245 lines
8.1 KiB
Plaintext
245 lines
8.1 KiB
Plaintext
|
|
policy_module(kernel,1.0)
|
|
|
|
# assertion related attributes
|
|
attribute can_load_policy;
|
|
attribute can_setenforce;
|
|
attribute can_setsecparam;
|
|
attribute can_load_kernmodule;
|
|
attribute can_receive_kernel_messages;
|
|
|
|
# constraint related attributes
|
|
attribute can_change_process_identity;
|
|
attribute can_change_process_role;
|
|
attribute can_change_object_identity;
|
|
|
|
#
|
|
# kernel_t is the domain of kernel threads.
|
|
# It is also the target type when checking permissions in the system class.
|
|
#
|
|
type kernel_t, can_load_kernmodule, can_load_policy;
|
|
role system_r types kernel_t;
|
|
domain_make_domain(kernel_t)
|
|
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
|
|
|
|
#
|
|
# unlabeled_t is the type of unlabeled objects.
|
|
# Objects that have no known labeling information or that
|
|
# have labels that are no longer valid are treated as having this type.
|
|
#
|
|
type unlabeled_t;
|
|
sid unlabeled context_template(system_u:object_r:unlabeled_t,s0)
|
|
|
|
# These initial sids are no longer used, and can be removed:
|
|
sid any_socket context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid file_labels context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid icmp_socket context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid igmp_packet context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid init context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid kmod context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid netmsg context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid policy context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid scmp_packet context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_modprobe context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_fs context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_kernel context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_net context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_net_unix context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_vm context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid sysctl_dev context_template(system_u:object_r:unlabeled_t,s0)
|
|
sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0)
|
|
|
|
#
|
|
# security_t is the target type when checking
|
|
# the permissions in the security class. It is also
|
|
# applied to selinuxfs inodes.
|
|
#
|
|
type security_t;
|
|
fs_make_fs(security_t)
|
|
sid security context_template(system_u:object_r:security_t,s0)
|
|
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
|
|
|
#
|
|
# sysfs_t is the type for /sys
|
|
#
|
|
type sysfs_t;
|
|
files_make_mountpoint(sysfs_t)
|
|
fs_make_fs(sysfs_t)
|
|
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
|
|
|
|
#
|
|
# usbfs_t is the type for /proc/bus/usb
|
|
#
|
|
type usbfs_t alias usbdevfs_t;
|
|
files_make_mountpoint(usbfs_t)
|
|
fs_make_fs(usbfs_t)
|
|
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
|
|
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
|
|
|
|
#
|
|
# Procfs types
|
|
#
|
|
|
|
type proc_t;
|
|
files_make_mountpoint(proc_t)
|
|
fs_make_fs(proc_t)
|
|
genfscon proc / context_template(system_u:object_r:proc_t,s0)
|
|
genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
|
|
|
|
# kernel message interface
|
|
type proc_kmsg_t;
|
|
genfscon proc /kmsg context_template(system_u:object_r:proc_kmsg_t,s0)
|
|
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
|
|
|
|
# /proc kcore: inaccessible
|
|
type proc_kcore_t;
|
|
neverallow * proc_kcore_t:file ~getattr;
|
|
genfscon proc /kcore context_template(system_u:object_r:proc_kcore_t,s0)
|
|
|
|
type proc_mdstat_t;
|
|
genfscon proc /mdstat context_template(system_u:object_r:proc_mdstat_t,s0)
|
|
|
|
type proc_net_t;
|
|
genfscon proc /net context_template(system_u:object_r:proc_net_t,s0)
|
|
|
|
#
|
|
# Sysctl types
|
|
#
|
|
|
|
# /proc/irq directory and files
|
|
type sysctl_irq_t;
|
|
genfscon proc /irq context_template(system_u:object_r:sysctl_irq_t,s0)
|
|
|
|
# /proc/net/rpc directory and files
|
|
type sysctl_rpc_t;
|
|
genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
|
|
|
|
# /proc/sys directory, base directory of sysctls
|
|
type sysctl_t;
|
|
files_make_mountpoint(sysctl_t)
|
|
sid sysctl context_template(system_u:object_r:sysctl_t,s0)
|
|
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
|
|
|
|
# /proc/sys/fs directory and files
|
|
