2005-05-23 15:49:03 +00:00
|
|
|
## <summary>Core policy for domains.</summary>
|
2005-07-05 17:47:15 +00:00
|
|
|
## <required val="true">
|
|
|
|
## Contains the concept of a domain.
|
|
|
|
## </required>
|
2005-04-20 19:07:16 +00:00
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-09-09 20:51:54 +00:00
|
|
|
## <summary>
|
|
|
|
## Make the specified type usable as a basic domain.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Make the specified type usable as a basic domain.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This is primarily used for kernel threads;
|
|
|
|
## generally the domain_type() interface is
|
|
|
|
## more appropriate for userland processes.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="type">
|
|
|
|
## Type to be used as a basic domain type.
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-08-18 21:27:20 +00:00
|
|
|
interface(`domain_base_type',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
# mark as a domain
|
|
|
|
typeattribute $1 domain;
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
# allow the domain to read its /proc/pid entries
|
2005-06-09 14:50:48 +00:00
|
|
|
allow $1 self:dir r_dir_perms;
|
2005-06-16 20:30:59 +00:00
|
|
|
allow $1 self:lnk_file r_file_perms;
|
|
|
|
allow $1 self:file rw_file_perms;
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
# allow $1 to create child processes in this domain
|
|
|
|
allow $1 self:process { fork sigchld };
|
2005-10-24 03:52:35 +00:00
|
|
|
|
|
|
|
ifdef(`targeted_policy',`
|
|
|
|
tunable_policy(`allow_execmem',`
|
|
|
|
allow $1 self:process execmem;
|
|
|
|
')
|
2005-11-10 20:37:31 +00:00
|
|
|
|
|
|
|
# FIXME:
|
|
|
|
# hack until role dominance is fixed in
|
|
|
|
# the module compiler
|
|
|
|
role secadm_r types $1;
|
|
|
|
role sysadm_r types $1;
|
|
|
|
role user_r types $1;
|
|
|
|
role staff_r types $1;
|
2005-10-24 03:52:35 +00:00
|
|
|
')
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-09-09 20:51:54 +00:00
|
|
|
## <summary>
|
|
|
|
## Make the specified type usable as a domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="type">
|
|
|
|
## Type to be used as a domain type.
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_type',`
|
2005-06-03 12:25:14 +00:00
|
|
|
# start with basic domain
|
2005-08-18 21:27:20 +00:00
|
|
|
domain_base_type($1)
|
2005-05-09 19:55:01 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
# Use trusted objects in /dev
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_rw_null($1)
|
|
|
|
dev_rw_zero($1)
|
2005-06-10 01:01:13 +00:00
|
|
|
term_use_controlling_term($1)
|
2005-05-09 19:55:01 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
# read the root directory
|
2005-06-13 17:35:46 +00:00
|
|
|
files_list_root($1)
|
2005-05-09 19:55:01 +00:00
|
|
|
|
2005-08-31 15:25:12 +00:00
|
|
|
# send init a sigchld and signull
|
2005-06-03 12:25:14 +00:00
|
|
|
init_sigchld($1)
|
2005-08-31 15:25:12 +00:00
|
|
|
init_signull($1)
|
2005-05-23 17:56:35 +00:00
|
|
|
|
2005-07-06 20:28:29 +00:00
|
|
|
ifdef(`targeted_policy',`
|
|
|
|
unconfined_use_fd($1)
|
|
|
|
unconfined_sigchld($1)
|
|
|
|
')
|
|
|
|
|
2005-09-20 20:48:17 +00:00
|
|
|
# allow any domain to connect to the LDAP server
|
2005-11-23 20:24:27 +00:00
|
|
|
optional_policy(`ldap',`
|
2005-09-20 20:48:17 +00:00
|
|
|
ldap_use($1)
|
|
|
|
')
|
|
|
|
|
2005-10-24 00:54:39 +00:00
|
|
|
# these 3 seem highly questionable:
|
2005-11-23 20:24:27 +00:00
|
|
|
optional_policy(`rpm',`
|
2005-06-13 17:35:46 +00:00
|
|
|
rpm_use_fd($1)
|
2006-02-02 21:08:12 +00:00
|
|
|
rpm_read_pipes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
')
|
2005-10-24 00:54:39 +00:00
|
|
|
|
2005-11-23 20:24:27 +00:00
|
|
|
optional_policy(`selinux',`
|
2005-10-24 19:50:21 +00:00
|
|
|
selinux_dontaudit_read_fs($1)
|
2005-10-24 00:54:39 +00:00
|
|
|
')
|
|
|
|
|
2005-11-23 20:24:27 +00:00
|
|
|
optional_policy(`selinuxutil',`
|
2005-10-24 00:54:39 +00:00
|
|
|
seutil_dontaudit_read_config($1)
|
|
|
|
')
