policy_module(kernel,1.0) # assertion related attributes attribute can_load_policy; attribute can_setenforce; attribute can_setsecparam; attribute can_load_kernmodule; attribute can_receive_kernel_messages; # constraint related attributes attribute can_change_process_identity; attribute can_change_process_role; attribute can_change_object_identity; # # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. # type kernel_t, can_load_kernmodule, can_load_policy; role system_r types kernel_t; domain_make_domain(kernel_t) sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127) # # unlabeled_t is the type of unlabeled objects. # Objects that have no known labeling information or that # have labels that are no longer valid are treated as having this type. # type unlabeled_t; sid unlabeled context_template(system_u:object_r:unlabeled_t,s0) # These initial sids are no longer used, and can be removed: sid any_socket context_template(system_u:object_r:unlabeled_t,s0) sid file_labels context_template(system_u:object_r:unlabeled_t,s0) sid icmp_socket context_template(system_u:object_r:unlabeled_t,s0) sid igmp_packet context_template(system_u:object_r:unlabeled_t,s0) sid init context_template(system_u:object_r:unlabeled_t,s0) sid kmod context_template(system_u:object_r:unlabeled_t,s0) sid netmsg context_template(system_u:object_r:unlabeled_t,s0) sid policy context_template(system_u:object_r:unlabeled_t,s0) sid scmp_packet context_template(system_u:object_r:unlabeled_t,s0) sid sysctl_modprobe context_template(system_u:object_r:unlabeled_t,s0) sid sysctl_fs context_template(system_u:object_r:unlabeled_t,s0) sid sysctl_kernel context_template(system_u:object_r:unlabeled_t,s0) sid sysctl_net context_template(system_u:object_r:unlabeled_t,s0) sid sysctl_net_unix context_template(system_u:object_r:unlabeled_t,s0) sid sysctl_vm context_template(system_u:object_r:unlabeled_t,s0) sid sysctl_dev context_template(system_u:object_r:unlabeled_t,s0) sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0) # # security_t is the target type when checking # the permissions in the security class. It is also # applied to selinuxfs inodes. # type security_t; fs_make_fs(security_t) sid security context_template(system_u:object_r:security_t,s0) genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) # # sysfs_t is the type for /sys # type sysfs_t; files_make_mountpoint(sysfs_t) fs_make_fs(sysfs_t) genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) # # usbfs_t is the type for /proc/bus/usb # type usbfs_t alias usbdevfs_t; files_make_mountpoint(usbfs_t) fs_make_fs(usbfs_t) genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) # # Procfs types # type proc_t; files_make_mountpoint(proc_t) fs_make_fs(proc_t) genfscon proc / context_template(system_u:object_r:proc_t,s0) genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0) # kernel message interface type proc_kmsg_t; genfscon proc /kmsg context_template(system_u:object_r:proc_kmsg_t,s0) neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; # /proc kcore: inaccessible type proc_kcore_t; neverallow * proc_kcore_t:file ~getattr; genfscon proc /kcore context_template(system_u:object_r:proc_kcore_t,s0) type proc_mdstat_t; genfscon proc /mdstat context_template(system_u:object_r:proc_mdstat_t,s0) type proc_net_t; genfscon proc /net context_template(system_u:object_r:proc_net_t,s0) # # Sysctl types # # /proc/irq directory and files type sysctl_irq_t; genfscon proc /irq context_template(system_u:object_r:sysctl_irq_t,s0) # /proc/net/rpc directory and files type sysctl_rpc_t; genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0) # /proc/sys directory, base directory of sysctls type sysctl_t; files_make_mountpoint(sysctl_t) sid sysctl context_template(system_u:object_r:sysctl_t,s0) genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0) # /proc/sys/fs directory and files type sysctl_fs_t; files_make_mountpoint(sysctl_fs_t) genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0) # /proc/sys/kernel directory and files type