selinux-policy/refpolicy/policy/modules/system/unconfined.if

## <summary>The unconfined domain.</summary>

########################################
## <summary>
##	A template to make the specified domain unconfined.
## </summary>
## <param name="domain">
##	Domain to make unconfined.
## </param>
#
template(`unconfined_domain_template',`

	# Use any Linux capability.
	allow $1 self:capability *;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file rw_file_perms;

	# Userland object managers
	allow $1 self:nscd *;
	allow $1 self:dbus *;
	allow $1 self:passwd *;

	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)

	domain_unconfined($1)
	files_unconfined($1)

	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1 self:process execmem;
	')

	optional_policy(`authlogin.te',`
		auth_unconfined($1)
	')

	optional_policy(`bootloader.te',`
		bootloader_manage_kernel_modules($1)
	')

	optional_policy(`nscd.te', `
		nscd_unconfined($1)
	')

	optional_policy(`selinuxutil.te',`
		seutil_create_binary_pol($1)
		seutil_relabelto_binary_pol($1)
	')

	optional_policy(`storage.te',`
		storage_unconfined($1)
	')

	ifdef(`TODO',`
	if (allow_execmod) {
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1 texrel_shlib_t:file execmod;
	}

	ifdef(`dbusd.te', `
		# Communicate via dbusd.
		allow $1 system_dbusd_t:dbus *;
	')

	') dnl end TODO
')

########################################
## <summary>
##	Transition to the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_domtrans',`
	gen_require(`
		type unconfined_t, unconfined_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	domain_auto_trans($1,unconfined_exec_t,unconfined_t)

	allow $1 unconfined_t:fd use;
	allow unconfined_t $1:fd use;
	allow unconfined_t $1:fifo_file rw_file_perms;
	allow unconfined_t $1:process sigchld;
')

########################################
## <summary>
##	Execute specified programs in the unconfined domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="role">
##	The role to allow the unconfined domain.
## </param>
## <param name="terminal">
##	The type of the terminal allow the unconfined domain to use.
## </param>
#
interface(`unconfined_run',`
	gen_require(`
		type unconfined_t;
		class chr_file rw_term_perms;
	')

	unconfined_domtrans($1)
	role $2 types unconfined_t;
	allow unconfined_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Transition to the unconfined domain by executing a shell.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_shell_domtrans',`
	gen_require(`
		type unconfined_t;
	')

	corecmd_shell_domtrans($1,unconfined_t)
')

########################################
## <summary>
##	Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_use_fd',`
	gen_require(`
		type unconfined_t;
		class fd use;
	')

	allow $1 unconfined_t:fd use;
')

########################################
## <summary>
##	Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_sigchld',`
	gen_require(`
		type unconfined_t;
		class process sigchld;
	')

	allow $1 unconfined_t:process sigchld;
')

########################################
## <summary>
##	Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_rw_pipe',`
	gen_require(`
		type unconfined_t;
		class fifo_file rw_file_perms;
	')

	allow $1 unconfined_t:fifo_file rw_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
##	</p>
##	<p>
##	This interface was added due to a broken
##	symptom in ldconfig.
##	</p>
## </desc>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_socket',`
	gen_require(`
		type unconfined_t;
		class tcp_socket { read write };
	')

	dontaudit $1 unconfined_t:tcp_socket { read write };
')

########################################
## <summary>
##	Add the unconfined domain to the specified role.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_role',`
	gen_require(`
		type unconfined_t;
	')

	role $1 types unconfined_t;
')
add unconfined 2005-07-05 20:59:51 +00:00			`## <summary>The unconfined domain.</summary>`

			`########################################`
			`## <summary>`
			`## A template to make the specified domain unconfined.`
			`## </summary>`
			`## <param name="domain">`
			`## Domain to make unconfined.`
			`## </param>`
			`#`
support for targeted policy 2005-07-06 20:28:29 +00:00			template(`unconfined_domain_template',`
add unconfined 2005-07-05 20:59:51 +00:00
			`# Use any Linux capability.`
			`allow $1 self:capability *;`

			`# Transition to myself, to make get_ordered_context_list happy.`
			`allow $1 self:process transition;`

			`# Write access is for setting attributes under /proc/self/attr.`
			`allow $1 self:file rw_file_perms;`

			`# Userland object managers`
			`allow $1 self:nscd *;`
			`allow $1 self:dbus *;`
			`allow $1 self:passwd *;`

			`kernel_unconfined($1)`
corenet was missing from unconfined 2005-07-19 20:38:26 +00:00			`corenet_unconfined($1)`
add unconfined 2005-07-05 20:59:51 +00:00			`dev_unconfined($1)`
			`fs_unconfined($1)`
			`selinux_unconfined($1)`