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-09-09 20:51:54 +00:00
|
|
|
## <summary>
|
|
|
|
## Make the specified type usable as
|
|
|
|
## an entry point for the domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain to be entered.
|
|
|
|
## </param>
|
|
|
|
## <param name="type">
|
|
|
|
## Type of program used for entering
|
|
|
|
## the domain.
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_entry_file',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type($2)
|
2005-09-09 20:51:54 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 $2:file entrypoint;
|
2005-09-09 20:51:54 +00:00
|
|
|
allow $1 $2:file rx_file_perms;
|
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
typeattribute $2 entry_type;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-04-22 19:31:32 +00:00
|
|
|
########################################
|
|
|
|
#
|
2005-06-13 17:35:46 +00:00
|
|
|
# domain_wide_inherit_fd(domain)
|
2005-04-22 19:31:32 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_wide_inherit_fd',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute privfd;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
typeattribute $1 privfd;
|
2005-04-22 19:31:32 +00:00
|
|
|
')
|
|
|
|
|
2005-06-23 15:37:39 +00:00
|
|
|
########################################
|
|
|
|
#
|
|
|
|
# domain_dyntrans_type(domain)
|
|
|
|
#
|
|
|
|
interface(`domain_dyntrans_type',`
|
|
|
|
gen_require(`
|
|
|
|
attribute set_curr_context;
|
|
|
|
')
|
|
|
|
|
|
|
|
typeattribute $1 set_curr_context;
|
|
|
|
')
|
|
|
|
|
2005-09-20 20:48:17 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Makes caller and execption to the constraint
|
|
|
|
## preventing changing to the system user
|
|
|
|
## identity and system role.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`domain_system_change_exemption',`
|
2005-09-20 20:48:17 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute can_system_change;
|
|
|
|
')
|
|
|
|
|
|
|
|
typeattribute $1 can_system_change;
|
|
|
|
')
|
|
|
|
|
2005-06-14 19:56:46 +00:00
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Makes caller an exception to the constraint preventing
|
|
|
|
## changing of user identity.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The process type to make an exception to the constraint.
|
|
|
|
## </param>
|
2005-06-14 19:56:46 +00:00
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`domain_subj_id_change_exemption',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute can_change_process_identity;
|
|
|
|
')
|
2005-06-14 19:56:46 +00:00
|
|
|
|
|
|
|
typeattribute $1 can_change_process_identity;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Makes caller an exception to the constraint preventing
|
|
|
|
## changing of role.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The process type to make an exception to the constraint.
|
|
|
|
## </param>
|
2005-06-14 19:56:46 +00:00
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`domain_role_change_exemption',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute can_change_process_role;
|
|
|
|
')
|
2005-06-14 19:56:46 +00:00
|
|
|
|
|
|
|
typeattribute $1 can_change_process_role;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Makes caller an exception to the constraint preventing
|
|
|
|
## changing the user identity in object contexts.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The process type to make an exception to the constraint.
