623e4f0885
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() : Inspired by similar implementation in Fedora. Wine and vbetool do not always actually need the ability to mmap a low area of the address space. In some cases this can be silently denied. Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean. Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space. Rename domain_mmap_low interface to domain_mmap_low_uncond. Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability. Signed-off-by: Dominick Grift <domg472@gmail.com>
163 lines
4.6 KiB
Plaintext
163 lines
4.6 KiB
Plaintext
policy_module(domain, 1.8.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Control the ability to mmap a low area of the address space,
|
|
## as configured by /proc/sys/kernel/mmap_min_addr.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(mmap_low_allowed, false)
|
|
|
|
# Mark process types as domains
|
|
attribute domain;
|
|
|
|
# Transitions only allowed from domains to other domains
|
|
neverallow domain ~domain:process { transition dyntransition };
|
|
|
|
# Domains that are unconfined
|
|
attribute unconfined_domain_type;
|
|
|
|
# Domains that can mmap low memory.
|
|
attribute mmap_low_domain_type;
|
|
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
|
|
|
|
# Domains that can set their current context
|
|
# (perform dynamic transitions)
|
|
attribute set_curr_context;
|
|
|
|
# enabling setcurrent breaks process tranquility. If you do not
|
|
# know what this means or do not understand the implications of a
|
|
# dynamic transition, you should not be using it!!!
|
|
neverallow { domain -set_curr_context } self:process setcurrent;
|
|
|
|
# entrypoint executables
|
|
attribute entry_type;
|
|
|
|
# widely-inheritable file descriptors
|
|
attribute privfd;
|
|
|
|
#
|
|
# constraint related attributes
|
|
#
|
|
|
|
# [1] types that can change SELinux identity on transition
|
|
attribute can_change_process_identity;
|
|
|
|
# [2] types that can change SELinux role on transition
|
|
attribute can_change_process_role;
|
|
|
|
# [3] types that can change the SELinux identity on a filesystem
|
|
# object or a socket object on a create or relabel
|
|
attribute can_change_object_identity;
|
|
|
|
# [3] types that can change to system_u:system_r
|
|
attribute can_system_change;
|
|
|
|
# [4] types that have attribute 1 can change the SELinux
|
|
# identity only if the target domain has this attribute.
|
|
# Types that have attribute 2 can change the SELinux role
|
|
# only if the target domain has this attribute.
|
|
attribute process_user_target;
|
|
|
|
# For cron jobs
|
|
# [5] types used for cron daemons
|
|
attribute cron_source_domain;
|
|
# [6] types used for cron jobs
|
|
attribute cron_job_domain;
|
|
|
|
# [7] types that are unconditionally exempt from
|
|
# SELinux identity and role change constraints
|
|
attribute process_uncond_exempt; # add userhelperdomain to this one
|
|
|
|
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
|
|
neverallow ~{ domain unlabeled_t } *:process *;
|
|
|
|
########################################
|
|
#
|
|
# Rules applied to all domains
|
|
#
|
|
|
|
# read /proc/(pid|self) entries
|
|
allow domain self:dir list_dir_perms;
|
|
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
|
|
allow domain self:file rw_file_perms;
|
|
kernel_read_proc_symlinks(domain)
|
|
# Every domain gets the key ring, so we should default
|
|
# to no one allowed to look at it; afs kernel support creates
|
|
# a keyring
|
|
kernel_dontaudit_search_key(domain)
|
|
kernel_dontaudit_link_key(domain)
|
|
|
|
# create child processes in the domain
|
|
allow domain self:process { fork sigchld };
|
|
|
|
# Use trusted objects in /dev
|
|
dev_rw_null(domain)
|
|
dev_rw_zero(domain)
|
|
term_use_controlling_term(domain)
|
|
|
|
# list the root directory
|
|
files_list_root(domain)
|
|
|
|
tunable_policy(`global_ssp',`
|
|
# enable reading of urandom for all domains:
|
|
# this should be enabled when all programs
|
|
# are compiled with ProPolice/SSP
|
|
# stack smashing protection.
|
|
dev_read_urand(domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
libs_use_ld_so(domain)
|
|
libs_use_shared_libs(domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
setrans_translate_context(domain)
|
|
')
|
|
|
|
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
|
|
optional_policy(`
|
|
xserver_dontaudit_use_xdm_fds(domain)
|
|
xserver_dontaudit_rw_xdm_pipes(domain)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Unconfined access to this module
|
|
#
|
|
|
|
# unconfined access also allows constraints, but this
|
|
# is handled in the interface as typeattribute cannot
|
|
# be used on an attribute.
|
|
|
|
# Use/sendto/connectto sockets created by any domain.
|
|
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
|
|
|
# Use descriptors and pipes created by any domain.
|
|
allow unconfined_domain_type domain:fd use;
|
|
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
|
|
|
# Act upon any other process.
|
|
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
|
|
|
# Create/access any System V IPC objects.
|
|
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
|
allow unconfined_domain_type domain:msg { send receive };
|
|
|
|
# For /proc/pid
|
|
allow unconfined_domain_type domain:dir list_dir_perms;
|
|
allow unconfined_domain_type domain:file rw_file_perms;
|
|
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
|
|
|
# act on all domains keys
|
|
allow unconfined_domain_type domain:key *;
|
|
|
|
# receive from all domains over labeled networking
|
|
domain_all_recvfrom_all_domains(unconfined_domain_type)
|