## The unconfined domain. ######################################## ## ## A template to make the specified domain unconfined. ## ## ## Domain to make unconfined. ## # template(`unconfined_domain_template',` # Use any Linux capability. allow $1 self:capability *; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; # Userland object managers allow $1 self:nscd *; allow $1 self:dbus *; allow $1 self:passwd *; kernel_unconfined($1) dev_unconfined($1) fs_unconfined($1) selinux_unconfined($1) domain_unconfined($1) files_unconfined($1) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. allow $1 self:process execmem; ') # to satisfy assertions: optional_policy(`authlogin.te',` auth_manage_shadow($1) auth_relabelto_shadow($1) ') optional_policy(`bootloader.te',` bootloader_manage_kernel_modules($1) ') optional_policy(`selinuxutil.te',` seutil_create_binary_pol($1) seutil_relabelto_binary_pol($1) ') optional_policy(`storage.te',` storage_unconfined($1) ') ifdef(`TODO',` if (allow_execmod) { # Allow text relocations on system shared libraries, e.g. libGL. allow $1 texrel_shlib_t:file execmod; } ifdef(`dbusd.te', ` # Communicate via dbusd. allow $1 system_dbusd_t:dbus *; ') ifdef(`nscd.te', ` # Get info via nscd. allow $1 nscd_t:nscd *; ') ') dnl end TODO ') ######################################## ## ## Transition to the unconfined domain by executing a shell. ## ## ## Domain allowed access. ## # interface(`unconfined_shell_domtrans',` gen_require(` unconfined_t; ') corecmd_domtrans_shell($1,unconfined_t) ') ######################################## ## ## Inherit file descriptors from the unconfined domain. ## ## ## Domain allowed access. ## # interface(`unconfined_use_fd',` gen_require(` type unconfined_t; class fd use; ') allow $1 unconfined_t:fd use; ') ######################################## ## ## Send a SIGCHLD signal to the unconfined domain. ## ## ## Domain allowed access. ## # interface(`unconfined_sigchld',` gen_require(` type unconfined_t; class process sigchld; ') allow $1 unconfined_t:process sigchld; ') ######################################## ## ## Read and write unconfined domain unnamed pipes. ## ## ## Domain allowed access. ## # interface(`unconfined_rw_pipe',` gen_require(` type unconfined_t; class fifo_file rw_file_perms; ') allow $1 unconfined_t:fifo_file rw_file_perms; ') ######################################## ## ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## ## ## ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## ## ## This interface was added due to a broken ## symptom in ldconfig. ## ## ## ## Domain to not audit. ## # interface(`unconfined_dontaudit_rw_tcp_socket',` gen_require(` type unconfined_t; class tcp_socket { read write }; ') dontaudit $1 unconfined_t:tcp_socket { read write }; ') ######################################## ## ## Add the unconfined domain to the specified role. ## ## ## Domain allowed access. ## # interface(`unconfined_role',` gen_require(` type unconfined_t; ') role $1 types unconfined_t; ')
## Do not audit attempts to read or write ## unconfined domain tcp sockets. ##
## This interface was added due to a broken ## symptom in ldconfig. ##