############################## # # core macros for the type enforcement (TE) configuration. # # # Authors: Stephen Smalley , Timothy Fraser # Howard Holm (NSA) # Russell Coker # ################################# # # Macros for groups of classes and # groups of permissions. # # # All directory and file classes # define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }') # # All non-directory file classes. # define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }') # # Non-device file classes. # define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') # # Device file classes. # define(`devfile_class_set', `{ chr_file blk_file }') # # All socket classes. # define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') # # Datagram socket classes. # define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') # # Stream socket classes. # define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') # # Unprivileged socket classes (exclude rawip, netlink, packet). # define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') # # Permissions for getting file attributes. # define(`stat_file_perms', `{ getattr }') # # Permissions for executing files. # define(`x_file_perms', `{ getattr execute }') # # Permissions for reading files and their attributes. # define(`r_file_perms', `{ read getattr lock ioctl }') # # Permissions for reading and executing files. # define(`rx_file_perms', `{ read getattr lock execute ioctl }') # # Permissions for reading and writing files and their attributes. # define(`rw_file_perms', `{ ioctl read getattr lock write append }') # # Permissions for reading and appending to files. # define(`ra_file_perms', `{ ioctl read getattr lock append }') # # Permissions for linking, unlinking and renaming files. # define(`link_file_perms', `{ getattr link unlink rename }') # # Permissions for creating lnk_files. # define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }') # # Permissions for creating and using files. # define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }') # # Permissions for reading directories and their attributes. # define(`r_dir_perms', `{ read getattr lock search ioctl }') # # Permissions for reading and writing directories and their attributes. # define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }') # # Permissions for reading and adding names to directories. # define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }') # # Permissions for creating and using directories. # define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }') # # Permissions to mount and unmount file systems. # define(`mount_fs_perms', `{ mount remount unmount getattr }') # # Permissions for using sockets. # define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') # # Permissions for creating and using sockets. # define(`create_socket_perms', `{ create rw_socket_perms }') # # Permissions for using stream sockets. # define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') # # Permissions for creating and using stream sockets. # define(`create_stream_socket_perms', `{ create_socket_perms listen accept }') # # Permissions for creating and using sockets. # define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') # # Permissions for creating and using sockets. # define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }') # # Permissions for creating and using netlink sockets. # define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') # # Permissions for using netlink sockets for operations that modify state. # define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') # # Permissions for using netlink sockets for operations that observe state. # define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }') # # Permissions for sending all signals. # define(`signal_perms', `{ sigchld sigkill sigstop signull signal }') # # Permissions for sending and receiving network packets. # define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }') # # Permissions for using System V IPC # define(`r_sem_perms', `{ associate getattr read unix_read }') define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }') define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }') define(`r_msgq_perms', `{ associate getattr read unix_read }') define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }') define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }') define(`r_shm_perms', `{ associate getattr read unix_read }') define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }') define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }') ################################# # # Macros for type transition rules and # access vector rules. # # # Simple combinations for reading and writing both # directories and files. # define(`r_dir_file', ` allow $1 $2:dir r_dir_perms; allow $1 $2:file r_file_perms; allow $1 $2:lnk_file { getattr read }; ') define(`rw_dir_file', ` allow $1 $2:dir rw_dir_perms; allow $1 $2:file rw_file_perms; allow $1 $2:lnk_file { getattr read }; ') define(`ra_dir_file', ` allow $1 $2:dir ra_dir_perms; allow $1 $2:file ra_file_perms; allow $1 $2:lnk_file { getattr read }; ') define(`ra_dir_create_file', ` allow $1 $2:dir ra_dir_perms; allow $1 $2:file { create ra_file_perms }; allow $1 $2:lnk_file { create read getattr }; ') define(`rw_dir_create_file', ` allow $1 $2:dir rw_dir_perms; allow $1 $2:file create_file_perms; allow $1 $2:lnk_file create_lnk_perms; ') define(`create_dir_file', ` allow $1 $2:dir create_dir_perms; allow $1 $2:file create_file_perms; allow $1 $2:lnk_file create_lnk_perms; ') define(`create_dir_notdevfile', ` allow $1 $2:dir create_dir_perms; allow $1 $2:{ file sock_file fifo_file } create_file_perms; allow $1 $2:lnk_file create_lnk_perms; ') define(`create_append_log_file', ` allow $1 $2:dir { read getattr search add_name write }; allow $1 $2:file { create ioctl getattr setattr append link }; ') ################################## # # can_ps(domain1, domain2) # # Authorize domain1 to see /proc entries for domain2 (see it in ps output) # define(`can_ps',` allow $1 $2:dir { search getattr read }; allow $1 $2:{ file lnk_file } { read getattr }; allow $1 $2:process getattr; # We need to suppress this denial because procps tries to access # /proc/pid/environ and this now triggers a ptrace check in recent kernels # (2.4 and 2.6). Might want to change procps to not do this, or only if # running in a privileged domain. dontaudit $1 $2:process ptrace; ') ################################## # # can_getsecurity(domain) # # Authorize a domain to get security policy decisions. # define(`can_getsecurity',` # Get the selinuxfs mount point via /proc/self/mounts. allow $1 proc_t:dir search; allow $1 proc_t:{ file lnk_file } { getattr read }; allow $1 self:dir search; allow $1 self:file { getattr read }; # Access selinuxfs. allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user }; ') ################################## # # can_setenforce(domain) # # Authorize a domain to set the enforcing flag. # Due to its sensitivity, always audit this permission. # define(`can_setenforce',` # Get the selinuxfs mount point via /proc/self/mounts. allow $1 proc_t:dir search; allow $1 proc_t:lnk_file read; allow $1 self:dir search; allow $1 self:file { getattr read }; # Access selinuxfs. allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security setenforce; auditallow $1 security_t:security setenforce; ') ################################## # # can_setbool(domain) # # Authorize a domain to set a policy boolean. # Due to its sensitivity, always audit this permission. # define(`can_setbool',` # Get the selinuxfs mount point via /proc/self/mounts. allow $1 proc_t:dir search; allow $1 proc_t:lnk_file read; allow $1 self:dir search; allow $1 self:file { getattr read }; # Access selinuxfs. allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security setbool; auditallow $1 security_t:security setbool; ') ################################## # # can_setsecparam(domain) # # Authorize a domain to set security parameters. # Due to its sensitivity, always audit this permission. # define(`can_setsecparam',` # Get the selinuxfs mount point via /proc/self/mounts. allow $1 proc_t:dir search; allow $1 proc_t:lnk_file read; allow $1 self:dir search; allow $1 self:file { getattr read }; # Access selinuxfs. allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security setsecparam; auditallow $1 security_t:security setsecparam; ') ################################## # # can_loadpol(domain) # # Authorize a domain to load a policy configuration. # Due to its sensitivity, always audit this permission. # define(`can_loadpol',` # Get the selinuxfs mount point via /proc/self/mounts. allow $1 proc_t:dir search; allow $1 proc_t:lnk_file read; allow $1 self:dir search; allow $1 self:file { getattr read }; # Access selinuxfs. allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security load_policy; auditallow $1 security_t:security load_policy; ') ################################# # # domain_trans(parent_domain, program_type, child_domain) # # Permissions for transitioning to a new domain. # define(`domain_trans',` # # Allow the process to transition to the new domain. # allow $1 $3:process transition; # # Do not audit when glibc secure mode is enabled upon the transition. # dontaudit $1 $3:process noatsecure; # # Do not audit when signal-related state is cleared upon the transition. # dontaudit $1 $3:process siginh; # # Do not audit when resource limits are reset upon the transition. # dontaudit $1 $3:process rlimitinh; # # Allow the process to execute the program. # allow $1 $2:file { read x_file_perms }; # # Allow the process to reap the new domain. # allow $3 $1:process sigchld; # # Allow the new domain to inherit and use file # descriptions from the creating process and vice versa. # allow $3 $1:fd use; allow $1 $3:fd use; # # Allow the new domain to write back to the old domain via a pipe. # allow $3 $1:fifo_file rw_file_perms; # # Allow the new domain to read and execute the program. # allow $3 $2:file rx_file_perms; # # Allow the new domain to be entered via the program. # allow $3 $2:file entrypoint; ') ################################# # # domain_auto_trans(parent_domain, program_type, child_domain) # # Define a default domain transition and allow it. # define(`domain_auto_trans',` domain_trans($1,$2,$3) type_transition $1 $2:process $3; ') ################################# # # can_ptrace(domain, domain) # # Permissions for running ptrace (strace or gdb) on another domain # define(`can_ptrace',` allow $1 $2:process ptrace; allow $2 $1:process sigchld; ') ################################# # # can_exec(domain, type) # # Permissions for executing programs with # a specified type without changing domains. # define(`can_exec',` allow $1 $2:file { rx_file_perms execute_no_trans }; ') # this is an internal macro used by can_create define(`can_create_internal', ` ifelse(`$3', `dir', ` allow $1 $2:$3 create_dir_perms; ', `$3', `lnk_file', ` allow $1 $2:$3 create_lnk_perms; ', ` allow $1 $2:$3 create_file_perms; ')dnl end if dir ')dnl end can_create_internal ################################# # # can_create(domain, file_type, object_class) # # Permissions for creating files of the specified type and class # define(`can_create', ` ifelse(regexp($3, `\w'), -1, `', ` can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1')) can_create($1, $2, regexp($3, `\w+\(.