selinux-refpolicy/policy/modules/kernel/domain.te

194 lines
6.5 KiB
Plaintext

policy_module(domain, 1.15.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Control the ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
## </p>
## </desc>
gen_tunable(mmap_low_allowed, false)
# Mark process types as domains
attribute domain;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# Domains that are unconfined
attribute unconfined_domain_type;
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
#
# constraint related attributes
#
# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;
# [2] types that can change SELinux role on transition
attribute can_change_process_role;
# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;
# [3] types that can change to system_u:system_r
attribute can_system_change;
# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;
# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;
# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt; # add userhelperdomain to this one
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;
########################################
#
# Rules applied to all domains
#
# read /proc/(pid|self) entries
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
dev_read_cpu_online(domain)
# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
# listen code, before protocol-specific
# listen function is called, so bad calls
# to listen on UDP sockets should be silenced
dontaudit domain self:udp_socket listen;
')
ifdef(`init_systemd',`
optional_policy(`
shutdown_sigchld(domain)
')
')
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
# are compiled with ProPolice/SSP
# stack smashing protection.
dev_read_urand(domain)
')
optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
')
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
')
########################################
#
# Unconfined access to this module
#
# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom };
allow unconfined_domain_type domain:rawip_socket node_bind;
allow unconfined_domain_type domain:sctp_socket node_bind;
allow unconfined_domain_type domain:icmp_socket node_bind;
allow unconfined_domain_type domain:udp_socket node_bind;
allow unconfined_domain_type domain:tcp_socket { node_bind name_connect acceptfrom connectto newconn };
allow unconfined_domain_type domain:tun_socket attach_queue;
allow unconfined_domain_type domain:unix_stream_socket { acceptfrom newconn connectto };
allow unconfined_domain_type domain:netlink_audit_socket { nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_read nlmsg_tty_audit };
allow unconfined_domain_type domain:netlink_firewall_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_ip6fw_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_route_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_tcpdiag_socket { nlmsg_write nlmsg_read };
allow unconfined_domain_type domain:netlink_xfrm_socket { nlmsg_write nlmsg_read };
# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
# Act upon any other process.
allow unconfined_domain_type domain:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit };
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:sem create_sem_perms;
allow unconfined_domain_type domain:msgq create_msgq_perms;
allow unconfined_domain_type domain:shm create_shm_perms;
allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key manage_key_perms;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)