policy_module(selinuxutil,1.1.3) gen_require(` bool secure_mode; ') ######################################## # # Declarations # attribute can_write_binary_policy; attribute can_relabelto_binary_policy; # # selinux_config_t is the type applied to # /etc/selinux/config # # cjp: this is out of order due to rules # in the domain_type interface # (fix dup decl) type selinux_config_t; files_type(selinux_config_t) type checkpolicy_t, can_write_binary_policy; domain_type(checkpolicy_t) role system_r types checkpolicy_t; type checkpolicy_exec_t; domain_entry_file(checkpolicy_t,checkpolicy_exec_t) # # default_context_t is the type applied to # /etc/selinux/*/contexts/* # type default_context_t; files_type(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; files_type(file_context_t) type load_policy_t; domain_type(load_policy_t) role system_r types load_policy_t; type load_policy_exec_t; domain_entry_file(load_policy_t,load_policy_exec_t) type newrole_t; domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) domain_type(newrole_t) domain_wide_inherit_fd(newrole_t) type newrole_exec_t; domain_entry_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # type policy_config_t; files_type(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; # # policy_src_t is the type of the policy source # files. # type policy_src_t; files_type(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; domain_obj_id_change_exemption(restorecon_t) init_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; type run_init_t; type run_init_exec_t; domain_type(run_init_t) domain_entry_file(run_init_t,run_init_exec_t) domain_system_change_exemption(run_init_t) type setfiles_t, can_relabelto_binary_policy; domain_obj_id_change_exemption(setfiles_t) domain_type(setfiles_t) role system_r types setfiles_t; type setfiles_exec_t; domain_entry_file(setfiles_t,setfiles_exec_t) ifdef(`distro_redhat',` init_system_domain(setfiles_t,setfiles_exec_t) ') ######################################## # # Checkpolicy local policy # allow checkpolicy_t self:capability dac_override; # able to create and modify binary policy files allow checkpolicy_t policy_config_t:dir rw_dir_perms; allow checkpolicy_t policy_config_t:file create_file_perms; # allow test policies to be created in src directories allow checkpolicy_t policy_src_t:dir rw_dir_perms; type_transition checkpolicy_t policy_src_t:file policy_config_t; # only allow read of policy source files allow checkpolicy_t policy_src_t:dir r_dir_perms; allow checkpolicy_t policy_src_t:file r_file_perms; allow checkpolicy_t policy_src_t:lnk_file r_file_perms; allow checkpolicy_t selinux_config_t:dir search; fs_getattr_xattr_fs(checkpolicy_t) term_use_console(checkpolicy_t) domain_use_wide_inherit_fd(checkpolicy_t) files_list_usr(checkpolicy_t) # directory search permissions for path to source and binary policy files files_search_etc(checkpolicy_t) init_use_fd(checkpolicy_t) init_use_script_ptys(checkpolicy_t) libs_use_ld_so(checkpolicy_t) libs_use_shared_libs(checkpolicy_t) userdom_use_all_users_fd(checkpolicy_t) ifdef(`targeted_policy',` term_use_generic_ptys(checkpolicy_t) term_use_unallocated_ttys(checkpolicy_t) ') ######################################## # # Load_policy local policy # allow load_policy_t self:capability dac_override; # only allow read of policy config files allow load_policy_t policy_src_t:dir search; allow load_policy_t policy_config_t:dir r_dir_perms; allow load_policy_t policy_config_t:file r_file_perms; allow load_policy_t policy_config_t:lnk_file r_file_perms; allow load_policy_t selinux_config_t:dir r_dir_perms; allow load_policy_t selinux_config_t:file r_file_perms; allow load_policy_t selinux_config_t:lnk_file r_file_perms; fs_getattr_xattr_fs(load_policy_t) selinux_get_fs_mount(load_policy_t) selinux_load_policy(load_policy_t) selinux_set_boolean(load_policy_t) term_use_console(load_policy_t) term_list_ptys(load_policy_t) init_use_script_fd(load_policy_t) init_use_script_ptys(load_policy_t) domain_use_wide_inherit_fd(load_policy_t) # for