selinux-refpolicy/policy/modules/kernel/kernel.if

3569 lines
70 KiB
Plaintext
Raw Normal View History

2005-06-01 14:17:43 +00:00
## <summary>
2009-11-19 14:25:38 +00:00
## Policy for kernel threads, proc filesystem,
2006-01-13 19:10:31 +00:00
## and unlabeled processes and objects.
2005-06-01 14:17:43 +00:00
## </summary>
2005-07-05 17:47:15 +00:00
## <required val="true">
2005-11-08 22:00:30 +00:00
## This module has initial SIDs.
2005-07-05 17:47:15 +00:00
## </required>
2005-04-20 19:07:16 +00:00
########################################
## <summary>
## Allows the kernel to start userland processes
## by dynamic transitions to the specified domain.
## </summary>
## <param name="domain">
## <summary>
## The process type entered by the kernel.
## </summary>
## </param>
#
interface(`kernel_dyntrans_to',`
gen_require(`
type kernel_t;
')
domain_dyntrans_type(kernel_t)
allow kernel_t self:process setcurrent;
allow kernel_t $1:process dyntransition;
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows to start userland processes
## by transitioning to the specified domain.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The process type entered by kernel.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
## <param name="entrypoint">
## <summary>
2005-06-23 21:30:57 +00:00
## The executable type for the entrypoint.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`kernel_domtrans_to',`
gen_require(`
type kernel_t;
')
2006-12-12 20:08:08 +00:00
domtrans_pattern(kernel_t, $2, $1)
')
########################################
## <summary>
## Allows to start userland processes
## by transitioning to the specified domain,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## The process type entered by kernel.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The executable type for the entrypoint.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`kernel_ranged_domtrans_to',`
gen_require(`
type kernel_t;
')
2009-11-19 14:25:38 +00:00
kernel_domtrans_to($1, $2)
ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition kernel_t $2:process $3;
2007-08-20 15:15:03 +00:00
mls_rangetrans_target($1)
')
')
2005-06-09 20:50:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows the kernel to mount filesystems on
## the specified directory type.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="directory_type">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the directory to use as a mountpoint.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-06-09 20:50:17 +00:00
#
interface(`kernel_rootfs_mountpoint',`
gen_require(`
type kernel_t;
')
2005-06-09 20:50:17 +00:00
allow kernel_t $1:dir mounton;
')
2005-09-15 21:03:29 +00:00
########################################
## <summary>
## Set the process group of kernel threads.
## </summary>
## <param name="domain">
## <summary>
2005-09-15 21:03:29 +00:00
## Domain allowed access.
## </summary>
2005-09-15 21:03:29 +00:00
## </param>
#
interface(`kernel_setpgid',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process setpgid;
')
2007-08-07 17:06:32 +00:00
########################################
## <summary>
## Set the priority of kernel threads.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_setsched',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process setsched;
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a SIGCHLD signal to kernel threads.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`kernel_sigchld',`
gen_require(`
type kernel_t;
')
2005-09-15 21:03:29 +00:00
allow $1 kernel_t:process sigchld;
')
2010-03-17 15:16:25 +00:00
########################################
## <summary>
## Send a kill signal to kernel threads.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2010-03-17 15:16:25 +00:00
## </summary>
## </param>
#
interface(`kernel_kill',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process sigkill;
')
2005-09-13 13:06:07 +00:00
########################################
## <summary>
## Send a generic signal to kernel threads.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-09-13 13:06:07 +00:00
## </param>
#
interface(`kernel_signal',`
gen_require(`
type kernel_t;
')
2009-06-11 15:00:48 +00:00
allow $1 kernel_t:process signal;
2005-09-13 13:06:07 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows the kernel to share state information with
## the caller.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process with which to share state information.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_share_state',`
gen_require(`
type kernel_t;
')
allow kernel_t $1:process share;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Permits caller to use kernel file descriptors.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_use_fds',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:fd use;
2005-04-14 20:18:17 +00:00
')
2005-04-28 21:41:09 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to use
## kernel file descriptors.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-28 21:41:09 +00:00
#
interface(`kernel_dontaudit_use_fds',`
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:fd use;
2005-04-28 21:41:09 +00:00
')
########################################
2005-07-11 19:15:54 +00:00
## <summary>
## Read and write kernel unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_rw_pipes',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:fifo_file { read write };
')
########################################
## <summary>
## Read/write to kernel using a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_rw_stream_sockets',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_stream_socket rw_socket_perms;
')
########################################
## <summary>
## Connect to kernel using a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_stream_connect',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Getattr on kernel unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_getattr_dgram_sockets',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_dgram_socket getattr;
')
########################################
## <summary>
## Read and write kernel unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_rw_unix_dgram_sockets',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_dgram_socket { read write ioctl };
')
########################################
## <summary>
## Send messages to kernel unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2006-02-06 15:43:46 +00:00
interface(`kernel_dgram_send',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_dgram_socket sendto;
')
2005-07-18 18:31:49 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows caller to load kernel modules
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_load_module',`
gen_require(`
attribute can_load_kernmodule;
')
typeattribute $1 can_load_kernmodule;
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Allow search the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_search_key',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key search;
')
2007-10-29 18:35:32 +00:00
########################################
## <summary>
## dontaudit search the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2007-10-29 18:35:32 +00:00
## </summary>
## </param>
#
interface(`kernel_dontaudit_search_key',`
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:key search;
')
########################################
## <summary>
## Allow link to the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_link_key',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key link;
')
2007-10-29 18:35:32 +00:00
########################################
## <summary>
## dontaudit link to the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2007-10-29 18:35:32 +00:00
## </summary>
## </param>
#
interface(`kernel_dontaudit_link_key',`
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:key link;
')
########################################
## <summary>
## Allow view the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_view_key',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key view;
')
########################################
## <summary>
## dontaudit view the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_view_key',`
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:key view;
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows caller to read the ring buffer.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_ring_buffer',`
gen_require(`
type kernel_t;
')
2011-01-19 19:11:00 +00:00
allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_read;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to read the ring buffer.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`kernel_dontaudit_read_ring_buffer',`
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:system syslog_read;
')
