41 lines
1.5 KiB
Plaintext
41 lines
1.5 KiB
Plaintext
|
##############################
|
||
|
#
|
||
|
# Assertions for the type enforcement (TE) configuration.
|
||
|
#
|
||
|
|
||
|
#
|
||
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||
|
#
|
||
|
|
||
|
##################################
|
||
|
#
|
||
|
# Access vector assertions.
|
||
|
#
|
||
|
# An access vector assertion specifies permissions that should not be in
|
||
|
# an access vector based on a source type, a target type, and a class.
|
||
|
# If any of the specified permissions are in the corresponding access
|
||
|
# vector, then the policy compiler will reject the policy configuration.
|
||
|
# Currently, there is only one kind of access vector assertion, neverallow,
|
||
|
# but support for the other kinds of vectors could be easily added. Access
|
||
|
# vector assertions use the same syntax as access vector rules.
|
||
|
#
|
||
|
|
||
|
# Confined domains must never touch an unconfined domain except to
|
||
|
# send SIGCHLD for child termination notifications.
|
||
|
neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;
|
||
|
|
||
|
# Confined domains must never see /proc/pid entries for an unconfined domain.
|
||
|
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
|
||
|
|
||
|
#
|
||
|
# Verify that every type that can be entered by
|
||
|
# a domain is also tagged as a domain.
|
||
|
#
|
||
|
neverallow domain ~domain:process { transition dyntransition};
|
||
|
|
||
|
# for gross mistakes in policy
|
||
|
neverallow domain domain:dir ~r_dir_perms;
|
||
|
neverallow domain domain:file_class_set ~rw_file_perms;
|
||
|
neverallow domain file_type:process *;
|
||
|
neverallow ~{ domain unlabeled_t } *:process *;
|