2005-10-21 18:05:21 +00:00
|
|
|
|
|
|
|
##############################
|
|
|
|
#
|
|
|
|
# core macros for the type enforcement (TE) configuration.
|
|
|
|
#
|
|
|
|
|
|
|
|
#
|
|
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil>, Timothy Fraser
|
|
|
|
# Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
|
|
|
|
# Russell Coker <russell@coker.com.au>
|
|
|
|
#
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# Macros for groups of classes and
|
|
|
|
# groups of permissions.
|
|
|
|
#
|
|
|
|
|
|
|
|
#
|
|
|
|
# All directory and file classes
|
|
|
|
#
|
|
|
|
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# All non-directory file classes.
|
|
|
|
#
|
|
|
|
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Non-device file classes.
|
|
|
|
#
|
|
|
|
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Device file classes.
|
|
|
|
#
|
|
|
|
define(`devfile_class_set', `{ chr_file blk_file }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# All socket classes.
|
|
|
|
#
|
|
|
|
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Datagram socket classes.
|
|
|
|
#
|
|
|
|
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Stream socket classes.
|
|
|
|
#
|
|
|
|
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Unprivileged socket classes (exclude rawip, netlink, packet).
|
|
|
|
#
|
|
|
|
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for getting file attributes.
|
|
|
|
#
|
|
|
|
define(`stat_file_perms', `{ getattr }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for executing files.
|
|
|
|
#
|
|
|
|
define(`x_file_perms', `{ getattr execute }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for reading files and their attributes.
|
|
|
|
#
|
|
|
|
define(`r_file_perms', `{ read getattr lock ioctl }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for reading and executing files.
|
|
|
|
#
|
|
|
|
define(`rx_file_perms', `{ read getattr lock execute ioctl }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for reading and writing files and their attributes.
|
|
|
|
#
|
|
|
|
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for reading and appending to files.
|
|
|
|
#
|
|
|
|
define(`ra_file_perms', `{ ioctl read getattr lock append }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for linking, unlinking and renaming files.
|
|
|
|
#
|
|
|
|
define(`link_file_perms', `{ getattr link unlink rename }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating lnk_files.
|
|
|
|
#
|
|
|
|
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating and using files.
|
|
|
|
#
|
|
|
|
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for reading directories and their attributes.
|
|
|
|
#
|
|
|
|
define(`r_dir_perms', `{ read getattr lock search ioctl }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for reading and writing directories and their attributes.
|
|
|
|
#
|
|
|
|
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for reading and adding names to directories.
|
|
|
|
#
|
|
|
|
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating and using directories.
|
|
|
|
#
|
|
|
|
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions to mount and unmount file systems.
|
|
|
|
#
|
|
|
|
define(`mount_fs_perms', `{ mount remount unmount getattr }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for using sockets.
|
|
|
|
#
|
|
|
|
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating and using sockets.
|
|
|
|
#
|
|
|
|
define(`create_socket_perms', `{ create rw_socket_perms }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for using stream sockets.
|
|
|
|
#
|
|
|
|
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating and using stream sockets.
|
|
|
|
#
|
|
|
|
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating and using sockets.
|
|
|
|
#
|
|
|
|
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating and using sockets.
|
|
|
|
#
|
|
|
|
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for creating and using netlink sockets.
|
|
|
|
#
|
|
|
|
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for using netlink sockets for operations that modify state.
|
|
|
|
#
|
|
|
|
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for using netlink sockets for operations that observe state.
|
|
|
|
#
|
|
|
|
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for sending all signals.
|
|
|
|
#
|
|
|
|
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for sending and receiving network packets.
