## ## Policy for kernel threads, proc filesystem, ## and unlabeled processes and objects. ## ## ## This module has initial SIDs. ## ######################################## ## ## Allows to start userland processes ## by transitioning to the specified domain. ## ## ## ## The process type entered by kernel. ## ## ## ## ## The executable type for the entrypoint. ## ## # interface(`kernel_domtrans_to',` gen_require(` type kernel_t; ') domtrans_pattern(kernel_t, $2, $1) ') ######################################## ## ## Allows to start userland processes ## by transitioning to the specified domain, ## with a range transition. ## ## ## ## The process type entered by kernel. ## ## ## ## ## The executable type for the entrypoint. ## ## ## ## ## Range for the domain. ## ## # interface(`kernel_ranged_domtrans_to',` gen_require(` type kernel_t; ') kernel_domtrans_to($1, $2) ifdef(`enable_mcs',` range_transition kernel_t $2:process $3; ') ifdef(`enable_mls',` range_transition kernel_t $2:process $3; mls_rangetrans_target($1) ') ') ######################################## ## ## Allows the kernel to mount filesystems on ## the specified directory type. ## ## ## ## The type of the directory to use as a mountpoint. ## ## # interface(`kernel_rootfs_mountpoint',` gen_require(` type kernel_t; ') allow kernel_t $1:dir mounton; ') ######################################## ## ## Set the process group of kernel threads. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_setpgid',` gen_require(` type kernel_t; ') allow $1 kernel_t:process setpgid; ') ######################################## ## ## Set the priority of kernel threads. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_setsched',` gen_require(` type kernel_t; ') allow $1 kernel_t:process setsched; ') ######################################## ## ## Dontaudit attempts to set the priority of kernel threads. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_setsched',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:process setsched; ') ######################################## ## ## Get scheduling policy and attributes of kernel threads. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_getsched',` gen_require(` type kernel_t; ') allow $1 kernel_t:process getsched; ') ######################################## ## ## Send a SIGCHLD signal to kernel threads. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_sigchld',` gen_require(` type kernel_t; ') allow $1 kernel_t:process sigchld; ') ######################################## ## ## Send a kill signal to kernel threads. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_kill',` gen_require(` type kernel_t; ') allow $1 kernel_t:process sigkill; ') ######################################## ## ## Send a generic signal to kernel threads. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_signal',` gen_require(` type kernel_t; ') allow $1 kernel_t:process signal; ') ######################################## ## ## Send signull to kernel threads. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_signull',` gen_require(` type kernel_t; ') allow $1 kernel_t:process signull; ') ######################################## ## ## Allows the kernel to share state information with ## the caller. ## ## ## ## The type of the process with which to share state information. ## ## # interface(`kernel_share_state',` gen_require(` type kernel_t; ') allow kernel_t $1:process share; ') ######################################## ## ## Permits caller to use kernel file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_use_fds',` gen_require(` type kernel_t; ') allow $1 kernel_t:fd use; ') ######################################## ## ## Do not audit attempts to use ## kernel file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_use_fds',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:fd use; ') ######################################## ## ## Read and write kernel unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_pipes',` gen_require(` type kernel_t; ') allow $1 kernel_t:fifo_file { read write }; ') ######################################## ## ## Connect to kernel using a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_stream_connect',` gen_require(` type kernel_t; ') allow $1 kernel_t:unix_stream_socket { getattr connectto }; ') ######################################## ## ## Read and write kernel unix datagram sockets. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unix_dgram_sockets',` gen_require(` type kernel_t; ') allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl }; ') ######################################## ## ## Send messages to kernel unix datagram sockets. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_dgram_send',` gen_require(` type kernel_t; ') allow $1 kernel_t:unix_dgram_socket sendto; ') ######################################## ## ## Receive messages from kernel TCP sockets. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`kernel_tcp_recvfrom',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Send UDP network traffic to the kernel. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`kernel_udp_send',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Receive messages from kernel UDP sockets. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`kernel_udp_recvfrom',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Allows caller to load kernel modules ## ## ## ## Domain allowed access. ## ## # interface(`kernel_load_module',` gen_require(` attribute can_load_kernmodule; ') typeattribute $1 can_load_kernmodule; ') ######################################## ## ## Allows caller to load unsigned kernel modules ## ## ## ## Domain allowed access. ## ## # interface(`kernel_load_unsigned_module',` kernel_load_module($1) ') ######################################## ## ## Allow search the kernel key ring. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_search_key',` gen_require(` type kernel_t; ') allow $1 kernel_t:key search; ') ######################################## ## ## dontaudit search the kernel key ring. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_search_key',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:key search; ') ######################################## ## ## Allow link to the kernel key ring. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_link_key',` gen_require(` type kernel_t; ') allow $1 kernel_t:key link; ') ######################################## ## ## dontaudit link to the kernel key ring. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_link_key',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:key link; ') ######################################## ## ## Allow read, view, and write the kernel key ring. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_key',` gen_require(` type kernel_t; ') allow $1 kernel_t:key { read view write }; ') ######################################## ## ## Allow read the kernel key ring. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_key',` gen_require(` type kernel_t; ') allow $1 kernel_t:key read; ') ######################################## ## ## Allow view the kernel key ring. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_view_key',` gen_require(` type kernel_t; ') allow $1 kernel_t:key view; ') ######################################## ## ## dontaudit view the kernel key ring. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_view_key',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:key view; ') ######################################## ## ## Allow to set attributes on the kernel key ring. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_setattr_key',` gen_require(` type kernel_t; ') allow $1 kernel_t:key setattr; ') ######################################## ## ## Allows caller to read the ring buffer. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_ring_buffer',` gen_require(` type kernel_t; ') allow $1 self:capability2 syslog; allow $1 kernel_t:system syslog_read; ') ######################################## ## ## Do not audit attempts to read the ring buffer. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_read_ring_buffer',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:system syslog_read; ') ######################################## ## ## Change the level of kernel messages logged to the console. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_change_ring_buffer_level',` gen_require(` type kernel_t; ') allow $1 self:capability2 syslog; allow $1 kernel_t:system syslog_console; ifdef(`distro_rhel4',` allow $1 self:capability sys_admin; ') ifdef(`distro_rhel5',` allow $1 self:capability sys_admin; ') ') ######################################## ## ## Allows the caller to clear the ring buffer. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_clear_ring_buffer',` gen_require(` type kernel_t; ') allow $1 self:capability2 syslog; allow $1 kernel_t:system syslog_mod; ifdef(`distro_rhel4',` allow $1 self:capability sys_admin; ') ifdef(`distro_rhel5',` allow $1 self:capability sys_admin; ') ') ######################################## ## ## Allows caller to request the kernel to load a module ## ## ##

