## Core policy for domains. ## ## Contains the concept of a domain. ## ######################################## ## ## Make the specified type usable as a basic domain. ## ## ##

## Make the specified type usable as a basic domain. ##

##

## This is primarily used for kernel threads; ## generally the domain_type() interface is ## more appropriate for userland processes. ##

##
## ## ## Type to be used as a basic domain type. ## ## # interface(`domain_base_type',` gen_require(` attribute domain; ') typeattribute $1 domain; ') ######################################## ## ## Make the specified type usable as a domain. ## ## ##

## Make the specified type usable as a domain. This, ## or an interface that calls this interface, must be ## used on all types that are used as domains. ##

##

## Related interfaces: ##

## ##

## Example: ##

##

## type mydomain_t; ## domain_type(mydomain_t) ## type myfile_t; ## files_type(myfile_t) ## allow mydomain_t myfile_t:file read_file_perms; ##

##
## ## ## Type to be used as a domain type. ## ## ## # interface(`domain_type',` # start with basic domain domain_base_type($1) # Only way to get corenet_unlabeled packets disabled to work corenet_all_recvfrom_unlabeled($1) ') ######################################## ## ## Make the specified type usable as ## an entry point for the domain. ## ## ## ## Domain to be entered. ## ## ## ## ## Type of program used for entering ## the domain. ## ## # interface(`domain_entry_file',` gen_require(` attribute entry_type; ') allow $1 $2:file entrypoint; allow $1 $2:file { mmap_exec_file_perms ioctl lock }; typeattribute $2 entry_type; corecmd_executable_file($2) #optional_policy(` # unconfined_exec_typebounds($2) #') ') ######################################## ## ## Make the file descriptors of the specified ## domain for interactive use (widely inheritable) ## ## ## ## Domain allowed access. ## ## # interface(`domain_interactive_fd',` gen_require(` attribute privfd; ') typeattribute $1 privfd; ') ######################################## ## ## Allow the specified domain to perform ## dynamic transitions. ## ## ##

## Allow the specified domain to perform ## dynamic transitions. ##

##

## This violates process tranquility, and it ## is strongly suggested that this not be used. ##

##
## ## ## Domain allowed access. ## ## # interface(`domain_dyntrans_type',` gen_require(` attribute set_curr_context; ') typeattribute $1 set_curr_context; ') ######################################## ## ## Makes caller and execption to the constraint ## preventing changing to the system user ## identity and system role. ## ## ## ## Domain allowed access. ## ## # interface(`domain_system_change_exemption',` gen_require(` attribute can_system_change; ') typeattribute $1 can_system_change; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of user identity. ## ## ## ## The process type to make an exception to the constraint. ## ## # interface(`domain_subj_id_change_exemption',` gen_require(` attribute can_change_process_identity; ') typeattribute $1 can_change_process_identity; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing of role. ## ## ## ## The process type to make an exception to the constraint. ## ## # interface(`domain_role_change_exemption',` gen_require(` attribute can_change_process_role; ') typeattribute $1 can_change_process_role; ') ######################################## ## ## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts. ## ## ## ## The process type to make an exception to the constraint. ## ## ## # interface(`domain_obj_id_change_exemption',` gen_require(` attribute can_change_object_identity; ') typeattribute $1 can_change_object_identity; ') ######################################## ## ## Make the specified domain the target of ## the user domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the target of ## the user domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the user domains from the base module. ## It should not be used other than on ## user domains. ##

##
## ## ## Domain target for user exemption. ## ## # interface(`domain_user_exemption_target',` gen_require(` attribute process_user_target; ') typeattribute $1 process_user_target; ') ######################################## ## ## Make the specified domain the source of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the source of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## cron domains. ##

##
## ## ## Domain target for user exemption. ## ## # interface(`domain_cron_exemption_source',` gen_require(` attribute cron_source_domain; ') typeattribute $1 cron_source_domain; ') ######################################## ## ## Make the specified domain the target of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ## ## ##

