## Core policy for domains. ## ## Contains the concept of a domain. ## ######################################## ## ## Make the specified type usable as a basic domain. ## ## ##

## Make the specified type usable as a basic domain. ##

##

## This is primarily used for kernel threads; ## generally the domain_type() interface is ## more appropriate for userland processes. ##

##
## ## Type to be used as a basic domain type. ## # interface(`domain_base_type',` gen_require(` attribute domain; class dir r_dir_perms; class lnk_file r_file_perms; class file rw_file_perms; class process { fork sigchld }; ') # mark as a domain typeattribute $1 domain; # allow the domain to read its /proc/pid entries allow $1 self:dir r_dir_perms; allow $1 self:lnk_file r_file_perms; allow $1 self:file rw_file_perms; # allow $1 to create child processes in this domain allow $1 self:process { fork sigchld }; ifdef(`targeted_policy',` tunable_policy(`allow_execmem',` allow $1 self:process execmem; ') # FIXME: # hack until role dominance is fixed in # the module compiler role secadm_r types $1; role sysadm_r types $1; role user_r types $1; role staff_r types $1; ') ') ######################################## ## ## Make the specified type usable as a domain. ## ## ## Type to be used as a domain type. ## # interface(`domain_type',` # start with basic domain domain_base_type($1) # Use trusted objects in /dev dev_rw_null_dev($1) dev_rw_zero_dev($1) term_use_controlling_term($1) # read the root directory files_list_root($1) # send init a sigchld and signull init_sigchld($1) init_signull($1) ifdef(`targeted_policy',` unconfined_use_fd($1) unconfined_sigchld($1) ') tunable_policy(`allow_ptrace',` userdom_sigchld_sysadm($1) ') # allow any domain to connect to the LDAP server optional_policy(`ldap',` ldap_use($1) ') # these 3 seem highly questionable: optional_policy(`rpm',` rpm_use_fd($1) rpm_read_pipe($1) ') optional_policy(`selinux',` selinux_dontaudit_read_fs($1) ') optional_policy(`selinuxutil',` seutil_dontaudit_read_config($1) ') ') ######################################## ## ## Make the specified type usable as ## an entry point for the domain. ## ## ## Domain to be entered. ## ## ## Type of program used for entering ## the domain. ## # interface(`domain_entry_file',` gen_require(` attribute entry_type; class file entrypoint; ') files_type($2) allow $1 $2:file entrypoint; allow $1 $2:file rx_file_perms; typeattribute $2 entry_type; ') ######################################## # # domain_wide_inherit_fd(domain) # interface(`domain_wide_inherit_fd',` gen_require(` attribute privfd; ') typeattribute $1 privfd; ') ######################################## # # domain_dyntrans_type(domain) # interface(`domain_dyntrans_type',` gen_require(` attribute set_curr_context; ') typeattribute $1 set_curr_context; ') ######################################## ## ## Makes caller and execption to the constraint ## preventing changing to the system user ## identity and system role. ## ## ## Domain allowed access. ## # interface(`domain_system_change_exempt',` gen_require(` attribute can_system_change; ') typeattribute $1 can_system_change; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of user identity. ## ## ## The process type to make an exception to the constraint. ## # interface(`domain_subj_id_change_exempt',` gen_require(` attribute can_change_process_identity; ') typeattribute $1 can_change_process_identity; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of role. ## ## ## The process type to make an exception to the constraint. ## # interface(`domain_role_change_exempt',` gen_require(` attribute can_change_process_role; ') typeattribute $1 can_change_process_role; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts. ## ## ## The process type to make an exception to the constraint. ## # interface(`domain_obj_id_change_exempt',` gen_require(` attribute can_change_object_identity; ') typeattribute $1 can_change_object_identity; ') ######################################## ## ## Make the specified domain the target of ## the user domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the target of ## the user domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the user domains from the base module. ## It should not be used other than on ## user domains. ##

##
## ## Domain target for user exemption. ## # interface(`domain_user_exemption_target',` gen_require(` attribute process_user_target; ') typeattribute $1 process_user_target; ') ######################################## ## ## Make the specified domain the source of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the source of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## cron domains. ##

##
## ## Domain target for user exemption. ## # interface(`domain_cron_exemption_source',` gen_require(` attribute cron_source_domain; ') typeattribute $1 cron_source_domain; ') ######################################## ## ## Make the specified domain the target of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the target of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## user cron jobs. ##

