selinux-policy/strict/domains/misc/kernel.te
2005-09-16 21:20:37 +00:00

76 lines
2.0 KiB
Plaintext

#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
#################################
#
# Rules for the kernel_t domain.
#
#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
can_exec(kernel_t, shell_exec_t)
# Use capabilities.
allow kernel_t self:capability *;
r_dir_file(kernel_t, sysfs_t)
allow kernel_t { usbfs_t usbdevfs_t }:dir search;
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
ifdef(`mls_policy', `
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s9:c0.c127;
')
# Share state with the init process.
allow kernel_t init_t:process share;
# Mount and unmount file systems.
allow kernel_t fs_type:filesystem mount_fs_perms;
# Send signal to any process.
allow kernel_t domain:process signal;
allow kernel_t domain:dir search;
# Access the console.
allow kernel_t device_t:dir search;
allow kernel_t console_device_t:chr_file rw_file_perms;
# Access the initrd filesystem.
allow kernel_t file_t:chr_file rw_file_perms;
can_exec(kernel_t, file_t)
ifdef(`chroot.te', `
can_exec(kernel_t, chroot_exec_t)
')
allow kernel_t self:capability sys_chroot;
allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
# Lookup the policy.
allow kernel_t policy_config_t:dir r_dir_perms;
# Load the policy configuration.
can_loadpol(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
')