selinux-policy/policy/modules/kernel/domain.if

1465 lines
29 KiB
Plaintext
Raw Normal View History

2005-05-23 15:49:03 +00:00
## <summary>Core policy for domains.</summary>
2005-07-05 17:47:15 +00:00
## <required val="true">
## Contains the concept of a domain.
## </required>
2005-04-20 19:07:16 +00:00
2005-04-14 20:18:17 +00:00
########################################
## <summary>
## Make the specified type usable as a basic domain.
## </summary>
## <desc>
## <p>
## Make the specified type usable as a basic domain.
## </p>
## <p>
## This is primarily used for kernel threads;
## generally the domain_type() interface is
## more appropriate for userland processes.
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be used as a basic domain type.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`domain_base_type',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
2005-04-14 20:18:17 +00:00
typeattribute $1 domain;
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Make the specified type usable as a domain.
## </summary>
## <desc>
## <p>
## Make the specified type usable as a domain. This,
## or an interface that calls this interface, must be
## used on all types that are used as domains.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>application_domain()</li>
## <li>init_daemon_domain()</li>
## <li>init_domaion()</li>
## <li>init_ranged_daemon_domain()</li>
## <li>init_ranged_domain()</li>
## <li>init_ranged_system_domain()</li>
## <li>init_script_domain()</li>
## <li>init_system_domain()</li>
## </ul>
## <p>
## Example:
## </p>
## <p>
## type mydomain_t;
## domain_type(mydomain_t)
## type myfile_t;
## files_type(myfile_t)
## allow mydomain_t myfile_t:file read_file_perms;
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be used as a domain type.
## </summary>
## </param>
## <infoflow type="none"/>
2005-04-14 20:18:17 +00:00
#
interface(`domain_type',`
# start with basic domain
domain_base_type($1)
2007-10-29 18:35:32 +00:00
ifdef(`distro_redhat',`
optional_policy(`
unconfined_use_fds($1)
')
')
# send init a sigchld and signull
optional_policy(`
init_sigchld($1)
init_signull($1)
')
# these seem questionable:
optional_policy(`
rpm_use_fds($1)
2006-02-02 21:08:12 +00:00
rpm_read_pipes($1)
')
2005-10-24 00:54:39 +00:00
optional_policy(`
2007-10-29 18:35:32 +00:00
selinux_dontaudit_getattr_fs($1)
2005-10-24 19:50:21 +00:00
selinux_dontaudit_read_fs($1)
2005-10-24 00:54:39 +00:00
')
optional_policy(`
2005-10-24 00:54:39 +00:00
seutil_dontaudit_read_config($1)
')
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Make the specified type usable as
## an entry point for the domain.
## </summary>
## <param name="domain">
## <summary>
## Domain to be entered.
## </summary>
## </param>
## <param name="type">
## <summary>
## Type of program used for entering
## the domain.
## </summary>
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`domain_entry_file',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute entry_type;
')
allow $1 $2:file entrypoint;
allow $1 $2:file { mmap_file_perms ioctl lock };
typeattribute $2 entry_type;
corecmd_executable_file($2)
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Make the file descriptors of the specified
## domain for interactive use (widely inheritable)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2006-02-20 21:33:25 +00:00
interface(`domain_interactive_fd',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute privfd;
')
typeattribute $1 privfd;
')
2005-06-23 15:37:39 +00:00
########################################
## <summary>
## Allow the specified domain to perform
## dynamic transitions.
## </summary>
## <desc>
## <p>
## Allow the specified domain to perform
## dynamic transitions.
## </p>
## <p>
## This violates process tranquility, and it
## is strongly suggested that this not be used.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-06-23 15:37:39 +00:00
#
interface(`domain_dyntrans_type',`
gen_require(`
attribute set_curr_context;
')
typeattribute $1 set_curr_context;
')
