##############################
#
# Assertions for the type enforcement (TE) configuration.
#
#
# Authors: Stephen Smalley and Timothy Fraser
#
##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added. Access
# vector assertions use the same syntax as access vector rules.
#
# Reading notes for the rules below:
#   - These are build-time checks only: a violated neverallow fails the
#     policy compile, it does not deny anything at runtime.
#   - In a type set, a leading "-" removes a type or attribute from the set
#     and a leading "~" complements it. A permission set written as
#     "~x" therefore means "every permission of that class except x".
#   - Nearly every rule carves the unrestricted attribute out of its source
#     set. Any domain that is given that attribute elsewhere in the policy is
#     exempt from all of these assertions, so additions to it deserve review.
#   - The ifdef(...) conditionals refer to other policy files; presumably
#     those names are defined by the build only when the corresponding
#     domain file is included (TODO confirm against the policy Makefile).
#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition };

#
# Verify that only domains carrying the privsysmod attribute (plus
# unrestricted) have the sys_module capability. Which domains carry
# privsysmod is decided elsewhere in the policy; the original comment
# named insmod_t and kernel_t, which is presumably where it is assigned.
#
neverallow {domain -privsysmod -unrestricted } self:capability sys_module;

#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
# Exemptions: kernel_t, the ldconfig domain when its file is built,
# the admin attribute and unrestricted.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
# Relabelling to an executable type is a second way to introduce executable
# content, so it gets its own rule; change_context is additionally exempt.
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;

#
# Verify that only appropriate domains can access /etc/shadow.
# First rule: anything outside the auth_bool, auth and auth_write sets may
# do nothing to shadow_t beyond getattr. Second rule: anything outside
# auth_write may do nothing beyond the r_file_perms set, i.e. only
# auth_write domains may modify the file.
neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;

#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd). Domains outside auth_write and etc_writer are held to
# read-write directory perms, read-only symlink perms, and read/execute
# file perms (execute_no_trans is additionally allowed on etc_t files).
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };

#
# Verify that other system software can only be modified by administrators.
# Directory entries (add/remove/rename) and file contents are checked
# separately; only the directory rule exempts the ldconfig domain.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };

#
# Verify that only certain domains have access to the raw disk devices.
# The permitted set is whatever carries the fs_domain attribute.
#
neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };

#
# Verify that only domains carrying the privmem attribute have access to
# memory devices. The original comment named the X server and klogd,
# presumably the domains given privmem elsewhere (verify in their .te files).
#
neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };

#
# Verify that only domains with the privlog attribute can actually syslog
# (read, write or append on the devlog_t socket file).
#
neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };

#
# Verify that /proc/kmsg is only accessible to domains carrying privkmsg
# (the original comment named klogd); everything else is limited to the
# stat_file_perms set.
#
neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;

#
# Verify that /proc/kcore is inaccessible: no domain except unrestricted
# may go beyond stat_file_perms on it.
#
neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;

#
# Verify that sysctl variables are only changeable
# by initrc and administrators. Per-subtree exemptions on top of that:
# the generic sysctl_t rule also exempts kernel_t and insmod_t, the
# kernel subtree is governed by the sysctl_kernel_writer attribute
# (initrc_t is not exempt there), and the net subtree additionally
# exempts sysctl_net_writer.
#
neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };

#
# Verify that certain domains are limited to only being
# entered by their entrypoint types and to only executing
# the dynamic loader without a transition to another domain.
#
# assert_execute(name, ...) expands, for each argument NAME, to two rules:
#   neverallow NAME_t ~NAME_exec_t:file entrypoint;
#   neverallow NAME_t ~{ NAME_exec_t ld_so_t }:file execute_no_trans;
# The ifelse dispatches on the argument count: zero arguments produce
# nothing, one argument produces the two rules, and more than one recurses
# on the first argument and then on the remainder via shift. The double
# quoting around the rule text keeps it from being rescanned as macro input
# (presumably; confirm against the m4 quoting conventions used by this build).
#
define(`assert_execute', `
ifelse($#, 0, , $#, 1, ``neverallow $1_t ~$1_exec_t:file entrypoint;
neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'', `assert_execute($1)
assert_execute(shift($@))')')

# Each assertion is emitted only when the matching domain file is part of
# the build, so a domain that is not compiled in cannot fail the check.
ifdef(`getty.te', `assert_execute(getty)')
ifdef(`klogd.te', `assert_execute(klogd)')
ifdef(`tcpd.te', `assert_execute(tcpd)')
ifdef(`portmap.te', `assert_execute(portmap)')
ifdef(`syslogd.te', `assert_execute(syslogd)')
ifdef(`rpcd.te', `assert_execute(rpcd)')
ifdef(`rlogind.te', `assert_execute(rlogind)')
ifdef(`ypbind.te', `assert_execute(ypbind)')
ifdef(`xfs.te', `assert_execute(xfs)')
ifdef(`gpm.te', `assert_execute(gpm)')
ifdef(`ifconfig.te', `assert_execute(ifconfig)')
ifdef(`iptables.te', `assert_execute(iptables)')

# The login domains are handled by hand rather than through assert_execute
# because they have two domains sharing one entrypoint type and, when PAM is
# built, may also enter through and execute pam_exec_t.
ifdef(`login.te', `
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
')

#
# Verify that the passwd domain can only be entered by its
# entrypoint type and can only execute the dynamic loader
# and the ordinary passwd program without a transition to another domain.
# (The execute_no_trans set here is bin_t, sbin_t, shell_exec_t and
# ld_so_t, i.e. wider than the comment suggests; it is shared by both the
# ordinary and the sysadm passwd domain.)
#
ifdef(`passwd.te', `
neverallow passwd_t ~passwd_exec_t:file entrypoint;
neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
')

#
# Verify that only the security-admin domains (the secadmin attribute,
# not the broader admin attribute used above) and initrc_t have setenforce.
#
neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;

#
# Verify that only the kernel and load_policy_t have load_policy.
#
neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;

#
# for gross mistakes in policy
# - no type at all may treat a domain type as a directory or file beyond
#   read-only / read-write perms (domains are process labels, not objects)
# - nothing may have process permissions on a file type
# - nothing outside domain or unlabeled_t may hold any process permission
neverallow * domain:dir ~r_dir_perms;
neverallow * domain:file_class_set ~rw_file_perms;
neverallow { domain unlabeled_t } file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;