selinux-policy/refpolicy/policy/modules/system/unconfined.if

470 lines
9.1 KiB
Plaintext
Raw Normal View History

2005-07-05 20:59:51 +00:00
## <summary>The unconfined domain.</summary>
########################################
## <summary>
## Make the specified domain unconfined.
2005-07-05 20:59:51 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-07-05 20:59:51 +00:00
## Domain to make unconfined.
## </summary>
2005-07-05 20:59:51 +00:00
## </param>
#
interface(`unconfined_domain_noaudit',`
2005-09-21 14:49:41 +00:00
gen_require(`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
2005-07-05 20:59:51 +00:00
# Use any Linux capability.
allow $1 self:capability *;
allow $1 self:fifo_file create_file_perms;
2005-07-05 20:59:51 +00:00
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
# Userland object managers
allow $1 self:nscd *;
allow $1 self:dbus *;
allow $1 self:passwd *;
kernel_unconfined($1)
2005-07-19 20:38:26 +00:00
corenet_unconfined($1)
2005-07-05 20:59:51 +00:00
dev_unconfined($1)
2005-12-13 20:38:19 +00:00
domain_unconfined($1)
2006-01-17 17:50:10 +00:00
domain_dontaudit_read_all_domains_state($1)
2005-12-13 20:38:19 +00:00
files_unconfined($1)
2005-07-05 20:59:51 +00:00
fs_unconfined($1)
selinux_unconfined($1)
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
')
2005-07-05 20:59:51 +00:00
tunable_policy(`allow_execmem',`
2005-09-15 21:03:29 +00:00
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
2005-07-05 20:59:51 +00:00
allow $1 self:process execmem;
')
2005-09-15 21:03:29 +00:00
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
# auditallow $1 self:process execstack;
2005-09-15 21:03:29 +00:00
')
optional_policy(`
2005-07-19 18:40:19 +00:00
auth_unconfined($1)
2005-07-05 20:59:51 +00:00
')
optional_policy(`
2005-09-21 14:49:41 +00:00
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
')
optional_policy(`
# this is to handle execmod on shared
# libs with text relocations
2006-01-16 22:00:09 +00:00
libs_use_shared_libs($1)
')
optional_policy(`
2005-07-13 20:48:51 +00:00
nscd_unconfined($1)
')
optional_policy(`
2006-02-02 21:08:12 +00:00
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
2005-07-05 20:59:51 +00:00
')
optional_policy(`
2005-07-05 20:59:51 +00:00
storage_unconfined($1)
')
')
2005-07-06 20:28:29 +00:00
########################################
## <summary>
## Make the specified domain unconfined and
## audit executable memory and executable heap
## usage.
## </summary>
## <param name="domain">
## <summary>
## Domain to make unconfined.
## </summary>
## </param>
#
interface(`unconfined_domain',`
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
# Turn off this audit for FC5
# tunable_policy(`allow_execmem',`
# auditallow $1 self:process execmem;
# ')
')
2005-07-12 20:34:24 +00:00
########################################
## <summary>
## Transition to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
2005-07-12 20:34:24 +00:00
## Domain allowed access.
## </summary>
2005-07-12 20:34:24 +00:00
## </param>
#
interface(`unconfined_domtrans',`
gen_require(`
type unconfined_t, unconfined_exec_t;
')
domain_auto_trans($1,unconfined_exec_t,unconfined_t)
allow $1 unconfined_t:fd use;
allow unconfined_t $1:fd use;
allow unconfined_t $1:fifo_file rw_file_perms;
allow unconfined_t $1:process sigchld;
')
2005-07-18 18:31:49 +00:00
########################################
2005-08-11 17:46:39 +00:00
## <summary>
2005-07-18 18:31:49 +00:00
## Execute specified programs in the unconfined domain.
2005-08-11 17:46:39 +00:00
## </summary>
2005-07-18 18:31:49 +00:00
## <param name="domain">
## <summary>
2005-07-18 18:31:49 +00:00
## The type of the process performing this action.
## </summary>
2005-07-18 18:31:49 +00:00
## </param>
## <param name="role">
## <summary>
2005-07-18 18:31:49 +00:00
## The role to allow the unconfined domain.
## </summary>
2005-07-18 18:31:49 +00:00
## </param>
## <param name="terminal">
## <summary>
2005-07-18 18:31:49 +00:00
## The type of the terminal allow the unconfined domain to use.
## </summary>
2005-07-18 18:31:49 +00:00
## </param>
#
interface(`unconfined_run',`
gen_require(`
type unconfined_t;
')
unconfined_domtrans($1)
role $2 types unconfined_t;
allow unconfined_t $3:chr_file rw_term_perms;
')
