## <summary>The unconfined domain.</summary>
########################################
## <summary>
##	A template to make the specified domain unconfined.
## </summary>
## <desc>
##	<p>
##	The domain receives every permission in the capability class on
##	itself, plus whatever the kernel, corenet, dev, fs, selinux, domain
##	and files unconfined interfaces grant. Those interfaces are defined
##	in other modules and are not shown in this file.
##	</p>
##	<p>
##	A domain built with this template is, by design, barely restricted
##	by type enforcement. Apply it only to domains that are meant to run
##	outside the confined policy, and review every new caller.
##	</p>
## </desc>
## <param name="domain">
##	Domain to make unconfined.
## </param>
#
template(`unconfined_domain_template',`

	# Use any Linux capability.
	# The wildcard covers every permission in the capability class, so no
	# capability check is narrowed by policy for this domain.
	allow $1 self:capability *;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file rw_file_perms;

	# Userland object managers
	# All permissions on the nscd, dbus and passwd classes, scoped to the
	# domain itself.
	allow $1 self:nscd *;
	allow $1 self:dbus *;
	allow $1 self:passwd *;

	# Per-layer unconfined access. The rules behind these calls live in
	# the kernel, corenetwork, devices, filesystem and selinux modules.
	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)

	domain_unconfined($1)
	files_unconfined($1)

	# Conditional on the allow_execmem tunable.
	tunable_policy(`allow_execmem',`
		# Allow making anonymous memory executable, e.g.
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
	')

	# Needs both tunables: execstack is never granted without execmem.
	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		allow $1 self:process execstack;
	')

	# The optional blocks below name the module that provides the
	# interface they call.
	optional_policy(`authlogin.te',`
		auth_unconfined($1)
	')

	optional_policy(`bootloader.te',`
		bootloader_manage_kernel_modules($1)
	')

	optional_policy(`nscd.te', `
		nscd_unconfined($1)
	')

	# Creating and relabeling to the binary policy: a domain with these
	# permissions can replace the policy that is loaded at boot.
	# NOTE(review): exact scope depends on the seutil interfaces - confirm.
	optional_policy(`selinuxutil.te',`
		seutil_create_binary_pol($1)
		seutil_relabelto_binary_pol($1)
	')

	optional_policy(`storage.te',`
		storage_unconfined($1)
	')

	# Everything inside this ifdef is emitted only when TODO is defined.
	# The rules are not yet converted: they use a raw conditional block
	# and reference types directly instead of going through interfaces.
	ifdef(`TODO',`
	if (allow_execmod) {
		ifdef(`targeted_policy', `
			allow $1 file_type:file execmod;
		', `
			# Allow text relocations on system shared libraries, e.g. libGL.
			allow $1 texrel_shlib_t:file execmod;
			allow $1 home_type:file execmod;
		')
	}

	ifdef(`dbusd.te', `
		# Communicate via dbusd.
		allow $1 system_dbusd_t:dbus *;
	')

	') dnl end TODO
')
########################################
## <summary>
##	Transition to the unconfined domain.
## </summary>
## <desc>
##	<p>
##	The calling domain enters unconfined_t when it executes a file
##	labeled unconfined_exec_t. Because the target domain is unconfined,
##	granting this interface lets the caller leave its own confinement;
##	grant it only to domains trusted to do so.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_domtrans',`
	# Types and permissions this interface refers to.
	gen_require(`
		type unconfined_t, unconfined_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	# Automatic transition from the calling domain to unconfined_t with
	# unconfined_exec_t as the entry point file type.
	domain_auto_trans($1,unconfined_exec_t,unconfined_t)

	# File descriptors may be used in both directions between the calling
	# domain and unconfined_t.
	allow $1 unconfined_t:fd use;
	allow unconfined_t $1:fd use;
	# The unconfined process may read and write pipes of the calling
	# domain and send it SIGCHLD.
	allow unconfined_t $1:fifo_file rw_file_perms;
	allow unconfined_t $1:process sigchld;
')
########################################
## <summary>
##	Execute specified programs in the unconfined domain.
## </summary>
## <desc>
##	<p>
##	Combines the domain transition from unconfined_domtrans with the
##	role authorization and terminal access the unconfined process needs
##	afterwards. The role argument becomes able to run unconfined_t, so
##	pass only roles intended to hold unconfined access.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="role">
##	The role to allow the unconfined domain.
## </param>
## <param name="terminal">
##	The type of the terminal to allow the unconfined domain to use.
## </param>
#
interface(`unconfined_run',`
	gen_require(`
		type unconfined_t;
		class chr_file rw_term_perms;
	')

	# Domain transition for the first argument.
	unconfined_domtrans($1)
	# Authorize the role given as second argument for unconfined_t.
	role $2 types unconfined_t;
	# Let the unconfined process read and write the terminal type given
	# as third argument.
	allow unconfined_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
##	Transition to the unconfined domain by executing a shell.
## </summary>
## <desc>
##	<p>
##	Unlike unconfined_domtrans, the entry point here is a shell rather
##	than a file labeled unconfined_exec_t. Any shell the calling domain
##	starts then runs unconfined, so this is a broad grant.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_shell_domtrans',`
	gen_require(`
		type unconfined_t;
	')

	# The transition rules come from the corecommands module.
	# NOTE(review): which shell types are covered is decided there - confirm.
	corecmd_shell_domtrans($1,unconfined_t)
')
########################################
## <summary>
##	Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_use_fd',`
	gen_require(`
		type unconfined_t;
		class fd use;
	')

	# Only the fd use permission is granted. Access to the object behind
	# an inherited descriptor is still checked against the rules for that
	# object class.
	allow $1 unconfined_t:fd use;
')
########################################
## <summary>
##	Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_sigchld',`
	gen_require(`
		type unconfined_t;
		class process sigchld;
	')

	# Grants only sigchld on unconfined_t processes; no other signal
	# permission is included.
	allow $1 unconfined_t:process sigchld;
')
########################################
## <summary>
##	Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_rw_pipe',`
	gen_require(`
		type unconfined_t;
		class fifo_file rw_file_perms;
	')

	# Applies to fifo_file objects labeled unconfined_t, i.e. pipes
	# created by an unconfined process.
	allow $1 unconfined_t:fifo_file rw_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
##	</p>
##	<p>
##	This interface was added due to a broken
##	symptom in ldconfig.
##	</p>
##	<p>
##	The access itself stays denied; only the audit record is
##	suppressed. Denials hidden this way do not show up in the audit
##	log, so keep the set of callers small.
##	</p>
## </desc>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_socket',`
	gen_require(`
		type unconfined_t;
		class tcp_socket { read write };
	')

	# A dontaudit rule grants nothing. It silences the denial message for
	# read and write on tcp sockets labeled unconfined_t.
	dontaudit $1 unconfined_t:tcp_socket { read write };
')
########################################
## <summary>
##	Add the unconfined domain to the specified role.
## </summary>
## <desc>
##	<p>
##	The argument is used as a role in the rule below, not as a domain.
##	After this call the role is authorized for unconfined_t. A domain
##	transition such as unconfined_domtrans is still needed to reach it.
##	</p>
## </desc>
## <param name="role">
##	Role allowed access.
## </param>
#
interface(`unconfined_role',`
	gen_require(`
		type unconfined_t;
	')

	# Role authorization only; no allow rules are added here.
	role $1 types unconfined_t;
')