selinux-refpolicy/policy/modules/kernel/domain.if

## <summary>Core policy for domains.</summary>
## <required val="true">
## Contains the concept of a domain.
## </required>
########################################
## <summary>
##	Make the specified type usable as a basic domain.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable as a basic domain.
##	</p>
##	<p>
##	This is primarily used for kernel threads;
##	generally the domain_type() interface is
##	more appropriate for userland processes.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as a basic domain type.
##	</summary>
## </param>
#
interface(`domain_base_type',`
	gen_require(`
		attribute domain;
	')

	# Only the domain attribute is assigned here. The additional
	# rules a userland process normally needs (init signalling,
	# selinuxfs dontaudits, ...) are layered on by domain_type().
	typeattribute $1 domain;
')
########################################
## <summary>
##	Make the specified type usable as a domain.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable as a domain. This,
##	or an interface that calls this interface, must be
##	used on all types that are used as domains.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>application_domain()</li>
##		<li>init_daemon_domain()</li>
##		<li>init_domain()</li>
##		<li>init_ranged_daemon_domain()</li>
##		<li>init_ranged_domain()</li>
##		<li>init_ranged_system_domain()</li>
##		<li>init_script_domain()</li>
##		<li>init_system_domain()</li>
##	</ul>
##	<p>
##	Example:
##	</p>
##	<p>
##	type mydomain_t;
##	domain_type(mydomain_t)
##	type myfile_t;
##	files_type(myfile_t)
##	allow mydomain_t myfile_t:file read_file_perms;
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as a domain type.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`domain_type',`
	# start with basic domain
	domain_base_type($1)

	# Distribution-specific: on Red Hat builds every domain may
	# inherit and use file descriptors from unconfined domains.
	ifdef(`distro_redhat',`
		optional_policy(`
			unconfined_use_fds($1)
		')
	')

	# send init a sigchld and signull
	optional_policy(`
		init_sigchld($1)
		init_signull($1)
	')

	# these seem questionable:
	optional_policy(`
		rpm_use_fds($1)
		rpm_read_pipes($1)
	')

	# Suppress the noise from libselinux probing the selinux
	# filesystem and its configuration; dontaudit grants nothing.
	optional_policy(`
		selinux_dontaudit_getattr_fs($1)
		selinux_dontaudit_read_fs($1)
	')

	optional_policy(`
		seutil_dontaudit_read_config($1)
	')
')
########################################
## <summary>
##	Make the specified type usable as
##	an entry point for the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be entered.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	Type of program used for entering
##	the domain.
##	</summary>
## </param>
#
interface(`domain_entry_file',`
	gen_require(`
		attribute entry_type;
	')

	# entrypoint is the permission checked on a domain transition:
	# only files of type $2 may be executed to land in $1.
	allow $1 $2:file entrypoint;
	# The domain must also be able to map and execute its own
	# entry point once it is running in it.
	allow $1 $2:file { mmap_exec_file_perms ioctl lock };

	# Tag the file so the *_all_entry_files() interfaces below
	# can reach it, and mark it as an executable.
	typeattribute $2 entry_type;
	corecmd_executable_file($2)
')
########################################
## <summary>
##	Make the file descriptors of the specified domain
##	available for interactive use (widely inheritable).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_interactive_fd',`
	gen_require(`
		attribute privfd;
	')

	# privfd is the attribute that domain_use_interactive_fds()
	# and domain_sigchld_interactive_fds() key on.
	typeattribute $1 privfd;
')
########################################
## <summary>
##	Allow the specified domain to perform
##	dynamic transitions.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to perform
##	dynamic transitions.
##	</p>
##	<p>
##	This violates process tranquility, and it
##	is strongly suggested that this not be used.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_dyntrans_type',`
	gen_require(`
		attribute set_curr_context;
	')

	# Only the attribute is assigned here; the rules and
	# constraints that act on set_curr_context live elsewhere.
	typeattribute $1 set_curr_context;
')
########################################
## <summary>
##	Makes caller an exception to the constraint
##	preventing changing to the system user
##	identity and system role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_system_change_exemption',`
	gen_require(`
		attribute can_system_change;
	')

	# The constraint that references can_system_change is defined
	# outside this module; this only opts the caller out of it.
	typeattribute $1 can_system_change;
')
########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing of user identity.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
#
interface(`domain_subj_id_change_exemption',`
	gen_require(`
		attribute can_change_process_identity;
	')

