# # Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # ################################# # # Rules for the kernel_t domain. # # # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. # type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ; role system_r types kernel_t; general_domain_access(kernel_t) general_proc_read_access(kernel_t) base_file_read_access(kernel_t) uses_shlib(kernel_t) can_exec(kernel_t, shell_exec_t) # Use capabilities. allow kernel_t self:capability *; r_dir_file(kernel_t, sysfs_t) allow kernel_t { usbfs_t usbdevfs_t }:dir search; # Run init in the init_t domain. domain_auto_trans(kernel_t, init_exec_t, init_t) ifdef(`mls_policy', ` # run init with maximum MLS range range_transition kernel_t init_exec_t s0 - s15:c0.c255; ') # Share state with the init process. allow kernel_t init_t:process share; # Mount and unmount file systems. allow kernel_t fs_type:filesystem mount_fs_perms; # Send signal to any process. allow kernel_t domain:process signal; allow kernel_t domain:dir search; # Access the console. allow kernel_t device_t:dir search; allow kernel_t console_device_t:chr_file rw_file_perms; # Access the initrd filesystem. allow kernel_t file_t:chr_file rw_file_perms; can_exec(kernel_t, file_t) ifdef(`chroot.te', ` can_exec(kernel_t, chroot_exec_t) ') allow kernel_t self:capability sys_chroot; allow kernel_t { unlabeled_t root_t file_t }:dir mounton; allow kernel_t unlabeled_t:fifo_file rw_file_perms; allow kernel_t file_t:dir rw_dir_perms; allow kernel_t file_t:blk_file create_file_perms; allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms }; # Lookup the policy. allow kernel_t policy_config_t:dir r_dir_perms; # Load the policy configuration. can_loadpol(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. can_exec(kernel_t, bin_t) ifdef(`targeted_policy', ` unconfined_domain(kernel_t) ')