selinux-policy/refpolicy/policy/modules/system/domain.if

703 lines
16 KiB
Plaintext
Raw Normal View History

2005-05-23 15:49:03 +00:00
## <summary>Core policy for domains.</summary>
2005-07-05 17:47:15 +00:00
## <required val="true">
## Contains the concept of a domain.
## </required>
2005-04-20 19:07:16 +00:00
2005-04-14 20:18:17 +00:00
########################################
#
2005-06-13 17:35:46 +00:00
# domain_base_domain_type(domain)
2005-04-14 20:18:17 +00:00
#
interface(`domain_base_domain_type',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rw_file_perms;
class process { fork sigchld };
')
2005-04-14 20:18:17 +00:00
# mark as a domain
typeattribute $1 domain;
2005-04-14 20:18:17 +00:00
# allow the domain to read its /proc/pid entries
2005-06-09 14:50:48 +00:00
allow $1 self:dir r_dir_perms;
2005-06-16 20:30:59 +00:00
allow $1 self:lnk_file r_file_perms;
allow $1 self:file rw_file_perms;
2005-04-14 20:18:17 +00:00
# allow $1 to create child processes in this domain
allow $1 self:process { fork sigchld };
2005-07-18 20:17:21 +00:00
# Files with domain types are currently only proc files
# self is excepted since domains and files can have
# the same type in SEFramework
# cjp: perhaps this should be a conditional exception,
# so it is excepted only on SEFramework policies
neverallow $1 { domain -$1 }:dir ~r_dir_perms;
neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
2005-04-14 20:18:17 +00:00
')
########################################
#
2005-06-13 17:35:46 +00:00
# domain_type(domain)
2005-04-14 20:18:17 +00:00
#
interface(`domain_type',`
# start with basic domain
2005-06-13 17:35:46 +00:00
domain_base_domain_type($1)
# Use trusted objects in /dev
2005-06-13 16:22:32 +00:00
dev_rw_null_dev($1)
dev_rw_zero_dev($1)
2005-06-10 01:01:13 +00:00
term_use_controlling_term($1)
# read the root directory
2005-06-13 17:35:46 +00:00
files_list_root($1)
# send init a sigchld
init_sigchld($1)
2005-05-23 17:56:35 +00:00
2005-07-06 20:28:29 +00:00
ifdef(`targeted_policy',`
unconfined_use_fd($1)
unconfined_sigchld($1)
')
# this seems highly questionable:
optional_policy(`rpm.te',`
2005-06-13 17:35:46 +00:00
rpm_use_fd($1)
rpm_read_pipe($1)
')
2005-04-14 20:18:17 +00:00
')
########################################
#
2005-06-13 17:35:46 +00:00
# domain_entry_file(domain,entrypointfile)
2005-04-14 20:18:17 +00:00
#
interface(`domain_entry_file',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute entry_type;
class file entrypoint;
')
files_type($2)
allow $1 $2:file entrypoint;
typeattribute $2 entry_type;
2005-04-14 20:18:17 +00:00
')
########################################
#
2005-06-13 17:35:46 +00:00
# domain_wide_inherit_fd(domain)
#
interface(`domain_wide_inherit_fd',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute privfd;
')
typeattribute $1 privfd;
')
2005-06-23 15:37:39 +00:00
########################################
#
# domain_dyntrans_type(domain)
#
interface(`domain_dyntrans_type',`
gen_require(`
attribute set_curr_context;
')
typeattribute $1 set_curr_context;
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Makes caller an exception to the constraint preventing
## changing of user identity.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
#
interface(`domain_subj_id_change_exempt',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute can_change_process_identity;
')
typeattribute $1 can_change_process_identity;
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Makes caller an exception to the constraint preventing
## changing of role.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
#
interface(`domain_role_change_exempt',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute can_change_process_role;
')
typeattribute $1 can_change_process_role;
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
#
interface(`domain_obj_id_change_exempt',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute can_change_object_identity;
')
typeattribute $1 can_change_object_identity;
')
2005-04-28 21:41:09 +00:00
########################################
#
2005-06-13 17:35:46 +00:00
# domain_use_wide_inherit_fd(domain)
2005-04-28 21:41:09 +00:00
#
interface(`domain_use_wide_inherit_fd',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute privfd;
class fd use;
')
allow $1 privfd:fd use;
2005-04-28 21:41:09 +00:00
')
########################################
#
2005-06-13 17:35:46 +00:00
# domain_dontaudit_use_wide_inherit_fd(domain)
#
interface(`domain_dontaudit_use_wide_inherit_fd',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute privfd;
class fd use;
')
dontaudit $1 privfd:fd use;
')
2005-06-29 20:53:53 +00:00
########################################
## <summary>
## Send a SIGCHLD signal to domains whose file
## discriptors are widely inheritable.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: this was added because of newrole
interface(`domain_sigchld_wide_inherit_fd',`
gen_require(`
attribute privfd;
class process signal;
')
dontaudit $1 privfd:fd use;
')
2005-05-18 13:21:00 +00:00
########################################
#
2005-06-13 17:35:46 +00:00
# domain_setpriority_all_domains(domain)
2005-05-18 13:21:00 +00:00
#
interface(`domain_setpriority_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class process setsched;
')
allow $1 domain:process setsched;