|
|
|
|
#
|
|
|
|
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Permissions for using System V IPC
|
|
|
|
#
|
|
|
|
define(`r_sem_perms', `{ associate getattr read unix_read }')
|
|
|
|
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
|
|
|
|
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
|
|
|
|
define(`r_msgq_perms', `{ associate getattr read unix_read }')
|
|
|
|
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
|
|
|
|
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
|
|
|
|
define(`r_shm_perms', `{ associate getattr read unix_read }')
|
|
|
|
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
|
|
|
|
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# Macros for type transition rules and
|
|
|
|
# access vector rules.
|
|
|
|
#
|
|
|
|
|
|
|
|
#
|
|
|
|
# Simple combinations for reading and writing both
|
|
|
|
# directories and files.
|
|
|
|
#
|
|
|
|
define(`r_dir_file', `
|
|
|
|
allow $1 $2:dir r_dir_perms;
|
|
|
|
allow $1 $2:file r_file_perms;
|
|
|
|
allow $1 $2:lnk_file { getattr read };
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`rw_dir_file', `
|
|
|
|
allow $1 $2:dir rw_dir_perms;
|
|
|
|
allow $1 $2:file rw_file_perms;
|
|
|
|
allow $1 $2:lnk_file { getattr read };
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`ra_dir_file', `
|
|
|
|
allow $1 $2:dir ra_dir_perms;
|
|
|
|
allow $1 $2:file ra_file_perms;
|
|
|
|
allow $1 $2:lnk_file { getattr read };
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`ra_dir_create_file', `
|
|
|
|
allow $1 $2:dir ra_dir_perms;
|
|
|
|
allow $1 $2:file { create ra_file_perms };
|
|
|
|
allow $1 $2:lnk_file { create read getattr };
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`rw_dir_create_file', `
|
|
|
|
allow $1 $2:dir rw_dir_perms;
|
|
|
|
allow $1 $2:file create_file_perms;
|
|
|
|
allow $1 $2:lnk_file create_lnk_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`create_dir_file', `
|
|
|
|
allow $1 $2:dir create_dir_perms;
|
|
|
|
allow $1 $2:file create_file_perms;
|
|
|
|
allow $1 $2:lnk_file create_lnk_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`create_dir_notdevfile', `
|
|
|
|
allow $1 $2:dir create_dir_perms;
|
|
|
|
allow $1 $2:{ file sock_file fifo_file } create_file_perms;
|
|
|
|
allow $1 $2:lnk_file create_lnk_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
define(`create_append_log_file', `
|
|
|
|
allow $1 $2:dir { read getattr search add_name write };
|
|
|
|
allow $1 $2:file { create ioctl getattr setattr append link };
|
|
|
|
')
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_ps(domain1, domain2)
|
|
|
|
#
|
|
|
|
# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
|
|
|
|
#
|
|
|
|
define(`can_ps',`
|
|
|
|
allow $1 $2:dir { search getattr read };
|
|
|
|
allow $1 $2:{ file lnk_file } { read getattr };
|
|
|
|
allow $1 $2:process getattr;
|
|
|
|
# We need to suppress this denial because procps tries to access
|
|
|
|
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
|
|
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
|
|
# running in a privileged domain.
|
|
|
|
dontaudit $1 $2:process ptrace;
|
|
|
|
')
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_getsecurity(domain)
|
|
|
|
#
|
|
|
|
# Authorize a domain to get security policy decisions.
|
|
|
|
#
|
|
|
|
define(`can_getsecurity',`
|
|
|
|
# Get the selinuxfs mount point via /proc/self/mounts.
|
|
|
|
allow $1 proc_t:dir search;
|
|
|
|
allow $1 proc_t:{ file lnk_file } { getattr read };
|
|
|
|
allow $1 self:dir search;
|
|
|
|
allow $1 self:file { getattr read };
|
|
|
|
# Access selinuxfs.
|
|
|
|
allow $1 security_t:dir { read search getattr };
|
|
|
|
allow $1 security_t:file { getattr read write };
|
|
|
|
allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
|
|
|
|
')
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_setenforce(domain)
