selinux-policy/refpolicy/policy/modules/system/selinuxutil.te

458 lines
12 KiB
Plaintext
Raw Normal View History

2005-04-20 19:07:16 +00:00
2005-06-14 20:12:46 +00:00
policy_module(selinuxutil,1.0)
########################################
2005-04-14 20:18:17 +00:00
#
# Declarations
2005-04-14 20:18:17 +00:00
#
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
type checkpolicy_t, can_write_binary_policy;
2005-06-13 17:35:46 +00:00
domain_type(checkpolicy_t)
role system_r types checkpolicy_t;
type checkpolicy_exec_t;
2005-06-13 17:35:46 +00:00
domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
type default_context_t;
files_type(default_context_t)
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
files_type(file_context_t)
type load_policy_t;
2005-06-13 17:35:46 +00:00
domain_type(load_policy_t)
role system_r types load_policy_t;
type load_policy_exec_t;
2005-06-13 17:35:46 +00:00
domain_entry_file(load_policy_t,load_policy_exec_t)
2005-07-13 20:48:51 +00:00
type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
domain_role_change_exempt(newrole_t)
domain_obj_id_change_exempt(newrole_t)
2005-06-13 17:35:46 +00:00
domain_type(newrole_t)
domain_wide_inherit_fd(newrole_t)
type newrole_exec_t;
2005-06-13 17:35:46 +00:00
domain_entry_file(newrole_t,newrole_exec_t)
2005-04-14 20:18:17 +00:00
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t;
files_type(policy_config_t)
2005-09-12 15:17:39 +00:00
kernel_list_from(policy_config_t)
kernel_read_file_from(policy_config_t)
2005-04-14 20:18:17 +00:00
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append };
#
# policy_src_t is the type of the policy source
# files.
#
type policy_src_t;
files_type(policy_src_t)
2005-04-14 20:18:17 +00:00
2005-05-09 18:50:20 +00:00
type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t;
domain_obj_id_change_exempt(restorecon_t)
2005-06-13 17:35:46 +00:00
init_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t;
type run_init_t;
2005-06-13 17:35:46 +00:00
domain_type(run_init_t)
type run_init_exec_t;
2005-06-13 17:35:46 +00:00
domain_entry_file(run_init_t,run_init_exec_t)
2005-04-14 20:18:17 +00:00
#
# selinux_config_t is the type applied to
# /etc/selinux/config
2005-04-14 20:18:17 +00:00
#
type selinux_config_t;
files_type(selinux_config_t)
2005-09-12 15:17:39 +00:00
kernel_list_from(selinux_config_t)
kernel_read_file_from(selinux_config_t)
2005-04-14 20:18:17 +00:00
2005-05-09 18:50:20 +00:00
type setfiles_t, can_relabelto_binary_policy;
domain_obj_id_change_exempt(setfiles_t)
2005-06-13 17:35:46 +00:00
domain_type(setfiles_t)
role system_r types setfiles_t;
type setfiles_exec_t;
2005-06-13 17:35:46 +00:00
domain_entry_file(setfiles_t,setfiles_exec_t)
########################################
2005-04-14 20:18:17 +00:00
#
# Checkpolicy local policy
2005-04-14 20:18:17 +00:00
#
allow checkpolicy_t self:capability dac_override;
2005-04-14 20:18:17 +00:00
# able to create and modify binary policy files
2005-06-09 18:08:26 +00:00
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;
2005-05-09 18:50:20 +00:00
# allow test policies to be created in src directories
2005-06-09 18:08:26 +00:00
allow checkpolicy_t policy_src_t:dir rw_dir_perms;
2005-05-09 18:50:20 +00:00
type_transition checkpolicy_t policy_src_t:file policy_config_t;
# only allow read of policy source files
2005-06-09 18:08:26 +00:00
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:file r_file_perms;
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
allow checkpolicy_t selinux_config_t:dir search;
2005-06-10 01:01:13 +00:00
fs_getattr_xattr_fs(checkpolicy_t)
2005-06-10 01:01:13 +00:00
term_use_console(checkpolicy_t)
2005-06-13 17:35:46 +00:00
domain_use_wide_inherit_fd(checkpolicy_t)
2005-05-18 21:00:56 +00:00
# directory search permissions for path to source and binary policy files
2005-06-13 17:35:46 +00:00
files_search_etc(checkpolicy_t)
2005-06-13 17:35:46 +00:00