	# Opt the caller out of the user-identity constraint; the
	# constraint itself is defined outside this module.
	typeattribute $1 can_change_process_identity;
')
########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing of role.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
#
interface(`domain_role_change_exemption',`
	gen_require(`
		attribute can_change_process_role;
	')

	# Opt the caller out of the role-change constraint; the
	# constraint itself is defined outside this module.
	typeattribute $1 can_change_process_role;
')
########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing the user identity in object contexts.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_obj_id_change_exemption',`
	gen_require(`
		attribute can_change_object_identity;
	')

	# Opt the caller out of the object user-identity constraint;
	# the constraint itself is defined outside this module.
	typeattribute $1 can_change_object_identity;
')
########################################
## <summary>
##	Make the specified domain the target of
##	the user domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>
##	Make the specified domain the target of
##	the user domain exception of the
##	SELinux role and identity change
##	constraints.
##	</p>
##	<p>
##	This interface is needed to decouple
##	the user domains from the base module.
##	It should not be used other than on
##	user domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain target for user exemption.
##	</summary>
## </param>
#
interface(`domain_user_exemption_target',`
	gen_require(`
		attribute process_user_target;
	')

	# Only the attribute is assigned; the constraint exception
	# referencing process_user_target lives outside this module.
	typeattribute $1 process_user_target;
')
########################################
## <summary>
##	Make the specified domain the source of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>
##	Make the specified domain the source of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
##	</p>
##	<p>
##	This interface is needed to decouple
##	the cron domains from the base module.
##	It should not be used other than on
##	cron domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain source for the cron exemption.
##	</summary>
## </param>
#
interface(`domain_cron_exemption_source',`
	gen_require(`
		attribute cron_source_domain;
	')

	# Pairs with domain_cron_exemption_target(): the constraint
	# exception is between cron_source_domain and cron_job_domain.
	typeattribute $1 cron_source_domain;
')
########################################
## <summary>
##	Make the specified domain the target of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>
##	Make the specified domain the target of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
##	</p>
##	<p>
##	This interface is needed to decouple
##	the cron domains from the base module.
##	It should not be used other than on
##	user cron jobs.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain target for the cron exemption.
##	</summary>
## </param>
#
interface(`domain_cron_exemption_target',`
	gen_require(`
		attribute cron_job_domain;
	')

	# Pairs with domain_cron_exemption_source(): the constraint
	# exception is between cron_source_domain and cron_job_domain.
	typeattribute $1 cron_job_domain;
')
########################################
## <summary>
##	Inherit and use file descriptors from
##	domains with interactive programs.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to inherit and use file
##	descriptors from domains with interactive programs.
##	This does not allow access to the objects being referenced
##	by the file descriptors.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="1"/>
#
interface(`domain_use_interactive_fds',`
	gen_require(`
		attribute privfd;
	')

	# fd:use only covers the descriptor; the object behind it is
	# still checked against $1 separately.
	allow $1 privfd:fd use;
')
########################################
## <summary>
##	Do not audit attempts to inherit file
##	descriptors from domains with interactive
##	programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_use_interactive_fds',`
	gen_require(`
		attribute privfd;
	')

	# Suppresses the denial only; the access is still refused.
	dontaudit $1 privfd:fd use;
')
########################################
## <summary>
##	Send a SIGCHLD signal to domains whose file
##	descriptors are widely inheritable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: this was added because of newrole
interface(`domain_sigchld_interactive_fds',`
	gen_require(`
		attribute privfd;
	')

	# sigchld is the only signal permission granted here.
	allow $1 privfd:process sigchld;
')
########################################
## <summary>
##	Set the nice level of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_setpriority_all_domains',`
	gen_require(`
		attribute domain;
	')

	# setsched is the process permission covering scheduling
	# and priority changes on another process.
	allow $1 domain:process setsched;
')
########################################
## <summary>
##	Send general signals to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_signal_all_domains',`
	gen_require(`
		attribute domain;
	')

	# "signal" covers the generic signals; sigkill, sigstop,
	# sigchld and signull each have their own permission and
	# their own interface in this file.
	allow $1 domain:process signal;
')
########################################
## <summary>
##	Do not audit attempts to send general
##	signals to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_dontaudit_signal_all_domains',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:process signal;
')
########################################
## <summary>
##	Send a null signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_signull_all_domains',`
	gen_require(`
		attribute domain;
	')

	# signull (kill -0) only checks for process existence.
	allow $1 domain:process signull;
')
########################################
## <summary>
##	Send a stop signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_sigstop_all_domains',`
	gen_require(`
		attribute domain;
	')

