## policy for sandboxX ######################################## ## ## Execute sandbox in the sandbox domain, and ## allow the specified role the sandbox domain. ## ## ## ## Domain allowed access ## ## ## ## ## The role to be allowed the sandbox domain. ## ## # interface(`sandbox_x_transition',` gen_require(` type sandbox_xserver_t; type sandbox_file_t; attribute sandbox_x_domain; attribute sandbox_tmpfs_type; ') allow $1 sandbox_x_domain:process { signal_perms transition }; allow $1 sandbox_x_domain:process dyntransition; dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; allow sandbox_x_domain $1:process { sigchld signull }; allow { sandbox_x_domain sandbox_xserver_t } $1:fd use; role $2 types sandbox_x_domain; role $2 types sandbox_xserver_t; allow $1 sandbox_xserver_t:process signal_perms; dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; dontaudit sandbox_xserver_t $1:file read; allow sandbox_x_domain sandbox_x_domain:process signal; # Dontaudit leaked file descriptors dontaudit sandbox_x_domain $1:key { link read search view }; dontaudit sandbox_x_domain $1:fifo_file { read write }; dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms; dontaudit sandbox_x_domain $1:process { signal sigkill }; allow $1 sandbox_tmpfs_type:file manage_file_perms; dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; can_exec($1, sandbox_file_t) allow $1 sandbox_file_t:filesystem getattr; manage_files_pattern($1, sandbox_file_t, sandbox_file_t); manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t) relabel_files_pattern($1, sandbox_file_t, sandbox_file_t) relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) ') ######################################## ## ## Creates types and rules for a basic ## sandbox process domain. ## ## ## ## Prefix for the domain. ## ## # template(`sandbox_x_domain_template',` gen_require(` type xserver_exec_t, sandbox_devpts_t; type sandbox_xserver_t; type sandbox_exec_t; attribute sandbox_x_domain; attribute sandbox_tmpfs_type; attribute sandbox_type; attribute sandbox_web_type; ') type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type; application_type($1_t) mcs_constrained($1_t) kernel_read_system_state($1_t) selinux_get_fs_mount($1_t) auth_use_nsswitch($1_t) logging_send_syslog_msg($1_t) # window manager miscfiles_setattr_fonts_cache_dirs($1_t) allow $1_t self:capability setuid; type $1_client_t, sandbox_x_domain; application_type($1_client_t) kernel_read_system_state($1_client_t) mcs_constrained($1_t) type $1_client_tmpfs_t, sandbox_tmpfs_type; files_tmpfs_file($1_client_tmpfs_t) manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t) fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) # Pulseaudio tmpfs files with different MCS labels dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; dontaudit $1_t $1_client_tmpfs_t:file { read write map }; allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; allow $1_client_t $1_client_tmpfs_t:file { map }; domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) allow $1_t sandbox_xserver_t:process signal_perms; domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) domain_entry_file($1_client_t, sandbox_exec_t) allow $1_client_t $1_t:shm { unix_read unix_write }; ps_process_pattern(sandbox_xserver_t, $1_client_t) ps_process_pattern(sandbox_xserver_t, $1_t) allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; allow sandbox_xserver_t $1_t:shm rw_shm_perms; allow $1_client_t $1_t:unix_stream_socket connectto; allow $1_t $1_client_t:unix_stream_socket connectto; #optional_policy(` # unconfined_typebounds($1_t) # unconfined_typebounds($1_client_t) #') ') ######################################## ## ## allow domain to read, ## write sandbox_xserver tmp files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_rw_xserver_tmpfs_files',` gen_require(` type sandbox_xserver_tmpfs_t; ') allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ') ######################################## ## ## allow domain to read ## sandbox tmpfs files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_read_tmpfs_files',` gen_require(` attribute sandbox_tmpfs_type; ') allow $1 sandbox_tmpfs_type:file read_file_perms; ') ######################################## ## ## allow domain to manage ## sandbox tmpfs files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_manage_tmpfs_files',` gen_require(` attribute sandbox_tmpfs_type; ') allow $1 sandbox_tmpfs_type:file manage_file_perms; ') ######################################## ## ## Delete sandbox files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_files',` gen_require(` type sandbox_file_t; ') delete_files_pattern($1, sandbox_file_t, sandbox_file_t) ') ######################################## ## ## Manage sandbox content ## ## ## ## Domain allowed access ## ## # interface(`sandbox_manage_content',` gen_require(` type sandbox_file_t; ') allow $1 sandbox_file_t:filesystem getattr; manage_files_pattern($1, sandbox_file_t, sandbox_file_t); manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); ') ######################################## ## ## Delete sandbox symbolic links ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_lnk_files',` gen_require(` type sandbox_file_t; ') delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) ') ######################################## ## ## Delete sandbox fifo files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_pipes',` gen_require(` type sandbox_file_t; ') delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) ') ######################################## ## ## Delete sandbox sock files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_sock_files',` gen_require(` type sandbox_file_t; ') delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) ') ######################################## ## ## Allow domain to set the attributes ## of the sandbox directory. ## ## ## ## Domain allowed access ## ## # interface(`sandbox_setattr_dirs',` gen_require(` type sandbox_file_t; ') allow $1 sandbox_file_t:dir setattr; ') ######################################## ## ## Delete sandbox directories ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_dirs',` gen_require(` type sandbox_file_t; ') delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t) ') ######################################## ## ## allow domain to list sandbox dirs ## ## ## ## Domain allowed access ## ## # interface(`sandbox_list',` gen_require(` type sandbox_file_t; ') allow $1 sandbox_file_t:dir list_dir_perms; ') ######################################## ## ## Read and write a sandbox domain pty. ## ## ## ## Domain allowed access. ## ## # interface(`sandbox_use_ptys',` gen_require(` type sandbox_devpts_t; ') allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms; ') ####################################### ## ## Allow domain to execute sandbox_file_t in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`sandbox_exec_file',` gen_require(` type sandbox_file_t; ') can_exec($1, sandbox_file_t) ') ###################################### ## ## Allow domain to execute sandbox_file_t in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`sandbox_dontaudit_mounton',` gen_require(` type sandbox_file_t; ') dontaudit $1 sandbox_file_t:dir mounton; ')