Blob Blame History Raw

policy_module(domain,1.1.0)

########################################
#
# Declarations
#

# Mark process types as domains
attribute domain;

# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined
attribute unconfined_domain_type;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# enabling setcurrent breaks process tranquility.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt;	# add userhelperdomain to this one

neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

########################################
#
# Rules applied to all domains
#

# read /proc/pid entries
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;

# create child processes in the domain
allow domain self:process { fork sigchld };

# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)

ifdef(`targeted_policy',`
	# RBAC is disabled in the targeted policy,
	# as only one role is used, system_r.
	role system_r types domain;

	# FIXME:
	# workaround until role dominance is fixed in
	# the module compiler
	role secadm_r types domain;
	role sysadm_r types domain;
	role user_r types domain;
	role staff_r types domain;
')

tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	dev_read_urand(domain)
')