	# sigstop is separate from the generic "signal" permission.
	allow $1 domain:process sigstop;
')
########################################
## <summary>
##	Send a child terminated signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_sigchld_all_domains',`
	gen_require(`
		attribute domain;
	')

	# sigchld is separate from the generic "signal" permission.
	allow $1 domain:process sigchld;
')
########################################
## <summary>
##	Send a kill signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_kill_all_domains',`
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process sigkill;
	# The DAC capability check (CAP_KILL) is separate from the
	# SELinux sigkill permission, so both are granted here.
	allow $1 self:capability kill;
')
########################################
## <summary>
##	Search the process state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_search_all_domains_state',`
	gen_require(`
		attribute domain;
	')

	# /proc itself must be searchable before the per-process
	# directories (labelled with the process domain) can be.
	kernel_search_proc($1)
	allow $1 domain:dir search_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to search the process
##	state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_search_all_domains_state',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:dir search_dir_perms;
')
########################################
## <summary>
##	Read the process state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_read_all_domains_state',`
	gen_require(`
		attribute domain;
	')

	# /proc itself must be searchable first; the /proc/pid
	# entries are labelled with the process domain, so reading
	# them is a read of "domain"-typed dirs, files and symlinks.
	kernel_search_proc($1)
	allow $1 domain:dir list_dir_perms;
	read_files_pattern($1, domain, domain)
	read_lnk_files_pattern($1, domain, domain)
')
########################################
## <summary>
##	Get the attributes of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_getattr_all_domains',`
	gen_require(`
		attribute domain;
	')

	# process:getattr only; reading /proc/pid contents is
	# domain_read_all_domains_state().
	allow $1 domain:process getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_domains',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:process getattr;
')
########################################
## <summary>
##	Read the process state (/proc/pid) of all confined domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_read_confined_domains_state',`
	gen_require(`
		attribute domain, unconfined_domain_type;
	')

	kernel_search_proc($1)

	# Unconfined domains are excluded from every allow rule so
	# that $1 cannot read their /proc/pid state.
	allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
	read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
	read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })

	# The access to unconfined domains stays denied; only the
	# resulting audit messages are silenced.
	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
	dontaudit $1 unconfined_domain_type:file read_file_perms;
	dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
##	Get the attributes of all confined domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_getattr_confined_domains',`
	gen_require(`
		attribute domain, unconfined_domain_type;
	')

	# Unconfined domains are carved out of the target set.
	allow $1 { domain -unconfined_domain_type }:process getattr;
')
########################################
## <summary>
##	Ptrace all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_ptrace_all_domains',`
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process ptrace;
	# A traced process notifies its tracer with SIGCHLD, so the
	# reverse direction (tracee -> $1) is needed as well.
	allow domain $1:process sigchld;
')
########################################
## <summary>
##	Do not audit attempts to ptrace all domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to ptrace all domains.
##	</p>
##	<p>
##	Generally this needs to be suppressed because procps tries to access
##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
##	(2.4 and 2.6).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_ptrace_all_domains',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; ptrace stays denied.
	dontaudit $1 domain:process ptrace;
')
########################################
## <summary>
##	Do not audit attempts to ptrace confined domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to ptrace confined domains.
##	</p>
##	<p>
##	Generally this needs to be suppressed because procps tries to access
##	/proc/pid/environ and this now triggers a ptrace check in recent kernels
##	(2.4 and 2.6).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_ptrace_confined_domains',`
	gen_require(`
		attribute domain, unconfined_domain_type;
	')

	# Denials against unconfined domains are deliberately left
	# audited; only the confined set is silenced.
	dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
')
########################################
## <summary>
##	Do not audit attempts to read the process
##	state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_read_all_domains_state',`
	gen_require(`
		attribute domain;
	')

	# Mirrors what domain_read_all_domains_state() allows, but
	# only silences the denials.
	dontaudit $1 domain:dir list_dir_perms;
	dontaudit $1 domain:lnk_file read_lnk_file_perms;
	dontaudit $1 domain:file read_file_perms;

	# cjp: these should be removed:
	dontaudit $1 domain:sock_file read_sock_file_perms;
	dontaudit $1 domain:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read the process state
##	directories of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_list_all_domains_state',`
	gen_require(`
		attribute domain;
	')

