selinux-policy/refpolicy/policy/modules/kernel/kernel.te

# Copyright (C) 2005 Tresys Technology, LLC

policy_module(kernel,1.0)

attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;

#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
# 
type kernel_t, can_load_kernmodule, can_load_policy;
role system_r types kernel_t;
domain_make_domain(kernel_t)

#
# unlabeled_t is the type of unlabeled objects.
# Objects that have no known labeling information or that
# have labels that are no longer valid are treated as having this type.
#
type unlabeled_t;

# 
# security_t is the target type when checking
# the permissions in the security class.  It is also
# applied to selinuxfs inodes.
#
type security_t;
filesystem_make_filesystem(security_t)
genfscon selinuxfs / system_u:object_r:security_t

#
# sysfs_t is the type for /sys
#
type sysfs_t;
files_make_mountpoint(sysfs_t)
filesystem_make_filesystem(sysfs_t)
genfscon sysfs / system_u:object_r:sysfs_t

#
# usbfs_t is the type for /proc/bus/usb
#
type usbfs_t alias usbdevfs_t;
files_make_mountpoint(usbfs_t)
filesystem_make_filesystem(usbfs_t)
genfscon usbfs / system_u:object_r:usbfs_t
genfscon usbdevfs / system_u:object_r:usbfs_t

#
# Procfs types
#

type proc_t;
files_make_mountpoint(proc_t)
genfscon proc / system_u:object_r:proc_t
genfscon proc /sysvipc system_u:object_r:proc_t

# kernel message interface
type proc_kmsg_t;
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;

# /proc kcore: inaccessible
type proc_kcore_t;
neverallow * proc_kcore_t:file ~getattr;
genfscon proc /kcore system_u:object_r:proc_kcore_t

type proc_mdstat_t;
genfscon proc /mdstat system_u:object_r:proc_mdstat_t

type proc_net_t;
genfscon proc /net system_u:object_r:proc_net_t

#
# Sysctl types
#

# /proc/irq directory and files
type sysctl_irq_t;
genfscon proc /irq system_u:object_r:sysctl_irq_t

# /proc/net/rpc directory and files
type sysctl_rpc_t;
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t

# /proc/sys directory, base directory of sysctls
type sysctl_t;
genfscon proc /sys system_u:object_r:sysctl_t

# /proc/sys/fs directory and files
type sysctl_fs_t;
files_make_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs system_u:object_r:sysctl_fs_t

# /proc/sys/kernel directory and files
type sysctl_kernel_t;
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t

# /proc/sys/kernel/modprobe file
type sysctl_modprobe_t;
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t

# /proc/sys/kernel/hotplug file
type sysctl_hotplug_t;
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t

# /proc/sys/net directory and files
type sysctl_net_t;
genfscon proc /sys/net system_u:object_r:sysctl_net_t

# /proc/sys/net/unix directory and files
type sysctl_net_unix_t;
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t

# /proc/sys/vm directory and files
type sysctl_vm_t;
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t

# /proc/sys/dev directory and files
type sysctl_dev_t;
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t

########################################
#
# kernel local policy
#

# Use capabilities. need to investigate which capabilities are actually used
allow kernel_t self:capability *;

# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;

# old general_domain_access()
allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow kernel_t self:msg { send receive };
allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow kernel_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow kernel_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file { read getattr lock ioctl write append };
allow kernel_t self:fd use;

# old general_proc_read_access():
allow kernel_t proc_t:dir { getattr search read };
allow kernel_t proc_t:{ lnk_file file } { getattr read };
allow kernel_t proc_net_t:dir { getattr search read };
allow kernel_t proc_net_t:file { getattr read };
allow kernel_t proc_mdstat_t:file { getattr read }; 
allow kernel_t proc_kcore_t:file getattr;
allow kernel_t proc_kmsg_t:file getattr;
allow kernel_t sysctl_t:dir { getattr search read };
allow kernel_t sysctl_kernel_t:dir { getattr search read };
allow kernel_t sysctl_kernel_t:file { getattr read };

# old base_file_read_access():
files_list_home_directories(kernel_t)
files_read_general_shared_resources(kernel_t)
selinux_read_config(kernel_t)

selinux_read_binary_policy(kernel_t)
allow kernel_t security_t:dir { read search getattr };
allow kernel_t security_t:file { getattr read write };
allow kernel_t security_t:security load_policy;
auditallow kernel_t security_t:security load_policy;

libraries_use_dynamic_loader(kernel_t)
libraries_read_shared_libraries(kernel_t)

corecommands_execute_shell(kernel_t)

terminal_use_console(kernel_t)
domain_signal_all_domains(kernel_t)

# Mount root file system.  Used when loading a policy
# from initrd, then mounting the root filesystem
filesystem_mount_all_filesystems(kernel_t)

# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecommands_execute_general_programs(kernel_t)

logging_send_system_log_message(kernel_t)