|
|
|
|
## </param>
|
2005-06-14 19:56:46 +00:00
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`domain_obj_id_change_exemption',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute can_change_object_identity;
|
|
|
|
')
|
2005-06-14 19:56:46 +00:00
|
|
|
|
|
|
|
typeattribute $1 can_change_object_identity;
|
|
|
|
')
|
|
|
|
|
2005-09-09 20:51:54 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Make the specified domain the target of
|
|
|
|
## the user domain exception of the
|
|
|
|
## SELinux role and identity change
|
|
|
|
## constraints.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Make the specified domain the target of
|
|
|
|
## the user domain exception of the
|
|
|
|
## SELinux role and identity change
|
|
|
|
## constraints.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface is needed to decouple
|
|
|
|
## the user domains from the base module.
|
|
|
|
## It should not be used other than on
|
|
|
|
## user domains.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain target for user exemption.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_user_exemption_target',`
|
|
|
|
gen_require(`
|
|
|
|
attribute process_user_target;
|
|
|
|
')
|
|
|
|
|
|
|
|
typeattribute $1 process_user_target;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Make the specified domain the source of
|
|
|
|
## the cron domain exception of the
|
|
|
|
## SELinux role and identity change
|
|
|
|
## constraints.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Make the specified domain the source of
|
|
|
|
## the cron domain exception of the
|
|
|
|
## SELinux role and identity change
|
|
|
|
## constraints.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface is needed to decouple
|
|
|
|
## the cron domains from the base module.
|
|
|
|
## It should not be used other than on
|
|
|
|
## cron domains.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain target for user exemption.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_cron_exemption_source',`
|
|
|
|
gen_require(`
|
|
|
|
attribute cron_source_domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
typeattribute $1 cron_source_domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Make the specified domain the target of
|
|
|
|
## the cron domain exception of the
|
|
|
|
## SELinux role and identity change
|
|
|
|
## constraints.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Make the specified domain the target of
|
|
|
|
## the cron domain exception of the
|
|
|
|
## SELinux role and identity change
|
|
|
|
## constraints.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface is needed to decouple
|
|
|
|
## the cron domains from the base module.
|
|
|
|
## It should not be used other than on
|
|
|
|
## user cron jobs.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain target for user exemption.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_cron_exemption_target',`
|
|
|
|
gen_require(`
|
|
|
|
attribute cron_job_domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
typeattribute $1 cron_job_domain;
|
|
|
|
')
|
|
|
|
|
2005-04-28 21:41:09 +00:00
|
|
|
########################################
|
|
|
|
#
|
2005-06-13 17:35:46 +00:00
|
|
|
# domain_use_wide_inherit_fd(domain)
|
2005-04-28 21:41:09 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_use_wide_inherit_fd',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute privfd;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 privfd:fd use;
|
2005-04-28 21:41:09 +00:00
|
|
|
')
|
|
|
|
|
2005-05-03 20:23:33 +00:00
|
|
|
########################################
|
|
|
|
#
|
2005-06-13 17:35:46 +00:00
|
|
|
# domain_dontaudit_use_wide_inherit_fd(domain)
|
2005-05-03 20:23:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_dontaudit_use_wide_inherit_fd',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute privfd;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
dontaudit $1 privfd:fd use;
|
2005-05-03 20:23:33 +00:00
|
|
|
')
|
|
|
|
|
2005-06-29 20:53:53 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send a SIGCHLD signal to domains whose file
|
|
|
|
## discriptors are widely inheritable.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
# cjp: this was added because of newrole
|
|
|
|
interface(`domain_sigchld_wide_inherit_fd',`
|
|
|
|
gen_require(`
|
|
|
|
attribute privfd;
|
|
|
|
')
|
|
|
|
|
2005-10-26 18:07:20 +00:00
|
|
|
allow $1 privfd:process sigchld;
|
2005-06-29 20:53:53 +00:00
|
|
|
')
|
|
|
|
|
2005-05-18 13:21:00 +00:00
|
|
|
########################################
|
|
|
|
#
|
2005-06-13 17:35:46 +00:00
|
|
|
# domain_setpriority_all_domains(domain)
|
2005-05-18 13:21:00 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_setpriority_all_domains',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 domain:process setsched;
|
2005-05-18 13:21:00 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Send general signals to all domains.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_signal_all_domains',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 domain:process signal;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-05-23 15:49:03 +00:00
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Send a null signal to all domains.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-23 15:49:03 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_signull_all_domains',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 domain:process signull;
