summaryrefslogtreecommitdiff
path: root/policy/modules/kernel/domain.te
blob: 2546240253045124966ff1a361281e1dc6ec0df8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

policy_module(domain, 1.6.0)

########################################
#
# Declarations
#

# Mark process types as domains
attribute domain;

# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined
attribute unconfined_domain_type;

# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# enabling setcurrent breaks process tranquility.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt;	# add userhelperdomain to this one

neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

########################################
#
# Rules applied to all domains
#

# read /proc/(pid|self) entries
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)

# create child processes in the domain
allow domain self:process { fork sigchld };

# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)

tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	dev_read_urand(domain)
')

optional_policy(`
	libs_use_ld_so(domain)
	libs_use_shared_libs(domain)
')

optional_policy(`
	setrans_translate_context(domain)
')

# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
optional_policy(`
	xserver_dontaudit_use_xdm_fds(domain)
	xserver_dontaudit_rw_xdm_pipes(domain)
')

########################################
#
# Unconfined access to this module
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file read_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

# act on all domains keys
allow unconfined_domain_type domain:key *;

# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)