## <summary> ## Policy for kernel security interface, in particular, selinuxfs. ## </summary> ## <required val="true"> ## Contains the policy for the kernel SELinux security interface. ## </required> ######################################## ## <summary> ## Gets the caller the mountpoint of the selinuxfs filesystem. ## </summary> ## <param name="domain"> ## The process type requesting the selinuxfs mountpoint. ## </param> # interface(`selinux_get_fs_mount',` # read /proc/filesystems to see if selinuxfs is supported # then read /proc/self/mount to see where selinuxfs is mounted kernel_read_system_state($1) ') ######################################## ## <summary> ## Do not audit attempts to get the ## attributes of the selinuxfs directory. ## </summary> ## <param name="domain"> ## Domain to not audit. ## </param> # interface(`selinux_dontaudit_getattr_dir',` gen_require(` type security_t; ') dontaudit $1 security_t:dir getattr; ') ######################################## ## <summary> ## Search selinuxfs. ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`selinux_search_fs',` gen_require(` type security_t; ') allow $1 security_t:dir search; ') ######################################## ## <summary> ## Do not audit attempts to search selinuxfs. ## </summary> ## <param name="domain"> ## Domain to not audit. ## </param> # interface(`selinux_dontaudit_search_fs',` gen_require(` type security_t; ') dontaudit $1 security_t:dir search; ') ######################################## ## <summary> ## Do not audit attempts to read ## generic selinuxfs entries ## </summary> ## <param name="domain"> ## Domain to not audit. ## </param> # interface(`selinux_dontaudit_read_fs',` gen_require(` type security_t; ') dontaudit $1 security_t:dir search; dontaudit $1 security_t:file { getattr read }; ') ######################################## ## <summary> ## Allows the caller to get the mode of policy enforcement ## (enforcing or permissive mode). ## </summary> ## <param name="domain"> ## The process type to allow to get the enforcing mode. ## </param> # interface(`selinux_get_enforce_mode',` gen_require(` type security_t; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read }; ') ######################################## ## <summary> ## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). ## </summary> ## <desc> ## <p> ## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). ## </p> ## <p> ## Since this is a security event, this action is ## always audited. ## </p> ## </desc> ## <param name="domain"> ## The process type to allow to set the enforcement mode. ## </param> # interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; bool secure_mode_policyload; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; typeattribute $1 can_setenforce; if(!secure_mode_policyload) { allow $1 security_t:security setenforce; auditallow $1 security_t:security setenforce; } ') ######################################## ## <summary> ## Allow caller to load the policy into the kernel. ## </summary> ## <param name="domain"> ## The process type that will load the policy. ## </param> # interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; bool secure_mode_policyload; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; typeattribute $1 can_load_policy; if(!secure_mode_policyload) { allow $1 security_t:security load_policy; auditallow $1 security_t:security load_policy; } ') ######################################## ## <summary> ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. ## </summary> ## <desc> ## <p> ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. ## </p> ## <p> ## Since this is a security event, this action is ## always audited. ## </p> ## </desc> ## <param name="domain"> ## The process type allowed to set the Boolean. ## </param> # interface(`selinux_set_boolean',` gen_require(` type security_t; bool secure_mode_policyload; ') allow $1 security_t:dir search; allow $1 security_t:dir { getattr search read }; allow $1 security_t:file { getattr read write }; if(!secure_mode_policyload) { allow $1 security_t:security setbool; auditallow $1 security_t:security setbool; } ') ######################################## ## <summary> ## Allow caller to set SELinux access vector cache parameters. ## </summary> ## <desc> ## <p> ## Allow caller to set SELinux access vector cache parameters. ## The allows the domain to set performance related parameters ## of the AVC, such as cache threshold. ## </p> ## <p> ## Since this is a security event, this action is ## always audited. ## </p> ## </desc> ## <param name="domain"> ## The process type to allow to set security parameters. ## </param> # interface(`selinux_set_parameters',` gen_require(` type security_t; attribute can_setsecparam; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security setsecparam; auditallow $1 security_t:security setsecparam; typeattribute $1 can_setsecparam; ') ######################################## ## <summary> ## Allows caller to validate security contexts. ## </summary> ## <param name="domain"> ## The process type permitted to validate contexts. ## </param> # interface(`selinux_validate_context',` gen_require(` type security_t; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security check_context; ') ######################################## ## <summary> ## Allows caller to compute an access vector. ## </summary> ## <param name="domain"> ## The process type allowed to compute an access vector. ## </param> # interface(`selinux_compute_access_vector',` gen_require(` type security_t; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_av; ') ######################################## ## <summary> ## Calculate the default type for object creation. ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`selinux_compute_create_context',` gen_require(` type security_t; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_create; ') ######################################## ## <summary> ## Allows caller to compute polyinstatntiated ## directory members. ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`selinux_compute_member',` gen_require(` type security_t; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_member; ') ######################################## ## <summary> ## Calculate the context for relabeling objects. ## </summary> ## <desc> ## <p> ## Calculate the context for relabeling objects. ## This is determined by using the type_change ## rules in the policy, and is generally used ## for determining the context for relabeling ## a terminal when a user logs in. ## </p> ## </desc> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`selinux_compute_relabel_context',` gen_require(` type security_t; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_relabel; ') ######################################## ## <summary> ## Allows caller to compute possible contexts for a user. ## </summary> ## <param name="domain"> ## The process type allowed to compute user contexts. ## </param> # interface(`selinux_compute_user_contexts',` gen_require(` type security_t; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_user; ') ######################################## ## <summary> ## Unconfined access to the SELinux kernel security server. ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`selinux_unconfined',` gen_require(` attribute can_load_policy, can_setenforce, can_setsecparam; bool secure_mode_policyload; type security_t; ') # use SELinuxfs allow $1 security_t:dir { getattr search read }; allow $1 security_t:file { getattr read write }; typeattribute $1 can_load_policy, can_setenforce, can_setsecparam; if(!secure_mode_policyload) { # Access the security API. allow $1 security_t:security *; auditallow $1 security_t:security { load_policy setenforce setbool }; } ')