## Allow the specified domain to request that the kernel ## load a kernel module. An example of this is the ## auto-loading of network drivers when doing an ## ioctl() on a network interface. ##

##

## In the specific case of a module loading request ## on a network interface, the domain will also ## need the net_admin capability. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_request_load_module',` gen_require(` type kernel_t; ') allow $1 kernel_t:system module_request; ') ######################################## ## ## Do not audit requests to the kernel to load a module. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_request_load_module',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:system module_request; ') ######################################## ## ## Get information on all System V IPC objects. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_get_sysvipc_info',` gen_require(` type kernel_t; ') allow $1 kernel_t:system ipc_info; ') ######################################## ## ## Get the attributes of a kernel debugging filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_getattr_debugfs',` gen_require(` type debugfs_t; ') allow $1 debugfs_t:filesystem getattr; ') ######################################## ## ## Mount a kernel debugging filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mount_debugfs',` gen_require(` type debugfs_t; ') allow $1 debugfs_t:filesystem mount; ') ######################################## ## ## Unmount a kernel debugging filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_unmount_debugfs',` gen_require(` type debugfs_t; ') allow $1 debugfs_t:filesystem unmount; ') ######################################## ## ## Remount a kernel debugging filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_remount_debugfs',` gen_require(` type debugfs_t; ') allow $1 debugfs_t:filesystem remount; ') ######################################## ## ## Search the contents of a kernel debugging filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_search_debugfs',` gen_require(` type debugfs_t; ') search_dirs_pattern($1, debugfs_t, debugfs_t) ') ######################################## ## ## Do not audit attempts to search the kernel debugging filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_search_debugfs',` gen_require(` type debugfs_t; ') dontaudit $1 debugfs_t:dir search_dir_perms; ') ######################################## ## ## Read information from the debugging filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_debugfs',` gen_require(` type debugfs_t; ') read_files_pattern($1, debugfs_t, debugfs_t) read_lnk_files_pattern($1, debugfs_t, debugfs_t) list_dirs_pattern($1, debugfs_t, debugfs_t) ') ######################################## ## ## Do not audit attempts to write kernel debugging filesystem dirs. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_write_debugfs_dirs',` gen_require(` type debugfs_t; ') dontaudit $1 debugfs_t:dir write; ') ######################################## ## ## Manage information from the debugging filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_manage_debugfs',` gen_require(` type debugfs_t; ') manage_files_pattern($1, debugfs_t, debugfs_t) manage_dirs_pattern($1,debugfs_t, debugfs_t) read_lnk_files_pattern($1, debugfs_t, debugfs_t) ') ######################################## ## ## Mount a kernel VM filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mount_kvmfs',` gen_require(` type kvmfs_t; ') allow $1 kvmfs_t:filesystem mount; ') ######################################## ## ## Mount the proc filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mount_proc',` gen_require(` type proc_t; ') allow $1 proc_t:filesystem mount; ') ######################################## ## ## Unmount the proc filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_unmount_proc',` gen_require(` type proc_t; ') allow $1 proc_t:filesystem unmount; ') ######################################## ## ## Mounton a proc filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mounton_proc',` gen_require(` type proc_t; ') allow $1 proc_t:dir mounton; ') ######################################## ## ## Get the attributes of the proc filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_getattr_proc',` gen_require(` type proc_t; ') allow $1 proc_t:filesystem getattr; ') ######################################## ## ## Do not audit attempts to set the ## attributes of directories in /proc. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_setattr_proc_dirs',` gen_require(` type proc_t; ') dontaudit $1 proc_t:dir setattr; ') ######################################## ## ## Do not audit attempts to set the ## attributes of files in /proc. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_setattr_proc_files',` gen_require(` type proc_t; ') dontaudit $1 proc_t:file setattr; ') ######################################## ## ## Search directories in /proc. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_search_proc',` gen_require(` type proc_t; ') search_dirs_pattern($1, proc_t, proc_t) ') ######################################## ## ## List the contents of directories in /proc. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_list_proc',` gen_require(` type proc_t; ') list_dirs_pattern($1, proc_t, proc_t) ') ######################################## ## ## Do not audit attempts to list the ## contents of directories in /proc. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_list_proc',` gen_require(` type proc_t; ') dontaudit $1 proc_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to write the ## directories in /proc. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_write_proc_dirs',` gen_require(` type proc_t; ') dontaudit $1 proc_t:dir write; ') ######################################## ## ## Get the attributes of files in /proc. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_getattr_proc_files',` gen_require(` type proc_t; ') getattr_files_pattern($1, proc_t, proc_t) ') ######################################## ## ## Read generic files in /proc. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_proc_files',` gen_require(` type proc_t; ') read_files_pattern($1, proc_t, proc_t) ') ######################################## ## ## Read generic symbolic links in /proc. ## ## ##

## Allow the specified domain to read (follow) generic ## symbolic links (symlinks) in the proc filesystem (/proc). ## This interface does not include access to the targets of ## these links. An example symlink is /proc/self. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_proc_symlinks',` gen_require(` type proc_t; ') read_lnk_files_pattern($1, proc_t, proc_t) ') ######################################## ## ## Allows caller to read system state information in /proc. ## ## ##

