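# sandbox.te -- base policy for the SELinux "sandbox" domains.
#
# This module only declares the shared sandbox_domain attribute and the
# rules common to every domain that carries it.  The X/sandboxX-specific
# types (sandbox_file_t etc.) live in sandboxX.te and are reached through
# the optional_policy() block below, so this module still builds when
# sandboxX is absent.
#
# Security note for reviewers: by design these rules are *broad* (exec of
# all executables, entrypoint on all files, rw of inherited fds) because
# the sandbox runner is expected to confine arbitrary user programs by
# other means (separate MCS categories, private mounts, no network rules
# in this file).  Any allow added here is granted to every sandbox domain.

policy_module(sandbox,1.0.0)

# Attribute shared by all sandbox domains.  The per-domain types are
# created by sandbox_domain_template() (defined in the sandbox interface
# file, not shown here).
attribute sandbox_domain;

########################################
#
# Declarations
#

sandbox_domain_template(sandbox)

########################################
#
# sandbox local policy
#

# Self process permissions.  Note that execstack is granted
# unconditionally while execmem is gated by the deny_execmem boolean
# below; NOTE(review): an executable stack normally also needs execmem at
# the kernel check, so with deny_execmem=true the execstack grant is
# likely ineffective -- confirm the intent before relying on either.
allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };

# execmem (anonymous/writable+executable mappings) is allowed only when
# the deny_execmem boolean is off: tunable_policy(bool, if-true, if-false).
tunable_policy(`deny_execmem',`',`
	allow sandbox_domain self:process execmem;
')

# Self-owned IPC objects: pipes, SysV semaphores/shared memory/message
# queues, and unix sockets.
allow sandbox_domain self:fifo_file manage_file_perms;
allow sandbox_domain self:sem create_sem_perms;
allow sandbox_domain self:shm create_shm_perms;
allow sandbox_domain self:msgq create_msgq_perms;
allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
# Audit-netlink access is denied but not logged (dontaudit), to keep
# unprivileged sandboxed programs that probe the audit socket from
# filling the audit log.  This is a silence, not a grant.
dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# Device nodes handed in as already-open file descriptors (e.g. a tty or
# a DRM node opened by the launcher) may be read and written.
dev_rw_all_inherited_chr_files(sandbox_domain)
dev_rw_all_inherited_blk_files(sandbox_domain)

# sandbox_file_t was moved to sandboxX.te
optional_policy(`
	sandbox_exec_file(sandbox_domain)
	sandbox_manage_content(sandbox_domain)
	sandbox_dontaudit_mounton(sandbox_domain)
	sandbox_manage_tmpfs_files(sandbox_domain)
')

# Types named in the exclusion list of files_rw_all_inherited_files()
# below.  locale_t was previously listed twice; it is required once here.
gen_require(`
	type usr_t, lib_t, locale_t, device_t;
	type var_t, var_run_t, rpm_log_t;
	attribute exec_type, configfile;
')

# Reading /proc system state is denied silently.
kernel_dontaudit_read_system_state(sandbox_domain)

# Sandboxed programs may execute any executable type.
corecmd_exec_all_executables(sandbox_domain)

# Silence getattr noise on device nodes the sandbox cannot otherwise use.
dev_dontaudit_getattr_all(sandbox_domain)

# Read/write of inherited (already-open) file descriptors of any file
# type *except* the ones listed with a leading '-': executables, config
# files, /usr and library/locale content, /var and /var/run, /dev, and
# the rpm log.  Those exclusions are what keep an inherited fd from
# turning into a write to system or configuration content; keep the list
# in sync with the gen_require block above.
files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
# Any file type may serve as the entrypoint into a sandbox domain,
# presumably so arbitrary user programs can be launched sandboxed --
# a deliberately wide grant; verify against the sandbox launcher.
files_entrypoint_all_files(sandbox_domain)

files_read_config_files(sandbox_domain)
files_read_var_files(sandbox_domain)
files_dontaudit_search_all_dirs(sandbox_domain)

fs_dontaudit_getattr_all_fs(sandbox_domain)

# Direct use of the invoking user's terminal is denied silently; terminal
# access comes only via inherited chr_file fds granted above.
userdom_dontaudit_use_user_terminals(sandbox_domain)

mta_dontaudit_read_spool_symlinks(sandbox_domain)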