• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 # Copyright (C) 2007-2012 Red Hat
2 # see file 'COPYING' for use and warranty information
3 #
4 # policygentool is a tool for the initial generation of SELinux policy
5 #
6 #    This program is free software; you can redistribute it and/or
7 #    modify it under the terms of the GNU General Public License as
8 #    published by the Free Software Foundation; either version 2 of
9 #    the License, or (at your option) any later version.
10 #
11 #    This program is distributed in the hope that it will be useful,
12 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
13 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14 #    GNU General Public License for more details.
15 #
16 #    You should have received a copy of the GNU General Public License
17 #    along with this program; if not, write to the Free Software
18 #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19 #                                        02111-1307  USA
20 #
21 #
22 ########################### Type Enforcement File #############################
23 te_daemon_types="""\
24 policy_module(TEMPLATETYPE, 1.0.0)
25 
26 ########################################
27 #
28 # Declarations
29 #
30 
31 type TEMPLATETYPE_t;
32 type TEMPLATETYPE_exec_t;
33 init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
34 
35 permissive TEMPLATETYPE_t;
36 """
37 
38 te_initscript_types="""
39 type TEMPLATETYPE_initrc_exec_t;
40 init_script_file(TEMPLATETYPE_initrc_exec_t)
41 """
42 
43 te_dbusd_types="""\
44 policy_module(TEMPLATETYPE, 1.0.0)
45 
46 ########################################
47 #
48 # Declarations
49 #
50 
51 type TEMPLATETYPE_t;
52 type TEMPLATETYPE_exec_t;
53 domain_type(TEMPLATETYPE_t)
54 domain_entry_file(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
55 role system_r types TEMPLATETYPE_t;
56 
57 permissive TEMPLATETYPE_t;
58 """
59 
60 te_inetd_types="""\
61 policy_module(TEMPLATETYPE, 1.0.0)
62 
63 ########################################
64 #
65 # Declarations
66 #
67 
68 type TEMPLATETYPE_t;
69 type TEMPLATETYPE_exec_t;
70 inetd_service_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
71 
72 permissive TEMPLATETYPE_t;
73 """
74 
75 te_userapp_types="""\
76 policy_module(TEMPLATETYPE, 1.0.0)
77 
78 ########################################
79 #
80 # Declarations
81 #
82 
83 attribute_role TEMPLATETYPE_roles;
84 roleattribute system_r TEMPLATETYPE_roles;
85 
86 type TEMPLATETYPE_t;
87 type TEMPLATETYPE_exec_t;
88 application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
89 role TEMPLATETYPE_roles types TEMPLATETYPE_t;
90 
91 permissive TEMPLATETYPE_t;
92 """
93 
94 te_sandbox_types="""\
95 policy_module(TEMPLATETYPE, 1.0.0)
96 
97 ########################################
98 #
99 # Declarations
100 #
101 
102 sandbox_x_domain_template(TEMPLATETYPE)
103 
104 permissive TEMPLATETYPE_t;
105 permissive TEMPLATETYPE_client_t;
106 
107 """
108 
109 te_cgi_types="""\
110 policy_module(TEMPLATETYPE, 1.0.0)
111 
112 ########################################
113 #
114 # Declarations
115 #
116 
117 apache_content_template(TEMPLATETYPE)
118 
119 permissive httpd_TEMPLATETYPE_script_t;
120 """
121 
122 te_daemon_rules="""\
123 allow TEMPLATETYPE_t self:fifo_file rw_fifo_file_perms;
124 allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
125 """
126 
127 te_inetd_rules="""
128 """
129 
130 te_dbusd_rules="""
131 optional_policy(`
132 	dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
133 ')
134 """
135 
136 te_userapp_rules="""
137 allow TEMPLATETYPE_t self:fifo_file manage_fifo_file_perms;
138 allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
139 """
140 
141 te_cgi_rules="""
142 """
143 
144 te_sandbox_rules="""
145 """
146 
147 te_uid_rules="""
148 auth_use_nsswitch(TEMPLATETYPE_t)
149 """
150 
151 te_syslog_rules="""
152 logging_send_syslog_msg(TEMPLATETYPE_t)
153 """
154 
155 te_resolve_rules="""
156 sysnet_dns_name_resolve(TEMPLATETYPE_t)
157 """
158 
159 te_pam_rules="""
160 auth_domtrans_chk_passwd(TEMPLATETYPE_t)
161 """
162 
163 te_mail_rules="""
164 mta_send_mail(TEMPLATETYPE_t)
165 """
166 
167 te_dbus_rules="""
168 optional_policy(`
169 	dbus_system_bus_client(TEMPLATETYPE_t)
170 	dbus_connect_system_bus(TEMPLATETYPE_t)
171 ')
172 """
173 
174 te_kerberos_rules="""
175 optional_policy(`
176 	kerberos_use(TEMPLATETYPE_t)
177 ')
178 """
179 
180 te_manage_krb5_rcache_rules="""
181 optional_policy(`
182 	kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t)
183 	kerberos_manage_host_rcache(TEMPLATETYPE_t)
184 ')
185 """
186 
187 te_audit_rules="""
188 logging_send_audit_msgs(TEMPLATETYPE_t)
189 """
190 
191 te_run_rules="""
192 optional_policy(`
193 	gen_require(`
194 		type USER_t;
195 		role USER_r;
196 	')
197 
198 	TEMPLATETYPE_run(USER_t, USER_r)
199 ')
200 """
201 
202 te_fd_rules="""
203 domain_use_interactive_fds(TEMPLATETYPE_t)
204 """
205 
206 te_etc_rules="""
207 files_read_etc_files(TEMPLATETYPE_t)
208 """
209 
210 te_localization_rules="""
211 miscfiles_read_localization(TEMPLATETYPE_t)
212 """
213 
214 ########################### Interface File #############################
215 
216 if_heading_rules="""
217 ## <summary>policy for TEMPLATETYPE</summary>"""
218 
219 if_program_rules="""
220 
221 ########################################
222 ## <summary>
223 ##	Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain.
224 ## </summary>
225 ## <param name=\"domain\">
226 ## <summary>
227 ##	Domain allowed to transition.
228 ## </summary>
229 ## </param>
230 #
231 interface(`TEMPLATETYPE_domtrans',`
232 	gen_require(`
233 		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
234 	')
235 
236 	corecmd_search_bin($1)
237 	domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
238 ')
239 
240 ######################################
241 ## <summary>
242 ##	Execute TEMPLATETYPE in the caller domain.
243 ## </summary>
244 ## <param name="domain">
245 ##	<summary>
246 ##	Domain allowed access.
247 ##	</summary>
248 ## </param>
249 #
250 interface(`TEMPLATETYPE_exec',`
251 	gen_require(`
252 		type TEMPLATETYPE_exec_t;
253 	')
254 
255 	corecmd_search_bin($1)
256 	can_exec($1, TEMPLATETYPE_exec_t)
257 ')
258 """
259 
260 if_user_program_rules="""
261 ########################################
262 ## <summary>
263 ##	Execute TEMPLATETYPE in the TEMPLATETYPE domain, and
264 ##	allow the specified role the TEMPLATETYPE domain.
265 ## </summary>
266 ## <param name="domain">
267 ##	<summary>
268 ##	Domain allowed to transition
269 ##	</summary>
270 ## </param>
271 ## <param name="role">
272 ##	<summary>
273 ##	The role to be allowed the TEMPLATETYPE domain.
274 ##	</summary>
275 ## </param>
276 #
277 interface(`TEMPLATETYPE_run',`
278 	gen_require(`
279 		type TEMPLATETYPE_t;
280 		attribute_role TEMPLATETYPE_roles;
281 	')
282 
283 	TEMPLATETYPE_domtrans($1)
284 	roleattribute $2 TEMPLATETYPE_roles;
285 ')
286 
287 ########################################
288 ## <summary>
289 ##	Role access for TEMPLATETYPE
290 ## </summary>
291 ## <param name="role">
292 ##	<summary>
293 ##	Role allowed access
294 ##	</summary>
295 ## </param>
296 ## <param name="domain">
297 ##	<summary>
298 ##	User domain for the role
299 ##	</summary>
300 ## </param>
301 #
302 interface(`TEMPLATETYPE_role',`
303 	gen_require(`
304 		type TEMPLATETYPE_t;
305 		attribute_role TEMPLATETYPE_roles;
306 	')
307 
308 	roleattribute $1 TEMPLATETYPE_roles;
309 
310 	TEMPLATETYPE_domtrans($2)
311 
312 	ps_process_pattern($2, TEMPLATETYPE_t)
313 	allow $2 TEMPLATETYPE_t:process { signull signal sigkill };
314 ')
315 """
316 
317 if_sandbox_rules="""
318 ########################################
319 ## <summary>
320 ##	Execute sandbox in the TEMPLATETYPE_t domain, and
321 ##	allow the specified role the TEMPLATETYPE_t domain.
322 ## </summary>
323 ## <param name="domain">
324 ##	<summary>
325 ##	Domain allowed to transition.
326 ##	</summary>
327 ## </param>
328 ## <param name="role">
329 ##	<summary>
330 ##	The role to be allowed the TEMPLATETYPE_t domain.
331 ##	</summary>
332 ## </param>
333 #
334 interface(`TEMPLATETYPE_transition',`
335 	gen_require(`
336 		type TEMPLATETYPE_t;
337 		type TEMPLATETYPE_client_t;
338 	')
339 
340 	allow $1 TEMPLATETYPE_t:process { signal_perms transition };
341 	dontaudit $1 TEMPLATETYPE_t:process { noatsecure siginh rlimitinh };
342 	role $2 types TEMPLATETYPE_t;
343 	role $2 types TEMPLATETYPE_client_t;
344 
345 	allow TEMPLATETYPE_t $1:process { sigchld signull };
346 	allow TEMPLATETYPE_t $1:fifo_file rw_inherited_fifo_file_perms;
347 	allow TEMPLATETYPE_client_t $1:process { sigchld signull };
348 	allow TEMPLATETYPE_client_t $1:fifo_file rw_inherited_fifo_file_perms;
349 ')
350 """
351 
352 if_role_change_rules="""
353 ########################################
354 ## <summary>
355 ##	Change to the TEMPLATETYPE role.
356 ## </summary>
357 ## <param name="role">
358 ##	<summary>
359 ##	Role allowed access.
360 ##	</summary>
361 ## </param>
362 ## <rolecap/>
363 #
364 interface(`TEMPLATETYPE_role_change',`
365 	gen_require(`
366 		role TEMPLATETYPE_r;
367 	')
368 
369 	allow $1 TEMPLATETYPE_r;
370 ')
371 """
372 
373 if_initscript_rules="""
374 ########################################
375 ## <summary>
376 ##	Execute TEMPLATETYPE server in the TEMPLATETYPE domain.
377 ## </summary>
378 ## <param name="domain">
379 ##	<summary>
380 ##	Domain allowed access.
381 ##	</summary>
382 ## </param>
383 #
384 interface(`TEMPLATETYPE_initrc_domtrans',`
385 	gen_require(`
386 		type TEMPLATETYPE_initrc_exec_t;
387 	')
388 
389 	init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
390 ')
391 """
392 
393 if_dbus_rules="""
394 ########################################
395 ## <summary>
396 ##	Send and receive messages from
397 ##	TEMPLATETYPE over dbus.
398 ## </summary>
399 ## <param name="domain">
400 ##	<summary>
401 ##	Domain allowed access.
402 ##	</summary>
403 ## </param>
404 #
405 interface(`TEMPLATETYPE_dbus_chat',`
406 	gen_require(`
407 		type TEMPLATETYPE_t;
408 		class dbus send_msg;
409 	')
410 
411 	allow $1 TEMPLATETYPE_t:dbus send_msg;
412 	allow TEMPLATETYPE_t $1:dbus send_msg;
413 ')
414 """
415 
416 if_begin_admin="""
417 ########################################
418 ## <summary>
419 ##	All of the rules required to administrate
420 ##	an TEMPLATETYPE environment
421 ## </summary>
422 ## <param name="domain">
423 ##	<summary>
424 ##	Domain allowed access.
425 ##	</summary>
426 ## </param>
427 ## <param name="role">
428 ##	<summary>
429 ##	Role allowed access.
430 ##	</summary>
431 ## </param>
432 ## <rolecap/>
433 #
434 interface(`TEMPLATETYPE_admin',`
435 	gen_require(`
436 		type TEMPLATETYPE_t;"""
437 
438 if_middle_admin="""
439 	')
440 
441 	allow $1 TEMPLATETYPE_t:process { signal_perms };
442 	ps_process_pattern($1, TEMPLATETYPE_t)
443 
444     tunable_policy(`deny_ptrace',`',`
445         allow $1 TEMPLATETYPE_t:process ptrace;
446     ')
447 """
448 
449 if_initscript_admin_types="""
450 		type TEMPLATETYPE_initrc_exec_t;"""
451 
452 if_initscript_admin="""
453 	TEMPLATETYPE_initrc_domtrans($1)
454 	domain_system_change_exemption($1)
455 	role_transition $2 TEMPLATETYPE_initrc_exec_t system_r;
456 	allow $2 system_r;
457 """
458 
459 if_end_admin="""\
460 	optional_policy(`
461 		systemd_passwd_agent_exec($1)
462 		systemd_read_fifo_file_passwd_run($1)
463 	')
464 ')
465 """
466 
467 ########################### File Context ##################################
468 fc_program="""\
469 EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
470 """
471 
472 fc_user="""\
473 #  No file context, leave blank
474 """
475 
476 fc_initscript="""\
477 EXECUTABLE	--	gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
478 """
479