## Core policy for domains. ## ## Contains the concept of a domain. ## ######################################## # # domain_base_domain_type(domain) # interface(`domain_base_type',` gen_require(` attribute domain; class dir r_dir_perms; class lnk_file r_file_perms; class file rw_file_perms; class process { fork sigchld }; ') # mark as a domain typeattribute $1 domain; # allow the domain to read its /proc/pid entries allow $1 self:dir r_dir_perms; allow $1 self:lnk_file r_file_perms; allow $1 self:file rw_file_perms; # allow $1 to create child processes in this domain allow $1 self:process { fork sigchld }; # Files with domain types are currently only proc files # self is excepted since domains and files can have # the same type in SEFramework # cjp: perhaps this should be a conditional exception, # so it is excepted only on SEFramework policies neverallow $1 { domain -$1 }:dir ~r_dir_perms; neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms; ') ######################################## # # domain_type(domain) # interface(`domain_type',` # start with basic domain domain_base_type($1) # Use trusted objects in /dev dev_rw_null_dev($1) dev_rw_zero_dev($1) term_use_controlling_term($1) # read the root directory files_list_root($1) # send init a sigchld init_sigchld($1) ifdef(`targeted_policy',` unconfined_use_fd($1) unconfined_sigchld($1) ') # this seems highly questionable: optional_policy(`rpm.te',` rpm_use_fd($1) rpm_read_pipe($1) ') ') ######################################## # # domain_entry_file(domain,entrypointfile) # interface(`domain_entry_file',` gen_require(` attribute entry_type; class file entrypoint; ') files_type($2) allow $1 $2:file entrypoint; typeattribute $2 entry_type; ') ######################################## # # domain_wide_inherit_fd(domain) # interface(`domain_wide_inherit_fd',` gen_require(` attribute privfd; ') typeattribute $1 privfd; ') ######################################## # # domain_dyntrans_type(domain) # interface(`domain_dyntrans_type',` gen_require(` attribute set_curr_context; ') typeattribute $1 set_curr_context; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of user identity. ## ## ## The process type to make an exception to the constraint. ## # interface(`domain_subj_id_change_exempt',` gen_require(` attribute can_change_process_identity; ') typeattribute $1 can_change_process_identity; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of role. ## ## ## The process type to make an exception to the constraint. ## # interface(`domain_role_change_exempt',` gen_require(` attribute can_change_process_role; ') typeattribute $1 can_change_process_role; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts. ## ## ## The process type to make an exception to the constraint. ## # interface(`domain_obj_id_change_exempt',` gen_require(` attribute can_change_object_identity; ') typeattribute $1 can_change_object_identity; ') ######################################## # # domain_use_wide_inherit_fd(domain) # interface(`domain_use_wide_inherit_fd',` gen_require(` attribute privfd; class fd use; ') allow $1 privfd:fd use; ') ######################################## # # domain_dontaudit_use_wide_inherit_fd(domain) # interface(`domain_dontaudit_use_wide_inherit_fd',` gen_require(` attribute privfd; class fd use; ') dontaudit $1 privfd:fd use; ') ######################################## ## ## Send a SIGCHLD signal to domains whose file ## discriptors are widely inheritable. ## ## ## Domain allowed access. ## # # cjp: this was added because of newrole interface(`domain_sigchld_wide_inherit_fd',` gen_require(` attribute privfd; class process signal; ') dontaudit $1 privfd:fd use; ') ######################################## # # domain_setpriority_all_domains(domain) # interface(`domain_setpriority_all_domains',` gen_require(` attribute domain; class process setsched; ') allow $1 domain:process setsched; ') ######################################## ## ## Send general signals to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_signal_all_domains',` gen_require(` attribute domain; class process signal; ') allow $1 domain:process signal; ') ######################################## ## ## Send a null signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_signull_all_domains',` gen_require(` attribute domain; class process signull; ') allow $1 domain:process signull; ') ######################################## ## ## Send a stop signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_sigstop_all_domains',` gen_require(` attribute domain; class process sigstop; ') allow $1 domain:process sigstop; ') ######################################## ## ## Send a child terminated signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_sigchld_all_domains',` gen_require(` attribute domain; class process sigchld; ') allow $1 domain:process sigchld; ') ######################################## ## ## Send a kill signal to all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_kill_all_domains',` gen_require(` attribute domain; class process sigkill; class capability kill; ') allow $1 domain:process sigkill; allow $1 self:capability kill; ') ######################################## ## ## Read the process state (/proc/pid) of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_read_all_domains_state',` gen_require(` attribute domain; class dir r_dir_perms; class lnk_file r_file_perms; class file r_file_perms; class process { getattr ptrace }; ') allow $1 domain:dir r_dir_perms; allow $1 domain:lnk_file r_file_perms; allow $1 domain:file r_file_perms; allow $1 domain:process getattr; # We need to suppress this denial because procps tries to access # /proc/pid/environ and this now triggers a ptrace check in recent kernels # (2.4 and 2.6). Might want to change procps to not do this, or only if # running in a privileged domain. dontaudit $1 domain:process ptrace; ') ######################################## ## ## Do not audit attempts to read the process ## state (/proc/pid) of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_read_all_domains_state',` gen_require(` attribute domain; class dir r_dir_perms; class lnk_file r_file_perms; class file r_file_perms; class process { getattr ptrace }; ') dontaudit $1 domain:dir r_dir_perms; dontaudit $1 domain:lnk_file r_file_perms; dontaudit $1 domain:file r_file_perms; dontaudit $1 domain:process getattr; # We need to suppress this denial because procps tries to access # /proc/pid/environ and this now triggers a ptrace check in recent kernels # (2.4 and 2.6). Might want to change procps to not do this, or only if # running in a privileged domain. dontaudit $1 domain:process ptrace; ') ######################################## ## ## Do not audit attempts to read the process state ## directories of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_list_all_domains_proc',` gen_require(` attribute domain; class dir r_dir_perms; ') dontaudit $1 domain:dir r_dir_perms; ') ######################################## ## ## Get the session ID of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_getsession_all_domains',` gen_require(` attribute domain; class process getsession; ') allow $1 domain:process getsession; ') ######################################## ## ## Do not audit attempts to get the ## session ID of all domains. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getsession_all_domains',` gen_require(` attribute domain; class process getsession; ') allow $1 domain:process getsession; ') ######################################## ## ## Get the attributes of all domains ## sockets, for all socket types. ## ## ##

