diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 1ec4713b..1aaf7d79 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -193,8 +193,25 @@ allow kernel_t security_t:file rw_file_perms;
 allow kernel_t security_t:security load_policy;
 auditallow kernel_t security_t:security load_policy;
+# Kernel-generated traffic e.g., ICMP replies:
+corenet_raw_sendrecv_all_if(kernel_t)
+corenet_raw_sendrecv_all_nodes(kernel_t)
+# Kernel-generated traffic e.g., TCP resets:
+corenet_raw_sendrecv_all_ifaces(kernel_t)
+corenet_raw_sendrecv_all_nodes(kernel_t)
+
+terminal_use_console(kernel_t)
+
+# Mount root file system. Used when loading a policy
+# from initrd, then mounting the root filesystem
+fs_mount_all_fs(kernel_t)
+
 corecommands_execute_shell(kernel_t)
 corecommands_read_system_programs_directory(kernel_t)
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+corecommands_execute_general_programs(kernel_t)
+
+domain_signal_all_domains(kernel_t)
 files_read_root_dir(kernel_t)
 files_list_home_directories(kernel_t)
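Review bot: The "TCP resets" block calls `corenet_raw_sendrecv_all_ifaces(kernel_t)` while the "ICMP replies" block two lines above calls `corenet_raw_sendrecv_all_if(kernel_t)`, and both blocks repeat `corenet_raw_sendrecv_all_nodes(kernel_t)`; the lines this hunk replaces granted the resets through `corenetwork_sendrecv_tcp_on_all_interfaces`/`_nodes`, so on the new side kernel_t no longer gets any TCP send/recv, and unless corenetwork.if really defines both the `_all_if` and `_all_ifaces` spellings one of the two raw calls will fail to resolve at policy build. Assuming the TCP interfaces follow the same naming as the raw ones, the second block should read `corenet_tcp_sendrecv_all_if(kernel_t)` and `corenet_tcp_sendrecv_all_nodes(kernel_t)`, and the duplicated raw `_all_nodes` call goes away with it. The rest of this rule run continues past the hunk, so I have not checked for further duplicates below.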
@@ -205,39 +222,15 @@ init_sigchld(kernel_t)
 libraries_use_dynamic_loader(kernel_t)
 libraries_use_shared_libraries(kernel_t)
-selinux_read_config(kernel_t)
-selinux_read_binary_policy(kernel_t)
-
-terminal_use_console(kernel_t)
-domain_signal_all_domains(kernel_t)
-
-# Mount root file system. Used when loading a policy
-# from initrd, then mounting the root filesystem
-fs_mount_all_fs(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-corecommands_execute_general_programs(kernel_t)
-
 logging_send_system_log_message(kernel_t)
-# Kernel-generated traffic, e.g. ICMP replies.
-corenetwork_sendrecv_raw_on_all_interfaces(kernel_t)
-corenetwork_sendrecv_raw_on_all_nodes(kernel_t)
-
-# Kernel-generated traffic, e.g. TCP resets.
-corenetwork_sendrecv_tcp_on_all_interfaces(kernel_t)
-corenetwork_sendrecv_tcp_on_all_nodes(kernel_t)
+selinux_read_config(kernel_t)
+selinux_read_binary_policy(kernel_t)
 neverallow ~can_load_policy security_t:security load_policy;
 neverallow ~can_setenforce security_t:security setenforce;
 neverallow ~can_setsecparam security_t:security setsecparam;
-
-# enabling dyntransition breaks process tranquility. If you dont
-# know what this means or dont understand the implications of a
-# dynamic transition, you shouldnt be using it!!!
-neverallow * *:process { setcurrent dyntransition };
-
-neverallow ~can_load_kernmodule *:capability sys_module;
+neverallow ~can_load_kernmodule self:capability sys_module;
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 58659782..bc5e3870 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
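Review bot: Narrowing the sys_module rule from `*:capability` to `self:capability` is not explained, and a later reader is likely to "fix" it back to `*` as the stricter form. As far as I know the kernel evaluates capability permissions with the process's own SID as both source and target, so an `allow foo_t bar_t:capability sys_module` rule with foo_t != bar_t is dead policy and `self` already covers every reachable case; the narrowing only changes what neverallow rejects, not what the kernel grants. A comment such as `# capability checks are always self:self, so self is sufficient here` placed above the `neverallow ~can_load_kernmodule self:capability sys_module;` line would keep that intent from being lost. The removed `neverallow * *:process { setcurrent dyntransition };` is re-added in domain.te in this same commit, so I have raised its change of scope there rather than here.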
@@ -11,3 +11,8 @@ attribute entry_type;
 attribute privfd;
 neverallow domain ~domain:process { transition dyntransition };
+
+# enabling setcurrent breaks process tranquility. If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow * *:process setcurrent;
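Review bot: The new rule forbids only `setcurrent`, yet its comment warns about "the implications of a dynamic transition"; the `dyntransition` half of the kernel.te rule this replaces is gone from the commit, and the existing line above it only forbids `dyntransition` into types outside `domain`. Since a dynamic transition needs both `setcurrent` on the process and `dyntransition` from the old to the new context, the guarantee is probably unchanged in practice, but any future policy that grants `setcurrent` to one domain would also get domain-to-domain `dyntransition` with no neverallow left to flag it. Either keep the original scope with `neverallow * *:process { setcurrent dyntransition };`, or reword the comment to say that `setcurrent` is the single gate being closed and that `dyntransition` between domains is deliberately left to the rule above.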