selinux-policy/policy/modules/kernel/domain.if
Dominick Grift 623e4f0885 1/1] Make the ability to mmap zero conditional where this is fapplicable.
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00

1476 lines
29 KiB
Plaintext

## <summary>Core policy for domains.</summary>
## <required val="true">
## Contains the concept of a domain.
## </required>
########################################
## <summary>
## Make the specified type usable as a basic domain.
## </summary>
## <desc>
## <p>
## Make the specified type usable as a basic domain.
## </p>
## <p>
## This is primarily used for kernel threads;
## generally the domain_type() interface is
## more appropriate for userland processes.
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be used as a basic domain type.
## </summary>
## </param>
#
interface(`domain_base_type',`
gen_require(`
attribute domain;
')
typeattribute $1 domain;
')
########################################
## <summary>
## Make the specified type usable as a domain.
## </summary>
## <desc>
## <p>
## Make the specified type usable as a domain. This,
## or an interface that calls this interface, must be
## used on all types that are used as domains.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>application_domain()</li>
## <li>init_daemon_domain()</li>
## <li>init_domaion()</li>
## <li>init_ranged_daemon_domain()</li>
## <li>init_ranged_domain()</li>
## <li>init_ranged_system_domain()</li>
## <li>init_script_domain()</li>
## <li>init_system_domain()</li>
## </ul>
## <p>
## Example:
## </p>
## <p>
## type mydomain_t;
## domain_type(mydomain_t)
## type myfile_t;
## files_type(myfile_t)
## allow mydomain_t myfile_t:file read_file_perms;
## </p>
## </desc>
## <param name="type">
## <summary>
## Type to be used as a domain type.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`domain_type',`
# start with basic domain
domain_base_type($1)
ifdef(`distro_redhat',`
optional_policy(`
unconfined_use_fds($1)
')
')
# send init a sigchld and signull
optional_policy(`
init_sigchld($1)
init_signull($1)
')
# these seem questionable:
optional_policy(`
rpm_use_fds($1)
rpm_read_pipes($1)
')
optional_policy(`
selinux_dontaudit_getattr_fs($1)
selinux_dontaudit_read_fs($1)
')
optional_policy(`
seutil_dontaudit_read_config($1)
')
')
########################################
## <summary>
## Make the specified type usable as
## an entry point for the domain.
## </summary>
## <param name="domain">
## <summary>
## Domain to be entered.
## </summary>
## </param>
## <param name="type">
## <summary>
## Type of program used for entering
## the domain.
## </summary>
## </param>
#
interface(`domain_entry_file',`
gen_require(`
attribute entry_type;
')
allow $1 $2:file entrypoint;
allow $1 $2:file { mmap_file_perms ioctl lock };
typeattribute $2 entry_type;
corecmd_executable_file($2)
')
########################################
## <summary>
## Make the file descriptors of the specified
## domain for interactive use (widely inheritable)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_interactive_fd',`
gen_require(`
attribute privfd;
')
typeattribute $1 privfd;
')
########################################
## <summary>
## Allow the specified domain to perform
## dynamic transitions.
## </summary>
## <desc>
## <p>
## Allow the specified domain to perform
## dynamic transitions.
## </p>
## <p>
## This violates process tranquility, and it
## is strongly suggested that this not be used.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_dyntrans_type',`
gen_require(`
attribute set_curr_context;
')
typeattribute $1 set_curr_context;
')
########################################
## <summary>
## Makes caller and execption to the constraint
## preventing changing to the system user
## identity and system role.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_system_change_exemption',`
gen_require(`
attribute can_system_change;
')
typeattribute $1 can_system_change;
')
########################################
## <summary>
## Makes caller an exception to the constraint preventing
## changing of user identity.
## </summary>
## <param name="domain">
## <summary>
## The process type to make an exception to the constraint.
## </summary>
## </param>
#
interface(`domain_subj_id_change_exemption',`
gen_require(`
attribute can_change_process_identity;
')
typeattribute $1 can_change_process_identity;
')
########################################
## <summary>
## Makes caller an exception to the constraint preventing
## changing of role.
## </summary>
## <param name="domain">
## <summary>
## The process type to make an exception to the constraint.
## </summary>
## </param>
#
interface(`domain_role_change_exemption',`
gen_require(`
attribute can_change_process_role;
')
typeattribute $1 can_change_process_role;
')
########################################
## <summary>
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
## </summary>
## <param name="domain">
## <summary>
## The process type to make an exception to the constraint.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_obj_id_change_exemption',`
gen_require(`
attribute can_change_object_identity;
')
typeattribute $1 can_change_object_identity;
')
########################################
## <summary>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the user domains from the base module.
## It should not be used other than on
## user domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`domain_user_exemption_target',`
gen_require(`
attribute process_user_target;
')
typeattribute $1 process_user_target;
')
########################################
## <summary>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## cron domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`domain_cron_exemption_source',`
gen_require(`
attribute cron_source_domain;
')
typeattribute $1 cron_source_domain;
')
########################################
## <summary>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </summary>
## <desc>
## <p>
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
## </p>
## <p>
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## user cron jobs.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain target for user exemption.