## Allow the specified domain to read general system ## state information from the proc filesystem (/proc). ##

##

## Generally it should be safe to allow this access. Some ## example files that can be read based on this interface: ##

##
    ##
  • /proc/cpuinfo
  • ##
  • /proc/meminfo
  • ##
  • /proc/uptime
  • ##
##

## This does not allow access to sysctl entries (/proc/sys/*) ## nor process state information (/proc/pid). ##

##
## ## ## Domain allowed access. ## ## ## ## # interface(`kernel_read_system_state',` gen_require(` attribute kernel_system_state_reader; ') typeattribute $1 kernel_system_state_reader; ') ######################################## ## ## Write to generic proc entries. ## ## ## ## Domain allowed access. ## ## ## # # cjp: this should probably go away. any # file thats writable in proc should really # have its own label. # interface(`kernel_write_proc_files',` gen_require(` type proc_t; ') write_files_pattern($1, proc_t, proc_t) ') ######################################## ## ## Do not audit attempts to write the ## file in /proc. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_write_proc_files',` gen_require(` type proc_t; ') dontaudit $1 proc_t:file write; ') ######################################## ## ## Do not audit attempts to check the ## access on generic proc entries. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_access_check_proc',` gen_require(` type proc_t; ') dontaudit $1 proc_t:dir_file_class_set audit_access; ') ######################################## ## ## Do not audit attempts by caller to ## read system state information in proc. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_read_system_state',` gen_require(` type proc_t; ') dontaudit $1 proc_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts by caller to ## read system state information in proc. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_read_proc_symlinks',` gen_require(` type proc_t; ') dontaudit $1 proc_t:lnk_file read; ') ####################################### ## ## Allow caller to read state information for AFS. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_afs_state',` gen_require(` type proc_t, proc_afs_t; ') list_dirs_pattern($1, proc_t, proc_t) read_files_pattern($1, proc_afs_t, proc_afs_t) ') ####################################### ## ## Allow caller to read and write state information for AFS. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_afs_state',` gen_require(` type proc_t, proc_afs_t; ') list_dirs_pattern($1, proc_t, proc_t) rw_files_pattern($1, proc_afs_t, proc_afs_t) ') ####################################### ## ## Allow caller to read the state information for software raid. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_software_raid_state',` gen_require(` type proc_t, proc_mdstat_t; ') read_files_pattern($1, proc_t, proc_mdstat_t) list_dirs_pattern($1, proc_t, proc_t) ') ####################################### ## ## Allow caller to read and set the state information for software raid. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_software_raid_state',` gen_require(` type proc_t, proc_mdstat_t; ') rw_files_pattern($1, proc_t, proc_mdstat_t) list_dirs_pattern($1, proc_t, proc_t) ') ######################################## ## ## Allows caller to get attribues of core kernel interface. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_getattr_core_if',` gen_require(` type proc_t, proc_kcore_t; ') getattr_files_pattern($1, proc_t, proc_kcore_t) list_dirs_pattern($1, proc_t, proc_t) ') ######################################## ## ## Do not audit attempts to get the attributes of ## core kernel interfaces. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_core_if',` gen_require(` type proc_kcore_t; ') dontaudit $1 proc_kcore_t:file getattr; ') ######################################## ## ## Allows caller to read the core kernel interface. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_core_if',` gen_require(` type proc_t, proc_kcore_t; attribute can_dump_kernel; ') allow $1 self:capability sys_rawio; read_files_pattern($1, proc_t, proc_kcore_t) list_dirs_pattern($1, proc_t, proc_t) typeattribute $1 can_dump_kernel; ') ######################################## ## ## Allow caller to mounton the kernel messages file ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mounton_core_if',` gen_require(` type proc_kcore_t; ') allow $1 proc_kcore_t:file mounton; ') ######################################## ## ## Allow caller to read kernel messages ## using the /proc/kmsg interface. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_messages',` gen_require(` attribute can_receive_kernel_messages; type proc_kmsg_t, proc_t; ') read_files_pattern($1, proc_t, proc_kmsg_t) typeattribute $1 can_receive_kernel_messages; ') ######################################## ## ## Allow caller to mounton the kernel messages file ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mounton_messages',` gen_require(` type proc_kmsg_t; ') allow $1 proc_kmsg_t:file mounton; ') ######################################## ## ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## ## ## ## Domain allowed access. ## ## # interface(`kernel_getattr_message_if',` gen_require(` type proc_kmsg_t, proc_t; ') getattr_files_pattern($1, proc_t, proc_kmsg_t) ') ######################################## ## ## Do not audit attempts by caller to get the attributes of kernel ## message interfaces. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_message_if',` gen_require(` type proc_kmsg_t, proc_t; ') dontaudit $1 proc_kmsg_t:file getattr; ') ######################################## ## ## Do not audit attempts to search the network ## state directory. ## ## ## ## Domain to not audit. ## ## ## # interface(`kernel_dontaudit_search_network_state',` gen_require(` type proc_net_t; ') dontaudit $1 proc_net_t:dir search; ') ######################################## ## ## Allow searching of network state directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_search_network_state',` gen_require(` type proc_net_t; ') search_dirs_pattern($1, proc_t, proc_net_t) ') ######################################## ## ## Read the network state information. ## ## ##

## Allow the specified domain to read the networking ## state information. This includes several pieces ## of networking information, such as network interface ## names, netfilter (iptables) statistics, protocol ## information, routes, and remote procedure call (RPC) ## information. ##

