# Copyright (C) 2005 Tresys Technology, LLC
policy_module(kernel,1.0)

########################################
#
# Attributes
#

# Attributes backing the neverallow assertions at the end of this
# module.  A domain may only perform the named privileged operation
# if it carries the matching attribute; the assertions make the
# policy fail to build otherwise.
attribute can_load_policy;              # security { load_policy }
attribute can_setenforce;               # security { setenforce }
attribute can_setsecparam;              # security { setsecparam }
attribute can_load_kernmodule;          # capability { sys_module }
attribute can_receive_kernel_messages;  # anything but getattr on proc_kmsg_t

# Attributes presumably referenced by constraints defined outside
# this module; they gate changes of identity and role on processes
# and of identity on objects.
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
########################################
#
# kernel_t: the domain of kernel threads.  It is also the target type
# for permission checks in the system class.
#
# kernel_t carries can_load_policy and can_load_kernmodule, so the
# assertions below let it (and only attributed domains) load policy
# and kernel modules.
#
type kernel_t, can_load_policy, can_load_kernmodule;
role system_r types kernel_t;
domain_make_domain(kernel_t)

########################################
#
# unlabeled_t: objects with no known labeling information, or whose
# stored label is no longer valid, are treated as having this type.
#
type unlabeled_t;
########################################
#
# security_t: the target type for permission checks in the security
# class (load_policy, setenforce, setsecparam, ...).  It is also the
# label applied to selinuxfs inodes, so write access to security_t
# files is what lets a domain feed policy to the kernel.
#
type security_t;
filesystem_make_filesystem(security_t)
genfscon selinuxfs / system_u:object_r:security_t

########################################
#
# sysfs_t: label for /sys.
#
type sysfs_t;
filesystem_make_filesystem(sysfs_t)
files_make_mountpoint(sysfs_t)
genfscon sysfs / system_u:object_r:sysfs_t
########################################
#
# usbfs_t: label for /proc/bus/usb.  The filesystem is registered
# under both the usbfs and usbdevfs names, hence two genfscon entries
# and the usbdevfs_t alias.
#
type usbfs_t alias usbdevfs_t;
filesystem_make_filesystem(usbfs_t)
files_make_mountpoint(usbfs_t)
genfscon usbdevfs / system_u:object_r:usbfs_t
genfscon usbfs / system_u:object_r:usbfs_t

########################################
#
# Procfs types
#

# Default label for /proc; the more specific genfscon entries below
# take precedence for their own subtrees.
type proc_t;
filesystem_make_filesystem(proc_t)
files_make_mountpoint(proc_t)
genfscon proc / system_u:object_r:proc_t
genfscon proc /sysvipc system_u:object_r:proc_t

# /proc/kmsg, the kernel message interface.  Any access other than
# getattr (read included) requires can_receive_kernel_messages, so
# kernel messages cannot leak to arbitrary domains.
type proc_kmsg_t;
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;

# /proc/kcore is kept inaccessible: no domain, kernel_t included,
# may do anything but getattr on it.
type proc_kcore_t;
genfscon proc /kcore system_u:object_r:proc_kcore_t
neverallow * proc_kcore_t:file ~getattr;

# /proc/mdstat
type proc_mdstat_t;
genfscon proc /mdstat system_u:object_r:proc_mdstat_t

# /proc/net; /proc/net/rpc is given its own sysctl type further down.
type proc_net_t;
genfscon proc /net system_u:object_r:proc_net_t
########################################
#
# Sysctl types
#
# Each area of /proc/sys (plus /proc/irq and /proc/net/rpc) gets its
# own type so that write access to kernel tunables can be granted per
# area rather than to all of /proc/sys at once.
#

# /proc/irq directory and files
type sysctl_irq_t;
genfscon proc /irq system_u:object_r:sysctl_irq_t

# /proc/net/rpc directory and files (more specific than proc_net_t)
type sysctl_rpc_t;
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t

# /proc/sys itself, the base directory of the sysctls
type sysctl_t;
genfscon proc /sys system_u:object_r:sysctl_t

# /proc/sys/fs directory and files
type sysctl_fs_t;
files_make_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs system_u:object_r:sysctl_fs_t

# /proc/sys/kernel directory and files
type sysctl_kernel_t;
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t

# /proc/sys/kernel/modprobe and /proc/sys/kernel/hotplug name the
# user-mode helper programs the kernel runs (see the modprobe note in
# the kernel local policy).  They are typed separately from the rest
# of /proc/sys/kernel because a domain that can write them chooses
# what the kernel executes; grant write on these types with care.
type sysctl_modprobe_t;
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t

type sysctl_hotplug_t;
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t

# /proc/sys/net directory and files
type sysctl_net_t;
genfscon proc /sys/net system_u:object_r:sysctl_net_t

# /proc/sys/net/unix directory and files
type sysctl_net_unix_t;
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t

# /proc/sys/vm directory and files
type sysctl_vm_t;
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t

# /proc/sys/dev directory and files
type sysctl_dev_t;
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
########################################
#
# kernel local policy
#