sysctl_kernel_t; genfscon proc /sys/kernel context_template(system_u:object_r:sysctl_kernel_t,s0) # /proc/sys/kernel/modprobe file type sysctl_modprobe_t; genfscon proc /sys/kernel/modprobe context_template(system_u:object_r:sysctl_modprobe_t,s0) # /proc/sys/kernel/hotplug file type sysctl_hotplug_t; genfscon proc /sys/kernel/hotplug context_template(system_u:object_r:sysctl_hotplug_t,s0) # /proc/sys/net directory and files type sysctl_net_t; genfscon proc /sys/net context_template(system_u:object_r:sysctl_net_t,s0) # /proc/sys/net/unix directory and files type sysctl_net_unix_t; genfscon proc /sys/net/unix context_template(system_u:object_r:sysctl_net_unix_t,s0) # /proc/sys/vm directory and files type sysctl_vm_t; genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0) # /proc/sys/dev directory and files type sysctl_dev_t; genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0) ######################################## # # kernel local policy # # Use capabilities. need to investigate which capabilities are actually used allow kernel_t self:capability *; # Other possible mount points for the root fs are in files allow kernel_t unlabeled_t:dir mounton; # old general_domain_access() allow kernel_t self:shm create_shm_perms; allow kernel_t self:sem create_sem_perms; allow kernel_t self:msg { send receive }; allow kernel_t self:msgq create_msgq_perms; allow kernel_t self:unix_dgram_socket create_socket_perms; allow kernel_t self:unix_stream_socket create_stream_socket_perms; allow kernel_t self:unix_dgram_socket sendto; allow kernel_t self:unix_stream_socket connectto; allow kernel_t self:fifo_file rw_file_perms; allow kernel_t self:fd use; # old general_proc_read_access(): allow kernel_t proc_t:dir r_dir_perms; allow kernel_t proc_t:{ lnk_file file } r_file_perms; allow kernel_t proc_net_t:dir r_dir_perms; allow kernel_t proc_net_t:file r_file_perms; allow kernel_t proc_mdstat_t:file r_file_perms; allow kernel_t proc_kcore_t:file getattr; allow kernel_t proc_kmsg_t:file getattr; allow kernel_t sysctl_t:dir r_dir_perms; allow kernel_t sysctl_kernel_t:dir r_dir_perms; allow kernel_t sysctl_kernel_t:file r_file_perms; allow kernel_t security_t:dir r_dir_perms; allow kernel_t security_t:file rw_file_perms; allow kernel_t security_t:security load_policy; auditallow kernel_t security_t:security load_policy; corecommands_execute_shell(kernel_t) corecommands_read_system_programs_directory(kernel_t) files_read_root_dir(kernel_t) files_list_home_directories(kernel_t) files_read_general_application_resources(kernel_t) init_sigchld(kernel_t) libraries_use_dynamic_loader(kernel_t) libraries_use_shared_libraries(kernel_t) selinux_read_config(kernel_t) selinux_read_binary_policy(kernel_t) terminal_use_console(kernel_t) domain_signal_all_domains(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. corecommands_execute_general_programs(kernel_t) logging_send_system_log_message(kernel_t) # Kernel-generated traffic, e.g. ICMP replies. corenetwork_sendrecv_raw_on_all_interfaces(kernel_t) corenetwork_sendrecv_raw_on_all_nodes(kernel_t) # Kernel-generated traffic, e.g. TCP resets. corenetwork_sendrecv_tcp_on_all_interfaces(kernel_t) corenetwork_sendrecv_tcp_on_all_nodes(kernel_t) neverallow ~can_load_policy security_t:security load_policy; neverallow ~can_setenforce security_t:security setenforce; neverallow ~can_setsecparam security_t:security setsecparam; # enabling dyntransition breaks process tranquility. If you dont # know what this means or dont understand the implications of a # dynamic transition, you shouldnt be using it!!! neverallow * *:process { setcurrent dyntransition }; neverallow ~can_load_kernmodule *:capability sys_module; ######################################## # # Unlabeled process local policy # # If you load a new policy that removes active domains, processes can # get stuck if you do not allow unlabeled processes to signal init. # If you load an incompatible policy, you should probably reboot, # since you may have compromised system security. init_sigchld(unlabeled_t)