## Make the specified domain the target of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## user cron jobs. ##

##
## ## ## Domain target for user exemption. ## ## # interface(`domain_cron_exemption_target',` gen_require(` attribute cron_job_domain; ') typeattribute $1 cron_job_domain; ') ######################################## ## ## Inherit and use file descriptors from ## all domains. ## ## ##

## Allow the specified domain to inherit and use file ## descriptors from all domains. This does not allow ## access to the objects being referenced by the file ## descriptors. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`domain_use_all_fds',` gen_require(` attribute domain; ') allow $1 domain:fd use; ') ######################################## ## ## Inherit and use file descriptors from ## domains with interactive programs. ## ## ##

## Allow the specified domain to inherit and use file ## descriptors from domains with interactive programs. ## This does not allow access to the objects being referenced ## by the file descriptors. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`domain_use_interactive_fds',` gen_require(` attribute privfd; ') allow $1 privfd:fd use; ') ######################################## ## ## Do not audit attempts to inherit file ## descriptors from domains with interactive ## programs. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_use_interactive_fds',` gen_require(` attribute privfd; ') dontaudit $1 privfd:fd use; ') ######################################## ## ## Send a SIGCHLD signal to domains whose file ## discriptors are widely inheritable. ## ## ## ## Domain allowed access. ## ## # # cjp: this was added because of newrole interface(`domain_sigchld_interactive_fds',` gen_require(` attribute privfd; ') allow $1 privfd:process sigchld; ') ######################################## ## ## Set the nice level of all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_setpriority_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process setsched; ') ######################################## ## ## Send general signals to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_signal_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process signal; ') ######################################## ## ## Do not audit attempts to send general ## signals to all domains. ## ## ## ## Domain to not audit. ## ## ## # interface(`domain_dontaudit_signal_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process signal; ') ######################################## ## ## Send a null signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_signull_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process signull; ') ######################################## ## ## Do not audit attempts to send ## signulls to all domains. ## ## ## ## Domain to not audit. ## ## ## # interface(`domain_dontaudit_signull_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process signull; ') ######################################## ## ## Send a stop signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_sigstop_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process sigstop; ') ######################################## ## ## Send a child terminated signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_sigchld_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process sigchld; ') ######################################## ## ## Send a kill signal to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_kill_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process sigkill; allow $1 self:capability kill; ') ######################################## ## ## Allow unix_read all domains semaphores ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_unix_read_all_semaphores',` gen_require(` attribute domain; ') allow $1 domain:sem unix_read; ') ######################################## ## ## Destroy all domains semaphores ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_destroy_all_semaphores',` gen_require(` attribute domain; ') allow $1 domain:sem destroy; ') ######################################## ## ## Search the process state directory (/proc/pid) of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_search_all_domains_state',` gen_require(` attribute domain; ') kernel_search_proc($1) allow $1 domain:dir search_dir_perms; ') ######################################## ## ## Allow read and view of process kernel keyrings ## ## ## ## Domain to dontaudit. ## ## # interface(`domain_read_view_all_domains_keyrings',` gen_require(` attribute domain; ') allow $1 domain:key { read view}; ') ######################################## ## ## Allow read and write of process kernel keyrings ## ## ## ## Domain to dontaudit. ## ## # interface(`domain_rw_all_domains_keyrings',` gen_require(` attribute domain; ') allow $1 domain:key { read write}; ') ######################################## ## ## Allow manage of process kernel keyrings ## ## ## ## Domain to dontaudit. ## ## # interface(`domain_manage_all_domains_keyrings',` gen_require(` attribute domain; ') allow $1 domain:key manage_key_perms; ') ######################################## ## ## Dontaudit search of process kernel keyrings ## ## ## ## Domain to dontaudit. ## ## # interface(`domain_dontaudit_search_all_domains_keyrings',` gen_require(` attribute domain; ') dontaudit $1 domain:key search; ') ######################################## ## ## Dontaudit link of process kernel keyrings ## ## ## ## Domain to dontaudit. ## ## # interface(`domain_dontaudit_link_all_domains_keyrings',` gen_require(` attribute domain; ') dontaudit $1 domain:key link; ') ######################################## ## ## Do not audit attempts to search the process ## state directory (/proc/pid) of all domains. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_search_all_domains_state',` gen_require(` attribute domain; ') dontaudit $1 domain:dir search_dir_perms; ') ######################################## ## ## Read the process state (/proc/pid) of all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_read_all_domains_state',` gen_require(` attribute domain; ') kernel_search_proc($1) allow $1 domain:dir list_dir_perms; read_files_pattern($1, domain, domain) read_lnk_files_pattern($1, domain, domain) ') ######################################## ## ## Get the attributes of all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_getattr_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process getattr; ') ######################################## ## ## Read the process state (/proc/pid) of all confined domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_read_confined_domains_state',` gen_require(` attribute domain, unconfined_domain_type; ') kernel_search_proc($1) allow $1 { domain -unconfined_domain_type }:dir list_dir_perms; read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) dontaudit $1 unconfined_domain_type:dir search_dir_perms; dontaudit $1 unconfined_domain_type:file read_file_perms; dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; ') ######################################## ## ## Get the attributes of all confined domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_getattr_confined_domains',` gen_require(` attribute domain, unconfined_domain_type; ') allow $1 { domain -unconfined_domain_type }:process getattr; ') ######################################## ## ## Ptrace all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_ptrace_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process ptrace; allow domain $1:process sigchld; ') ######################################## ## ## Do not audit attempts to ptrace all domains. ## ## ##