##
## ## ## Domain allowed access. ## ## ## ## # interface(`kernel_read_network_state',` gen_require(` type proc_t, proc_net_t; ') read_files_pattern($1, { proc_t proc_net_t }, proc_net_t) read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) list_dirs_pattern($1, proc_t, proc_net_t) ') ######################################## ## ## Allow caller to read the network state symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_network_state_symlinks',` gen_require(` type proc_t, proc_net_t; ') read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) list_dirs_pattern($1, proc_t, proc_net_t) ') ######################################## ## ## Allow searching of xen state directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_search_xen_state',` gen_require(` type proc_t, proc_xen_t; ') search_dirs_pattern($1, proc_t, proc_xen_t) ') ######################################## ## ## Do not audit attempts to search the xen ## state directory. ## ## ## ## Domain to not audit. ## ## ## # interface(`kernel_dontaudit_search_xen_state',` gen_require(` type proc_xen_t; ') dontaudit $1 proc_xen_t:dir search; ') ######################################## ## ## Allow caller to read the xen state information. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_xen_state',` gen_require(` type proc_t, proc_xen_t; ') read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) list_dirs_pattern($1, proc_t, proc_xen_t) ') ######################################## ## ## Allow caller to read the xen state symbolic links. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_xen_state_symlinks',` gen_require(` type proc_t, proc_xen_t; ') read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) list_dirs_pattern($1, proc_t, proc_xen_t) ') ######################################## ## ## Allow caller to write xen state information. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_write_xen_state',` gen_require(` type proc_t, proc_xen_t; ') write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) ') ######################################## ## ## Allow attempts to list all proc directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_list_all_proc',` gen_require(` attribute proc_type; ') allow $1 proc_type:dir list_dir_perms; allow $1 proc_type:file getattr; ') ######################################## ## ## Allow attempts to mounton all proc directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mounton_all_proc',` gen_require(` attribute proc_type; ') allow $1 proc_type:dir mounton; allow $1 proc_type:file mounton; ') ######################################## ## ## Do not audit attempts to list all proc directories. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_list_all_proc',` gen_require(` attribute proc_type; ') dontaudit $1 proc_type:dir list_dir_perms; dontaudit $1 proc_type:file getattr; ') ######################################## ## ## Allow attempts to read all proc types. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_all_proc',` gen_require(` attribute proc_type; attribute can_dump_kernel; attribute can_receive_kernel_messages; ') read_files_pattern($1, proc_type, proc_type) typeattribute $1 can_dump_kernel; typeattribute $1 can_receive_kernel_messages; ') ######################################## ## ## Do not audit attempts by caller to search ## the base directory of sysctls. ## ## ## ## Domain to not audit. ## ## ## # interface(`kernel_dontaudit_search_sysctl',` gen_require(` type sysctl_t; ') dontaudit $1 sysctl_t:dir search; ') ######################################## ## ## Allow access to read sysctl directories. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_sysctl',` gen_require(` type sysctl_t, proc_t; ') list_dirs_pattern($1, proc_t, sysctl_t) read_files_pattern($1, sysctl_t, sysctl_t) ') ######################################## ## ## Allow caller to read the device sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_device_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_dev_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) ') ######################################## ## ## Read and write device sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_device_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_dev_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) ') ######################################## ## ## Allow caller to search virtual memory sysctls. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_search_vm_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_vm_t; ') search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) ') ######################################## ## ## Allow caller to read virtual memory sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_vm_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_vm_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) ') ######################################## ## ## Read and write virtual memory sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_vm_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_vm_t; ') rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) # hal needs this allow $1 sysctl_vm_t:dir write; ') ######################################## ## ## Search network sysctl directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_search_network_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_net_t; ') search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') ######################################## ## ## Do not audit attempts by caller to search network sysctl directories. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_search_network_sysctl',` gen_require(` type sysctl_net_t; ') dontaudit $1 sysctl_net_t:dir search; ') ######################################## ## ## Allow caller to read network sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_net_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_net_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') ######################################## ## ## Allow caller to modiry contents of sysctl network files. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_net_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_net_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') ######################################## ## ## Allow caller to read unix domain ## socket sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_unix_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) list_dirs_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) ') ######################################## ## ## Read and write unix domain ## socket sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_unix_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') ######################################## ## ## Read the hotplug sysctl. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_hotplug_sysctls',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Read and write the hotplug sysctl. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_hotplug_sysctls',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Read the modprobe sysctl. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_modprobe_sysctls',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Read and write the modprobe sysctl. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_modprobe_sysctls',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Allow mounton generic kernel sysctls. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_mounton_kernel_sysctl',` gen_require(` type sysctl_kernel_t; ') allow $1 sysctl_kernel_t:dir mounton; allow $1 sysctl_kernel_t:file mounton; ') ######################################## ## ## Do not audit attempts to search generic kernel sysctls. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_search_kernel_sysctl',` gen_require(` type sysctl_kernel_t; ') dontaudit $1 sysctl_kernel_t:dir search; ') ######################################## ## ## Read generic crypto sysctls. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_crypto_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_crypto_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) ') ######################################## ## ## Read general kernel sysctls. ## ## ##

## Allow the specified domain to read general ## kernel sysctl settings. These settings are typically ## read using the sysctl program. The settings ## that are included by this interface are prefixed ## with "kernel.", for example, kernel.sysrq. ##

##

## This does not include access to the hotplug ## handler setting (kernel.hotplug) ## nor the module installer handler setting ## (kernel.modprobe). ##