2005-04-14 20:18:17 +00:00
########################################
2005-06-27 20:59:28 +00:00
## <summary>
## Change the level of kernel messages logged to the console.
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_change_ring_buffer_level',`
gen_require(`
type kernel_t;
')
2011-01-19 19:11:00 +00:00
allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_console;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows the caller to clear the ring buffer.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_clear_ring_buffer',`
gen_require(`
type kernel_t;
')
2011-01-19 19:11:00 +00:00
allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_mod;
2005-04-14 20:18:17 +00:00
')
2009-11-19 14:25:38 +00:00
########################################
## <summary>
## Allows caller to request the kernel to load a module
## </summary>
## <desc>
## <p>
## Allow the specified domain to request that the kernel
## load a kernel module. An example of this is the
## auto-loading of network drivers when doing an
## ioctl() on a network interface.
## </p>
## <p>
## In the specific case of a module loading request
## on a network interface, the domain will also
## need the net_admin capability.
## </p>
## </desc>
2009-11-19 14:25:38 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_request_load_module',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:system module_request;
')
########################################
## <summary>
## Do not audit requests to the kernel to load a module.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_request_load_module',`
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:system module_request;
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Get information on all System V IPC objects.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2009-11-19 14:25:38 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_get_sysvipc_info',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:system ipc_info;
2005-04-14 20:18:17 +00:00
')
2005-09-19 21:17:45 +00:00
########################################
## <summary>
## Get the attributes of a kernel debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
2005-09-19 21:17:45 +00:00
## Domain allowed access.
## </summary>
2005-09-19 21:17:45 +00:00
## </param>
#
interface(`kernel_getattr_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem getattr;
')
########################################
## <summary>
## Mount a kernel debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-09-19 21:17:45 +00:00
## </param>
#
interface(`kernel_mount_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem mount;
')
########################################
## <summary>
## Unmount a kernel debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-09-19 21:17:45 +00:00
## </param>
#
interface(`kernel_unmount_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem unmount;
')
########################################
## <summary>
## Remount a kernel debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-09-19 21:17:45 +00:00
## </param>
#
interface(`kernel_remount_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem remount;
')
########################################
## <summary>
## Search the contents of a kernel debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
2005-09-19 21:17:45 +00:00
## Domain allowed access.
## </summary>
2005-09-19 21:17:45 +00:00
## </param>
#
interface(`kernel_search_debugfs',`
gen_require(`
type debugfs_t;
')
search_dirs_pattern($1, debugfs_t, debugfs_t)
2005-09-19 21:17:45 +00:00
')
2010-03-17 15:16:25 +00:00
########################################
## <summary>
## Do not audit attempts to search the kernel debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2010-03-17 15:16:25 +00:00
## </summary>
## </param>
#
interface(`kernel_dontaudit_search_debugfs',`
gen_require(`
type debugfs_t;
')
dontaudit $1 debugfs_t:dir search_dir_perms;
')
########################################
## <summary>
## Read information from the debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_debugfs',`
gen_require(`
type debugfs_t;
')
read_files_pattern($1, debugfs_t, debugfs_t)
read_lnk_files_pattern($1, debugfs_t, debugfs_t)
list_dirs_pattern($1, debugfs_t, debugfs_t)
')
2005-10-14 17:55:40 +00:00
########################################
## <summary>
## Do not audit attempts to write kernel debugging filesystem dirs.
2005-10-14 17:55:40 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-10-14 17:55:40 +00:00
## </param>
#
interface(`kernel_dontaudit_write_debugfs_dirs',`
2005-10-14 17:55:40 +00:00
gen_require(`
type debugfs_t;
')
dontaudit $1 debugfs_t:dir write;
2005-10-14 17:55:40 +00:00
')
########################################
## <summary>
## Manage information from the debugging filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_manage_debugfs',`
gen_require(`
type debugfs_t;
')
manage_files_pattern($1, debugfs_t, debugfs_t)
read_lnk_files_pattern($1, debugfs_t, debugfs_t)
list_dirs_pattern($1, debugfs_t, debugfs_t)
')
########################################
## <summary>
## Mount a kernel VM filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_mount_kvmfs',`
gen_require(`
type kvmfs_t;
')
allow $1 kvmfs_t:filesystem mount;
')
########################################
## <summary>
## mount the proc filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_mount_proc',`
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem mount;
')
########################################
## <summary>
## remount the proc filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_remount_proc',`
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem remount;
')
2006-04-28 20:20:40 +00:00
########################################
## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2006-04-28 20:20:40 +00:00
## </summary>
## </param>
#
interface(`kernel_unmount_proc',`
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem unmount;