	# Directory listing only; file reads are covered by
	# domain_dontaudit_read_all_domains_state().
	dontaudit $1 domain:dir list_dir_perms;
')
########################################
## <summary>
##	Get the session ID of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_getsession_all_domains',`
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process getsession;
')
########################################
## <summary>
##	Do not audit attempts to get the
##	session ID of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getsession_all_domains',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:process getsession;
')
########################################
## <summary>
##	Get the process group ID of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_getpgid_all_domains',`
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process getpgid;
')
########################################
## <summary>
##	Get the scheduler information of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_getsched_all_domains',`
	gen_require(`
		attribute domain;
	')

	# Read-only counterpart of domain_setpriority_all_domains().
	allow $1 domain:process getsched;
')
########################################
## <summary>
##	Get the capability information of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_getcap_all_domains',`
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process getcap;
')
########################################
## <summary>
##	Get the attributes of all domains'
##	sockets, for all socket types.
## </summary>
## <desc>
##	<p>
##	Get the attributes of all domains'
##	sockets, for all socket types.
##	</p>
##	<p>
##	This is commonly used for domains
##	that can use lsof on all domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_getattr_all_sockets',`
	gen_require(`
		attribute domain;
	')

	# socket_class_set expands to every socket class, so this is
	# broader than the per-class interfaces below.
	allow $1 domain:socket_class_set getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains' sockets, for all socket types.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to get the attributes
##	of all domains' sockets, for all socket types.
##	</p>
##	<p>
##	This interface was added for PCMCIA cardmgr
##	and is probably excessive.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses denials for every socket class; nothing granted.
	dontaudit $1 domain:socket_class_set getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains' TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:tcp_socket getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains' UDP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_udp_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:udp_socket getattr;
')
########################################
## <summary>
##	Do not audit attempts to read or write
##	all domains' UDP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_rw_all_udp_sockets',`
	gen_require(`
		attribute domain;
	')

	# Only read/write denials are silenced; getattr is handled
	# by domain_dontaudit_getattr_all_udp_sockets().
	dontaudit $1 domain:udp_socket { read write };
')
########################################
## <summary>
##	Do not audit attempts to get attributes of
##	all domains' IPSEC key management sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_key_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:key_socket getattr;
')
########################################
## <summary>
##	Do not audit attempts to get attributes of
##	all domains' packet sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_packet_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:packet_socket getattr;
')
########################################
## <summary>
##	Do not audit attempts to get attributes of
##	all domains' raw IP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_raw_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:rawip_socket getattr;
')
########################################
## <summary>
##	Do not audit attempts to read or write
##	all domains' key sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_rw_all_key_sockets',`
	gen_require(`
		attribute domain;
	')

	# Only read/write denials are silenced; getattr is handled
	# by domain_dontaudit_getattr_all_key_sockets().
	dontaudit $1 domain:key_socket { read write };
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains' unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_dgram_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:unix_dgram_socket getattr;
')
########################################
## <summary>
##	Get the attributes
##	of all domains' unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_getattr_all_stream_sockets',`
	gen_require(`
		attribute domain;
	')

	# unix_stream_socket only; datagram sockets are not included.
	allow $1 domain:unix_stream_socket getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains' unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_stream_sockets',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:unix_stream_socket getattr;
')
########################################
## <summary>
##	Get the attributes of all domains'
##	unnamed pipes.
## </summary>
## <desc>
##	<p>
##	Get the attributes of all domains'
##	unnamed pipes.
##	</p>
##	<p>
##	This is commonly used for domains
##	that can use lsof on all domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_getattr_all_pipes',`
	gen_require(`
		attribute domain;
	')

	# Unnamed pipes carry the creating process's domain label,
	# hence the fifo_file class on "domain".
	allow $1 domain:fifo_file getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains' unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_pipes',`
	gen_require(`
		attribute domain;
	')

	# Suppresses the denial only; nothing is granted.
	dontaudit $1 domain:fifo_file getattr;
')
########################################
## <summary>
##	Allow specified type to set context of all
##	domains' IPSEC associations.
## </summary>
## <param name="type">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`domain_ipsec_setcontext_all_domains',`
	gen_require(`
		attribute domain;
	')