##

## Related interfaces: ##

##
    ##
  • kernel_rw_kernel_sysctl()
  • ##
##
## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_kernel_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ') ######################################## ## ## Do not audit attempts to write generic kernel sysctls. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_write_kernel_sysctl',` gen_require(` type sysctl_kernel_t; ') dontaudit $1 sysctl_kernel_t:file write; ') ######################################## ## ## Read and write generic kernel sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_kernel_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ') ######################################## ## ## Read kernel ns lastpid sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_kernel_ns_lastpid_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t) ') ######################################## ## ## Do not audit attempts to write kernel ns lastpid sysctls. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',` gen_require(` type sysctl_kernel_ns_last_pid_t; ') dontaudit $1 sysctl_kernel_ns_last_pid_t:file write; ') ######################################## ## ## Read and write kernel ns lastpid sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_kernel_ns_lastpid_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t) ') ######################################## ## ## Read filesystem sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_fs_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_fs_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) ') ######################################## ## ## Read and write fileystem sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_fs_sysctls',` gen_require(` type proc_t, sysctl_t, sysctl_fs_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) ') ######################################## ## ## Do not audit attempts to search filesystem sysctl directories. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_search_fs_sysctl',` gen_require(` type sysctl_fs_t; ') dontaudit $1 sysctl_fs_t:dir search; ') ######################################## ## ## Read IRQ sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_irq_sysctls',` gen_require(` type proc_t, sysctl_irq_t; ') read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) list_dirs_pattern($1, proc_t, sysctl_irq_t) ') ######################################## ## ## Read and write IRQ sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_irq_sysctls',` gen_require(` type proc_t, sysctl_irq_t; ') rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) list_dirs_pattern($1, proc_t, sysctl_irq_t) ') ######################################## ## ## Read RPC sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_rpc_sysctls',` gen_require(` type proc_t, proc_net_t, sysctl_rpc_t; ') read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') ######################################## ## ## Read RPC sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_rpc_sysctls_dirs',` gen_require(` type proc_t, proc_net_t, sysctl_rpc_t; ') rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') ######################################## ## ## Read and write RPC sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_rpc_sysctls',` gen_require(` type proc_t, proc_net_t, sysctl_rpc_t; ') rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') ######################################## ## ## Read and write RPC sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_create_rpc_sysctls',` gen_require(` type proc_t, proc_net_t, sysctl_rpc_t; ') create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) ') ######################################## ## ## Do not audit attempts to list all sysctl directories. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_list_all_sysctls',` gen_require(` attribute sysctl_type; ') dontaudit $1 sysctl_type:dir list_dir_perms; dontaudit $1 sysctl_type:file read_file_perms; ') ######################################## ## ## Allow attempts to mounton all sysctl directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mounton_all_sysctls',` gen_require(` attribute sysctl_type; ') allow $1 sysctl_type:dir mounton; ') ######################################## ## ## Allow attempts to mounton all filesystems used by ProtectKernelTunables systemd feature. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mounton_systemd_ProtectKernelTunables',` gen_require(` type sysctl_t; type sysctl_irq_t; type proc_t; type mtrr_device_t; type debugfs_t; type cgroup_t; ') allow $1 sysctl_t:dir mounton; allow $1 sysctl_irq_t:dir mounton; allow $1 proc_t:dir mounton; allow $1 mtrr_device_t:dir mounton; allow $1 debugfs_t:dir mounton; allow $1 cgroup_t:dir mounton; ') ######################################## ## ## Allow caller to read all sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_all_sysctls',` gen_require(` attribute sysctl_type; type proc_t, proc_net_t; ') # proc_net_t for /proc/net/rpc sysctls read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) ') ######################################## ## ## Read and write all sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_all_sysctls',` gen_require(` attribute sysctl_type; type proc_t, proc_net_t; ') # proc_net_t for /proc/net/rpc sysctls rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) allow $1 sysctl_type:dir list_dir_perms; # why is setattr needed? allow $1 sysctl_type:file setattr; ') ######################################## ## ## Send a kill signal to unlabeled processes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_kill_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:process sigkill; ') ######################################## ## ## Mount a kernel unlabeled filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_mount_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:filesystem mount; ') ######################################## ## ## Unmount a kernel unlabeled filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_unmount_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:filesystem unmount; ') ######################################## ## ## Send general signals to unlabeled processes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_signal_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:process signal; ') ######################################## ## ## Send a null signal to unlabeled processes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_signull_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:process signull; ') ######################################## ## ## Send a stop signal to unlabeled processes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_sigstop_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:process sigstop; ') ######################################## ## ## Send a child terminated signal to unlabeled processes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_sigchld_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:process sigchld; ') ######################################## ## ## List unlabeled directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_list_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir list_dir_perms; ') ######################################## ## ## Delete unlabeled files ## ## ## ## Domain allowed access. ## ## # interface(`kernel_delete_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir delete_dir_perms; allow $1 unlabeled_t:dir_file_class_set delete_file_perms; ') ######################################## ## ## Read the process state (/proc/pid) of all unlabeled_t. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_unlabeled_state',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir list_dir_perms; read_files_pattern($1, unlabeled_t, unlabeled_t) read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## ## ## Do not audit attempts to list unlabeled directories. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_list_unlabeled',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:dir list_dir_perms; ') ######################################## ## ## Read and write unlabeled directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unlabeled_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir rw_dir_perms; ') ######################################## ## ## Read and write unlabeled files. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unlabeled_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:file rw_file_perms; ') ######################################## ## ## Watch unlabeled directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_watch_unlabeled_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir watch_dir_perms; ') ######################################## ## ## Do not audit attempts by caller to get the ## attributes of an unlabeled file. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_unlabeled_files',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:file getattr; ') ######################################## ## ## Do not audit attempts by caller to ## read an unlabeled file. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_read_unlabeled_files',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:file { getattr read }; ') ######################################## ## ## Do not audit attempts by caller to get the ## attributes of unlabeled symbolic links. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_unlabeled_symlinks',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:lnk_file getattr; ') ######################################## ## ## Do not audit attempts by caller to get the ## attributes of unlabeled named pipes. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_unlabeled_pipes',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:fifo_file getattr; ') ######################################## ## ## Do not audit attempts by caller to get the ## attributes of unlabeled named sockets. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_unlabeled_sockets',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:sock_file getattr; ') ######################################## ## ## Do not audit attempts by caller to get attributes for ## unlabeled block devices. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_unlabeled_blk_files',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:blk_file getattr; ') ######################################## ## ## Read unlabeled symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_unlabeled_lnk_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Read and write unlabeled block device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unlabeled_blk_files',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:blk_file getattr; ') ######################################## ## ## Read and write unlabeled sockets. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unlabeled_socket',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:socket rw_socket_perms; ') ######################################## ## ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:chr_file getattr; ') ######################################## ## ## Allow caller to relabel unlabeled directories. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_dirs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; ') ######################################## ## ## Allow caller to relabel unlabeled filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_fs',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:filesystem relabelfrom; ') ######################################## ## ## Allow caller to relabel unlabeled files. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_files',` gen_require(` type unlabeled_t; ') kernel_list_unlabeled($1) allow $1 unlabeled_t:file { getattr relabelfrom }; ') ######################################## ## ## Allow caller to relabel unlabeled symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_symlinks',` gen_require(` type unlabeled_t; ') kernel_list_unlabeled($1) allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; ') ######################################## ## ## Allow caller to relabel unlabeled named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_pipes',` gen_require(` type unlabeled_t; ') kernel_list_unlabeled($1) allow $1 unlabeled_t:fifo_file { getattr relabelfrom }; ') ######################################## ## ## Allow caller to relabel unlabeled named sockets. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_sockets',` gen_require(` type unlabeled_t; ') kernel_list_unlabeled($1) allow $1 unlabeled_t:sock_file { getattr relabelfrom }; ') ######################################## ## ## Send and receive messages from an ## unlabeled IPSEC association. ## ## ##

