The unconfined domain.

######################################## ##

## A template to make the specified domain unconfined. ##

## ## Domain to make unconfined. ## # template(`unconfined_domain_template',` gen_require(` class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. allow $1 self:capability *; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; # Userland object managers allow $1 self:nscd *; allow $1 self:dbus *; allow $1 self:passwd *; kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) fs_unconfined($1) selinux_unconfined($1) domain_unconfined($1) files_unconfined($1) tunable_policy(`allow_execmem',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; ') tunable_policy(`allow_execmem && allow_execstack',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; ') optional_policy(`authlogin.te',` auth_unconfined($1) ') optional_policy(`bootloader.te',` bootloader_manage_kernel_modules($1) ') optional_policy(`dbus.te', ` # Communicate via dbusd. dbus_system_bus_unconfined($1) ') optional_policy(`nscd.te', ` nscd_unconfined($1) ') optional_policy(`selinuxutil.te',` seutil_create_binary_pol($1) seutil_relabelto_binary_pol($1) ') optional_policy(`storage.te',` storage_unconfined($1) ') ifdef(`TODO',` if (allow_execmod) { ifdef(`targeted_policy', `', ` # Allow text relocations on system shared libraries, e.g. libGL. allow $1 texrel_shlib_t:file execmod; allow $1 home_type:file execmod; ') } ') dnl end TODO ') ######################################## ##

## Transition to the unconfined domain. ##

## ## Domain allowed access. ## # interface(`unconfined_domtrans',` gen_require(` type unconfined_t, unconfined_exec_t; class process sigchld; class fd use; class fifo_file rw_file_perms; ') domain_auto_trans($1,unconfined_exec_t,unconfined_t) allow $1 unconfined_t:fd use; allow unconfined_t $1:fd use; allow unconfined_t $1:fifo_file rw_file_perms; allow unconfined_t $1:process sigchld; ') ######################################## ##

## Execute specified programs in the unconfined domain. ##

## ## The type of the process performing this action. ## ## ## The role to allow the unconfined domain. ## ## ## The type of the terminal allow the unconfined domain to use. ## # interface(`unconfined_run',` gen_require(` type unconfined_t; class chr_file rw_term_perms; ') unconfined_domtrans($1) role $2 types unconfined_t; allow unconfined_t $3:chr_file rw_term_perms; ') ######################################## ##

## Transition to the unconfined domain by executing a shell. ##

## ## Domain allowed access. ## # interface(`unconfined_shell_domtrans',` gen_require(` type unconfined_t; ') corecmd_shell_domtrans($1,unconfined_t) ') ######################################## ##

## Inherit file descriptors from the unconfined domain. ##

## ## Domain allowed access. ## # interface(`unconfined_use_fd',` gen_require(` type unconfined_t; class fd use; ') allow $1 unconfined_t:fd use; ') ######################################## ##

## Send a SIGCHLD signal to the unconfined domain. ##

## ## Domain allowed access. ## # interface(`unconfined_sigchld',` gen_require(` type unconfined_t; class process sigchld; ') allow $1 unconfined_t:process sigchld; ') ######################################## ##

## Send generic signals to the unconfined domain. ##

## ## Domain allowed access. ## # interface(`unconfined_signal',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:process signal; ') ######################################## ##

## Do not audit attempts to read unconfined domain unnamed pipes. ##

## ## Domain allowed access. ## # interface(`unconfined_dontaudit_read_pipe',` gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:fifo_file read; ') ######################################## ##

## Read and write unconfined domain unnamed pipes. ##

## ## Domain allowed access. ## # interface(`unconfined_rw_pipe',` gen_require(` type unconfined_t; class fifo_file rw_file_perms; ') allow $1 unconfined_t:fifo_file rw_file_perms; ') ######################################## ##

## Do not audit attempts to read or write ## unconfined domain tcp sockets. ##

## ##

## Do not audit attempts to read or write ## unconfined domain tcp sockets. ##

## This interface was added due to a broken ## symptom in ldconfig. ##

## ## ## Domain to not audit. ## # interface(`unconfined_dontaudit_rw_tcp_socket',` gen_require(` type unconfined_t; class tcp_socket { read write }; ') dontaudit $1 unconfined_t:tcp_socket { read write }; ') ######################################## ##

## Add an alias type to the unconfined domain. ##

## ##

## Add an alias type to the unconfined domain. ##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

## ## ## New alias of the unconfined domain. ## # interface(`unconfined_alias_domain',` ifdef(`targeted_policy',` gen_require(` type unconfined_t; ') typealias unconfined_t alias $1; ',` errprint(`Warning: $0($1) has no effect in strict policy.'__endline__) ') ')