*\)', `\1')) ') ') ################################# # # file_type_trans(domain, dir_type, file_type) # # Permissions for transitioning to a new file type. # define(`file_type_trans',` # # Allow the process to modify the directory. # allow $1 $2:dir rw_dir_perms; # # Allow the process to create the file. # ifelse(`$4', `', ` can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }') ', ` can_create($1, $3, $4) ')dnl end if param 4 specified ') ################################# # # file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class) # # the object class will default to notdevfile_class_set if not specified as # the fourth parameter # # Define a default file type transition and allow it. # define(`file_type_auto_trans',` ifelse(`$4', `', ` file_type_trans($1,$2,$3) type_transition $1 $2:dir $3; type_transition $1 $2:notdevfile_class_set $3; ', ` file_type_trans($1,$2,$3,$4) type_transition $1 $2:$4 $3; ')dnl end ifelse ') ################################# # # can_unix_connect(client, server) # # Permissions for establishing a Unix stream connection. # define(`can_unix_connect',` allow $1 $2:unix_stream_socket connectto; ') ################################# # # can_unix_send(sender, receiver) # # Permissions for sending Unix datagrams. # define(`can_unix_send',` allow $1 $2:unix_dgram_socket sendto; ') ################################# # # can_tcp_connect(client, server) # # Permissions for establishing a TCP connection. # Irrelevant until we have labeled networking. # define(`can_tcp_connect',` #allow $1 $2:tcp_socket { connectto recvfrom }; #allow $2 $1:tcp_socket { acceptfrom recvfrom }; #allow $2 kernel_t:tcp_socket recvfrom; #allow $1 kernel_t:tcp_socket recvfrom; ') ################################# # # can_udp_send(sender, receiver) # # Permissions for sending/receiving UDP datagrams. # Irrelevant until we have labeled networking. # define(`can_udp_send',` #allow $1 $2:udp_socket sendto; #allow $2 $1:udp_socket recvfrom; ') ################################## # # base_pty_perms(domain_prefix) # # Base permissions used for can_create_pty() and can_create_other_pty() # define(`base_pty_perms', ` # Access the pty master multiplexer. allow $1_t ptmx_t:chr_file rw_file_perms; allow $1_t devpts_t:filesystem getattr; # allow searching /dev/pts allow $1_t devpts_t:dir { getattr read search }; # ignore old BSD pty devices dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; ') ################################## # # pty_slave_label(domain_prefix, attributes) # # give access to a slave pty but do not allow creating new ptys # define(`pty_slave_label', ` type $1_devpts_t, file_type, sysadmfile, ptyfile $2; # Allow the pty to be associated with the file system. allow $1_devpts_t devpts_t:filesystem associate; # Label pty files with a derived type. type_transition $1_t devpts_t:chr_file $1_devpts_t; # Read and write my pty files. allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; ') ################################## # # can_create_pty(domain_prefix, attributes) # # Permissions for creating ptys. # define(`can_create_pty',` base_pty_perms($1) pty_slave_label($1, `$2') ') ################################## # # can_create_other_pty(domain_prefix,other_domain) # # Permissions for creating ptys for another domain. # define(`can_create_other_pty',` base_pty_perms($1) # Label pty files with a derived type. type_transition $1_t devpts_t:chr_file $2_devpts_t; # Read and write pty files. allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms }; ') # # general_domain_access(domain) # # Grant permissions within the domain. # This includes permissions to processes, /proc/PID files, # file descriptors, pipes, Unix sockets, and System V IPC objects # labeled with the domain. # define(`general_domain_access',` # Access other processes in the same domain. # Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap. # These must be granted separately if desired. allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap}; # Access /proc/PID files for processes in the same domain. allow $1 self:dir r_dir_perms; allow $1 self:notdevfile_class_set r_file_perms; # Access file descriptions, pipes, and sockets # created by processes in the same domain. allow $1 self:fd *; allow $1 self:fifo_file rw_file_perms; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket create_stream_socket_perms; # Allow the domain to communicate with other processes in the same domain. allow $1 self:unix_dgram_socket sendto; allow $1 self:unix_stream_socket connectto; # Access System V IPC objects created by processes in the same domain. allow $1 self:sem create_sem_perms; allow $1 self:msg { send receive }; allow $1 self:msgq create_msgq_perms; allow $1 self:shm create_shm_perms; allow $1 unpriv_userdomain:fd use; # # Every app is asking for ypbind so I am adding this here, # eventually this should become can_nsswitch # can_ypbind($1) allow $1 autofs_t:dir { search getattr }; ')dnl end general_domain_access