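## <summary>Policy for UML</summary>

########################################
## <summary>
##	The per role template for the uml module.
## </summary>
## <desc>
##	<p>
##	This template creates derived domains which are used
##	for the uml program.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`uml_per_role_template',`
	gen_require(`
		type uml_ro_t, uml_exec_t;
	')

	########################################
	#
	# Declarations
	#

	# Per-user UML domain; only role $3 may run processes in it.
	type $1_uml_t;
	domain_type($1_uml_t)
	role $3 types $1_uml_t;

	# Per-user entry point (the shared uml_exec_t is an entry point too, see
	# the domain_auto_trans below).
	type $1_uml_exec_t;
	domain_entry_file($1_uml_t,$1_uml_exec_t)

	# Per-user read-only data: readable by $1_uml_t, managed by $2.
	type $1_uml_ro_t;
	files_type($1_uml_ro_t)

	# Per-user read-write data: managed by both $1_uml_t and $2.
	type $1_uml_rw_t;
	files_type($1_uml_rw_t)

	type $1_uml_tmp_t;
	files_tmp_file($1_uml_tmp_t)

	type $1_uml_tmpfs_t;
	files_tmpfs_file($1_uml_tmpfs_t)

	type $1_uml_devpts_t;
	term_pty($1_uml_devpts_t)

	########################################
	#
	# Local policy
	#

	allow $1_uml_t self:fifo_file rw_fifo_file_perms;
	# NOTE(review): ptrace on self is broad; presumably needed because UML
	# drives its guest threads with ptrace (see the SKAS note below) -- confirm
	# before tightening.
	allow $1_uml_t self:process { signal_perms ptrace };
	allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_uml_t self:unix_dgram_socket create_socket_perms;
	# Use the network.
	allow $1_uml_t self:tcp_socket create_stream_socket_perms;
	allow $1_uml_t self:udp_socket create_socket_perms;

	# Signal exit to, and share pipes with, the invoking user domain.
	allow $1_uml_t $2:process sigchld;
	allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };

	# UML consoles are backed by ptys of the per-user devpts type.
	allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
	term_create_pty($1_uml_t,$1_uml_devpts_t)

	# Temporary files.  Note the can_exec rules below: the domain may execute
	# content it wrote itself under tmp and tmpfs, so there is no write-xor-
	# execute separation for these types.  Presumably required by UML's
	# tmp/tmpfs-backed guest memory file -- confirm before removing.
	manage_dirs_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
	manage_files_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
	files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
	can_exec($1_uml_t, $1_uml_tmp_t)

	manage_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
	manage_lnk_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
	manage_fifo_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
	manage_sock_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
	fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ file lnk_file sock_file fifo_file })
	can_exec($1_uml_t, $1_uml_tmpfs_t)

	# Access config files (shared and per-user); read-only from this domain.
	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms;
	read_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
	read_lnk_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })

	# Per-user read-write data, created under the user's home directory.
	manage_dirs_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
	manage_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
	manage_lnk_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
	manage_fifo_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
	manage_sock_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
	userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })

	# The user domain reads the shared read-only data ...
	allow $2 uml_ro_t:dir list_dir_perms;
	read_files_pattern($2,uml_ro_t,uml_ro_t)
	read_lnk_files_pattern($2,uml_ro_t,uml_ro_t)

	# ... and fully manages and relabels its per-user data and entry-point
	# files.  Because $2 writes $1_uml_exec_t (an entry point of $1_uml_t) and
	# may ptrace $1_uml_t, the derived domain confines UML from the rest of
	# the system, not from the user's own processes.
	# The dir/file rules cover { ro rw exec } in one place; the earlier
	# separate { ro rw } dir/file rules were strictly subsumed by these and
	# have been folded in.
	manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
	manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
	manage_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
	manage_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
	manage_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
	relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
	relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
	relabel_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
	relabel_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
	relabel_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })

	# allow ps, ptrace, signal
	ps_process_pattern($2,$1_uml_t)
	allow $2 $1_uml_t:process { ptrace signal_perms };

	# The user domain cleans up the UML domain's temporary files.
	manage_dirs_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
	manage_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
	manage_lnk_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
	manage_sock_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)

	# Transition from the user domain to this domain.
	domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
	can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })

	# for mconsole
	allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
	allow $1_uml_t $2:unix_dgram_socket sendto;

	kernel_read_system_state($1_uml_t)
	# for SKAS - need something better
	# NOTE(review): this grants write access to generic proc files, which is
	# far wider than SKAS needs; narrow it once the exact /proc paths are known.
	kernel_write_proc_files($1_uml_t)

	# for xterm
	corecmd_exec_bin($1_uml_t)
	corecmd_exec_sbin($1_uml_t)

	# Unrestricted client-side networking (all nodes, all ports); the guest's
	# traffic is indistinguishable from the host process's here.
	corenet_non_ipsec_sendrecv($1_uml_t)
	corenet_tcp_sendrecv_generic_if($1_uml_t)
	corenet_udp_sendrecv_generic_if($1_uml_t)
	corenet_tcp_sendrecv_all_nodes($1_uml_t)
	corenet_udp_sendrecv_all_nodes($1_uml_t)
	corenet_tcp_sendrecv_all_ports($1_uml_t)
	corenet_udp_sendrecv_all_ports($1_uml_t)
	corenet_tcp_connect_all_ports($1_uml_t)
	corenet_sendrecv_all_client_packets($1_uml_t)
	corenet_rw_tun_tap_dev($1_uml_t)

	domain_use_interactive_fds($1_uml_t)

	# for xterm
	files_read_etc_files($1_uml_t)
	files_dontaudit_read_etc_runtime_files($1_uml_t)
	# putting uml data under /var is usual...
	files_search_var($1_uml_t)

	fs_getattr_xattr_fs($1_uml_t)

	init_read_utmp($1_uml_t)
	init_dontaudit_write_utmp($1_uml_t)

	# for xterm
	libs_use_ld_so($1_uml_t)
	libs_use_shared_libs($1_uml_t)
	libs_exec_lib_files($1_uml_t)

	# Inherit and use descriptors from newrole.
	seutil_use_newrole_fds($1_uml_t)

	# Use the network.
	sysnet_read_config($1_uml_t)

	userdom_use_user_terminals($1,$1_uml_t)

	optional_policy(`
		nis_use_ypbind($1_uml_t)
	')

	# Everything inside this ifdef is compiled out unless `TODO'' is defined;
	# it is kept verbatim as a record of the intended X and uml_net policy.
	ifdef(`TODO',`
	# for X
	optional_policy(`
		ifelse($1, sysadm,`
		',`
			optional_policy(`
				allow $1_uml_t xdm_xserver_tmp_t:dir search;
			')
			allow $1_uml_t $1_xserver_tmp_t:sock_file write;
			allow $1_uml_t $1_xserver_t:unix_stream_socket connectto;
		')
	')

	optional_policy(`
		# for uml_net
		domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
		allow uml_net_t $1_uml_t:unix_stream_socket { read write };
		allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
		dontaudit uml_net_t privfd:fd use;
		can_access_pty(uml_net_t, $1_uml)
		dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
	')
	#TODO
	optional_policy(`
		allow $1_uml_t $1_xauth_home_t:file { getattr read };
	')
	')
')

########################################
## <summary>
##	Set attributes on uml utility socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`uml_setattr_util_sockets',`
	gen_require(`
		type uml_switch_var_run_t;
	')

	# setattr only: the caller may chmod/chown the switch socket but not
	# create, remove or connect to it.
	allow $1 uml_switch_var_run_t:sock_file setattr;
')

########################################
## <summary>
##	Manage uml utility files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`uml_manage_util_files',`
	gen_require(`
		type uml_switch_var_run_t;
	')

	# Regular files and symlinks under the uml_switch runtime directory;
	# sock_file access is deliberately not part of this interface.
	manage_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
	manage_lnk_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
')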
## This template creates derived domains which are used ## for the uml program. ##
## This template is invoked automatically for each user, and ## generally does not need to be invoked directly ## by policy writers. ##