add unconfined
This commit is contained in:
parent
e8f0055b6d
commit
9726b31857
@ -971,3 +971,29 @@ interface(`corenet_use_tun_tap_device',`
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tun_tap_device_t:chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to network objects.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_unconfined',`
|
||||
gen_require(`
|
||||
attribute node_type, netif_type, port_type;
|
||||
class tcp_socket { send_msg recv_msg node_bind name_bind };
|
||||
class udp_socket { send_msg recv_msg node_bind name_bind };
|
||||
class rawip_socket node_bind;
|
||||
')
|
||||
|
||||
allow $1 node_type:node *;
|
||||
allow $1 netif_type:netif *;
|
||||
allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
|
||||
|
||||
# Bind to any network address.
|
||||
# cjp: rawip_socket doesnt make any sense
|
||||
allow $1 port_type:{ tcp_socket udp_socket } name_bind;
|
||||
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
||||
')
|
||||
|
@ -2042,3 +2042,25 @@ interface(`dev_dontaudit_setattr_video_dev',`
|
||||
|
||||
dontaudit $1 v4l_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_unconfined',`
|
||||
gen_require(`
|
||||
attribute device_node, memory_raw_write, memory_raw_read;
|
||||
type mtrr_device_t;
|
||||
')
|
||||
|
||||
allow $1 device_node:devfile_class_set *;
|
||||
allow $1 mtrr_device_t:file *;
|
||||
|
||||
allow $1 self:capability sys_rawio;
|
||||
typeattribute $1 memory_raw_write, memory_raw_read;
|
||||
')
|
||||
|
||||
|
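Review bot: `allow $1 self:capability sys_rawio;` and `typeattribute $1 memory_raw_write, memory_raw_read;` are the two lines in dev_unconfined that widen access beyond device nodes, and neither carries a comment, unlike the annotated rules in the sibling fs/files/domain interfaces added in this commit. Suggest a line above them such as `# Raw I/O and raw memory access — presumably what the memory_raw_* attributes gate; confirm against the attribute definitions`. `allow $1 mtrr_device_t:file *;` would also benefit from a note that mtrr is a file-class object rather than a device node, which is why the `device_node:devfile_class_set` rule does not cover it.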
@ -1675,3 +1675,23 @@ interface(`fs_getattr_all_files',`
|
||||
allow $1 filesystem_type:sock_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to filesystems
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_unconfined',`
|
||||
gen_require(`
|
||||
attribute filesystem_type;
|
||||
')
|
||||
|
||||
allow $1 filesystem_type:filesystem *;
|
||||
|
||||
# Create/access other files. fs_type is to pick up various
|
||||
# pseudo filesystem types that are applied to both the filesystem
|
||||
# and its files.
|
||||
allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
')
|
||||
|
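Review bot: The comment `# Create/access other files. fs_type is to pick up various` refers to an attribute named fs_type, but fs_unconfined requires and uses `filesystem_type`, so the comment no longer matches the rule below it (it looks carried over from the older policy). Change it to `# Create/access other files. filesystem_type is to pick up various`. The class list in `allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;` omits file and chr_file, and kernel_unconfined uses the same list for unlabeled_t; if that omission is deliberate, a one-line comment saying so would save the next reviewer from re-deriving it.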
@ -1015,3 +1015,27 @@ interface(`kernel_relabel_unlabeled',`
|
||||
allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to the kernel.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_unconfined',`
|
||||
gen_require(`
|
||||
type kernel_t, unlabeled_t;
|
||||
attribute can_load_kernmodule, can_receive_kernel_messages;
|
||||
')
|
||||
|
||||
# allow $1 proc_fs:{ dir file } *;
|
||||
|
||||
allow $1 sysctl_t:{ dir file } *;
|
||||
allow $1 kernel_t:system *;
|
||||
allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
|
||||
typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
|
||||
|
||||
kernel_rw_all_sysctl($1)
|
||||
')
|
||||
|
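Review bot: `allow $1 sysctl_t:{ dir file } *;` in kernel_unconfined uses sysctl_t, but the gen_require block only requires `type kernel_t, unlabeled_t;` plus the two attributes, so a loadable module calling this interface has no declared dependency on sysctl_t and, as far as I can tell, the build will reject it when sysctl_t is not otherwise in scope. Fold it in as `type kernel_t, unlabeled_t, sysctl_t;`. The same gap appears in storage_unconfined in storage.if, whose gen_require lists only types while the body does `typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;` and `typeattribute $1 scsi_generic_read, scsi_generic_write;` without requiring those four attributes. The commented-out `# allow $1 proc_fs:{ dir file } *;` line is dead and should be dropped or given a TODO with a reason.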
@ -7,9 +7,6 @@ policy_module(kernel,1.0)
|
||||
#
|
||||
|
||||
# assertion related attributes
|
||||
attribute can_load_policy;
|
||||
attribute can_setenforce;
|
||||
attribute can_setsecparam;
|
||||
attribute can_load_kernmodule;
|
||||
attribute can_receive_kernel_messages;
|
||||
|
||||
@ -17,7 +14,7 @@ attribute can_receive_kernel_messages;
|
||||
# kernel_t is the domain of kernel threads.
|
||||
# It is also the target type when checking permissions in the system class.
|
||||
#
|
||||
type kernel_t, can_load_kernmodule, can_load_policy;
|
||||
type kernel_t, can_load_kernmodule;
|
||||
role system_r types kernel_t;
|
||||
domain_type(kernel_t)
|
||||
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
|
||||
@ -173,6 +170,8 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
|
||||
corenet_tcp_sendrecv_all_if(kernel_t)
|
||||
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
|
||||
term_use_console(kernel_t)
|
||||
|
||||
# Mount root file system. Used when loading a policy
|
||||
@ -200,9 +199,6 @@ logging_send_syslog_msg(kernel_t)
|
||||
seutil_read_config(kernel_t)
|
||||
seutil_read_binary_pol(kernel_t)
|
||||
|
||||
neverallow ~can_load_policy security_t:security load_policy;
|
||||
neverallow ~can_setenforce security_t:security setenforce;
|
||||
neverallow ~can_setsecparam security_t:security setsecparam;
|
||||
neverallow ~can_load_kernmodule self:capability sys_module;
|
||||
|
||||
########################################
|
||||
|
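Review bot: `type kernel_t, can_load_kernmodule;` drops can_load_policy from kernel_t while the assertion `neverallow ~can_load_policy security_t:security load_policy;` is moved into selinux.te rather than removed, and kernel.te still calls `selinux_load_policy(kernel_t)`. This only assembles if selinux_load_policy() itself applies `typeattribute` can_load_policy to its argument; I cannot see that interface's body here, so please confirm, otherwise the moved neverallow will fail at policy build time. The sys_module assertion that stays in kernel.te alongside the `attribute can_load_kernmodule;` declaration looks right, since that attribute is still declared in this file.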
@ -250,3 +250,24 @@ interface(`selinux_compute_user_contexts',`
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Unconfined access to the SELinux security server.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_unconfined',`
|
||||
gen_require(`
|
||||
attribute can_load_policy, can_setenforce, can_setsecparam;
|
||||
type security_t;
|
||||
class security { load_policy setenforce setbool };
|
||||
')
|
||||
|
||||
# Access the security API.
|
||||
allow $1 security_t:security *;
|
||||
auditallow $1 security_t:security { load_policy setenforce setbool };
|
||||
|
||||
typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
|
||||
')
|
||||
|
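Review bot: The header of selinux_unconfined uses `## <desc>` / `## </desc>` while every other interface added in this commit uses `## <summary>`, and the storage.if hunks in this same commit are converting `<desc>` to `<summary>`, so this new block is introduced in the form the commit is otherwise retiring. Change the two lines to `## <summary>` and `## </summary>`. The `auditallow $1 security_t:security { load_policy setenforce setbool };` rule is a useful audit hook for the policy-changing permissions; a comment such as `# Always log policy load, enforcement and boolean changes by unconfined domains` would make that intent explicit for whoever tunes the audit rules later.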
@ -6,6 +6,10 @@ policy_module(selinux,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute can_load_policy;
|
||||
attribute can_setenforce;
|
||||
attribute can_setsecparam;
|
||||
|
||||
#
|
||||
# security_t is the target type when checking
|
||||
# the permissions in the security class. It is also
|
||||
@ -15,3 +19,7 @@ type security_t;
|
||||
fs_type(security_t)
|
||||
sid security context_template(system_u:object_r:security_t,s0)
|
||||
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
||||
|
||||
neverallow ~can_load_policy security_t:security load_policy;
|
||||
neverallow ~can_setenforce security_t:security setenforce;
|
||||
neverallow ~can_setsecparam security_t:security setsecparam;
|
||||
|
@ -1,10 +1,10 @@
|
||||
## <summary>Policy controlling access to storage devices</summary>
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to get the attributes of fixed disk
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -20,10 +20,10 @@ interface(`storage_getattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to get
|
||||
## the attributes of fixed disk device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
@ -38,10 +38,10 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to set the attributes of fixed disk
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -57,10 +57,10 @@ interface(`storage_setattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of fixed disk device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
@ -75,12 +75,12 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a fixed disk.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -98,12 +98,12 @@ interface(`storage_raw_read_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly write to a fixed disk.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -121,9 +121,9 @@ interface(`storage_raw_write_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Create block devices in /dev with the fixed disk type.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -197,12 +197,12 @@ interface(`storage_swapon_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -220,12 +220,12 @@ interface(`storage_raw_read_lvm_volume',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -243,10 +243,10 @@ interface(`storage_raw_write_lvm_volume',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to get the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -262,10 +262,10 @@ interface(`storage_getattr_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to set the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -281,13 +281,13 @@ interface(`storage_setattr_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly read, in a
|
||||
## generic fashion, from any SCSI device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -305,13 +305,13 @@ interface(`storage_read_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly write, in a
|
||||
## generic fashion, from any SCSI device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -329,10 +329,10 @@ interface(`storage_write_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Get attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -348,10 +348,10 @@ interface(`storage_getattr_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Set attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -367,10 +367,10 @@ interface(`storage_set_scsi_generic_attributes',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to get the attributes of removable
|
||||
## devices device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -386,10 +386,10 @@ interface(`storage_getattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to get
|
||||
## the attributes of removable devices device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
@ -404,10 +404,10 @@ interface(`storage_dontaudit_getattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to set the attributes of removable
|
||||
## devices device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -423,10 +423,10 @@ interface(`storage_setattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of removable devices device nodes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
@ -441,13 +441,13 @@ interface(`storage_dontaudit_setattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly read from
|
||||
## a removable device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -463,13 +463,13 @@ interface(`storage_raw_read_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly write to
|
||||
## a removable device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -485,10 +485,10 @@ interface(`storage_raw_write_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly read
|
||||
## a tape device.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -504,10 +504,10 @@ interface(`storage_read_tape_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to directly read
|
||||
## a tape device.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -523,10 +523,10 @@ interface(`storage_write_tape_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to get the attributes
|
||||
## of device nodes of tape devices.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -542,10 +542,10 @@ interface(`storage_getattr_tape_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow the caller to set the attributes
|
||||
## of device nodes of tape devices.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -560,3 +560,23 @@ interface(`storage_setattr_tape_device',`
|
||||
allow $1 tape_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to storage devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_unconfined',`
|
||||
gen_require(`
|
||||
type fixed_disk_device_t, removable_device_t;
|
||||
type lvm_vg_t, scsi_generic_device_t, tape_device_t;
|
||||
')
|
||||
|
||||
allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
|
||||
allow $1 { lvm_vg_t scsi_generic_device_t tape_device_t }:blk_file *;
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
typeattribute $1 scsi_generic_read, scsi_generic_write;
|
||||
')
|
||||
|
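Review bot: Several of the summaries being re-tagged from `<desc>` to `<summary>` in storage.if describe the wrong operation, and this commit is the natural place to fix them: storage_raw_write_lvm_volume's summary reads `## Allow the caller to directly read from a logical volume.`, storage_write_tape_device's reads `## Allow the caller to directly read`, storage_write_scsi_generic's reads `## generic fashion, from any SCSI device.`, and two summaries spell `inerface`. Change these to say write, to, and interface respectively. The missing attribute requirements in storage_unconfined's gen_require are covered in the note on kernel_unconfined in kernel.if.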
@ -452,6 +452,45 @@ interface(`domain_read_all_entry_files',`
|
||||
allow $1 entry_type:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_unconfined',`
|
||||
gen_require(`
|
||||
attribute domain, set_curr_context;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
class process { transition dyntransition execmem };
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
# Use/sendto/connectto sockets created by any domain.
|
||||
allow $1 domain:{ socket_class_set socket key_socket } *;
|
||||
|
||||
# Use descriptors and pipes created by any domain.
|
||||
allow $1 domain:fd use;
|
||||
allow $1 domain:fifo_file rw_file_perms;
|
||||
|
||||
# Act upon any other process.
|
||||
allow $1 domain:process ~{ transition dyntransition execmem };
|
||||
typeattribute $1 set_curr_context;
|
||||
|
||||
# Create/access any System V IPC objects.
|
||||
allow $1 domain:{ sem msgq shm } *;
|
||||
allow $1 domain:msg { send receive };
|
||||
|
||||
# For /proc/pid
|
||||
allow $1 domain:dir r_dir_perms;
|
||||
allow $1 domain:file r_file_perms;
|
||||
allow $1 domain:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
#
|
||||
# These next macros are not interfaces, but actually are
|
||||
|
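Review bot: `allow $1 domain:process ~{ transition dyntransition execmem };` is the rule in domain_unconfined that grants control over every other domain's processes, and the `# Act upon any other process.` comment above it understates that; make it `# Act upon any other process: every process permission except transition, dyntransition and execmem.` so the exclusions are visible without decoding the complement. The parameter doc `## The type of the process performing this action.` also differs from the `## Domain allowed access.` wording used by the other *_unconfined interfaces added in this commit. The gen_require lines such as `class fifo_file rw_file_perms;` rely on permission macros expanding inside gen_require — presumably that already works elsewhere in refpolicy, but worth confirming since these are the first interfaces here to do it.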
@ -1342,3 +1342,30 @@ interface(`files_manage_generic_spools',`
|
||||
allow $1 var_spool_t:dir rw_dir_perms;
|
||||
allow $1 var_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_unconfined',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class unix_stream_socket name_bind;
|
||||
class unix_dgram_socket name_bind;
|
||||
')
|
||||
|
||||
# Create/access any file in a labeled filesystem;
|
||||
allow $1 file_type:{ file chr_file } ~execmod;
|
||||
allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
|
||||
# Mount/unmount any filesystem with the context= option.
|
||||
allow $1 file_type:filesystem *;
|
||||
|
||||
# Bind to any network address.
|
||||
# cjp: need to check this, I dont think this has any effect.
|
||||
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
|
||||
')
|
||||
|
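Review bot: `allow $1 file_type:{ file chr_file } ~execmod;` deliberately withholds execmod, but nothing in files_unconfined says why; add `# execmod is withheld here: text relocations are meant to be gated by the allow_execmod tunable in the caller` (the only place I can see that intent is the TODO-guarded block in unconfined.if, so confirm that is the reason). The `# cjp: need to check this, I dont think this has any effect.` comment on `allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;` should be resolved or turned into a TODO before this lands, since an allow rule whose effect nobody can state is hard to audit later. `# Create/access any file in a labeled filesystem;` has a stray trailing semicolon.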
3
refpolicy/policy/modules/system/unconfined.fc
Normal file
3
refpolicy/policy/modules/system/unconfined.fc
Normal file
@ -0,0 +1,3 @@
|
||||
# Add programs here which should not be confined by SELinux
|
||||
# e.g.:
|
||||
# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t
|
75
refpolicy/policy/modules/system/unconfined.if
Normal file
75
refpolicy/policy/modules/system/unconfined.if
Normal file
@ -0,0 +1,75 @@
|
||||
## <summary>The unconfined domain.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## A template to make the specified domain unconfined.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to make unconfined.
|
||||
## </param>
|
||||
#
|
||||
template(`unconfined_access_template',`
|
||||
|
||||
# Use any Linux capability.
|
||||
allow $1 self:capability *;
|
||||
|
||||
# Transition to myself, to make get_ordered_context_list happy.
|
||||
allow $1 self:process transition;
|
||||
|
||||
# Write access is for setting attributes under /proc/self/attr.
|
||||
allow $1 self:file rw_file_perms;
|
||||
|
||||
# Userland object managers
|
||||
allow $1 self:nscd *;
|
||||
allow $1 self:dbus *;
|
||||
allow $1 self:passwd *;
|
||||
|
||||
kernel_unconfined($1)
|
||||
dev_unconfined($1)
|
||||
fs_unconfined($1)
|
||||
selinux_unconfined($1)
|
||||
|
||||
domain_unconfined($1)
|
||||
files_unconfined($1)
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
# Allow loading DSOs that require executable stack.
|
||||
allow $1 self:process execmem;
|
||||
')
|
||||
|
||||
# to satisfy assertions:
|
||||
optional_policy(`authlogin.te',`
|
||||
auth_manage_shadow($1)
|
||||
auth_relabelto_shadow($1)
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_manage_kernel_modules($1)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_create_binary_pol($1)
|
||||
seutil_relabelto_binary_pol($1)
|
||||
')
|
||||
|
||||
optional_policy(`storage.te',`
|
||||
storage_unconfined($1)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
if (allow_execmod) {
|
||||
# Allow text relocations on system shared libraries, e.g. libGL.
|
||||
allow $1 texrel_shlib_t:file execmod;
|
||||
}
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
# Communicate via dbusd.
|
||||
allow $1 system_dbusd_t:dbus *;
|
||||
')
|
||||
|
||||
ifdef(`nscd.te', `
|
||||
# Get info via nscd.
|
||||
allow $1 nscd_t:nscd *;
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
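Review bot: corenet_unconfined(), added to corenetwork.if in this same commit, is never called from unconfined_access_template, while kernel, dev, fs, selinux, domain, files and storage all are; if leaving the network out is intentional, add `# corenet_unconfined() is intentionally not called here` next to `kernel_unconfined($1)`, otherwise add `corenet_unconfined($1)`. The `ifdef(`TODO',` block at the end never expands and still references raw types (`texrel_shlib_t`, `system_dbusd_t`, `nscd_t`) in the pre-interface style, so it is dead policy that will drift from the modules it names; convert the dbusd and nscd parts to `optional_policy` calls with interfaces or drop the block. The `# to satisfy assertions:` comment would be clearer as `# presumably neverallow assertions in these modules require the attributes these interfaces apply; grant them explicitly` so the reason for the shadow and binary-policy grants is on record.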
23
refpolicy/policy/modules/system/unconfined.te
Normal file
23
refpolicy/policy/modules/system/unconfined.te
Normal file
@ -0,0 +1,23 @@
|
||||
|
||||
policy_module(unconfined,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type unconfined_t;
|
||||
type unconfined_exec_t;
|
||||
init_system_domain(unconfined_t,unconfined_exec_t)
|
||||
role system_r types unconfined_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
unconfined_access_template(unconfined_t)
|
||||
logging_send_syslog_msg(unconfined_t)
|
||||
|
||||
#role sysadm_r types unconfined_t;
|
||||
#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
|
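Review bot: `#role sysadm_r types unconfined_t;` and `#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)` are commented-out old-style rules with no explanation, so a reader cannot tell whether a sysadm_r path into unconfined_t is planned or rejected; either wrap them in an `ifdef(`TODO',` block with a reason or remove them. As written the only role for unconfined_t is `role system_r types unconfined_t;`, so programs labelled unconfined_exec_t per unconfined.fc presumably reach unconfined_t only through whatever transition init_system_domain() sets up — a comment above `init_system_domain(unconfined_t,unconfined_exec_t)` stating that would help. `logging_send_syslog_msg(unconfined_t)` is called unconditionally while the template wraps its module calls in optional_policy; that is fine if logging is a base module, but confirm.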