# Copyright (C) 2007-2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# policygentool is a tool for the initial generation of SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
# This module only defines string templates; it contains no logic. Each
# template is a fragment of an SELinux policy source file: type enforcement
# (te_*), interface (if_*) or file context (fc_*).
# TEMPLATETYPE, EXECUTABLE and USER look like placeholders that the generator
# substitutes before writing the policy -- the substitution code is not in
# this file, TODO confirm against the caller.
#
# NOTE(review): every *_types template below ends with a `permissive`
# statement for the domain it declares. A permissive domain has its denials
# logged but not enforced, so a policy generated from these templates does
# not confine the program until that statement is removed from the output.
########################### Type Enforcement File #############################
# Declarations for a daemon started by init: the process type, its entry
# point type, and init_daemon_domain() to tie the two together.
te_daemon_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)

permissive TEMPLATETYPE_t;
"""

# Extra declaration for the init script that starts the program.
# Unlike the templates opened with `"""\`, this string begins with a newline.
te_initscript_types="""
type TEMPLATETYPE_initrc_exec_t;
init_script_file(TEMPLATETYPE_initrc_exec_t)
"""

# Declarations for a D-Bus service: a plain domain with an entry point file,
# placed in the system_r role.
te_dbusd_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
domain_type(TEMPLATETYPE_t)
domain_entry_file(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
role system_r types TEMPLATETYPE_t;

permissive TEMPLATETYPE_t;
"""

# Declarations for a service launched by inetd.
te_inetd_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
inetd_service_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)

permissive TEMPLATETYPE_t;
"""

# Declarations for a user application. TEMPLATETYPE_roles is a role attribute:
# system_r is added to it here, and the TEMPLATETYPE_run / TEMPLATETYPE_role
# interfaces further down add caller-supplied roles to the same attribute.
te_userapp_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

attribute_role TEMPLATETYPE_roles;
roleattribute system_r TEMPLATETYPE_roles;

type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
role TEMPLATETYPE_roles types TEMPLATETYPE_t;

permissive TEMPLATETYPE_t;
"""

# Declarations for a sandbox. The types come from sandbox_x_domain_template();
# both TEMPLATETYPE_t and TEMPLATETYPE_client_t are marked permissive.
te_sandbox_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

sandbox_x_domain_template(TEMPLATETYPE)

permissive TEMPLATETYPE_t;
permissive TEMPLATETYPE_client_t;

"""

# Declarations for a web CGI script. The types come from
# apache_content_template(); the script domain is marked permissive.
te_cgi_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

apache_content_template(TEMPLATETYPE)

permissive httpd_TEMPLATETYPE_script_t;
"""

# Base rules for a daemon: access to its own FIFOs and unix stream sockets.
te_daemon_rules="""\
allow TEMPLATETYPE_t self:fifo_file rw_fifo_file_perms;
allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
"""

# No base rules for inetd services (the string holds a single newline).
te_inetd_rules="""
"""

# Base rules for a D-Bus service, wrapped in optional_policy so the module
# still builds when the dbus policy is absent.
te_dbusd_rules="""
optional_policy(`
dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
')
"""

# Base rules for a user application. Note manage_fifo_file_perms here versus
# rw_fifo_file_perms in te_daemon_rules.
te_userapp_rules="""
allow TEMPLATETYPE_t self:fifo_file manage_fifo_file_perms;
allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
"""

# No base rules for CGI scripts (single newline).
te_cgi_rules="""
"""

# No base rules for sandboxes (single newline).
te_sandbox_rules="""
"""

# The snippets below are single-capability rule fragments; which ones end up
# in a generated policy is decided outside this file.

# User/group lookups through nsswitch.
te_uid_rules="""
auth_use_nsswitch(TEMPLATETYPE_t)
"""

# Sending messages to syslog.
te_syslog_rules="""
logging_send_syslog_msg(TEMPLATETYPE_t)
"""

# DNS name resolution.
te_resolve_rules="""
sysnet_dns_name_resolve(TEMPLATETYPE_t)
"""

# PAM use: allows a domain transition to the password-checking helper.
te_pam_rules="""
auth_domtrans_chk_passwd(TEMPLATETYPE_t)
"""

# Sending mail.
te_mail_rules="""
mta_send_mail(TEMPLATETYPE_t)
"""

# Acting as a client of the system D-Bus.
te_dbus_rules="""
optional_policy(`
dbus_system_bus_client(TEMPLATETYPE_t)
dbus_connect_system_bus(TEMPLATETYPE_t)
')
"""

# Kerberos client use.
te_kerberos_rules="""
optional_policy(`
kerberos_use(TEMPLATETYPE_t)
')
"""

# Kerberos keytab template plus management of the host replay cache.
te_manage_krb5_rcache_rules="""
optional_policy(`
kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t)
kerberos_manage_host_rcache(TEMPLATETYPE_t)
')
"""

# Sending audit messages.
te_audit_rules="""
logging_send_audit_msgs(TEMPLATETYPE_t)
"""

# Lets the user domain/role USER_t/USER_r run the application by calling the
# TEMPLATETYPE_run interface; optional so a missing user policy is not fatal.
te_run_rules="""
optional_policy(`
gen_require(`
type USER_t;
role USER_r;
')

TEMPLATETYPE_run(USER_t, USER_r)
')
"""

# Use of interactive file descriptors inherited from the caller.
te_fd_rules="""
domain_use_interactive_fds(TEMPLATETYPE_t)
"""

# Read access to generic files under /etc.
te_etc_rules="""
files_read_etc_files(TEMPLATETYPE_t)
"""

# Read access to localization data.
te_localization_rules="""
miscfiles_read_localization(TEMPLATETYPE_t)
"""

########################### Interface File #############################

# First line of the interface file: the module summary.
if_heading_rules="""
## <summary>policy for TEMPLATETYPE</summary>"""

# TEMPLATETYPE_domtrans: caller $1 transitions into TEMPLATETYPE_t when it
# executes the entry point. TEMPLATETYPE_exec: caller runs the program in its
# own domain, without a transition.
# The `\"` in the first <param> line is just an escaped double quote; the
# resulting text matches the unescaped form used in the other templates.
if_program_rules="""

########################################
## <summary>
## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain.
## </summary>
## <param name=\"domain\">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`TEMPLATETYPE_domtrans',`
gen_require(`
type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
')

######################################
## <summary>
## Execute TEMPLATETYPE in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`TEMPLATETYPE_exec',`
gen_require(`
type TEMPLATETYPE_exec_t;
')

corecmd_search_bin($1)
can_exec($1, TEMPLATETYPE_exec_t)
')
"""

# Interfaces for user applications. Argument order differs between the two:
# TEMPLATETYPE_run takes (domain, role), TEMPLATETYPE_role takes
# (role, domain). TEMPLATETYPE_role additionally lets the user domain see the
# process and send it signull, signal and sigkill.
if_user_program_rules="""
########################################
## <summary>
## Execute TEMPLATETYPE in the TEMPLATETYPE domain, and
## allow the specified role the TEMPLATETYPE domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the TEMPLATETYPE domain.
## </summary>
## </param>
#
interface(`TEMPLATETYPE_run',`
gen_require(`
type TEMPLATETYPE_t;
attribute_role TEMPLATETYPE_roles;
')

TEMPLATETYPE_domtrans($1)
roleattribute $2 TEMPLATETYPE_roles;
')

########################################
## <summary>
## Role access for TEMPLATETYPE
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`TEMPLATETYPE_role',`
gen_require(`
type TEMPLATETYPE_t;
attribute_role TEMPLATETYPE_roles;
')

roleattribute $1 TEMPLATETYPE_roles;

TEMPLATETYPE_domtrans($2)

ps_process_pattern($2, TEMPLATETYPE_t)
allow $2 TEMPLATETYPE_t:process { signull signal sigkill };
')
"""

# Sandbox transition interface: caller $1 may transition to and signal the
# sandbox, role $2 is allowed both sandbox types, and the sandbox domains may
# signal the caller and use FIFOs inherited from it. The dontaudit line only
# silences noatsecure/siginh/rlimitinh denials; it does not grant them.
if_sandbox_rules="""
########################################
## <summary>
## Execute sandbox in the TEMPLATETYPE_t domain, and
## allow the specified role the TEMPLATETYPE_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the TEMPLATETYPE_t domain.
## </summary>
## </param>
#
interface(`TEMPLATETYPE_transition',`
gen_require(`
type TEMPLATETYPE_t;
type TEMPLATETYPE_client_t;
')

allow $1 TEMPLATETYPE_t:process { signal_perms transition };
dontaudit $1 TEMPLATETYPE_t:process { noatsecure siginh rlimitinh };
role $2 types TEMPLATETYPE_t;
role $2 types TEMPLATETYPE_client_t;

allow TEMPLATETYPE_t $1:process { sigchld signull };
allow TEMPLATETYPE_t $1:fifo_file rw_inherited_fifo_file_perms;
allow TEMPLATETYPE_client_t $1:process { sigchld signull };
allow TEMPLATETYPE_client_t $1:fifo_file rw_inherited_fifo_file_perms;
')
"""

# Lets role $1 change to the TEMPLATETYPE_r role.
if_role_change_rules="""
########################################
## <summary>
## Change to the TEMPLATETYPE role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`TEMPLATETYPE_role_change',`
gen_require(`
role TEMPLATETYPE_r;
')

allow $1 TEMPLATETYPE_r;
')
"""

# Lets caller $1 run the init script with a domain transition.
if_initscript_rules="""
########################################
## <summary>
## Execute TEMPLATETYPE server in the TEMPLATETYPE domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`TEMPLATETYPE_initrc_domtrans',`
gen_require(`
type TEMPLATETYPE_initrc_exec_t;
')

init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
')
"""

# Two-way D-Bus messaging between caller $1 and TEMPLATETYPE_t.
if_dbus_rules="""
########################################
## <summary>
## Send and receive messages from
## TEMPLATETYPE over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`TEMPLATETYPE_dbus_chat',`
gen_require(`
type TEMPLATETYPE_t;
class dbus send_msg;
')

allow $1 TEMPLATETYPE_t:dbus send_msg;
allow TEMPLATETYPE_t $1:dbus send_msg;
')
"""

# The TEMPLATETYPE_admin interface is split across several fragments. This
# one opens interface( and gen_require( and closes neither; presumably the
# generator appends further type lines, then if_middle_admin, then
# if_end_admin -- the assembly code is not in this file, TODO confirm.
if_begin_admin="""
########################################
## <summary>
## All of the rules required to administrate
## an TEMPLATETYPE environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`TEMPLATETYPE_admin',`
gen_require(`
type TEMPLATETYPE_t;"""

# Closes the gen_require opened in if_begin_admin and grants the admin domain
# $1 signal and process-listing access to TEMPLATETYPE_t.
# NOTE(review): in the tunable_policy call the "true" branch is empty and the
# allow sits in the "else" branch, so ptrace of TEMPLATETYPE_t is granted to
# $1 whenever the deny_ptrace tunable is off.
if_middle_admin="""
')

allow $1 TEMPLATETYPE_t:process { signal_perms };
ps_process_pattern($1, TEMPLATETYPE_t)

tunable_policy(`deny_ptrace',`',`
allow $1 TEMPLATETYPE_t:process ptrace;
')
"""

# Extra gen_require line for the admin interface when an init script exists;
# it has no trailing newline, like the end of if_begin_admin.
if_initscript_admin_types="""
type TEMPLATETYPE_initrc_exec_t;"""

# Admin rules for the init script: $1 may run it with a transition, and role
# $2 is allowed system_r and transitions to it on executing the script.
# NOTE(review): this hands the admin role a path into system_r, so it is
# worth checking which roles get passed as $2 in a generated policy.
if_initscript_admin="""
TEMPLATETYPE_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 TEMPLATETYPE_initrc_exec_t system_r;
allow $2 system_r;
"""

# Final fragment of the admin interface: optional systemd password-agent
# access for $1, then the closing quote/paren of interface(.
if_end_admin="""\
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
"""

########################### File Context ##################################
# Labels the program file (the `--` field restricts the entry to regular
# files) with the entry point type.
fc_program="""\
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
"""

# Placeholder content for a file context file that defines no labels.
fc_user="""\
# No file context, leave blank
"""

# Labels the init script with the initrc entry point type.
fc_initscript="""\
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
"""
