policy_module(domain, 1.15.0)

########################################
#
# Declarations
#
# This module defines the attributes and policy-wide invariants that every
# process type in the policy is built on. The neverallow rules here are
# compile-time assertions: any module that violates them fails the build.
#

## <desc>
## <p>
##	Control the ability to mmap a low area of the address space,
##	as configured by /proc/sys/kernel/mmap_min_addr.
## </p>
## </desc>
gen_tunable(mmap_low_allowed, false)
# NOTE(review): mmap_low_allowed is declared here but not referenced in
# this file; presumably it is consulted by an interface in domain.if.
# Confirm that before assuming it gates anything.

# Mark process types as domains.
# Every type a process can run in must carry this attribute; the
# invariants below are all expressed in terms of it.
attribute domain;

# Transitions only allowed from domains to other domains.
# Invariant: a process can never end up in a type that is not a domain,
# neither through exec (transition) nor through setcon (dyntransition).
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined.
# Membership grants the blanket rules in the unconfined section of this
# file, including ptrace and setcurrent over every domain, so adding a
# type here is a policy-wide privilege grant and should be reviewed as one.
attribute unconfined_domain_type;

# Domains that can mmap low memory.
# Mapping the zero page is a well-known aid to exploiting kernel
# NULL-pointer dereferences; the neverallow keeps the set of domains that
# may do it explicit and auditable rather than scattered across modules.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context
# (perform dynamic transitions).
attribute set_curr_context;

# enabling setcurrent breaks process tranquility.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
# A domain with setcurrent changes its own label without an exec
# boundary, so none of the entrypoint checks apply to the switch.
neverallow { domain -set_curr_context } self:process setcurrent;

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#
# The bracketed numbers are the indexes the constraints refer to these
# attributes by; keep them in sync with the constraints file.
#

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
# NOTE(review): this attribute and the one above both carry index [3];
# check which numbering the constraints file actually uses.
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt;	# add userhelperdomain to this one

# Process-class access stays strictly inside the domain attribute
# (plus unlabeled_t): a domain may not hold any process permission on a
# non-domain type, and a non-domain type may not hold any process
# permission on anything. Together with the transition rule above this
# guarantees that every running process is labeled with a domain.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

########################################
#
# Rules applied to all domains
#
# Everything in this section is granted to every process type in the
# policy, so each rule here is effectively a policy-wide baseline.
#

# read /proc/(pid|self) entries
# The self target here is the /proc view of the process itself. Note that
# the file rule uses rw_file_perms, so write access to the /proc/self
# files is part of the baseline as well, not just read.
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
# These only silence the denials; no key access is granted here.
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)

# create child processes in the domain
# fork keeps the child in the same domain; sigchld covers the SIGCHLD a
# child sends back to its parent on exit.
allow domain self:process { fork sigchld };

# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
dev_read_cpu_online(domain)

# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)

ifdef(`hide_broken_symptoms',`
	# This check is in the general socket
	# listen code, before protocol-specific
	# listen function is called, so bad calls
	# to listen on UDP sockets should be silenced
	dontaudit domain self:udp_socket listen;
')

ifdef(`init_systemd',`
	# NOTE(review): presumably lets every domain deliver SIGCHLD to the
	# shutdown domain under systemd; confirm in the shutdown module.
	optional_policy(`
		shutdown_sigchld(domain)
	')
')

tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	# This is gated by the global_ssp boolean declared elsewhere; with it
	# off, domains that need urandom must request it individually.
	dev_read_urand(domain)
')

optional_policy(`
	# Dynamic linker and shared library access for every domain; wrapped
	# in optional_policy only so the module builds without libs.
	libs_use_ld_so(domain)
	libs_use_shared_libs(domain)
')

# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
# dontaudit only: the descriptor and pipes are not made usable, the
# denial noise is just suppressed.
optional_policy(`
	xserver_dontaudit_use_xdm_fds(domain)
	xserver_dontaudit_rw_xdm_pipes(domain)
')

########################################
#
# Unconfined access to this module
#
# Every rule below is granted to unconfined_domain_type against every
# domain in the policy. A member of that attribute can ptrace, signal,
# read and write the /proc view of, and change the running context of any
# confined process, so it can defeat whatever confinement the rest of the
# policy establishes. Review additions to unconfined_domain_type with
# that in mind.
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
# (The constraint exemptions are attached to each type by the interface
# that adds it to this attribute, not to the attribute itself.)

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom };
allow unconfined_domain_type domain:rawip_socket node_bind;
allow unconfined_domain_type domain:sctp_socket node_bind;
allow unconfined_domain_type domain:icmp_socket node_bind;
allow unconfined_domain_type domain:udp_socket node_bind;
allow unconfined_domain_type domain:tcp_socket { node_bind name_connect acceptfrom connectto newconn };
allow unconfined_domain_type domain:tun_socket attach_queue;
allow unconfined_domain_type domain:unix_stream_socket { acceptfrom newconn connectto };
# Netlink: read and write on the audit, firewall, route, tcpdiag and xfrm
# sockets of every domain, including the privileged audit messages
# (nlmsg_readpriv, nlmsg_relay, nlmsg_tty_audit).
allow unconfined_domain_type domain:netlink_audit_socket { nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_read nlmsg_tty_audit };
allow unconfined_domain_type domain:netlink_firewall_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_ip6fw_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_route_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_tcpdiag_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_xfrm_socket { nlmsg_write nlmsg_read };

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

# Act upon any other process.
# This set includes ptrace, setcurrent, setexec, share, setrlimit and
# signal_perms, which amounts to full control over any confined process.
allow unconfined_domain_type domain:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit };

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:sem create_sem_perms;
allow unconfined_domain_type domain:msgq create_msgq_perms;
allow unconfined_domain_type domain:shm create_shm_perms;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
# Read and write access to the /proc/<pid> files of every domain, not
# only the listing.
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

# act on all domains keys
# manage_key_perms covers read, write, search, link, setattr and create
# on keys owned by any domain.
allow unconfined_domain_type domain:key manage_key_perms;

# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)

ifdef(`distro_gentoo',`
	########################################
	#
	# Permissions for all domains
	#

	# Bug 529420
	# Gentoo-only baseline: every domain may read the vm sysctls
	# (interface name suggests /proc/sys/vm; the bug number presumably
	# refers to the Gentoo tracker).
	kernel_read_vm_sysctls(domain)
')