policy_module(domain,1.1.2) ######################################## # # Declarations # # Mark process types as domains attribute domain; # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; # Domains that are unconfined attribute unconfined_domain_type; # Domains that can set their current context # (perform dynamic transitions) attribute set_curr_context; # enabling setcurrent breaks process tranquility. If you do not # know what this means or do not understand the implications of a # dynamic transition, you should not be using it!!! neverallow { domain -set_curr_context } self:process setcurrent; # entrypoint executables attribute entry_type; # widely-inheritable file descriptors attribute privfd; # # constraint related attributes # # [1] types that can change SELinux identity on transition attribute can_change_process_identity; # [2] types that can change SELinux role on transition attribute can_change_process_role; # [3] types that can change the SELinux identity on a filesystem # object or a socket object on a create or relabel attribute can_change_object_identity; # [3] types that can change to system_u:system_r attribute can_system_change; # [4] types that have attribute 1 can change the SELinux # identity only if the target domain has this attribute. # Types that have attribute 2 can change the SELinux role # only if the target domain has this attribute. attribute process_user_target; # For cron jobs # [5] types used for cron daemons attribute cron_source_domain; # [6] types used for cron jobs attribute cron_job_domain; # [7] types that are unconditionally exempt from # SELinux identity and role change constraints attribute process_uncond_exempt; # add userhelperdomain to this one neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; neverallow ~{ domain unlabeled_t } *:process *; ######################################## # # Rules applied to all domains # # read /proc/pid entries allow domain self:dir r_dir_perms; allow domain self:lnk_file r_file_perms; allow domain self:file rw_file_perms; # create child processes in the domain allow domain self:process { fork sigchld }; # Use trusted objects in /dev dev_rw_null(domain) dev_rw_zero(domain) term_use_controlling_term(domain) # list the root directory files_list_root(domain) ifdef(`targeted_policy',` # RBAC is disabled in the targeted policy, # as only one role is used, system_r. role system_r types domain; # FIXME: # workaround until role dominance is fixed in # the module compiler role secadm_r types domain; role sysadm_r types domain; role user_r types domain; role staff_r types domain; ') tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs # are compiled with ProPolice/SSP # stack smashing protection. dev_read_urand(domain) ') ######################################## # # Unconfined access to this module # # unconfined access also allows constraints, but this # is handled in the interface as typeattribute cannot # be used on an attribute. # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; # Use descriptors and pipes created by any domain. allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir r_dir_perms; allow unconfined_domain_type domain:file r_file_perms; allow unconfined_domain_type domain:lnk_file r_file_perms;