policy_module(kernel,1.2.0) ######################################## # # Declarations # # assertion related attributes attribute can_load_kernmodule; attribute can_receive_kernel_messages; neverallow ~can_load_kernmodule self:capability sys_module; # domains with unconfined access to kernel resources attribute kern_unconfined; # regular entries in proc attribute proc_type; # sysctls attribute sysctl_type; role system_r; role sysadm_r; role staff_r; role user_r; ifdef(`enable_mls',` role secadm_r; ') # # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. # type kernel_t, can_load_kernmodule; domain_base_type(kernel_t) mls_rangetrans_source(kernel_t) role system_r types kernel_t; sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255) # # DebugFS # type debugfs_t; fs_type(debugfs_t) allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) # # Procfs types # type proc_t, proc_type; files_mountpoint(proc_t) fs_type(proc_t) genfscon proc / gen_context(system_u:object_r:proc_t,s0) genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) # kernel message interface type proc_kmsg_t, proc_type; genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255) neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; # /proc kcore: inaccessible type proc_kcore_t, proc_type; neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr; genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) # # Sysctl types # # /proc/sys directory, base directory of sysctls type sysctl_t, sysctl_type; files_mountpoint(sysctl_t) sid sysctl gen_context(system_u:object_r:sysctl_t,s0) genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) # /proc/irq directory and files type sysctl_irq_t, sysctl_type; genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) # /proc/net/rpc directory and files type sysctl_rpc_t, sysctl_type; genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) # /proc/sys/fs directory and files type sysctl_fs_t, sysctl_type; files_mountpoint(sysctl_fs_t) genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) # /proc/sys/kernel directory and files type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) # /proc/sys/kernel/modprobe file type sysctl_modprobe_t, sysctl_type; genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0) # /proc/sys/kernel/hotplug file type sysctl_hotplug_t, sysctl_type; genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0) # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) # /proc/sys/net/unix directory and files type sysctl_net_unix_t, sysctl_type; genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) # /proc/sys/vm directory and files type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) # # unlabeled_t is the type of unlabeled objects. # Objects that have no known labeling information or that # have labels that are no longer valid are treated as having this type. # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid init gen_context(system_u:object_r:unlabeled_t,s0) sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0) sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) ######################################## # # kernel local policy # # Use capabilities. need to investigate which capabilities are actually used allow kernel_t self:capability *; # Other possible mount points for the root fs are in files allow kernel_t unlabeled_t:dir mounton; # old general_domain_access() allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; allow kernel_t self:sem create_sem_perms; allow kernel_t self:msg { send receive }; allow kernel_t self:msgq create_msgq_perms; allow kernel_t self:unix_dgram_socket create_socket_perms; allow kernel_t self:unix_stream_socket create_stream_socket_perms; allow kernel_t self:unix_dgram_socket sendto; allow kernel_t self:unix_stream_socket connectto; allow kernel_t self:fifo_file rw_file_perms; allow kernel_t self:sock_file r_file_perms; allow kernel_t self:fd use; # old general_proc_read_access(): allow kernel_t proc_t:dir r_dir_perms; allow kernel_t proc_t:{ lnk_file file } r_file_perms; allow kernel_t proc_net_t:dir r_dir_perms; allow kernel_t proc_net_t:file r_file_perms; allow kernel_t proc_mdstat_t:file r_file_perms; allow kernel_t proc_kcore_t:file getattr; allow kernel_t proc_kmsg_t:file getattr; allow kernel_t sysctl_t:dir r_dir_perms; allow kernel_t sysctl_kernel_t:dir r_dir_perms; allow kernel_t sysctl_kernel_t:file r_file_perms; # cjp: this seems questionable allow kernel_t unlabeled_t:fifo_file rw_file_perms; corenet_non_ipsec_sendrecv(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) corenet_raw_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_if(kernel_t) # Kernel-generated traffic e.g., TCP resets: corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_raw_send_multicast_node(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) selinux_load_policy(kernel_t) term_use_console(kernel_t) corecmd_exec_shell(kernel_t) corecmd_list_sbin(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. corecmd_exec_bin(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t) files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) ifdef(`targeted_policy',` unconfined_domain_template(kernel_t) ') tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) files_read_default_symlinks(kernel_t) files_read_default_sockets(kernel_t) files_read_default_pipes(kernel_t) ') optional_policy(`nis',` nis_use_ypbind(kernel_t) ') optional_policy(`rpc',` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; allow kernel_t self:udp_socket { connect }; allow kernel_t self:tcp_socket connected_socket_perms; allow kernel_t self:udp_socket connected_socket_perms; # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. corenet_udp_sendrecv_all_if(kernel_t) corenet_udp_sendrecv_all_nodes(kernel_t) corenet_tcp_bind_all_nodes(kernel_t) corenet_udp_bind_all_nodes(kernel_t) corenet_tcp_sendrecv_all_ports(kernel_t) corenet_udp_sendrecv_all_ports(kernel_t) auth_dontaudit_getattr_shadow(kernel_t) sysnet_read_config(kernel_t) rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t) #rpc_udp_sendto_sockets(kernel_t) rpc_udp_sendto_nfs(kernel_t) tunable_policy(`nfs_export_all_ro',` fs_list_noxattr_fs(kernel_t) fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) auth_read_all_dirs_except_shadow(kernel_t) auth_read_all_files_except_shadow(kernel_t) auth_read_all_symlinks_except_shadow(kernel_t) ') tunable_policy(`nfs_export_all_rw',` fs_list_noxattr_fs(kernel_t) fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) auth_manage_all_files_except_shadow(kernel_t) ') ') ######################################## # # Unlabeled process local policy # ifdef(`targeted_policy',` allow unlabeled_t self:filesystem associate; ')