## </summary>
## </param>
#
interface(`domain_cron_exemption_target',`
gen_require(`
attribute cron_job_domain;
')
typeattribute $1 cron_job_domain;
')
########################################
## <summary>
## Inherit and use file descriptors from
## domains with interactive programs.
## </summary>
## <desc>
## <p>
## Allow the specified domain to inherit and use file
## descriptors from domains with interactive programs.
## This does not allow access to the objects being referenced
## by the file descriptors.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="1"/>
#
interface(`domain_use_interactive_fds',`
gen_require(`
attribute privfd;
')
allow $1 privfd:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit file
## descriptors from domains with interactive
## programs.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_use_interactive_fds',`
gen_require(`
attribute privfd;
')
dontaudit $1 privfd:fd use;
')
########################################
## <summary>
## Send a SIGCHLD signal to domains whose file
## discriptors are widely inheritable.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: this was added because of newrole
interface(`domain_sigchld_interactive_fds',`
gen_require(`
attribute privfd;
')
allow $1 privfd:process sigchld;
')
########################################
## <summary>
## Set the nice level of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_setpriority_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process setsched;
')
########################################
## <summary>
## Send general signals to all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_signal_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process signal;
')
########################################
## <summary>
## Send a null signal to all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_signull_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process signull;
')
########################################
## <summary>
## Send a stop signal to all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_sigstop_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process sigstop;
')
########################################
## <summary>
## Send a child terminated signal to all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_sigchld_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process sigchld;
')
########################################
## <summary>
## Send a kill signal to all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_kill_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process sigkill;
allow $1 self:capability kill;
')
########################################
## <summary>
## Search the process state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_search_all_domains_state',`
gen_require(`
attribute domain;
')
kernel_search_proc($1)
allow $1 domain:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search the process
## state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_search_all_domains_state',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir search_dir_perms;
')
########################################
## <summary>
## Read the process state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_read_all_domains_state',`
gen_require(`
attribute domain;
')
kernel_search_proc($1)
allow $1 domain:dir list_dir_perms;
read_files_pattern($1, domain, domain)
read_lnk_files_pattern($1, domain, domain)
')
########################################
## <summary>
## Get the attributes of all domains of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_getattr_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process getattr;
')
########################################
## <summary>
## Get the attributes of all domains of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_domains',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:process getattr;
')
########################################
## <summary>
## Read the process state (/proc/pid) of all confined domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_read_confined_domains_state',`
gen_require(`
attribute domain, unconfined_domain_type;
')
kernel_search_proc($1)
allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
dontaudit $1 unconfined_domain_type:file read_file_perms;
dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Get the attributes of all confined domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_getattr_confined_domains',`
gen_require(`
attribute domain, unconfined_domain_type;
')
allow $1 { domain -unconfined_domain_type }:process getattr;
')
########################################
## <summary>
## Ptrace all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_ptrace_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process ptrace;
allow domain $1:process sigchld;
')
########################################
## <summary>
## Do not audit attempts to ptrace all domains.
## </summary>
## <desc>
## <p>
## Do not audit attempts to ptrace all domains.
## </p>
## <p>
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_ptrace_all_domains',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:process ptrace;
')
########################################
## <summary>
## Do not audit attempts to ptrace confined domains.
## </summary>
## <desc>
## <p>
## Do not audit attempts to ptrace confined domains.
## </p>
## <p>
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_ptrace_confined_domains',`
gen_require(`
attribute domain, unconfined_domain_type;
')
dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
')
########################################
## <summary>
## Do not audit attempts to read the process
## state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_read_all_domains_state',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_lnk_file_perms;
dontaudit $1 domain:file read_file_perms;
# cjp: these should be removed:
dontaudit $1 domain:sock_file read_sock_file_perms;
dontaudit $1 domain:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read the process state
## directories of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_list_all_domains_state',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir list_dir_perms;
')
########################################
## <summary>
## Get the session ID of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getsession_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process getsession;
')
########################################
## <summary>
## Do not audit attempts to get the
## session ID of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getsession_all_domains',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:process getsession;
')
########################################
## <summary>
## Get the process group ID of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getpgid_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process getpgid;
')
########################################
## <summary>
## Get the scheduler information of all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getsched_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:process getsched;
')
