selinux-policy/refpolicy/policy/modules/kernel/kernel.te
2005-09-26 20:26:32 +00:00

237 lines
7.4 KiB
Plaintext

policy_module(kernel,1.0)
########################################
#
# Declarations
#
# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
neverallow ~can_load_kernmodule self:capability sys_module;
# domains with unconfined access to kernel resources
attribute kern_unconfined;
# regular entries in proc
attribute proc_type;
# sysctls
attribute sysctl_type;
#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
role system_r types kernel_t;
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
#
# DebugFS
#
type debugfs_t;
fs_type(debugfs_t)
allow debugfs_t self:filesystem associate;
genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)
#
# Procfs types
#
type proc_t, proc_type;
files_mountpoint(proc_t)
fs_type(proc_t)
genfscon proc / context_template(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
# kernel message interface
type proc_kmsg_t, proc_type;
genfscon proc /kmsg context_template(system_u:object_r:proc_kmsg_t,s0)
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
# /proc kcore: inaccessible
type proc_kcore_t, proc_type;
neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
genfscon proc /kcore context_template(system_u:object_r:proc_kcore_t,s0)
type proc_mdstat_t, proc_type;
genfscon proc /mdstat context_template(system_u:object_r:proc_mdstat_t,s0)
type proc_net_t, proc_type;
genfscon proc /net context_template(system_u:object_r:proc_net_t,s0)
#
# Sysctl types
#
# /proc/sys directory, base directory of sysctls
type sysctl_t, sysctl_type;
files_mountpoint(sysctl_t)
sid sysctl context_template(system_u:object_r:sysctl_t,s0)
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
# /proc/irq directory and files
type sysctl_irq_t, sysctl_type;
genfscon proc /irq context_template(system_u:object_r:sysctl_irq_t,s0)
# /proc/net/rpc directory and files
type sysctl_rpc_t, sysctl_type;
genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
# /proc/sys/fs directory and files
type sysctl_fs_t, sysctl_type;
files_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
# /proc/sys/kernel directory and files
type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel context_template(system_u:object_r:sysctl_kernel_t,s0)
# /proc/sys/kernel/modprobe file
type sysctl_modprobe_t, sysctl_type;
genfscon proc /sys/kernel/modprobe context_template(system_u:object_r:sysctl_modprobe_t,s0)
# /proc/sys/kernel/hotplug file
type sysctl_hotplug_t, sysctl_type;
genfscon proc /sys/kernel/hotplug context_template(system_u:object_r:sysctl_hotplug_t,s0)
# /proc/sys/net directory and files
type sysctl_net_t, sysctl_type;
genfscon proc /sys/net context_template(system_u:object_r:sysctl_net_t,s0)
# /proc/sys/net/unix directory and files
type sysctl_net_unix_t, sysctl_type;
genfscon proc /sys/net/unix context_template(system_u:object_r:sysctl_net_unix_t,s0)
# /proc/sys/vm directory and files
type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
#
# unlabeled_t is the type of unlabeled objects.
# Objects that have no known labeling information or that
# have labels that are no longer valid are treated as having this type.
#
type unlabeled_t;
sid unlabeled context_template(system_u:object_r:unlabeled_t,s0)
# These initial sids are no longer used, and can be removed:
sid any_socket context_template(system_u:object_r:unlabeled_t,s0)
sid file_labels context_template(system_u:object_r:unlabeled_t,s0)
sid icmp_socket context_template(system_u:object_r:unlabeled_t,s0)
sid igmp_packet context_template(system_u:object_r:unlabeled_t,s0)
sid init context_template(system_u:object_r:unlabeled_t,s0)
sid kmod context_template(system_u:object_r:unlabeled_t,s0)
sid netmsg context_template(system_u:object_r:unlabeled_t,s0)
sid policy context_template(system_u:object_r:unlabeled_t,s0)
sid scmp_packet context_template(system_u:object_r:unlabeled_t,s0)
sid sysctl_modprobe context_template(system_u:object_r:unlabeled_t,s0)
sid sysctl_fs context_template(system_u:object_r:unlabeled_t,s0)
sid sysctl_kernel context_template(system_u:object_r:unlabeled_t,s0)
sid sysctl_net context_template(system_u:object_r:unlabeled_t,s0)
sid sysctl_net_unix context_template(system_u:object_r:unlabeled_t,s0)
sid sysctl_vm context_template(system_u:object_r:unlabeled_t,s0)
sid sysctl_dev context_template(system_u:object_r:unlabeled_t,s0)
sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0)
########################################
#
# kernel local policy
#
# Use capabilities. need to investigate which capabilities are actually used
allow kernel_t self:capability *;
# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;
# old general_domain_access()
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
allow kernel_t self:msg { send receive };
allow kernel_t self:msgq create_msgq_perms;
allow kernel_t self:unix_dgram_socket create_socket_perms;
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_file_perms;
allow kernel_t self:fd use;
# old general_proc_read_access():
allow kernel_t proc_t:dir r_dir_perms;
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
allow kernel_t proc_net_t:dir r_dir_perms;
allow kernel_t proc_net_t:file r_file_perms;
allow kernel_t proc_mdstat_t:file r_file_perms;
allow kernel_t proc_kcore_t:file getattr;
allow kernel_t proc_kmsg_t:file getattr;
allow kernel_t sysctl_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:file r_file_perms;
# cjp: this seems questionable
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
# Kernel-generated traffic e.g., TCP resets:
corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
term_use_console(kernel_t)
corecmd_exec_shell(kernel_t)
corecmd_list_sbin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecmd_exec_bin(kernel_t)
domain_signal_all_domains(kernel_t)
domain_search_all_domains_state(kernel_t)
files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
ifdef(`TODO',`
ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
')
ifdef(`mls_policy', `
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s9:c0.c127;
')
') dnl end TODO
########################################
#
# Unlabeled process local policy
#
ifdef(`targeted_policy',`
allow unlabeled_t self:filesystem associate;
')