rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   b518fc2edfbaf58ec873faaf5803a21cbf3a75c6
  2.   refpolicy
  3.   policy
  4.   modules
  5.   kernel
  6.   kernel.te
Blob Blame History Raw 

policy_module(kernel,1.3.4)

########################################
#
# Declarations
#

# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;

neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;

# domains with unconfined access to kernel resources
attribute kern_unconfined;

# regular entries in proc
attribute proc_type;

# sysctls
attribute sysctl_type;

role system_r;
role sysadm_r;
role staff_r;
role user_r;

ifdef(`enable_mls',`
	role secadm_r;
')

#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
# 
type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)

#
# DebugFS
#

type debugfs_t;
fs_type(debugfs_t)
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)

#
# Procfs types
#

type proc_t, proc_type;
files_mountpoint(proc_t)
fs_type(proc_t)
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)

# kernel message interface
type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;

# /proc kcore: inaccessible
type proc_kcore_t, proc_type;
neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)

type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)

type proc_net_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)

type proc_xen_t, proc_type;
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)

#
# Sysctl types
#

# /proc/sys directory, base directory of sysctls
type sysctl_t, sysctl_type;
files_mountpoint(sysctl_t)
sid sysctl gen_context(system_u:object_r:sysctl_t,s0)
genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)

# /proc/irq directory and files
type sysctl_irq_t, sysctl_type;
genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)

# /proc/net/rpc directory and files
type sysctl_rpc_t, sysctl_type;
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)

# /proc/sys/fs directory and files
type sysctl_fs_t, sysctl_type;
files_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)

# /proc/sys/kernel directory and files
type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)

# /proc/sys/kernel/modprobe file
type sysctl_modprobe_t, sysctl_type;
genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)

# /proc/sys/kernel/hotplug file
type sysctl_hotplug_t, sysctl_type;
genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)

# /proc/sys/net directory and files
type sysctl_net_t, sysctl_type;
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)

# /proc/sys/net/unix directory and files
type sysctl_net_unix_t, sysctl_type;
genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)

# /proc/sys/vm directory and files
type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)

# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)

#
# unlabeled_t is the type of unlabeled objects.
# Objects that have no known labeling information or that
# have labels that are no longer valid are treated as having this type.
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)

# These initial sids are no longer used, and can be removed:
sid any_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid init		gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid netmsg		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid policy		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_net		gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_net_unix	gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s0)
sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s0)
sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)

########################################
#
# kernel local policy
#

# Use capabilities. need to investigate which capabilities are actually used
allow kernel_t self:capability *;

# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;

# old general_domain_access()
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
allow kernel_t self:msg { send receive };
allow kernel_t self:msgq create_msgq_perms;
allow kernel_t self:unix_dgram_socket create_socket_perms;
allow kernel_t self:unix_stream_socket create_stream_socket_perms;
allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_file_perms;
allow kernel_t self:sock_file r_file_perms;
allow kernel_t self:fd use;

# old general_proc_read_access():
allow kernel_t proc_t:dir r_dir_perms;
allow kernel_t proc_t:{ lnk_file file } r_file_perms;
allow kernel_t proc_net_t:dir r_dir_perms;
allow kernel_t proc_net_t:file r_file_perms;
allow kernel_t proc_mdstat_t:file r_file_perms;
allow kernel_t proc_kcore_t:file getattr;
allow kernel_t proc_kmsg_t:file getattr;
allow kernel_t sysctl_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
allow kernel_t sysctl_kernel_t:file r_file_perms;

# cjp: this seems questionable
allow kernel_t unlabeled_t:fifo_file rw_file_perms;

corenet_non_ipsec_sendrecv(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_if(kernel_t)

# Kernel-generated traffic e.g., TCP resets:
corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_raw_send_multicast_node(kernel_t)

dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)