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
## <summary>
2005-07-08 20:44:57 +00:00
## Domain allowed access.
## </summary>
2005-07-08 20:44:57 +00:00
## </param>
#
interface(`kernel_getattr_proc',`
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem getattr;
')
########################################
## <summary>
## Mount on proc directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_mounton_proc',`
gen_require(`
type proc_t;
')
allow $1 proc_t:dir mounton;
')
########################################
## <summary>
## Do not audit attempts to set the
## attributes of directories in /proc.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_setattr_proc_dirs',`
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir setattr;
')
2005-07-08 20:44:57 +00:00
########################################
## <summary>
## Search directories in /proc.
## </summary>
## <param name="domain">
## <summary>
2005-07-08 20:44:57 +00:00
## Domain allowed access.
## </summary>
2005-07-08 20:44:57 +00:00
## </param>
#
interface(`kernel_search_proc',`
gen_require(`
type proc_t;
')
search_dirs_pattern($1, proc_t, proc_t)
2005-07-08 20:44:57 +00:00
')
########################################
## <summary>
## List the contents of directories in /proc.
## </summary>
## <param name="domain">
## <summary>
2005-07-08 20:44:57 +00:00
## Domain allowed access.
## </summary>
2005-07-08 20:44:57 +00:00
## </param>
#
interface(`kernel_list_proc',`
gen_require(`
type proc_t;
')
list_dirs_pattern($1, proc_t, proc_t)
2005-07-08 20:44:57 +00:00
')
2005-11-08 22:00:30 +00:00
########################################
## <summary>
## Do not audit attempts to list the
## contents of directories in /proc.
## </summary>
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain to not audit.
## </summary>
2005-11-08 22:00:30 +00:00
## </param>
#
interface(`kernel_dontaudit_list_proc',`
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to write the
## directories in /proc.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_write_proc_dirs',`
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir write;
')
########################################
## <summary>
## Mount the directories in /proc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_mounton_proc_dirs',`
gen_require(`
type proc_t;
')
allow $1 proc_t:dir mounton;
')
2005-11-28 16:44:51 +00:00
########################################
## <summary>
## Get the attributes of files in /proc.
## </summary>
## <param name="domain">
## <summary>
2005-11-28 16:44:51 +00:00
## Domain allowed access.
## </summary>
2005-11-28 16:44:51 +00:00
## </param>
#
interface(`kernel_getattr_proc_files',`
gen_require(`
type proc_t;
')
getattr_files_pattern($1, proc_t, proc_t)
2005-11-28 16:44:51 +00:00
')
2005-07-08 20:44:57 +00:00
########################################
## <summary>
## Read generic symbolic links in /proc.
2005-07-08 20:44:57 +00:00
## </summary>
## <desc>
## <p>
## Allow the specified domain to read (follow) generic
## symbolic links (symlinks) in the proc filesystem (/proc).
## This interface does not include access to the targets of
## these links. An example symlink is /proc/self.
## </p>
## </desc>
2005-07-08 20:44:57 +00:00
## <param name="domain">
## <summary>
2005-07-08 20:44:57 +00:00
## Domain allowed access.
## </summary>
2005-07-08 20:44:57 +00:00
## </param>
## <infoflow type="read" weight="10"/>
2005-07-08 20:44:57 +00:00
#
interface(`kernel_read_proc_symlinks',`
gen_require(`
type proc_t;
')
read_lnk_files_pattern($1, proc_t, proc_t)
2005-07-08 20:44:57 +00:00
')
########################################
## <summary>
## Allows caller to read system state information in /proc.
2005-07-08 20:44:57 +00:00
## </summary>
## <desc>
## <p>
## Allow the specified domain to read general system
## state information from the proc filesystem (/proc).
## </p>
## <p>
## Generally it should be safe to allow this access. Some
## example files that can be read based on this interface:
## </p>
## <ul>
## <li>/proc/cpuinfo</li>
## <li>/proc/meminfo</li>
## <li>/proc/uptime</li>
## </ul>
## <p>
## This does not allow access to sysctl entries (/proc/sys/*)
## nor process state information (/proc/pid).
## </p>
## </desc>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
## <infoflow type="read" weight="10"/>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_system_state',`
gen_require(`
type proc_t;
')
read_files_pattern($1, proc_t, proc_t)
read_lnk_files_pattern($1, proc_t, proc_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_t)
2005-10-14 17:55:40 +00:00
')
########################################
## <summary>
## Write to generic proc entries.
## </summary>
## <param name="domain">
## <summary>
2005-10-14 17:55:40 +00:00
## Domain allowed access.
## </summary>
2005-10-14 17:55:40 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-10-14 17:55:40 +00:00
#
# cjp: this should probably go away. any
# file thats writable in proc should really
# have its own label.
#
interface(`kernel_write_proc_files',`
2005-10-14 17:55:40 +00:00
gen_require(`
type proc_t;
')
write_files_pattern($1, proc_t, proc_t)
2005-04-14 20:18:17 +00:00
')
2005-05-02 18:42:33 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts by caller to