## Send and receive messages from an ## unlabeled IPSEC association. Network ## connections that are not protected ## by IPSEC have use an unlabeled ## assocation. ##

##

## The corenetwork interface ## corenet_non_ipsec_sendrecv() should ## be used instead of this one. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_sendrecv_unlabeled_association',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:association { sendto recvfrom }; ') ######################################## ## ## Do not audit attempts to send and receive messages ## from an unlabeled IPSEC association. ## ## ##

## Do not audit attempts to send and receive messages ## from an unlabeled IPSEC association. Network ## connections that are not protected ## by IPSEC have use an unlabeled ## assocation. ##

##

## The corenetwork interface ## corenet_dontaudit_non_ipsec_sendrecv() should ## be used instead of this one. ##

##
## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_sendrecv_unlabeled_association',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:association { sendto recvfrom }; ') ######################################## ## ## Receive DCCP packets from an unlabeled connection. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_dccp_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dccp_socket recvfrom; ') ######################################## ## ## Receive TCP packets from an unlabeled connection. ## ## ##

## Receive TCP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_tcp_recv_unlabeled() should ## be used instead of this one. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_tcp_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:tcp_socket recvfrom; ') ######################################## ## ## Do not audit attempts to receive DCCP packets from an unlabeled ## connection. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:dccp_socket recvfrom; ') ######################################## ## ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## ## ##

## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ##

##

## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() ## should be used instead of this one. ##

##
## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:tcp_socket recvfrom; ') ######################################## ## ## Receive UDP packets from an unlabeled connection. ## ## ##

## Receive UDP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_udp_recv_unlabeled() should ## be used instead of this one. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_udp_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:udp_socket recvfrom; ') ######################################## ## ## Do not audit attempts to receive UDP packets from an unlabeled ## connection. ## ## ##

## Do not audit attempts to receive UDP packets from an unlabeled ## connection. ##

##

## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() ## should be used instead of this one. ##

##
## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_udp_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:udp_socket recvfrom; ') ######################################## ## ## Receive Raw IP packets from an unlabeled connection. ## ## ##

## Receive Raw IP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_raw_recv_unlabeled() should ## be used instead of this one. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_raw_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:rawip_socket recvfrom; ') ######################################## ## ## Read/Write Raw IP packets from an unlabeled connection. ## ## ##

## Receive Raw IP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_raw_recv_unlabeled() should ## be used instead of this one. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unlabeled_rawip_socket',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:rawip_socket rw_socket_perms; ') ######################################## ## ## Read/Write smc packets from an unlabeled connection. ## ## ##

## Receive smc packets from an unlabeled connection. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unlabeled_smc_socket',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:smc_socket rw_socket_perms; ') ######################################## ## ## Read/Write vsock packets from an unlabeled connection. ## ## ##

## Receive vsock packets from an unlabeled connection. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_rw_unlabeled_vsock_socket',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:vsock_socket rw_socket_perms; ') ######################################## ## ## Do not audit attempts to receive Raw IP packets from an unlabeled ## connection. ## ## ##

## Do not audit attempts to receive Raw IP packets from an unlabeled ## connection. ##

##

## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() ## should be used instead of this one. ##

##
## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_raw_recvfrom_unlabeled',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:rawip_socket recvfrom; ') ######################################## ## ## Send and receive unlabeled packets. ## ## ##

## Send and receive unlabeled packets. ## These packets do not match any netfilter ## SECMARK rules. ##

##

## The corenetwork interface ## corenet_sendrecv_unlabeled_packets() should ## be used instead of this one. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_sendrecv_unlabeled_packets',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:packet { send recv }; ') ######################################## ## ## Receive packets from an unlabeled peer. ## ## ##

## Receive packets from an unlabeled peer, these packets do not have any ## peer labeling information present. ##

##

## The corenetwork interface corenet_recvfrom_unlabeled_peer() should ## be used instead of this one. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_recvfrom_unlabeled_peer',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:peer recv; ') ######################################## ## ## Do not audit attempts to receive packets from an unlabeled peer. ## ## ##

## Do not audit attempts to receive packets from an unlabeled peer, ## these packets do not have any peer labeling information present. ##

##

## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() ## should be used instead of this one. ##

