# Copyright (C) 2005 Tresys Technology, LLC policy_module(selinux,1.0) ######################################## # # Declarations # attribute can_write_binary_policy; attribute can_relabelto_binary_policy; type checkpolicy_t, can_write_binary_policy; domain_make_domain(checkpolicy_t) role system_r types checkpolicy_t; type checkpolicy_exec_t; domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t) # # default_context_t is the type applied to # /etc/selinux/*/contexts/* # type default_context_t; files_make_file(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; files_make_file(file_context_t) type load_policy_t; domain_make_domain(load_policy_t) role system_r types load_policy_t; type load_policy_exec_t; domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; kernel_make_role_change_constraint_exception(newrole_t) kernel_make_object_identity_change_constraint_exception(newrole_t) domain_make_domain(newrole_t) domain_make_file_descriptors_widely_inheritable(newrole_t) type newrole_exec_t; domain_make_entrypoint_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # type policy_config_t; files_make_file(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_write_binary_policy policy_config_t:file { write append }; # # policy_src_t is the type of the policy source # files. # type policy_src_t; files_make_file(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; kernel_make_object_identity_change_constraint_exception(restorecon_t) domain_make_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; # # selinux_config_t is the type applied to # /etc/selinux/config # type selinux_config_t; files_make_file(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; kernel_make_object_identity_change_constraint_exception(setfiles_t) domain_make_domain(setfiles_t) role system_r types setfiles_t; type setfiles_exec_t; domain_make_entrypoint_file(setfiles_t,setfiles_exec_t) ######################################## # # Checkpolicy local policy # allow checkpolicy_t self:capability dac_override; # able to create and modify binary policy files allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write }; allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }; # allow test policies to be created in src directories allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name }; type_transition checkpolicy_t policy_src_t:file policy_config_t; # only allow read of policy source files allow checkpolicy_t policy_src_t:dir { getattr search read }; allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read }; allow checkpolicy_t selinux_config_t:dir search; filesystem_get_persistent_filesystem_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) terminal_use_controlling_terminal(checkpolicy_t) init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) domain_use_widely_inheritable_file_descriptors(checkpolicy_t) libraries_use_dynamic_loader(checkpolicy_t) libraries_read_shared_libraries(checkpolicy_t) ifdef(`TODO',` role sysadm_r types checkpolicy_t; domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr }; allow checkpolicy_t sysadm_tmp_t:file { getattr write }; # directory search permissions for path to source and binary policy files allow checkpolicy_t etc_t:dir search; # Read the devpts root directory. ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file can_exec(unpriv_userdomain, checkpolicy_exec_t) allow checkpolicy_t userdomain:fd use; ') dnl endif TODO ######################################## # # Load_policy local policy # allow load_policy_t self:capability dac_override; # only allow read of policy config files allow load_policy_t policy_src_t:dir search; allow load_policy_t policy_config_t:dir { getattr search read }; allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read }; allow newrole_t selinux_config_t:dir { getattr read search }; allow newrole_t selinux_config_t:file { read getattr }; allow newrole_t selinux_config_t:lnk_file { getattr read }; kernel_get_selinuxfs_mount_point(load_policy_t) kernel_load_selinux_policy(load_policy_t) kernel_set_selinux_boolean(load_policy_t) filesystem_get_persistent_filesystem_attributes(load_policy_t) terminal_use_console(load_policy_t) terminal_use_controlling_terminal(load_policy_t) terminal_list_pseudoterminals(load_policy_t) init_script_use_file_descriptors(load_policy_t) init_script_use_pseudoterminal(load_policy_t) domain_use_widely_inheritable_file_descriptors(load_policy_t) libraries_use_dynamic_loader(load_policy_t) libraries_read_shared_libraries(load_policy_t) miscfiles_read_localization(load_policy_t) ifdef(`TODO',` role sysadm_r types load_policy_t; domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) allow load_policy_t sysadm_tmp_t:file { getattr write }; allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr }; # directory search permissions for path to binary policy files allow load_policy_t etc_t:dir search; allow load_policy_t userdomain:fd use; ') dnl endif TODO ######################################## # # Newrole local policy # allow newrole_t self:capability { setuid setgid net_bind_service dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow newrole_t self:process setexec; allow newrole_t self:fd use; allow newrole_t self:fifo_file { read getattr lock ioctl write append }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket connectto; allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; allow newrole_t self:msg { send receive }; allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search }; allow newrole_t { selinux_config_t default_context_t }:file { read getattr }; allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read }; kernel_read_system_state(newrole_t) kernel_read_kernel_sysctl(newrole_t) kernel_get_selinuxfs_mount_point(newrole_t) kernel_validate_selinux_context(newrole_t) kernel_compute_selinux_av(newrole_t) kernel_compute_create(newrole_t) kernel_compute_relabel(newrole_t) kernel_compute_reachable_user_contexts(newrole_t) devices_get_pseudorandom_data(newrole_t) filesystem_get_persistent_filesystem_attributes(newrole_t) terminal_use_all_users_physical_terminals(newrole_t) terminal_use_all_users_pseudoterminals(newrole_t) terminal_use_controlling_terminal(newrole_t) # Write to utmp. init_script_modify_runtime_data(newrole_t) domain_use_widely_inheritable_file_descriptors(newrole_t) files_read_general_system_config(newrole_t) libraries_use_dynamic_loader(newrole_t) libraries_read_shared_libraries(newrole_t) logging_send_system_log_message(newrole_t) miscfiles_read_localization(newrole_t) authlogin_check_password_transition(newrole_t) ifdef(`TODO',` in_user_role(newrole_t) role sysadm_r types newrole_t; allow newrole_t unpriv_userdomain:fd use; can_ypbind(newrole) ifdef(`automount.te', ` allow newrole_t autofs_t:dir { search getattr }; ') # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; # Execute /sbin/pwdb_chkpwd to check the password. allow newrole_t sbin_t:dir r_dir_perms; # Execute shells allow newrole_t bin_t:dir r_dir_perms; allow newrole_t bin_t:lnk_file read; # Allow newrole_t to transition to user domains. bool secure_mode false; domain_trans(newrole_t, shell_exec_t, unpriv_userdomain) if(!secure_mode) { # if we are not in secure mode then we can transition to sysadm_t domain_trans(newrole_t, shell_exec_t, sysadm_t) } # Read /var. allow newrole_t var_t:dir r_dir_perms; allow newrole_t var_t:notdevfile_class_set r_file_perms; # Relabel terminals. allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') # for some PAM modules and for cwd dontaudit newrole_t { home_root_t home_type }:dir search; # for when the network connection is killed dontaudit unpriv_userdomain newrole_t:process signal; ') dnl ifdef TODO ######################################## # # Restorecon local policy # allow restorecon_t self:capability { dac_override dac_read_search fowner }; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; kernel_use_file_descriptors(restorecon_t) kernel_read_system_state(restorecon_t) kernel_get_selinuxfs_mount_point(restorecon_t) kernel_validate_selinux_context(restorecon_t) kernel_compute_selinux_av(restorecon_t) kernel_compute_create(restorecon_t) kernel_compute_relabel(restorecon_t) kernel_compute_reachable_user_contexts(restorecon_t) filesystem_get_persistent_filesystem_attributes(restorecon_t) terminal_use_general_physical_terminal(restorecon_t) init_use_file_descriptors(restorecon_t) init_script_use_pseudoterminal(restorecon_t) domain_use_widely_inheritable_file_descriptors(restorecon_t) files_read_runtime_system_config(restorecon_t) files_read_general_system_config(restorecon_t) libraries_use_dynamic_loader(restorecon_t) libraries_read_shared_libraries(restorecon_t) logging_send_system_log_message(restorecon_t) optional_policy(`hotplug.te',` hotplug_use_file_descriptors(restorecon_t) ') # relabeling rules files_read_all_directories(restorecon_t) kernel_relabel_unlabeled_object(restorecon_t) devices_manage_all_devices_labels(restorecon_t) files_manage_all_files_labels(restorecon_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(restorecon_t) ifdef(`TODO',` allow restorecon_t admin_tty_type:chr_file { read write ioctl }; domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) role sysadm_r types restorecon_t; allow restorecon_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! allow restorecon_t lib_t:file { read execute }; tunable_policy(`distro_redhat', ` allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto }; ') allow restorecon_t fs_type:dir r_dir_perms; allow restorecon_t device_t:file { read write }; allow restorecon_t kernel_t:fifo_file { read write }; ') dnl endif TODO ######################################## # # Setfiles local policy # allow setfiles_t self:capability { dac_override dac_read_search fowner }; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search }; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr }; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read }; kernel_read_system_state(setfiles_t) kernel_get_selinuxfs_mount_point(setfiles_t) kernel_validate_selinux_context(setfiles_t) kernel_compute_selinux_av(setfiles_t) kernel_compute_create(setfiles_t) kernel_compute_relabel(setfiles_t) kernel_compute_reachable_user_contexts(setfiles_t) filesystem_get_persistent_filesystem_attributes(setfiles_t) terminal_use_controlling_terminal(setfiles_t) terminal_use_all_users_physical_terminals(setfiles_t) terminal_use_all_users_pseudoterminals(setfiles_t) terminal_use_general_physical_terminal(setfiles_t) init_use_file_descriptors(setfiles_t) init_script_use_file_descriptors(setfiles_t) init_script_use_pseudoterminal(setfiles_t) domain_use_widely_inheritable_file_descriptors(setfiles_t) libraries_use_dynamic_loader(setfiles_t) libraries_read_shared_libraries(setfiles_t) files_read_runtime_system_config(setfiles_t) files_read_general_system_config(setfiles_t) logging_send_system_log_message(setfiles_t) miscfiles_read_localization(setfiles_t) # relabeling rules files_read_all_directories(setfiles_t) kernel_relabel_unlabeled_object(setfiles_t) devices_manage_all_devices_labels(setfiles_t) files_manage_all_files_labels(setfiles_t) # this is to satisfy the assertion: authlogin_relabel_to_shadow_passwords(setfiles_t) ifdef(`TODO',` domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) role sysadm_r types setfiles_t; allow setfiles_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; allow setfiles_t unlabeled_t:dir read; allow setfiles_t fs_type:dir r_dir_perms; # for config files in a home directory allow setfiles_t home_type:file r_file_perms; ') dnl endif TODO