2005-09-20 20:48:17 +00:00
########################################
## <summary>
## Makes caller and execption to the constraint
## preventing changing to the system user
## identity and system role.
## </summary>
## <param name="domain">
## <summary>
2005-09-20 20:48:17 +00:00
## Domain allowed access.
## </summary>
2005-09-20 20:48:17 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`domain_system_change_exemption',`
2005-09-20 20:48:17 +00:00
gen_require(`
attribute can_system_change;
')
typeattribute $1 can_system_change;
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Makes caller an exception to the constraint preventing
## changing of user identity.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The process type to make an exception to the constraint.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`domain_subj_id_change_exemption',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute can_change_process_identity;
')
typeattribute $1 can_change_process_identity;
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Makes caller an exception to the constraint preventing
## changing of role.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The process type to make an exception to the constraint.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`domain_role_change_exemption',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute can_change_process_role;
')
typeattribute $1 can_change_process_role;
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The process type to make an exception to the constraint.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
#
2006-02-02 21:08:12 +00:00
interface(`domain_obj_id_change_exemption',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute can_change_object_identity;
')
typeattribute $1 can_change_object_identity;
')
########################################
## <summary>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the user domains from the base module.
## It should not be used other than on
## user domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`domain_user_exemption_target',`
gen_require(`
attribute process_user_target;
')
typeattribute $1 process_user_target;
')
########################################
## <summary>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## cron domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`domain_cron_exemption_source',`
gen_require(`
attribute cron_source_domain;
')
typeattribute $1 cron_source_domain;
')
########################################
## <summary>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## user cron jobs.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`domain_cron_exemption_target',`
gen_require(`
attribute cron_job_domain;
')
typeattribute $1 cron_job_domain;
')
2005-04-28 21:41:09 +00:00
########################################
## <summary>
## Inherit and use file descriptors from
## domains with interactive programs.
## </summary>
## <desc>
## <p>
## Allow the specified domain to inherit and use file
## descriptors from domains with interactive programs.
## This does not allow access to the objects being referenced
## by the file descriptors.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="1"/>
2005-04-28 21:41:09 +00:00
#
2006-02-20 21:33:25 +00:00
interface(`domain_use_interactive_fds',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute privfd;
')
allow $1 privfd:fd use;
2005-04-28 21:41:09 +00:00
')
########################################
## <summary>
## Do not audit attempts to inherit file
## descriptors from domains with interactive
## programs.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
2006-02-20 21:33:25 +00:00
interface(`domain_dontaudit_use_interactive_fds',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute privfd;
')
dontaudit $1 privfd:fd use;
')
2005-06-29 20:53:53 +00:00
########################################
## <summary>
## Send a SIGCHLD signal to domains whose file
## discriptors are widely inheritable.
## </summary>
## <param name="domain">
## <summary>
2005-06-29 20:53:53 +00:00
## Domain allowed access.
## </summary>
2005-06-29 20:53:53 +00:00
## </param>
#
# cjp: this was added because of newrole
2006-02-20 21:33:25 +00:00
interface(`domain_sigchld_interactive_fds',`
2005-06-29 20:53:53 +00:00
gen_require(`
attribute privfd;
')
2005-10-26 18:07:20 +00:00
allow $1 privfd:process sigchld;
2005-06-29 20:53:53 +00:00
')
2005-05-18 13:21:00 +00:00
########################################
## <summary>
## Set the nice level of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-05-18 13:21:00 +00:00
#
interface(`domain_setpriority_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
allow $1 domain:process setsched;
2005-05-18 13:21:00 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send general signals to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`domain_signal_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
allow $1 domain:process signal;
2005-04-14 20:18:17 +00:00
')
2005-05-23 15:49:03 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a null signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-05-23 15:49:03 +00:00
#
interface(`domain_signull_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
allow $1 domain:process signull;
2005-05-23 15:49:03 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a stop signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-05-27 20:44:05 +00:00
#
interface(`domain_sigstop_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
allow $1 domain:process sigstop;
2005-05-27 20:44:05 +00:00
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a child terminated signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`domain_sigchld_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
allow $1 domain:process sigchld;
2005-05-27 20:44:05 +00:00
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a kill signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`domain_kill_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
allow $1 domain:process sigkill;
allow $1 self:capability kill;
2005-04-14 20:18:17 +00:00
')