2005-07-08 20:44:57 +00:00
## read system state information in proc.
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-02 18:42:33 +00:00
#
interface(`kernel_dontaudit_read_system_state',`
gen_require(`
type proc_t;
')
2009-06-11 15:00:48 +00:00
dontaudit $1 proc_t:file read_file_perms;
2005-05-02 18:42:33 +00:00
')
########################################
## <summary>
## Do not audit attempts by caller to
## read symbolic links in proc.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_read_proc_symlinks',`
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:lnk_file read;
')
2007-10-29 22:08:34 +00:00
#######################################
## <summary>
## Allow caller to read and write state information for AFS.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_rw_afs_state',`
gen_require(`
type proc_t, proc_afs_t;
')
list_dirs_pattern($1, proc_t, proc_t)
rw_files_pattern($1, proc_afs_t, proc_afs_t)
2007-10-29 22:08:34 +00:00
')
2005-04-14 20:18:17 +00:00
#######################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to read the state information for software raid.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_software_raid_state',`
gen_require(`
type proc_t, proc_mdstat_t;
')
read_files_pattern($1, proc_t, proc_mdstat_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_t)
2005-07-15 20:45:26 +00:00
')
#######################################
## <summary>
## Allow caller to read and set the state information for software raid.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-07-15 20:45:26 +00:00
## </param>
#
interface(`kernel_rw_software_raid_state',`
gen_require(`
type proc_t, proc_mdstat_t;
')
rw_files_pattern($1, proc_t, proc_mdstat_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allows caller to get attribues of core kernel interface.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_getattr_core_if',`
gen_require(`
type proc_t, proc_kcore_t;
')
getattr_files_pattern($1, proc_t, proc_kcore_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_t)
2005-04-14 20:18:17 +00:00
')
2005-05-13 14:37:13 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts to get the attributes of
## core kernel interfaces.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-13 14:37:13 +00:00
#
interface(`kernel_dontaudit_getattr_core_if',`
gen_require(`
type proc_kcore_t;
')
dontaudit $1 proc_kcore_t:file getattr;
2005-05-13 14:37:13 +00:00
')
2009-11-19 14:25:38 +00:00
########################################
## <summary>
## Allows caller to read the core kernel interface.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_core_if',`
gen_require(`
type proc_t, proc_kcore_t;
attribute can_dump_kernel;
')
2009-11-25 15:04:40 +00:00
allow $1 self:capability sys_rawio;
2009-11-19 14:25:38 +00:00
read_files_pattern($1, proc_t, proc_kcore_t)
list_dirs_pattern($1, proc_t, proc_t)
typeattribute $1 can_dump_kernel;
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to read kernel messages
## using the /proc/kmsg interface.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`kernel_read_messages',`
gen_require(`
attribute can_receive_kernel_messages;
type proc_kmsg_t, proc_t;
')
read_files_pattern($1, proc_t, proc_kmsg_t)
2006-12-12 20:08:08 +00:00
typeattribute $1 can_receive_kernel_messages;
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`kernel_getattr_message_if',`
gen_require(`
type proc_kmsg_t, proc_t;
')
getattr_files_pattern($1, proc_t, proc_kmsg_t)
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts by caller to get the attributes of kernel
## message interfaces.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`kernel_dontaudit_getattr_message_if',`
gen_require(`
type proc_kmsg_t, proc_t;
')
dontaudit $1 proc_kmsg_t:file getattr;
')
########################################
## <summary>
## Mount on kernel message interfaces files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_mounton_message_if',`
gen_require(`
type proc_t, proc_kmsg_t;
')
allow $1 proc_t:dir list_dir_perms;
allow $1 proc_kmsg_t:file { getattr mounton };
')
2005-08-30 20:47:41 +00:00
########################################
## <summary>
## Do not audit attempts to search the network
## state directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-08-30 20:47:41 +00:00
## </param>
##
#
interface(`kernel_dontaudit_search_network_state',`
gen_require(`
type proc_net_t;
')
2005-09-12 15:17:39 +00:00
dontaudit $1 proc_net_t:dir search;
2005-08-30 20:47:41 +00:00
')
2005-10-24 01:53:13 +00:00
########################################
## <summary>
## Allow searching of network state directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-10-24 01:53:13 +00:00
## </param>
##
#
interface(`kernel_search_network_state',`
gen_require(`
type proc_net_t;
')
search_dirs_pattern($1, proc_t, proc_net_t)
