2008-12-03 20:37:50

by Serge E. Hallyn

Subject: [refpolicy] container policy interface

Hi,

I've been playing a bit with creating LSM-protected containers.
Attached here are first stabs at an SELinux policy module (against
the refpolicy source with fedora 10) defining an interface
to create containers. The .te and .fc files use the interface
to create two containers, under /vs1 and /vs2. I've been
testing with liblxc (*1) creating debian-based containers
using debootstrap, on a fedora 10 host. It should work
equally well for libvirt though. Quite simply, $1_exec_t
is assigned to the container's /sbin/init, and used to
transition to the container's own type. (So far I'm lazily
using the devices whitelist cgroup to protect against device
access)

This interface is geared toward containers which have their
own private chroot. Containers can also be made minimalist
sharing read-only bind mounts of most of the fs. Such
containers should probably have their own interface, but
in any case I'm ignoring them for now.

Perhaps for starters, I don't know if there is a precedent
for this kind of interface. Would we want just the .if in
the base policy, with the user writing custom .te and .fc
files, based on the if, which they compile under /usr/share/selinux/?

Anyway, I'm posting this to see how far we can go toward
making something actually useful for the refpolicy.

-serge

*1: Install using
cvs -d:pserver:anonymous@lxc.cvs.sourceforge.net:/cvsroot/lxc login
cvs -z3 -d:pserver:anonymous@lxc.cvs.sourceforge.net:/cvsroot/lxc co -P lxc
cd lxc
./bootstrap && ./configure && make && make install
and use as
lxc-debian create (use vs1 as container name for instance)
lxc-start -n vs1
I can give more details on how to set everything up, but
am not sure whether that's necessary to hold a discussion
about the policy module.
-------------- next part --------------
# installation paths
SHAREDIR := /usr/share/selinux

# Policy store name (SELINUXTYPE) taken from the host configuration unless
# NAME is already set on the command line or in the environment.
AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))

# The selinuxfs mls flag; an empty result (file missing or unreadable) is
# treated as "enabled".
MLSENABLED := $(shell cat /selinux/mls)
ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif

# Policy flavour to build against: mls for an mls store, otherwise mcs when
# the kernel reports MLS support. Left unset when neither applies.
ifeq ($(NAME),mls)
NTYPE = mls
else ifeq ($(MLSENABLED),1)
NTYPE = mcs
endif

TYPE ?= $(NTYPE)

# Build rules come from the installed refpolicy development headers.
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile
-------------- next part --------------
## <summary> Interface for creating SELinux-protected containers. </summary>

###############################################################################
##
## Copyright (c) International Business Machines Corp., 2008
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
## the GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
##
################################################################################

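#######################################
## <summary>
##	Create the types and rules for one container with a private root
##	filesystem.
## </summary>
## <desc>
##	<p>
##	Declares a process domain $1_t, an entrypoint type $1_exec_t and a
##	file type $1_file_t. unconfined_t and staff_t transition into $1_t
##	when they execute a $1_exec_t file, which is meant to be the init
##	program of the container. The domain is then given the access a
##	container init needs to mount its own /proc, /dev, devpts, sysfs
##	and tmpfs and to run ordinary services inside its tree.
##	</p>
##	<p>
##	The access granted is deliberately broad and should be tightened
##	before general use: $1_t receives every capability except
##	audit_write, audit_control and sys_module, and every permission on
##	$1_file_t objects including chr_file and blk_file. With mknod it
##	can therefore create and open device nodes inside its own tree, so
##	this policy on its own does not restrict device access (the author
##	relies on the devices cgroup for that). Network access is also
##	wide: http and ssh ports, the inaddr_any and unspecified nodes, and
##	unlabeled packets.
##	</p>
##	<p>
##	Compared with the first posted version this drops the unused
##	requires for fs_t and inaddr_any_node_t, requires the four types
##	that were used directly without being required, and removes the
##	duplicated dev_read_urand call and the rules subsumed by wider
##	ones on the same object.
##	</p>
## </desc>
## <param name="container_name">
##	<summary>
##	Base name for the container. For instance, if the container name
##	is vs1 the domain is vs1_t, its entrypoint type is vs1_exec_t and
##	most container data is of type vs1_file_t.
##	</summary>
## </param>
#
# console_device_t, device_t, tmpfs_t and unlabeled_t are used directly
# below; the interfaces called here happen to require them already, but
# they are listed explicitly so the interface does not depend on that.
interface(`container',`
	gen_require(`
		type proc_t;
		role system_r;
		role unconfined_r;
		type unconfined_t;
		type unconfined_devpts_t;
		type staff_t;
		type staff_devpts_t;
		type devpts_t;
		type sysfs_t;
		type clock_device_t;
		type console_device_t;
		type device_t;
		type tmpfs_t;
		type unlabeled_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_t;
	type $1_exec_t;
	domain_type($1_t)
	role system_r types $1_t;
	role unconfined_r types $1_t;

	type $1_file_t;
	files_type($1_file_t)

	########################################
	#
	# Entering the container domain
	#

	domain_entry_file($1_t, $1_exec_t)
	# unconfined_t and staff_t become $1_t when they run the container init
	domain_auto_trans(unconfined_t, $1_exec_t, $1_t)
	domain_auto_trans(staff_t, $1_exec_t, $1_t)
	allow unconfined_t $1_exec_t:file { read execute };
	allow $1_t $1_exec_t:file { read execute entrypoint };
	# $1_t is a process domain; as a dir type it presumably matches the
	# /proc/<pid> entries of container processes - confirm this is intended
	allow unconfined_t $1_t:dir create_dir_perms;

	########################################
	#
	# Basic execution and terminals
	#

	corecmd_exec_bin($1_t)
	corecmd_exec_shell($1_t)
	libs_exec_lib_files($1_t)
	libs_use_ld_so($1_t)
	term_create_pty($1_t, $1_file_t)
	term_use_all_terms($1_t)
	allow $1_t unconfined_devpts_t:chr_file { setattr rw_term_perms };
	allow $1_t console_device_t:chr_file { setattr rw_chr_file_perms };
	allow $1_t staff_devpts_t:chr_file rw_chr_file_perms;

	########################################
	#
	# Mounting the container views of /proc, /dev, devpts, sysfs and
	# tmpfs. sys_admin is needed for mount(2) and is a very broad
	# capability.
	#

	allow $1_t self:capability sys_admin;
	allow $1_t proc_t:filesystem mount;
	allow $1_t device_t:filesystem mount;
	allow $1_t device_t:dir { write setattr mounton add_name };
	allow $1_t device_t:fifo_file { create rw_fifo_file_perms };
	allow $1_t devpts_t:filesystem mount;
	allow $1_t sysfs_t:filesystem mount;
	allow $1_t clock_device_t:chr_file read_chr_file_perms;
	fs_mount_tmpfs($1_t)
	fs_unmount_tmpfs($1_t)
	fs_remount_tmpfs($1_t)
	fs_list_tmpfs($1_t)
	allow $1_t tmpfs_t:file rw_file_perms;
	fs_remount_xattr_fs($1_t)
	dev_mount_usbfs($1_t)
	files_mount_all_file_type_fs($1_t)
	files_unmount_all_file_type_fs($1_t)
	files_mounton_all_mountpoints($1_t)

	########################################
	#
	# Container private files and the domain on itself.
	# The wildcard on chr_file and blk_file together with mknod from the
	# capability rule below lets $1_t create and use device nodes inside
	# its tree; device access is not confined by this policy.
	#

	allow $1_t $1_file_t:dir *;
	allow $1_t $1_file_t:file *;
	allow $1_t $1_file_t:lnk_file *;
	allow $1_t $1_file_t:chr_file *;
	allow $1_t $1_file_t:blk_file *;
	allow $1_t $1_file_t:sock_file *;
	allow $1_t $1_file_t:fifo_file *;
	allow $1_t $1_file_t:socket *;
	allow $1_t $1_t:fifo_file *;

	# all process permissions except setcurrent, and all capabilities
	# except the audit ones and sys_module
	allow $1_t $1_t:process ~{ setcurrent };
	allow $1_t $1_t:capability ~{ audit_write audit_control sys_module };
	allow $1_t $1_t:fd *;
	allow $1_t $1_t:socket *;
	allow $1_t $1_t:tcp_socket *;
	allow $1_t $1_t:udp_socket *;
	allow $1_t self:unix_dgram_socket { create read write ioctl sendto connect };
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;

	########################################
	#
	# Kernel state, devices, logging and network, collected with
	# audit2allow while running services in the container
	#

	storage_getattr_fixed_disk_dev($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_read_network_state($1_t)
	kernel_read_system_state($1_t)
	kernel_read_device_sysctls($1_t)
	kernel_read_hotplug_sysctls($1_t)
	kernel_read_kernel_sysctls($1_t)
	kernel_read_net_sysctls($1_t)
	kernel_rw_net_sysctls($1_t)
	kernel_sendrecv_unlabeled_association($1_t)
	allow $1_t unlabeled_t:packet recv;
	logging_send_syslog_msg($1_t)

	dev_read_rand($1_t)
	dev_read_urand($1_t)
	dev_getattr_sysfs_dirs($1_t)
	dev_getattr_usbfs_dirs($1_t)

	# http and ssh on any node, plus the unspecified node
	corenet_tcp_sendrecv_inaddr_any_node($1_t)
	corenet_udp_sendrecv_inaddr_any_node($1_t)
	corenet_raw_sendrecv_inaddr_any_node($1_t)
	corenet_tcp_bind_inaddr_any_node($1_t)
	corenet_udp_bind_inaddr_any_node($1_t)
	corenet_tcp_sendrecv_unspec_node($1_t)
	corenet_tcp_bind_unspec_node($1_t)
	corenet_tcp_bind_http_port($1_t)
	corenet_tcp_connect_http_port($1_t)
	corenet_tcp_sendrecv_http_port($1_t)
	corenet_tcp_bind_ssh_port($1_t)
	corenet_tcp_connect_ssh_port($1_t)
	corenet_tcp_sendrecv_ssh_port($1_t)
')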
-------------- next part --------------
# File contexts for the vs1 and vs2 container trees. Only the container
# init binary gets the <name>_exec_t entrypoint type, so executing it is
# what triggers the transition into <name>_t set up by the container()
# interface; the rootfs directory itself (-d) and everything beneath it
# (.+) are <name>_file_t. The "--" limits the init entry to regular files.
# The literal init path should take precedence over the .+ pattern because
# its fixed prefix is longer.
/vs1/rootfs/sbin/init -- gen_context(system_u:object_r:vs1_exec_t,s0)
/vs1/rootfs -d gen_context(system_u:object_r:vs1_file_t,s0)
/vs1/rootfs/.+ gen_context(system_u:object_r:vs1_file_t,s0)

/vs2/rootfs/sbin/init -- gen_context(system_u:object_r:vs2_exec_t,s0)
/vs2/rootfs -d gen_context(system_u:object_r:vs2_file_t,s0)
/vs2/rootfs/.+ gen_context(system_u:object_r:vs2_file_t,s0)
-------------- next part --------------
# vs_gen: instantiate two containers through the container() interface
# shipped with this module. Each call declares vsN_t, vsN_exec_t and
# vsN_file_t and the rules for that container; the matching labels are
# assigned by the file contexts file.
policy_module(vs_gen,1.0.0)

container(vs1)
container(vs2)


2008-12-09 23:33:11

by Serge E. Hallyn

Subject: [refpolicy] container policy interface

Quoting Serge E. Hallyn (serue at us.ibm.com):
> Hi,
>
> I've been playing a bit with creating LSM-protected containers.
> Attached here are first stabs at an SELinux policy module (against
> the refpolicy source with fedora 10) defining an interface
> to create containers. The .te and .fc files use the interface
> to create two containers, under /vs1 and /vs2. I've been
> testing with liblxc (*1) creating debian-based containers
> using debootstrap, on a fedora 10 host. It should work
> equally well for libvirt though. Quite simply, $1_exec_t
> is assigned to the container's /sbin/init, and used to
> transition to the container's own type. (So far I'm lazily
> using the devices whitelist cgroup to protect against device
> access)
>
> This interface is geared toward containers which have their
> own private chroot. Containers can also be made minimalist
> sharing read-only bind mounts of most of the fs. Such
> containers should probably have their own interface, but
> in any case I'm ignoring them for now.
>
> Perhaps for starters, I don't know if there is a precedent
> for this kind of interface. Would we want just the .if in
> the base policy, with the user writing custom .te and .fc
> files, based on the if, which they compile under /usr/share/selinux/?
>
> Anyway, I'm posting this to see how far we can go toward
> making something actually useful for the refpolicy.

Well, no responses, but in any case here's a slightly updated
.if file which is working for me at the moment.

thanks,
-serge

-------------- next part --------------
## <summary> Interface for creating SELinux-protected containers. </summary>

###############################################################################
##
## Copyright (c) International Business Machines Corp., 2008
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
## the GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
##
################################################################################

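#######################################
## <summary>
##	Create the types and rules for one container with a private root
##	filesystem.
## </summary>
## <desc>
##	<p>
##	Declares a process domain $1_t, an entrypoint type $1_exec_t and a
##	file type $1_file_t. unconfined_t and staff_t transition into $1_t
##	when they execute a $1_exec_t file, which is meant to be the init
##	program of the container. The domain is then given the access a
##	container init needs to mount its own /proc, /dev, devpts, sysfs
##	and tmpfs and to run ordinary services inside its tree.
##	</p>
##	<p>
##	The access granted is deliberately broad and should be tightened
##	before general use: $1_t receives every capability except
##	audit_write, audit_control and sys_module, and every permission on
##	$1_file_t objects including chr_file and blk_file. With mknod it
##	can therefore create and open device nodes inside its own tree, so
##	this policy on its own does not restrict device access (the author
##	relies on the devices cgroup for that). It may also open raw and
##	packet sockets and bind or connect to every port that carries no
##	specific label.
##	</p>
##	<p>
##	Compared with the posted version this drops the unused requires for
##	fs_t and inaddr_any_node_t, requires the types that were used
##	directly without being required, and removes the duplicated
##	dev_read_urand call and the rules subsumed by wider ones on the
##	same object.
##	</p>
## </desc>
## <param name="container_name">
##	<summary>
##	Base name for the container. For instance, if the container name
##	is vs1 the domain is vs1_t, its entrypoint type is vs1_exec_t and
##	most container data is of type vs1_file_t.
##	</summary>
## </param>
#
# console_device_t, device_t and unlabeled_t are used directly below; the
# interfaces called here happen to require them already, but they are
# listed explicitly so the interface does not depend on that.
interface(`container',`
	gen_require(`
		type proc_t;
		role system_r;
		role unconfined_r;
		type unconfined_t;
		type unconfined_devpts_t;
		type staff_t;
		type staff_devpts_t;
		type devpts_t;
		type sysfs_t;
		type clock_device_t;
		type tmpfs_t;
		type port_t;
		type console_device_t;
		type device_t;
		type unlabeled_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_t;
	type $1_exec_t;
	domain_type($1_t)
	role system_r types $1_t;
	role unconfined_r types $1_t;

	type $1_file_t;
	files_type($1_file_t)

	########################################
	#
	# Entering the container domain
	#

	domain_entry_file($1_t, $1_exec_t)
	# unconfined_t and staff_t become $1_t when they run the container init
	domain_auto_trans(unconfined_t, $1_exec_t, $1_t)
	domain_auto_trans(staff_t, $1_exec_t, $1_t)
	allow unconfined_t $1_exec_t:file { read execute };
	allow $1_t $1_exec_t:file { read execute entrypoint };
	# $1_t is a process domain; as a file or dir type it presumably matches
	# only the /proc/<pid> entries of container processes, so it is not
	# clear what the neverallow is meant to guard - confirm the intent
	allow unconfined_t $1_t:dir create_dir_perms;
	neverallow unconfined_t $1_t:file execute;

	########################################
	#
	# Basic execution and terminals
	#

	corecmd_exec_bin($1_t)
	corecmd_exec_shell($1_t)
	libs_exec_lib_files($1_t)
	libs_use_ld_so($1_t)
	term_create_pty($1_t, $1_file_t)
	term_use_all_terms($1_t)
	allow $1_t unconfined_devpts_t:chr_file { setattr rw_term_perms };
	allow $1_t console_device_t:chr_file { setattr rw_chr_file_perms };
	allow $1_t staff_devpts_t:chr_file rw_chr_file_perms;

	########################################
	#
	# Mounting the container views of /proc, /dev, devpts, sysfs and
	# tmpfs. sys_admin is needed for mount(2) and is a very broad
	# capability.
	#

	allow $1_t self:capability sys_admin;
	allow $1_t proc_t:filesystem mount;
	allow $1_t device_t:filesystem mount;
	allow $1_t device_t:dir { write setattr mounton add_name };
	allow $1_t device_t:fifo_file { create rw_fifo_file_perms };
	allow $1_t devpts_t:filesystem mount;
	allow $1_t sysfs_t:filesystem mount;
	allow $1_t clock_device_t:chr_file read_chr_file_perms;
	fs_mount_tmpfs($1_t)
	fs_unmount_tmpfs($1_t)
	fs_remount_tmpfs($1_t)
	fs_manage_tmpfs_dirs($1_t)
	allow $1_t tmpfs_t:file manage_file_perms;
	fs_remount_xattr_fs($1_t)
	fs_getattr_xattr_fs($1_t)
	dev_mount_usbfs($1_t)
	files_mount_all_file_type_fs($1_t)
	files_unmount_all_file_type_fs($1_t)
	files_mounton_all_mountpoints($1_t)

	########################################
	#
	# Container private files and the domain on itself.
	# The wildcard on chr_file and blk_file together with mknod from the
	# capability rule below lets $1_t create and use device nodes inside
	# its tree; device access is not confined by this policy.
	#

	allow $1_t $1_file_t:dir *;
	allow $1_t $1_file_t:file *;
	allow $1_t $1_file_t:lnk_file *;
	allow $1_t $1_file_t:chr_file *;
	allow $1_t $1_file_t:blk_file *;
	allow $1_t $1_file_t:sock_file *;
	allow $1_t $1_file_t:fifo_file *;
	allow $1_t $1_file_t:socket *;
	allow $1_t $1_t:fifo_file *;

	# all process permissions except setcurrent, and all capabilities
	# except the audit ones and sys_module
	allow $1_t $1_t:process ~{ setcurrent };
	allow $1_t $1_t:capability ~{ audit_write audit_control sys_module };
	allow $1_t $1_t:fd *;
	allow $1_t $1_t:socket *;
	allow $1_t $1_t:tcp_socket *;
	allow $1_t $1_t:udp_socket *;
	# raw and link-layer sockets; with net_raw and net_admin from the
	# capability rule above this is packet-level access to whatever
	# interfaces the container can see
	allow $1_t self:packet_socket *;
	allow $1_t self:rawip_socket *;
	allow $1_t self:unix_dgram_socket { create read write ioctl sendto connect };
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;

	########################################
	#
	# Kernel state, devices, logging and network, collected with
	# audit2allow while running services in the container
	#

	storage_getattr_fixed_disk_dev($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_read_network_state($1_t)
	kernel_read_system_state($1_t)
	kernel_read_device_sysctls($1_t)
	kernel_read_hotplug_sysctls($1_t)
	kernel_read_kernel_sysctls($1_t)
	kernel_read_net_sysctls($1_t)
	kernel_rw_net_sysctls($1_t)
	kernel_sendrecv_unlabeled_association($1_t)
	allow $1_t unlabeled_t:packet recv;
	logging_send_syslog_msg($1_t)
	sysnet_read_config($1_t)

	dev_read_rand($1_t)
	dev_read_urand($1_t)
	dev_getattr_sysfs_dirs($1_t)
	dev_getattr_usbfs_dirs($1_t)

	# http, ssh and dhcp client on any node, plus the unspecified node
	corenet_tcp_sendrecv_inaddr_any_node($1_t)
	corenet_udp_sendrecv_inaddr_any_node($1_t)
	corenet_raw_sendrecv_inaddr_any_node($1_t)
	corenet_tcp_bind_inaddr_any_node($1_t)
	corenet_udp_bind_inaddr_any_node($1_t)
	corenet_tcp_sendrecv_unspec_node($1_t)
	corenet_tcp_bind_unspec_node($1_t)
	corenet_tcp_bind_http_port($1_t)
	corenet_tcp_connect_http_port($1_t)
	corenet_tcp_sendrecv_http_port($1_t)
	corenet_tcp_bind_ssh_port($1_t)
	corenet_tcp_connect_ssh_port($1_t)
	corenet_tcp_sendrecv_ssh_port($1_t)
	corenet_udp_bind_dhcpc_port($1_t)
	# port_t is every port without a specific label, so this is bind and
	# connect to all unlabeled tcp ports; the narrower
	# corenet_tcp_bind_generic_port / corenet_tcp_connect_generic_port
	# would express the same need without the wildcard
	allow $1_t port_t:tcp_socket *;
')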

2008-12-10 15:38:52

by Daniel Walsh

Subject: [refpolicy] container policy interface

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (serue at us.ibm.com):
>> Hi,
>>
>> I've been playing a bit with creating LSM-protected containers.
>> Attached here are first stabs at an SELinux policy module (against
>> the refpolicy source with fedora 10) defining an interface
>> to create containers. The .te and .fc files use the interface
>> to create two containers, under /vs1 and /vs2. I've been
>> testing with liblxc (*1) creating debian-based containers
>> using debootstrap, on a fedora 10 host. It should work
>> equally well for libvirt though. Quite simply, $1_exec_t
>> is assigned to the container's /sbin/init, and used to
>> transition to the container's own type. (So far I'm lazily
>> using the devices whitelist cgroup to protect against device
>> access)
>>
>> This interface is geared toward containers which have their
>> own private chroot. Containers can also be made minimalist
>> sharing read-only bind mounts of most of the fs. Such
>> containers should probably have their own interface, but
>> in any case I'm ignoring them for now.
>>
>> Perhaps for starters, I don't know if there is a precedent
>> for this kind of interface. Would we want just the .if in
>> the base policy, with the user writing custom .te and .fc
>> files, based on the if, which they compile under /usr/share/selinux/?
>>
>> Anyway, I'm posting this to see how far we can go toward
>> making something actually useful for the refpolicy.
>
> Well, no responses, but in any case here's a slightly updated
> .if file which is working for me atm.
>
> thanks,
> -serge
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Interesting idea, although I have never used containers.

Rather than specifying unconfined_t and staff_t, I think it would be
better to define an attribute

container_userdomain

domain_auto_trans(container_userdomain,$1_exec_t,$1_t)
allow unconfined_t $1_exec_t:file {read execute};
Not needed
allow $1_t $1_exec_t:file {read execute entrypoint};
Replace with
can_exec($1_t, $1_exec_t)

allow unconfined_t $1_t:dir create_dir_perms;
allow container_userdomain $1_t:dir create_dir_perms;
neverallow unconfined_t $1_t:file execute;
Not sure what executing a /proc file means anyway.


allow $1_t unconfined_devpts_t:chr_file {setattr rw_term_perms};
allow $1_t console_device_t:chr_file {setattr rw_chr_file_perms};
allow $1_t staff_devpts_t:chr_file rw_chr_file_perms;

Just use the term_use interfaces.

allow $1_t device_t:filesystem mount;
allow $1_t device_t:dir { write setattr mounton add_name };
allow $1_t device_t:fifo_file { create rw_fifo_file_perms };
This looks like a labeling problem; there should not be a file system
labeled device_t, nor fifo files labeled device_t.

allow $1_t clock_device_t:chr_file read_chr_file_perms;

Does this mean your confined domain can change the time?

allow $1_t $1_file_t:file *;
allow $1_t $1_file_t:lnk_file *;
allow $1_t $1_file_t:chr_file *;
allow $1_t $1_file_t:blk_file *;
allow $1_t $1_file_t:sock_file *;
allow $1_t $1_file_t:fifo_file *;
allow $1_t $1_t:fifo_file *;
allow $1_t $1_file_t:socket *;
allow $1_t $1_file_t:dir *;

I would use the manage_*_perms rather than the *;

allow $1_t $1_t:process ~{setcurrent};
allow $1_t $1_t:capability ~{audit_write audit_control sys_module};

These are rather broad, not sure you need this much.
dev_read_urand($1_t)

In there twice
allow $1_t port_t:tcp_socket *;

This allows you to use all non-labeled ports to connect or bind.

gen_require(`
type proc_t;
role system_r;
role unconfined_r;
type unconfined_t;
type unconfined_devpts_t;
type staff_t;
type staff_devpts_t;
type fs_t;
type devpts_t;
type sysfs_t;
type inaddr_any_node_t;
type clock_device_t;
type tmpfs_t;
type port_t;
');

You should eliminate this entire section and use the appropriate
interfaces if the access is really needed.




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk/4owACgkQrlYvE4MpobNDSACg589AigXJ84igh3+roao12HYx
kNQAn00D5mN/nKFKSY3vSxNiN6Hb/kzM
=5Uh0
-----END PGP SIGNATURE-----

2008-12-10 22:03:51

by Serge E. Hallyn

Subject: [refpolicy] container policy interface

Quoting Daniel J Walsh (dwalsh at redhat.com):
> Interesting idea, although I have never used containers.
>
> Rather then specifying unconfined_t and staff_t I think it would be
> better to define an attribute

Thanks Dan, I'll apply these and test in the next few days.

-serge

2008-12-22 17:11:12

by Serge E. Hallyn

Subject: [refpolicy] container policy interface

Here is a version to start addressing your comments. It's working so far,
except when I do a useradd from inside a container (which apt-get install
openssh-server does), I get the following:

useradd unconfined_u:unconfined_r:vs1_t:s0 5 file create system_u:object_r:vs1_file_t:s0 denied 52

Now I can create files with no problem, and in fact I can
touch /etc/group+
but useradd always fails trying to create that file.

Is there some way to generate .if files through interfaces?

I also still need to pick a few more capabilities to always deny,
but since I also need to spend time targeting capabilities at
namespaces, I'd like to spend a bit more time working on that
so I can figure out which capabilities will always be unsafe.

-serge
-------------- next part --------------
# vs_gen: three containers plus the two attributes the interfaces use.
policy_module(vs_gen,1.0.1)

# container_userdomain: domains allowed to start containers; they
# transition into a container domain when they execute its init.
# container_domain: every domain created by container(); a role is
# authorised for all of them at once by allow_container_use().
attribute container_userdomain;
attribute container_domain;

# unconfined_t may start containers and unconfined_r may run them
allow_container_use(unconfined)

container(vs1)
container(vs2)
container(vs3)
-------------- next part --------------
# File contexts for the vs1, vs2 and vs3 container trees. Only the
# container init binary gets the <name>_exec_t entrypoint type, so
# executing it is what triggers the transition into <name>_t set up by
# the container() interface; the rootfs directory itself (-d) and
# everything beneath it (.+) are <name>_file_t. The "--" limits the init
# entry to regular files. The literal init path should take precedence
# over the .+ pattern because its fixed prefix is longer.
/vs1/rootfs.vs1/sbin/init -- gen_context(system_u:object_r:vs1_exec_t,s0)
/vs1/rootfs.vs1 -d gen_context(system_u:object_r:vs1_file_t,s0)
/vs1/rootfs.vs1/.+ gen_context(system_u:object_r:vs1_file_t,s0)

/vs2/rootfs.vs2/sbin/init -- gen_context(system_u:object_r:vs2_exec_t,s0)
/vs2/rootfs.vs2 -d gen_context(system_u:object_r:vs2_file_t,s0)
/vs2/rootfs.vs2/.+ gen_context(system_u:object_r:vs2_file_t,s0)

/vs3/rootfs.vs3/sbin/init -- gen_context(system_u:object_r:vs3_exec_t,s0)
/vs3/rootfs.vs3 -d gen_context(system_u:object_r:vs3_file_t,s0)
/vs3/rootfs.vs3/.+ gen_context(system_u:object_r:vs3_file_t,s0)
-------------- next part --------------
## <summary> Interface for creating SELinux-protected containers. </summary>

###############################################################################
##
## Copyright (c) International Business Machines Corp., 2008
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
## the GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
##
################################################################################

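#######################################
## <summary>
##	Allow a user domain and its role to start and run containers.
## </summary>
## <desc>
##	<p>
##	Adds $1_t to the container_userdomain attribute, so that executing
##	the entrypoint type of any container created with container()
##	transitions $1_t into that container domain, and authorises role
##	$1_r for every domain carrying the container_domain attribute.
##	Both attributes must be declared by the module using this
##	interface; they are required here so that a module which only
##	calls this interface fails at build time rather than at load time
##	if it forgot to declare them.
##	</p>
## </desc>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the user domain and role, for instance unconfined for
##	unconfined_t and unconfined_r.
##	</summary>
## </param>
#
interface(`allow_container_use',`
	gen_require(`
		type $1_t;
		role $1_r;
		attribute container_userdomain;
		attribute container_domain;
	')

	typeattribute $1_t container_userdomain;
	role $1_r types container_domain;
')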

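#######################################
## <summary>
##	Create the types and rules for one container with a private root
##	filesystem.
## </summary>
## <desc>
##	<p>
##	Declares a process domain $1_t (a member of container_domain), an
##	entrypoint type $1_exec_t and a file type $1_file_t. Any domain
##	with the container_userdomain attribute (see allow_container_use())
##	transitions into $1_t when it executes a $1_exec_t file, which is
##	meant to be the init program of the container. Role authorisation
##	for $1_t comes from allow_container_use() through container_domain,
##	so this interface has no role statements of its own.
##	</p>
##	<p>
##	The access granted is still broad: $1_t receives every capability
##	except audit_write, audit_control and sys_module, may mount any
##	file type filesystem, and has manage permissions on chr_file and
##	blk_file objects of type $1_file_t, so with mknod it can create and
##	use device nodes inside its own tree. Device access therefore has
##	to be limited by other means (the author uses the devices cgroup).
##	Raw and packet sockets are allowed as well.
##	</p>
##	<p>
##	Direct type references that remain, and why: tmpfs_t because at
##	the time of writing no interface granted manage_file_perms on it;
##	unconfined_devpts_t because the container init is expected to
##	relabel its ptys eventually, which is deferred until devpts
##	namespaces (in tty-next) are upstream and default labeling in a
##	fresh devpts mount can be tested; device_t and unlabeled_t because
##	the rules below use them directly (the interfaces called here
##	happen to require them already, but they are listed so the
##	interface does not depend on that). container_domain is required
##	for the same reason as container_userdomain.
##	</p>
##	<p>
##	Compared with the posted version this removes the duplicated
##	files_mount_all_file_type_fs and term_use_all_terms calls and the
##	two rules subsumed by wider ones on the same object.
##	</p>
## </desc>
## <param name="container_name">
##	<summary>
##	Base name for the container. For instance, if the container name
##	is vs1 the domain is vs1_t, its entrypoint type is vs1_exec_t and
##	most container data is of type vs1_file_t.
##	</summary>
## </param>
#
interface(`container',`
	gen_require(`
		attribute container_userdomain;
		attribute container_domain;
		type tmpfs_t;
		type unconfined_devpts_t;
		type device_t;
		type unlabeled_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_t;
	type $1_exec_t;
	typeattribute $1_t container_domain;
	domain_type($1_t)

	type $1_file_t;
	files_type($1_file_t)

	########################################
	#
	# Entering the container domain
	#

	domain_entry_file($1_t, $1_exec_t)
	domain_auto_trans(container_userdomain, $1_exec_t, $1_t)
	can_exec($1_t, $1_exec_t)
	# $1_t is a process domain; as a dir type it presumably matches the
	# /proc/<pid> entries of container processes - confirm this is intended
	allow container_userdomain $1_t:dir create_dir_perms;

	########################################
	#
	# Basic execution and terminals
	#

	corecmd_exec_bin($1_t)
	corecmd_exec_shell($1_t)
	libs_exec_lib_files($1_t)
	libs_use_ld_so($1_t)
	term_create_pty($1_t, $1_file_t)
	term_use_all_terms($1_t)
	# to be replaced by relabeling inside the container once devpts
	# namespaces are available
	allow $1_t unconfined_devpts_t:chr_file { setattr rw_term_perms };

	########################################
	#
	# Mounting. sys_admin is needed for mount(2) and is a very broad
	# capability.
	#

	allow $1_t self:capability sys_admin;
	files_mounton_non_security($1_t)
	files_mounton_all_mountpoints($1_t)
	files_mount_all_file_type_fs($1_t)
	files_unmount_all_file_type_fs($1_t)
	fs_mount_tmpfs($1_t)
	fs_unmount_tmpfs($1_t)
	fs_remount_tmpfs($1_t)
	fs_manage_tmpfs_dirs($1_t)
	allow $1_t tmpfs_t:file manage_file_perms;
	fs_remount_xattr_fs($1_t)
	fs_getattr_xattr_fs($1_t)
	dev_mount_usbfs($1_t)

	########################################
	#
	# /dev handling
	#

	allow $1_t device_t:dir { write setattr add_name };
	allow $1_t device_t:fifo_file { create rw_fifo_file_perms };
	dev_create_generic_dirs($1_t)
	dev_read_realtime_clock($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	dev_getattr_sysfs_dirs($1_t)
	dev_getattr_usbfs_dirs($1_t)
	storage_getattr_fixed_disk_dev($1_t)

	########################################
	#
	# Container private files and the domain on itself.
	# chr_file and blk_file management plus mknod from the capability
	# rule below lets $1_t create and use device nodes inside its tree;
	# device access is not confined by this policy.
	#

	allow $1_t $1_file_t:dir { manage_dir_perms mounton };
	allow $1_t $1_file_t:file { manage_file_perms exec_file_perms };
	allow $1_t $1_file_t:lnk_file manage_lnk_file_perms;
	allow $1_t $1_file_t:chr_file manage_chr_file_perms;
	allow $1_t $1_file_t:blk_file manage_blk_file_perms;
	allow $1_t $1_file_t:sock_file manage_sock_file_perms;
	allow $1_t $1_file_t:fifo_file manage_fifo_file_perms;
	allow $1_t $1_file_t:socket *;
	allow $1_t $1_t:fifo_file manage_fifo_file_perms;

	# all process permissions except setcurrent, and all capabilities
	# except the audit ones and sys_module
	allow $1_t $1_t:process ~{ setcurrent };
	allow $1_t $1_t:capability ~{ audit_write audit_control sys_module };
	allow $1_t $1_t:fd *;
	allow $1_t $1_t:socket *;
	allow $1_t $1_t:tcp_socket *;
	allow $1_t $1_t:udp_socket *;
	# raw and link-layer sockets; with net_raw and net_admin from the
	# capability rule above this is packet-level access to whatever
	# interfaces the container can see
	allow $1_t self:packet_socket *;
	allow $1_t self:rawip_socket *;
	allow $1_t self:unix_dgram_socket { create read write ioctl sendto connect };
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;

	########################################
	#
	# Kernel state, logging and network, collected with audit2allow
	# while running services in the container
	#

	kernel_read_ring_buffer($1_t)
	kernel_read_network_state($1_t)
	kernel_read_system_state($1_t)
	kernel_read_device_sysctls($1_t)
	kernel_read_hotplug_sysctls($1_t)
	kernel_read_kernel_sysctls($1_t)
	kernel_read_net_sysctls($1_t)
	kernel_rw_net_sysctls($1_t)
	kernel_sendrecv_unlabeled_association($1_t)
	allow $1_t unlabeled_t:packet recv;
	logging_send_syslog_msg($1_t)
	sysnet_read_config($1_t)

	# http, ssh and dhcp client on any node, plus the unspecified node
	corenet_tcp_sendrecv_inaddr_any_node($1_t)
	corenet_udp_sendrecv_inaddr_any_node($1_t)
	corenet_raw_sendrecv_inaddr_any_node($1_t)
	corenet_tcp_bind_inaddr_any_node($1_t)
	corenet_udp_bind_inaddr_any_node($1_t)
	corenet_tcp_sendrecv_unspec_node($1_t)
	corenet_tcp_bind_unspec_node($1_t)
	corenet_tcp_bind_http_port($1_t)
	corenet_tcp_connect_http_port($1_t)
	corenet_tcp_sendrecv_http_port($1_t)
	corenet_tcp_bind_ssh_port($1_t)
	corenet_tcp_connect_ssh_port($1_t)
	corenet_tcp_sendrecv_ssh_port($1_t)
	corenet_udp_bind_dhcpc_port($1_t)
')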