2005-05-18 13:21:00 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send general signals to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`domain_signal_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class process signal;
')
allow $1 domain:process signal;
2005-04-14 20:18:17 +00:00
')
2005-05-23 15:49:03 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a null signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-23 15:49:03 +00:00
#
interface(`domain_signull_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class process signull;
')
allow $1 domain:process signull;
2005-05-23 15:49:03 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a stop signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-27 20:44:05 +00:00
#
interface(`domain_sigstop_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class process sigstop;
')
allow $1 domain:process sigstop;
2005-05-27 20:44:05 +00:00
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a child terminated signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`domain_sigchld_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class process sigchld;
')
allow $1 domain:process sigchld;
2005-05-27 20:44:05 +00:00
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a kill signal to all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`domain_kill_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class process sigkill;
class capability kill;
')
allow $1 domain:process sigkill;
allow $1 self:capability kill;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-19 18:40:31 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read the process state (/proc/pid) of all domains.
2005-07-19 18:40:31 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`domain_read_all_domains_state',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
class process { getattr ptrace };
')
2005-06-09 14:50:48 +00:00
allow $1 domain:dir r_dir_perms;
allow $1 domain:lnk_file r_file_perms;
allow $1 domain:file r_file_perms;
allow $1 domain:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 domain:process ptrace;
2005-04-14 20:18:17 +00:00
')
2005-07-19 18:40:31 +00:00
########################################
## <summary>
## Do not audit attempts to read the process
## state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_read_all_domains_state',`
gen_require(`
attribute domain;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
class process { getattr ptrace };
')
dontaudit $1 domain:dir r_dir_perms;
dontaudit $1 domain:lnk_file r_file_perms;
dontaudit $1 domain:file r_file_perms;
dontaudit $1 domain:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 domain:process ptrace;
')
2005-05-26 20:38:45 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to read the process state
## directories of all domains.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-26 20:38:45 +00:00
#
interface(`domain_dontaudit_list_all_domains_proc',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class dir r_dir_perms;
')
dontaudit $1 domain:dir r_dir_perms;
2005-05-26 20:38:45 +00:00
')
########################################
2005-07-19 18:40:31 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Get the session ID of all domains.
2005-07-19 18:40:31 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-26 20:38:45 +00:00
#
interface(`domain_getsession_all_domains',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class process getsession;
')
allow $1 domain:process getsession;
2005-05-26 20:38:45 +00:00
')
2005-07-19 18:40:31 +00:00
########################################
## <summary>
## Do not audit attempts to get the
## session ID of all domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getsession_all_domains',`
gen_require(`
attribute domain;
class process getsession;
')
allow $1 domain:process getsession;
')
########################################
## <summary>
## Get the attributes of all domains
## sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Get the attributes of all domains
## sockets, for all socket types.
## </p>
## <p>
## This is commonly used for domains
## that can use lsof on all domains.
## </p>
## </desc>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`domain_getattr_all_sockets',`
gen_require(`
gen_require_set(getattr,socket_class_set)
')
allow $1 domain:socket_class_set getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </p>
## <p>
## This interface was added for PCMCIA cardmgr
## and is probably excessive.
## </p>
## </desc>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`domain_dontaudit_getattr_all_sockets',`
gen_require(`
gen_require_set(getattr,socket_class_set)
')
dontaudit $1 domain:socket_class_set getattr;
')
2005-05-30 21:17:20 +00:00
########################################
2005-07-18 18:31:49 +00:00
## <summary>
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
gen_require(`
attribute domain;
class tcp_socket getattr;
')
dontaudit $1 domain:tcp_socket getattr;
')
########################################
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
2005-07-18 18:31:49 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-30 21:17:20 +00:00
#
interface(`domain_dontaudit_getattr_all_udp_sockets',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class udp_socket getattr;
')
dontaudit $1 domain:udp_socket getattr;
2005-05-30 21:17:20 +00:00
')
