to read the process
##	state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_read_all_domains_state',`
	gen_require(`
		attribute domain;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
		class file r_file_perms;
	')

	dontaudit $1 domain:dir r_dir_perms;
	dontaudit $1 domain:lnk_file r_file_perms;
	dontaudit $1 domain:file r_file_perms;
	dontaudit $1 domain:process getattr;
')

########################################
## <summary>
##	Do not audit attempts to read the process state
##	directories of all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_list_all_domains_proc',`
	gen_require(`
		attribute domain;
		class dir r_dir_perms;
	')

	dontaudit $1 domain:dir r_dir_perms;
')

########################################
## <summary>
##	Get the session ID of all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_getsession_all_domains',`
	gen_require(`
		attribute domain;
		class process getsession;
	')

	allow $1 domain:process getsession;
')

########################################
## <summary>
##	Do not audit attempts to get the
##	session ID of all domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getsession_all_domains',`
	gen_require(`
		attribute domain;
		class process getsession;
	')

	dontaudit $1 domain:process getsession;
')

########################################
## <summary>
##	Get the attributes of all domains
##	sockets, for all socket types.
## </summary>
## <desc>
##	<p>
##	Get the attributes of all domains
##	sockets, for all socket types.
##	</p>
##	<p>
##	This is commonly used for domains
##	that can use lsof on all domains.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_getattr_all_sockets',`
	gen_require(`
		gen_require_set(getattr,socket_class_set)
	')

	allow $1 domain:socket_class_set getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains sockets, for all socket types.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to get the attributes
##	of all domains sockets, for all socket types.
##	</p>
##	<p>
##	This interface was added for PCMCIA cardmgr
##	and is probably excessive.
##	</p>
## </desc>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`domain_dontaudit_getattr_all_sockets',`
	gen_require(`
		gen_require_set(getattr,socket_class_set)
	')

	dontaudit $1 domain:socket_class_set getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains TCP sockets.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
	gen_require(`
		attribute domain;
		class tcp_socket getattr;
	')

	dontaudit $1 domain:tcp_socket getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains UDP sockets.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_udp_sockets',`
	gen_require(`
		attribute domain;
		class udp_socket getattr;
	')

	dontaudit $1 domain:udp_socket getattr;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	all domains UDP sockets.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_rw_all_udp_sockets',`
	gen_require(`
		attribute domain;
		class udp_socket { read write };
	')

	dontaudit $1 domain:udp_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to get attribues of
##	all domains IPSEC key management sockets.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_key_sockets',`
	gen_require(`
		attribute domain;
		class key_socket { read write };
	')

	dontaudit $1 domain:key_socket getattr;
')
########################################
## <summary>
##	Do not audit attempts to read or write
##	all domains key sockets.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_rw_all_key_sockets',`
	gen_require(`
		attribute domain;
		class key_socket { read write };
	')

	dontaudit $1 domain:key_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains unix datagram sockets.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
	gen_require(`
		attribute domain;
		class unix_dgram_socket getattr;
	')

	dontaudit $1 domain:unix_dgram_socket getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains unnamed pipes.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
	gen_require(`
		attribute domain;
		class fifo_file getattr;
	')

	dontaudit $1 domain:fifo_file getattr;
')

########################################
## <summary>
##	Get the attributes of entry point
##	files for all domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`domain_getattr_all_entry_files',`
	gen_require(`
		attribute entry_type;
		class file getattr;
		class lnk_file r_file_perms;
	')

	allow $1 entry_type:lnk_file getattr;
	allow $1 entry_type:file r_file_perms;
')

########################################
#
# domain_read_all_entry_files(domain)
#
interface(`domain_read_all_entry_files',`
	gen_require(`
		attribute entry_type;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	allow $1 entry_type:lnk_file r_file_perms;
	allow $1 entry_type:file r_file_perms;
')

########################################
#
# domain_exec_all_entry_files(domain)
#
interface(`domain_exec_all_entry_files',`
	gen_require(`
		attribute entry_type;
	')

	can_exec($1,entry_type)
')

########################################
## <summary>
##	Unconfined access to domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`domain_unconfined',`
	gen_require(`
		attribute domain, set_curr_context;
		attribute can_change_process_identity;
		attribute can_change_process_role;
		attribute can_change_object_identity;
		attribute unconfined_domain;
	')

	typeattribute $1 unconfined_domain;

	# pass all constraints
	typeattribute $1 can_change_process_identity;
	typeattribute $1 can_change_process_role;
	typeattribute $1 can_change_object_identity;
	typeattribute $1 set_curr_context;

	# Use/sendto/connectto sockets created by any domain.
	allow $1 domain:{ socket_class_set socket key_socket } *;

	# Use descriptors and pipes created by any domain.
	allow $1 domain:fd use;
	allow $1 domain:fifo_file rw_file_perms;

	# Act upon any other process.
	allow $1 domain:process ~{ transition dyntransition execmem };

	# Create/access any System V IPC objects.
	allow $1 domain:{ sem msgq shm } *;
	allow $1 domain:msg { send receive };

	# For /proc/pid
	allow $1 domain:dir r_dir_perms;
	allow $1 domain:file r_file_perms;
	allow $1 domain:lnk_file r_file_perms;
')

#
# These next macros are not templates, but actually are 
# support macros.  Due to the domain_ prefix, they 
# are placed in this module, to try to prevent confusion.
# They are called templates since regular m4 defines
# wont work here.
#

########################################
#
# domain_trans(source_domain,entrypoint_file,target_domain)
#
template(`domain_trans',`
	allow $1 $2:file { getattr read execute };
	allow $1 $3:process transition;
	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')

########################################
#
# domain_auto_trans(source_domain,entrypoint_file,target_domain)
#
template(`domain_auto_trans',`
	domain_trans($1,$2,$3)
	type_transition $1 $2:process $3;
')