|
2005-05-23 15:49:03 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Send a stop signal to all domains.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-27 20:44:05 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_sigstop_all_domains',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 domain:process sigstop;
|
2005-05-27 20:44:05 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Send a child terminated signal to all domains.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_sigchld_all_domains',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 domain:process sigchld;
|
2005-05-27 20:44:05 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Send a kill signal to all domains.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_kill_all_domains',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 domain:process sigkill;
|
|
|
|
allow $1 self:capability kill;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
2005-11-29 21:27:15 +00:00
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search the process state directory (/proc/pid) of all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_search_all_domains_state',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
kernel_search_proc($1)
|
|
|
|
allow $1 domain:dir search;
|
|
|
|
')
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-11-29 21:27:15 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to search the process
|
|
|
|
## state directory (/proc/pid) of all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain to not audit.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_search_all_domains_state',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:dir search_dir_perms;
|
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-19 18:40:31 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read the process state (/proc/pid) of all domains.
|
2005-07-19 18:40:31 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2005-09-15 15:34:31 +00:00
|
|
|
## Domain allowed access.
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_read_all_domains_state',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
kernel_search_proc($1)
|
2005-06-09 14:50:48 +00:00
|
|
|
allow $1 domain:dir r_dir_perms;
|
|
|
|
allow $1 domain:lnk_file r_file_perms;
|
|
|
|
allow $1 domain:file r_file_perms;
|
2005-09-16 14:54:36 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-09-16 14:54:36 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all domains of all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_getattr_all_domains',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 domain:process getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-11-29 15:49:18 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all domains of all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getattr_all_domains',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:process getattr;
|
|
|
|
')
|
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2005-09-16 14:54:36 +00:00
|
|
|
## Read the process state (/proc/pid) of all confined domains.
|
2005-09-15 15:34:31 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_read_confined_domains_state',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain, unconfined_domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
kernel_search_proc($1)
|
|
|
|
allow $1 { domain -unconfined_domain }:dir r_dir_perms;
|
|
|
|
allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
|
|
|
|
allow $1 { domain -unconfined_domain }:file r_file_perms;
|
|
|
|
|
|
|
|
dontaudit $1 unconfined_domain:dir search;
|
2005-10-22 17:44:04 +00:00
|
|
|
dontaudit $1 unconfined_domain:file { getattr read };
|
2005-09-16 14:54:36 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all confined domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_getattr_confined_domains',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain, unconfined_domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 { domain -unconfined_domain }:process getattr;
|
|
|
|
')
|
|
|
|
|
2005-09-27 19:40:44 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Ptrace all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_ptrace_all_domains',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 domain:process ptrace;
|
2005-12-12 16:52:46 +00:00
|
|
|
allow domain $1:process sigchld;
|
2005-09-27 19:40:44 +00:00
|
|
|
')
|
|
|
|
|
2005-09-16 14:54:36 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to ptrace all domains.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Do not audit attempts to ptrace all domains.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## Generally this needs to be suppressed because procps tries to access
|
|
|
|
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
|
|
## (2.4 and 2.6).
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_ptrace_all_domains',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:process ptrace;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to ptrace confined domains.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Do not audit attempts to ptrace confined domains.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## Generally this needs to be suppressed because procps tries to access