2005-10-24 01:53:13 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
## Read the network state information.
2005-07-08 20:44:57 +00:00
## </summary>
## <desc>
## <p>
## Allow the specified domain to read the networking
## state information. This includes several pieces
## of networking information, such as network interface
## names, netfilter (iptables) statistics, protocol
## information, routes, and remote procedure call (RPC)
## information.
## </p>
## </desc>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
## <infoflow type="read" weight="10"/>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_network_state',`
gen_require(`
type proc_t, proc_net_t;
')
read_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_net_t)
2005-04-14 20:18:17 +00:00
')
2005-10-24 01:53:13 +00:00
########################################
## <summary>
## Allow caller to read the network state symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-10-24 01:53:13 +00:00
## </param>
#
interface(`kernel_read_network_state_symlinks',`
gen_require(`
type proc_t, proc_net_t;
')
read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_net_t)
2005-10-24 01:53:13 +00:00
')
########################################
## <summary>
## Allow searching of xen state directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
##
#
interface(`kernel_search_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
search_dirs_pattern($1, proc_t, proc_xen_t)
')
########################################
## <summary>
## Do not audit attempts to search the xen
## state directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
##
#
interface(`kernel_dontaudit_search_xen_state',`
gen_require(`
type proc_xen_t;
')
dontaudit $1 proc_xen_t:dir search;
')
########################################
## <summary>
## Allow caller to read the xen state information.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
##
#
interface(`kernel_read_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_xen_t)
')
########################################
## <summary>
## Allow caller to read the xen state symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
##
#
interface(`kernel_read_xen_state_symlinks',`
gen_require(`
type proc_t, proc_xen_t;
')
read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, proc_xen_t)
')
########################################
## <summary>
## Allow caller to write xen state information.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
##
#
interface(`kernel_write_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
')
2009-06-11 15:00:48 +00:00
########################################
## <summary>
## Allow attempts to list all proc directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2009-06-11 15:00:48 +00:00
## </summary>
## </param>
#
interface(`kernel_list_all_proc',`
gen_require(`
attribute proc_type;
')
allow $1 proc_type:dir list_dir_perms;
allow $1 proc_type:file getattr;
')
########################################
## <summary>
## Do not audit attempts to list all proc directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_list_all_proc',`
gen_require(`
attribute proc_type;
')
dontaudit $1 proc_type:dir list_dir_perms;
2009-06-11 15:00:48 +00:00
dontaudit $1 proc_type:file getattr;
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
## Do not audit attempts by caller to search
## the base directory of sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-06-07 22:36:07 +00:00
##
#
interface(`kernel_dontaudit_search_sysctl',`
gen_require(`
type sysctl_t;
')
dontaudit $1 sysctl_t:dir search;
')
########################################
## <summary>
## Mount on sysctl_t dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_mounton_sysctl_dirs',`
gen_require(`
type proc_t, sysctl_t;
')
allow $1 proc_t:dir list_dir_perms;
allow $1 sysctl_t:dir { getattr mounton };
')
2005-10-24 01:53:13 +00:00
########################################
## <summary>
## Allow access to read sysctl directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-10-24 01:53:13 +00:00
## </param>
##
#
interface(`kernel_read_sysctl',`
gen_require(`
2009-06-11 15:00:48 +00:00
type sysctl_t, proc_t;
2005-10-24 01:53:13 +00:00
')
list_dirs_pattern($1, proc_t, sysctl_t)
2009-06-11 15:00:48 +00:00
read_files_pattern($1, sysctl_t, sysctl_t)
2005-10-24 01:53:13 +00:00
')
########################################
## <summary>
## Mount on sysctl files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_mounton_sysctl_files',`
gen_require(`
type proc_t, sysctl_t;
')
allow $1 { proc_t sysctl_t }:dir list_dir_perms;
allow $1 sysctl_t:file { getattr mounton };
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to read the device sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_device_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write device sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_device_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
2005-04-14 20:18:17 +00:00
')
2005-10-22 21:55:39 +00:00
########################################
## <summary>
## Allow caller to search virtual memory sysctls.
## </summary>
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-10-22 21:55:39 +00:00
## </param>
#
interface(`kernel_search_vm_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
2005-10-22 21:55:39 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to read virtual memory sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_vm_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write virtual memory sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_vm_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
# hal needs this
allow $1 sysctl_vm_t:dir write;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
## Search network sysctl directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_search_network_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
########################################
## <summary>
## Do not audit attempts by caller to search network sysctl directories.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`kernel_dontaudit_search_network_sysctl',`
gen_require(`
type sysctl_net_t;
')
dontaudit $1 sysctl_net_t:dir search;
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to read network sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_net_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to modiry contents of sysctl network files.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_net_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to read unix domain
## socket sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_unix_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, { sysctl_net_t sysctl_net_unix_t })
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write unix domain
## socket sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_unix_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, { sysctl_net_t sysctl_net_unix_t })
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read the hotplug sysctl.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_hotplug_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write the hotplug sysctl.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_hotplug_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read the modprobe sysctl.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_modprobe_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write the modprobe sysctl.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_modprobe_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
2005-04-14 20:18:17 +00:00
')
2005-10-17 17:55:38 +00:00
########################################
## <summary>
## Do not audit attempts to search generic kernel sysctls.
## </summary>
## <param name="domain">
## <summary>
2005-10-17 17:55:38 +00:00
## Domain to not audit.
## </summary>
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`kernel_dontaudit_search_kernel_sysctl',`
gen_require(`
type sysctl_kernel_t;
')
dontaudit $1 sysctl_kernel_t:dir search;
')
2009-06-11 15:00:48 +00:00
########################################
## <summary>
## Read generic crypto sysctls.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_crypto_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_crypto_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
## Read general kernel sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
## <desc>
## <p>
## Allow the specified domain to read general
## kernel sysctl settings. These settings are typically
## read using the sysctl program. The settings
## that are included by this interface are prefixed
## with "kernel.", for example, kernel.sysrq.
## </p>
## <p>
## This does not include access to the hotplug
## handler setting (kernel.hotplug)
## nor the module installer handler setting
## (kernel.modprobe).
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>kernel_rw_kernel_sysctl()</li>
## </ul>
## </desc>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
## <infoflow type="read" weight="10"/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_kernel_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
2005-04-14 20:18:17 +00:00
')