init_use_fd(checkpolicy_t)
init_use_script_pty(checkpolicy_t)
2005-06-13 17:35:46 +00:00
libs_use_ld_so(checkpolicy_t)
libs_use_shared_libs(checkpolicy_t)
2005-06-13 17:35:46 +00:00
userdom_use_all_user_fd(checkpolicy_t)
2005-05-18 21:00:56 +00:00
########################################
#
# Load_policy local policy
#
allow load_policy_t self:capability dac_override;
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
2005-06-09 18:08:26 +00:00
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
2005-06-09 18:08:26 +00:00
allow load_policy_t selinux_config_t:dir r_dir_perms;
allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
fs_getattr_xattr_fs(load_policy_t)
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
selinux_set_boolean(load_policy_t)
2005-06-10 01:01:13 +00:00
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
2005-06-13 17:35:46 +00:00
init_use_script_fd(load_policy_t)
init_use_script_pty(load_policy_t)
2005-06-13 17:35:46 +00:00
domain_use_wide_inherit_fd(load_policy_t)
2005-05-04 17:01:46 +00:00
2005-06-13 17:35:46 +00:00
files_search_etc(load_policy_t)
2005-05-25 20:58:21 +00:00
2005-06-13 17:35:46 +00:00
libs_use_ld_so(load_policy_t)
libs_use_shared_libs(load_policy_t)
miscfiles_read_localization(load_policy_t)
2005-06-13 17:35:46 +00:00
userdom_use_all_user_fd(load_policy_t)
2005-05-18 21:00:56 +00:00
########################################
#
# Newrole local policy
#
allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
2005-09-01 20:13:42 +00:00
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
2005-06-09 18:08:26 +00:00
allow newrole_t self:fifo_file rw_file_perms;
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket connectto;
2005-06-09 18:08:26 +00:00
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
2005-06-09 18:08:26 +00:00
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
2005-06-27 16:30:55 +00:00
fs_search_auto_mountpoints(newrole_t)
selinux_get_fs_mount(newrole_t)
selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t)
selinux_compute_create_context(newrole_t)
selinux_compute_relabel_context(newrole_t)
selinux_compute_user_contexts(newrole_t)
2005-06-10 01:01:13 +00:00
term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
2005-06-21 17:01:45 +00:00
term_relabel_all_user_ttys(newrole_t)
term_relabel_all_user_ptys(newrole_t)
2005-06-13 17:35:46 +00:00
auth_domtrans_chk_passwd(newrole_t)
2005-05-04 17:01:46 +00:00
2005-06-13 17:35:46 +00:00
domain_use_wide_inherit_fd(newrole_t)
2005-06-29 20:53:53 +00:00
# for when the user types "exec newrole" at the command line:
domain_sigchld_wide_inherit_fd(newrole_t)
2005-05-04 17:01:46 +00:00
# Write to utmp.
2005-06-13 17:35:46 +00:00
init_rw_script_pid(newrole_t)
files_read_etc_files(newrole_t)
2005-06-29 20:53:53 +00:00
files_read_var_files(newrole_t)
2005-06-13 17:35:46 +00:00
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(newrole_t)
2005-05-09 18:50:20 +00:00
miscfiles_read_localization(newrole_t)
2005-06-13 17:35:46 +00:00
userdom_use_unpriv_users_fd(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home(newrole_t)
2005-05-09 18:50:20 +00:00
2005-06-21 17:01:45 +00:00
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
userdom_spec_domtrans_unpriv_users(newrole_t)
} else {
userdom_spec_domtrans_all_users(newrole_t)
}
2005-06-27 16:30:55 +00:00
optional_policy(`nis.te',`
nis_use_ypbind(newrole_t)
')
2005-07-13 20:48:51 +00:00
optional_policy(`nscd.te',`
nscd_use_socket(newrole_t)
')
2005-06-27 16:30:55 +00:00
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
') dnl ifdef TODO
########################################
#
# Restorecon local policy
#
allow restorecon_t self:capability { dac_override dac_read_search fowner };
2005-06-09 18:08:26 +00:00
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
2005-06-10 01:01:13 +00:00
kernel_use_fd(restorecon_t)
kernel_rw_pipe(restorecon_t)
kernel_read_system_state(restorecon_t)