########################################
## <summary>
## Get the attributes of all domains
## sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Get the attributes of all domains
## sockets, for all socket types.
## </p>
## <p>
## This is commonly used for domains
## that can use lsof on all domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getattr_all_sockets',`
gen_require(`
attribute domain;
')
allow $1 domain:socket_class_set getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </p>
## <p>
## This interface was added for PCMCIA cardmgr
## and is probably excessive.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:socket_class_set getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:tcp_socket getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_udp_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:udp_socket getattr;
')
########################################
## <summary>
## Do not audit attempts to read or write
## all domains UDP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_rw_all_udp_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:udp_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to get attribues of
## all domains IPSEC key management sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_key_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:key_socket getattr;
')
########################################
## <summary>
## Do not audit attempts to get attribues of
## all domains packet sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_packet_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:packet_socket getattr;
')
########################################
## <summary>
## Do not audit attempts to get attribues of
## all domains raw sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_raw_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:rawip_socket getattr;
')
########################################
## <summary>
## Do not audit attempts to read or write
## all domains key sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_rw_all_key_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:key_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_dgram_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:unix_dgram_socket getattr;
')
########################################
## <summary>
## Get the attributes
## of all domains unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getattr_all_stream_sockets',`
gen_require(`
attribute domain;
')
allow $1 domain:unix_stream_socket getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_stream_sockets',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:unix_stream_socket getattr;
')
########################################
## <summary>
## Get the attributes of all domains
## unnamed pipes.
## </summary>
## <desc>
## <p>
## Get the attributes of all domains
## unnamed pipes.
## </p>
## <p>
## This is commonly used for domains
## that can use lsof on all domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getattr_all_pipes',`
gen_require(`
attribute domain;
')
allow $1 domain:fifo_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_pipes',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:fifo_file getattr;
')
########################################
## <summary>
## Allow specified type to set context of all
## domains IPSEC associations.
## </summary>
## <param name="type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_ipsec_setcontext_all_domains',`
gen_require(`
attribute domain;
')
allow $1 domain:association setcontext;
')
########################################
## <summary>
## Get the attributes of entry point
## files for all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getattr_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file getattr;
')
########################################
## <summary>
## Read the entry point files for all domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_read_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file read_file_perms;
')
########################################
## <summary>
## Execute the entry point files for all
## domains in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_exec_all_entry_files',`
gen_require(`
attribute entry_type;
')
can_exec($1, entry_type)
')
########################################
## <summary>
## dontaudit checking for execute on all entry point files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_exec_all_entry_files',`
gen_require(`
attribute entry_type;
')
dontaudit $1 entry_type:file exec_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete all
## entrypoint files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for prelink
interface(`domain_manage_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file manage_file_perms;
')
########################################
## <summary>
## Relabel to and from all entry point
## file types.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for prelink
interface(`domain_relabel_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file relabel_file_perms;
')
########################################
## <summary>
## Mmap all entry point files as executable.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for prelink
interface(`domain_mmap_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file mmap_file_perms;
')
########################################
## <summary>
## Execute an entry_type in the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the new process.
## </summary>
## </param>
#
# cjp: added for userhelper
interface(`domain_entry_file_spec_domtrans',`
gen_require(`
attribute entry_type;
')
domain_transition_pattern($1, entry_type, $2)
')
########################################
## <summary>
## Ability to mmap a low area of the address
## space conditionally, as configured by
## /proc/sys/kernel/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_mmap_low',`
gen_require(`
attribute mmap_low_domain_type;
bool mmap_low_allowed;
')
typeattribute $1 mmap_low_domain_type;
if ( mmap_low_allowed ) {
allow $1 self:memprotect mmap_zero;
}
')
########################################
## <summary>
## Ability to mmap a low area of the address
## space unconditionally, as configured
## by /proc/sys/kernel/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_mmap_low_uncond',`
gen_require(`
attribute mmap_low_domain_type;
')
typeattribute $1 mmap_low_domain_type;
allow $1 self:memprotect mmap_zero;
')
########################################
## <summary>
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
## </summary>
## <param name="type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_all_recvfrom_all_domains',`
gen_require(`
attribute domain;
')
corenet_all_recvfrom_labeled($1, domain)
')
########################################
## <summary>
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_unconfined_signal',`
gen_require(`
attribute unconfined_domain_type;
')
allow $1 unconfined_domain_type:process signal;
')
########################################
## <summary>
## Unconfined access to domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_unconfined',`
gen_require(`
attribute set_curr_context;
attribute can_change_object_identity;
attribute unconfined_domain_type;
attribute process_uncond_exempt;
')
typeattribute $1 unconfined_domain_type;
# pass constraints
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
')