##############################
#
# Assertions for the type enforcement (TE) configuration.
#
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added. Access
# vector assertions use the same syntax as access vector rules.
#
#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition };
#
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
#
neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
#
# Verify that only appropriate domains can access /etc/shadow
neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd)
neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
#
# Verify that other system software can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
#
# Verify that only certain domains have access to the raw disk devices.
#
neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
#
# Verify that only the X server and klogd have access to memory devices.
#
neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
#
# Verify that only domains with the privlog attribute can actually syslog
#
neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
#
# Verify that /proc/kmsg is only accessible to klogd.
#
ifdef(`klogd.te', `
neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
', `
ifdef(`syslogd.te', `
neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
')dnl end if syslogd
')dnl end if klogd
#
# Verify that /proc/kcore is inaccessible.
#
neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
#
# Verify that sysctl variables are only changeable
# by initrc and administrators.
#
neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
#
# Verify that certain domains are limited to only being
# entered by their entrypoint types and to only executing
# the dynamic loader without a transition to another domain.
#
define(`assert_execute', `
ifelse($#, 0, ,
$#, 1,
``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
`assert_execute($1) assert_execute(shift($@))')')
ifdef(`getty.te', `assert_execute(getty)')
ifdef(`klogd.te', `assert_execute(klogd)')
ifdef(`tcpd.te', `assert_execute(tcpd)')
ifdef(`portmap.te', `assert_execute(portmap)')
ifdef(`syslogd.te', `assert_execute(syslogd)')
ifdef(`rpcd.te', `assert_execute(rpcd)')
ifdef(`rlogind.te', `assert_execute(rlogind)')
ifdef(`ypbind.te', `assert_execute(ypbind)')
ifdef(`xfs.te', `assert_execute(xfs)')
ifdef(`gpm.te', `assert_execute(gpm)')
ifdef(`ifconfig.te', `assert_execute(ifconfig)')
ifdef(`iptables.te', `assert_execute(iptables)')
ifdef(`login.te', `
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
')
#
# Verify that the passwd domain can only be entered by its
# entrypoint type and can only execute the dynamic loader
# and the ordinary passwd program without a transition to another domain.
#
ifdef(`passwd.te', `
neverallow passwd_t ~passwd_exec_t:file entrypoint;
neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
')
#
# Verify that only the admin domains and initrc_t have setenforce.
#
neverallow { domain -admin -initrc_t } security_t:security setenforce;
#
# Verify that only the kernel and load_policy_t have load_policy.
#
neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
#
# for gross mistakes in policy
neverallow * domain:dir ~r_dir_perms;
neverallow * domain:file_class_set ~rw_file_perms;
neverallow { domain unlabeled_t } file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;