# Copyright (C) 2005 Tresys Technology, LLC policy_module(selinux,1.0) ######################################## # # Declarations # attribute can_write_binary_policy; attribute can_relabelto_binary_policy; type checkpolicy_t, can_write_binary_policy; domain_make_domain(checkpolicy_t) role system_r types checkpolicy_t; type checkpolicy_exec_t; domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t) # # default_context_t is the type applied to # /etc/selinux/*/contexts/* # type default_context_t; files_make_file(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; files_make_file(file_context_t) type load_policy_t; domain_make_domain(load_policy_t) role system_r types load_policy_t; type load_policy_exec_t; domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; kernel_make_role_change_constraint_exception(newrole_t) kernel_make_object_identity_change_constraint_exception(newrole_t) domain_make_domain(newrole_t) domain_make_file_descriptors_widely_inheritable(newrole_t) type newrole_exec_t; domain_make_entrypoint_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # type policy_config_t; files_make_file(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; # # policy_src_t is the type of the policy source # files. # type policy_src_t; files_make_file(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; kernel_make_object_identity_change_constraint_exception(restorecon_t) init_make_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; type run_init_t; domain_make_domain(run_init_t) type run_init_exec_t; domain_make_entrypoint_file(run_init_t,run_init_exec_t) # # selinux_config_t is the type applied to # /etc/selinux/config # type selinux_config_t; files_make_file(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; kernel_make_object_identity_change_constraint_exception(setfiles_t) domain_make_domain(setfiles_t) role system_r types setfiles_t; type setfiles_exec_t; domain_make_entrypoint_file(setfiles_t,setfiles_exec_t) ######################################## # # Checkpolicy local policy # allow checkpolicy_t self:capability dac_override; # able to create and modify binary policy files allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write }; allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; # allow test policies to be created in src directories allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name }; type_transition checkpolicy_t policy_src_t:file policy_config_t; # only allow read of policy source files allow checkpolicy_t policy_src_t:dir { getattr search read }; allow checkpolicy_t policy_src_t:file { getattr read ioctl }; allow checkpolicy_t policy_src_t:lnk_file { getattr read }; allow checkpolicy_t selinux_config_t:dir search; filesystem_get_persistent_filesystem_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t) # directory search permissions for path to source and binary policy files files_search_general_system_config_directory(checkpolicy_t) init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) libraries_use_dynamic_loader(checkpolicy_t) libraries_use_shared_libraries(checkpolicy_t) userdomain_use_all_users_file_descriptors(checkpolicy_t) ifdef(`TODO',` # Read the devpts root directory. ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') ') dnl endif TODO ######################################## # # Load_policy local policy # allow load_policy_t self:capability dac_override; # only allow read of policy config files allow load_policy_t policy_src_t:dir search; allow load_policy_t policy_config_t:dir { getattr search read }; allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read }; allow load_policy_t selinux_config_t:dir { getattr read search }; allow load_policy_t selinux_config_t:file { read getattr }; allow load_policy_t selinux_config_t:lnk_file { getattr read }; kernel_get_selinuxfs_mount_point(load_policy_t) kernel_load_selinux_policy(load_policy_t) kernel_set_selinux_boolean(load_policy_t) filesystem_get_persistent_filesystem_attributes(load_policy_t) terminal_use_console(load_policy_t) terminal_list_pseudoterminals(load_policy_t) init_script_use_file_descriptors(load_policy_t) init_script_use_pseudoterminal(load_policy_t) domain_use_widely_inheritable_file_descriptors(load_policy_t) files_search_general_system_config_directory(load_policy_t) libraries_use_dynamic_loader(load_policy_t) libraries_use_shared_libraries(load_policy_t) miscfiles_read_localization(load_policy_t) userdomain_use_all_users_file_descriptors(load_policy_t) ######################################## # # Newrole local policy # allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow newrole_t self:process setexec; allow newrole_t self:fd use; allow newrole_t self:fifo_file { read getattr lock ioctl write append }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket connectto; allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; allow newrole_t self:msg { send receive }; allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search }; allow newrole_t { selinux_config_t default_context_t }:file { read getattr }; allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read }; kernel_read_system_state(newrole_t) kernel_read_kernel_sysctl(newrole_t) kernel_get_selinuxfs_mount_point(newrole_t) kernel_validate_selinux_context(newrole_t) kernel_compute_selinux_access_vector(newrole_t) kernel_compute_selinux_create_context(newrole_t) kernel_compute_selinux_relabel_context(newrole_t) kernel_compute_selinux_reachable_user_contexts(newrole_t) devices_get_pseudorandom_data(newrole_t) filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_use_all_private_physical_terminals(newrole_t) terminal_use_all_private_pseudoterminals(newrole_t) authlogin_check_password_transition(newrole_t) domain_use_widely_inheritable_file_descriptors(newrole_t) # Write to utmp. init_script_modify_runtime_data(newrole_t) files_read_general_system_config(newrole_t) libraries_use_dynamic_loader(newrole_t) libraries_use_shared_libraries(newrole_t) logging_send_system_log_message(newrole_t) miscfiles_read_localization(newrole_t) userdomain_use_all_unprivileged_users_file_descriptors(newrole_t) ifdef(`TODO',` can_ypbind(newrole) ifdef(`automount.te', ` allow