# Kernel-generated traffic, e.g. ICMP replies.
corenetwork_network_raw_on_all_interfaces(kernel_t)
corenetwork_network_raw_on_all_nodes(kernel_t)

# Kernel-generated traffic, e.g. TCP resets.
corenetwork_network_tcp_on_all_interfaces(kernel_t)
corenetwork_network_tcp_on_all_nodes(kernel_t)

neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam;

# enabling dyntransition breaks process tranquility.  If you dont
# know what this means or dont understand the implications of a
# dynamic transition, you shouldnt be using it!!!
neverallow * *:process { setcurrent dyntransition };

neverallow ~can_load_kernmodule *:capability sys_module;
add copyright statement 2005-04-20 19:07:16 +00:00			`# Copyright (C) 2005 Tresys Technology, LLC`

add module statement macro and entrypoint executable attribute to replicate can_exec($1,exec_type) 2005-04-26 17:00:25 +00:00			`policy_module(kernel,1.0)`

restructure kernel module to be consistent with other module ordering. put in missing rules. fix naming problems 2005-04-25 16:11:21 +00:00			`attribute can_load_policy;`
			`attribute can_setenforce;`
			`attribute can_setsecparam;`
			`attribute can_load_kernmodule;`
			`attribute can_receive_kernel_messages;`

			`#`
initial commit 2005-04-14 20:18:17 +00:00			`# kernel_t is the domain of kernel threads.`
			`# It is also the target type when checking permissions in the system class.`
			`#`
restructure kernel module to be consistent with other module ordering. put in missing rules. fix naming problems 2005-04-25 16:11:21 +00:00			`type kernel_t, can_load_kernmodule, can_load_policy;`
initial commit 2005-04-14 20:18:17 +00:00			`role system_r types kernel_t;`
restructure kernel module to be consistent with other module ordering. put in missing rules. fix naming problems 2005-04-25 16:11:21 +00:00			`domain_make_domain(kernel_t)`
initial commit 2005-04-14 20:18:17 +00:00
			`#`
			`# unlabeled_t is the type of unlabeled objects.`
			`# Objects that have no known labeling information or that`
			`# have labels that are no longer valid are treated as having this type.`
			`#`
			`type unlabeled_t;`

			`#`
			`# security_t is the target type when checking`
			`# the permissions in the security class. It is also`
			`# applied to selinuxfs inodes.`
			`#`
			`type security_t;`
restructure kernel module to be consistent with other module ordering. put in missing rules. fix naming problems 2005-04-25 16:11:21 +00:00			`filesystem_make_filesystem(security_t)`
initial commit 2005-04-14 20:18:17 +00:00			`genfscon selinuxfs / system_u:object_r:security_t`

			`#`
			`# sysfs_t is the type for /sys`
			`#`
			`type sysfs_t;`
make mountpoints work, plus misc 2005-04-28 21:41:09 +00:00			`files_make_mountpoint(sysfs_t)`
initial commit 2005-04-14 20:18:17 +00:00			`filesystem_make_filesystem(sysfs_t)`
			`genfscon sysfs / system_u:object_r:sysfs_t`

			`#`
			`# usbfs_t is the type for /proc/bus/usb`
			`#`
			`type usbfs_t alias usbdevfs_t;`
make mountpoints work, plus misc 2005-04-28 21:41:09 +00:00			`files_make_mountpoint(usbfs_t)`
initial commit 2005-04-14 20:18:17 +00:00			`filesystem_make_filesystem(usbfs_t)`
			`genfscon usbfs / system_u:object_r:usbfs_t`
			`genfscon usbdevfs / system_u:object_r:usbfs_t`

			`#`
			`# Procfs types`
			`#`

			`type proc_t;`
make mountpoints work, plus misc 2005-04-28 21:41:09 +00:00			`files_make_mountpoint(proc_t)`
initial commit 2005-04-14 20:18:17 +00:00			`genfscon proc / system_u:object_r:proc_t`
			`genfscon proc /sysvipc system_u:object_r:proc_t`

			`# kernel message interface`
			`type proc_kmsg_t;`
			`genfscon proc /kmsg system_u:object_r:proc_kmsg_t`
			`neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;`

			`# /proc kcore: inaccessible`
			`type proc_kcore_t;`
			`neverallow * proc_kcore_t:file ~getattr;`
			`genfscon proc /kcore system_u:object_r:proc_kcore_t`

			`type proc_mdstat_t;`
			`genfscon proc /mdstat system_u:object_r:proc_mdstat_t`

			`type proc_net_t;`
			`genfscon proc /net system_u:object_r:proc_net_t`

			`#`
			`# Sysctl types`
			`#`

			`# /proc/irq directory and files`
			`type sysctl_irq_t;`
			`genfscon proc /irq system_u:object_r:sysctl_irq_t`

			`# /proc/net/rpc directory and files`
			`type sysctl_rpc_t;`
			`genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t`

