76 lines
2.0 KiB
Plaintext
76 lines
2.0 KiB
Plaintext
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the kernel_t domain.
|
|
#
|
|
|
|
#
|
|
# kernel_t is the domain of kernel threads.
|
|
# It is also the target type when checking permissions in the system class.
|
|
#
|
|
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
|
|
role system_r types kernel_t;
|
|
general_domain_access(kernel_t)
|
|
general_proc_read_access(kernel_t)
|
|
base_file_read_access(kernel_t)
|
|
uses_shlib(kernel_t)
|
|
can_exec(kernel_t, shell_exec_t)
|
|
|
|
# Use capabilities.
|
|
allow kernel_t self:capability *;
|
|
|
|
r_dir_file(kernel_t, sysfs_t)
|
|
allow kernel_t { usbfs_t usbdevfs_t }:dir search;
|
|
|
|
# Run init in the init_t domain.
|
|
domain_auto_trans(kernel_t, init_exec_t, init_t)
|
|
|
|
ifdef(`mls_policy', `
|
|
# run init with maximum MLS range
|
|
range_transition kernel_t init_exec_t s0 - s9:c0.c255;
|
|
')
|
|
|
|
# Share state with the init process.
|
|
allow kernel_t init_t:process share;
|
|
|
|
# Mount and unmount file systems.
|
|
allow kernel_t fs_type:filesystem mount_fs_perms;
|
|
|
|
# Send signal to any process.
|
|
allow kernel_t domain:process signal;
|
|
allow kernel_t domain:dir search;
|
|
|
|
# Access the console.
|
|
allow kernel_t device_t:dir search;
|
|
allow kernel_t console_device_t:chr_file rw_file_perms;
|
|
|
|
# Access the initrd filesystem.
|
|
allow kernel_t file_t:chr_file rw_file_perms;
|
|
can_exec(kernel_t, file_t)
|
|
ifdef(`chroot.te', `
|
|
can_exec(kernel_t, chroot_exec_t)
|
|
')
|
|
allow kernel_t self:capability sys_chroot;
|
|
|
|
allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
|
|
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
|
|
allow kernel_t file_t:dir rw_dir_perms;
|
|
allow kernel_t file_t:blk_file create_file_perms;
|
|
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
|
|
|
|
# Lookup the policy.
|
|
allow kernel_t policy_config_t:dir r_dir_perms;
|
|
|
|
# Load the policy configuration.
|
|
can_loadpol(kernel_t)
|
|
|
|
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
|
can_exec(kernel_t, bin_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
unconfined_domain(kernel_t)
|
|
')
|