	# association:setcontext lets $1 label IPSEC security
	# associations on behalf of any domain; keep callers few.
	allow $1 domain:association setcontext;
')
########################################
## <summary>
## Get the attributes of entry point
## files for all domains.
## </summary>
## <desc>
## <p>
## Allows the caller to stat every file labeled with an
## entry point type (entry_type) and to read symlinks of
## those types, so an entry point reached through a symlink
## can be resolved. Neither the file contents nor execute
## access is granted.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_getattr_all_entry_files',`
gen_require(`
attribute entry_type;
')
# Symlink read is needed to follow links that point at entry points.
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all entry point files.
## </summary>
## <desc>
## <p>
## Suppresses denial messages for getattr on files of any
## entry point type. Note that only the file class is
## covered: denials for reading entry_type symlinks, which
## domain_getattr_all_entry_files() permits, are still
## audited.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_getattr_all_entry_files',`
gen_require(`
attribute entry_type;
')
# Logging suppression only; grants no access.
dontaudit $1 entry_type:file getattr_file_perms;
')
########################################
## <summary>
## Read the entry point files for all domains.
## </summary>
## <desc>
## <p>
## Grants read access to the contents of every file labeled
## with an entry point type, plus reading of entry_type
## symlinks. Execute access is not included; see
## domain_exec_all_entry_files() for that.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_read_all_entry_files',`
gen_require(`
attribute entry_type;
')
# Symlink read lets the caller resolve links to entry points.
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file read_file_perms;
')
########################################
## <summary>
## Execute the entry point files for all
## domains in the caller domain.
## </summary>
## <desc>
## <p>
## Allows the caller to execute any file labeled with an
## entry point type without a domain transition: the
## executed program runs with the caller's own permissions.
## This is effectively "run any domain's entry point as
## yourself" and should be reserved for highly privileged
## or administrative domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_exec_all_entry_files',`
gen_require(`
attribute entry_type;
')
# can_exec() grants execute-in-place; no transition rule is added
# here, so the new program stays in $1.
can_exec($1, entry_type)
')
########################################
## <summary>
## Do not audit attempts to execute all
## entry point files.
## </summary>
## <desc>
## <p>
## Silences denials for the execute permission set on files
## of any entry point type. Nothing is permitted; this is
## for domains that probe executables (for example, by
## checking whether they can be executed) and would
## otherwise flood the audit log.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`domain_dontaudit_exec_all_entry_files',`
gen_require(`
attribute entry_type;
')
# Logging suppression only; grants no access.
dontaudit $1 entry_type:file exec_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete all
## entrypoint files.
## </summary>
## <desc>
## <p>
## Grants full management (create, read, write, delete) of
## every file labeled with an entry point type. Because
## entry point files are the executables through which
## processes enter their domains, a domain holding this
## access can alter what runs in every other domain. Treat
## it as equivalent to system-wide code modification and
## grant it only to trusted binary-maintenance tools.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for prelink
interface(`domain_manage_all_entry_files',`
gen_require(`
attribute entry_type;
')
# Only the file class is managed; directories, symlinks and
# relabeling are not covered by this interface.
allow $1 entry_type:file manage_file_perms;
')
########################################
## <summary>
## Relabel to and from all entry point
## file types.
## </summary>
## <desc>
## <p>
## Allows the caller to relabel files both from and to any
## entry point type. Relabeling an arbitrary file to an
## entry point type makes it a valid executable for entering
## the corresponding domain, so this is a privilege on par
## with modifying the entry point files themselves. Grant it
## only to trusted binary-maintenance or relabeling tools.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for prelink
interface(`domain_relabel_all_entry_files',`
gen_require(`
attribute entry_type;
')
# File class only; symlinks and directories are not relabelable here.
allow $1 entry_type:file relabel_file_perms;
')
########################################
## <summary>
## Mmap all entry point files as executable.
## </summary>
## <desc>
## <p>
## Allows the caller to map any entry point file into its
## address space with execute permission. Unlike
## domain_exec_all_entry_files() this does not permit
## running the file as a new program image; it is used by
## tools that load executables for inspection or rewriting.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for prelink
interface(`domain_mmap_all_entry_files',`
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file mmap_exec_file_perms;
')
########################################