## Do not audit attempts to ptrace all domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_ptrace_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process ptrace; ') ######################################## ## ## Do not audit attempts to ptrace confined domains. ## ## ##

## Do not audit attempts to ptrace confined domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_ptrace_confined_domains',` gen_require(` attribute domain, unconfined_domain_type; ') dontaudit $1 { domain -unconfined_domain_type }:process ptrace; ') ######################################## ## ## Do not audit attempts to read the process ## state (/proc/pid) of all domains. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_read_all_domains_state',` gen_require(` attribute domain; ') dontaudit $1 domain:dir list_dir_perms; dontaudit $1 domain:lnk_file read_lnk_file_perms; dontaudit $1 domain:file read_file_perms; # cjp: these should be removed: dontaudit $1 domain:sock_file read_sock_file_perms; dontaudit $1 domain:fifo_file read_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read the process state ## directories of all domains. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_list_all_domains_state',` gen_require(` attribute domain; ') dontaudit $1 domain:dir list_dir_perms; ') ######################################## ## ## Get the session ID of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getsession_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process getsession; ') ######################################## ## ## Do not audit attempts to get the ## session ID of all domains. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getsession_all_domains',` gen_require(` attribute domain; ') dontaudit $1 domain:process getsession; ') ######################################## ## ## Get the process group ID of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getpgid_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process getpgid; ') ######################################## ## ## Get the scheduler information of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getsched_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process getsched; ') ######################################## ## ## Get the capability information of all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getcap_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process getcap; ') ######################################## ## ## Get the attributes of all domains ## sockets, for all socket types. ## ## ##

## Get the attributes of all domains ## sockets, for all socket types. ##

##

## This is commonly used for domains ## that can use lsof on all domains. ##

##
## ## ## Domain allowed access. ## ## # interface(`domain_getattr_all_sockets',` gen_require(` attribute domain; ') allow $1 domain:socket_class_set getattr; ') ######################################## ## ## Read/write all domains sockets, for all socket types. ## ## ## ## Domain allowed access. ## ## # interface(`domain_rw_all_sockets',` gen_require(` attribute domain; ') allow $1 domain:socket_class_set { rw_stream_socket_perms }; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ## ## ##

## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ##

##

## This interface was added for PCMCIA cardmgr ## and is probably excessive. ##

##
## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains TCP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_tcp_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:tcp_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains UDP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_udp_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:udp_socket getattr; ') ######################################## ## ## Do not audit attempts to read or write ## all domains UDP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_rw_all_udp_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:udp_socket { read write }; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains IPSEC key management sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_key_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:key_socket getattr; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains packet sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_packet_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:packet_socket getattr; ') ######################################## ## ## Do not audit attempts to get attribues of ## all domains raw sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_raw_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:rawip_socket getattr; ') ######################################## ## ## Do not audit attempts to read or write ## all domains key sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_rw_all_key_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:key_socket { read write }; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_dgram_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:unix_dgram_socket getattr; ') ######################################## ## ## Get the attributes ## of all domains unix datagram sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getattr_all_stream_sockets',` gen_require(` attribute domain; ') allow $1 domain:unix_stream_socket getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_stream_sockets',` gen_require(` attribute domain; ') dontaudit $1 domain:unix_stream_socket getattr; ') ######################################## ## ## Connect to all domains unix stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`domain_connect_all_stream_sockets',` gen_require(` attribute domain; ') allow $1 domain:unix_stream_socket connectto; ') ######################################## ## ## Get the attributes of all domains ## unnamed pipes. ## ## ##

