############################## # # Global macros for the type enforcement (TE) configuration. # # # Authors: Stephen Smalley and Timothy Fraser # Howard Holm (NSA) # Russell Coker # # # ################################## # # can_setexec(domain) # # Authorize a domain to set its exec context # (via /proc/pid/attr/exec). # define(`can_setexec',` allow $1 self:process setexec; allow $1 proc_t:dir search; allow $1 proc_t:{ file lnk_file } read; allow $1 self:dir search; allow $1 self:file { getattr read write }; ') ################################## # # can_getcon(domain) # # Authorize a domain to get its context # (via /proc/pid/attr/current). # define(`can_getcon',` allow $1 proc_t:dir search; allow $1 proc_t:{ file lnk_file } read; allow $1 self:dir search; allow $1 self:file { getattr read }; allow $1 self:process getattr; ') ################################## # # can_setcon(domain) # # Authorize a domain to set its current context # (via /proc/pid/attr/current). # define(`can_setcon',` allow $1 self:process setcurrent; allow $1 proc_t:dir search; allow $1 proc_t:{ file lnk_file } read; allow $1 self:dir search; allow $1 self:file { getattr read write }; ') ################################## # read_sysctl(domain) # # Permissions for reading sysctl variables. # If the second parameter is full, allow # reading of any sysctl variables, else only # sysctl_kernel_t. # define(`read_sysctl', ` # Read system variables in /sys. ifelse($2,`full', ` allow $1 sysctl_type:dir r_dir_perms; allow $1 sysctl_type:file r_file_perms; ', ` allow $1 sysctl_t:dir search; allow $1 sysctl_kernel_t:dir search; allow $1 sysctl_kernel_t:file { getattr read }; ') ')dnl read_sysctl ################################## # # can_setfscreate(domain) # # Authorize a domain to set its fscreate context # (via /proc/pid/attr/fscreate). # define(`can_setfscreate',` allow $1 self:process setfscreate; allow $1 proc_t:dir search; allow $1 proc_t:{ file lnk_file } read; allow $1 self:dir search; allow $1 self:file { getattr read write }; ') ################################# # # uses_shlib(domain) # # Permissions for using shared libraries. # define(`uses_shlib',` allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms; allow $1 lib_t:lnk_file r_file_perms; allow $1 ld_so_t:file rx_file_perms; #allow $1 ld_so_t:file execute_no_trans; allow $1 ld_so_t:lnk_file r_file_perms; allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms; allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms; allow $1 texrel_shlib_t:file execmod; allow $1 ld_so_cache_t:file r_file_perms; allow $1 device_t:dir search; allow $1 null_device_t:chr_file rw_file_perms; ') ################################# # # can_exec_any(domain) # # Permissions for executing a variety # of executable types. # define(`can_exec_any',` allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms; allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read }; uses_shlib($1) can_exec($1, etc_t) can_exec($1, lib_t) can_exec($1, bin_t) can_exec($1, sbin_t) can_exec($1, exec_type) can_exec($1, ld_so_t) ') ################################# # # can_sysctl(domain) # # Permissions for modifying sysctl parameters. # define(`can_sysctl',` allow $1 sysctl_type:dir r_dir_perms; allow $1 sysctl_type:file { setattr rw_file_perms }; ') ################################## # # read_locale(domain) # # Permissions for reading the locale data, # /etc/localtime and the files that it links to # define(`read_locale', ` allow $1 etc_t:lnk_file read; allow $1 lib_t:file r_file_perms; r_dir_file($1, locale_t) ') ################################### # # access_terminal(domain, typeprefix) # # Permissions for accessing the terminal # define(`access_terminal', ` allow $1 $2_tty_device_t:chr_file { read write getattr ioctl }; allow $1 devtty_t:chr_file { read write getattr ioctl }; allow $1 devpts_t:dir { read search getattr }; allow $1 $2_devpts_t:chr_file { read write getattr ioctl }; ') # # general_proc_read_access(domain) # # Grant