selinux-policy/targeted/assert.te

41 lines
1.5 KiB
Plaintext
Raw Normal View History

2005-10-21 18:05:21 +00:00
##############################
#
# Assertions for the type enforcement (TE) configuration.
#
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added. Access
# vector assertions use the same syntax as access vector rules.
#
# Confined domains must never touch an unconfined domain except to
# send SIGCHLD for child termination notifications.
neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;
# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition};
# for gross mistakes in policy
neverallow domain domain:dir ~r_dir_perms;
neverallow domain domain:file_class_set ~rw_file_perms;
neverallow domain file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;