policy_module(domain, 1.11.0)

########################################
#
# Declarations
#
# Base "domain" module: declares the attribute that every process type
# carries, the attributes consumed by the identity/role constraints, and
# (further down) the rules every domain receives unconditionally.  Anything
# granted here widens the baseline of every confined and unconfined
# process, so additions deserve more scrutiny than in a per-service module.

# NOTE(review): the next three gen_tunable() lines are commented out, yet
# domain_fd_use, fips_mode and domain_kernel_load_modules are still used in
# tunable_policy() blocks later in this file.  Presumably they are declared
# in the distribution's global tunables -- confirm before relying on the
# defaults shown here.

## <desc>
## <p>
## Allow all domains to use other domains file descriptors
## </p>
## </desc>
# gen_tunable(domain_fd_use, true)

## <desc>
## <p>
## Allow all domains to execute in fips_mode
## </p>
## </desc>
# gen_tunable(fips_mode, true)

## <desc>
## <p>
## Allow all domains to have the kernel load modules
## </p>
## </desc>
# gen_tunable(domain_kernel_load_modules, true)

## <desc>
## <p>
## Control the ability to mmap a low area of the address space,
## as configured by /proc/sys/vm/mmap_min_addr.
## </p>
## </desc>
# NOTE(review): mmap_low_allowed is declared here but not referenced in this
# file; presumably it is consumed by an interface in the module's .if file.
gen_tunable(mmap_low_allowed, false)

## <desc>
## <p>
## Allow all domains write to kmsg_device,
## while kernel is executed with systemd.log_target=kmsg parameter.
## </p>
## </desc>
gen_tunable(domain_can_write_kmsg, false)

## <desc>
## <p>
## Allow any process to mmap any file on system with attribute file_type.
## </p>
## </desc>
# Default off: turning this on gives every domain map access to every
# file_type object, which sidesteps the per-type map restrictions that
# individual modules rely on.
gen_tunable(domain_can_mmap_files, false)

# Mark process types as domains
attribute domain;
attribute named_filetrans_domain;

# Transitions only allowed from domains to other domains
# (a module that allows a transition into a non-domain type fails to build)
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined
attribute unconfined_domain_type;

# Domains that can mmap low memory.
# Only types carrying mmap_low_domain_type may receive memprotect mmap_zero;
# the neverallow makes any other grant a compile-time error.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# enabling setcurrent breaks process tranquility.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#
# The numbered attributes below are referenced by the policy's constraint
# definitions (not visible in this file); they control who may change the
# SELinux user/role part of a context on transition, create or relabel.
#

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt;	# add userhelperdomain to this one

# process-class permissions may only exist between domain types; unlabeled_t
# is exempted on both sides.  Any module granting process access to or from
# a non-domain type fails to build.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

########################################
#
# Rules applied to all domains
#

# read /proc/(pid|self) entries
allow domain self:dir { list_dir_perms watch_dir_perms };
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
allow domain self:fifo_file rw_fifo_file_perms;
allow domain self:sem create_sem_perms;
allow domain self:shm create_shm_perms;

kernel_userfaultfd_domtrans(domain)
kernel_io_uring_domtrans(domain)
kernel_getattr_proc(domain)
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)
kernel_read_usermodehelper_state(domain)
kernel_read_vm_overcommit_sysctls(domain)

# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
kernel_dontaudit_search_debugfs(domain)

# create child processes in the domain
allow domain self:process { getcap fork getsched signal_perms };

# Use trusted objects in /dev
dev_read_cpu_online(domain)
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# Allow all domains stat /sys. It is needed by services reading hardware
# state information, but there is no harm to allow it to all domains in general.
dev_getattr_sysfs_fs(domain)

# Allow all domains to read /dev/urandom. It is needed by all apps/services
# linked to libgcrypt. There is no harm to allow it by default.
dev_read_urand(domain)

# list the root directory
files_list_root(domain)

# allow all domains to search through base_file_type directory, since users
# sometimes place labels within these directories. (samba_share_t) for example.
files_search_base_file_types(domain)

files_read_inherited_tmp_files(domain)
files_append_inherited_tmp_files(domain)
files_mmap_usr_files(domain)
files_read_all_base_ro_files(domain)
files_dontaudit_getattr_kernel_symbol_table(domain)
files_dontaudit_map_all_dirs(domain)

