## ## Policy for kernel security interface, in particular, selinuxfs. ## ## ## Contains the policy for the kernel SELinux security interface. ## ######################################## ## ## Make the specified type used for labeling SELinux Booleans. ## This interface is only usable in the base module. ## ## ##

## Make the specified type used for labeling SELinux Booleans. ##

##

## This makes use of genfscon statements, which are only ## available in the base module. Thus any module which calls this ## interface must be included in the base module. ##

##
## ## ## Type used for labeling a Boolean. ## ## ## ## ## Name of the Boolean. ## ## # interface(`selinux_labeled_boolean',` gen_require(` attribute boolean_type; ') typeattribute $1 boolean_type; # because of this statement, any module which # calls this interface must be in the base module: # genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) ') ######################################## ## ## Get the mountpoint of the selinuxfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_get_fs_mount',` gen_require(` type security_t; ') allow $1 security_t:lnk_file read_lnk_file_perms; dev_getattr_sysfs_fs($1) dev_search_sysfs($1) # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs allow $1 security_t:filesystem getattr; # read /proc/filesystems to see if selinuxfs is supported # then read /proc/self/mount to see where selinuxfs is mounted kernel_read_system_state($1) ') ######################################## ## ## Do not audit attempts to get the mountpoint ## of the selinuxfs filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`selinux_dontaudit_get_fs_mount',` gen_require(` type security_t; ') # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:filesystem getattr; # read /proc/filesystems to see if selinuxfs is supported # then read /proc/self/mount to see where selinuxfs is mounted kernel_dontaudit_read_system_state($1) ') ######################################## ## ## Mount the selinuxfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_mount_fs',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem mount; ') ######################################## ## ## Remount the selinuxfs filesystem. ## This allows some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_remount_fs',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem remount; ') ######################################## ## ## Unmount the selinuxfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_unmount_fs',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem unmount; ') ######################################## ## ## Get the attributes of the selinuxfs filesystem ## ## ## ## Domain allowed access. ## ## # interface(`selinux_getattr_fs',` gen_require(` type security_t; ') allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of the selinuxfs filesystem ## ## ## ## Domain to not audit. ## ## # interface(`selinux_dontaudit_getattr_fs',` gen_require(` type security_t; ') dontaudit $1 security_t:filesystem getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of the selinuxfs directory. ## ## ## ## Domain to not audit. ## ## # interface(`selinux_dontaudit_getattr_dir',` gen_require(` type security_t; ') dontaudit $1 security_t:dir getattr; ') ######################################## ## ## Search selinuxfs. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_search_fs',` gen_require(` type security_t; ') dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir search_dir_perms; optional_policy(` seutil_search_config($1) ') ') ######################################## ## ## Do not audit attempts to search selinuxfs. ## ## ## ## Domain to not audit. ## ## # interface(`selinux_dontaudit_search_fs',` gen_require(` type security_t; ') dontaudit $1 security_t:dir search_dir_perms; ') ######################################## ## ## Mount on selinuxfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_mounton_fs',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir mounton; ') ######################################## ## ## Do not audit attempts to read ## generic selinuxfs entries ## ## ## ## Domain to not audit. ## ## # interface(`selinux_dontaudit_read_fs',` gen_require(` type security_t; ') selinux_dontaudit_getattr_fs($1) dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') ######################################## ## ## Allows the caller to get the mode of policy enforcement ## (enforcing or permissive mode). ## ## ## ## Domain allowed access. ## ## ## # interface(`selinux_get_enforce_mode',` gen_require(` type security_t; ') dev_search_sysfs($1) selinux_get_fs_mount($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file mmap_read_file_perms; allow $1 security_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). ## ## ##

## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). ##

##

## Since this is a security event, this action is ## always audited. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_setenforce; ') ######################################## ## ## Allow caller to load the policy into the kernel. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:lnk_file read_lnk_file_perms; typeattribute $1 can_load_policy; ') ######################################## ## ## Allow caller to read the policy from the kernel. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_read_policy',` gen_require(` type security_t; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:security read_policy; ') ######################################## ## ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. (Deprecated) ## ## ##

## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. ##

##

## Since this is a security event, this action is ## always audited. ##

##

## This interface has been deprecated. Please use ## selinux_set_generic_booleans() or selinux_set_all_booleans() ## instead. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`selinux_set_boolean',` refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.') selinux_set_generic_booleans($1) ') ######################################## ## ## Allow caller to set the state of generic Booleans to ## enable or disable conditional portions of the policy. ## ## ##

## Allow caller to set the state of generic Booleans to ## enable or disable conditional portions of the policy. ##

##

## Since this is a security event, this action is ## always audited. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`selinux_set_generic_booleans',` gen_require(` type security_t; attribute can_setbool; ') typeattribute $1 can_setbool; dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; ') ######################################## ## ## Allow caller to set the state of all Booleans to ## enable or disable conditional portions of the policy. ## ## ##

## Allow caller to set the state of all Booleans to ## enable or disable conditional portions of the policy. ##

##

## Since this is a security event, this action is ## always audited. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; attribute can_setbool; ') typeattribute $1 can_setbool; dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 boolean_type:dir list_dir_perms; allow $1 boolean_type:file rw_file_perms; ') ######################################## ## ## Allow caller to set SELinux access vector cache parameters. ## ## ##

## Allow caller to set SELinux access vector cache parameters. ## The allows the domain to set performance related parameters ## of the AVC, such as cache threshold. ##

##

## Since this is a security event, this action is ## always audited. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`selinux_set_parameters',` gen_require(` type security_t; attribute can_setsecparam; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; auditallow $1 security_t:security setsecparam; typeattribute $1 can_setsecparam; ') ######################################## ## ## Allows caller to validate security contexts. ## ## ## ## Domain allowed access. ## ## ## # interface(`selinux_validate_context',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file { map rw_file_perms }; allow $1 security_t:security check_context; ') ######################################## ## ## Do not audit attempts to validate security contexts. ## ## ## ## Domain to not audit. ## ## ## # interface(`selinux_dontaudit_validate_context',` gen_require(` type security_t; ') dontaudit $1 security_t:dir list_dir_perms; dontaudit $1 security_t:file rw_file_perms; dontaudit $1 security_t:security check_context; ') ######################################## ## ## Allows caller to compute an access vector. ## ## ## ## Domain allowed access. ## ## ## # interface(`selinux_compute_access_vector',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; ') ######################################## ## ## Calculate the default type for object creation. ## ## ## ## Domain allowed access. ## ## ## # interface(`selinux_compute_create_context',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; ') ######################################## ## ## Allows caller to compute polyinstatntiated ## directory members. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_compute_member',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; ') ######################################## ## ## Calculate the context for relabeling objects. ## ## ##

## Calculate the context for relabeling objects. ## This is determined by using the type_change ## rules in the policy, and is generally used ## for determining the context for relabeling ## a terminal when a user logs in. ##

##
## ## ## Domain allowed access. ## ## # interface(`selinux_compute_relabel_context',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; ') ######################################## ## ## Allows caller to setcheckreqprot ## ## ## ## Domain allowed access. ## ## # interface(`selinux_setcheckreqprot',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setcheckreqprot; ') ######################################## ## ## Allows caller to compute possible contexts for a user. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_compute_user_contexts',` gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; ') ######################################## ## ## Unconfined access to the SELinux kernel security server. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_unconfined',` gen_require(` attribute selinux_unconfined_type; ') typeattribute $1 selinux_unconfined_type; selinux_set_all_booleans($1) selinux_load_policy($1) selinux_set_parameters($1) selinux_set_enforce_mode($1) ') ######################################## ## ## Generate a file context for a boolean type ## ## ## ## Domain allowed access. ## ## # interface(`selinux_genbool',` gen_require(` attribute boolean_type; ') type $1; typeattribute $1 boolean_type; fs_type($1) mls_trusted_object($1) ') ######################################## ## ## Allow caller to read security_t files. ## ## ## ## Domain allowed access. ## ## # interface(`selinux_read_security_files',` gen_require(` type security_t; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ')