selinux-policy/refpolicy/policy/modules/kernel/domain.te

68 lines
1.9 KiB
Plaintext
Raw Normal View History

2005-04-20 19:07:16 +00:00
2006-01-17 20:14:04 +00:00
policy_module(domain,1.1.0)
2005-06-30 18:54:08 +00:00
########################################
#
# Declarations
#
2005-04-14 20:18:17 +00:00
# Mark process types as domains
attribute domain;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
2005-09-15 15:34:31 +00:00
# Domains that are unconfined
attribute unconfined_domain_type;
2005-09-15 15:34:31 +00:00
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
#
# constraint related attributes
#
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
attribute can_system_change;
2005-06-09 21:07:58 +00:00
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;