# Mount root file system.  Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)

selinux_load_policy(kernel_t)

term_use_console(kernel_t)

corecmd_exec_shell(kernel_t)
corecmd_list_sbin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecmd_exec_bin(kernel_t)

domain_signal_all_domains(kernel_t)
domain_search_all_domains_state(kernel_t)

files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)

mcs_process_set_categories(kernel_t)

mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)

ifdef(`targeted_policy',`
	unconfined_domain(kernel_t)
')

tunable_policy(`read_default_t',`
	files_list_default(kernel_t)
	files_read_default_files(kernel_t)
	files_read_default_symlinks(kernel_t)
	files_read_default_sockets(kernel_t)
	files_read_default_pipes(kernel_t)
')

optional_policy(`
	hotplug_search_config(kernel_t)
')

optional_policy(`
	init_sigchld(kernel_t)
')

optional_policy(`
	libs_use_ld_so(kernel_t)
	libs_use_shared_libs(kernel_t)
')

optional_policy(`
	logging_send_syslog_msg(kernel_t)
')

optional_policy(`
	nis_use_ypbind(kernel_t)
')

optional_policy(`
	portmap_udp_send(kernel_t)
')

optional_policy(`
	# nfs kernel server needs kernel UDP access.  It is less risky and painful
	# to just give it everything.
	allow kernel_t self:tcp_socket create_stream_socket_perms;
	allow kernel_t self:udp_socket { connect };
	allow kernel_t self:tcp_socket connected_socket_perms;
	allow kernel_t self:udp_socket connected_socket_perms;

	# nfs kernel server needs kernel UDP access.  It is less risky and painful
	# to just give it everything.
	corenet_udp_sendrecv_all_if(kernel_t)
	corenet_udp_sendrecv_all_nodes(kernel_t)
	corenet_tcp_bind_all_nodes(kernel_t)
	corenet_udp_bind_all_nodes(kernel_t)
	corenet_tcp_sendrecv_all_ports(kernel_t)
	corenet_udp_sendrecv_all_ports(kernel_t)

	auth_dontaudit_getattr_shadow(kernel_t)

	sysnet_read_config(kernel_t)

	rpc_manage_nfs_ro_content(kernel_t)
	rpc_manage_nfs_rw_content(kernel_t)
	rpc_udp_rw_nfs_sockets(kernel_t) 
	rpc_udp_send_nfs(kernel_t)

	tunable_policy(`nfs_export_all_ro',`
		fs_list_noxattr_fs(kernel_t) 
		fs_read_noxattr_fs_files(kernel_t) 
		fs_read_noxattr_fs_symlinks(kernel_t) 

		auth_read_all_dirs_except_shadow(kernel_t) 
		auth_read_all_files_except_shadow(kernel_t) 
		auth_read_all_symlinks_except_shadow(kernel_t) 
	')

	tunable_policy(`nfs_export_all_rw',`
		fs_list_noxattr_fs(kernel_t) 
		fs_read_noxattr_fs_files(kernel_t) 
		fs_read_noxattr_fs_symlinks(kernel_t) 

		auth_manage_all_files_except_shadow(kernel_t)
	')
')

optional_policy(`
	seutil_read_config(kernel_t)
	seutil_read_bin_policy(kernel_t)
')

########################################
#
# Unlabeled process local policy
#

ifdef(`targeted_policy',`
	allow unlabeled_t self:filesystem associate;
')

optional_policy(`
	# If you load a new policy that removes active domains, processes can
	# get stuck if you do not allow unlabeled processes to signal init.
	# If you load an incompatible policy, you should probably reboot,
	# since you may have compromised system security.
	init_sigchld(unlabeled_t)
')

########################################
#
# Rules for unconfined acccess to this module
#

allow kern_unconfined proc_type:{ dir file } *;

allow kern_unconfined sysctl_t:{ dir file } *;

allow kern_unconfined kernel_t:system *;

allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;

kernel_rw_all_sysctls(kern_unconfined)
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.