#DESC UML - User-Mode-Linux guest instances
#
# Author: Antoine Martin
#
#################################
#
# Two process domains are defined here:
#   um_t        - the launcher / chroot scripts; entered from initrc_t or
#                 sysadm_t by executing a um_exec_t file
#   um_kernel_t - the UML kernel itself; entered from um_t by executing a
#                 um_kernel_exec_t file
# The remaining types label files used by the guest (its root fs, home,
# tmp, a private /proc mount point) and the tun device it attaches to.
#
# Note on the security posture of this policy: um_kernel_t is granted
# execmem, ptrace (self only), execmod on its own binary and execute on
# files in its tmp type.  Those are required by the UML host process
# (presumably for its self-modifying / memory-mapped guest memory handling
# -- confirm against the UML version in use) but they also make
# um_kernel_t a weaker confinement boundary than an ordinary daemon
# domain; anything that runs in that domain can map writable memory as
# executable.

# ---- type declarations ---------------------------------------------
type um_t, domain, privowner;
type um_kernel_t, domain, privowner;
type um_admin_t, file_type, sysadmfile;
# Entry point into um_t (launcher scripts).  Declared exec_type, NOT
# domain -- see the note on the "allow um_exec_t ..." rule further down.
type um_exec_t, file_type, exec_type;
# Entry point into um_kernel_t (the UML kernel binary).
type um_kernel_exec_t, file_type, sysadmfile, exec_type;
type um_home_t, file_type;
type um_fs_t, file_type;
type um_tmp_t, file_type, tmpfile;
type um_proc_t, file_type;
# /dev/net/tun as used by the guest kernel for networking.
type um_tundev_t, device_type, dev_fs;

# ---- transitions ---------------------------------------------------
# Files either domain creates in tmp_t directories get the private
# um_tmp_t label (keeps them apart from other users of /tmp).
file_type_auto_trans(um_t, tmp_t, um_tmp_t)
file_type_auto_trans(um_kernel_t, tmp_t, um_tmp_t)
# Launcher can be started from init scripts or by the admin.
domain_auto_trans(initrc_t, um_exec_t, um_t)
domain_auto_trans(sysadm_t, um_exec_t, um_t)
# Launcher starts the UML kernel.
domain_auto_trans(um_t, um_kernel_exec_t, um_kernel_t)
# Disabled: um_admin_t is a plain file_type (not exec_type), so a domain
# transition through it would not be the usual pattern.  Kept for history.
#domain_auto_trans(sysadm_t, um_admin_t, um_t)

# ---- admin access to the chroot (um_admin_t) -----------------------
allow sysadm_t um_admin_t:file execute;
allow sysadm_t um_admin_t:file execute_no_trans;
allow mount_t um_admin_t:file { getattr read write };
# NOTE(review): duplicate of the "execute" rule three lines up; harmless
# (checkpolicy merges identical rules) but can be dropped on cleanup.
allow sysadm_t um_admin_t:file execute;
allow mount_t um_admin_t:dir mounton;

# Both domains are reachable from the system and the sysadm role.
role system_r types um_t;
role system_r types um_kernel_t;
role sysadm_r types um_t;
role sysadm_r types um_kernel_t;

# Admin may edit the launcher scripts and add things under the guest home.
allow sysadm_t um_exec_t:file write;
allow sysadm_t um_home_t:dir write;
# mount(8) mounts something (presumably the guest /proc -- confirm) on
# um_proc_t; both dir and file mount points are allowed.
allow mount_t um_proc_t:dir mounton;
allow mount_t um_proc_t:file mounton;
allow um_kernel_t proc_t:dir search;
allow um_t proc_t:dir search;
# NOTE(review): this is the generic proc_t type, i.e. host /proc files,
# with write -- broader than the private um_proc_t used elsewhere.
# Worth narrowing to the specific /proc entries the UML kernel actually
# needs if that set is known.
allow um_kernel_t proc_t:file { read write };
# Launcher needs executable anonymous memory (why is not visible here --
# confirm whether the scripts really need this or only the kernel does).
allow um_t self:process execmem;
allow um_t um_home_t:file { read write };
# NOTE(review): the source of this rule, um_exec_t, is declared as a
# file_type and not as a domain, so no process ever runs with that label
# and the rule grants nothing.  Most likely um_t was intended -- confirm
# and fix, or remove the line.
allow um_exec_t um_home_t:file { read execute };

###########################
# admin running the launcher directly
allow sysadm_t um_exec_t:file execute;
allow sysadm_t um_exec_t:file ioctl;

# /dev/net/tun:
# auditallow does NOT grant access; it only logs accesses to the tun
# device that are already permitted by some other rule.  Whether
# sysadm_t actually has ioctl/write on um_tundev_t is decided elsewhere
# in the policy (not visible in this file).
auditallow sysadm_t um_tundev_t:chr_file { ioctl write };

# honeypot:
# Admin is allowed to set up / tear down the private proc tree and its
# sockets (the "honeypot" use case the author names; details not shown).
allow sysadm_t um_proc_t:dir { add_name create remove_name rmdir setattr write };
allow sysadm_t um_proc_t:file write;
allow sysadm_t um_proc_t:sock_file { create setattr unlink };