2005-11-29 21:27:15 +00:00
2005-09-15 15:34:31 +00:00
########################################
## <summary>
## Search the process state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## <summary>
2005-09-15 15:34:31 +00:00
## Domain allowed access.
## </summary>
2005-09-15 15:34:31 +00:00
## </param>
#
interface(`domain_search_all_domains_state',`
gen_require(`
attribute domain;
')
kernel_search_proc($1)
2009-06-11 15:00:48 +00:00
allow $1 domain:dir search_dir_perms;
2005-09-15 15:34:31 +00:00
')
2005-04-14 20:18:17 +00:00
2005-11-29 21:27:15 +00:00
########################################
## <summary>
## Do not audit attempts to search the process
## state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## <summary>
2005-11-29 21:27:15 +00:00
## Domain to not audit.
## </summary>
2005-11-29 21:27:15 +00:00
## </param>
#
interface(`domain_dontaudit_search_all_domains_state',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir search_dir_perms;
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-19 18:40:31 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read the process state (/proc/pid) of all domains.
2005-07-19 18:40:31 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-09-15 15:34:31 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`domain_read_all_domains_state',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
2005-09-15 15:34:31 +00:00
kernel_search_proc($1)
2006-12-12 20:08:08 +00:00
allow $1 domain:dir list_dir_perms;
read_files_pattern($1, domain, domain)
read_lnk_files_pattern($1, domain, domain)
2005-09-16 14:54:36 +00:00
')
2005-09-16 14:54:36 +00:00
########################################
## <summary>
2010-08-26 13:41:21 +00:00
## Get the attributes of all domains.
2005-09-16 14:54:36 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-09-16 14:54:36 +00:00
## Domain allowed access.
## </summary>
2005-09-16 14:54:36 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-16 14:54:36 +00:00
#
interface(`domain_getattr_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process getattr;
2005-04-14 20:18:17 +00:00
')
2005-11-29 15:49:18 +00:00
########################################
## <summary>
2010-08-26 13:41:21 +00:00
## Dontaudit geting the attributes of all domains.
2005-11-29 15:49:18 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-11-29 15:49:18 +00:00
## Domain allowed access.
## </summary>
2005-11-29 15:49:18 +00:00
## </param>
#
interface(`domain_dontaudit_getattr_all_domains',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:process getattr;
')
2005-09-15 15:34:31 +00:00
########################################
## <summary>
2005-09-16 14:54:36 +00:00
## Read the process state (/proc/pid) of all confined domains.
2005-09-15 15:34:31 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-09-15 15:34:31 +00:00
## Domain allowed access.
## </summary>
2005-09-15 15:34:31 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-15 15:34:31 +00:00
#
interface(`domain_read_confined_domains_state',`
gen_require(`
attribute domain, unconfined_domain_type;
2005-09-15 15:34:31 +00:00
')
kernel_search_proc($1)
2006-12-12 20:08:08 +00:00
allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
2005-09-15 15:34:31 +00:00
2006-12-12 20:08:08 +00:00
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
dontaudit $1 unconfined_domain_type:file read_file_perms;
2009-06-11 15:00:48 +00:00
dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
2005-09-16 14:54:36 +00:00
')
########################################
## <summary>
## Get the attributes of all confined domains.
## </summary>
## <param name="domain">
## <summary>
2005-09-16 14:54:36 +00:00
## Domain allowed access.
## </summary>
2005-09-16 14:54:36 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-16 14:54:36 +00:00
#
interface(`domain_getattr_confined_domains',`
gen_require(`
attribute domain, unconfined_domain_type;
2005-09-16 14:54:36 +00:00
')
allow $1 { domain -unconfined_domain_type }:process getattr;
2005-09-16 14:54:36 +00:00
')