## <summary>
## Execute an entry_type in the specified domain.
## </summary>
## <desc>
## <p>
## Allows the caller to execute any file labeled with an
## entry point type and transition into the specified
## target domain. The second argument to the transition
## pattern is the whole entry_type attribute, so the
## transition is not tied to the target domain's own entry
## point: every domain's entry file is an acceptable
## executable for reaching $2. No automatic type_transition
## is declared here; the caller is expected to request the
## transition explicitly (setexeccon or equivalent), which
## is the userhelper use case this was added for.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the new process.
## </summary>
## </param>
#
# cjp: added for userhelper
interface(`domain_entry_file_spec_domtrans',`
gen_require(`
attribute entry_type;
')
# $2 must still have entrypoint permission on the specific file
# (declared elsewhere, e.g. via domain_entry_file()), otherwise the
# kernel refuses the transition.
domain_transition_pattern($1, entry_type, $2)
')
########################################
## <summary>
## Ability to mmap a low area of the address
## space conditionally, as configured by
## /proc/sys/kernel/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
## <desc>
## <p>
## Adds the domain to mmap_low_domain_type unconditionally,
## but only grants the memprotect mmap_zero permission when
## the mmap_low_allowed tunable is enabled. With the tunable
## off, the domain is denied low mappings like any other.
## Prefer this interface over domain_mmap_low_uncond() so an
## administrator can turn the exposure off.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_mmap_low',`
gen_require(`
attribute mmap_low_domain_type;
')
# Attribute membership is not gated by the tunable; only the
# allow rule below is.
typeattribute $1 mmap_low_domain_type;
tunable_policy(`mmap_low_allowed',`
allow $1 self:memprotect mmap_zero;
')
')
########################################
## <summary>
## Ability to mmap a low area of the address
## space unconditionally, as configured
## by /proc/sys/kernel/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
## <desc>
## <p>
## Grants memprotect mmap_zero with no tunable gate. A
## domain with this permission can place data at address
## zero, which is exactly what a kernel NULL-pointer
## dereference exploit needs, so use it only for domains
## that cannot function without low mappings; otherwise use
## domain_mmap_low() so the access can be disabled at run
## time.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_mmap_low_uncond',`
gen_require(`
attribute mmap_low_domain_type;
')
typeattribute $1 mmap_low_domain_type;
# Unconditional: not controlled by the mmap_low_allowed tunable.
allow $1 self:memprotect mmap_zero;
')
########################################
## <summary>
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
## </summary>
## <desc>
## <p>
## Delegates to corenet_all_recvfrom_labeled() with the
## domain attribute as the peer, so the caller may receive
## labeled (e.g. IPsec/NetLabel) traffic whose peer label is
## any domain type. This is a broad exception to peer-label
## enforcement and is meant for network infrastructure
## domains rather than ordinary services.
## </p>
## </desc>
## <param name="type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_all_recvfrom_all_domains',`
gen_require(`
attribute domain;
')
# The actual rules live in the corenetwork module.
corenet_all_recvfrom_labeled($1, domain)
')
########################################
## <summary>
## Allow all domains to search specified type keys.
## </summary>
## <desc>
## <p>
## When IMA/EVM is set up, keys are added to the kernel
## keyring, and a key is labeled with the type of the
## domain that added it. This interface allows every
## domain to search keys of the specified type so that
## IMA/EVM validation can locate them.
## </p>
## <p>
## Note the direction of the rule: the subject is the
## domain attribute (all domains) and the object is the
## given key type. Only the search permission is granted;
## reading, writing, linking or setting attributes on the
## key is not, so the key payload stays protected.
## </p>
## </desc>
## <param name="type">
## <summary>
## Type of key to be searched.
## </summary>
## </param>
#
interface(`domain_public_key',`
gen_require(`
attribute domain;
')
# search only: lets keyring lookups find the key, nothing more.
allow domain $1:key search;
')
########################################
## <summary>
## Send generic signals to all unconfined domains.
## </summary>
## <desc>
## <p>
## Grants only the generic signal permission on the
## process class toward every type carrying the
## unconfined_domain_type attribute. sigkill, sigstop and
## the other signal permissions are not included.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_unconfined_signal',`
gen_require(`
attribute unconfined_domain_type;
')
allow $1 unconfined_domain_type:process signal;
')
########################################
## <summary>
## Unconfined access to domains.
## </summary>
## <desc>
## <p>
## Marks the specified type as an unconfined domain by
## adding it to unconfined_domain_type, and additionally
## adds it to the attributes that the policy constraints
## check for exemption. The constraint exemptions are what
## let the domain change the SELinux user/role of objects
## and processes and set its current context freely; they
## are a substantial escalation on top of the allow rules
## that unconfined_domain_type carries.
## </p>
## <p>
## Only use this for domains that are deliberately outside
## the confinement model. There is no partial form of this
## interface.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`domain_unconfined',`
gen_require(`
attribute set_curr_context;
attribute can_change_object_identity;
attribute unconfined_domain_type;
attribute process_uncond_exempt;
')
typeattribute $1 unconfined_domain_type;
# pass constraints
# The three attributes below are referenced by the constraints
# defined elsewhere in the policy; membership exempts $1 from them.
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
')