##
## ## Domain target for user exemption. ## # interface(`domain_cron_exemption_target',` gen_require(` attribute cron_job_domain; ') typeattribute $1 cron_job_domain; ') ######################################## # # domain_use_wide_inherit_fd(domain) # interface(`domain_use_wide_inherit_fd',` gen_require(` attribute privfd; class fd use; ') allow $1 privfd:fd use; ') ######################################## # # domain_dontaudit_use_wide_inherit_fd(domain) # interface(`domain_dontaudit_use_wide_inherit_fd',` gen_require(` attribute privfd; class fd use; ') dontaudit $1 privfd:fd use; ') ######################################## ## ## Send a SIGCHLD signal to domains whose file ## discriptors are widely inheritable. ## ## ## Domain allowed access. ## # # cjp: this was added because of newrole interface(`domain_sigchld_wide_inherit_fd',` gen_require(` attribute privfd; ') allow $1 privfd:process sigchld; ') ######################################## # # domain_setpriority_all_domains(domain) # interface(`domain_setpriority_all_domains',` gen_require(` attribute domain; class process setsched; ') allow $1 domain:process setsched; ') ######################################## ## ## Send general signals to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_signal_all_domains',` gen_require(` attribute domain; class process signal; ') allow $1 domain:process signal; ') ######################################## ## ## Send a null signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_signull_all_domains',` gen_require(` attribute domain; class process signull; ') allow $1 domain:process signull; ') ######################################## ## ## Send a stop signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_sigstop_all_domains',` gen_require(` attribute domain; class process sigstop; ') allow $1 domain:process sigstop; ') ######################################## ## ## Send a child terminated signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_sigchld_all_domains',` gen_require(` attribute domain; class process sigchld; ') allow $1 domain:process sigchld; ') ######################################## ## ## Send a kill signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_kill_all_domains',` gen_require(` attribute domain; class process sigkill; class capability kill; ') allow $1 domain:process sigkill; allow $1 self:capability kill; ') ######################################## ## ## Search the process state directory (/proc/pid) of all domains. ## ## ## Domain allowed access. ## # interface(`domain_search_all_domains_state',` gen_require(` attribute domain; class dir search; ') kernel_search_proc($1) allow $1 domain:dir search; ') ######################################## ## ## Read the process state (/proc/pid) of all domains. ## ## ## Domain allowed access. ## # interface(`domain_read_all_domains_state',` gen_require(` attribute domain; class dir r_dir_perms; class lnk_file r_file_perms; class file r_file_perms; ') kernel_search_proc($1) allow $1 domain:dir r_dir_perms; allow $1 domain:lnk_file r_file_perms; allow $1 domain:file r_file_perms; ') ######################################## ## ## Get the attributes of all domains of all domains. ## ## ## Domain allowed access. ## # interface(`domain_getattr_all_domains',` gen_require(` attribute domain; class process getattr; ') allow $1 domain:process getattr; ') ######################################## ## ## Read the process state (/proc/pid) of all confined domains. ## ## ## Domain allowed access. ## # interface(`domain_read_confined_domains_state',` gen_require(` attribute domain, unconfined_domain; ') kernel_search_proc($1) allow $1 { domain -unconfined_domain }:dir r_dir_perms; allow $1 { domain -unconfined_domain }:lnk_file r_file_perms; allow $1 { domain -unconfined_domain }:file r_file_perms; dontaudit $1 unconfined_domain:dir search; dontaudit $1 unconfined_domain:file { getattr read }; ') ######################################## ## ## Get the attributes of all confined domains. ## ## ## Domain allowed access. ## # interface(`domain_getattr_confined_domains',` gen_require(` attribute domain, unconfined_domain; class process getattr; ') allow $1 { domain -unconfined_domain }:process getattr; ') ######################################## ## ## Ptrace all domains. ## ## ## Domain allowed access. ## # interface(`domain_ptrace_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process ptrace; ') ######################################## ## ## Do not audit attempts to ptrace all domains. ## ## ##

## Do not audit attempts to ptrace all domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## ## Domain allowed access. ## # interface(`domain_dontaudit_ptrace_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process ptrace; ') ######################################## ## ## Do not audit attempts to ptrace confined domains. ## ## ##

## Do not audit attempts to ptrace confined domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## ## Domain allowed access. ## # interface(`domain_dontaudit_ptrace_confined_domains',` gen_require(` attribute domain, unconfined_domain; class process ptrace; ') dontaudit $1 { domain -unconfined_domain }:process ptrace; ') ######################################## ## ## Do not audit attempts to read the process ## state (/proc/pid) of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_read_all_domains_state',` gen_require(` attribute domain; class dir r_dir_perms; class lnk_file r_file_perms; class file r_file_perms; ') dontaudit $1 domain:dir r_dir_perms; dontaudit $1 domain:lnk_file r_file_perms; dontaudit $1 domain:file r_file_perms; dontaudit $1 domain:process getattr; ') ######################################## ## ## Do not audit attempts to read the process state ## directories of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_list_all_domains_proc',` gen_require(` attribute domain; class dir r_dir_perms; ') dontaudit $1 domain:dir r_dir_perms; ') ######################################## ## ## Get the session ID of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_getsession_all_domains',` gen_require(` attribute domain; class process getsession; ') allow $1 domain:process getsession; ') ######################################## ## ## Do not audit attempts to get the ## session ID of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getsession_all_domains',` gen_require(` attribute domain; class process getsession; ') dontaudit $1 domain:process getsession; ') ######################################## ## ## Get the attributes of all domains ## sockets, for all socket types. ## ## ##

