policy_module(domain, 1.8.0) ######################################## # # Declarations # ## ##

## Allow all domains to use other domains file descriptors ##

##
# gen_tunable(allow_domain_fd_use, true) ## ##

## Allow all domains to have the kernel load modules ##

##
# gen_tunable(domain_kernel_load_modules, false) # Mark process types as domains attribute domain; # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; # Domains that are unconfined attribute unconfined_domain_type; # Domains that can mmap low memory. attribute mmap_low_domain_type; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; # Domains that can set their current context # (perform dynamic transitions) attribute set_curr_context; # enabling setcurrent breaks process tranquility. If you do not # know what this means or do not understand the implications of a # dynamic transition, you should not be using it!!! neverallow { domain -set_curr_context } self:process setcurrent; # entrypoint executables attribute entry_type; # widely-inheritable file descriptors attribute privfd; # # constraint related attributes # # [1] types that can change SELinux identity on transition attribute can_change_process_identity; # [2] types that can change SELinux role on transition attribute can_change_process_role; # [3] types that can change the SELinux identity on a filesystem # object or a socket object on a create or relabel attribute can_change_object_identity; # [3] types that can change to system_u:system_r attribute can_system_change; # [4] types that have attribute 1 can change the SELinux # identity only if the target domain has this attribute. # Types that have attribute 2 can change the SELinux role # only if the target domain has this attribute. attribute process_user_target; # For cron jobs # [5] types used for cron daemons attribute cron_source_domain; # [6] types used for cron jobs attribute cron_job_domain; # [7] types that are unconditionally exempt from # SELinux identity and role change constraints attribute process_uncond_exempt; # add userhelperdomain to this one neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; neverallow ~{ domain unlabeled_t } *:process *; ######################################## # # Rules applied to all domains # # read /proc/(pid|self) entries allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) kernel_read_crypto_sysctls(domain) # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) kernel_dontaudit_search_debugfs(domain) # create child processes in the domain allow domain self:process { fork getsched sigchld }; # Use trusted objects in /dev dev_rw_null(domain) dev_rw_zero(domain) term_use_controlling_term(domain) # list the root directory files_list_root(domain) # All executables should be able to search the directory they are in corecmd_search_bin(domain) tunable_policy(`domain_kernel_load_modules',` kernel_request_load_module(domain) ') tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs # are compiled with ProPolice/SSP # stack smashing protection. dev_read_urand(domain) ') optional_policy(` afs_rw_cache(domain) ') optional_policy(` libs_use_ld_so(domain) libs_use_shared_libs(domain) libs_read_lib_files(domain) ') optional_policy(` setrans_translate_context(domain) ') # xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains. optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) xserver_dontaudit_append_xdm_home_files(domain) xserver_dontaudit_write_log(domain) ') ######################################## # # Unconfined access to this module # # unconfined access also allows constraints, but this # is handled in the interface as typeattribute cannot # be used on an attribute. # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; # Use descriptors and pipes created by any domain. allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; allow unconfined_domain_type unconfined_domain_type:dbus send_msg; # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; allow unconfined_domain_type domain:file rw_file_perms; allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) selinux_getattr_fs(domain) selinux_search_fs(domain) selinux_dontaudit_read_fs(domain) seutil_dontaudit_read_config(domain) init_sigchld(domain) init_signull(domain) ifdef(`distro_redhat',` files_search_mnt(domain) optional_policy(` unconfined_use_fds(domain) ') ') # these seem questionable: optional_policy(` abrt_domtrans_helper(domain) abrt_read_pid_files(domain) abrt_read_state(domain) abrt_signull(domain) abrt_stream_connect(domain) ') optional_policy(` rpm_use_fds(domain) rpm_read_pipes(domain) rpm_search_log(domain) rpm_append_tmp_files(domain) rpm_dontaudit_leaks(domain) rpm_read_script_tmp_files(domain) rpm_inherited_fifo(domain) ') optional_policy(` sosreport_append_tmp_files(domain) ') tunable_policy(`allow_domain_fd_use',` # Allow all domains to use fds past to them allow domain domain:fd use; ') optional_policy(` cron_dontaudit_write_system_job_tmp_files(domain) cron_rw_pipes(domain) cron_rw_system_job_pipes(domain) ') ifdef(`hide_broken_symptoms',` dontaudit domain self:udp_socket listen; allow domain domain:key { link search }; ') optional_policy(` ifdef(`hide_broken_symptoms',` afs_rw_udp_sockets(domain) ') ') optional_policy(` ssh_rw_pipes(domain) ') optional_policy(` unconfined_dontaudit_rw_pipes(domain) unconfined_sigchld(domain) ') # broken kernel dontaudit can_change_object_identity can_change_object_identity:key link;