psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   sandboxX.if
Blob Blame History Raw 

## <summary>policy for sandboxX </summary>

########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
#
interface(`sandbox_x_transition',`
	gen_require(`
		type sandbox_xserver_t;
		type sandbox_file_t;
		attribute sandbox_x_domain;
		attribute sandbox_tmpfs_type;
	')

	allow $1 sandbox_x_domain:process { signal_perms transition };
	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
	allow sandbox_x_domain $1:process { sigchld signull };
	allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
	role $2 types sandbox_x_domain;
	role $2 types sandbox_xserver_t;
	allow $1 sandbox_xserver_t:process signal_perms;
	dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
	dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
	dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
	allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
	allow sandbox_x_domain sandbox_x_domain:process signal;
	# Dontaudit leaked file descriptors
	dontaudit sandbox_x_domain $1:fifo_file { read write };
	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
	dontaudit sandbox_x_domain $1:process { signal sigkill };
	
	allow $1 sandbox_tmpfs_type:file manage_file_perms;
	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;

	can_exec($1, sandbox_file_t)
	allow $1 sandbox_file_t:filesystem getattr;
	manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
	relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	Creates types and rules for a basic
##	sandbox process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`sandbox_x_domain_template',`
	gen_require(`
		type xserver_exec_t, sandbox_devpts_t;
		type sandbox_xserver_t;
		type sandbox_exec_t;
		attribute sandbox_x_domain;
		attribute sandbox_tmpfs_type;
		attribute sandbox_type;
	')

	type $1_t, sandbox_x_domain, sandbox_type;
	application_type($1_t)
	mcs_constrained($1_t)

	kernel_read_system_state($1_t)
	selinux_get_fs_mount($1_t)

	auth_use_nsswitch($1_t)

	logging_send_syslog_msg($1_t)

	# window manager
	miscfiles_setattr_fonts_cache_dirs($1_t)
	allow $1_t self:capability setuid;

	type $1_client_t, sandbox_x_domain;
	application_type($1_client_t)
	kernel_read_system_state($1_client_t)

	mcs_constrained($1_t)

	type $1_client_tmpfs_t, sandbox_tmpfs_type;
	files_tmpfs_file($1_client_tmpfs_t)

	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
	manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
	fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
	# Pulseaudio tmpfs files with different MCS labels
	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
	dontaudit $1_t $1_client_tmpfs_t:file { read write };
	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };

	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
	allow $1_t sandbox_xserver_t:process signal_perms;

	domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
	domain_entry_file($1_client_t,  sandbox_exec_t)

	ps_process_pattern(sandbox_xserver_t, $1_client_t)
	ps_process_pattern(sandbox_xserver_t, $1_t)
	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
	allow $1_client_t $1_t:unix_stream_socket connectto;
	allow $1_t $1_client_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	allow domain to read, 
##	write sandbox_xserver tmp files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_rw_xserver_tmpfs_files',`
	gen_require(`
		type sandbox_xserver_tmpfs_t;
	')

	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
')

########################################
## <summary>
##	allow domain to read
##	sandbox tmpfs files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_read_tmpfs_files',`
	gen_require(`
		attribute sandbox_tmpfs_type;
	')

	allow $1 sandbox_tmpfs_type:file read_file_perms;
')

########################################
## <summary>
##	allow domain to manage
##	sandbox tmpfs files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_manage_tmpfs_files',`
	gen_require(`
		attribute sandbox_tmpfs_type;
	')

	allow $1 sandbox_tmpfs_type:file manage_file_perms;
')

########################################
## <summary>
##	Delete sandbox files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_files',`
	gen_require(`
		type sandbox_file_t;
	')

	delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	Manage sandbox content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_manage_content',`
	gen_require(`
		type sandbox_file_t;
	')

	allow $1 sandbox_file_t:filesystem getattr;
	manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
')

########################################
## <summary>
##	Delete sandbox symbolic links
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_lnk_files',`
	gen_require(`
		type sandbox_file_t;
	')

	delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	Delete sandbox fifo files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_pipes',`
	gen_require(`
		type sandbox_file_t;
	')

	delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	Delete sandbox sock files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_sock_files',`
	gen_require(`
		type sandbox_file_t;
	')

	delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	Allow domain to  set the attributes
##	of the sandbox directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_setattr_dirs',`
	gen_require(`
		type sandbox_file_t;
	')

	allow $1 sandbox_file_t:dir setattr;
')

########################################
## <summary>
##	Delete sandbox directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_dirs',`
	gen_require(`
		type sandbox_file_t;
	')

	delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	allow domain to list sandbox dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_list',`
	gen_require(`
		type sandbox_file_t;
	')

	allow $1 sandbox_file_t:dir list_dir_perms;
')

########################################
## <summary>
##	Read and write a sandbox domain pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sandbox_use_ptys',`
	gen_require(`
		type sandbox_devpts_t;
	')

	allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
')

#######################################
## <summary>
##  Allow domain to execute sandbox_file_t in the caller domain.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`sandbox_exec_file',`
    gen_require(`
        type sandbox_file_t;
    ')

	can_exec($1, sandbox_file_t)
')

######################################
## <summary>
##  Allow domain to execute sandbox_file_t in the caller domain.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`sandbox_dontaudit_mounton',`
    gen_require(`
        type sandbox_file_t;
    ')

	dontaudit $1 sandbox_file_t:dir mounton;
')
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.