# cjp: why is this needed?
dev_rw_generic_file(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
fs_list_all(restorecon_t)
selinux_get_fs_mount(restorecon_t)
selinux_validate_context(restorecon_t)
selinux_compute_access_vector(restorecon_t)
selinux_compute_create_context(restorecon_t)
selinux_compute_relabel_context(restorecon_t)
selinux_compute_user_contexts(restorecon_t)
2005-06-10 01:01:13 +00:00
term_use_unallocated_tty(restorecon_t)
2005-05-04 17:01:46 +00:00
2005-06-13 17:35:46 +00:00
init_use_fd(restorecon_t)
init_use_script_pty(restorecon_t)
2005-06-13 17:35:46 +00:00
domain_use_wide_inherit_fd(restorecon_t)
2005-05-04 17:01:46 +00:00
2005-06-13 17:35:46 +00:00
files_read_etc_runtime_files(restorecon_t)
files_read_etc_files(restorecon_t)
2005-06-13 17:35:46 +00:00
libs_use_ld_so(restorecon_t)
libs_use_shared_libs(restorecon_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(restorecon_t)
2005-06-13 17:35:46 +00:00
userdom_use_all_user_fd(restorecon_t)
2005-05-18 21:00:56 +00:00
# relabeling rules
2005-06-10 01:01:13 +00:00
kernel_relabel_unlabeled(restorecon_t)
2005-06-13 16:22:32 +00:00
dev_relabel_all_dev_nodes(restorecon_t)
2005-05-25 20:58:21 +00:00
files_relabel_all_files(restorecon_t)
2005-06-13 17:35:46 +00:00
files_list_all_dirs(restorecon_t)
2005-05-09 18:50:20 +00:00
# this is to satisfy the assertion:
2005-06-13 17:35:46 +00:00
auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', `
2005-06-29 20:53:53 +00:00
fs_use_tmpfs_chr_dev(restorecon_t)
fs_use_tmpfs_blk_dev(restorecon_t)
fs_relabel_tmpfs_blk_dev(restorecon_t)
fs_relabel_tmpfs_chr_dev(restorecon_t)
')
ifdef(`hide_broken_symptoms',`
udev_donaudit_rw_unix_dgram_socket(restorecon_t)
')
2005-06-21 17:01:45 +00:00
optional_policy(`hotplug.te',`
hotplug_use_fd(restorecon_t)
')
ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
') dnl endif TODO
#################################
#
# Run_init local policy
#
selinux_get_fs_mount(run_init_t)
selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t)
selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
2005-06-09 18:08:26 +00:00
allow run_init_t self:fifo_file rw_file_perms;
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
2005-06-10 01:01:13 +00:00
fs_getattr_xattr_fs(run_init_t)
2005-06-13 17:35:46 +00:00
dev_dontaudit_list_all_dev_nodes(run_init_t)
2005-06-10 01:01:13 +00:00
term_dontaudit_list_ptys(run_init_t)
2005-06-13 17:35:46 +00:00
auth_domtrans_chk_passwd(run_init_t)
auth_dontaudit_read_shadow(run_init_t)
2005-06-13 17:35:46 +00:00
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
2005-06-13 17:35:46 +00:00
domain_use_wide_inherit_fd(run_init_t)
files_read_etc_files(run_init_t)
2005-06-13 17:35:46 +00:00
files_dontaudit_search_all_dirs(run_init_t)
2005-06-13 17:35:46 +00:00
init_domtrans_script(run_init_t)
# for utmp
2005-06-13 17:35:46 +00:00
init_rw_script_pid(run_init_t)
2005-06-13 17:35:46 +00:00
libs_use_ld_so(run_init_t)
libs_use_shared_libs(run_init_t)
seutil_read_config(run_init_t)
seutil_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(run_init_t)
') dnl end ifdef targeted policy
ifdef(`TODO',`
ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
2005-06-13 17:35:46 +00:00
domain_entry_file(run_init_t,initrc_exec_t)
2005-06-21 17:01:45 +00:00
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
')
') dnl end TODO
########################################
#
# Setfiles local policy
#
allow setfiles_t self:capability { dac_override dac_read_search fowner };
2005-06-09 18:08:26 +00:00
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t)
kernel_list_unlabeled(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
selinux_get_fs_mount(setfiles_t)
selinux_validate_context(setfiles_t)
selinux_compute_access_vector(setfiles_t)
selinux_compute_create_context(setfiles_t)
selinux_compute_relabel_context(setfiles_t)
selinux_compute_user_contexts(setfiles_t)
2005-06-10 01:01:13 +00:00
term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t)
2005-06-13 17:35:46 +00:00
init_use_fd(setfiles_t)
init_use_script_fd(setfiles_t)
init_use_script_pty(setfiles_t)
2005-06-13 17:35:46 +00:00
domain_use_wide_inherit_fd(setfiles_t)
2005-05-04 17:01:46 +00:00
2005-06-13 17:35:46 +00:00
libs_use_ld_so(setfiles_t)
libs_use_shared_libs(setfiles_t)
2005-06-13 17:35:46 +00:00
files_read_etc_runtime_files(setfiles_t)
files_read_etc_files(setfiles_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t)
2005-06-13 17:35:46 +00:00
userdom_use_all_user_fd(setfiles_t)
# for config files in a home directory
2005-06-30 18:54:08 +00:00
userdom_read_all_user_files(setfiles_t)
2005-05-18 21:00:56 +00:00
# relabeling rules
2005-06-10 01:01:13 +00:00
kernel_relabel_unlabeled(setfiles_t)
2005-06-13 16:22:32 +00:00
dev_relabel_all_dev_nodes(setfiles_t)
2005-06-13 17:35:46 +00:00
files_list_all_dirs(setfiles_t)
2005-05-25 20:58:21 +00:00
files_relabel_all_files(setfiles_t)
2005-05-09 18:50:20 +00:00
# this is to satisfy the assertion:
2005-06-13 17:35:46 +00:00
auth_relabelto_shadow(setfiles_t)
ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute };
') dnl endif TODO