			`# /proc/sys directory, base directory of sysctls`
			`type sysctl_t;`
			`genfscon proc /sys system_u:object_r:sysctl_t`

			`# /proc/sys/fs directory and files`
			`type sysctl_fs_t;`
make mountpoints work, plus misc 2005-04-28 21:41:09 +00:00			`files_make_mountpoint(sysctl_fs_t)`
initial commit 2005-04-14 20:18:17 +00:00			`genfscon proc /sys/fs system_u:object_r:sysctl_fs_t`

			`# /proc/sys/kernel directory and files`
			`type sysctl_kernel_t;`
			`genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t`

			`# /proc/sys/kernel/modprobe file`
			`type sysctl_modprobe_t;`
			`genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t`

			`# /proc/sys/kernel/hotplug file`
			`type sysctl_hotplug_t;`
			`genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t`

			`# /proc/sys/net directory and files`
			`type sysctl_net_t;`
			`genfscon proc /sys/net system_u:object_r:sysctl_net_t`

			`# /proc/sys/net/unix directory and files`
			`type sysctl_net_unix_t;`
			`genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t`

			`# /proc/sys/vm directory and files`
			`type sysctl_vm_t;`
			`genfscon proc /sys/vm system_u:object_r:sysctl_vm_t`

			`# /proc/sys/dev directory and files`
			`type sysctl_dev_t;`
			`genfscon proc /sys/dev system_u:object_r:sysctl_dev_t`
restructure kernel module to be consistent with other module ordering. put in missing rules. fix naming problems 2005-04-25 16:11:21 +00:00
			`########################################`
			`#`
			`# kernel local policy`
			`#`

			`# Use capabilities. need to investigate which capabilities are actually used`
			`allow kernel_t self:capability *;`

			`# Other possible mount points for the root fs are in files`
			`allow kernel_t unlabeled_t:dir mounton;`

			`# old general_domain_access()`
			`allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };`
			`allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };`
			`allow kernel_t self:msg { send receive };`
			`allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };`
			`allow kernel_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };`
			`allow kernel_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };`
			`allow kernel_t self:unix_dgram_socket sendto;`
			`allow kernel_t self:unix_stream_socket connectto;`
			`allow kernel_t self:fifo_file { read getattr lock ioctl write append };`
			`allow kernel_t self:fd use;`

			`# old general_proc_read_access():`
			`allow kernel_t proc_t:dir { getattr search read };`
			`allow kernel_t proc_t:{ lnk_file file } { getattr read };`
			`allow kernel_t proc_net_t:dir { getattr search read };`
			`allow kernel_t proc_net_t:file { getattr read };`
			`allow kernel_t proc_mdstat_t:file { getattr read };`
			`allow kernel_t proc_kcore_t:file getattr;`
			`allow kernel_t proc_kmsg_t:file getattr;`
			`allow kernel_t sysctl_t:dir { getattr search read };`
			`allow kernel_t sysctl_kernel_t:dir { getattr search read };`
			`allow kernel_t sysctl_kernel_t:file { getattr read };`

			`# old base_file_read_access():`
			`files_list_home_directories(kernel_t)`
			`files_read_general_shared_resources(kernel_t)`
			`selinux_read_config(kernel_t)`

			`selinux_read_binary_policy(kernel_t)`
			`allow kernel_t security_t:dir { read search getattr };`
			`allow kernel_t security_t:file { getattr read write };`
			`allow kernel_t security_t:security load_policy;`
			`auditallow kernel_t security_t:security load_policy;`

			`libraries_use_dynamic_loader(kernel_t)`
			`libraries_read_shared_libraries(kernel_t)`

			`corecommands_execute_shell(kernel_t)`

			`terminal_use_console(kernel_t)`
			`domain_signal_all_domains(kernel_t)`

			`# Mount root file system. Used when loading a policy`
			`# from initrd, then mounting the root filesystem`
			`filesystem_mount_all_filesystems(kernel_t)`

			`# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.`
			`corecommands_execute_general_programs(kernel_t)`

			`logging_send_system_log_message(kernel_t)`

			`# Kernel-generated traffic, e.g. ICMP replies.`
			`corenetwork_network_raw_on_all_interfaces(kernel_t)`
			`corenetwork_network_raw_on_all_nodes(kernel_t)`

			`# Kernel-generated traffic, e.g. TCP resets.`
			`corenetwork_network_tcp_on_all_interfaces(kernel_t)`
			`corenetwork_network_tcp_on_all_nodes(kernel_t)`

			`neverallow ~can_load_policy security_t:security load_policy;`
			`neverallow ~can_setenforce security_t:security setenforce;`
			`neverallow ~can_setsecparam security_t:security setsecparam;`

			`# enabling dyntransition breaks process tranquility. If you dont`
			`# know what this means or dont understand the implications of a`
			`# dynamic transition, you shouldnt be using it!!!`
			`neverallow * *:process { setcurrent dyntransition };`

			`neverallow ~can_load_kernmodule *:capability sys_module;`