read/search permissions to most of /proc, excluding # the /proc/PID directories and the /proc/kmsg and /proc/kcore files. # The general_domain_access macro grants access to the domain /proc/PID # directories, but not to other domains. Only permissions to stat # are granted for /proc/kmsg and /proc/kcore, since these files are more # sensitive. # define(`general_proc_read_access',` # Read system information files in /proc. r_dir_file($1, proc_t) r_dir_file($1, proc_net_t) allow $1 proc_mdstat_t:file r_file_perms; # Stat /proc/kmsg and /proc/kcore. allow $1 proc_fs:file stat_file_perms; # Read system variables in /proc/sys. read_sysctl($1) ') # # base_file_read_access(domain) # # Grant read/search permissions to a few system file types. # define(`base_file_read_access',` # Read /. allow $1 root_t:dir r_dir_perms; allow $1 root_t:notdevfile_class_set r_file_perms; # Read /home. allow $1 home_root_t:dir r_dir_perms; # Read /usr. allow $1 usr_t:dir r_dir_perms; allow $1 usr_t:notdevfile_class_set r_file_perms; # Read bin and sbin directories. allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:notdevfile_class_set r_file_perms; allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:notdevfile_class_set r_file_perms; read_sysctl($1) r_dir_file($1, selinux_config_t) if (read_default_t) { # # Read default_t #. allow $1 default_t:dir r_dir_perms; allow $1 default_t:notdevfile_class_set r_file_perms; } ') ####################### # daemon_core_rules(domain_prefix, attribs) # # Define the core rules for a daemon, used by both daemon_base_domain() and # init_service_domain(). # Attribs is the list of attributes which must start with "," if it is not empty # # Author: Russell Coker # define(`daemon_core_rules', ` type $1_t, domain, privlog, daemon $2; type $1_exec_t, file_type, sysadmfile, exec_type; dontaudit $1_t self:capability sys_tty_config; role system_r types $1_t; # Inherit and use descriptors from init. allow $1_t init_t:fd use; allow $1_t init_t:process sigchld; allow $1_t self:process { signal_perms fork }; uses_shlib($1_t) allow $1_t { self proc_t }:dir r_dir_perms; allow $1_t { self proc_t }:lnk_file { getattr read }; allow $1_t device_t:dir r_dir_perms; ifdef(`udev.te', ` allow $1_t udev_tdb_t:file r_file_perms; ')dnl end if udev.te allow $1_t null_device_t:chr_file rw_file_perms; dontaudit $1_t console_device_t:chr_file rw_file_perms; dontaudit $1_t unpriv_userdomain:fd use; r_dir_file($1_t, sysfs_t) allow $1_t autofs_t:dir { search getattr }; ifdef(`targeted_policy', ` dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write }; dontaudit $1_t root_t:file { getattr read }; ')dnl end if targeted_policy ')dnl end macro daemon_core_rules ####################### # init_service_domain(domain_prefix, attribs) # # Define a domain for a program that is run from init # Attribs is the list of attributes which must start with "," if it is not empty # # Author: Russell Coker # define(`init_service_domain', ` daemon_core_rules($1, `$2') domain_auto_trans(init_t, $1_exec_t, $1_t) ')dnl ####################### # daemon_base_domain(domain_prefix, attribs) # # Define a daemon domain with a base set of type declarations # and permissions that are common to most daemons. # attribs is the list of attributes which must start with "," if it is not empty # nosysadm may be given as an optional third parameter, to specify that the # sysadmin should not transition to the domain when directly calling the executable # # Author: Russell Coker # define(`daemon_base_domain', ` daemon_core_rules($1, `$2') rhgb_domain($1_t) read_sysctl($1_t) ifdef(`direct_sysadm_daemon', ` dontaudit $1_t admin_tty_type:chr_file rw_file_perms; ') # # Allows user to define a tunable to disable domain transition # ifelse(index(`$2',`transitionbool'), -1, `', ` bool $1_disable_trans false; if ($1_disable_trans) { can_exec(initrc_t, $1_exec_t) can_exec(sysadm_t, $1_exec_t) } else { ') dnl transitionbool