type sysctl_fs_t;
|
|
files_make_mountpoint(sysctl_fs_t)
|
|
genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
|
|
|
|
# /proc/sys/kernel directory and files
|
|
type sysctl_kernel_t;
|
|
genfscon proc /sys/kernel context_template(system_u:object_r:sysctl_kernel_t,s0)
|
|
|
|
# /proc/sys/kernel/modprobe file
|
|
type sysctl_modprobe_t;
|
|
genfscon proc /sys/kernel/modprobe context_template(system_u:object_r:sysctl_modprobe_t,s0)
|
|
|
|
# /proc/sys/kernel/hotplug file
|
|
type sysctl_hotplug_t;
|
|
genfscon proc /sys/kernel/hotplug context_template(system_u:object_r:sysctl_hotplug_t,s0)
|
|
|
|
# /proc/sys/net directory and files
|
|
type sysctl_net_t;
|
|
genfscon proc /sys/net context_template(system_u:object_r:sysctl_net_t,s0)
|
|
|
|
# /proc/sys/net/unix directory and files
|
|
type sysctl_net_unix_t;
|
|
genfscon proc /sys/net/unix context_template(system_u:object_r:sysctl_net_unix_t,s0)
|
|
|
|
# /proc/sys/vm directory and files
|
|
type sysctl_vm_t;
|
|
genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
|
|
|
|
# /proc/sys/dev directory and files
|
|
type sysctl_dev_t;
|
|
genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
|
|
|
|
########################################
|
|
#
|
|
# kernel local policy
|
|
#
|
|
|
|
# Use capabilities. need to investigate which capabilities are actually used
|
|
allow kernel_t self:capability *;
|
|
|
|
# Other possible mount points for the root fs are in files
|
|
allow kernel_t unlabeled_t:dir mounton;
|
|
|
|
# old general_domain_access()
|
|
allow kernel_t self:shm create_shm_perms;
|
|
allow kernel_t self:sem create_sem_perms;
|
|
allow kernel_t self:msg { send receive };
|
|
allow kernel_t self:msgq create_msgq_perms;
|
|
allow kernel_t self:unix_dgram_socket create_socket_perms;
|
|
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow kernel_t self:unix_dgram_socket sendto;
|
|
allow kernel_t self:unix_stream_socket connectto;
|
|
allow kernel_t self:fifo_file rw_file_perms;
|
|
allow kernel_t self:fd use;
|
|
|
|
# old general_proc_read_access():
|
|
allow kernel_t proc_t:dir r_dir_perms;
|
|
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
|
|
allow kernel_t proc_net_t:dir r_dir_perms;
|
|
allow kernel_t proc_net_t:file r_file_perms;
|
|
allow kernel_t proc_mdstat_t:file r_file_perms;
|
|
allow kernel_t proc_kcore_t:file getattr;
|
|
allow kernel_t proc_kmsg_t:file getattr;
|
|
allow kernel_t sysctl_t:dir r_dir_perms;
|
|
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
|
|
allow kernel_t sysctl_kernel_t:file r_file_perms;
|
|
|
|
allow kernel_t security_t:dir r_dir_perms;
|
|
allow kernel_t security_t:file rw_file_perms;
|
|
allow kernel_t security_t:security load_policy;
|
|
auditallow kernel_t security_t:security load_policy;
|
|
|
|
# Kernel-generated traffic e.g., ICMP replies:
|
|
corenet_raw_sendrecv_all_if(kernel_t)
|
|
corenet_raw_sendrecv_all_nodes(kernel_t)
|
|
# Kernel-generated traffic e.g., TCP resets:
|
|
corenet_raw_sendrecv_all_ifaces(kernel_t)
|
|
corenet_raw_sendrecv_all_nodes(kernel_t)
|
|
|
|
terminal_use_console(kernel_t)
|
|
|
|
# Mount root file system. Used when loading a policy
|
|
# from initrd, then mounting the root filesystem
|
|
fs_mount_all_fs(kernel_t)
|
|
|
|
corecommands_execute_shell(kernel_t)
|
|
corecommands_read_system_programs_directory(kernel_t)
|
|
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
|
corecommands_execute_general_programs(kernel_t)
|
|
|
|
domain_signal_all_domains(kernel_t)
|
|
|
|
files_read_root_dir(kernel_t)
|
|
files_list_home_directories(kernel_t)
|
|
files_read_general_application_resources(kernel_t)
|
|
|
|
init_sigchld(kernel_t)
|
|
|
|
libraries_use_dynamic_loader(kernel_t)
|
|
libraries_use_shared_libraries(kernel_t)
|
|
|
|
logging_send_system_log_message(kernel_t)
|
|
|
|
selinux_read_config(kernel_t)
|
|
selinux_read_binary_policy(kernel_t)
|
|
|
|
neverallow ~can_load_policy security_t:security load_policy;
|
|
neverallow ~can_setenforce security_t:security setenforce;
|
|
neverallow ~can_setsecparam security_t:security setsecparam;
|
|
neverallow ~can_load_kernmodule self:capability sys_module;
|
|
|
|
########################################
|
|
#
|
|
# Unlabeled process local policy
|
|
#
|
|
|
|
# If you load a new policy that removes active domains, processes can
|
|
# get stuck if you do not allow unlabeled processes to signal init.
|
|
# If you load an incompatible policy, you should probably reboot,
|
|
# since you may have compromised system security.
|
|
init_sigchld(unlabeled_t)
|