2005-09-27 19:40:44 +00:00
########################################
## <summary>
## Ptrace all domains.
## </summary>
## <param name="domain">
## <summary>
2005-09-27 19:40:44 +00:00
## Domain allowed access.
## </summary>
2005-09-27 19:40:44 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-27 19:40:44 +00:00
#
interface(`domain_ptrace_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process ptrace;
2005-12-12 16:52:46 +00:00
allow domain $1:process sigchld;
2005-09-27 19:40:44 +00:00
')
2005-09-16 14:54:36 +00:00
########################################
## <summary>
## Do not audit attempts to ptrace all domains.
## </summary>
## <desc>
## <p>
## Do not audit attempts to ptrace all domains.
## </p>
## <p>
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-09-16 14:54:36 +00:00
## </param>
#
interface(`domain_dontaudit_ptrace_all_domains',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:process ptrace;
')
########################################
## <summary>
## Do not audit attempts to ptrace confined domains.
## </summary>
## <desc>
## <p>
## Do not audit attempts to ptrace confined domains.
## </p>
## <p>
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-09-16 14:54:36 +00:00
## </param>
#
interface(`domain_dontaudit_ptrace_confined_domains',`
gen_require(`
attribute domain, unconfined_domain_type;
2005-09-16 14:54:36 +00:00
')
2005-09-15 15:34:31 +00:00
dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
2005-09-15 15:34:31 +00:00
')
2005-07-19 18:40:31 +00:00
########################################
## <summary>
## Do not audit attempts to read the process
## state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
#
interface(`domain_dontaudit_read_all_domains_state',`
gen_require(`
attribute domain;
')
2006-12-12 20:08:08 +00:00
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_lnk_file_perms;
2006-12-12 20:08:08 +00:00
dontaudit $1 domain:file read_file_perms;
2005-11-29 15:49:18 +00:00
# cjp: these should be removed:
dontaudit $1 domain:sock_file read_sock_file_perms;
dontaudit $1 domain:fifo_file read_fifo_file_perms;
2005-07-19 18:40:31 +00:00
')
2005-05-26 20:38:45 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to read the process state
## directories of all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-26 20:38:45 +00:00
#
2006-02-02 21:08:12 +00:00
interface(`domain_dontaudit_list_all_domains_state',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
2006-12-12 20:08:08 +00:00
dontaudit $1 domain:dir list_dir_perms;
2005-05-26 20:38:45 +00:00
')
########################################
2005-07-19 18:40:31 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Get the session ID of all domains.
2005-07-19 18:40:31 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-26 20:38:45 +00:00
#
interface(`domain_getsession_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
allow $1 domain:process getsession;
2005-05-26 20:38:45 +00:00
')
2005-07-19 18:40:31 +00:00
########################################
## <summary>
## Do not audit attempts to get the
## session ID of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
#
interface(`domain_dontaudit_getsession_all_domains',`
gen_require(`
attribute domain;
')
2005-09-01 20:13:42 +00:00
dontaudit $1 domain:process getsession;
2005-07-19 18:40:31 +00:00
')
2010-03-17 14:02:07 +00:00
########################################
## <summary>
## Get the process group ID of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getpgid_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process getpgid;
')
########################################
## <summary>
## Get the scheduler information of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getsched_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process getsched;
')
2005-07-19 18:40:31 +00:00
########################################
## <summary>
## Get the attributes of all domains
## sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Get the attributes of all domains
## sockets, for all socket types.
## </p>
## <p>
## This is commonly used for domains
## that can use lsof on all domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
2005-07-19 18:40:31 +00:00
## Domain allowed access.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
#
interface(`domain_getattr_all_sockets',`
gen_require(`
attribute domain;
2005-07-19 18:40:31 +00:00
')
allow $1 domain:socket_class_set getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </p>
## <p>
## This interface was added for PCMCIA cardmgr
## and is probably excessive.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:socket_class_set getattr;
')
2005-05-30 21:17:20 +00:00
########################################
2005-07-18 18:31:49 +00:00
## <summary>
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-07-18 18:31:49 +00:00
## </param>
#
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:tcp_socket getattr;
')
########################################
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
2005-07-18 18:31:49 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-30 21:17:20 +00:00
#
interface(`domain_dontaudit_getattr_all_udp_sockets',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
dontaudit $1 domain:udp_socket getattr;
2005-05-30 21:17:20 +00:00
')
########################################
2005-07-18 18:31:49 +00:00
## <summary>
## Do not audit attempts to read or write
## all domains UDP sockets.
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-30 21:17:20 +00:00
#
2005-07-18 18:31:49 +00:00
interface(`domain_dontaudit_rw_all_udp_sockets',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
2005-07-18 18:31:49 +00:00
dontaudit $1 domain:udp_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to get attribues of
## all domains IPSEC key management sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_key_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:key_socket getattr;
')
2005-11-25 19:38:45 +00:00
########################################
## <summary>
## Do not audit attempts to get attribues of
## all domains packet sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-11-25 19:38:45 +00:00
## </param>
#
interface(`domain_dontaudit_getattr_all_packet_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:packet_socket getattr;
')
########################################
## <summary>
## Do not audit attempts to get attribues of
## all domains raw sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-11-25 19:38:45 +00:00
## </param>
#
interface(`domain_dontaudit_getattr_all_raw_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:rawip_socket getattr;
')
2005-07-18 18:31:49 +00:00
########################################
## <summary>
## Do not audit attempts to read or write
## all domains key sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-07-18 18:31:49 +00:00
## </param>
#
interface(`domain_dontaudit_rw_all_key_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:key_socket { read write };
2005-05-30 21:17:20 +00:00
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-30 21:17:20 +00:00
#
2005-11-25 19:38:45 +00:00
interface(`domain_dontaudit_getattr_all_dgram_sockets',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
dontaudit $1 domain:unix_dgram_socket getattr;
2005-05-30 21:17:20 +00:00
')
2010-03-17 14:02:07 +00:00
########################################
## <summary>
## Get the attributes
## of all domains unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getattr_all_stream_sockets',`
gen_require(`
attribute domain;
')
allow $1 domain:unix_stream_socket getattr;
')
2005-11-25 19:38:45 +00:00
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-11-25 19:38:45 +00:00
## </param>
#
interface(`domain_dontaudit_getattr_all_stream_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:unix_stream_socket getattr;
')
2010-03-17 14:02:07 +00:00
########################################
## <summary>
## Get the attributes of all domains
## unnamed pipes.
## </summary>
## <desc>
## <p>
## Get the attributes of all domains
## unnamed pipes.
## </p>
## <p>
## This is commonly used for domains
## that can use lsof on all domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getattr_all_pipes',`
gen_require(`
attribute domain;
')
allow $1 domain:fifo_file getattr;
')
2005-05-30 21:17:20 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-30 21:17:20 +00:00
#
2005-11-25 19:38:45 +00:00
interface(`domain_dontaudit_getattr_all_pipes',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
')
dontaudit $1 domain:fifo_file getattr;
2005-05-30 21:17:20 +00:00
')
########################################
## <summary>
## Allow specified type to set context of all
## domains IPSEC associations.
## </summary>
## <param name="type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_ipsec_setcontext_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:association setcontext;
')
########################################
2005-08-09 19:30:43 +00:00
## <summary>
## Get the attributes of entry point
## files for all domains.
## </summary>
## <param name="domain">
## <summary>
2005-08-09 19:30:43 +00:00
## Domain allowed access.
## </summary>
2005-08-09 19:30:43 +00:00
## </param>
#
2005-08-09 19:30:43 +00:00
interface(`domain_getattr_all_entry_files',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute entry_type;
')
2006-12-12 20:08:08 +00:00
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file getattr;
')
2005-05-04 21:44:51 +00:00
########################################
## <summary>
## Read the entry point files for all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2005-05-04 21:44:51 +00:00
#
interface(`domain_read_all_entry_files',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute entry_type;
')
2006-12-12 20:08:08 +00:00
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file read_file_perms;
2005-05-04 21:44:51 +00:00
')
2005-08-09 19:30:43 +00:00
########################################
## <summary>
## Execute the entry point files for all
## domains in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-08-09 19:30:43 +00:00
#
interface(`domain_exec_all_entry_files',`
gen_require(`
attribute entry_type;
')
can_exec($1, entry_type)
2005-08-09 19:30:43 +00:00
')
########################################
## <summary>
## dontaudit checking for execute on all entry point files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_exec_all_entry_files',`
gen_require(`
attribute entry_type;
')
dontaudit $1 entry_type:file exec_file_perms;
')