2005-08-08 15:51:15 +00:00
########################################
## <summary>
## Do not audit attempts to write generic kernel sysctls.
## </summary>
## <param name="domain">
## <summary>
2005-08-08 15:51:15 +00:00
## Domain to not audit.
## </summary>
2005-08-08 15:51:15 +00:00
## </param>
#
interface(`kernel_dontaudit_write_kernel_sysctl',`
gen_require(`
type sysctl_kernel_t;
')
dontaudit $1 sysctl_kernel_t:file write;
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write generic kernel sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_kernel_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
2005-04-14 20:18:17 +00:00
')
#######################################
## <summary>
## Mount on kernel sysctl files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_mounton_kernel_sysctl_files',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
allow $1 sysctl_kernel_t:file { getattr mounton };
')
########################################
## <summary>
## Search filesystem sysctl directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_search_fs_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_fs_t;
')
search_dirs_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read filesystem sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_fs_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_fs_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write fileystem sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_fs_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_fs_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read IRQ sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_irq_sysctls',`
gen_require(`
type proc_t, sysctl_irq_t;
')
read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, sysctl_irq_t)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write IRQ sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_irq_sysctls',`
gen_require(`
type proc_t, sysctl_irq_t;
')
rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, proc_t, sysctl_irq_t)
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Read RPC sysctls.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_rpc_sysctls',`
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Read and write RPC sysctls.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_rpc_sysctls',`
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
2006-12-12 20:08:08 +00:00
list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
## Do not audit attempts to list all sysctl directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_list_all_sysctls',`
gen_require(`
attribute sysctl_type;
')
dontaudit $1 sysctl_type:dir list_dir_perms;
2009-06-11 15:00:48 +00:00
dontaudit $1 sysctl_type:file getattr;
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow caller to read all sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_read_all_sysctls',`
gen_require(`
attribute sysctl_type;
type proc_t, proc_net_t;
')
# proc_net_t for /proc/net/rpc sysctls
read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Read and write all sysctls.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-04-14 20:18:17 +00:00
#
interface(`kernel_rw_all_sysctls',`
gen_require(`
attribute sysctl_type;
type proc_t, proc_net_t;
')
# proc_net_t for /proc/net/rpc sysctls
rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
2006-12-12 20:08:08 +00:00
allow $1 sysctl_type:dir list_dir_perms;
# why is setattr needed?
allow $1 sysctl_type:file setattr;
2005-05-30 21:17:20 +00:00
')
2005-05-27 20:44:05 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a kill signal to unlabeled processes.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-27 20:44:05 +00:00
#
interface(`kernel_kill_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process sigkill;
2005-05-27 20:44:05 +00:00
')
2010-03-17 15:16:25 +00:00
########################################
## <summary>
## Mount a kernel unlabeled filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2010-03-17 15:16:25 +00:00
## </summary>
## </param>
#
interface(`kernel_mount_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:filesystem mount;
')
########################################
## <summary>
## Unmount a kernel unlabeled filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_unmount_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:filesystem unmount;
')
2010-03-17 15:16:25 +00:00
2005-05-27 20:44:05 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send general signals to unlabeled processes.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-27 20:44:05 +00:00
#
interface(`kernel_signal_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process signal;
2005-05-27 20:44:05 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a null signal to unlabeled processes.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-27 20:44:05 +00:00
#
interface(`kernel_signull_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process signull;
2005-05-27 20:44:05 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a stop signal to unlabeled processes.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-27 20:44:05 +00:00
#
interface(`kernel_sigstop_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process sigstop;
2005-05-27 20:44:05 +00:00
')
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Send a child terminated signal to unlabeled processes.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-10-22 21:55:39 +00:00
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-27 20:44:05 +00:00
#
interface(`kernel_sigchld_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process sigchld;
2005-05-27 20:44:05 +00:00
')
########################################
## <summary>
## Get the attributes of unlabeled directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_getattr_unlabeled_dirs',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir getattr_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search unlabeled directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_search_unlabeled',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:dir search_dir_perms;
')
2005-05-27 20:44:05 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
## List unlabeled directories.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-27 20:44:05 +00:00
#
interface(`kernel_list_unlabeled',`
gen_require(`
type unlabeled_t;
2005-07-08 20:44:57 +00:00
')
2006-12-12 20:08:08 +00:00
allow $1 unlabeled_t:dir list_dir_perms;
2005-07-08 20:44:57 +00:00
')
2007-10-29 18:35:32 +00:00
########################################
## <summary>
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_unlabeled_state',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir list_dir_perms;
read_files_pattern($1, unlabeled_t, unlabeled_t)
read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
2007-10-29 18:35:32 +00:00
')
2005-11-29 15:49:18 +00:00
########################################
## <summary>
## Do not audit attempts to list unlabeled directories.
## </summary>
## <param name="domain">
## <summary>
2005-11-29 15:49:18 +00:00
## Domain allowed access.
## </summary>
2005-11-29 15:49:18 +00:00
## </param>
#
interface(`kernel_dontaudit_list_unlabeled',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:dir list_dir_perms;
')
2005-07-08 20:44:57 +00:00
########################################
## <summary>
## Read and write unlabeled directories.
## </summary>
## <param name="domain">
## <summary>
2005-07-08 20:44:57 +00:00
## Domain allowed access.
## </summary>
2005-07-08 20:44:57 +00:00
## </param>
#
interface(`kernel_rw_unlabeled_dirs',`
2005-07-08 20:44:57 +00:00
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir rw_dir_perms;
')
########################################
## <summary>
## Delete unlabeled directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_delete_unlabeled_dirs',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir delete_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete unlabeled directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_manage_unlabeled_dirs',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir manage_dir_perms;
')
########################################
## <summary>
## Mount a filesystem on an unlabeled directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_mounton_unlabeled_dirs',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir { search_dir_perms mounton };
')
########################################
## <summary>
## Read unlabeled files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_unlabeled_files',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file read_file_perms;
')
########################################
## <summary>
## Read and write unlabeled files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_rw_unlabeled_files',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file rw_file_perms;
')
########################################
## <summary>
## Delete unlabeled files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_delete_unlabeled_files',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file delete_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete unlabeled files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_manage_unlabeled_files',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file manage_file_perms;
')
2005-10-22 19:58:58 +00:00
########################################
## <summary>
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-10-22 19:58:58 +00:00
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_files',`
2005-10-22 19:58:58 +00:00
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:file getattr;
')