mcs.conf files_read_etc_files(load_policy_t) files_read_etc_runtime_files(load_policy_t) libs_use_ld_so(load_policy_t) libs_use_shared_libs(load_policy_t) miscfiles_read_localization(load_policy_t) userdom_use_all_users_fd(load_policy_t) ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; optional_policy(`unconfined',` unconfined_dontaudit_read_pipes(load_policy_t) ') ') ifdef(`targeted_policy',` term_use_unallocated_ttys(load_policy_t) term_use_generic_ptys(load_policy_t) ') ######################################## # # Newrole local policy # allow newrole_t self:capability { fowner setuid setgid dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; allow newrole_t self:fifo_file rw_file_perms; allow newrole_t self:sock_file r_file_perms; allow newrole_t self:shm create_shm_perms; allow newrole_t self:sem create_sem_perms; allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms; allow newrole_t { selinux_config_t default_context_t }:file r_file_perms; allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(newrole_t) kernel_read_kernel_sysctls(newrole_t) dev_read_urand(newrole_t) fs_getattr_xattr_fs(newrole_t) fs_search_auto_mountpoints(newrole_t) mls_file_read_up(newrole_t) mls_file_write_down(newrole_t) mls_file_upgrade(newrole_t) mls_file_downgrade(newrole_t) mls_process_set_level(newrole_t) selinux_get_fs_mount(newrole_t) selinux_validate_context(newrole_t) selinux_compute_access_vector(newrole_t) selinux_compute_create_context(newrole_t) selinux_compute_relabel_context(newrole_t) selinux_compute_user_contexts(newrole_t) term_use_all_user_ttys(newrole_t) term_use_all_user_ptys(newrole_t) term_relabel_all_user_ttys(newrole_t) term_relabel_all_user_ptys(newrole_t) auth_domtrans_chk_passwd(newrole_t) corecmd_list_bin(newrole_t) corecmd_read_bin_symlinks(newrole_t) domain_use_wide_inherit_fd(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_wide_inherit_fd(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) userdom_use_unpriv_users_fd(newrole_t) # for some PAM modules and for cwd userdom_dontaudit_search_all_users_home(newrole_t) ifdef(`targeted_policy',` # newrole does not make any sense in # the targeted policy. This is to # make sediff easier. if(!secure_mode) { unconfined_domtrans(newrole_t) } ',` # if secure mode is enabled, then newrole # can only transition to unprivileged users if(secure_mode) { userdom_spec_domtrans_unpriv_users(newrole_t) } else { userdom_spec_domtrans_all_users(newrole_t) } ') optional_policy(`nis',` nis_use_ypbind(newrole_t) ') optional_policy(`nscd',` nscd_socket_use(newrole_t) ') ifdef(`TODO',` ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') ') dnl ifdef TODO ######################################## # # Restorecon local policy # allow restorecon_t self:capability { dac_override dac_read_search fowner }; allow restorecon_t self:fifo_file rw_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_use_fd(restorecon_t) kernel_rw_pipes(restorecon_t) kernel_read_system_state(restorecon_t) kernel_relabelfrom_unlabeled_dirs(restorecon_t) kernel_relabelfrom_unlabeled_files(restorecon_t) kernel_relabelfrom_unlabeled_symlinks(restorecon_t) kernel_relabelfrom_unlabeled_pipes(restorecon_t) kernel_relabelfrom_unlabeled_sockets(restorecon_t) dev_relabel_all_dev_nodes(restorecon_t) # cjp: why is this