newrole_t autofs_t:dir { search getattr }; ') # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; # Execute /sbin/pwdb_chkpwd to check the password. allow newrole_t sbin_t:dir r_dir_perms; # Execute shells allow newrole_t bin_t:dir r_dir_perms; allow newrole_t bin_t:lnk_file read; # Allow newrole_t to transition to user domains. bool secure_mode false; domain_trans(newrole_t, shell_exec_t, unpriv_userdomain) if(!secure_mode) { # if we are not in secure mode then we can transition to sysadm_t domain_trans(newrole_t, shell_exec_t, sysadm_t) } # Read /var. allow newrole_t var_t:dir r_dir_perms; allow newrole_t var_t:notdevfile_class_set r_file_perms; # Relabel terminals. allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') # for some PAM modules and for cwd dontaudit newrole_t { home_root_t home_type }:dir search; ') dnl ifdef TODO ######################################## # # Restorecon local policy # allow restorecon_t self:capability { dac_override dac_read_search fowner }; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; kernel_use_file_descriptors(restorecon_t) kernel_read_system_state(restorecon_t) kernel_get_selinuxfs_mount_point(restorecon_t) kernel_validate_selinux_context(restorecon_t) kernel_compute_selinux_access_vector(restorecon_t) kernel_compute_selinux_create_context(restorecon_t) kernel_compute_selinux_relabel_context(restorecon_t) kernel_compute_selinux_reachable_user_contexts(restorecon_t) filesystem_get_persistent_filesystem_attributes(restorecon_t) terminal_use_general_physical_terminal(restorecon_t) init_use_file_descriptors(restorecon_t) init_script_use_pseudoterminal(restorecon_t) domain_use_widely_inheritable_file_descriptors(restorecon_t) files_read_runtime_system_config(restorecon_t) files_read_general_system_config(restorecon_t) libraries_use_dynamic_loader(restorecon_t) libraries_use_shared_libraries(restorecon_t) logging_send_system_log_message(restorecon_t) userdomain_use_all_users_file_descriptors(restorecon_t) optional_policy(`hotplug.te',` hotplug_use_file_descriptors(restorecon_t) ') # relabeling rules kernel_relabel_unlabeled_object(restorecon_t) devices_manage_all_devices_labels(restorecon_t) files_relabel_all_files(restorecon_t) files_read_all_directories(restorecon_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(restorecon_t) tunable_policy(`distro_redhat', ` filesystem_use_tmpfs_character_devices(restorecon_t) filesystem_use_tmpfs_block_devices(restorecon_t) filesystem_relabel_tmpfs_block_devices(restorecon_t) filesystem_relabel_tmpfs_character_devices(restorecon_t) ') ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t device_t:file { read write }; allow restorecon_t kernel_t:fifo_file { read write }; ') dnl endif TODO ################################# # # Run_init local policy # kernel_get_selinuxfs_mount_point(run_init_t) kernel_validate_selinux_context(run_init_t) kernel_compute_selinux_access_vector(run_init_t) kernel_compute_selinux_create_context(run_init_t) kernel_compute_selinux_relabel_context(run_init_t) kernel_compute_selinux_reachable_user_contexts(run_init_t) tunable_policy(`targeted_policy',`',` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file { getattr read write }; # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; filesystem_get_persistent_filesystem_attributes(run_init_t) devices_ignore_list_device_nodes(run_init_t) terminal_ignore_list_pseudoterminals(run_init_t) authlogin_check_password_transition(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t) corecommands_execute_general_programs(run_init_t) corecommands_execute_shell(run_init_t) domain_use_widely_inheritable_file_descriptors(run_init_t) files_read_general_system_config(run_init_t) files_ignore_search_all_directories(run_init_t) init_script_transition(run_init_t) # for utmp init_script_modify_runtime_data(run_init_t) libraries_use_dynamic_loader(run_init_t) libraries_use_shared_libraries(run_init_t) selinux_read_config(run_init_t) selinux_read_default_contexts(run_init_t) miscfiles_read_localization(run_init_t) logging_send_system_log_message(run_init_t) ') dnl end ifdef targeted policy ifdef(`TODO',` tunable_policy(`distro_gentoo', ` # Gentoo integrated run_init+open_init_pty-runscript: domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) domain_make_entrypoint_file(run_init_t,initrc_exec_t) ') ') dnl end TODO ######################################## # # Setfiles local policy # allow setfiles_t self:capability { dac_override dac_read_search fowner }; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; kernel_read_system_state(setfiles_t) kernel_get_selinuxfs_mount_point(setfiles_t) kernel_validate_selinux_context(setfiles_t) kernel_compute_selinux_access_vector(setfiles_t) kernel_compute_selinux_create_context(setfiles_t) kernel_compute_selinux_relabel_context(setfiles_t) kernel_compute_selinux_reachable_user_contexts(setfiles_t) filesystem_get_persistent_filesystem_attributes(setfiles_t) terminal_use_all_private_physical_terminals(setfiles_t) terminal_use_all_private_pseudoterminals(setfiles_t) terminal_use_general_physical_terminal(setfiles_t) init_use_file_descriptors(setfiles_t) init_script_use_file_descriptors(setfiles_t) init_script_use_pseudoterminal(setfiles_t) domain_use_widely_inheritable_file_descriptors(setfiles_t) libraries_use_dynamic_loader(setfiles_t) libraries_use_shared_libraries(setfiles_t) files_read_runtime_system_config(setfiles_t) files_read_general_system_config(setfiles_t) logging_send_system_log_message(setfiles_t) miscfiles_read_localization(setfiles_t) userdomain_use_all_users_file_descriptors(setfiles_t) # for config files in a home directory userdomain_read_all_users_data(setfiles_t) # relabeling rules kernel_relabel_unlabeled_object(setfiles_t) devices_manage_all_devices_labels(setfiles_t) files_read_all_directories(setfiles_t) files_relabel_all_files(setfiles_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(setfiles_t) ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; allow setfiles_t unlabeled_t:dir read; allow setfiles_t fs_type:dir r_dir_perms; ') dnl endif TODO