2006-12-12 20:08:08 +00:00
|
|
|
#
|
2016-12-01 17:12:34 +00:00
|
|
|
# Common domain transition pattern perms
|
|
|
|
#
|
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. entry point file type
|
|
|
|
# 3. target domain
|
2006-12-12 20:08:08 +00:00
|
|
|
#
|
|
|
|
define(`domain_transition_pattern',`
|
2018-07-19 23:49:21 +00:00
|
|
|
allow $1 $2:file mmap_exec_file_perms;
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 $3:process transition;
|
|
|
|
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
|
|
|
|
')
|
|
|
|
|
|
|
|
|
2016-12-01 17:12:34 +00:00
|
|
|
#
|
|
|
|
# Specified domain transition patterns
|
|
|
|
#
|
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. entry point file type
|
|
|
|
# 3. target domain
|
|
|
|
#
|
2006-12-12 20:08:08 +00:00
|
|
|
define(`spec_domtrans_pattern',`
|
|
|
|
allow $1 self:process setexec;
|
|
|
|
domain_transition_pattern($1,$2,$3)
|
|
|
|
|
|
|
|
allow $3 $1:fd use;
|
2017-03-08 16:19:26 +00:00
|
|
|
allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $3 $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
|
|
|
#
|
|
|
|
# Automatic domain transition patterns
|
|
|
|
#
|
2016-12-01 17:12:34 +00:00
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. entry point file type
|
|
|
|
# 3. target domain
|
|
|
|
#
|
2006-12-12 20:08:08 +00:00
|
|
|
define(`domain_auto_transition_pattern',`
|
|
|
|
domain_transition_pattern($1,$2,$3)
|
|
|
|
type_transition $1 $2:process $3;
|
|
|
|
')
|
|
|
|
|
2016-12-01 17:12:34 +00:00
|
|
|
#
|
|
|
|
# Automatic domain transition patterns
|
|
|
|
# with feedback permissions
|
|
|
|
#
|
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. entry point file type
|
|
|
|
# 3. target domain
|
|
|
|
#
|
2006-12-12 20:08:08 +00:00
|
|
|
define(`domtrans_pattern',`
|
|
|
|
domain_auto_transition_pattern($1,$2,$3)
|
|
|
|
|
|
|
|
allow $3 $1:fd use;
|
2017-03-08 16:19:26 +00:00
|
|
|
allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $3 $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
2010-04-26 19:15:23 +00:00
|
|
|
#
|
|
|
|
# Dynamic transition pattern
|
|
|
|
#
|
2016-12-01 17:12:34 +00:00
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. target domain
|
|
|
|
#
|
2010-04-26 19:15:23 +00:00
|
|
|
define(`dyntrans_pattern',`
|
|
|
|
allow $1 self:process setcurrent;
|
|
|
|
allow $1 $2:process dyntransition;
|
|
|
|
allow $2 $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
#
|
2016-12-01 17:12:34 +00:00
|
|
|
# Read foreign domain proc data
|
|
|
|
#
|
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. target domain
|
2006-12-12 20:08:08 +00:00
|
|
|
#
|
|
|
|
define(`ps_process_pattern',`
|
2008-10-20 16:10:42 +00:00
|
|
|
allow $1 $2:dir list_dir_perms;
|
|
|
|
allow $1 $2:file read_file_perms;
|
|
|
|
allow $1 $2:lnk_file read_lnk_file_perms;
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 $2:process getattr;
|
|
|
|
')
|
2017-02-17 15:26:22 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Process administration pattern
|
|
|
|
#
|
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. target domain
|
|
|
|
#
|
|
|
|
define(`admin_process_pattern',`
|
|
|
|
ps_process_pattern($1, $2)
|
|
|
|
|
|
|
|
allow $1 $2:process { ptrace signal_perms };
|
|
|
|
')
|
2020-05-15 10:28:55 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# File execution pattern
|
|
|
|
#
|
|
|
|
# Parameters:
|
|
|
|
# 1. source domain
|
|
|
|
# 2. executable file type
|
|
|
|
#
|
|
|
|
define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
|