|
|
|
|
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
|
|
## (2.4 and 2.6).
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_ptrace_confined_domains',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain, unconfined_domain;
|
|
|
|
')
|
2005-09-15 15:34:31 +00:00
|
|
|
|
|
|
|
dontaudit $1 { domain -unconfined_domain }:process ptrace;
|
|
|
|
')
|
|
|
|
|
2005-07-19 18:40:31 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read the process
|
|
|
|
## state (/proc/pid) of all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_read_all_domains_state',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:dir r_dir_perms;
|
|
|
|
dontaudit $1 domain:lnk_file r_file_perms;
|
|
|
|
dontaudit $1 domain:file r_file_perms;
|
2005-11-29 15:49:18 +00:00
|
|
|
|
|
|
|
# cjp: these should be removed:
|
|
|
|
dontaudit $1 domain:sock_file r_file_perms;
|
|
|
|
dontaudit $1 domain:fifo_file r_file_perms;
|
2005-07-19 18:40:31 +00:00
|
|
|
')
|
|
|
|
|
2005-05-26 20:38:45 +00:00
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to read the process state
|
|
|
|
## directories of all domains.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-26 20:38:45 +00:00
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`domain_dontaudit_list_all_domains_state',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
dontaudit $1 domain:dir r_dir_perms;
|
2005-05-26 20:38:45 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-19 18:40:31 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the session ID of all domains.
|
2005-07-19 18:40:31 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-26 20:38:45 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_getsession_all_domains',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 domain:process getsession;
|
2005-05-26 20:38:45 +00:00
|
|
|
')
|
|
|
|
|
2005-07-19 18:40:31 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the
|
|
|
|
## session ID of all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getsession_all_domains',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
2005-09-01 20:13:42 +00:00
|
|
|
dontaudit $1 domain:process getsession;
|
2005-07-19 18:40:31 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all domains
|
|
|
|
## sockets, for all socket types.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Get the attributes of all domains
|
|
|
|
## sockets, for all socket types.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This is commonly used for domains
|
|
|
|
## that can use lsof on all domains.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_getattr_all_sockets',`
|
|
|
|
gen_require(`
|
2006-02-01 14:00:11 +00:00
|
|
|
attribute domain;
|
2005-07-19 18:40:31 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 domain:socket_class_set getattr;
|
|
|
|
')
|
|
|
|
|
2005-07-15 15:53:54 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all domains sockets, for all socket types.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all domains sockets, for all socket types.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface was added for PCMCIA cardmgr
|
|
|
|
## and is probably excessive.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain to not audit.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getattr_all_sockets',`
|
|
|
|
gen_require(`
|
2006-02-01 14:00:11 +00:00
|
|
|
attribute domain;
|
2005-07-15 15:53:54 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:socket_class_set getattr;
|
|
|
|
')
|
|
|
|
|
2005-05-30 21:17:20 +00:00
|
|
|
########################################
|
2005-07-18 18:31:49 +00:00
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all domains TCP sockets.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:tcp_socket getattr;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all domains UDP sockets.
|
2005-07-18 18:31:49 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-30 21:17:20 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_dontaudit_getattr_all_udp_sockets',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
dontaudit $1 domain:udp_socket getattr;
|
2005-05-30 21:17:20 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-18 18:31:49 +00:00
