2005-07-05 20:59:51 +00:00
|
|
|
## <summary>The unconfined domain.</summary>
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
2006-02-06 22:47:46 +00:00
|
|
|
## Make the specified domain unconfined.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-05 20:59:51 +00:00
|
|
|
## Domain to make unconfined.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-05 20:59:51 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
2006-02-06 22:47:46 +00:00
|
|
|
interface(`unconfined_domain_noaudit',`
|
2005-09-21 14:49:41 +00:00
|
|
|
gen_require(`
|
|
|
|
|
class dbus all_dbus_perms;
|
|
|
|
|
class nscd all_nscd_perms;
|
|
|
|
|
class passwd all_passwd_perms;
|
|
|
|
|
')
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
|
# Use any Linux capability.
|
2010-08-26 13:41:21 +00:00
|
|
|
allow $1 self:capability all_capabilities;
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 self:fifo_file manage_fifo_file_perms;
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
|
# Transition to myself, to make get_ordered_context_list happy.
|
|
|
|
|
allow $1 self:process transition;
|
|
|
|
|
|
|
|
|
|
# Write access is for setting attributes under /proc/self/attr.
|
|
|
|
|
allow $1 self:file rw_file_perms;
|
2010-08-26 13:41:21 +00:00
|
|
|
allow $1 self:dir rw_dir_perms;
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
|
# Userland object managers
|
2010-08-26 13:41:21 +00:00
|
|
|
allow $1 self:nscd all_nscd_perms;
|
|
|
|
|
allow $1 self:dbus all_dbus_perms;
|
|
|
|
|
allow $1 self:passwd all_passwd_perms;
|
|
|
|
|
allow $1 self:association all_association_perms;
|
|
|
|
|
allow $1 self:socket_class_set create_socket_perms;
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
|
kernel_unconfined($1)
|
2005-07-19 20:38:26 +00:00
|
|
|
corenet_unconfined($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
dev_unconfined($1)
|
2005-12-13 20:38:19 +00:00
|
|
|
domain_unconfined($1)
|
2006-01-17 17:50:10 +00:00
|
|
|
domain_dontaudit_read_all_domains_state($1)
|
2006-08-29 02:41:00 +00:00
|
|
|
domain_dontaudit_ptrace_all_domains($1)
|
2005-12-13 20:38:19 +00:00
|
|
|
files_unconfined($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
fs_unconfined($1)
|
|
|
|
|
selinux_unconfined($1)
|
|
|
|
|
|
2010-08-26 13:41:21 +00:00
|
|
|
domain_mmap_low_type($1)
|
|
|
|
|
|
|
|
|
|
mls_file_read_all_levels($1)
|
|
|
|
|
|
|
|
|
|
ubac_process_exempt($1)
|
|
|
|
|
|
|
|
|
|
tunable_policy(`mmap_low_allowed',`
|
|
|
|
|
allow $1 self:memprotect mmap_zero;
|
|
|
|
|
')
|
|
|
|
|
|
2006-01-19 23:00:23 +00:00
|
|
|
tunable_policy(`allow_execheap',`
|
|
|
|
|
# Allow making the stack executable via mprotect.
|
|
|
|
|
allow $1 self:process execheap;
|
|
|
|
|
')
|
|
|
|
|
|
2005-07-05 20:59:51 +00:00
|
|
|
tunable_policy(`allow_execmem',`
|
2005-09-15 21:03:29 +00:00
|
|
|
# Allow making anonymous memory executable, e.g.
|
|
|
|
|
# for runtime-code generation or executable stack.
|
2005-07-05 20:59:51 +00:00
|
|
|
allow $1 self:process execmem;
|
|
|
|
|
')
|
|
|
|
|
|
2006-07-28 15:13:58 +00:00
|
|
|
tunable_policy(`allow_execstack',`
|
|
|
|
|
# Allow making the stack executable via mprotect;
|
2010-08-26 13:41:21 +00:00
|
|
|
# execstack implies execmem; Bugzilla #211271
|
|
|
|
|
allow $1 self:process { execmem execstack };
|
2006-04-12 15:04:28 +00:00
|
|
|
# auditallow $1 self:process execstack;
|
2005-09-15 21:03:29 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-19 18:40:19 +00:00
|
|
|
auth_unconfined($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-09-21 14:49:41 +00:00