|
|
|
|
#
|
|
|
|
# Authorize a domain to set the enforcing flag.
|
|
|
|
# Due to its sensitivity, always audit this permission.
|
|
|
|
#
|
|
|
|
define(`can_setenforce',`
|
|
|
|
# Get the selinuxfs mount point via /proc/self/mounts.
|
|
|
|
allow $1 proc_t:dir search;
|
|
|
|
allow $1 proc_t:lnk_file read;
|
|
|
|
allow $1 self:dir search;
|
|
|
|
allow $1 self:file { getattr read };
|
|
|
|
# Access selinuxfs.
|
|
|
|
allow $1 security_t:dir { read search getattr };
|
|
|
|
allow $1 security_t:file { getattr read write };
|
2005-11-07 20:09:28 +00:00
|
|
|
if (!secure_mode_policyload) {
|
2005-10-21 18:05:21 +00:00
|
|
|
allow $1 security_t:security setenforce;
|
|
|
|
auditallow $1 security_t:security setenforce;
|
2005-11-07 20:09:28 +00:00
|
|
|
}dnl end if !secure_mode_policyload
|
2005-10-21 18:05:21 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_setbool(domain)
|
|
|
|
#
|
|
|
|
# Authorize a domain to set a policy boolean.
|
|
|
|
# Due to its sensitivity, always audit this permission.
|
|
|
|
#
|
|
|
|
define(`can_setbool',`
|
|
|
|
# Get the selinuxfs mount point via /proc/self/mounts.
|
|
|
|
allow $1 proc_t:dir search;
|
|
|
|
allow $1 proc_t:lnk_file read;
|
|
|
|
allow $1 self:dir search;
|
|
|
|
allow $1 self:file { getattr read };
|
|
|
|
# Access selinuxfs.
|
|
|
|
allow $1 security_t:dir { read search getattr };
|
|
|
|
allow $1 security_t:file { getattr read write };
|
2005-11-07 20:09:28 +00:00
|
|
|
if (!secure_mode_policyload) {
|
2005-10-21 18:05:21 +00:00
|
|
|
allow $1 security_t:security setbool;
|
|
|
|
auditallow $1 security_t:security setbool;
|
2005-11-07 20:09:28 +00:00
|
|
|
}dnl end if !secure_mode_policyload
|
2005-10-21 18:05:21 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_setsecparam(domain)
|
|
|
|
#
|
|
|
|
# Authorize a domain to set security parameters.
|
|
|
|
# Due to its sensitivity, always audit this permission.
|
|
|
|
#
|
|
|
|
define(`can_setsecparam',`
|
|
|
|
# Get the selinuxfs mount point via /proc/self/mounts.
|
|
|
|
allow $1 proc_t:dir search;
|
|
|
|
allow $1 proc_t:lnk_file read;
|
|
|
|
allow $1 self:dir search;
|
|
|
|
allow $1 self:file { getattr read };
|
|
|
|
# Access selinuxfs.
|
|
|
|
allow $1 security_t:dir { read search getattr };
|
|
|
|
allow $1 security_t:file { getattr read write };
|
|
|
|
allow $1 security_t:security setsecparam;
|
|
|
|
auditallow $1 security_t:security setsecparam;
|
|
|
|
')
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_loadpol(domain)
|
|
|
|
#
|
|
|
|
# Authorize a domain to load a policy configuration.
|
|
|
|
# Due to its sensitivity, always audit this permission.
|
|
|
|
#
|
|
|
|
define(`can_loadpol',`
|
|
|
|
# Get the selinuxfs mount point via /proc/self/mounts.
|
|
|
|
allow $1 proc_t:dir search;
|
|
|
|
allow $1 proc_t:lnk_file read;
|
|
|
|
allow $1 proc_t:file { getattr read };
|
|
|
|
allow $1 self:dir search;
|
|
|
|
allow $1 self:file { getattr read };
