Blob Blame History Raw
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#

#################################
#
# Rules for the kernel_t domain.
#

#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
# 
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
can_exec(kernel_t, shell_exec_t)

# Use capabilities.
allow kernel_t self:capability *;

r_dir_file(kernel_t, sysfs_t)
allow kernel_t { usbfs_t usbdevfs_t }:dir search;

# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)

ifdef(`mls_policy', `
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s9:c0.c127;
')

# Share state with the init process.
allow kernel_t init_t:process share;

# Mount and unmount file systems.
allow kernel_t fs_type:filesystem mount_fs_perms;

# Send signal to any process.
allow kernel_t domain:process signal;
allow kernel_t domain:dir search;

# Access the console.
allow kernel_t device_t:dir search;
allow kernel_t console_device_t:chr_file rw_file_perms;

# Access the initrd filesystem.
allow kernel_t file_t:chr_file rw_file_perms;
can_exec(kernel_t, file_t)
ifdef(`chroot.te', `
can_exec(kernel_t, chroot_exec_t)
')
allow kernel_t self:capability sys_chroot;

allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };

# Lookup the policy.
allow kernel_t policy_config_t:dir r_dir_perms;

# Load the policy configuration.
can_loadpol(kernel_t)

# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)

ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
')