domain_auto_trans(initrc_t, $1_exec_t, $1_t) allow initrc_t $1_t:process { noatsecure siginh rlimitinh }; ifdef(`direct_sysadm_daemon', ` ifelse(`$3', `nosysadm', `', ` domain_auto_trans(sysadm_t, $1_exec_t, $1_t) allow sysadm_t $1_t:process { noatsecure siginh rlimitinh }; ')dnl end direct_sysadm_daemon ')dnl end nosysadm ifelse(index(`$2', `transitionbool'), -1, `', ` } ') dnl end transitionbool ifdef(`direct_sysadm_daemon', ` ifelse(`$3', `nosysadm', `', ` role_transition sysadm_r $1_exec_t system_r; ')dnl end nosysadm ')dnl end direct_sysadm_daemon allow $1_t privfd:fd use; ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;') allow $1_t initrc_devpts_t:chr_file rw_file_perms; ')dnl # allow a domain to create its own files under /var/run and to create files # in directories that are created for it. $2 is an optional list of # classes to use; default is file. define(`var_run_domain', ` type $1_var_run_t, file_type, sysadmfile, pidfile; ifelse(`$2', `', ` file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file) ', ` file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2) ') allow $1_t var_t:dir search; allow $1_t $1_var_run_t:dir rw_dir_perms; ') ####################### # daemon_domain(domain_prefix, attribs) # # see daemon_base_domain for calling details # daemon_domain defines some additional privileges needed by many domains, # like pid files and locale support define(`daemon_domain', ` ifdef(`targeted_policy', ` daemon_base_domain($1, `$2, transitionbool', $3) ', ` daemon_base_domain($1, `$2', $3) ') # Create pid file. allow $1_t var_t:dir { getattr search }; var_run_domain($1) allow $1_t devtty_t:chr_file rw_file_perms; # for daemons that look at /root on startup dontaudit $1_t sysadm_home_dir_t:dir search; # for df allow $1_t fs_type:filesystem getattr; allow $1_t removable_t:filesystem getattr; read_locale($1_t) # for localization allow $1_t lib_t:file { getattr read }; ')dnl end daemon_domain macro define(`uses_authbind', `domain_auto_trans($1, authbind_exec_t, authbind_t) allow authbind_t $1:process sigchld; allow authbind_t $1:fd use; allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; ') # define a sub-domain, $1_t is the parent domain, $2 is the name # of the sub-domain. # define(`daemon_sub_domain', ` # $1 is the parent domain (or domains), $2_t is the child domain, # and $3 is any attributes to apply to the child type $2_t, domain, privlog, daemon $3; type $2_exec_t, file_type, sysadmfile, exec_type; role system_r types $2_t; ifelse(index(`$3',`transitionbool'), -1, ` domain_auto_trans($1, $2_exec_t, $2_t) ', ` bool $2_disable_trans false; if (! $2_disable_trans) { domain_auto_trans($1, $2_exec_t, $2_t) } '); # Inherit and use descriptors from parent. allow $2_t $1:fd use; allow $2_t $1:process sigchld; allow $2_t self:process signal_perms; uses_shlib($2_t) allow $2_t { self proc_t }:dir r_dir_perms; allow $2_t { self proc_t }:lnk_file read; allow $2_t device_t:dir getattr; ') # grant access to /tmp # by default, only plain files and dirs may be stored there. # This can be overridden with a third parameter define(`tmp_domain', ` type $1_tmp_t, file_type, sysadmfile, tmpfile $2; ifelse($3, `', `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')', `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')') ') # grant access to /tmp. Do not perform an automatic transition. define(`tmp_domain_notrans', ` type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2; ') define(`tmpfs_domain', ` ifdef(`$1_tmpfs_t_defined',`', ` define(`$1_tmpfs_t_defined') type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile; # Use this type when creating tmpfs/shm objects. file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t) allow $1_tmpfs_t tmpfs_t:filesystem associate; ') ') define(`var_lib_domain', ` type $1_var_lib_t, file_type, sysadmfile; file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) allow $1_t $1_var_lib_t:dir rw_dir_perms; ') define(`log_domain', ` type $1_log_t, file_type, sysadmfile, logfile; file_type_auto_trans($1_t, var_log_t, $1_log_t, file) ') define(`logdir_domain', ` log_domain($1) allow $1_t $1_log_t:dir { setattr rw_dir_perms }; ') define(`etc_domain', ` type $1_etc_t, file_type, sysadmfile, usercanread; allow $1_t $1_etc_t:file r_file_perms; ') define(`etcdir_domain', ` etc_domain($1) allow $1_t $1_etc_t:dir r_dir_perms; allow $1_t $1_etc_t:lnk_file { getattr read }; ') define(`append_log_domain', ` type $1_log_t, file_type, sysadmfile, logfile; allow $1_t var_log_t:dir ra_dir_perms; allow $1_t $1_log_t:file { create ra_file_perms }; type_transition $1_t var_log_t:file $1_log_t; ') define(`append_logdir_domain', ` append_log_domain($1) allow $1_t $1_log_t:dir { setattr ra_dir_perms }; ') define(`lock_domain', ` type $1_lock_t, file_type, sysadmfile, lockfile; file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file) ') ####################### # application_domain(domain_prefix) # # Define a domain with a base set of type declarations # and permissions that are common to simple applications. # # Author: Russell Coker # define(`application_domain', ` type $1_t, domain, privlog $2; type $1_exec_t, file_type, sysadmfile, exec_type; role sysadm_r types $1_t; domain_auto_trans(sysadm_t, $1_exec_t, $1_t) uses_shlib($1_t) ') define(`system_domain', ` type $1_t, domain, privlog $2; type $1_exec_t, file_type, sysadmfile, exec_type; role system_r types $1_t; uses_shlib($1_t) allow $1_t etc_t:dir r_dir_perms; ') # Dontaudit macros to prevent flooding the log define(`dontaudit_getattr', ` dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; dontaudit $1 unlabeled_t:dir_file_class_set getattr; dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr; ')dnl end dontaudit_getattr define(`dontaudit_search_dir', ` dontaudit $1 file_type - secure_file_type:dir search; dontaudit $1 unlabeled_t:dir search; dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search; ')dnl end dontaudit_search_dir define(`dontaudit_read_dir', ` dontaudit $1 file_type - secure_file_type:dir read; dontaudit $1 unlabeled_t:dir read; dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read; ')dnl end dontaudit_read_dir # Define legacy_domain for legacy binaries (java) # "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old # toolchain. They cause the kernel to automatically start translating all # read protection requests to read|execute for backward compatibility on # x86. They will all need execmem and execmod, including execmod to # shlib_t and ld_so_t unlike non-legacy binaries. define(`legacy_domain', ` allow $1_t self:process { execmem execstack }; allow $1_t { texrel_shlib_t shlib_t }:file execmod; allow $1_t ld_so_t:file execmod; allow $1_t ld_so_cache_t:file execute; ') # Allow domain to perform polyinstantiation functions # polyinstantiater(domain) define(`polyinstantiater', ` ifdef(`support_polyinstantiation', ` # Need to give access to /selinux/member allow $1 security_t:security compute_member; # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { getattr mounton add_name create setattr write search }; # Need to give access to the polyinstantiated subdirectories allow $1 polymember:dir {getattr search }; # Need to give access to parent directories where original # is remounted for polyinstantiation aware programs (like gdm) allow $1 polyparent:dir { getattr mounton }; # Need to give permission to create directories where applicable allow $1 polymember: dir { create setattr }; allow $1 polydir: dir { write add_name }; allow $1 self:process setfscreate; allow $1 polyparent:dir { write add_name }; # Default type for mountpoints allow $1 poly_t:dir { create mounton }; # Need sys_admin capability for mounting allow $1 self:capability sys_admin; ')dnl end else support_polyinstantiation ')dnl end polyinstantiater # # Domain that is allow to read anonymous data off the network # without providing authentication. # Also define boolean to allow anonymous writing # define(`anonymous_domain', ` r_dir_file($1_t, ftpd_anon_t) bool allow_$1_anon_write false; if (allow_$1_anon_write) { create_dir_file($1_t,ftpd_anon_rw_t) } ') # # Define a domain that can do anything, so that it is # effectively unconfined by the SELinux policy. This # means that it is only restricted by the normal Linux # protections. Note that you may need to add further rules # to allow other domains to interact with this domain as expected, # since this macro only allows the specified domain to act upon # all other domains and types, not vice versa. # define(`unconfined_domain', ` typeattribute $1 unrestricted; # Mount/unmount any filesystem. allow $1 fs_type:filesystem *; # Mount/unmount any filesystem with the context= option. allow $1 file_type:filesystem *; # Create/access any file in a labeled filesystem; allow $1 file_type:{ file chr_file } ~execmod; allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *; allow $1 sysctl_t:{ dir file } *; allow $1 device_type:devfile_class_set *; allow $1 mtrr_device_t:file *; # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. allow $1 { unlabeled_t fs_type }:dir_file_class_set *; allow $1 proc_fs:{ dir file } *; # For /proc/pid r_dir_file($1,domain) # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; # Read and write sysctls. can_sysctl($1) # Access the network. allow $1 node_type:node *; allow $1 netif_type:netif *; allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg }; allow $1 port_type:tcp_socket name_connect; # Bind to any network address. allow $1 port_type:{ tcp_socket udp_socket } name_bind; allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind; allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind; # Use/sendto/connectto sockets created by any domain. allow $1 domain:{ socket_class_set socket key_socket } *; # Use descriptors and pipes created by any domain. allow $1 domain:fd use; allow $1 domain:fifo_file rw_file_perms; # Act upon any other process. allow $1 domain:process ~{ transition dyntransition execmem }; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; if (allow_execmem) { # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; } if (allow_execmem && allow_execstack) { # Allow making the stack executable via mprotect. allow $1 self:process execstack; } if (allow_execmod) { # Allow text relocations on system shared libraries, e.g. libGL. ifdef(`targeted_policy', ` allow $1 file_type:file execmod; ', ` allow $1 texrel_shlib_t:file execmod; allow $1 home_type:file execmod; ') } # Create/access any System V IPC objects. allow $1 domain:{ sem msgq shm } *; allow $1 domain:msg { send receive }; # Access the security API. allow $1 security_t:security *; auditallow $1 security_t:security { load_policy setenforce setbool }; # Perform certain system operations that lacked individual capabilities. allow $1 kernel_t:system *; # Use any Linux capability. allow $1 self:capability *; # Set user information and skip authentication. allow $1 self:passwd *; # Communicate via dbusd. allow $1 self:dbus *; ifdef(`dbusd.te', ` allow $1 system_dbusd_t:dbus *; ') # Get info via nscd. allow $1 self:nscd *; ifdef(`nscd.te', ` allow $1 nscd_t:nscd *; ') ')dnl end unconfined_domain define(`access_removable_media', ` can_exec($1, { removable_t noexattrfile } ) if (user_rw_noexattrfile) { create_dir_file($1, noexattrfile) create_dir_file($1, removable_t) # Write floppies allow $1 removable_device_t:blk_file rw_file_perms; allow $1 usbtty_device_t:chr_file write; } else { r_dir_file($1, noexattrfile) r_dir_file($1, removable_t) allow $1 removable_device_t:blk_file r_file_perms; } allow $1 removable_t:filesystem getattr; ') define(`authentication_domain', ` can_ypbind($1) can_kerberos($1) can_ldap($1) can_resolve($1) can_winbind($1) r_dir_file($1, cert_t) allow $1 { random_device_t urandom_device_t }:chr_file { getattr read }; allow $1 self:capability { audit_write audit_control }; dontaudit $1 shadow_t:file { getattr read }; ')