# kernel_t is granted every capability.  This is broader than
# required (the set actually used has not been investigated) and it
# is also what any helper program executed by kernel_t keeps if no
# domain transition applies to it, so tightening this to the
# capabilities really needed is worthwhile.
allow kernel_t self:capability *;

# Mount the root filesystem over an unlabeled directory; other
# possible mount points for the root fs are declared in files.
allow kernel_t unlabeled_t:dir mounton;

# SysV IPC, unix sockets and fifos on kernel_t's own objects
# (formerly general_domain_access()).
allow kernel_t self:shm { create destroy associate getattr setattr read write lock unix_read unix_write };
allow kernel_t self:sem { create destroy associate getattr setattr read write unix_read unix_write };
allow kernel_t self:msg { send receive };
allow kernel_t self:msgq { create destroy associate getattr setattr read write enqueue unix_read unix_write };
allow kernel_t self:unix_dgram_socket { create ioctl read write getattr setattr append bind connect getopt setopt shutdown sendto };
allow kernel_t self:unix_stream_socket { create ioctl read write getattr setattr append bind connect getopt setopt shutdown listen accept connectto };
allow kernel_t self:fifo_file { read write append getattr lock ioctl };
allow kernel_t self:fd use;
# Read access to /proc (formerly general_proc_read_access()).  Note
# the deliberate asymmetry: kmsg and kcore are getattr-only, which is
# all the neverallow assertions on proc_kmsg_t and proc_kcore_t
# permit for a domain without can_receive_kernel_messages.
allow kernel_t proc_t:dir { read getattr search };
allow kernel_t proc_t:{ file lnk_file } { read getattr };
allow kernel_t proc_net_t:dir { read getattr search };
allow kernel_t proc_net_t:file { read getattr };
allow kernel_t proc_mdstat_t:file { read getattr };
allow kernel_t { proc_kcore_t proc_kmsg_t }:file getattr;
allow kernel_t sysctl_t:dir { read getattr search };
allow kernel_t sysctl_kernel_t:dir { read getattr search };
allow kernel_t sysctl_kernel_t:file { read getattr };
# Basic file read access (formerly base_file_read_access()).
files_list_home_directories(kernel_t)
files_read_general_application_resources(kernel_t)
selinux_read_config(kernel_t)

# Initial policy load: kernel_t reads the binary policy and needs
# write access to selinuxfs (security_t) plus load_policy.  The
# auditallow means every policy load performed from the kernel
# domain produces an audit record, which is wanted: it should only
# happen at boot.
selinux_read_binary_policy(kernel_t)
allow kernel_t security_t:dir { getattr search read };
allow kernel_t security_t:file { getattr read write };
allow kernel_t security_t:security load_policy;
auditallow kernel_t security_t:security load_policy;
# Running user-mode helpers from the kernel: dynamic loader, shared
# libraries (this interface grants execute on the libraries, which is
# more than merely reading them) and a shell.
libraries_use_dynamic_loader(kernel_t)
libraries_use_shared_libraries(kernel_t)
corecommands_execute_shell(kernel_t)

terminal_use_console(kernel_t)
domain_signal_all_domains(kernel_t)

# Mount the root filesystem.  Used when policy is loaded from an
# initrd and the real root filesystem is mounted afterwards.
filesystem_mount_all_filesystems(kernel_t)

# /proc/sys/kernel/modprobe is set to /bin/true when modules are not
# in use, and the kernel must still be able to execute it.  Any
# program reached this way runs in kernel_t, with the full capability
# set granted above, unless a domain transition is defined for it
# elsewhere.
corecommands_execute_general_programs(kernel_t)

logging_send_system_log_message(kernel_t)

# Kernel-generated network traffic: raw sockets for ICMP replies,
# tcp for TCP resets.
corenetwork_network_raw_on_all_interfaces(kernel_t)
corenetwork_network_raw_on_all_nodes(kernel_t)
corenetwork_network_tcp_on_all_interfaces(kernel_t)
corenetwork_network_tcp_on_all_nodes(kernel_t)
########################################
#
# Assertions.  Each of these makes the policy fail to build if any
# rule, in any module, grants the permission to a domain lacking the
# matching attribute; this is what gives the attributes declared at
# the top of this module their meaning.
#

# Replacing the loaded policy, switching the enforcing mode and
# altering security parameters are restricted to attributed domains.
neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam;

# Loading kernel modules (CAP_SYS_MODULE) is restricted likewise.
neverallow ~can_load_kernmodule *:capability sys_module;

# No domain may change its own context in place.  setcurrent and
# dyntransition break process tranquility: a running process's label
# would change while it holds resources checked under the old label.
# If you do not understand the implications of a dynamic transition,
# you should not be enabling it.
neverallow * *:process { setcurrent dyntransition };