## Core policy for domains. ## ## Contains the concept of a domain. ## ######################################## ## ## Make the specified type usable as a basic domain. ## ## ##

## Make the specified type usable as a basic domain. ##

##

## This is primarily used for kernel threads; ## generally the domain_type() interface is ## more appropriate for userland processes. ##

##
## ## ## Type to be used as a basic domain type. ## ## # interface(`domain_base_type',` gen_require(` attribute domain; ') typeattribute $1 domain; ') ######################################## ## ## Make the specified type usable as a domain. ## ## ## ## Type to be used as a domain type. ## ## # interface(`domain_type',` # start with basic domain domain_base_type($1) ifdef(`distro_redhat',` optional_policy(` unconfined_use_fds($1) ') ') # send init a sigchld and signull optional_policy(` init_sigchld($1) init_signull($1) ') # these seem questionable: optional_policy(` rpm_use_fds($1) rpm_read_pipes($1) ') optional_policy(` selinux_dontaudit_getattr_fs($1) selinux_dontaudit_read_fs($1) ') optional_policy(` seutil_dontaudit_read_config($1) ') ') ######################################## ## ## Make the specified type usable as ## an entry point for the domain. ## ## ## ## Domain to be entered. ## ## ## ## ## Type of program used for entering ## the domain. ## ## # interface(`domain_entry_file',` gen_require(` attribute entry_type; ') allow $1 $2:file entrypoint; allow $1 $2:file { mmap_file_perms ioctl lock }; typeattribute $2 entry_type; corecmd_executable_file($2) ') ######################################## ## ## Make the file descriptors of the specified ## domain for interactive use (widely inheritable) ## ## ## ## Domain allowed access. ## ## # interface(`domain_interactive_fd',` gen_require(` attribute privfd; ') typeattribute $1 privfd; ') ######################################## ## ## Allow the specified domain to perform ## dynamic transitions. ## ## ##

## Allow the specified domain to perform ## dynamic transitions. ##

##

## This violates process tranquility, and it ## is strongly suggested that this not be used. ##

##
## ## ## Domain allowed access. ## ## # interface(`domain_dyntrans_type',` gen_require(` attribute set_curr_context; ') typeattribute $1 set_curr_context; ') ######################################## ## ## Makes caller and execption to the constraint ## preventing changing to the system user ## identity and system role. ## ## ## ## Domain allowed access. ## ## # interface(`domain_system_change_exemption',` gen_require(` attribute can_system_change; ') typeattribute $1 can_system_change; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of user identity. ## ## ## ## The process type to make an exception to the constraint. ## ## # interface(`domain_subj_id_change_exemption',` gen_require(` attribute can_change_process_identity; ') typeattribute $1 can_change_process_identity; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of role. ## ## ## ## The process type to make an exception to the constraint. ## ## # interface(`domain_role_change_exemption',` gen_require(` attribute can_change_process_role; ') typeattribute $1 can_change_process_role; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts. ## ## ## ## The process type to make an exception to the constraint. ## ## ## # interface(`domain_obj_id_change_exemption',` gen_require(` attribute can_change_object_identity; ') typeattribute $1 can_change_object_identity; ') ######################################## ## ## Make the specified domain the target of ## the user domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the target of ## the user domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the user domains from the base module. ## It should not be used other than on ## user domains. ##

##
## ## ## Domain target for user exemption. ## ## # interface(`domain_user_exemption_target',` gen_require(` attribute process_user_target; ') typeattribute $1 process_user_target; ') ######################################## ## ## Make the specified domain the source of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the source of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## cron domains. ##

##
## ## ## Domain target for user exemption. ## ## # interface(`domain_cron_exemption_source',` gen_require(` attribute cron_source_domain; ') typeattribute $1 cron_source_domain; ') ######################################## ## ## Make the specified domain the target of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the target of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## user cron jobs. ##

