unconfined can pass all constraints
parent
ef424c14d4
commit
53857c8c05
@ -614,6 +614,9 @@ interface(`domain_read_all_entry_files',`
|
|||||||
interface(`domain_unconfined',`
|
interface(`domain_unconfined',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute domain, set_curr_context;
|
attribute domain, set_curr_context;
|
||||||
|
attribute can_change_process_identity;
|
||||||
|
attribute can_change_process_role;
|
||||||
|
attribute can_change_object_identity;
|
||||||
class fd use;
|
class fd use;
|
||||||
class fifo_file rw_file_perms;
|
class fifo_file rw_file_perms;
|
||||||
class process { transition dyntransition execmem };
|
class process { transition dyntransition execmem };
|
||||||
@ -622,6 +625,12 @@ interface(`domain_unconfined',`
|
|||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# pass all constraints
|
||||||
|
typeattribute $1 can_change_process_identity;
|
||||||
|
typeattribute $1 can_change_process_role;
|
||||||
|
typeattribute $1 can_change_object_identity;
|
||||||
|
typeattribute $1 set_curr_context;
|
||||||
|
|
||||||
# Use/sendto/connectto sockets created by any domain.
|
# Use/sendto/connectto sockets created by any domain.
|
||||||
allow $1 domain:{ socket_class_set socket key_socket } *;
|
allow $1 domain:{ socket_class_set socket key_socket } *;
|
||||||
|
|
||||||
@ -631,7 +640,6 @@ interface(`domain_unconfined',`
|
|||||||
|
|
||||||
# Act upon any other process.
|
# Act upon any other process.
|
||||||
allow $1 domain:process ~{ transition dyntransition execmem };
|
allow $1 domain:process ~{ transition dyntransition execmem };
|
||||||
typeattribute $1 set_curr_context;
|
|
||||||
|
|
||||||
# Create/access any System V IPC objects.
|
# Create/access any System V IPC objects.
|
||||||
allow $1 domain:{ sem msgq shm } *;
|
allow $1 domain:{ sem msgq shm } *;
|
||||||
|
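Review bot: The comment `# pass all constraints` above the four new typeattribute lines in the second hunk understates what they grant: a domain given this interface is exempted from the user- and role-identity checks the constraints enforce, so it can transition processes to, and create or relabel objects under, any SELinux user or role, and that consequence should also be stated in the interface's `## <summary>`/`<desc>` block above the first hunk. I would replace the comment with `# Exempt $1 from the identity constraints: it may change process user/role and object user identity without the usual restrictions.`. Whether these four attributes satisfy every constraint depends on policy/constraints (and any MLS/MCS constraints the policy builds), which this diff does not show, so the word "all" in the commit title and comment should be checked against that file before it is kept. Declaring the three new attributes in `gen_require` is the right companion change, since `typeattribute` on an undeclared attribute fails at policy compile time; the interface body continues past the third hunk.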