###########################
# scripts in chroot

# running the kernel:
# execmod = the kernel binary may be mapped executable after being
# modified (text relocations); execute_no_trans = um_kernel_t may re-exec
# its own binary without a domain change.
allow um_kernel_t um_kernel_exec_t:file { execmod execute_no_trans };
# fds inherited through newrole(1) (e.g. the admin's terminal) stay usable.
allow um_kernel_t newrole_t:fd use;
allow um_t newrole_t:fd use;
allow um_t um_kernel_t:process transition;
allow um_t self:fifo_file read;
allow um_t self:process setpgid;
allow um_t device_t:dir { getattr read search };
allow um_t devpts_t:dir search;
allow um_t null_device_t:chr_file getattr;
allow um_t random_device_t:chr_file getattr;
allow um_t sysadm_devpts_t:chr_file { ioctl read };
# Launcher may use the chroot's own device nodes, directories and binaries.
allow um_t um_admin_t:chr_file { getattr read write };
allow um_t um_admin_t:dir { getattr search };
allow um_t um_admin_t:file { execute execute_no_trans getattr read };
allow um_t um_exec_t:file execute_no_trans;
allow um_t um_home_t:dir { getattr search };
allow um_t um_proc_t:dir { getattr read search };
# Launcher changes uid/gid (presumably to drop to the guest's unprivileged
# account before exec'ing the kernel -- confirm in the scripts).
allow um_t self:capability { setgid setuid };
allow um_t self:process fork;
allow um_t self:unix_dgram_socket { connect create };
allow um_t self:unix_stream_socket { connect create };
allow um_t zero_device_t:chr_file getattr;
allow um_t sysadm_devpts_t:chr_file { getattr write };
allow um_t self:process sigchld;
allow um_t self:process signal;

# bash history in chroot (ignore access)
# Still denied; this only keeps the denials out of the audit log.
dontaudit um_t um_home_t:file { append getattr };

###########################
# kernel

# network
# Guest traffic leaves through the host stack as um_kernel_t; only TCP
# on generic interfaces/nodes/ports is covered here.
allow um_kernel_t netif_t:netif { tcp_recv tcp_send };
allow um_kernel_t node_t:node { tcp_recv tcp_send };
allow um_kernel_t port_t:socket { recv_msg send_msg };

# sockets
# packet_socket create: raw packet access for the guest NIC backend.
allow um_kernel_t self:packet_socket create;
allow um_kernel_t self:unix_dgram_socket { bind create ioctl };
allow um_kernel_t self:unix_stream_socket { create ioctl read write };

# process
# ptrace is restricted to self (the UML kernel tracing its own threads);
# it cannot attach to processes in other domains with this rule alone.
allow um_kernel_t self:process { execmem fork ptrace sigchld sigkill signal sigstop };

# terminal (screen)
# Console is the admin's pty, possibly inside screen; fds from sysadm_t
# and sysadm_screen_t are inherited and used.
allow um_kernel_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow um_kernel_t sysadm_t:fd use;
allow um_t sysadm_screen_t:fd use;
allow um_kernel_t sysadm_screen_t:fd use;

# devices
allow um_t null_device_t:chr_file { ioctl read write };
allow um_kernel_t device_t:dir search;
allow um_kernel_t null_device_t:chr_file getattr;
allow um_kernel_t null_device_t:chr_file { ioctl read write };
# The guest's tun interface; read/write here is what actually moves
# packets (contrast with the auditallow for sysadm_t above, which only
# logs).
allow um_kernel_t um_tundev_t:chr_file { ioctl read write };
allow um_kernel_t random_device_t:chr_file read;

# files
# UML requires exec access to /tmp
# Only files labelled um_tmp_t (created by these domains via the
# file_type_auto_trans rules above), not tmp_t in general.
allow um_kernel_t um_tmp_t:file execute;
# Guest root filesystem image(s).
allow um_kernel_t um_fs_t:file { getattr lock read write };
allow um_kernel_t um_fs_t:lnk_file read;

# proc
allow um_kernel_t um_proc_t:file read;
allow um_kernel_t um_proc_t:dir search;

# home (/uml/)
# Full create/delete rights within the guest home, including sockets
# (presumably the mconsole / management sockets -- confirm).
allow um_kernel_t um_home_t:dir { add_name create getattr read remove_name rmdir write search};
allow um_kernel_t um_home_t:file { create getattr lock read unlink write };
allow um_kernel_t um_home_t:sock_file { create unlink };

# all other dirs:
allow um_kernel_t um_admin_t:dir search;

# allow ldconfig so we can check for binaries in place in the chroot
# ldconfig_t gets write access to the chroot (ld.so.cache maintenance);
# this is the only domain besides the admin that may modify um_admin_t.
allow ldconfig_t um_admin_t:dir { add_name getattr read remove_name search write };
allow ldconfig_t um_admin_t:file { create getattr read rename setattr unlink write };
allow ldconfig_t um_admin_t:lnk_file read;
allow ldconfig_t um_exec_t:file { getattr read };

# screen
allow sysadm_screen_t um_admin_t:dir search;
allow um_t sysadm_screen_t:process sigchld;
allow sysadm_screen_t um_admin_t:dir getattr;