##
## ## ## Domain target for user exemption. ## ## # interface(`domain_cron_exemption_target',` gen_require(` attribute cron_job_domain; ') typeattribute $1 cron_job_domain; ') ######################################## ## ## Inherit and use file descriptors from ## domains with interactive programs. ## ## ## ## Domain allowed access. ## ## # interface(`domain_use_interactive_fds',` gen_require(` attribute privfd; ') allow $1 privfd:fd use; ') ######################################## ## ## Do not audit attempts to inherit file ## descriptors from domains with interactive ## programs. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_use_interactive_fds',` gen_require(` attribute privfd; ') dontaudit $1 privfd:fd use; ') ######################################## ## ## Send a SIGCHLD signal to domains whose file ## discriptors are widely inheritable. ## ## ## ## Domain allowed access. ## ## # # cjp: this was added because of newrole interface(`domain_sigchld_interactive_fds',` gen_require(` attribute privfd; ') allow $1 privfd:process sigchld; ') ######################################## ## ## Set the nice level of all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_setpriority_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process setsched; ') ######################################## ## ## Send general signals to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_signal_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process signal; ') ######################################## ## ## Send a null signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_signull_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process signull; ') ######################################## ## ## Send a stop signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_sigstop_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process sigstop; ') ######################################## ## ## Send a child terminated signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_sigchld_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process sigchld; ') ######################################## ## ## Send a kill signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_kill_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process sigkill; allow $1 self:capability kill; ') ######################################## ## ## Search the process state directory (/proc/pid) of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_search_all_domains_state',` gen_require(` attribute domain; ') kernel_search_proc($1) allow $1 domain:dir search; ') ######################################## ## ## Do not audit attempts to search the process ## state directory (/proc/pid) of all domains. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_search_all_domains_state',` gen_require(` attribute domain; ') dontaudit $1 domain:dir search_dir_perms; ') ######################################## ## ## Read the process state (/proc/pid) of all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_read_all_domains_state',` gen_require(` attribute domain; ') kernel_search_proc($1) allow $1 domain:dir list_dir_perms; read_files_pattern($1,domain,domain) read_lnk_files_pattern($1,domain,domain) ') ######################################## ## ## Get the attributes of all domains of all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_getattr_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process getattr; ') ######################################## ## ## Get the attributes of all domains of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process getattr; ') ######################################## ## ## Read the process state (/proc/pid) of all confined domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_read_confined_domains_state',` gen_require(` attribute domain, unconfined_domain_type; ') kernel_search_proc($1) allow $1 { domain -unconfined_domain_type }:dir list_dir_perms; read_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type }) read_lnk_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type }) dontaudit $1 unconfined_domain_type:dir search_dir_perms; dontaudit $1 unconfined_domain_type:file { getattr read }; ') ######################################## ## ## Get the attributes of all confined domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_getattr_confined_domains',` gen_require(` attribute domain, unconfined_domain_type; ') allow $1 { domain -unconfined_domain_type }:process getattr; ') ######################################## ## ## Ptrace all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_ptrace_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process ptrace; allow domain $1:process sigchld; ') ######################################## ## ## Do not audit attempts to ptrace all domains. ## ## ##

## Do not audit attempts to ptrace all domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_ptrace_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process ptrace; ') ######################################## ## ## Do not audit attempts to ptrace confined domains. ## ## ##

## Do not audit attempts to ptrace confined domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_ptrace_confined_domains',` gen_require(` attribute domain, unconfined_domain_type; ') dontaudit $1 { domain -unconfined_domain_type }:process ptrace; ') ######################################## ## ## Do not audit attempts to read the process ## state (/proc/pid) of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_read_all_domains_state',` gen_require(` attribute domain; ') dontaudit $1 domain:dir list_dir_perms; dontaudit $1 domain:lnk_file read_file_perms; dontaudit $1 domain:file read_file_perms; # cjp: these should be removed: dontaudit $1 domain:sock_file read_file_perms; dontaudit $1 domain:fifo_file read_file_perms; ') ######################################## ## ## Do not audit attempts to read the process state ## directories of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_list_all_domains_state',` gen_require(` attribute domain; ') dontaudit $1 domain:dir list_dir_perms; ') ######################################## ## ## Get the session ID of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getsession_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process getsession; ') ######################################## ## ## Do not audit attempts to get the ## session ID of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getsession_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process getsession; ') ######################################## ## ## Get the attributes of all domains ## sockets, for all socket types. ## ## ##