##
## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_recvfrom_unlabeled_peer',` gen_require(` type unlabeled_t; ') dontaudit $1 unlabeled_t:peer recv; ') ######################################## ## ## Relabel from unlabeled database objects. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_database',` gen_require(` type unlabeled_t; class db_database { setattr relabelfrom }; class db_schema { setattr relabelfrom }; class db_table { setattr relabelfrom }; class db_sequence { setattr relabelfrom }; class db_view { setattr relabelfrom }; class db_procedure { setattr relabelfrom }; class db_language { setattr relabelfrom }; class db_column { setattr relabelfrom }; class db_tuple { update relabelfrom }; class db_blob { setattr relabelfrom }; ') allow $1 unlabeled_t:db_database { setattr relabelfrom }; allow $1 unlabeled_t:db_schema { setattr relabelfrom }; allow $1 unlabeled_t:db_table { setattr relabelfrom }; allow $1 unlabeled_t:db_sequence { setattr relabelfrom }; allow $1 unlabeled_t:db_view { setattr relabelfrom }; allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; allow $1 unlabeled_t:db_language { setattr relabelfrom }; allow $1 unlabeled_t:db_column { setattr relabelfrom }; allow $1 unlabeled_t:db_tuple { update relabelfrom }; allow $1 unlabeled_t:db_blob { setattr relabelfrom }; ') ######################################## ## ## Relabel to unlabeled context . ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelto_unlabeled',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:dir_file_class_set relabelto; ') ######################################## ## ## Unconfined access to kernel module resources. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_unconfined',` gen_require(` attribute kern_unconfined; ') typeattribute $1 kern_unconfined; kernel_load_module($1) ') ######################################## ## ## Allow the specified domain to getattr on ## the kernel with a unix socket. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_stream_read',` gen_require(` type kernel_t; ') allow $1 kernel_t:unix_stream_socket { read getattr }; ') ####################################### ## ## Allow the specified domain to write on ## the kernel with a unix socket. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_stream_write',` gen_require(` type kernel_t; ') allow $1 kernel_t:unix_stream_socket { write getattr }; ') ####################################### ## ## Allow the specified domain to read/write on ## the kernel with a unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_rw_stream_socket_perms',` gen_require(` type kernel_t; ') allow $1 kernel_t:unix_stream_socket rw_socket_perms; allow $1 kernel_t:fd use; ') ####################################### ## ## Allow the specified domain to ioctl a ## kernel with a unix domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_ioctl_stream_sockets',` gen_require(` type init_t; ') allow $1 kernel_t:unix_stream_socket { getopt ioctl }; ') ######################################## ## ## Make the specified type usable for regular entries in proc ## ## ## ## Type to be used for /proc entries. ## ## # interface(`kernel_proc_type',` gen_require(` attribute proc_type; ') typeattribute $1 proc_type; ') ######################################## ## ## Do not audit attempts by caller to get attributes on all sysctls. ## ## ## ## Domain to not audit. ## ## # interface(`kernel_dontaudit_getattr_all_sysctls',` gen_require(` attribute sysctl_type; ') dontaudit $1 sysctl_type:file getattr; ') ######################################## ## ## Read the process state (/proc/pid) of the kernel. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_state',` gen_require(` type kernel_t; ') allow $1 kernel_t:dir search_dir_perms; allow $1 kernel_t:file read_file_perms; allow $1 kernel_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Dontaudit attempts to read the process state (/proc/pid) of the kernel. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_dontaudit_read_state',` gen_require(` type kernel_t; ') dontaudit $1 kernel_t:dir search_dir_perms; dontaudit $1 kernel_t:file read_file_perms; dontaudit $1 kernel_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Allow searching of numa state directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_search_numa_state',` gen_require(` type proc_t, proc_numa_t; ') search_dirs_pattern($1, proc_t, proc_numa_t) ') ######################################## ## ## Do not audit attempts to search the numa ## state directory. ## ## ## ## Domain to not audit. ## ## ## # interface(`kernel_dontaudit_search_numa_state',` gen_require(` type proc_numa_t; ') dontaudit $1 proc_numa_t:dir search; ') ######################################## ## ## Allow caller to read the numa state information. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_numa_state',` gen_require(` type proc_t, proc_numa_t; ') read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) list_dirs_pattern($1, proc_t, proc_numa_t) ') ######################################## ## ## Allow caller to read the numa state symbolic links. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_numa_state_symlinks',` gen_require(` type proc_t, proc_numa_t; ') read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) list_dirs_pattern($1, proc_t, proc_numa_t) ') ######################################## ## ## Allow caller to write numa state information. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_write_numa_state',` gen_require(` type proc_t, proc_numa_t; ') write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ') ######################################## ## ## Allow caller to search virtual memory overcommit sysctls. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_search_vm_overcommit_sysctl',` gen_require(` type sysctl_vm_overcommit_t; ') kernel_search_vm_sysctl($1) search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') ######################################## ## ## Allow caller to read virtual memory overcommit sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_read_vm_overcommit_sysctls',` gen_require(` type sysctl_vm_overcommit_t; ') kernel_search_vm_sysctl($1) read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') ######################################## ## ## Read and write virtual memory overcommit sysctls. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_vm_overcommit_sysctls',` gen_require(` type sysctl_vm_overcommit_t; ') kernel_search_vm_sysctl($1) rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') ######################################## ## ## Do not audit attempts to search the security ## state directory. ## ## ## ## Domain to not audit. ## ## ## # interface(`kernel_dontaudit_search_security_state',` gen_require(` type proc_security_t; ') dontaudit $1 proc_security_t:dir search; ') ######################################## ## ## Allow searching of security state directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_search_security_state',` gen_require(` type proc_security_t; ') search_dirs_pattern($1, proc_t, proc_security_t) ') ######################################## ## ## Read the security state information. ## ## ##

## Allow the specified domain to read the security ## state information. ##

##
## ## ## Domain allowed access. ## ## ## ## # interface(`kernel_read_security_state',` gen_require(` type proc_t, proc_security_t; attribute sysctl_type; ') read_files_pattern($1, { proc_t proc_security_t }, proc_security_t) read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) list_dirs_pattern($1, proc_t, proc_security_t) allow $1 sysctl_type:dir search_dir_perms; ') ######################################## ## ## Write the security state information. ## ## ##

## Allow the specified domain to write the security ## state information. ##

##
## ## ## Domain allowed access. ## ## ## ## # interface(`kernel_write_security_state',` gen_require(` type proc_t, proc_security_t; ') write_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ') ######################################## ## ## Allow caller to read the security state symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_security_state_symlinks',` gen_require(` type proc_t, proc_security_t; ') read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) list_dirs_pattern($1, proc_t, proc_security_t) ') ######################################## ## ## Access unlabeled infiniband pkeys. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_ib_access_unlabeled_pkeys',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:infiniband_pkey access; ') ######################################## ## ## Manage subnet on unlabeled Infiniband endports. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_ib_manage_subnet_unlabeled_endports',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:infiniband_endport manage_subnet; ') ######################################## ## ## Read and write the security state information. ## ## ##

## Allow the specified domain to read and write ## the security state information. ##

##
## ## ## Domain allowed access. ## ## # interface(`kernel_rw_security_state',` gen_require(` type proc_t, proc_security_t; ') rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t) list_dirs_pattern($1, proc_t, proc_security_t) ') ######################################## ## ## Do not audit attempts to search the usermodehelper ## state directory. ## ## ## ## Domain to not audit. ## ## ## # interface(`kernel_dontaudit_search_usermodehelper_state',` gen_require(` type usermodehelper_t; ') dontaudit $1 usermodehelper_t:dir search; ') ######################################## ## ## Allow searching of usermodehelper state directory. ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_search_usermodehelper_state',` gen_require(` type usermodehelper_t; ') search_dirs_pattern($1, proc_t, usermodehelper_t) ') ######################################## ## ## Read the usermodehelper state information. ## ## ##

## Allow the specified domain to read the usermodehelpering ## state information. This includes several pieces ## of usermodehelpering information, such as usermodehelper interface ## names, usermodehelperfilter (iptables) statistics, protocol ## information, routes, and remote procedure call (RPC) ## information. ##

##
## ## ## Domain allowed access. ## ## ## ## # interface(`kernel_read_usermodehelper_state',` gen_require(` type proc_t, usermodehelper_t; ') read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) list_dirs_pattern($1, proc_t, usermodehelper_t) ') ######################################## ## ## Allow caller to read the usermodehelper state symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_usermodehelper_state_symlinks',` gen_require(` type proc_t, usermodehelper_t; ') read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) list_dirs_pattern($1, proc_t, usermodehelper_t) ') ######################################## ## ## Read and write usermodehelper state ## ## ## ## Domain allowed access. ## ## ## # interface(`kernel_rw_usermodehelper_state',` gen_require(` type proc_t, usermodehelper_t; ') dev_search_sysfs($1) rw_files_pattern($1, proc_t, usermodehelper_t) list_dirs_pattern($1, proc_t, usermodehelper_t) ') ######################################## ## ## Dontaudit write usermodehelper state ## ## ## ## Domain to not audit. ## ## ## # interface(`kernel_dontaudit_write_usermodehelper_state',` gen_require(` type usermodehelper_t; ') dontaudit $1 usermodehelper_t:file write; ') ######################################## ## ## Relabel to usermodehelper context . ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelto_usermodehelper',` gen_require(` type usermodehelper_t; ') allow $1 usermodehelper_t:file relabelto; ') ######################################## ## ## Relabel from usermodehelper context . ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_usermodehelper',` gen_require(` type usermodehelper_t; ') allow $1 usermodehelper_t:file { getattr relabelfrom }; ') ######################################## ## ## Read netlink audit socket ## ## ## ## Domain allowed access. ## ## # interface(`kernel_read_netlink_audit_socket',` gen_require(` type kernel_t; ') allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms; ') ######################################## ## ## Execute an unlabeled file in the specified domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`kernel_unlabeled_domtrans',` gen_require(` type unlabeled_t; ') read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) domain_transition_pattern($1, unlabeled_t, $2) type_transition $1 unlabeled_t:process $2; ') ######################################## ## ## Make general progams without labeles an entrypoint for ## the specified domain. ## ## ## ## The domain for which unlabeled_t is an entrypoint. ## ## # interface(`kernel_unlabeled_entry_type',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:file entrypoint; allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock }; ') ######################################## ## ## Allow the caller load a new kernel ## ## ## ## Domain allowed access. ## ## # interface(`kernel_kexec_load',` allow $1 self:capability sys_boot; ') ######################################## ## ## Allow the caller write perf_event ## ## ## ## Domain allowed access. ## ## # interface(`kernel_write_perf_event',` allow $1 self:capability2 perfmon; # The confidentiality permission may not be needed soon if # the kernel commit 08ef1af4de5f # (perf/core: Fix unconditional security_locked_down() call) # is backported to stable kernels allow $1 self:perf_event write_perf_event_perms; ') ######################################## ## ## Allow the caller manage perf_event ## ## ## ## Domain allowed access. ## ## # interface(`kernel_manage_perf_event',` allow $1 self:capability2 perfmon; # The confidentiality permission may not be needed, refer to kernel_write_perf_event() allow $1 self:perf_event manage_perf_event_perms; ') ######################################## ## ## Allow caller domain to run bpf. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_prog_run_bpf',` gen_require(` type init_t; ') allow $1 kernel_t:bpf { map_read map_write prog_run }; ') ######################################## ## ## Set up type transition for userfaultfd anon inodes. ## ## ## ## Domain to receive the type transition. ## ## # interface(`kernel_userfaultfd_domtrans',` gen_require(` type userfaultfd_t; ') type_transition $1 self:anon_inode userfaultfd_t "[userfaultfd]"; ') ######################################## ## ## Allow the domain to use the userfaultfd API via an inherited ## file descriptor. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_userfaultfd_use_inherited',` gen_require(` type userfaultfd_t; ') allow $1 userfaultfd_t:anon_inode { getattr ioctl read }; # Work around a known bug; see: # https://lore.kernel.org/selinux/20210624152515.1844133-1-omosnace@redhat.com/ allow $1 userfaultfd_t:anon_inode { write }; ') ######################################## ## ## Allow the domain to use the userfaultfd API. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_userfaultfd_use',` gen_require(` type userfaultfd_t; ') kernel_userfaultfd_use_inherited($1) allow $1 userfaultfd_t:anon_inode create; ') ######################################## ## ## Set up type transition for io_uring anon inodes. ## ## ## ## Domain to receive the type transition. ## ## # interface(`kernel_io_uring_domtrans',` gen_require(` type io_uring_t; ') type_transition $1 self:anon_inode io_uring_t "[io_uring]"; ') ######################################## ## ## Allow the domain to use the io_uring API via an inherited file ## descriptor. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_io_uring_use_inherited',` gen_require(` type io_uring_t; ') allow $1 io_uring_t:anon_inode { getattr read write map }; ') ######################################## ## ## Allow the domain to use the io_uring API. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_io_uring_use',` gen_require(` type io_uring_t; ') kernel_io_uring_use_inherited($1) allow $1 io_uring_t:anon_inode create; ')