Blob Blame History Raw
##############################
#
# Assertions for the type enforcement (TE) configuration.
#

#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#

##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow, 
# but support for the other kinds of vectors could be easily added.  Access 
# vector assertions use the same syntax as access vector rules.
#

# Confined domains must never touch an unconfined domain except to
# send SIGCHLD for child termination notifications.
neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;

# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };

#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition};

# for gross mistakes in policy
neverallow domain domain:dir ~r_dir_perms;
neverallow domain domain:file_class_set ~rw_file_perms;
neverallow domain file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;