			`domain_unconfined($1)`
			`files_unconfined($1)`

			tunable_policy(`allow_execmem',`
			`# Allow loading DSOs that require executable stack.`
			`allow $1 self:process execmem;`
			`')`

			optional_policy(`authlogin.te',`
fixes for targeted policy 2005-07-19 18:40:19 +00:00			`auth_unconfined($1)`
add unconfined 2005-07-05 20:59:51 +00:00			`')`

			optional_policy(`bootloader.te',`
			`bootloader_manage_kernel_modules($1)`
			`')`

add nscd 2005-07-13 20:48:51 +00:00			optional_policy(`nscd.te', `
			`nscd_unconfined($1)`
			`')`

add unconfined 2005-07-05 20:59:51 +00:00			optional_policy(`selinuxutil.te',`
			`seutil_create_binary_pol($1)`
			`seutil_relabelto_binary_pol($1)`
			`')`

			optional_policy(`storage.te',`
			`storage_unconfined($1)`
			`')`

			ifdef(`TODO',`
			`if (allow_execmod) {`
			`# Allow text relocations on system shared libraries, e.g. libGL.`
			`allow $1 texrel_shlib_t:file execmod;`
			`}`

			ifdef(`dbusd.te', `
			`# Communicate via dbusd.`
			`allow $1 system_dbusd_t:dbus *;`
			`')`

			`') dnl end TODO`
			`')`
support for targeted policy 2005-07-06 20:28:29 +00:00
more cleanup of current TODOs 2005-07-12 20:34:24 +00:00			`########################################`
			`## <summary>`
			`## Transition to the unconfined domain.`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
			interface(`unconfined_domtrans',`
			gen_require(`
			`type unconfined_t, unconfined_exec_t;`
			`class process sigchld;`
			`class fd use;`
			`class fifo_file rw_file_perms;`
			`')`

			`domain_auto_trans($1,unconfined_exec_t,unconfined_t)`

			`allow $1 unconfined_t:fd use;`
			`allow unconfined_t $1:fd use;`
			`allow unconfined_t $1:fifo_file rw_file_perms;`
			`allow unconfined_t $1:process sigchld;`
			`')`

more cleanup in system 2005-07-18 18:31:49 +00:00			`########################################`
finalize desc -> summary xml change 2005-08-11 17:46:39 +00:00			`## <summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## Execute specified programs in the unconfined domain.`
finalize desc -> summary xml change 2005-08-11 17:46:39 +00:00			`## </summary>`
more cleanup in system 2005-07-18 18:31:49 +00:00			`## <param name="domain">`
			`## The type of the process performing this action.`
			`## </param>`
			`## <param name="role">`
			`## The role to allow the unconfined domain.`
			`## </param>`
			`## <param name="terminal">`
			`## The type of the terminal allow the unconfined domain to use.`
			`## </param>`
			`#`
			interface(`unconfined_run',`
			gen_require(`
			`type unconfined_t;`
			`class chr_file rw_term_perms;`
			`')`

			`unconfined_domtrans($1)`
			`role $2 types unconfined_t;`
			`allow unconfined_t $3:chr_file rw_term_perms;`
			`')`

support for targeted policy 2005-07-06 20:28:29 +00:00			`########################################`
			`## <summary>`
			`## Transition to the unconfined domain by executing a shell.`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
another round of TODO cleanup 2005-07-08 20:44:57 +00:00			interface(`unconfined_shell_domtrans',`
support for targeted policy 2005-07-06 20:28:29 +00:00			gen_require(`
more cleanup of current TODOs 2005-07-12 20:34:24 +00:00			`type unconfined_t;`
support for targeted policy 2005-07-06 20:28:29 +00:00			`')`

fixes for targeted policy 2005-07-19 18:40:19 +00:00			`corecmd_shell_domtrans($1,unconfined_t)`
support for targeted policy 2005-07-06 20:28:29 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Inherit file descriptors from the unconfined domain.`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
			interface(`unconfined_use_fd',`
			gen_require(`
			`type unconfined_t;`
			`class fd use;`
			`')`

			`allow $1 unconfined_t:fd use;`
			`')`

			`########################################`
			`## <summary>`
			`## Send a SIGCHLD signal to the unconfined domain.`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
			interface(`unconfined_sigchld',`
			gen_require(`
			`type unconfined_t;`
			`class process sigchld;`
			`')`

			`allow $1 unconfined_t:process sigchld;`
			`')`

			`########################################`
			`## <summary>`
			`## Read and write unconfined domain unnamed pipes.`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
			interface(`unconfined_rw_pipe',`
			gen_require(`
			`type unconfined_t;`
			`class fifo_file rw_file_perms;`
			`')`

			`allow $1 unconfined_t:fifo_file rw_file_perms;`
			`')`

another round of TODO cleanup 2005-07-08 20:44:57 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to read or write`
			`## unconfined domain tcp sockets.`
			`## </summary>`
			`## <desc>`
			`## <p>`
			`## Do not audit attempts to read or write`
			`## unconfined domain tcp sockets.`
			`## </p>`
			`## <p>`
			`## This interface was added due to a broken`
			`## symptom in ldconfig.`
			`## </p>`
			`## </desc>`
			`## <param name="domain">`
			`## Domain to not audit.`
			`## </param>`
			`#`
			interface(`unconfined_dontaudit_rw_tcp_socket',`
			gen_require(`
			`type unconfined_t;`
			`class tcp_socket { read write };`
			`')`

			`dontaudit $1 unconfined_t:tcp_socket { read write };`
			`')`

support for targeted policy 2005-07-06 20:28:29 +00:00			`########################################`
			`## <summary>`
			`## Add the unconfined domain to the specified role.`
			`## </summary>`
			`## <param name="domain">`
			`## Domain allowed access.`
			`## </param>`
			`#`
			interface(`unconfined_role',`
			gen_require(`
			`type unconfined_t;`
			`')`

			`role $1 types unconfined_t;`
			`')`