diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 3cec277fc..4088072a9 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -79,6 +79,18 @@ interface(`domain_wide_inherit_fd',`
 typeattribute $1 privfd;
 ')
+########################################
+#
+# domain_dyntrans_type(domain)
+#
+interface(`domain_dyntrans_type',`
+ gen_require(`
+ attribute set_curr_context;
+ ')
+
+ typeattribute $1 set_curr_context;
+')
+
 ########################################
 ##
 ##
@@ -461,7 +473,7 @@ interface(`domain_read_all_entry_files',`
 #
 # domain_trans(source_domain,entrypoint_file,target_domain)
 #
-interface(`domain_trans',`
+define(`domain_trans',`
 gen_require(`
 class file rx_file_perms;
 process { transition noatsecure siginh rlimitinh };
@@ -476,7 +488,7 @@ interface(`domain_trans',`
 #
 # domain_auto_trans(source_domain,entrypoint_file,target_domain)
 #
-interface(`domain_auto_trans',`
+define(`domain_auto_trans',`
 domain_trans($1,$2,$3)
 type_transition $1 $2:process $3;
 ')
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 6891c3061..be824fb67 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -10,6 +10,10 @@ attribute entry_type;
 # widely-inheritable file descriptors
 attribute privfd;
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
 # constraint related attributes
 attribute can_change_process_identity;
 attribute can_change_process_role;
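Review bot: The new domain_dyntrans_type interface carries only the plain `# domain_dyntrans_type(domain)` banner and none of the `## <summary>`/`## <param>` lines that the neighbouring interface's `##` block in this hunk uses, so the generated interface documentation will not describe it. The summary should state that the interface only removes the caller from the setcurrent neverallow in domain.te — it adds no `dyntransition` allow rule itself, and the `neverallow domain ~domain:process { transition dyntransition }` visible in the domain.te hunk header still confines any such transition to domain types — and the param description should name the domain being exempted. It is also worth repeating the domain.te warning that enabling setcurrent breaks process tranquility, so callers understand what they are opting into.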
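Review bot: domain_trans is changed from interface() to define() with no comment recording why, and the following domain_auto_trans hunk makes the same change. A define() is a plain m4 macro, so these two no longer appear as documented interfaces and no longer receive whatever handling interface() applies, which a reader of the banner `# domain_trans(source_domain,entrypoint_file,target_domain)` cannot tell. The commit message is not in view, so I cannot confirm the motive; a one-line comment above each banner stating why a bare define() is required here would prevent a later cleanup from turning them back into interfaces. The bodies of both macros continue outside the hunks.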
@@ -21,7 +25,7 @@ neverallow domain ~domain:process { transition dyntransition };
 # enabling setcurrent breaks process tranquility. If you do not
 # know what this means or do not understand the implications of a
 # dynamic transition, you should not be using it!!!
-neverallow * *:process setcurrent;
+neverallow { domain -set_curr_context } self:process setcurrent;
 # Files with domain types are currently only proc files
 neverallow * domain:dir ~r_dir_perms;
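Review bot: The three comment lines above the rewritten neverallow still say only that the reader "should not be using it" and do not mention that domain_dyntrans_type() in domain.if is now the sanctioned way to be exempted, so the warning and the rule no longer agree; I would append `# Domains that genuinely need it must be added via domain_dyntrans_type().` Note also that the rule's scope shrinks in two ways: the source set goes from `*` to `{ domain -set_curr_context }` and the target from `*` to `self`. The self target is consistent with setcurrent being checked against the process's own context, but the source narrowing means a type without the domain attribute is no longer covered; whether such a type can hold process permissions at all depends on neverallows not in this hunk, so it is worth confirming.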