# Executing a socket is nonsense, yet such access checks can technically
# happen, so dontaudit them
files_dontaudit_execute_all_sockets(domain)

fs_dontaudit_map_all_dirs(domain)

# All executables should be able to search the directory they are in
corecmd_search_bin(domain)

optional_policy(`
	userdom_search_admin_dir(domain)
')

tunable_policy(`domain_can_write_kmsg',`
	dev_write_kmsg(domain)
')

tunable_policy(`domain_kernel_load_modules',`
	kernel_request_load_module(domain)
')

# Off by default: when enabled, every domain may map any file_type object
# (regular, character, block and symlink inodes), bypassing per-type limits.
tunable_policy(`domain_can_mmap_files',`
	allow domain file_type:file map;
	allow domain file_type:chr_file map;
	allow domain file_type:blk_file map;
	allow domain file_type:lnk_file map;
')

# hide_broken_symptoms blocks silence known-spurious denials.  dontaudit
# rules remove events from the audit log entirely, so when an expected AVC
# is missing during an investigation, rebuild the policy with dontaudit
# rules disabled (semodule -DB) to see them.
ifdef(`hide_broken_symptoms',`
	# This check is in the general socket
	# listen code, before protocol-specific
	# listen function is called, so bad calls
	# to listen on UDP sockets should be silenced
	dontaudit domain self:udp_socket listen;
')

# Redundant with the unconditional dev_read_urand(domain) above; kept for
# the historical SSP tunable.
tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	dev_read_urand(domain)
')

optional_policy(`
	afs_rw_cache(domain)
')

optional_policy(`
	libs_use_ld_so(domain)
	libs_use_shared_libs(domain)
	libs_read_lib_files(domain)
')

optional_policy(`
	miscfiles_read_localization(domain)
	miscfiles_read_man_pages(domain)
	miscfiles_read_fonts(domain)
')

optional_policy(`
	setrans_translate_context(domain)
')

# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
optional_policy(`
	xserver_dontaudit_use_xdm_fds(domain)
	xserver_dontaudit_rw_xdm_pipes(domain)
	xserver_dontaudit_append_xdm_home_files(domain)
	xserver_dontaudit_write_log(domain)
	xserver_dontaudit_xdm_rw_stream_sockets(domain)
')

########################################
#
# Unconfined access to this module
#
# Everything in this section is granted to every type carrying
# unconfined_domain_type, over every type carrying domain.  A type given
# unconfined_domain_type is therefore trusted with io_uring, bpf, sockets,
# descriptors and IPC of all other processes; audit which types get the
# attribute rather than the individual rules below.
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.

# allow special io_uring features
allow unconfined_domain_type domain:io_uring { cmd override_creds };
allow unconfined_domain_type self:io_uring sqpoll;
dev_io_uring_cmd_on_all_dev_nodes(unconfined_domain_type)
files_io_uring_cmd_on_all_files(unconfined_domain_type)

# allow using the user_namespace class
allow unconfined_domain_type self:user_namespace create;

# Use bpf tools
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };

allow unconfined_domain_type self:lnk_file setattr;

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:system all_system_perms;

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

allow unconfined_domain_type unconfined_domain_type:dbus send_msg;

# Act upon any other process.
# Every process permission except the ones listed: transitions stay under
# the neverallow rules at the top of the file, and the exec* memory
# permissions and ptrace are handled separately (ptrace just below).
allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };

# ptrace over every domain is granted only while deny_ptrace is off (the
# "true" branch is deliberately empty).  deny_ptrace is not declared in this
# file; presumably it is a global tunable.
tunable_policy(`deny_ptrace',`',`
	allow unconfined_domain_type domain:process ptrace;
')

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
allow unconfined_domain_type domain:dir { list_dir_perms watch_dir_perms };
allow unconfined_domain_type domain:file manage_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

# act on all domains keys
allow unconfined_domain_type domain:key *;

allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms;

kernel_manage_perf_event(unconfined_domain_type)
kernel_userfaultfd_use(unconfined_domain_type)
kernel_io_uring_use(unconfined_domain_type)

