selinux-policy/policy/modules/system/selinuxutil.te

policy_module(selinuxutil, 1.14.0)

gen_require(`
	bool secure_mode;
')

########################################
#
# Declarations
#

attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;

#
# selinux_config_t is the type applied to
# /etc/selinux/config
#
# cjp: this is out of order due to rules
# in the domain_type interface
# (fix dup decl)
type selinux_config_t;
files_type(selinux_config_t)

type selinux_var_lib_t;
files_type(selinux_var_lib_t)

type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
role system_r types checkpolicy_t;

#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
type default_context_t;
files_type(default_context_t) 

#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
files_type(file_context_t)

type load_policy_t;
type load_policy_exec_t;
application_domain(load_policy_t, load_policy_exec_t)
role system_r types load_policy_t;

type newrole_t;
type newrole_exec_t;
application_domain(newrole_t, newrole_exec_t)
domain_role_change_exemption(newrole_t)
domain_obj_id_change_exemption(newrole_t)
domain_interactive_fd(newrole_t)

#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
#type policy_config_t;
#files_type(policy_config_t)
typealias semanage_store_t alias policy_config_t;

neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };

#
# policy_src_t is the type of the policy source
# files.
#
type policy_src_t;
files_type(policy_src_t)

type restorecond_t;
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)

type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)

type run_init_t;
type run_init_exec_t;
application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
role system_r types run_init_t;

type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
dbus_system_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
role system_r types semanage_t;

type setsebool_t;
type setsebool_exec_t;
init_system_domain(setsebool_t, setsebool_exec_t)

type semanage_store_t;
files_type(semanage_store_t)

type semanage_read_lock_t;
files_type(semanage_read_lock_t)

type semanage_tmp_t; 
files_tmp_file(semanage_tmp_t)

type semanage_trans_lock_t; 
files_type(semanage_trans_lock_t)

type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)

type setfiles_mac_t;
domain_type(setfiles_mac_t)
domain_entry_file(setfiles_mac_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_mac_t)

########################################
#
# Checkpolicy local policy
#

allow checkpolicy_t self:capability dac_override;

# able to create and modify binary policy files
manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)

# allow test policies to be created in src directories
filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)

# only allow read of policy source files
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
allow checkpolicy_t selinux_config_t:dir search_dir_perms;

domain_use_interactive_fds(checkpolicy_t)

files_list_usr(checkpolicy_t)
# directory search permissions for path to source and binary policy files
files_search_etc(checkpolicy_t)

fs_getattr_xattr_fs(checkpolicy_t)

term_use_console(checkpolicy_t)

init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)

userdom_use_user_terminals(checkpolicy_t)
userdom_use_all_users_fds(checkpolicy_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(checkpolicy_t)
	')
')

########################################
#
# Load_policy local policy
#

allow load_policy_t self:capability dac_override;

# only allow read of policy config files
read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)

domain_use_interactive_fds(load_policy_t)

# for mcs.conf
files_read_etc_files(load_policy_t)
files_read_etc_runtime_files(load_policy_t)

fs_getattr_xattr_fs(load_policy_t)

mls_file_read_all_levels(load_policy_t)

selinux_load_policy(load_policy_t)
selinux_set_all_booleans(load_policy_t)

term_use_console(load_policy_t)
term_list_ptys(load_policy_t)

init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
init_write_script_pipes(load_policy_t)

miscfiles_read_localization(load_policy_t)

seutil_libselinux_linked(load_policy_t)

userdom_use_user_terminals(load_policy_t)
userdom_use_all_users_fds(load_policy_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(load_policy_t)
	')
')

ifdef(`hide_broken_symptoms',`
	# cjp: cover up stray file descriptors.
	dontaudit load_policy_t selinux_config_t:file write;

	optional_policy(`
		unconfined_dontaudit_read_pipes(load_policy_t)
	')
')

########################################
#
# Newrole local policy
#

allow newrole_t self:capability { fowner setuid setgid dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_fifo_file_perms;
allow newrole_t self:sock_file read_sock_file_perms;
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
logging_send_audit_msgs(newrole_t)

read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)

kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctls(newrole_t)

corecmd_list_bin(newrole_t)
corecmd_read_bin_symlinks(newrole_t)

dev_read_urand(newrole_t)

domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)

files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)

fs_getattr_xattr_fs(newrole_t)
fs_search_auto_mountpoints(newrole_t)

mls_file_read_all_levels(newrole_t)
mls_file_write_all_levels(newrole_t)
mls_file_upgrade(newrole_t)
mls_file_downgrade(newrole_t)
mls_process_set_level(newrole_t)
mls_fd_share_all_levels(newrole_t)

selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t)
selinux_compute_create_context(newrole_t)
selinux_compute_relabel_context(newrole_t)
selinux_compute_user_contexts(newrole_t)

term_use_all_ttys(newrole_t)
term_use_all_ptys(newrole_t)
term_relabel_all_ttys(newrole_t)
term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)

auth_use_pam(newrole_t)

# Write to utmp.
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)

miscfiles_read_localization(newrole_t)

seutil_libselinux_linked(newrole_t)

userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)

optional_policy(`
	xserver_dontaudit_exec_xauth(newrole_t)
')

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(newrole_t)
	')
')

# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
	userdom_spec_domtrans_unpriv_users(newrole_t)
} else {
	userdom_spec_domtrans_all_users(newrole_t)
}

tunable_policy(`allow_polyinstantiation',`
	files_polyinstantiate_all(newrole_t)
')

########################################
#
# Restorecond local policy
#

allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;

allow restorecond_t restorecond_var_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)

kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)

files_dontaudit_read_all_symlinks(restorecond_t)

fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
fs_list_inotifyfs(restorecond_t)

selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)

auth_relabel_all_files_except_shadow(restorecond_t )
auth_read_all_files_except_shadow(restorecond_t)
auth_use_nsswitch(restorecond_t)

locallogin_dontaudit_use_fds(restorecond_t)

logging_send_syslog_msg(restorecond_t)

miscfiles_read_localization(restorecond_t)

seutil_libselinux_linked(restorecond_t)

userdom_read_user_home_content_symlinks(restorecond_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(restorecond_t)
	')
')

optional_policy(`
	rpm_use_script_fds(restorecond_t)
')

#################################
#
# Run_init local policy
#

allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
logging_send_audit_msgs(run_init_t)

# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };

corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)

dev_dontaudit_list_all_dev_nodes(run_init_t)

domain_use_interactive_fds(run_init_t)

files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t)

fs_getattr_xattr_fs(run_init_t)

mls_rangetrans_source(run_init_t)

selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t)
selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)

auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
auth_dontaudit_read_shadow(run_init_t)

init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)

logging_send_syslog_msg(run_init_t)

miscfiles_read_localization(run_init_t)

seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)

userdom_use_user_terminals(run_init_t)

ifndef(`direct_sysadm_daemon',`
	ifdef(`distro_gentoo',`
		# Gentoo integrated run_init:
		init_script_file_entry_type(run_init_t)
	')
')

optional_policy(`
	rpm_domtrans(run_init_t)
')

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(run_init_t)
	')
')

optional_policy(`
	daemontools_domtrans_start(run_init_t)
')

########################################
#
# semodule local policy
#

seutil_semanage_policy(semanage_t)
allow semanage_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)

selinux_set_all_booleans(semanage_t)
can_exec(semanage_t, semanage_exec_t)

# Admins are creating pp files in random locations
auth_read_all_files_except_shadow(semanage_t)

seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
seutil_domtrans_setfiles(semanage_t)

# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)

ifdef(`distro_debian',`
	files_read_var_lib_files(semanage_t)
	files_read_var_lib_symlinks(semanage_t)
')

optional_policy(`
	setrans_initrc_domtrans(semanage_t)
        domain_system_change_exemption(semanage_t)
	consoletype_exec(semanage_t)
')

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(semanage_t)
	')
')

optional_policy(`
	#signal mcstrans on reload
	init_spec_domtrans_script(semanage_t)
')

# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
	# read secadm tmp files
',`
	# Handle pp files created in homedir and /tmp
	userdom_read_user_home_content_files(semanage_t)
	userdom_read_user_tmp_files(semanage_t)
')

userdom_search_admin_dir(semanage_t)

####################################n####
#
# setsebool local policy
#
seutil_semanage_policy(setsebool_t)
selinux_set_all_booleans(setsebool_t)

init_dontaudit_use_fds(setsebool_t)

# Bug in semanage
seutil_domtrans_setfiles(setsebool_t)
seutil_manage_file_contexts(setsebool_t)
seutil_manage_default_contexts(setsebool_t)
seutil_manage_config(setsebool_t)

########################################
#
# Setfiles local policy
#

seutil_setfiles(setfiles_t)
# During boot in Rawhide
term_use_generic_ptys(setfiles_t)

seutil_setfiles(setfiles_mac_t)
allow setfiles_mac_t self:capability2 mac_admin;
kernel_relabelto_unlabeled(setfiles_mac_t)

optional_policy(`
	files_dontaudit_write_isid_chr_files(setfiles_mac_t)
	livecd_dontaudit_leaks(setfiles_mac_t)
	livecd_rw_tmp_files(setfiles_mac_t)
	dev_dontaudit_write_all_chr_files(setfiles_mac_t)
')

ifdef(`hide_broken_symptoms',`
	optional_policy(`
		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
	')
')

ifdef(`enforcing',`
optional_policy(`
	unconfined_domain(setfiles_mac_t)
')
', `
	permissive lvm_t;
')