selinux-policy/policy/modules/kernel/domain.te


policy_module(domain,1.1.4)

########################################
#
# Declarations
#

# Mark process types as domains
attribute domain;

# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined
attribute unconfined_domain_type;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# enabling setcurrent breaks process tranquility.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt;	# add userhelperdomain to this one

neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

########################################
#
# Rules applied to all domains
#

# read /proc/(pid|self) entries
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)

# create child processes in the domain
allow domain self:process { fork sigchld };

# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)

ifdef(`targeted_policy',`
	# RBAC is disabled in the targeted policy,
	# as only one role is used, system_r.
	role system_r types domain;

	# FIXME:
	# workaround until role dominance is fixed in
	# the module compiler
	role secadm_r types domain;
	role sysadm_r types domain;
	role user_r types domain;
	role staff_r types domain;
')

tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	dev_read_urand(domain)
')

optional_policy(`
	setrans_translate_context(domain)
')

########################################
#
# Unconfined access to this module
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
allow unconfined_domain_type domain:dir r_dir_perms;
allow unconfined_domain_type domain:file r_file_perms;
allow unconfined_domain_type domain:lnk_file r_file_perms;

# act on all domains keys
allow unconfined_domain_type domain:key *;
add copyright statement 2005-04-20 19:07:16 +00:00
add access to keys for unconfined 2006-07-14 13:11:42 +00:00			`policy_module(domain,1.1.4)`
add module statement macro and entrypoint executable attribute to replicate can_exec($1,exec_type) 2005-04-26 17:00:25 +00:00
more work on current modules 2005-06-30 18:54:08 +00:00			`########################################`
			`#`
			`# Declarations`
			`#`

initial commit 2005-04-14 20:18:17 +00:00			`# Mark process types as domains`
			`attribute domain;`

add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00			`# Transitions only allowed from domains to other domains`
			`neverallow domain ~domain:process { transition dyntransition };`

more merging from nsa cvs 2005-09-15 15:34:31 +00:00			`# Domains that are unconfined`
patch from dan Wed, 01 Feb 2006 08:33:30 -0500 2006-02-06 22:47:46 +00:00			`attribute unconfined_domain_type;`
more merging from nsa cvs 2005-09-15 15:34:31 +00:00
add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00			`# Domains that can set their current context`
			`# (perform dynamic transitions)`
			`attribute set_curr_context;`

			`# enabling setcurrent breaks process tranquility. If you do not`
			`# know what this means or do not understand the implications of a`
			`# dynamic transition, you should not be using it!!!`
			`neverallow { domain -set_curr_context } self:process setcurrent;`

add module statement macro and entrypoint executable attribute to replicate can_exec($1,exec_type) 2005-04-26 17:00:25 +00:00			`# entrypoint executables`
			`attribute entry_type;`

make getattr and setattr interfaces and make naming consistent 2005-04-22 19:31:32 +00:00			`# widely-inheritable file descriptors`
			`attribute privfd;`

add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00			`#`
move constraints interfaces to domain module. move sysfs and usbfs to devices module 2005-06-14 19:56:46 +00:00			`# constraint related attributes`
add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00			`#`

			`# [1] types that can change SELinux identity on transition`
move constraints interfaces to domain module. move sysfs and usbfs to devices module 2005-06-14 19:56:46 +00:00			`attribute can_change_process_identity;`
add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00
			`# [2] types that can change SELinux role on transition`
move constraints interfaces to domain module. move sysfs and usbfs to devices module 2005-06-14 19:56:46 +00:00			`attribute can_change_process_role;`
add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00
			`# [3] types that can change the SELinux identity on a filesystem`
			`# object or a socket object on a create or relabel`
move constraints interfaces to domain module. move sysfs and usbfs to devices module 2005-06-14 19:56:46 +00:00			`attribute can_change_object_identity;`

add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00			`# [3] types that can change to system_u:system_r`
			`attribute can_system_change;`
reorder 2005-06-09 21:07:58 +00:00
add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00			`# [4] types that have attribute 1 can change the SELinux`
			`# identity only if the target domain has this attribute.`
			`# Types that have attribute 2 can change the SELinux role`
			`# only if the target domain has this attribute.`
			`attribute process_user_target;`