2005-07-06 20:28:29 +00:00
########################################
## <summary>
## Transition to the unconfined domain by executing a shell.
## </summary>
## <param name="domain">
## <summary>
2005-07-06 20:28:29 +00:00
## Domain allowed access.
## </summary>
2005-07-06 20:28:29 +00:00
## </param>
#
2005-07-08 20:44:57 +00:00
interface(`unconfined_shell_domtrans',`
2005-07-06 20:28:29 +00:00
gen_require(`
2005-07-12 20:34:24 +00:00
type unconfined_t;
2005-07-06 20:28:29 +00:00
')
2005-07-19 18:40:19 +00:00
corecmd_shell_domtrans($1,unconfined_t)
2005-07-06 20:28:29 +00:00
')
########################################
## <summary>
## Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
2005-07-06 20:28:29 +00:00
## Domain allowed access.
## </summary>
2005-07-06 20:28:29 +00:00
## </param>
#
interface(`unconfined_use_fds',`
2005-07-06 20:28:29 +00:00
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fd use;
')
########################################
## <summary>
## Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
2005-07-06 20:28:29 +00:00
## Domain allowed access.
## </summary>
2005-07-06 20:28:29 +00:00
## </param>
#
interface(`unconfined_sigchld',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process sigchld;
')
########################################
## <summary>
## Send a SIGNULL signal to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_signull',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process signull;
')
2005-11-18 18:38:37 +00:00
########################################
## <summary>
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
2005-11-18 18:38:37 +00:00
## Domain allowed access.
## </summary>
2005-11-18 18:38:37 +00:00
## </param>
#
interface(`unconfined_signal',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process signal;
')
2005-12-02 22:06:05 +00:00
########################################
## <summary>
## Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
2005-12-02 22:06:05 +00:00
## Domain allowed access.
## </summary>
2005-12-02 22:06:05 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`unconfined_read_pipes',`
2005-12-02 22:06:05 +00:00
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fifo_file r_file_perms;
')
2005-10-26 16:00:13 +00:00
########################################
## <summary>
## Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
2005-10-26 16:00:13 +00:00
## Domain allowed access.
## </summary>
2005-10-26 16:00:13 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`unconfined_dontaudit_read_pipes',`
2005-10-26 16:00:13 +00:00
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:fifo_file read;
')
2005-07-06 20:28:29 +00:00
########################################
## <summary>
## Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
2005-07-06 20:28:29 +00:00
## Domain allowed access.
## </summary>
2005-07-06 20:28:29 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`unconfined_rw_pipes',`
2005-07-06 20:28:29 +00:00
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fifo_file rw_file_perms;
')
2006-03-29 14:31:10 +00:00
########################################
## <summary>
## Connect to the unconfined domain using
## a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_stream_connect',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:unix_stream_socket connectto;
')
2005-07-08 20:44:57 +00:00
########################################
## <summary>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </p>
## <p>
## This interface was added due to a broken
## symptom in ldconfig.
## </p>
## </desc>
## <param name="domain">
## <summary>
2005-07-08 20:44:57 +00:00
## Domain to not audit.
## </summary>
2005-07-08 20:44:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`unconfined_dontaudit_rw_tcp_sockets',`
2005-07-08 20:44:57 +00:00
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:tcp_socket { read write };
')
2006-06-21 21:02:49 +00:00
########################################
## <summary>
## Create keys for the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_create_keys',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:key create;
')
2005-12-02 22:06:05 +00:00
########################################
## <summary>
## Send messages to the unconfined domain over dbus.
## </summary>
## <param name="domain">
## <summary>
2005-12-02 22:06:05 +00:00
## Domain allowed access.
## </summary>
2005-12-02 22:06:05 +00:00
## </param>
#
interface(`unconfined_dbus_send',`
gen_require(`
type unconfined_t;
class dbus send_msg;
')
allow $1 unconfined_t:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## unconfined_t over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_dbus_chat',`
gen_require(`
type unconfined_t;
class dbus send_msg;
')
allow $1 unconfined_t:dbus send_msg;
allow unconfined_t $1:dbus send_msg;
')
2005-10-28 18:13:44 +00:00
########################################
## <summary>
## Add an alias type to the unconfined domain.
## </summary>
## <desc>
## <p>
## Add an alias type to the unconfined domain.
## </p>
## <p>
## This is added to support targeted policy. Its
2005-11-15 18:47:20 +00:00
## use should be limited. It has no effect
## on the strict policy.
2005-10-28 18:13:44 +00:00
## </p>
## </desc>
## <param name="domain">
## <summary>
2005-10-28 18:13:44 +00:00
## New alias of the unconfined domain.
## </summary>
2005-10-28 18:13:44 +00:00
## </param>
#
interface(`unconfined_alias_domain',`
2005-11-15 18:47:20 +00:00
ifdef(`targeted_policy',`
gen_require(`
type unconfined_t;
')
2005-10-28 18:13:44 +00:00
2005-11-15 18:47:20 +00:00
typealias unconfined_t alias $1;
',`
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
')
2005-10-28 18:13:44 +00:00
')
########################################
## <summary>
## Connect to the the unconfined DBUS
## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
class dbus acquire_svc;
')
allow $1 unconfined_t:dbus acquire_svc;
')