selinux-policy/refpolicy/policy/modules/system/domain.te
2005-07-18 20:17:21 +00:00

39 lines
1.0 KiB
Plaintext

policy_module(domain,1.0)
########################################
#
# Declarations
#
# Mark process types as domains
attribute domain;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# constraint related attributes
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# TODO:
# cjp: also need to except correctly for SEFramework
#neverallow { domain unlabeled_t } file_type:process *;
#neverallow ~{ domain unlabeled_t } *:process *;