rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

unconfined can pass all constraints

Browse Source
This commit is contained in:
Chris PeBenito 2005-07-20 17:24:23 +00:00
parent ef424c14d4
commit 53857c8c05
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
refpolicy/policy/modules/system/domain.if
View File

@ -614,6 +614,9 @@ interface(`domain_read_all_entry_files',`
interface(`domain_unconfined',`
gen_require(`
attribute domain, set_curr_context;
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
class fd use;
class fifo_file rw_file_perms;
class process { transition dyntransition execmem };
@ -622,6 +625,12 @@ interface(`domain_unconfined',`
class lnk_file r_file_perms;
')
# pass all constraints
typeattribute $1 can_change_process_identity;
typeattribute $1 can_change_process_role;
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
# Use/sendto/connectto sockets created by any domain.
allow $1 domain:{ socket_class_set socket key_socket } *;
@ -631,7 +640,6 @@ interface(`domain_unconfined',`
# Act upon any other process.
allow $1 domain:process ~{ transition dyntransition execmem };
typeattribute $1 set_curr_context;
# Create/access any System V IPC objects.
allow $1 domain:{ sem msgq shm } *;