|
|
|
|
# Access selinuxfs.
|
|
|
|
allow $1 security_t:dir { read search getattr };
|
|
|
|
allow $1 security_t:file { getattr read write };
|
2005-11-07 20:09:28 +00:00
|
|
|
if (!secure_mode_policyload) {
|
2005-10-21 18:05:21 +00:00
|
|
|
allow $1 security_t:security load_policy;
|
|
|
|
auditallow $1 security_t:security load_policy;
|
2005-11-07 20:09:28 +00:00
|
|
|
}dnl end if !secure_mode_policyload
|
2005-10-21 18:05:21 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# domain_trans(parent_domain, program_type, child_domain)
|
|
|
|
#
|
|
|
|
# Permissions for transitioning to a new domain.
|
|
|
|
#
|
|
|
|
|
|
|
|
define(`domain_trans',`
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the process to transition to the new domain.
|
|
|
|
#
|
|
|
|
allow $1 $3:process transition;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Do not audit when glibc secure mode is enabled upon the transition.
|
|
|
|
#
|
|
|
|
dontaudit $1 $3:process noatsecure;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Do not audit when signal-related state is cleared upon the transition.
|
|
|
|
#
|
|
|
|
dontaudit $1 $3:process siginh;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Do not audit when resource limits are reset upon the transition.
|
|
|
|
#
|
|
|
|
dontaudit $1 $3:process rlimitinh;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the process to execute the program.
|
|
|
|
#
|
|
|
|
allow $1 $2:file { read x_file_perms };
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the process to reap the new domain.
|
|
|
|
#
|
|
|
|
allow $3 $1:process sigchld;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the new domain to inherit and use file
|
|
|
|
# descriptions from the creating process and vice versa.
|
|
|
|
#
|
|
|
|
allow $3 $1:fd use;
|
|
|
|
allow $1 $3:fd use;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the new domain to write back to the old domain via a pipe.
|
|
|
|
#
|
|
|
|
allow $3 $1:fifo_file rw_file_perms;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the new domain to read and execute the program.
|
|
|
|
#
|
|
|
|
allow $3 $2:file rx_file_perms;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the new domain to be entered via the program.
|
|
|
|
#
|
|
|
|
allow $3 $2:file entrypoint;
|
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# domain_auto_trans(parent_domain, program_type, child_domain)
|
|
|
|
#
|
|
|
|
# Define a default domain transition and allow it.
|
|
|
|
#
|
|
|
|
define(`domain_auto_trans',`
|
|
|
|
domain_trans($1,$2,$3)
|
|
|
|
type_transition $1 $2:process $3;
|
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# can_ptrace(domain, domain)
|
|
|
|
#
|
|
|
|
# Permissions for running ptrace (strace or gdb) on another domain
|
|
|
|
#
|
|
|
|
define(`can_ptrace',`
|
|
|
|
allow $1 $2:process ptrace;
|
|
|
|
allow $2 $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# can_exec(domain, type)
|
|
|
|
#
|
|
|
|
# Permissions for executing programs with
|
|
|
|
# a specified type without changing domains.
|
|
|
|
#
|
|
|
|
define(`can_exec',`
|
|
|
|
allow $1 $2:file { rx_file_perms execute_no_trans };
|
|
|
|
')
|
|
|
|
|
|
|
|
# this is an internal macro used by can_create
|
|
|
|
define(`can_create_internal', `
|
|
|
|
ifelse(`$3', `dir', `
|
|
|
|
allow $1 $2:$3 create_dir_perms;
|
|
|
|
', `$3', `lnk_file', `
|
|
|
|
allow $1 $2:$3 create_lnk_perms;
|
|
|
|
', `
|
|
|
|
allow $1 $2:$3 create_file_perms;
|
|
|
|
')dnl end if dir
|
|
|
|
')dnl end can_create_internal
|
|
|
|
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# can_create(domain, file_type, object_class)
|
|
|
|
#
|
|
|
|
# Permissions for creating files of the specified type and class
|
|
|
|
#
|
|
|
|
define(`can_create', `
|
|
|
|
ifelse(regexp($3, `\w'), -1, `', `
|
|
|
|
can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
|
|
|
|
|
|
|
|
can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
|
|
|
|
')
|
|
|
|
')
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# file_type_trans(domain, dir_type, file_type)
|
|
|
|
#
|
|
|
|
# Permissions for transitioning to a new file type.
|
|
|
|
#
|
|
|
|
|
|
|
|
define(`file_type_trans',`
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the process to modify the directory.
