selinux-refpolicy/policy/modules/system/selinuxutil.if

## <summary>Policy for SELinux policy and userland applications.</summary>
########################################
## <summary>
##	Execute checkpolicy with a domain
##	transition to the checkpolicy domain.
## </summary>
## <desc>
##	<p>
##	Allow the domain to run the checkpolicy
##	program and transition to the checkpolicy
##	domain on execution. Search access on the
##	directories leading to the program is
##	granted as well.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_checkpolicy',`
	gen_require(`
		type checkpolicy_exec_t, checkpolicy_t;
	')

	# reach the binary through /usr and the bin directories
	corecmd_search_bin($1)
	files_search_usr($1)

	domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
')
########################################
## <summary>
##	Execute checkpolicy in the checkpolicy domain
##	and authorize the given role for that domain.
## </summary>
## <desc>
##	<p>
##	Combines the checkpolicy domain transition
##	with a role authorization, so that the
##	resulting checkpolicy process is valid
##	under the caller's role.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_checkpolicy',`
	gen_require(`
		type checkpolicy_t;
	')

	# the role must be permitted the target domain or the
	# transition would yield an invalid context
	role $2 types checkpolicy_t;
	seutil_domtrans_checkpolicy($1)
')
########################################
## <summary>
##	Execute checkpolicy without a domain
##	transition, staying in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_exec_checkpolicy',`
	gen_require(`
		type checkpolicy_exec_t;
	')

	corecmd_search_bin($1)
	files_search_usr($1)

	# no transition: the program runs with the privileges of $1
	can_exec($1, checkpolicy_exec_t)
')
########################################
## <summary>
##	Execute load_policy with a domain
##	transition to the load_policy domain.
## </summary>
## <desc>
##	<p>
##	Allow the domain to run the load_policy
##	program and transition to the load_policy
##	domain on execution. Only bin directory
##	search is granted here; callers needing
##	/usr search must add it themselves.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_loadpolicy',`
	gen_require(`
		type load_policy_exec_t, load_policy_t;
	')

	domtrans_pattern($1, load_policy_exec_t, load_policy_t)
	corecmd_search_bin($1)
')
########################################
## <summary>
##	Execute load_policy in the load_policy domain
##	and authorize the given role for that domain.
## </summary>
## <desc>
##	<p>
##	Combines the load_policy domain transition
##	with a role authorization for the resulting
##	process.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_loadpolicy',`
	gen_require(`
		type load_policy_t;
	')

	role $2 types load_policy_t;
	seutil_domtrans_loadpolicy($1)
')
########################################
## <summary>
##	Execute load_policy without a domain
##	transition, staying in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_loadpolicy',`
	gen_require(`
		type load_policy_exec_t;
	')

	# runs with the privileges of $1, no transition
	can_exec($1, load_policy_exec_t)
	corecmd_search_bin($1)
')
########################################
## <summary>
##	Read the load_policy program file
##	(read access only, no execute).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_loadpolicy',`
	gen_require(`
		type load_policy_exec_t;
	')

	allow $1 load_policy_exec_t:file read_file_perms;
	corecmd_search_bin($1)
')
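########################################
## <summary>
##	Execute newrole in the newrole domain.
## </summary>
## <desc>
##	<p>
##	Allow the domain to run the newrole program
##	with a domain transition to the newrole
##	domain. Search access on /usr and the bin
##	directories is granted so the program can
##	be reached.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_newrole',`
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, newrole_exec_t, newrole_t)
')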
########################################
## <summary>
##	Execute newrole in the newrole domain and
##	add the given role to the newrole role set.
## </summary>
## <desc>
##	<p>
##	Combines the newrole domain transition with
##	membership of the role in the newrole_roles
##	role attribute, which carries the role
##	authorizations for the newrole domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_newrole',`
	gen_require(`
		attribute_role newrole_roles;
	')

	# role authorization is expressed via the role attribute
	roleattribute $2 newrole_roles;
	seutil_domtrans_newrole($1)
')
########################################
## <summary>
##	Execute newrole without a domain
##	transition, staying in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_newrole',`
	gen_require(`
		type newrole_exec_t;
	')

	corecmd_search_bin($1)
	files_search_usr($1)

	can_exec($1, newrole_exec_t)
')
########################################
## <summary>
##	Do not audit attempts by the domain to
##	send a generic signal to newrole.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_signal_newrole',`
	gen_require(`
		type newrole_t;
	')

	# suppress the denial only; access is still refused
	dontaudit $1 newrole_t:process signal;
')
########################################
## <summary>
##	Send a SIGCHLD signal to newrole.
## </summary>
## <desc>
##	<p>
##	Permit the domain to deliver SIGCHLD to the
##	newrole domain. The kernel sends this signal
##	to the parent when a child exits, so domains
##	that are started by newrole typically need it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="1"/>
#
interface(`seutil_sigchld_newrole',`
	gen_require(`
		type newrole_t;
	')

	allow $1 newrole_t:process sigchld;
')
########################################
## <summary>
##	Use file descriptors inherited from newrole.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_use_newrole_fds',`
	gen_require(`
		type newrole_t;
	')

	# fd use covers descriptors created by newrole_t and inherited by $1
	allow $1 newrole_t:fd use;
')
########################################
## <summary>
##	Do not audit attempts to use file
##	descriptors inherited from newrole.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_use_newrole_fds',`
	gen_require(`
		type newrole_t;
	')

	dontaudit $1 newrole_t:fd use;
')
########################################
## <summary>
##	Execute run_init with a domain
##	transition to the run_init domain.
## </summary>
## <desc>
##	<p>
##	Allow the domain to run the run_init program
##	and transition to the run_init domain on
##	execution, with search access on /usr and the
##	bin directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_runinit',`
	gen_require(`
		type run_init_exec_t, run_init_t;
	')

	corecmd_search_bin($1)
	files_search_usr($1)

	domtrans_pattern($1, run_init_exec_t, run_init_t)
')
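########################################
## <summary>
##	Execute a file of the given type in the run_init domain.
## </summary>
## <desc>
##	<p>
##	Make the given file type an entry point of the
##	run_init domain and transition the caller into
##	run_init when it executes such a file. This is
##	used for the Gentoo integrated run_init.
##	</p>
##	<p>
##	The run_init domain is additionally allowed to use
##	inherited file descriptors and pipes of the caller
##	and to send it SIGCHLD, mirroring what
##	domtrans_pattern grants.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	Type of entry file.
##	</summary>
## </param>
#
interface(`seutil_labeled_init_script_domtrans_runinit',`
	gen_require(`
		type run_init_t;
	')

	# $2 becomes an entrypoint of run_init_t
	domain_entry_file(run_init_t, $2)
	domain_auto_transition_pattern($1, $2, run_init_t)

	# inherited fds/pipes and child exit notification back to the caller
	allow run_init_t $1:fd use;
	allow run_init_t $1:fifo_file rw_inherited_fifo_file_perms;
	allow run_init_t $1:process sigchld;
')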
########################################
## <summary>
##	Execute init scripts in the run_init domain.
## </summary>
## <desc>
##	<p>
##	Transition the caller into the run_init domain
##	when it executes an init script. This is used
##	for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_init_script_domtrans_runinit',`
	gen_require(`
		type run_init_t;
	')

	init_script_file_domtrans($1, run_init_t)

	# let run_init_t report exit status and keep using
	# descriptors and pipes inherited from the caller
	allow run_init_t $1:process sigchld;
	allow run_init_t $1:fifo_file rw_inherited_fifo_file_perms;
	allow run_init_t $1:fd use;
')
########################################
## <summary>
##	Execute run_init in the run_init domain and
##	add the given role to the run_init role set.
## </summary>
## <desc>
##	<p>
##	Combines the run_init domain transition with
##	membership of the role in the run_init_roles
##	role attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_runinit',`
	gen_require(`
		attribute_role run_init_roles;
	')

	roleattribute $2 run_init_roles;
	seutil_domtrans_runinit($1)
')
########################################
## <summary>
##	Execute init scripts in the run_init domain and
##	add the given role to the run_init role set.
## </summary>
## <desc>
##	<p>
##	Combines the init script transition into run_init
##	with membership of the role in the run_init_roles
##	role attribute.
##	</p>
##	<p>
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`seutil_init_script_run_runinit',`
	gen_require(`
		attribute_role run_init_roles;
	')

	roleattribute $2 run_init_roles;
	seutil_init_script_domtrans_runinit($1)
')
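########################################
## <summary>
##	Execute a file of the given type in the run_init
##	domain and add the given role to the run_init role set.
## </summary>
## <desc>
##	<p>
##	Combines the labeled entry file transition into
##	run_init with membership of the role in the
##	run_init_roles role attribute.
##	</p>
##	<p>
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="init_script_type">
##	<summary>
##	Type of init script.
##	</summary>
## </param>
#
interface(`seutil_labeled_init_script_run_runinit',`
	gen_require(`
		attribute_role run_init_roles;
	')

	# note the argument order: $3 is the entry file type, $2 the role
	seutil_labeled_init_script_domtrans_runinit($1, $3)
	roleattribute $2 run_init_roles;
')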
########################################
## <summary>
##	Use file descriptors inherited from run_init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_use_runinit_fds',`
	gen_require(`
		type run_init_t;
	')

	allow $1 run_init_t:fd use;
')
########################################
## <summary>
##	Execute setfiles with a domain
##	transition to the setfiles domain.
## </summary>
## <desc>
##	<p>
##	Allow the domain to run the setfiles program
##	and transition to the setfiles domain on
##	execution, with search access on /usr and the
##	bin directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_setfiles',`
	gen_require(`
		type setfiles_exec_t, setfiles_t;
	')

	corecmd_search_bin($1)
	files_search_usr($1)

	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
')
########################################
## <summary>
##	Execute setfiles in the setfiles domain
##	and authorize the given role for that domain.
## </summary>
## <desc>
##	<p>
##	Combines the setfiles domain transition with
##	a role authorization for the resulting process.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_setfiles',`
	gen_require(`
		type setfiles_t;
	')

	role $2 types setfiles_t;
	seutil_domtrans_setfiles($1)
')
########################################
## <summary>
##	Execute setfiles without a domain
##	transition, staying in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_setfiles',`
	gen_require(`
		type setfiles_exec_t;
	')

	corecmd_search_bin($1)
	files_search_usr($1)

	# runs with the privileges of $1, no transition
	can_exec($1, setfiles_exec_t)
')
########################################
## <summary>
##	Do not audit attempts to search the SELinux
##	configuration directory (/etc/selinux).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_search_config',`
	gen_require(`
		type selinux_config_t;
	')

	dontaudit $1 selinux_config_t:dir search_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to read the SELinux
##	userland configuration (/etc/selinux).
## </summary>
## <desc>
##	<p>
##	Silences both the directory search and the
##	file read denials on the configuration tree.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_read_config',`
	gen_require(`
		type selinux_config_t;
	')

	dontaudit $1 selinux_config_t:file read_file_perms;
	dontaudit $1 selinux_config_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read the general SELinux configuration files.
## </summary>
## <desc>
##	<p>
##	Grants directory listing, file read and symlink
##	read on the SELinux configuration tree, plus
##	search access on /etc to reach it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)

	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
	read_files_pattern($1, selinux_config_t, selinux_config_t)
	# listing (not just search) of the config directories
	allow $1 selinux_config_t:dir list_dir_perms;
')
########################################
## <summary>
##	Read and write the general SELinux configuration files.
## </summary>
## <desc>
##	<p>
##	Write access to the SELinux configuration tree
##	lets a domain change how policy is configured on
##	the system; it should be granted only to domains
##	that administer the policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_rw_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)

	rw_files_pattern($1, selinux_config_t, selinux_config_t)
	allow $1 selinux_config_t:dir list_dir_perms;
')
########################################
## <summary>
##	Create, read, write, and delete
##	the general SELinux configuration files.
## </summary>
## <desc>
##	<p>
##	Full file management on the SELinux
##	configuration tree, including creating and
##	removing files; directory management is a
##	separate interface. Grant only to domains that
##	administer the policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)

	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
	manage_files_pattern($1, selinux_config_t, selinux_config_t)
')
########################################
## <summary>
##	Create, read, write, and delete
##	the general SELinux configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_config_dirs',`
	gen_require(`
		type selinux_config_t;
	')

	# directory management only; file access is seutil_manage_config
	allow $1 selinux_config_t:dir manage_dir_perms;
	files_search_etc($1)
')
########################################
## <summary>
##	Search the policy directory holding
##	the default_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_search_default_contexts',`
	gen_require(`
		type default_context_t, selinux_config_t;
	')

	# search on /etc, then on the config tree down to the contexts dir
	files_search_etc($1)
	search_dirs_pattern($1, selinux_config_t, default_context_t)
')
########################################
## <summary>
##	Read the default_contexts files.
## </summary>
## <desc>
##	<p>
##	Grants listing of the default_contexts directory
##	and read access to the files in it, with search
##	access on the path leading there.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_default_contexts',`
	gen_require(`
		type default_context_t, selinux_config_t;
	')

	files_search_etc($1)

	read_files_pattern($1, default_context_t, default_context_t)
	list_dirs_pattern($1, selinux_config_t, default_context_t)
')
########################################
## <summary>
##	Create, read, write, and delete the default_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_default_contexts',`
	gen_require(`
		type default_context_t, selinux_config_t;
	')

	files_search_etc($1)

	manage_files_pattern($1, default_context_t, default_context_t)
	# only search (not write) on the parent config directory
	allow $1 selinux_config_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read the file_contexts files.
## </summary>
## <desc>
##	<p>
##	Grants read and map access to the file_contexts
##	files. The map permission is checked by the kernel
##	on mmap(2), so it is needed when the caller memory
##	maps the contexts files rather than reading them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_file_contexts',`
	gen_require(`
		type file_context_t, default_context_t, selinux_config_t;
	')

	files_search_etc($1)
	allow $1 { default_context_t selinux_config_t }:dir search_dir_perms;

	# map is separate from read so that mmap of this type can be
	# denied independently where revocation matters
	allow $1 file_context_t:file map;
	read_files_pattern($1, file_context_t, file_context_t)
')
########################################
## <summary>
##	Do not audit attempts to read the file_contexts files.
## </summary>
## <desc>
##	<p>
##	Silences directory search, file read and file map
##	denials on the file_contexts files and their
##	parent directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_dontaudit_read_file_contexts',`
	gen_require(`
		type file_context_t, default_context_t, selinux_config_t;
	')

	dontaudit $1 file_context_t:file map;
	dontaudit $1 file_context_t:file read_file_perms;
	dontaudit $1 { file_context_t default_context_t selinux_config_t }:dir search_dir_perms;
')
########################################
## <summary>
##	Read and write the file_contexts files.
## </summary>
## <desc>
##	<p>
##	Grants read, write and map access to the
##	file_contexts files, with search access on the
##	directories leading to them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_rw_file_contexts',`
	gen_require(`
		type file_context_t, default_context_t, selinux_config_t;
	')

	files_search_etc($1)
	allow $1 { default_context_t selinux_config_t }:dir search_dir_perms;

	# map is required for mmap(2) of the contexts files
	allow $1 file_context_t:file map;
	rw_files_pattern($1, file_context_t, file_context_t)
')
########################################
## <summary>
##	Create, read, write, and delete the file_contexts files.
## </summary>
## <desc>
##	<p>
##	Full file management plus map access on the
##	file_contexts files, with search access on the
##	directories leading to them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_file_contexts',`
	gen_require(`
		type file_context_t, default_context_t, selinux_config_t;
	')

	files_search_etc($1)
	allow $1 { default_context_t selinux_config_t }:dir search_dir_perms;

	# map is required for mmap(2) of the contexts files
	allow $1 file_context_t:file map;
	manage_files_pattern($1, file_context_t, file_context_t)
')
########################################
## <summary>
## Read the SELinux binary policy.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`seutil_read_bin_policy',`
gen_require(`
type selinux_config_t, policy_config_t;
')
2005-06-17 17:59:26 +00:00
files_search_etc($1)
2006-12-12 20:08:08 +00:00
allow $1 selinux_config_t:dir search_dir_perms;
2009-06-26 14:40:13 +00:00
read_files_pattern($1, policy_config_t, policy_config_t)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. 
Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow $1 policy_config_t:file map;
2005-04-14 20:18:17 +00:00
')
########################################
## <summary>
##	Create the SELinux binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_create_bin_policy',`
	gen_require(`
		# attribute can_write_binary_policy;
		type policy_config_t;
		type selinux_config_t;
	')

	# Path traversal: /etc, then the SELinux configuration directory.
	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;

	# Create and write access only; the full read/write/delete set lives
	# in seutil_manage_bin_policy().
	write_files_pattern($1, policy_config_t, policy_config_t)
	create_files_pattern($1, policy_config_t, policy_config_t)

	# NOTE(review): unlike seutil_manage_bin_policy(), this interface does
	# not place the caller on can_write_binary_policy (both the require
	# and the typeattribute are commented out). Presumably the matching
	# neverallow on policy_config_t writes is disabled in the .te; confirm
	# before relying on that attribute to gate who may write the policy.
	# typeattribute $1 can_write_binary_policy;
')
########################################
## <summary>
##	Allow the caller to relabel a file to the binary policy type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_relabelto_bin_policy',`
	gen_require(`
		attribute can_relabelto_binary_policy;
		type policy_config_t;
	')

	# The attribute and the allow are granted together: a neverallow on
	# policy_config_t:file relabelto would key on the attribute
	# (presumably in selinuxutil.te - confirm), so a caller must never
	# receive one without the other.
	typeattribute $1 can_relabelto_binary_policy;
	allow $1 policy_config_t:file relabelto;
')
########################################
## <summary>
##	Create, read, write, and delete the SELinux
##	binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_bin_policy',`
	gen_require(`
		attribute can_write_binary_policy;
		type policy_config_t;
		type selinux_config_t;
	')

	# Path traversal: /etc, then the SELinux configuration directory.
	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;

	# Marks the domain as a legitimate writer of the binary policy; the
	# attribute presumably backs a neverallow elsewhere - confirm in the .te.
	typeattribute $1 can_write_binary_policy;

	# Full create/read/write/delete on the policy files. map is NOT part of
	# this set: a caller that mmap()s the binary policy additionally needs
	# seutil_read_bin_policy(), which is where map is granted.
	manage_files_pattern($1, policy_config_t, policy_config_t)
')
########################################
## <summary>
##	Read SELinux policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_src_policy',`
	gen_require(`
		type policy_src_t;
		type selinux_config_t;
	')

	files_search_etc($1)

	# List the policy source tree below the SELinux configuration
	# directory and read the source files within it.
	read_files_pattern($1, policy_src_t, policy_src_t)
	list_dirs_pattern($1, selinux_config_t, policy_src_t)
')
########################################
## <summary>
##	Create, read, write, and delete SELinux
##	policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_src_policy',`
	gen_require(`
		type policy_src_t;
		type selinux_config_t;
	')

	# Path traversal: /etc, then the SELinux configuration directory.
	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;

	# Full management of the policy source dirs and files. A domain with
	# this access controls what goes into the next policy build, so the
	# interface is role-capable and meant for administrative callers.
	manage_files_pattern($1, policy_src_t, policy_src_t)
	manage_dirs_pattern($1, policy_src_t, policy_src_t)
')
########################################
## <summary>
##	Execute a domain transition to run semanage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_semanage',`
	gen_require(`
		type semanage_exec_t;
		type semanage_t;
	')

	# Reach the executable (search /usr and the bin directories), then
	# transition to semanage_t on execution of semanage_exec_t.
	corecmd_search_bin($1)
	files_search_usr($1)
	domtrans_pattern($1, semanage_exec_t, semanage_t)
')
########################################
## <summary>
##	Execute semanage in the semanage domain, and
##	allow the specified role the semanage domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_semanage',`
	gen_require(`
		attribute_role semanage_roles;
	')

	# The role is attached through the semanage_roles role attribute (the
	# role/type pairing is declared in the .te), rather than a direct
	# "role $2 types <domain>;" statement as in the older interfaces.
	# Presumably semanage_t is the domain that rewrites the module store,
	# so granting it to a role is an administrative capability - restrict
	# callers accordingly.
	roleattribute $2 semanage_roles;
	seutil_domtrans_semanage($1)
')
########################################
## <summary>
##	Read the semanage module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_module_store',`
	gen_require(`
		type selinux_config_t;
		type semanage_store_t;
	')

	# The store may live under /etc or /var; both are searched.
	files_search_etc($1)
	files_search_var($1)

	# Listing from the configuration directory down through the store,
	# then read of regular files and symlinks. map is granted as well,
	# since mmap(2) of store files is checked separately from read.
	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
	list_dirs_pattern($1, semanage_store_t, semanage_store_t)
	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
	read_files_pattern($1, semanage_store_t, semanage_store_t)
	allow $1 semanage_store_t:file map;
')
########################################
## <summary>
##	Full management of the semanage
##	module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_module_store',`
	gen_require(`
		type selinux_config_t;
		type semanage_store_t;
	')

	# The store may live under /etc or /var; both are searched.
	files_search_etc($1)
	files_search_var($1)

	# Create/read/write/delete of the store directories (including the
	# store's entry in the configuration directory), files and symlinks.
	# map is included because mmap(2) of store files is checked separately
	# from read/write. This is the write side of the policy store, so it
	# belongs to policy-administration domains only.
	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
	manage_files_pattern($1, semanage_store_t, semanage_store_t)
	allow $1 semanage_store_t:file map;
	manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
')
#######################################
## <summary>
##	Get the read lock on the semanage module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_read_lock',`
	gen_require(`
		type selinux_config_t;
		type semanage_read_lock_t;
	')

	# Read/write access (rw_file_perms, which carries the lock permission
	# the lock file needs) on the read-lock file below the SELinux
	# configuration directory.
	rw_files_pattern($1, selinux_config_t, semanage_read_lock_t)
	files_search_etc($1)
')
#######################################
## <summary>
##	Get the transaction lock on the semanage module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_trans_lock',`
	gen_require(`
		type selinux_config_t;
		type semanage_trans_lock_t;
	')

	# Read/write access (rw_file_perms, which carries the lock permission
	# the lock file needs) on the transaction-lock file below the SELinux
	# configuration directory. Holding this lock serialises store writers,
	# so it is normally paired with seutil_manage_module_store().
	rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t)
	files_search_etc($1)
')
########################################
## <summary>
##	SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked against libselinux. This interface
##	grants the access the libselinux constructor
##	needs in order to function.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_libselinux_linked',`
	# Two things the libselinux constructor touches: the SELinux
	# configuration and the selinuxfs mount point.
	seutil_read_config($1)
	selinux_get_fs_mount($1)
')
########################################
## <summary>
##	Do not audit SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked against libselinux. This interface
##	dontaudits the access the libselinux
##	constructor needs in order to function.
##	</p>
##	<p>
##	Generally this should not be used on anything
##	but simple SELinux-enabled programs that do not
##	rely on data initialized by the libselinux
##	constructor.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_libselinux_linked',`
	# Silence, rather than grant, the two accesses the libselinux
	# constructor attempts: reading the SELinux configuration and
	# locating the selinuxfs mount. The denials still happen; only the
	# audit records are suppressed, so a program that actually depends
	# on constructor-initialised data needs seutil_libselinux_linked().
	seutil_dontaudit_read_config($1)
	selinux_dontaudit_get_fs_mount($1)
')