# Named file transitions: types carrying named_filetrans_domain get the
# per-module filename-based default labels so that files created at known
# paths land on the right type without a relabel.
corenet_filetrans_all_named_dev(named_filetrans_domain)
dev_filetrans_all_named_dev(named_filetrans_domain)

# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)

files_filetrans_named_content(named_filetrans_domain)
files_filetrans_system_conf_named_files(named_filetrans_domain)
files_config_all_files(unconfined_domain_type)
dev_config_null_dev_service(unconfined_domain_type)

optional_policy(`
	miscfiles_filetrans_named_content_letsencrypt(unconfined_domain_type)
')

optional_policy(`
	kdump_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	fstools_filetrans_named_content_fsadm(named_filetrans_domain)
')

optional_policy(`
	ipa_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	locallogin_filetrans_home_content(named_filetrans_domain)
')

optional_policy(`
	mandb_filetrans_named_home_content(named_filetrans_domain)
')

optional_policy(`
	ppp_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	snapper_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	seutil_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	wine_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	storage_filetrans_all_named_dev(named_filetrans_domain)
')

term_filetrans_all_named_dev(named_filetrans_domain)

# Service management (enable/disable/reload/status/reboot/halt) for
# unconfined domains; depends on the init module being present.
optional_policy(`
	init_disable_services(unconfined_domain_type)
	init_enable_services(unconfined_domain_type)
	init_reload_services(unconfined_domain_type)
	init_status(unconfined_domain_type)
	init_reboot(unconfined_domain_type)
	init_halt(unconfined_domain_type)
	init_undefined(unconfined_domain_type)
	init_filetrans_named_content(named_filetrans_domain)
')

# Allow manage transient unit files
optional_policy(`
	init_start_transient_unit(unconfined_domain_type)
	init_stop_transient_unit(unconfined_domain_type)
	init_status_transient_unit(unconfined_domain_type)
	init_reload_transient_unit(unconfined_domain_type)
	init_enable_transient_unit(unconfined_domain_type)
	init_disable_transient_unit(unconfined_domain_type)
')

optional_policy(`
	libs_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	auth_filetrans_named_content(named_filetrans_domain)
	auth_filetrans_admin_home_content(named_filetrans_domain)
')

optional_policy(`
	libs_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	logging_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	miscfiles_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	abrt_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	alsa_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	apache_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	apcupsd_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	bootloader_filetrans_config(named_filetrans_domain)
')

optional_policy(`
	clock_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	cups_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	cvs_filetrans_home_content(named_filetrans_domain)
')

optional_policy(`
	dbus_filetrans_named_content_system(named_filetrans_domain)
')

optional_policy(`
	devicekit_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	dnsmasq_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	gnome_filetrans_admin_home_content(named_filetrans_domain)
')

optional_policy(`
	iscsi_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	iptables_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	kerberos_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	mta_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	mplayer_filetrans_home_content(named_filetrans_domain)
')

optional_policy(`
	modules_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	mysql_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	networkmanager_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	ntp_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	nx_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	plymouthd_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	postgresql_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	postfix_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	prelink_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	pulseaudio_filetrans_admin_home_content(named_filetrans_domain)
')

optional_policy(`
	quota_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	rpcbind_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	rsync_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	sysnet_filetrans_named_content(named_filetrans_domain)
	sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
	sysnet_filetrans_named_content(unconfined_domain_type)
	sysnet_filetrans_named_content_ifconfig(unconfined_domain_type)
')

# Note the mix of targets in this block: the chat/write/dontaudit calls are
# granted to every domain, the login calls only to unconfined domains.
optional_policy(`
	systemd_chat_resolved(domain)
	systemd_login_status(unconfined_domain_type)
	systemd_login_reboot(unconfined_domain_type)
	systemd_login_halt(unconfined_domain_type)
	systemd_login_undefined(unconfined_domain_type)
	systemd_resolved_write_pid_sock_files(domain)
	systemd_filetrans_named_content(named_filetrans_domain)
	systemd_filetrans_named_hostname(named_filetrans_domain)
	systemd_filetrans_home_content(named_filetrans_domain)
	systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
')

optional_policy(`
	sssd_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	tftp_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file })
')

optional_policy(`
	ssh_filetrans_admin_home_content(named_filetrans_domain)
	ssh_filetrans_keys(unconfined_domain_type)
')

optional_policy(`
	userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
')

optional_policy(`
	virt_filetrans_named_content(named_filetrans_domain)
')

# Back to rules for every domain: selinuxfs access is getattr/search only,
# with reads silenced rather than granted.
selinux_getattr_fs(domain)
selinux_search_fs(domain)
selinux_dontaudit_read_fs(domain)

optional_policy(`
	seutil_dontaudit_read_config(domain)
')

optional_policy(`
	init_sigchld(domain)
	init_signull(domain)
	init_read_machineid(domain)
')

ifdef(`distro_redhat',`
	files_search_mnt(domain)
')

# these seem questionable:

optional_policy(`
	abrt_domtrans_helper(domain)
	abrt_read_pid_files(domain)
	abrt_read_state(domain)
	abrt_signull(domain)
	abrt_append_cache(domain)
	abrt_rw_fifo_file(domain)
')

optional_policy(`
	# This is needed purely for rpm-ostree (after --apply-live).
	# It should be removed when/if it gets its own policy.
	anaconda_fd_use(domain)
')

optional_policy(`
	# A workaround to handle additional permissions check
	# introduced as an involuntary result of a kernel change
	automount_write_pipes(domain)
')

optional_policy(`
	sosreport_append_tmp_files(domain)
')

# When domain_fd_use is on, descriptors can be passed between any two
# domains; per-domain fd isolation then rests on the fd being passed at all,
# not on policy.  The tunable's declaration is not in this file.
tunable_policy(`domain_fd_use',`
	# Allow all domains to use fds past to them
	allow domain domain:fd use;
')

optional_policy(`
	cron_dontaudit_write_system_job_tmp_files(domain)
	cron_rw_pipes(domain)
	cron_rw_system_job_pipes(domain)
')

optional_policy(`
	devicekit_dbus_chat_power(domain)
')

# Unlike the dontaudit lines around it, the key rule in this block is a real
# allow: every domain may link and search every other domain's keys whenever
# hide_broken_symptoms is defined.  Keep that in mind when reasoning about
# keyring isolation on such builds.
ifdef(`hide_broken_symptoms',`
	dontaudit domain self:capability { net_admin };
	dontaudit domain self:udp_socket listen;
	allow domain domain:key { link search };
	dontaudit domain domain:socket_class_set { read write };
	dontaudit domain self:capability sys_module;
')

optional_policy(`
	ica_filetrans_named_content(domain)
')

optional_policy(`
	ipsec_match_default_spd(domain)
')

optional_policy(`
	miscfiles_read_pkcs11_modules(domain)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		afs_rw_udp_sockets(domain)
	')
')

optional_policy(`
	rolekit_dbus_chat(domain)
')

optional_policy(`
	vmtools_unconfined_dbus_chat(domain)
')

optional_policy(`
	ssh_rw_pipes(domain)
')

optional_policy(`
	unconfined_dontaudit_rw_pipes(domain)
	unconfined_server_dontaudit_rw_pipes(domain)
	unconfined_sigchld(domain)
')

# broken kernel
dontaudit can_change_object_identity can_change_object_identity:key link;

dontaudit domain self:file create;

ifdef(`distro_redhat',`
	optional_policy(`
		unconfined_use_fds(domain)
	')
')

# these seem questionable:
optional_policy(`
	puppet_rw_tmp(domain)
')

# Silence the inheritance checks made on every transition between domains.
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;

optional_policy(`
	rkhunter_append_lib_files(domain)
')

optional_policy(`
	rpm_rw_script_inherited_pipes(domain)
	rpm_use_fds(domain)
	rpm_read_pipes(domain)
	rpm_search_log(domain)
	rpm_append_tmp_files(domain)
	rpm_dontaudit_leaks(domain)
	rpm_read_script_tmp_files(domain)
	rpm_named_filetrans(named_filetrans_domain)
')

# fips_mode: every domain gets full fifo management and kernel sysctl reads.
# The tunable's declaration is commented out at the top of this file.
tunable_policy(`fips_mode',`
	allow domain self:fifo_file manage_fifo_file_perms;
	kernel_read_kernel_sysctls(domain)
')

optional_policy(`
	tunable_policy(`fips_mode',`
		prelink_exec(domain)
	')
')

optional_policy(`
	container_spc_stream_connect(domain)
')