2006-01-11 23:20:28 +00:00
########################################
## <summary>
## Create, read, write, and delete all
## entrypoint files.
## </summary>
## <param name="domain">
## <summary>
2006-01-11 23:20:28 +00:00
## Domain allowed access.
## </summary>
2006-01-11 23:20:28 +00:00
## </param>
#
# cjp: added for prelink
interface(`domain_manage_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file manage_file_perms;
')
########################################
## <summary>
## Relabel to and from all entry point
## file types.
## </summary>
## <param name="domain">
## <summary>
2006-01-11 23:20:28 +00:00
## Domain allowed access.
## </summary>
2006-01-11 23:20:28 +00:00
## </param>
#
# cjp: added for prelink
interface(`domain_relabel_all_entry_files',`
gen_require(`
attribute entry_type;
')
2006-12-12 20:08:08 +00:00
allow $1 entry_type:file relabel_file_perms;
2006-01-11 23:20:28 +00:00
')
########################################
## <summary>
## Mmap all entry point files as executable.
## </summary>
## <param name="domain">
## <summary>
2006-01-11 23:20:28 +00:00
## Domain allowed access.
## </summary>
2006-01-11 23:20:28 +00:00
## </param>
#
# cjp: added for prelink
interface(`domain_mmap_all_entry_files',`
gen_require(`
attribute entry_type;
')
2006-12-12 20:08:08 +00:00
allow $1 entry_type:file mmap_file_perms;
2006-01-11 23:20:28 +00:00
')
2006-01-18 16:40:04 +00:00
########################################
## <summary>
## Execute an entry_type in the specified domain.
2006-01-18 16:40:04 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
2006-01-18 16:40:04 +00:00
## </param>
## <param name="target_domain">
## <summary>
2008-12-03 19:16:20 +00:00
## The type of the new process.
## </summary>
## </param>
2006-01-18 16:40:04 +00:00
#
# cjp: added for userhelper
2006-02-02 21:08:12 +00:00
interface(`domain_entry_file_spec_domtrans',`
2006-01-18 16:40:04 +00:00
gen_require(`
attribute entry_type;
')
domain_transition_pattern($1, entry_type, $2)
2006-01-18 16:40:04 +00:00
')
########################################
## <summary>
## Ability to mmap a low area of the address space,
2008-12-03 19:16:20 +00:00
## as configured by /proc/sys/kernel/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2010-08-26 13:41:21 +00:00
interface(`domain_mmap_low_type',`
gen_require(`
attribute mmap_low_domain_type;
')
typeattribute $1 mmap_low_domain_type;
')
2007-10-29 18:35:32 +00:00
########################################
## <summary>
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
2007-10-29 18:35:32 +00:00
## </summary>
## <param name="type">
## <summary>
## Domain allowed access.
2007-10-29 18:35:32 +00:00
## </summary>
## </param>
#
interface(`domain_all_recvfrom_all_domains',`
2007-10-29 18:35:32 +00:00
gen_require(`
attribute domain;
')
corenet_all_recvfrom_labeled($1, domain)
')
2010-03-17 14:02:07 +00:00
########################################
## <summary>
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_unconfined_signal',`
gen_require(`
attribute unconfined_domain_type;
')
allow $1 unconfined_domain_type:process signal;
')
########################################
## <summary>
## Unconfined access to domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_unconfined',`
gen_require(`
attribute set_curr_context;
attribute can_change_object_identity;
attribute unconfined_domain_type;
attribute process_uncond_exempt;
')
typeattribute $1 unconfined_domain_type;
# pass constraints
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
2007-10-29 18:35:32 +00:00
')
2010-08-26 13:41:21 +00:00
########################################
## <summary>
## Do not audit attempts to read or write
## all leaked sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_dontaudit_leaks',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:socket_class_set { read write };
')