## Get the attributes of all domains ## sockets, for all socket types. ##

##

## This is commonly used for domains ## that can use lsof on all domains. ##

##
## ## Domain allowed access. ## # interface(`domain_getattr_all_sockets',` gen_require(` gen_require_set(getattr,socket_class_set) ') allow $1 domain:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ## ## ##

## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ##

##

## This interface was added for PCMCIA cardmgr ## and is probably excessive. ##

##
## ## Domain to not audit. ## # interface(`domain_dontaudit_getattr_all_sockets',` gen_require(` gen_require_set(getattr,socket_class_set) ') dontaudit $1 domain:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains TCP sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_tcp_sockets',` gen_require(` attribute domain; class tcp_socket getattr; ') dontaudit $1 domain:tcp_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains UDP sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_udp_sockets',` gen_require(` attribute domain; class udp_socket getattr; ') dontaudit $1 domain:udp_socket getattr; ') ######################################## ## ## Do not audit attempts to read or write ## all domains UDP sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_rw_all_udp_sockets',` gen_require(` attribute domain; class udp_socket { read write }; ') dontaudit $1 domain:udp_socket { read write }; ') ######################################## ## ## Do not audit attempts to read or write ## all domains key sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_rw_all_key_sockets',` gen_require(` attribute domain; class key_socket { read write }; ') dontaudit $1 domain:key_socket { read write }; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',` gen_require(` attribute domain; class unix_dgram_socket getattr; ') dontaudit $1 domain:unix_dgram_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## ## ## The type of the process performing this action. ## # interface(`domain_dontaudit_getattr_all_unnamed_pipes',` gen_require(` attribute domain; class fifo_file getattr; ') dontaudit $1 domain:fifo_file getattr; ') ######################################## ## ## Get the attributes of entry point ## files for all domains. ## ## ## Domain allowed access. ## # interface(`domain_getattr_all_entry_files',` gen_require(` attribute entry_type; class file getattr; class lnk_file r_file_perms; ') allow $1 entry_type:lnk_file getattr; allow $1 entry_type:file r_file_perms; ') ######################################## # # domain_read_all_entry_files(domain) # interface(`domain_read_all_entry_files',` gen_require(` attribute entry_type; class file r_file_perms; class lnk_file r_file_perms; ') allow $1 entry_type:lnk_file r_file_perms; allow $1 entry_type:file r_file_perms; ') ######################################## # # domain_exec_all_entry_files(domain) # interface(`domain_exec_all_entry_files',` gen_require(` attribute entry_type; ') can_exec($1,entry_type) ') ######################################## ## ## Unconfined access to domains. ## ## ## The type of the process performing this action. ## # interface(`domain_unconfined',` gen_require(` attribute domain, set_curr_context; attribute can_change_process_identity; attribute can_change_process_role; attribute can_change_object_identity; class fd use; class fifo_file rw_file_perms; class process { transition dyntransition execmem }; class dir r_dir_perms; class file r_file_perms; class lnk_file r_file_perms; ') # pass all constraints typeattribute $1 can_change_process_identity; typeattribute $1 can_change_process_role; typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; # Use/sendto/connectto sockets created by any domain. allow $1 domain:{ socket_class_set socket key_socket } *; # Use descriptors and pipes created by any domain. allow $1 domain:fd use; allow $1 domain:fifo_file rw_file_perms; # Act upon any other process. allow $1 domain:process ~{ transition dyntransition execmem }; # Create/access any System V IPC objects. allow $1 domain:{ sem msgq shm } *; allow $1 domain:msg { send receive }; # For /proc/pid allow $1 domain:dir r_dir_perms; allow $1 domain:file r_file_perms; allow $1 domain:lnk_file r_file_perms; ') # # These next macros are not interfaces, but actually are # support macros. Due to the domain_ prefix, they # are placed in this module, to try to prevent confusion. # ######################################## # # domain_trans(source_domain,entrypoint_file,target_domain) # template(`domain_trans',` gen_require(` class file rx_file_perms; class process { transition noatsecure siginh rlimitinh }; ') allow $1 $2:file rx_file_perms; allow $1 $3:process transition; dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ') ######################################## # # domain_auto_trans(source_domain,entrypoint_file,target_domain) # template(`domain_auto_trans',` domain_trans($1,$2,$3) type_transition $1 $2:process $3; ')