			`# For cron jobs`
			`# [5] types used for cron daemons`
			`attribute cron_source_domain;`
			`# [6] types used for cron jobs`
			`attribute cron_job_domain;`

			`# [7] types that are unconditionally exempt from`
			`# SELinux identity and role change constraints`
			`attribute process_uncond_exempt; # add userhelperdomain to this one`
fixes pointed out by steve, plus fixes revealed by the added assertions 2005-06-23 14:19:56 +00:00
fix process object class assertion for hierarchy 2006-02-10 14:21:16 +00:00			`neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;`
add first part of changes to make base module compilable 2005-09-09 20:51:54 +00:00			`neverallow ~{ domain unlabeled_t } :process ;`
add ssp patch and move some domain_(base_)?_type() rules to the TE file. 2006-03-14 19:13:59 +00:00
			`########################################`
			`#`
			`# Rules applied to all domains`
			`#`

more TODO cleanup 2006-07-06 17:00:29 +00:00			`# read /proc/(pid\|self) entries`
add ssp patch and move some domain_(base_)?_type() rules to the TE file. 2006-03-14 19:13:59 +00:00			`allow domain self:dir r_dir_perms;`
			`allow domain self:lnk_file r_file_perms;`
			`allow domain self:file rw_file_perms;`
more TODO cleanup 2006-07-06 17:00:29 +00:00			`kernel_read_proc_symlinks(domain)`
add ssp patch and move some domain_(base_)?_type() rules to the TE file. 2006-03-14 19:13:59 +00:00
			`# create child processes in the domain`
			`allow domain self:process { fork sigchld };`

			`# Use trusted objects in /dev`
			`dev_rw_null(domain)`
			`dev_rw_zero(domain)`
			`term_use_controlling_term(domain)`

			`# list the root directory`
			`files_list_root(domain)`

			ifdef(`targeted_policy',`
			`# RBAC is disabled in the targeted policy,`
			`# as only one role is used, system_r.`
			`role system_r types domain;`

			`# FIXME:`
			`# workaround until role dominance is fixed in`
			`# the module compiler`
			`role secadm_r types domain;`
			`role sysadm_r types domain;`
			`role user_r types domain;`
			`role staff_r types domain;`
			`')`

			tunable_policy(`global_ssp',`
			`# enable reading of urandom for all domains:`
			`# this should be enabled when all programs`
			`# are compiled with ProPolice/SSP`
			`# stack smashing protection.`
			`dev_read_urand(domain)`
			`')`
move over to attributes for unconfined interfaces. 2006-04-10 21:04:51 +00:00
most of patch from dan Mon, 15 May 2006 11:58:01 -0400 2006-05-17 14:50:31 +00:00			optional_policy(`
			`setrans_translate_context(domain)`
			`')`

move over to attributes for unconfined interfaces. 2006-04-10 21:04:51 +00:00			`########################################`
			`#`
			`# Unconfined access to this module`
			`#`

			`# unconfined access also allows constraints, but this`
			`# is handled in the interface as typeattribute cannot`
			`# be used on an attribute.`

			`# Use/sendto/connectto sockets created by any domain.`
			`allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;`

			`# Use descriptors and pipes created by any domain.`
			`allow unconfined_domain_type domain:fd use;`
			`allow unconfined_domain_type domain:fifo_file rw_file_perms;`

			`# Act upon any other process.`
			`allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };`

			`# Create/access any System V IPC objects.`
			`allow unconfined_domain_type domain:{ sem msgq shm } *;`
			`allow unconfined_domain_type domain:msg { send receive };`

			`# For /proc/pid`
			`allow unconfined_domain_type domain:dir r_dir_perms;`
			`allow unconfined_domain_type domain:file r_file_perms;`
			`allow unconfined_domain_type domain:lnk_file r_file_perms;`
add access to keys for unconfined 2006-07-14 13:11:42 +00:00
			`# act on all domains keys`
			`allow unconfined_domain_type domain:key *;`