## Get the attributes of all domains ## unnamed pipes. ##

##

## This is commonly used for domains ## that can use lsof on all domains. ##

##
## ## ## Domain allowed access. ## ## # interface(`domain_getattr_all_pipes',` gen_require(` attribute domain; ') allow $1 domain:fifo_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_pipes',` gen_require(` attribute domain; ') dontaudit $1 domain:fifo_file getattr; ') ######################################## ## ## Allow specified type to set context of all ## domains IPSEC associations. ## ## ## ## Domain allowed access. ## ## # interface(`domain_ipsec_setcontext_all_domains',` gen_require(` attribute domain; ') allow $1 domain:association setcontext; ') ######################################## ## ## Get the attributes of entry point ## files for all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_getattr_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:lnk_file read_lnk_file_perms; allow $1 entry_type:file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all entry point files. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_getattr_all_entry_files',` gen_require(` attribute entry_type; ') dontaudit $1 entry_type:file getattr_file_perms; ') ######################################## ## ## Read the entry point files for all domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_read_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:lnk_file read_lnk_file_perms; allow $1 entry_type:file read_file_perms; ') ######################################## ## ## Execute the entry point files for all ## domains in the caller domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_exec_all_entry_files',` gen_require(` attribute entry_type; ') can_exec($1, entry_type) ') ######################################## ## ## dontaudit checking for execute on all entry point files ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_exec_all_entry_files',` gen_require(` attribute entry_type; ') dontaudit $1 entry_type:file exec_file_perms; ') ######################################## ## ## Create, read, write, and delete all ## entrypoint files. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`domain_manage_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:file manage_file_perms; ') ######################################## ## ## Relabel from domain types on files if a user managed to mislable ## ## ## ## Domain allowed access. ## ## # interface(`domain_relabelfrom',` gen_require(` attribute domain; ') allow $1 domain:dir_file_class_set relabelfrom_file_perms; ') ######################################## ## ## Relabel to and from all entry point ## file types. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`domain_relabel_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:file relabel_file_perms; ') ######################################## ## ## Mmap all entry point files as executable. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`domain_mmap_all_entry_files',` gen_require(` attribute entry_type; ') allow $1 entry_type:file mmap_exec_file_perms; ') ######################################## ## ## Execute an entry_type in the specified domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # # cjp: added for userhelper interface(`domain_entry_file_spec_domtrans',` gen_require(` attribute entry_type; ') domain_transition_pattern($1, entry_type, $2) ') ######################################## ## ## Ability to mmap a low area of the address ## space conditionally, as configured by ## /proc/sys/vm/mmap_min_addr. ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## ## ## ## Domain allowed access. ## ## # interface(`domain_mmap_low',` gen_require(` attribute mmap_low_domain_type; bool mmap_low_allowed; ') typeattribute $1 mmap_low_domain_type; if ( mmap_low_allowed ) { allow $1 self:memprotect mmap_zero; } ') ######################################## ## ## Ability to mmap a low area of the address ## space unconditionally, as configured ## by /proc/sys/vm/mmap_min_addr. ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## ## ## ## Domain allowed access. ## ## # interface(`domain_mmap_low_uncond',` gen_require(` attribute mmap_low_domain_type; ') typeattribute $1 mmap_low_domain_type; allow $1 self:memprotect mmap_zero; ') ######################################## ## ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) ## ## ## ## Domain allowed access. ## ## # interface(`domain_all_recvfrom_all_domains',` gen_require(` attribute domain; ') corenet_all_recvfrom_labeled($1, domain) ') ######################################## ## ## Send generic signals to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`domain_unconfined_signal',` gen_require(` attribute unconfined_domain_type; ') allow $1 unconfined_domain_type:process signal; ') ######################################## ## ## Named Filetrans Domain. ## ## ## ## Domain allowed access. ## ## # interface(`domain_named_filetrans',` gen_require(` attribute named_filetrans_domain; ') typeattribute $1 named_filetrans_domain; ') ##################################### ## ## named_filetrans_domain stub attribute interface. No access allowed. ## ## ## ## Domain allowed access ## ## # interface(`domain_stub_named_filetrans_domain',` gen_require(` attribute named_filetrans_domain; ') ') ######################################## ## ## Unconfined access to domains. ## ## ## ## Domain allowed access. ## ## # interface(`domain_unconfined',` gen_require(` attribute set_curr_context; attribute can_change_object_identity; attribute unconfined_domain_type; attribute process_uncond_exempt; ') typeattribute $1 unconfined_domain_type; # pass constraints typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; mcs_process_set_categories($1) userdom_filetrans_home_content($1) ') ######################################## ## ## Do not audit attempts to read or write ## all leaked sockets. ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_leaks',` gen_require(` attribute domain; ') dontaudit $1 domain:socket_class_set { read write }; ') ######################################## ## ## Allow caller to transition to any domain ## ## ## ## Domain allowed access. ## ## # interface(`domain_transition_all',` gen_require(` attribute domain; ') allow $1 domain:process transition; ') ######################################## ## ## Do not audit attempts to access check /proc ## ## ## ## Domain to not audit. ## ## # interface(`domain_dontaudit_access_check',` gen_require(` attribute domain; ') dontaudit $1 domain:dir_file_class_set audit_access; ') ######################################## ## ## Allow set resource limits to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_setrlimit_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process setrlimit; ') ######################################## ## ## Allow set resource limits to all domains. ## ## ## ## Domain allowed access. ## ## ## # interface(`domain_rlimitinh_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process rlimitinh; ') ######################################## ## ## Allow all domains noatsecure permission ## ## ## ## Domain allowed access. ## ## # interface(`domain_noatsecure_all_domains',` gen_require(` attribute domain; ') allow $1 domain:process { noatsecure }; ') ###################################### ## ## Allow domain dyntransition to all domains in domain attribute. ## ## ## ## Domain allowed to transition. ## ## # interface(`domain_dyntrans',` gen_require(` attribute domain; ') dyntrans_pattern($1, domain) ') ######################################## ## ## Allow read and write perf_event file descriptors from all domains ## ## ## ## Domain allowed access. ## ## # interface(`domain_rw_perf_event_all_domains',` gen_require(` attribute domain; ') allow $1 domain:perf_event rw_inherited_perf_event_perms; ')