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read or write
|
|
|
|
## all domains UDP sockets.
|
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-30 21:17:20 +00:00
|
|
|
#
|
2005-07-18 18:31:49 +00:00
|
|
|
interface(`domain_dontaudit_rw_all_udp_sockets',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-07-18 18:31:49 +00:00
|
|
|
dontaudit $1 domain:udp_socket { read write };
|
|
|
|
')
|
|
|
|
|
2005-10-10 18:11:46 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get attribues of
|
|
|
|
## all domains IPSEC key management sockets.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getattr_all_key_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:key_socket getattr;
|
|
|
|
')
|
2005-11-25 19:38:45 +00:00
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get attribues of
|
|
|
|
## all domains packet sockets.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getattr_all_packet_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:packet_socket getattr;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get attribues of
|
|
|
|
## all domains raw sockets.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getattr_all_raw_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:rawip_socket getattr;
|
|
|
|
')
|
|
|
|
|
2005-07-18 18:31:49 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read or write
|
|
|
|
## all domains key sockets.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_rw_all_key_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:key_socket { read write };
|
2005-05-30 21:17:20 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all domains unix datagram sockets.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-30 21:17:20 +00:00
|
|
|
#
|
2005-11-25 19:38:45 +00:00
|
|
|
interface(`domain_dontaudit_getattr_all_dgram_sockets',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
dontaudit $1 domain:unix_dgram_socket getattr;
|
2005-05-30 21:17:20 +00:00
|
|
|
')
|
|
|
|
|
2005-11-25 19:38:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all domains unix datagram sockets.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_dontaudit_getattr_all_stream_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 domain:unix_stream_socket getattr;
|
|
|
|
')
|
|
|
|
|
2005-05-30 21:17:20 +00:00
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all domains unnamed pipes.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
2005-05-30 21:17:20 +00:00
|
|
|
#
|
2005-11-25 19:38:45 +00:00
|
|
|
interface(`domain_dontaudit_getattr_all_pipes',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute domain;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
dontaudit $1 domain:fifo_file getattr;
|
2005-05-30 21:17:20 +00:00
|
|
|
')
|
|
|
|
|
2005-04-26 17:00:25 +00:00
|
|
|
########################################
|
2005-08-09 19:30:43 +00:00
|
|
|
## <summary>
|
|
|
|
## Get the attributes of entry point
|
|
|
|
## files for all domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
2005-04-26 17:00:25 +00:00
|
|
|
#
|
2005-08-09 19:30:43 +00:00
|
|
|
interface(`domain_getattr_all_entry_files',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-08-09 19:30:43 +00:00
|
|
|
allow $1 entry_type:lnk_file getattr;
|
|
|
|
allow $1 entry_type:file r_file_perms;
|
2005-04-26 17:00:25 +00:00
|
|
|
')
|
2005-05-04 21:44:51 +00:00
|
|
|
|
|
|
|
########################################
|
|
|
|
#
|
2005-06-13 17:35:46 +00:00
|
|
|
# domain_read_all_entry_files(domain)
|
2005-05-04 21:44:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`domain_read_all_entry_files',`
|
2005-06-16 20:30:59 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-09 14:50:48 +00:00
|
|
|
allow $1 entry_type:lnk_file r_file_perms;
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 entry_type:file r_file_perms;
|
2005-05-04 21:44:51 +00:00
|
|
|
')
|
|
|
|
|
2005-08-09 19:30:43 +00:00
|
|
|
########################################
|
|
|
|
#
|
|
|
|
# domain_exec_all_entry_files(domain)
|
|
|
|
#
|
|
|
|
interface(`domain_exec_all_entry_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
can_exec($1,entry_type)
|
|
|
|
')
|
|
|
|
|
2006-01-11 23:20:28 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete all
|
|
|
|
## entrypoint files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
# cjp: added for prelink
|
|
|
|
interface(`domain_manage_all_entry_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 entry_type:file manage_file_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Relabel to and from all entry point
|
|
|
|
## file types.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
# cjp: added for prelink
|
|
|
|
interface(`domain_relabel_all_entry_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 entry_type:file { relabelfrom relabelto };
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Mmap all entry point files as executable.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## Domain allowed access.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
# cjp: added for prelink
|
|
|
|
interface(`domain_mmap_all_entry_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 entry_type:file { getattr read execute };
|
|
|
|
')
|
|
|
|
|
2006-01-18 16:40:04 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute an entry_type in the specified domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
# cjp: added for userhelper
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`domain_entry_file_spec_domtrans',`
|
2006-01-18 16:40:04 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute entry_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_trans($1,entry_type,$2)
|
|
|
|
')
|
|
|
|
|
2005-07-05 20:59:51 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Unconfined access to domains.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## The type of the process performing this action.