## Get the attributes of all domains ## sockets, for all socket types. ##

##

## This is commonly used for domains ## that can use lsof on all domains. ##

##
## ## ## Domain allowed access. ## ## # interface(`domain_getattr_all_sockets',` gen_require(` attribute domain; ') allow $1 domain:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ## ## ##

## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ##

##

## This interface was added for PCMCIA cardmgr ## and is probably excessive. ##

##
## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains TCP sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_tcp_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:tcp_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains UDP sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_udp_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:udp_socket getattr; ') ######################################## ## ## Do not audit attempts to read or write ## all domains UDP sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_rw_all_udp_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:udp_socket { read write }; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains IPSEC key management sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_key_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:key_socket getattr; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains packet sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_packet_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:packet_socket getattr; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains raw sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_raw_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:rawip_socket getattr; ') ######################################## ## ## Do not audit attempts to read or write ## all domains key sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_rw_all_key_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:key_socket { read write }; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_dgram_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:unix_dgram_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_stream_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:unix_stream_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`domain_dontaudit_getattr_all_pipes',` gen_require(` attribute domain; ') dontaudit $1 domain:fifo_file getattr; ') ######################################## ## ## Allow specified type to set context of all ## domains IPSEC associations. ## ## ## ## Type of subject to be allowed this. ## ## # interface(`domain_ipsec_setcontext_all_domains',` gen_require(` attribute domain; ') allow $1 domain:association setcontext; ') ######################################## ## ## Get the attributes of entry point ## files for all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getattr_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:lnk_file read_lnk_file_perms; allow $1 entry_type:file getattr; ') ######################################## ## ## Read the entry point files for all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_read_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:lnk_file read_lnk_file_perms; allow $1 entry_type:file read_file_perms; ') ######################################## ## ## Execute the entry point files for all ## domains in the caller domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_exec_all_entry_files',` gen_require(` attribute entry_type; ') can_exec($1,entry_type) ') ######################################## ## ## dontaudit checking for execute on all entry point files ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_exec_all_entry_files',` gen_require(` attribute entry_type; ') dontaudit $1 entry_type:file exec_file_perms; ') ######################################## ## ## Create, read, write, and delete all ## entrypoint files. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`domain_manage_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:file manage_file_perms; ') ######################################## ## ## Relabel to and from all entry point ## file types. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`domain_relabel_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:file relabel_file_perms; ') ######################################## ## ## Mmap all entry point files as executable. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`domain_mmap_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:file mmap_file_perms; ') ######################################## ## ## Execute an entry_type in the specified domain. ## ## ## ## Domain allowed access. ## ## # # cjp: added for userhelper interface(`domain_entry_file_spec_domtrans',` gen_require(` attribute entry_type; ') domain_transition_pattern($1,entry_type,$2) ') ######################################## ## ## Ability to mmap a low area of the address space, ## as configured by /proc/sys/kernel/mmap_min_addr. ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## ## ## ## Domain allowed to mmap low memory. ## ## # interface(`domain_mmap_low',` gen_require(` attribute mmap_low_domain_type; ') allow $1 self:memprotect mmap_zero; typeattribute $1 mmap_low_domain_type; ') ######################################## ## ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) ## ## ## ## Domain allowed access. ## ## # interface(`domain_all_recvfrom_all_domains',` gen_require(` attribute domain; ') # IPSEC-based labeled networking allow $1 domain:association recvfrom; # Netlabel (CIPSO)-based labeled networking # currently only supports MLS portion of label corenet_all_recvfrom_netlabel($1) ') ######################################## ## ## Unconfined access to domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_unconfined',` gen_require(` attribute set_curr_context; attribute can_change_object_identity; attribute unconfined_domain_type; attribute process_uncond_exempt; ') typeattribute $1 unconfined_domain_type; # pass constraints typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ')