| 28 | | # |
|---|
| 29 | | # SELinux process identity change constraint: |
|---|
| 30 | | # |
|---|
| 31 | | constrain process transition |
|---|
| 32 | | ( |
|---|
| 33 | | u1 == u2 |
|---|
| 34 | | |
|---|
| | 28 | define(`basic_ubac_conditions',` |
|---|
| | 29 | u1 == u2 |
|---|
| | 30 | or t1 != ubac_constrained_type |
|---|
| | 31 | or t2 != ubac_constrained_type |
|---|
| | 32 | ') |
|---|
| | 33 | |
|---|
| | 34 | define(`basic_ubac_constraint',` |
|---|
| | 35 | constrain $1 all_$1_perms |
|---|
| | 36 | ( |
|---|
| | 37 | basic_ubac_conditions |
|---|
| | 38 | ); |
|---|
| | 39 | ') |
|---|
| | 40 | |
|---|
| | 41 | define(`exempted_ubac_constraint',` |
|---|
| | 42 | constrain $1 all_$1_perms |
|---|
| | 43 | ( |
|---|
| | 44 | basic_ubac_conditions |
|---|
| | 45 | or t1 == $2 |
|---|
| | 46 | ); |
|---|
| | 47 | ') |
|---|
| | 48 | |
|---|
| | 49 | ######################################## |
|---|
| | 50 | # |
|---|
| | 51 | # File rules |
|---|
| | 52 | # |
|---|
| | 53 | |
|---|
| | 54 | exempted_ubac_constraint(dir, ubacfilesubj) |
|---|
| | 55 | exempted_ubac_constraint(file, ubacfilesubj) |
|---|
| | 56 | exempted_ubac_constraint(lnk_file, ubacfilesubj) |
|---|
| | 57 | exempted_ubac_constraint(fifo_file, ubacfilesubj) |
|---|
| | 58 | exempted_ubac_constraint(sock_file, ubacfilesubj) |
|---|
| | 59 | exempted_ubac_constraint(chr_file, ubacfilesubj) |
|---|
| | 60 | exempted_ubac_constraint(blk_file, ubacfilesubj) |
|---|
| | 61 | |
|---|
| | 62 | # SElinux object identity change constraint: |
|---|
| | 63 | constrain dir_file_class_set { create relabelto relabelfrom } |
|---|
| | 64 | ( |
|---|
| | 65 | u1 == u2 |
|---|
| | 66 | or t1 == can_change_object_identity |
|---|
| | 67 | ); |
|---|
| | 68 | |
|---|
| | 69 | ######################################## |
|---|
| | 70 | # |
|---|
| | 71 | # Process rules |
|---|
| | 72 | # |
|---|
| | 73 | |
|---|
| | 74 | constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } |
|---|
| | 75 | ( |
|---|
| | 76 | basic_ubac_conditions |
|---|
| | 77 | or t1 == ubacprocsubj |
|---|
| | 78 | ); |
|---|
| | 79 | |
|---|
| | 80 | constrain process { transition noatsecure siginh rlimitinh } |
|---|
| | 81 | ( |
|---|
| | 82 | u1 == u2 |
|---|
| 52 | | # |
|---|
| 53 | | # SElinux object identity change constraint: |
|---|
| 54 | | # |
|---|
| 55 | | constrain dir_file_class_set { create relabelto relabelfrom } |
|---|
| 56 | | ( |
|---|
| 57 | | u1 == u2 |
|---|
| 58 | | |
|---|
| | 94 | # These permissions do not have ubac constraints: |
|---|
| | 95 | # fork |
|---|
| | 96 | # setexec |
|---|
| | 97 | # setfscreate |
|---|
| | 98 | # setcurrent |
|---|
| | 99 | # execmem |
|---|
| | 100 | # execstack |
|---|
| | 101 | # execheap |
|---|
| | 102 | # setkeycreate |
|---|
| | 103 | # setsockcreate |
|---|
| | 104 | |
|---|
| | 105 | ######################################## |
|---|
| | 106 | # |
|---|
| | 107 | # File descriptor rules |
|---|
| | 108 | # |
|---|
| | 109 | |
|---|
| | 110 | basic_ubac_constraint(fd) |
|---|
| | 111 | |
|---|
| | 112 | ######################################## |
|---|
| | 113 | # |
|---|
| | 114 | # Socket rules |
|---|
| | 115 | # |
|---|
| | 116 | |
|---|
| | 117 | exempted_ubac_constraint(socket, ubacsocksubj) |
|---|
| | 118 | exempted_ubac_constraint(tcp_socket, ubacsocksubj) |
|---|
| | 119 | exempted_ubac_constraint(udp_socket, ubacsocksubj) |
|---|
| | 120 | exempted_ubac_constraint(rawip_socket, ubacsocksubj) |
|---|
| | 121 | exempted_ubac_constraint(netlink_socket, ubacsocksubj) |
|---|
| | 122 | exempted_ubac_constraint(packet_socket, ubacsocksubj) |
|---|
| | 123 | exempted_ubac_constraint(key_socket, ubacsocksubj) |
|---|
| | 124 | exempted_ubac_constraint(unix_stream_socket, ubacsocksubj) |
|---|
| | 125 | exempted_ubac_constraint(unix_dgram_socket, ubacsocksubj) |
|---|
| | 126 | exempted_ubac_constraint(netlink_route_socket, ubacsocksubj) |
|---|
| | 127 | exempted_ubac_constraint(netlink_firewall_socket, ubacsocksubj) |
|---|
| | 128 | exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsocksubj) |
|---|
| | 129 | exempted_ubac_constraint(netlink_nflog_socket, ubacsocksubj) |
|---|
| | 130 | exempted_ubac_constraint(netlink_xfrm_socket, ubacsocksubj) |
|---|
| | 131 | exempted_ubac_constraint(netlink_selinux_socket, ubacsocksubj) |
|---|
| | 132 | exempted_ubac_constraint(netlink_audit_socket, ubacsocksubj) |
|---|
| | 133 | exempted_ubac_constraint(netlink_ip6fw_socket, ubacsocksubj) |
|---|
| | 134 | exempted_ubac_constraint(netlink_dnrt_socket, ubacsocksubj) |
|---|
| | 135 | exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsocksubj) |
|---|
| | 136 | exempted_ubac_constraint(appletalk_socket, ubacsocksubj) |
|---|
| | 137 | exempted_ubac_constraint(dccp_socket, ubacsocksubj) |
|---|
| | 138 | |
|---|
| | 139 | constrain socket_class_set { create relabelto relabelfrom } |
|---|
| | 140 | ( |
|---|
| | 141 | u1 == u2 |
|---|
| 62 | | constrain socket_class_set { create relabelto relabelfrom } |
|---|
| 63 | | ( |
|---|
| 64 | | u1 == u2 |
|---|
| 65 | | |
|---|
| 66 | | or t1 == can_change_object_identity |
|---|
| 67 | | ); |
|---|
| | 145 | ######################################## |
|---|
| | 146 | # |
|---|
| | 147 | # SysV IPC rules |
|---|
| | 148 | |
|---|
| | 149 | exempted_ubac_constraint(sem, ubacipcsubj) |
|---|
| | 150 | exempted_ubac_constraint(msg, ubacipcsubj) |
|---|
| | 151 | exempted_ubac_constraint(msgq, ubacipcsubj) |
|---|
| | 152 | exempted_ubac_constraint(shm, ubacipcsubj) |
|---|
| | 153 | exempted_ubac_constraint(ipc, ubacipcsubj) |
|---|
| | 154 | |
|---|
| | 155 | ######################################## |
|---|
| | 156 | # |
|---|
| | 157 | # SE-X Windows rules |
|---|
| | 158 | # |
|---|
| | 159 | |
|---|
| | 160 | exempted_ubac_constraint(x_drawable, ubacxwinsubj) |
|---|
| | 161 | exempted_ubac_constraint(x_screen, ubacxwinsubj) |
|---|
| | 162 | exempted_ubac_constraint(x_gc, ubacxwinsubj) |
|---|
| | 163 | exempted_ubac_constraint(x_font, ubacxwinsubj) |
|---|
| | 164 | exempted_ubac_constraint(x_colormap, ubacxwinsubj) |
|---|
| | 165 | exempted_ubac_constraint(x_property, ubacxwinsubj) |
|---|
| | 166 | exempted_ubac_constraint(x_selection, ubacxwinsubj) |
|---|
| | 167 | exempted_ubac_constraint(x_cursor, ubacxwinsubj) |
|---|
| | 168 | exempted_ubac_constraint(x_client, ubacxwinsubj) |
|---|
| | 169 | exempted_ubac_constraint(x_device, ubacxwinsubj) |
|---|
| | 170 | exempted_ubac_constraint(x_server, ubacxwinsubj) |
|---|
| | 171 | exempted_ubac_constraint(x_extension, ubacxwinsubj) |
|---|
| | 172 | exempted_ubac_constraint(x_resource, ubacxwinsubj) |
|---|
| | 173 | exempted_ubac_constraint(x_event, ubacxwinsubj) |
|---|
| | 174 | exempted_ubac_constraint(x_synthetic_event, ubacxwinsubj) |
|---|
| | 175 | exempted_ubac_constraint(x_application_data, ubacxwinsubj) |
|---|
| | 176 | |
|---|
| | 177 | ######################################## |
|---|
| | 178 | # |
|---|
| | 179 | # D-BUS rules |
|---|
| | 180 | # |
|---|
| | 181 | |
|---|
| | 182 | exempted_ubac_constraint(dbus, ubacdbussubj) |
|---|
| | 183 | |
|---|
| | 184 | ######################################## |
|---|
| | 185 | # |
|---|
| | 186 | # Key rules |
|---|
| | 187 | # |
|---|
| | 188 | |
|---|
| | 189 | exempted_ubac_constraint(key, ubackeysubj) |
|---|
| | 190 | |
|---|
| | 191 | ######################################## |
|---|
| | 192 | # |
|---|
| | 193 | # Database rules |
|---|
| | 194 | # |
|---|
| | 195 | |
|---|
| | 196 | exempted_ubac_constraint(db_database, ubacdbsubj) |
|---|
| | 197 | exempted_ubac_constraint(db_table, ubacdbsubj) |
|---|
| | 198 | exempted_ubac_constraint(db_procedure, ubacdbsubj) |
|---|
| | 199 | exempted_ubac_constraint(db_column, ubacdbsubj) |
|---|
| | 200 | exempted_ubac_constraint(db_tuple, ubacdbsubj) |
|---|
| | 201 | exempted_ubac_constraint(db_blob, ubacdbsubj) |
|---|
| | 202 | |
|---|
| | 203 | |
|---|
| | 204 | |
|---|
| | 205 | basic_ubac_constraint(association) |
|---|
| | 206 | basic_ubac_constraint(peer) |
|---|
| | 207 | |
|---|
| | 208 | |
|---|
| | 209 | # these classes have no UBAC restrictions |
|---|
| | 210 | #class security |
|---|
| | 211 | #class system |
|---|
| | 212 | #class capability |
|---|
| | 213 | #class memprotect |
|---|
| | 214 | #class passwd # userspace |
|---|
| | 215 | #class node |
|---|
| | 216 | #class netif |
|---|
| | 217 | #class packet |
|---|
| | 218 | #class capability2 |
|---|
| | 219 | #class nscd # userspace |
|---|
| | 220 | #class context # userspace |
|---|
| | 221 | |
|---|
| | 222 | |
|---|
| | 223 | |
|---|
| | 224 | undefine(`basic_ubac_constraint') |
|---|
| | 225 | undefine(`basic_ubac_conditions') |
|---|
| | 226 | undefine(`exempted_ubac_constraint') |
|---|