|
|
|
# Communicate via dbusd.
|
|
|
|
|
dbus_system_bus_unconfined($1)
|
2010-08-26 13:41:21 +00:00
|
|
|
dbus_unconfined($1)
|
2005-09-21 14:49:41 +00:00
|
|
|
')
|
|
|
|
|
|
2007-11-14 14:38:45 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
ipsec_setcontext_default_spd($1)
|
2007-11-14 15:53:18 +00:00
|
|
|
ipsec_match_default_spd($1)
|
2007-11-14 14:38:45 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-13 20:48:51 +00:00
|
|
|
nscd_unconfined($1)
|
|
|
|
|
')
|
|
|
|
|
|
2008-06-10 15:33:18 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
postgresql_unconfined($1)
|
|
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-02 21:08:12 +00:00
|
|
|
seutil_create_bin_policy($1)
|
|
|
|
|
seutil_relabelto_bin_policy($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-05 20:59:51 +00:00
|
|
|
storage_unconfined($1)
|
|
|
|
|
')
|
2008-04-01 20:23:23 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
xserver_unconfined($1)
|
|
|
|
|
')
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
2005-07-06 20:28:29 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Make the specified domain unconfined and
|
2010-02-26 18:47:17 +00:00
|
|
|
## audit executable heap usage.
|
2006-02-06 22:47:46 +00:00
|
|
|
## </summary>
|
2010-02-26 18:47:17 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Make the specified domain unconfined and
|
|
|
|
|
## audit executable heap usage. With exception
|
|
|
|
|
## of memory protections, usage of this interface
|
|
|
|
|
## will result in the level of access the domain has
|
|
|
|
|
## is like SELinux was not being used.
|
|
|
|
|
## </p>
|
|
|
|
|
## <p>
|
|
|
|
|
## Only completely trusted domains should use this interface.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
2006-02-06 22:47:46 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-02-06 22:47:46 +00:00
|
|
|
## Domain to make unconfined.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-02-06 22:47:46 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`unconfined_domain',`
|
2010-08-26 13:41:21 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute unconfined_services;
|
|
|
|
|
')
|
|
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
unconfined_domain_noaudit($1)
|
|
|
|
|
|
|
|
|
|
tunable_policy(`allow_execheap',`
|
|
|
|
|
auditallow $1 self:process execheap;
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2007-10-02 16:04:50 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Add an alias type to the unconfined domain. (Deprecated)
|
|
|
|
|
## </summary>
|
|
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Add an alias type to the unconfined domain. (Deprecated)
|
|
|
|
|
## </p>
|
|
|
|
|
## <p>
|
|
|
|
|
## This is added to support targeted policy. Its
|
|
|
|
|
## use should be limited. It has no effect
|
|
|
|
|
## on the strict policy.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## New alias of the unconfined domain.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`unconfined_alias_domain',`
|
|
|
|
|
refpolicywarn(`$0($1) has been deprecated.')
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Add an alias type to the unconfined execmem
|
|
|
|
|
## program file type. (Deprecated)
|
|
|
|
|
## </summary>
|
|
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Add an alias type to the unconfined execmem
|
|
|
|
|
## program file type. (Deprecated)
|
|
|
|
|
## </p>
|
|
|
|
|
## <p>
|
|
|
|
|
## This is added to support targeted policy. Its
|
|
|
|
|
## use should be limited. It has no effect
|
|
|
|
|
## on the strict policy.
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## New alias of the unconfined execmem program type.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`unconfined_execmem_alias_program',`
|
|
|
|
|
refpolicywarn(`$0($1) has been deprecated.')
|
|
|
|
|
')
|