2005-11-08 22:00:30 +00:00
########################################
## <summary>
## Do not audit attempts by caller to
## read an unlabeled file.
## </summary>
## <param name="domain">
## <summary>
2005-11-08 22:00:30 +00:00
## Domain to not audit.
## </summary>
2005-11-08 22:00:30 +00:00
## </param>
#
interface(`kernel_dontaudit_read_unlabeled_files',`
2005-11-08 22:00:30 +00:00
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:file { getattr read };
')
########################################
## <summary>
## Delete unlabeled symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_delete_unlabeled_symlinks',`
gen_require(`
type unlabeled_t;
')
delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
## <summary>
## Create, read, write, and delete unlabeled symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_manage_unlabeled_symlinks',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
')
2005-11-29 15:49:18 +00:00
########################################
## <summary>
## Do not audit attempts by caller to get the
## attributes of unlabeled symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-11-29 15:49:18 +00:00
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:lnk_file getattr;
')
########################################
## <summary>
## Do not audit attempts by caller to get the
## attributes of unlabeled named pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-11-29 15:49:18 +00:00
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:fifo_file getattr;
')
########################################
## <summary>
## Do not audit attempts by caller to get the
## attributes of unlabeled named sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-11-29 15:49:18 +00:00
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:sock_file getattr;
')
########################################
## <summary>
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
gen_require(`
type unlabeled_t;
')
2005-10-22 19:58:58 +00:00
dontaudit $1 unlabeled_t:blk_file getattr;
')
2005-07-08 20:44:57 +00:00
########################################
## <summary>
## Read and write unlabeled block device nodes.
## </summary>
## <param name="domain">
## <summary>
2005-07-08 20:44:57 +00:00
## Domain allowed access.
## </summary>
2005-07-08 20:44:57 +00:00
## </param>
#
interface(`kernel_rw_unlabeled_blk_files',`
2005-07-08 20:44:57 +00:00
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:blk_file rw_blk_file_perms;
')
########################################
## <summary>
## Delete unlabeled block device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_delete_unlabeled_blk_files',`
gen_require(`
type unlabeled_t;
')
delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
## <summary>
## Create, read, write, and delete unlabeled block device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_manage_unlabeled_blk_files',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:blk_file manage_blk_file_perms;
2005-05-27 20:44:05 +00:00
')
2005-11-29 15:49:18 +00:00
########################################
## <summary>
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2005-11-29 15:49:18 +00:00
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
2005-11-29 15:49:18 +00:00
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:chr_file getattr;
')
########################################
## <summary>
## Do not audit attempts to
## write unlabeled character devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_write_unlabeled_chr_files',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:file write;
')
########################################
## <summary>
## Delete unlabeled character device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_delete_unlabeled_chr_files',`
gen_require(`
type unlabeled_t;
')
delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
## <summary>
## Create, read, write, and delete unlabeled character device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_manage_unlabeled_chr_files',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:chr_file manage_chr_file_perms;
')
2005-05-27 20:44:05 +00:00
########################################
2005-07-08 20:44:57 +00:00
## <summary>
2006-02-03 17:57:16 +00:00
## Allow caller to relabel unlabeled directories.
2005-07-08 20:44:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-27 20:44:05 +00:00
#
2006-02-03 17:57:16 +00:00
interface(`kernel_relabelfrom_unlabeled_dirs',`
gen_require(`
type unlabeled_t;
')
2008-10-20 16:10:42 +00:00
allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
2006-02-03 17:57:16 +00:00
')
########################################
## <summary>
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2006-02-03 17:57:16 +00:00
## </param>
#
interface(`kernel_relabelfrom_unlabeled_files',`
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
allow $1 unlabeled_t:file { getattr relabelfrom };
')
########################################
## <summary>
## Allow caller to relabel unlabeled symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2006-02-03 17:57:16 +00:00
## </param>
#
interface(`kernel_relabelfrom_unlabeled_symlinks',`
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
')
########################################
## <summary>
## Allow caller to relabel unlabeled named pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2006-02-03 17:57:16 +00:00
## </param>
#
interface(`kernel_relabelfrom_unlabeled_pipes',`
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
')
########################################
## <summary>
## Delete unlabeled named pipes
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_delete_unlabeled_pipes',`
gen_require(`
type unlabeled_t;
')
delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
')
2006-02-03 17:57:16 +00:00
########################################
## <summary>
## Allow caller to relabel unlabeled named sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2006-02-03 17:57:16 +00:00
## </param>
#
interface(`kernel_relabelfrom_unlabeled_sockets',`
gen_require(`
type unlabeled_t;
')
2006-01-06 22:51:40 +00:00
kernel_list_unlabeled($1)
2006-02-03 17:57:16 +00:00
allow $1 unlabeled_t:sock_file { getattr relabelfrom };
2005-05-27 20:44:05 +00:00
')
########################################
## <summary>
## Delete unlabeled named sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_delete_unlabeled_sockets',`
gen_require(`
type unlabeled_t;
')
delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
')
2005-12-06 19:59:50 +00:00
########################################
## <summary>
## Send and receive messages from an
## unlabeled IPSEC association.
## </summary>
## <desc>
## <p>
## Send and receive messages from an
## unlabeled IPSEC association. Network
## connections that are not protected
## by IPSEC have use an unlabeled
## assocation.
## </p>
## <p>
## The corenetwork interface
2006-01-13 16:08:16 +00:00
## corenet_non_ipsec_sendrecv() should
2005-12-06 19:59:50 +00:00
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
2005-12-06 19:59:50 +00:00
## Domain allowed access.
## </summary>
2005-12-06 19:59:50 +00:00
## </param>
#
interface(`kernel_sendrecv_unlabeled_association',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:association { sendto recvfrom };
')
