selinux-refpolicy/refpolicy/policy/modules/system/domain.te

33 lines
951 B
Plaintext

policy_module(domain,1.0)
# Mark process types as domains
attribute domain;
# entrypoint executables
attribute entry_type;
# widely-inheritable file descriptors
attribute privfd;
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
# constraint related attributes
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;
# Files with domain types are currently only proc files
neverallow * domain:dir ~r_dir_perms;
neverallow * domain:file_class_set ~rw_file_perms;