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`domain_unconfined',`
|
|
|
|
gen_require(`
|
|
|
|
attribute domain, set_curr_context;
|
2005-07-20 17:24:23 +00:00
|
|
|
attribute can_change_process_identity;
|
|
|
|
attribute can_change_process_role;
|
|
|
|
attribute can_change_object_identity;
|
2005-09-19 14:18:48 +00:00
|
|
|
attribute unconfined_domain;
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
|
|
|
|
2005-09-15 15:34:31 +00:00
|
|
|
typeattribute $1 unconfined_domain;
|
|
|
|
|
2005-07-20 17:24:23 +00:00
|
|
|
# pass all constraints
|
|
|
|
typeattribute $1 can_change_process_identity;
|
|
|
|
typeattribute $1 can_change_process_role;
|
|
|
|
typeattribute $1 can_change_object_identity;
|
|
|
|
typeattribute $1 set_curr_context;
|
|
|
|
|
2005-07-05 20:59:51 +00:00
|
|
|
# Use/sendto/connectto sockets created by any domain.
|
|
|
|
allow $1 domain:{ socket_class_set socket key_socket } *;
|
|
|
|
|
|
|
|
# Use descriptors and pipes created by any domain.
|
|
|
|
allow $1 domain:fd use;
|
|
|
|
allow $1 domain:fifo_file rw_file_perms;
|
|
|
|
|
|
|
|
# Act upon any other process.
|
2006-01-19 15:55:56 +00:00
|
|
|
allow $1 domain:process ~{ transition dyntransition execmem execstack execheap };
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
# Create/access any System V IPC objects.
|
|
|
|
allow $1 domain:{ sem msgq shm } *;
|
|
|
|
allow $1 domain:msg { send receive };
|
|
|
|
|
|
|
|
# For /proc/pid
|
|
|
|
allow $1 domain:dir r_dir_perms;
|
|
|
|
allow $1 domain:file r_file_perms;
|
|
|
|
allow $1 domain:lnk_file r_file_perms;
|
|
|
|
')
|
2005-06-07 14:43:14 +00:00
|
|
|
|
|
|
|
#
|
2005-10-19 14:36:04 +00:00
|
|
|
# These next macros are not templates, but actually are
|
2005-06-08 16:16:41 +00:00
|
|
|
# support macros. Due to the domain_ prefix, they
|
2005-06-16 20:30:59 +00:00
|
|
|
# are placed in this module, to try to prevent confusion.
|
2005-10-19 14:36:04 +00:00
|
|
|
# They are called templates since regular m4 defines
|
|
|
|
# wont work here.
|
2005-06-07 14:43:14 +00:00
|
|
|
#
|
|
|
|
|
|
|
|
########################################
|
|
|
|
#
|
|
|
|
# domain_trans(source_domain,entrypoint_file,target_domain)
|
|
|
|
#
|
2005-06-23 16:06:39 +00:00
|
|
|
template(`domain_trans',`
|
2005-10-31 20:32:53 +00:00
|
|
|
allow $1 $2:file { getattr read execute };
|
2005-06-07 14:43:14 +00:00
|
|
|
allow $1 $3:process transition;
|
|
|
|
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
#
|
|
|
|
# domain_auto_trans(source_domain,entrypoint_file,target_domain)
|
|
|
|
#
|
2005-06-23 16:06:39 +00:00
|
|
|
template(`domain_auto_trans',`
|
2005-06-07 14:43:14 +00:00
|
|
|
domain_trans($1,$2,$3)
|
|
|
|
type_transition $1 $2:process $3;
|
|
|
|
')
|