|
|
|
|
#
|
|
|
|
allow $1 $2:dir rw_dir_perms;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Allow the process to create the file.
|
|
|
|
#
|
|
|
|
ifelse(`$4', `', `
|
|
|
|
can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
|
|
|
|
', `
|
|
|
|
can_create($1, $3, $4)
|
|
|
|
')dnl end if param 4 specified
|
|
|
|
|
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
|
|
|
|
#
|
|
|
|
# the object class will default to notdevfile_class_set if not specified as
|
|
|
|
# the fourth parameter
|
|
|
|
#
|
|
|
|
# Define a default file type transition and allow it.
|
|
|
|
#
|
|
|
|
define(`file_type_auto_trans',`
|
|
|
|
ifelse(`$4', `', `
|
|
|
|
file_type_trans($1,$2,$3)
|
|
|
|
type_transition $1 $2:dir $3;
|
|
|
|
type_transition $1 $2:notdevfile_class_set $3;
|
|
|
|
', `
|
|
|
|
file_type_trans($1,$2,$3,$4)
|
|
|
|
type_transition $1 $2:$4 $3;
|
|
|
|
')dnl end ifelse
|
|
|
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# can_unix_connect(client, server)
|
|
|
|
#
|
|
|
|
# Permissions for establishing a Unix stream connection.
|
|
|
|
#
|
|
|
|
define(`can_unix_connect',`
|
|
|
|
allow $1 $2:unix_stream_socket connectto;
|
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# can_unix_send(sender, receiver)
|
|
|
|
#
|
|
|
|
# Permissions for sending Unix datagrams.
|
|
|
|
#
|
|
|
|
define(`can_unix_send',`
|
|
|
|
allow $1 $2:unix_dgram_socket sendto;
|
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# can_tcp_connect(client, server)
|
|
|
|
#
|
|
|
|
# Permissions for establishing a TCP connection.
|
|
|
|
# Irrelevant until we have labeled networking.
|
|
|
|
#
|
|
|
|
define(`can_tcp_connect',`
|
|
|
|
#allow $1 $2:tcp_socket { connectto recvfrom };
|
|
|
|
#allow $2 $1:tcp_socket { acceptfrom recvfrom };
|
|
|
|
#allow $2 kernel_t:tcp_socket recvfrom;
|
|
|
|
#allow $1 kernel_t:tcp_socket recvfrom;
|
|
|
|
')
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# can_udp_send(sender, receiver)
|
|
|
|
#
|
|
|
|
# Permissions for sending/receiving UDP datagrams.
|
|
|
|
# Irrelevant until we have labeled networking.
|
|
|
|
#
|
|
|
|
define(`can_udp_send',`
|
|
|
|
#allow $1 $2:udp_socket sendto;
|
|
|
|
#allow $2 $1:udp_socket recvfrom;
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# base_pty_perms(domain_prefix)