2006-09-19 17:02:29 +00:00
########################################
## <summary>
## Do not audit attempts to send and receive messages
## from an unlabeled IPSEC association.
## </summary>
## <desc>
## <p>
## Do not audit attempts to send and receive messages
## from an unlabeled IPSEC association. Network
## connections that are not protected
## by IPSEC have use an unlabeled
## assocation.
## </p>
## <p>
## The corenetwork interface
## corenet_dontaudit_non_ipsec_sendrecv() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:association { sendto recvfrom };
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
2008-12-03 19:16:20 +00:00
## Receive TCP packets from an unlabeled connection.
## </p>
## <p>
## The corenetwork interface corenet_tcp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_tcp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:tcp_socket recvfrom;
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
## <desc>
## <p>
2008-12-03 19:16:20 +00:00
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
2008-12-03 19:16:20 +00:00
## </p>
## <p>
## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:tcp_socket recvfrom;
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Receive UDP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
2008-12-03 19:16:20 +00:00
## Receive UDP packets from an unlabeled connection.
## </p>
## <p>
## The corenetwork interface corenet_udp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_udp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:udp_socket recvfrom;
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
## </summary>
## <desc>
## <p>
2008-12-03 19:16:20 +00:00
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
2008-12-03 19:16:20 +00:00
## </p>
## <p>
## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:udp_socket recvfrom;
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Receive Raw IP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
2008-12-03 19:16:20 +00:00
## Receive Raw IP packets from an unlabeled connection.
## </p>
## <p>
## The corenetwork interface corenet_raw_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_raw_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:rawip_socket recvfrom;
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
## </summary>
## <desc>
## <p>
2008-12-03 19:16:20 +00:00
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
2008-12-03 19:16:20 +00:00
## </p>
## <p>
## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:rawip_socket recvfrom;
')
########################################
## <summary>
## Send and receive unlabeled packets.
## </summary>
## <desc>
## <p>
## Send and receive unlabeled packets.
## These packets do not match any netfilter
## SECMARK rules.
## </p>
## <p>
## The corenetwork interface
## corenet_sendrecv_unlabeled_packets() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_sendrecv_unlabeled_packets',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:packet { send recv };
')
########################################
## <summary>
## Receive packets from an unlabeled peer.
## </summary>
## <desc>
## <p>
## Receive packets from an unlabeled peer, these packets do not have any
2008-12-03 19:16:20 +00:00
## peer labeling information present.
## </p>
## <p>
## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_recvfrom_unlabeled_peer',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:peer recv;
')
########################################
## <summary>
## Do not audit attempts to receive packets from an unlabeled peer.
## </summary>
## <desc>
## <p>
## Do not audit attempts to receive packets from an unlabeled peer,
2008-12-03 19:16:20 +00:00
## these packets do not have any peer labeling information present.
## </p>
## <p>
## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:peer recv;
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Relabel from unlabeled database objects.
## </summary>
## <param name="domain">
2008-12-03 19:16:20 +00:00
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_relabelfrom_unlabeled_database',`
gen_require(`
type unlabeled_t;
class db_database { setattr relabelfrom };
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
class db_schema { setattr relabelfrom };
class db_table { setattr relabelfrom };
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
class db_sequence { setattr relabelfrom };
class db_view { setattr relabelfrom };
class db_procedure { setattr relabelfrom };
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
class db_language { setattr relabelfrom };
class db_column { setattr relabelfrom };
class db_tuple { update relabelfrom };
class db_blob { setattr relabelfrom };
')
allow $1 unlabeled_t:db_database { setattr relabelfrom };
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
allow $1 unlabeled_t:db_schema { setattr relabelfrom };
allow $1 unlabeled_t:db_table { setattr relabelfrom };
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
allow $1 unlabeled_t:db_sequence { setattr relabelfrom };
allow $1 unlabeled_t:db_view { setattr relabelfrom };
allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
allow $1 unlabeled_t:db_language { setattr relabelfrom };
allow $1 unlabeled_t:db_column { setattr relabelfrom };
allow $1 unlabeled_t:db_tuple { update relabelfrom };
allow $1 unlabeled_t:db_blob { setattr relabelfrom };
')
2005-07-05 20:59:51 +00:00
########################################
## <summary>
2006-01-13 16:08:16 +00:00
## Unconfined access to kernel module resources.
2005-07-05 20:59:51 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-07-05 20:59:51 +00:00
## Domain allowed access.
## </summary>
2005-07-05 20:59:51 +00:00
## </param>
#
interface(`kernel_unconfined',`
gen_require(`
attribute kern_unconfined;
2005-07-05 20:59:51 +00:00
')
typeattribute $1 kern_unconfined;
kernel_load_module($1)
2005-07-05 20:59:51 +00:00
')
########################################
## <summary>
## Read virtual memory overcommit sysctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_read_vm_overcommit_sysctl',`
gen_require(`
type sysctl_vm_overcommit_t;
')
kernel_search_vm_sysctl($1)
allow $1 sysctl_vm_overcommit_t:file read_file_perms;
')
########################################
## <summary>
## Read and write virtual memory overcommit sysctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_rw_vm_overcommit_sysctl',`
gen_require(`
type sysctl_vm_overcommit_t;
')
kernel_search_vm_sysctl($1)
allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
')
########################################
## <summary>
## Access unlabeled infiniband pkeys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_ib_access_unlabeled_pkeys',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:infiniband_pkey access;
')
########################################
## <summary>
## Manage subnet on unlabeled Infiniband endports.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_ib_manage_subnet_unlabeled_endports',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:infiniband_endport manage_subnet;
')