## The unconfined domain. ######################################## ## ## Make the specified domain unconfined. ## ## ## ## Domain to make unconfined. ## ## # interface(`unconfined_domain_noaudit',` gen_require(` type unconfined_t; class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. allow $1 self:capability *; allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; # Userland object managers allow $1 self:nscd *; allow $1 self:dbus *; allow $1 self:passwd *; allow $1 self:association *; kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) domain_unconfined($1) domain_dontaudit_read_all_domains_state($1) domain_dontaudit_ptrace_all_domains($1) files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; ') tunable_policy(`allow_execmem',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; ') tunable_policy(`allow_execstack',` # Allow making the stack executable via mprotect; # execstack implies execmem; allow $1 self:process { execstack execmem }; # auditallow $1 self:process execstack; ') optional_policy(` auth_unconfined($1) ') optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) ') optional_policy(` ipsec_setcontext_default_spd($1) ipsec_match_default_spd($1) ') optional_policy(` # this is to handle execmod on shared # libs with text relocations libs_use_shared_libs($1) ') optional_policy(` nscd_unconfined($1) ') optional_policy(` seutil_create_bin_policy($1) seutil_relabelto_bin_policy($1) ') optional_policy(` storage_unconfined($1) ') ') ######################################## ## ## Make the specified domain unconfined and ## audit executable memory and executable heap ## usage. ## ## ## ## Domain to make unconfined. ## ## # interface(`unconfined_domain',` unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` auditallow $1 self:process execheap; ') # Turn off this audit for FC5 # tunable_policy(`allow_execmem',` # auditallow $1 self:process execmem; # ') ') ######################################## ## ## Add an alias type to the unconfined domain. (Deprecated) ## ## ##

## Add an alias type to the unconfined domain. (Deprecated) ##

##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

##
## ## ## New alias of the unconfined domain. ## ## # interface(`unconfined_alias_domain',` refpolicywarn(`$0($1) has been deprecated.') ') ######################################## ## ## Add an alias type to the unconfined execmem ## program file type. (Deprecated) ## ## ##

## Add an alias type to the unconfined execmem ## program file type. (Deprecated) ##

##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

##
## ## ## New alias of the unconfined execmem program type. ## ## # interface(`unconfined_execmem_alias_program',` refpolicywarn(`$0($1) has been deprecated.') ') ######################################## ## ## Transition to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_domtrans',` gen_require(` type unconfined_t, unconfined_exec_t; ') domtrans_pattern($1,unconfined_exec_t,unconfined_t) ') ######################################## ## ## Execute specified programs in the unconfined domain. ## ## ## ## The type of the process performing this action. ## ## ## ## ## The role to allow the unconfined domain. ## ## ## ## ## The type of the terminal allow the unconfined domain to use. ## ## # interface(`unconfined_run',` gen_require(` type unconfined_t; ') unconfined_domtrans($1) role $2 types unconfined_t; allow unconfined_t $3:chr_file rw_term_perms; ') ######################################## ## ## Transition to the unconfined domain by executing a shell. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_shell_domtrans',` gen_require(` type unconfined_t; ') corecmd_shell_domtrans($1,unconfined_t) allow unconfined_t $1:fd use; allow unconfined_t $1:fifo_file rw_file_perms; allow unconfined_t $1:process sigchld; ') ######################################## ## ## Allow unconfined to execute the specified program in ## the specified domain. ## ## ##

## Allow unconfined to execute the specified program in ## the specified domain. ##

##

## This is a interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## ## ## Domain to execute in. ## ## ## ## ## Domain entry point file. ## ## # interface(`unconfined_domtrans_to',` gen_require(` type unconfined_t; ') domtrans_pattern(unconfined_t,$2,$1) ') ######################################## ## ## Inherit file descriptors from the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_use_fds',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:fd use; ') ######################################## ## ## Send a SIGCHLD signal to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_sigchld',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:process sigchld; ') ######################################## ## ## Send a SIGNULL signal to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_signull',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:process signull; ') ######################################## ## ## Send generic signals to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_signal',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:process signal; ') ######################################## ## ## Read unconfined domain unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_read_pipes',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:fifo_file read_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read unconfined domain unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_dontaudit_read_pipes',` gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:fifo_file read; ') ######################################## ## ## Read and write unconfined domain unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_rw_pipes',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read and write ## unconfined domain unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`unconfined_dontaudit_rw_pipes',` gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:fifo_file rw_file_perms; ') ######################################## ## ## Connect to the unconfined domain using ## a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_stream_connect',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:unix_stream_socket connectto; ') ######################################## ## ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## ## ##

## Do not audit attempts to read or write ## unconfined domain tcp sockets. ##

##

## This interface was added due to a broken ## symptom in ldconfig. ##

##
## ## ## Domain to not audit. ## ## # interface(`unconfined_dontaudit_rw_tcp_sockets',` gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:tcp_socket { read write }; ') ######################################## ## ## Create keys for the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_create_keys',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:key create; ') ######################################## ## ## Send messages to the unconfined domain over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_dbus_send',` gen_require(` type unconfined_t; class dbus send_msg; ') allow $1 unconfined_t:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## unconfined_t over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_dbus_chat',` gen_require(` type unconfined_t; class dbus send_msg; ') allow $1 unconfined_t:dbus send_msg; allow unconfined_t $1:dbus send_msg; ') ######################################## ## ## Connect to the the unconfined DBUS ## for service (acquire_svc). ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_dbus_connect',` gen_require(` type unconfined_t; class dbus acquire_svc; ') allow $1 unconfined_t:dbus acquire_svc; ') ######################################## ## ## Read files in unconfined users home directories. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_read_home_content_files',` gen_require(` type unconfined_home_dir_t, unconfined_home_t; ') files_search_home($1) allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) ') ######################################## ## ## Read unconfined users temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_read_tmp_files',` gen_require(` type unconfined_tmp_t; ') files_search_tmp($1) allow $1 unconfined_tmp_t:dir list_dir_perms; read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) ') ######################################## ## ## Write unconfined users temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_write_tmp_files',` gen_require(` type unconfined_tmp_t; ') allow $1 unconfined_tmp_t:file { getattr write append }; ')