policy_module(domain,1.0.1) ######################################## # # Declarations # # Mark process types as domains attribute domain; # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; # Domains that are unconfined attribute unconfined_domain; # Domains that can set their current context # (perform dynamic transitions) attribute set_curr_context; # enabling setcurrent breaks process tranquility. If you do not # know what this means or do not understand the implications of a # dynamic transition, you should not be using it!!! neverallow { domain -set_curr_context } self:process setcurrent; # entrypoint executables attribute entry_type; # widely-inheritable file descriptors attribute privfd; # # constraint related attributes # # [1] types that can change SELinux identity on transition attribute can_change_process_identity; # [2] types that can change SELinux role on transition attribute can_change_process_role; # [3] types that can change the SELinux identity on a filesystem # object or a socket object on a create or relabel attribute can_change_object_identity; # [3] types that can change to system_u:system_r attribute can_system_change; # [4] types that have attribute 1 can change the SELinux # identity only if the target domain has this attribute. # Types that have attribute 2 can change the SELinux role # only if the target domain has this attribute. attribute process_user_target; # For cron jobs # [5] types used for cron daemons attribute cron_source_domain; # [6] types used for cron jobs attribute cron_job_domain; # [7] types that are unconditionally exempt from # SELinux identity and role change constraints attribute process_uncond_exempt; # add userhelperdomain to this one # TODO: # cjp: also need to except correctly for SEFramework neverallow { domain unlabeled_t } file_type:process *; neverallow ~{ domain unlabeled_t } *:process *;