needed? dev_rw_generic_files(restorecon_t) fs_getattr_xattr_fs(restorecon_t) fs_search_auto_mountpoints(restorecon_t) mls_file_read_up(restorecon_t) mls_file_write_down(restorecon_t) mls_file_upgrade(restorecon_t) mls_file_downgrade(restorecon_t) selinux_get_fs_mount(restorecon_t) selinux_validate_context(restorecon_t) selinux_compute_access_vector(restorecon_t) selinux_compute_create_context(restorecon_t) selinux_compute_relabel_context(restorecon_t) selinux_compute_user_contexts(restorecon_t) term_use_unallocated_ttys(restorecon_t) term_use_all_user_ttys(restorecon_t) term_use_all_user_ptys(restorecon_t) init_use_fd(restorecon_t) init_use_script_ptys(restorecon_t) domain_use_wide_inherit_fd(restorecon_t) files_read_etc_runtime_files(restorecon_t) files_read_etc_files(restorecon_t) libs_use_ld_so(restorecon_t) libs_use_shared_libs(restorecon_t) logging_send_syslog_msg(restorecon_t) userdom_use_all_users_fd(restorecon_t) files_relabel_all_files(restorecon_t) files_list_all(restorecon_t) # this is to satisfy the assertion: auth_relabelto_shadow(restorecon_t) ifdef(`distro_redhat', ` fs_rw_tmpfs_chr_files(restorecon_t) fs_rw_tmpfs_blk_files(restorecon_t) fs_relabel_tmpfs_blk_file(restorecon_t) fs_relabel_tmpfs_chr_file(restorecon_t) ') ifdef(`hide_broken_symptoms',` udev_dontaudit_rw_dgram_sockets(restorecon_t) ') optional_policy(`hotplug',` hotplug_use_fd(restorecon_t) ') ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; ifdef(`dpkg.te', ` domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t) ') ') dnl endif TODO allow restorecon_t kernel_t:unix_dgram_socket { read write }; ################################# # # Run_init local policy # selinux_get_fs_mount(run_init_t) selinux_validate_context(run_init_t) selinux_compute_access_vector(run_init_t) selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; fs_getattr_xattr_fs(run_init_t) dev_dontaudit_list_all_dev_nodes(run_init_t) term_dontaudit_list_ptys(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) domain_use_wide_inherit_fd(run_init_t) files_read_etc_files(run_init_t) files_dontaudit_search_all_dirs(run_init_t) init_domtrans_script(run_init_t) # for utmp init_rw_utmp(run_init_t) libs_use_ld_so(run_init_t) libs_use_shared_libs(run_init_t) seutil_read_config(run_init_t) seutil_read_default_contexts(run_init_t) miscfiles_read_localization(run_init_t) logging_send_syslog_msg(run_init_t) optional_policy(`daemontools',` daemontools_domtrans_start(run_init_t) ') ') dnl end ifdef targeted policy ifdef(`TODO',` ifdef(`distro_gentoo', ` # Gentoo integrated run_init+open_init_pty-runscript: domain_entry_file(run_init_t,initrc_exec_t) domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) ') ') dnl end TODO ######################################## # # Setfiles local policy # allow setfiles_t self:capability { dac_override dac_read_search fowner }; allow setfiles_t self:fifo_file rw_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) kernel_relabelfrom_unlabeled_symlinks(setfiles_t) kernel_relabelfrom_unlabeled_pipes(setfiles_t) kernel_relabelfrom_unlabeled_sockets(setfiles_t) dev_relabel_all_dev_nodes(setfiles_t) fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) mls_file_read_up(setfiles_t) mls_file_write_down(setfiles_t) mls_file_upgrade(setfiles_t) mls_file_downgrade(setfiles_t) selinux_get_fs_mount(setfiles_t) selinux_validate_context(setfiles_t) selinux_compute_access_vector(setfiles_t) selinux_compute_create_context(setfiles_t) selinux_compute_relabel_context(setfiles_t) selinux_compute_user_contexts(setfiles_t) term_use_all_user_ttys(setfiles_t) term_use_all_user_ptys(setfiles_t) term_use_unallocated_ttys(setfiles_t) # this is to satisfy the assertion: auth_relabelto_shadow(setfiles_t) init_use_fd(setfiles_t) init_use_script_fd(setfiles_t) init_use_script_ptys(setfiles_t) domain_use_wide_inherit_fd(setfiles_t) libs_use_ld_so(setfiles_t) libs_use_shared_libs(setfiles_t) files_read_etc_runtime_files(setfiles_t) files_read_etc_files(setfiles_t) files_list_all(setfiles_t) files_relabel_all_files(setfiles_t) logging_send_syslog_msg(setfiles_t) miscfiles_read_localization(setfiles_t) userdom_use_all_users_fd(setfiles_t) # for config files in a home directory userdom_read_all_user_files(setfiles_t) ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; ') dnl endif TODO