## Get the attributes of all domains ## sockets, for all socket types. ##

##

## This is commonly used for domains ## that can use lsof on all domains. ##

##
## ## Domain allowed access. ## # interface(`domain_getattr_all_sockets',` gen_require(` gen_require_set(getattr,socket_class_set) ') allow $1 domain:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ## ## ##

## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ##

##

## This interface was added for PCMCIA cardmgr ## and is probably excessive. ##

##
## ## Domain to not audit. ## # interface(`domain_dontaudit_getattr_all_sockets',` gen_require(` gen_require_set(getattr,socket_class_set) ') dontaudit $1 domain:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains TCP sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_tcp_sockets',` gen_require(` attribute domain; class tcp_socket getattr; ') dontaudit $1 domain:tcp_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains UDP sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_udp_sockets',` gen_require(` attribute domain; class udp_socket getattr; ') dontaudit $1 domain:udp_socket getattr; ') ######################################## ## ## Do not audit attempts to read or write ## all domains UDP sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_rw_all_udp_sockets',` gen_require(` attribute domain; class udp_socket { read write }; ') dontaudit $1 domain:udp_socket { read write }; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains IPSEC key management sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_key_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:key_socket getattr; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains packet sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_packet_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:packet_socket getattr; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains raw sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_raw_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:rawip_socket getattr; ') ######################################## ## ## Do not audit attempts to read or write ## all domains key sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_rw_all_key_sockets',` gen_require(` attribute domain; class key_socket { read write }; ') dontaudit $1 domain:key_socket { read write }; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_dgram_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:unix_dgram_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_stream_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:unix_stream_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_pipes',` gen_require(` attribute domain; class fifo_file getattr; ') dontaudit $1 domain:fifo_file getattr; ') ######################################## ## ## Get the attributes of entry point ## files for all domains. ## ## ## Domain allowed access. ## # interface(`domain_getattr_all_entry_files',` gen_require(` attribute entry_type; class file getattr; class lnk_file r_file_perms; ') allow $1 entry_type:lnk_file getattr; allow $1 entry_type:file r_file_perms; ') ######################################## # # domain_read_all_entry_files(domain) # interface(`domain_read_all_entry_files',` gen_require(` attribute entry_type; class file r_file_perms; class lnk_file r_file_perms; ') allow $1 entry_type:lnk_file r_file_perms; allow $1 entry_type:file r_file_perms; ') ######################################## # # domain_exec_all_entry_files(domain) # interface(`domain_exec_all_entry_files',` gen_require(` attribute entry_type; ') can_exec($1,entry_type) ') ######################################## ## ## Unconfined access to domains. ## ## ## The type of the process performing this action. ## # interface(`domain_unconfined',` gen_require(` attribute domain, set_curr_context; attribute can_change_process_identity; attribute can_change_process_role; attribute can_change_object_identity; attribute unconfined_domain; ') typeattribute $1 unconfined_domain; # pass all constraints typeattribute $1 can_change_process_identity; typeattribute $1 can_change_process_role; typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; # Use/sendto/connectto sockets created by any domain. allow $1 domain:{ socket_class_set socket key_socket } *; # Use descriptors and pipes created by any domain. allow $1 domain:fd use; allow $1 domain:fifo_file rw_file_perms; # Act upon any other process. allow $1 domain:process ~{ transition dyntransition execmem }; # Create/access any System V IPC objects. allow $1 domain:{ sem msgq shm } *; allow $1 domain:msg { send receive }; # For /proc/pid allow $1 domain:dir r_dir_perms; allow $1 domain:file r_file_perms; allow $1 domain:lnk_file r_file_perms; ') # # These next macros are not templates, but actually are # support macros. Due to the domain_ prefix, they # are placed in this module, to try to prevent confusion. # They are called templates since regular m4 defines # wont work here. # ######################################## # # domain_trans(source_domain,entrypoint_file,target_domain) # template(`domain_trans',` allow $1 $2:file { getattr read execute }; allow $1 $3:process transition; dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ') ######################################## # # domain_auto_trans(source_domain,entrypoint_file,target_domain) # template(`domain_auto_trans',` domain_trans($1,$2,$3) type_transition $1 $2:process $3; ')