policy_module(selinuxutil,1.0) ######################################## # # Declarations # attribute can_write_binary_policy; attribute can_relabelto_binary_policy; type checkpolicy_t, can_write_binary_policy; domain_type(checkpolicy_t) role system_r types checkpolicy_t; type checkpolicy_exec_t; domain_entry_file(checkpolicy_t,checkpolicy_exec_t) # # default_context_t is the type applied to # /etc/selinux/*/contexts/* # type default_context_t; files_file_type(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; files_file_type(file_context_t) type load_policy_t; domain_type(load_policy_t) role system_r types load_policy_t; type load_policy_exec_t; domain_entry_file(load_policy_t,load_policy_exec_t) type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; domain_role_change_exempt(newrole_t) domain_obj_id_change_exempt(newrole_t) domain_type(newrole_t) domain_wide_inherit_fd(newrole_t) type newrole_exec_t; domain_entry_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # type policy_config_t; files_file_type(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; # # policy_src_t is the type of the policy source # files. # type policy_src_t; files_file_type(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; domain_obj_id_change_exempt(restorecon_t) init_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; type run_init_t; domain_type(run_init_t) type run_init_exec_t; domain_entry_file(run_init_t,run_init_exec_t) # # selinux_config_t is the type applied to # /etc/selinux/config # type selinux_config_t; files_file_type(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; domain_obj_id_change_exempt(setfiles_t) domain_type(setfiles_t) role system_r types setfiles_t; type setfiles_exec_t; domain_entry_file(setfiles_t,setfiles_exec_t) ######################################## # # Checkpolicy local policy # allow checkpolicy_t self:capability dac_override; # able to create and modify binary policy files allow checkpolicy_t policy_config_t:dir rw_dir_perms; allow checkpolicy_t policy_config_t:file create_file_perms; # allow test policies to be created in src directories allow checkpolicy_t policy_src_t:dir rw_dir_perms; type_transition checkpolicy_t policy_src_t:file policy_config_t; # only allow read of policy source files allow checkpolicy_t policy_src_t:dir r_dir_perms; allow checkpolicy_t policy_src_t:file r_file_perms; allow checkpolicy_t policy_src_t:lnk_file r_file_perms; allow checkpolicy_t selinux_config_t:dir search; fs_getattr_xattr_fs(checkpolicy_t) term_use_console(checkpolicy_t) domain_use_wide_inherit_fd(checkpolicy_t) # directory search permissions for path to source and binary policy files files_search_etc(checkpolicy_t) init_use_fd(checkpolicy_t) init_use_script_pty(checkpolicy_t) libs_use_ld_so(checkpolicy_t) libs_use_shared_libs(checkpolicy_t) userdom_use_all_user_fd(checkpolicy_t) ifdef(`TODO',` # Read the devpts root directory. ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') ') dnl endif TODO ######################################## # # Load_policy local policy # allow load_policy_t self:capability dac_override; # only allow read of policy config files allow load_policy_t policy_src_t:dir search; allow load_policy_t policy_config_t:dir r_dir_perms; allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms; allow load_policy_t selinux_config_t:dir r_dir_perms; allow load_policy_t selinux_config_t:file r_file_perms; allow load_policy_t selinux_config_t:lnk_file r_file_perms; kernel_get_selinuxfs_mount_point(load_policy_t) kernel_load_policy(load_policy_t) kernel_set_boolean(load_policy_t) fs_getattr_xattr_fs(load_policy_t) term_use_console(load_policy_t) term_list_ptys(load_policy_t) init_use_script_fd(load_policy_t) init_use_script_pty(load_policy_t) domain_use_wide_inherit_fd(load_policy_t) files_search_etc(load_policy_t) libs_use_ld_so(load_policy_t) libs_use_shared_libs(load_policy_t) miscfiles_read_localization(load_policy_t) userdom_use_all_user_fd(load_policy_t) ######################################## # # Newrole local policy # allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow newrole_t self:process setexec; allow newrole_t self:fd use; allow newrole_t self:fifo_file rw_file_perms; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket connectto; allow newrole_t self:shm create_shm_perms; allow newrole_t self:sem create_sem_perms; allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms; allow newrole_t { selinux_config_t default_context_t }:file r_file_perms; allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(newrole_t) kernel_read_kernel_sysctl(newrole_t) kernel_get_selinuxfs_mount_point(newrole_t) kernel_validate_context(newrole_t) kernel_compute_access_vector(newrole_t) kernel_compute_create_context(newrole_t) kernel_compute_relabel_context(newrole_t) kernel_compute_reachable_user_contexts(newrole_t) dev_read_urand(newrole_t) fs_getattr_xattr_fs(newrole_t) term_use_all_user_ttys(newrole_t) term_use_all_user_ptys(newrole_t) auth_domtrans_chk_passwd(newrole_t) domain_use_wide_inherit_fd(newrole_t) # Write to utmp. init_rw_script_pid(newrole_t) files_read_generic_etc_files(newrole_t) libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) userdom_use_unpriv_users_fd(newrole_t) ifdef(`TODO',` can_ypbind(newrole) ifdef(`automount.te', ` allow