########################################
2005-07-18 18:31:49 +00:00
## <summary>
## Do not audit attempts to read or write
## all domains UDP sockets.
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-30 21:17:20 +00:00
#
2005-07-18 18:31:49 +00:00
interface(`domain_dontaudit_rw_all_udp_sockets',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
2005-07-18 18:31:49 +00:00
class udp_socket { read write };
2005-06-16 20:30:59 +00:00
')
2005-07-18 18:31:49 +00:00
dontaudit $1 domain:udp_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to read or write
## all domains key sockets.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_rw_all_key_sockets',`
gen_require(`
attribute domain;
class key_socket { read write };
')
dontaudit $1 domain:key_socket { read write };
2005-05-30 21:17:20 +00:00
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-30 21:17:20 +00:00
#
interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class unix_dgram_socket getattr;
')
dontaudit $1 domain:unix_dgram_socket getattr;
2005-05-30 21:17:20 +00:00
')
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
2005-08-11 17:46:39 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## The type of the process performing this action.
## </param>
2005-05-30 21:17:20 +00:00
#
interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute domain;
class fifo_file getattr;
')
dontaudit $1 domain:fifo_file getattr;
2005-05-30 21:17:20 +00:00
')
########################################
2005-08-09 19:30:43 +00:00
## <summary>
## Get the attributes of entry point
## files for all domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
2005-08-09 19:30:43 +00:00
interface(`domain_getattr_all_entry_files',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute entry_type;
2005-08-09 19:30:43 +00:00
class file getattr;
class lnk_file r_file_perms;
2005-06-16 20:30:59 +00:00
')
2005-08-09 19:30:43 +00:00
allow $1 entry_type:lnk_file getattr;
allow $1 entry_type:file r_file_perms;
')
2005-05-04 21:44:51 +00:00
########################################
#
2005-06-13 17:35:46 +00:00
# domain_read_all_entry_files(domain)
2005-05-04 21:44:51 +00:00
#
interface(`domain_read_all_entry_files',`
2005-06-16 20:30:59 +00:00
gen_require(`
attribute entry_type;
class file r_file_perms;
class lnk_file r_file_perms;
')
2005-06-09 14:50:48 +00:00
allow $1 entry_type:lnk_file r_file_perms;
allow $1 entry_type:file r_file_perms;
2005-05-04 21:44:51 +00:00
')
2005-08-09 19:30:43 +00:00
########################################
#
# domain_exec_all_entry_files(domain)
#
interface(`domain_exec_all_entry_files',`
gen_require(`
attribute entry_type;
')
can_exec($1,entry_type)
')
2005-07-05 20:59:51 +00:00
########################################
## <summary>
## Unconfined access to domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_unconfined',`
gen_require(`
attribute domain, set_curr_context;
2005-07-20 17:24:23 +00:00
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
2005-07-05 20:59:51 +00:00
class fd use;
class fifo_file rw_file_perms;
class process { transition dyntransition execmem };
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
2005-07-20 17:24:23 +00:00
# pass all constraints
typeattribute $1 can_change_process_identity;
typeattribute $1 can_change_process_role;
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
2005-07-05 20:59:51 +00:00
# Use/sendto/connectto sockets created by any domain.
allow $1 domain:{ socket_class_set socket key_socket } *;
# Use descriptors and pipes created by any domain.
allow $1 domain:fd use;
allow $1 domain:fifo_file rw_file_perms;
# Act upon any other process.
allow $1 domain:process ~{ transition dyntransition execmem };
# Create/access any System V IPC objects.
allow $1 domain:{ sem msgq shm } *;
allow $1 domain:msg { send receive };
# For /proc/pid
allow $1 domain:dir r_dir_perms;
allow $1 domain:file r_file_perms;
allow $1 domain:lnk_file r_file_perms;
')
2005-06-07 14:43:14 +00:00
#
# These next macros are not interfaces, but actually are
2005-06-08 16:16:41 +00:00
# support macros. Due to the domain_ prefix, they
2005-06-16 20:30:59 +00:00
# are placed in this module, to try to prevent confusion.
2005-06-07 14:43:14 +00:00
#
########################################
#
# domain_trans(source_domain,entrypoint_file,target_domain)
#
2005-06-23 16:06:39 +00:00
template(`domain_trans',`
2005-06-16 20:30:59 +00:00
gen_require(`
class file rx_file_perms;
process { transition noatsecure siginh rlimitinh };
')
2005-06-07 14:43:14 +00:00
2005-06-09 14:50:48 +00:00
allow $1 $2:file rx_file_perms;
2005-06-07 14:43:14 +00:00
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')
########################################
#
# domain_auto_trans(source_domain,entrypoint_file,target_domain)
#
2005-06-23 16:06:39 +00:00
template(`domain_auto_trans',`
2005-06-07 14:43:14 +00:00
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')