rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
a1b42052c9
selinux-policy/policy/modules/kernel/domain.te
Dominick Grift 623e4f0885 1/1] Make the ability to mmap zero conditional where this is fapplicable. 
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00

163 lines
4.6 KiB
Plaintext
Raw Blame History

policy_module(domain, 1.8.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Control the ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
## </p>
## </desc>
gen_tunable(mmap_low_allowed, false)
# Mark process types as domains
attribute domain;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# Domains that are unconfined
attribute unconfined_domain_type;
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
#
# constraint related attributes
#
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
attribute can_system_change;
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;
########################################
#
# Rules applied to all domains
#
# read /proc/(pid|self) entries
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection.
dev_read_urand(domain)
')
optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
')
optional_policy(`
setrans_translate_context(domain)
')
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
')
########################################
#
# Unconfined access to this module
#
# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
Reference in New Issue View Git Blame Copy Permalink