|
|
|
|
#
|
|
|
|
# Base permissions used for can_create_pty() and can_create_other_pty()
|
|
|
|
#
|
|
|
|
define(`base_pty_perms', `
|
|
|
|
# Access the pty master multiplexer.
|
|
|
|
allow $1_t ptmx_t:chr_file rw_file_perms;
|
|
|
|
|
|
|
|
allow $1_t devpts_t:filesystem getattr;
|
|
|
|
|
|
|
|
# allow searching /dev/pts
|
|
|
|
allow $1_t devpts_t:dir { getattr read search };
|
|
|
|
|
|
|
|
# ignore old BSD pty devices
|
|
|
|
dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# pty_slave_label(domain_prefix, attributes)
|
|
|
|
#
|
|
|
|
# give access to a slave pty but do not allow creating new ptys
|
|
|
|
#
|
|
|
|
define(`pty_slave_label', `
|
|
|
|
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
|
|
|
|
|
|
|
|
# Allow the pty to be associated with the file system.
|
|
|
|
allow $1_devpts_t devpts_t:filesystem associate;
|
|
|
|
|
|
|
|
# Label pty files with a derived type.
|
|
|
|
type_transition $1_t devpts_t:chr_file $1_devpts_t;
|
|
|
|
|
|
|
|
# allow searching /dev/pts
|
|
|
|
allow $1_t devpts_t:dir { getattr read search };
|
|
|
|
|
|
|
|
# Read and write my pty files.
|
|
|
|
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_create_pty(domain_prefix, attributes)
|
|
|
|
#
|
|
|
|
# Permissions for creating ptys.
|
|
|
|
#
|
|
|
|
define(`can_create_pty',`
|
|
|
|
base_pty_perms($1)
|
|
|
|
pty_slave_label($1, `$2')
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
|
|
##################################
|
|
|
|
#
|
|
|
|
# can_create_other_pty(domain_prefix,other_domain)
|
|
|
|
#
|
|
|
|
# Permissions for creating ptys for another domain.
|
|
|
|
#
|
|
|
|
define(`can_create_other_pty',`
|
|
|
|
base_pty_perms($1)
|
|
|
|
# Label pty files with a derived type.
|
|
|
|
type_transition $1_t devpts_t:chr_file $2_devpts_t;
|
|
|
|
|
|
|
|
# Read and write pty files.
|
|
|
|
allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# general_domain_access(domain)
|
|
|
|
#
|
|
|
|
# Grant permissions within the domain.
|
|
|
|
# This includes permissions to processes, /proc/PID files,
|
|
|
|
# file descriptors, pipes, Unix sockets, and System V IPC objects
|
|
|
|
# labeled with the domain.
|
|
|
|
#
|
|
|
|
define(`general_domain_access',`
|
|
|
|
# Access other processes in the same domain.
|
|
|
|
# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
|
|
|
|
# These must be granted separately if desired.
|
|
|
|
allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
|
|
|
|
|
|
|
|
# Access /proc/PID files for processes in the same domain.
|
|
|
|
allow $1 self:dir r_dir_perms;
|
|
|
|
allow $1 self:notdevfile_class_set r_file_perms;
|
|
|
|
|
|
|
|
# Access file descriptions, pipes, and sockets
|
|
|
|
# created by processes in the same domain.
|
|
|
|
allow $1 self:fd *;
|
|
|
|
allow $1 self:fifo_file rw_file_perms;
|
|
|
|
allow $1 self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow $1 self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
|
|
|
|
# Allow the domain to communicate with other processes in the same domain.
|
|
|
|
allow $1 self:unix_dgram_socket sendto;
|
|
|
|
allow $1 self:unix_stream_socket connectto;
|
|
|
|
|
|
|
|
# Access System V IPC objects created by processes in the same domain.
|
|
|
|
allow $1 self:sem create_sem_perms;
|
|
|
|
allow $1 self:msg { send receive };
|
|
|
|
allow $1 self:msgq create_msgq_perms;
|
|
|
|
allow $1 self:shm create_shm_perms;
|
|
|
|
allow $1 unpriv_userdomain:fd use;
|
|
|
|
#
|
|
|
|
# Every app is asking for ypbind so I am adding this here,
|
|
|
|
# eventually this should become can_nsswitch
|
|
|
|
#
|
|
|
|
can_ypbind($1)
|
|
|
|
allow $1 autofs_t:dir { search getattr };
|
|
|
|
')dnl end general_domain_access
|