newrole_t autofs_t:dir { search getattr }; ') # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; # Execute /sbin/pwdb_chkpwd to check the password. allow newrole_t sbin_t:dir r_dir_perms; # Execute shells allow newrole_t bin_t:dir r_dir_perms; allow newrole_t bin_t:lnk_file read; # Allow newrole_t to transition to user domains. bool secure_mode false; domain_trans(newrole_t, shell_exec_t, unpriv_userdomain) if(!secure_mode) { # if we are not in secure mode then we can transition to sysadm_t domain_trans(newrole_t, shell_exec_t, sysadm_t) } # Read /var. allow newrole_t var_t:dir r_dir_perms; allow newrole_t var_t:notdevfile_class_set r_file_perms; # Relabel terminals. allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') # for some PAM modules and for cwd dontaudit newrole_t { home_root_t home_type }:dir search; ') dnl ifdef TODO ######################################## # # Restorecon local policy # allow restorecon_t self:capability { dac_override dac_read_search fowner }; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_use_fd(restorecon_t) kernel_read_system_state(restorecon_t) kernel_get_selinuxfs_mount_point(restorecon_t) kernel_validate_context(restorecon_t) kernel_compute_access_vector(restorecon_t) kernel_compute_create_context(restorecon_t) kernel_compute_relabel_context(restorecon_t) kernel_compute_reachable_user_contexts(restorecon_t) fs_getattr_xattr_fs(restorecon_t) term_use_unallocated_tty(restorecon_t) init_use_fd(restorecon_t) init_use_script_pty(restorecon_t) domain_use_wide_inherit_fd(restorecon_t) files_read_etc_runtime_files(restorecon_t) files_read_generic_etc_files(restorecon_t) libs_use_ld_so(restorecon_t) libs_use_shared_libs(restorecon_t) logging_send_syslog_msg(restorecon_t) userdom_use_all_user_fd(restorecon_t) optional_policy(`hotplug.te',` hotplug_use_fd(restorecon_t) ') # relabeling rules kernel_relabel_unlabeled(restorecon_t) dev_relabel_all_dev_nodes(restorecon_t) files_relabel_all_files(restorecon_t) files_list_all_dirs(restorecon_t) # this is to satisfy the assertion: auth_relabelto_shadow(restorecon_t) ifdef(`distro_redhat', ` fs_use_tmpfs_character_devices(restorecon_t) fs_use_tmpfs_block_devices(restorecon_t) fs_relabel_tmpfs_block_devices(restorecon_t) fs_relabel_tmpfs_character_devices(restorecon_t) ') ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t device_t:file { read write }; allow restorecon_t kernel_t:fifo_file { read write }; ') dnl endif TODO ################################# # # Run_init local policy # kernel_get_selinuxfs_mount_point(run_init_t) kernel_validate_context(run_init_t) kernel_compute_access_vector(run_init_t) kernel_compute_create_context(run_init_t) kernel_compute_relabel_context(run_init_t) kernel_compute_reachable_user_contexts(run_init_t) ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; fs_getattr_xattr_fs(run_init_t) dev_dontaudit_list_all_dev_nodes(run_init_t) term_dontaudit_list_ptys(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) domain_use_wide_inherit_fd(run_init_t) files_read_generic_etc_files(run_init_t) files_dontaudit_search_all_dirs(run_init_t) init_domtrans_script(run_init_t) # for utmp init_rw_script_pid(run_init_t) libs_use_ld_so(run_init_t) libs_use_shared_libs(run_init_t) selinux_read_config(run_init_t) selinux_read_default_contexts(run_init_t) miscfiles_read_localization(run_init_t) logging_send_syslog_msg(run_init_t) ') dnl end ifdef targeted policy ifdef(`TODO',` ifdef(`distro_gentoo', ` # Gentoo integrated run_init+open_init_pty-runscript: domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) domain_entry_file(run_init_t,initrc_exec_t) ') ') dnl end TODO ######################################## # # Setfiles local policy # allow setfiles_t self:capability { dac_override dac_read_search fowner }; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(setfiles_t) kernel_get_selinuxfs_mount_point(setfiles_t) kernel_validate_context(setfiles_t) kernel_compute_access_vector(setfiles_t) kernel_compute_create_context(setfiles_t) kernel_compute_relabel_context(setfiles_t) kernel_compute_reachable_user_contexts(setfiles_t) fs_getattr_xattr_fs(setfiles_t) term_use_all_user_ttys(setfiles_t) term_use_all_user_ptys(setfiles_t) term_use_unallocated_tty(setfiles_t) init_use_fd(setfiles_t) init_use_script_fd(setfiles_t) init_use_script_pty(setfiles_t) domain_use_wide_inherit_fd(setfiles_t) libs_use_ld_so(setfiles_t) libs_use_shared_libs(setfiles_t) files_read_etc_runtime_files(setfiles_t) files_read_generic_etc_files(setfiles_t) logging_send_syslog_msg(setfiles_t) miscfiles_read_localization(setfiles_t) userdom_use_all_user_fd(setfiles_t) # for config files in a home directory userdom_read_all_user_data(setfiles_t) # relabeling rules kernel_relabel_unlabeled(setfiles_t) dev_relabel_all_dev_nodes(setfiles_t) files_list_all_dirs(setfiles_t) files_relabel_all_files(setfiles_t) # this is to satisfy the assertion: auth_relabelto_shadow(setfiles_t) ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; allow setfiles_t unlabeled_t:dir read; allow setfiles_t fs_type:dir r_dir_perms; ') dnl endif TODO