## The unconfined domain.
########################################
##
## A template to make the specified domain unconfined.
##
##
## Domain to make unconfined.
##
#
template(`unconfined_domain_template',`
	# Grants the domain named by the first argument the rule set that
	# makes it unconfined. Review note: every capability check on self is
	# allowed below, so only trusted domains should instantiate this.

	# All Linux capabilities on self.
	allow $1 self:capability *;

	# Self-transition, needed to keep get_ordered_context_list happy.
	allow $1 self:process transition;

	# Read and write on own files; the write half exists so attributes
	# under /proc/self/attr can be set.
	allow $1 self:file rw_file_perms;

	# Userland object manager classes, every permission on self.
	allow $1 self:dbus *;
	allow $1 self:nscd *;
	allow $1 self:passwd *;

	# Per-module unconfined interfaces. Their rules live in other modules
	# and are not visible in this file.
	dev_unconfined($1)
	domain_unconfined($1)
	files_unconfined($1)
	fs_unconfined($1)
	kernel_unconfined($1)
	selinux_unconfined($1)

	# Only active when the allow_execmem tunable is on.
	tunable_policy(`allow_execmem',`
		# Original note: allow loading DSOs that require executable stack.
		# NOTE review: the permission granted is process execmem; execstack
		# is a separate process permission and is not granted here. Confirm
		# which one is intended.
		allow $1 self:process execmem;
	')

	# The optional blocks below exist to satisfy assertions; presumably
	# these are neverallow assertions in the named modules, to be confirmed.
	optional_policy(`authlogin.te',`
		auth_manage_shadow($1)
		auth_relabelto_shadow($1)
	')

	optional_policy(`bootloader.te',`
		bootloader_manage_kernel_modules($1)
	')

	optional_policy(`selinuxutil.te',`
		seutil_create_binary_pol($1)
		seutil_relabelto_binary_pol($1)
	')

	optional_policy(`storage.te',`
		storage_unconfined($1)
	')

	# Everything in this block is inactive unless TODO is set at build time.
	ifdef(`TODO',`
	if (allow_execmod) {
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1 texrel_shlib_t:file execmod;
	}

	ifdef(`dbusd.te', `
		# Communicate via dbusd.
		allow $1 system_dbusd_t:dbus *;
	')

	ifdef(`nscd.te', `
		# Get info via nscd.
		allow $1 nscd_t:nscd *;
	')
	') dnl end TODO
')
########################################
##
## Transition to the unconfined domain by executing a shell.
##
##
## Domain allowed access.
##
#
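interface(`unconfined_domtrans_shell',`
	# The requirement is declared with the type keyword, as in the other
	# interfaces of this file; a bare identifier is not a valid require
	# statement.
	gen_require(`
		type unconfined_t;
	')

	# Hands the caller-supplied domain and unconfined_t to the shell
	# domain transition interface under the corecmd prefix; its rules are
	# not visible in this file.
	# Review note: any domain passed here gains a path into unconfined_t
	# by executing a shell, so keep the set of callers small and trusted.
	corecmd_domtrans_shell($1,unconfined_t)
')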
########################################
##
## Inherit file descriptors from the unconfined domain.
##
##
## Domain allowed access.
##
#
interface(`unconfined_use_fd',`
	# Requires the unconfined type and the use permission of class fd.
	gen_require(`
		class fd use;
		type unconfined_t;
	')

	# Lets the caller-supplied domain use file descriptors that belong to
	# unconfined_t, such as descriptors it inherits from that domain.
	allow $1 unconfined_t:fd use;
')
########################################
##
## Send a SIGCHLD signal to the unconfined domain.
##
##
## Domain allowed access.
##
#
interface(`unconfined_sigchld',`
	# Requires the unconfined type and the sigchld permission of class
	# process.
	gen_require(`
		class process sigchld;
		type unconfined_t;
	')

	# Lets the caller-supplied domain send SIGCHLD to unconfined_t
	# processes. No other signal is granted here.
	allow $1 unconfined_t:process sigchld;
')
########################################
##
## Read and write unconfined domain unnamed pipes.
##
##
## Domain allowed access.
##
#
interface(`unconfined_rw_pipe',`
	# Requires the unconfined type and the read and write permission set
	# of class fifo_file.
	gen_require(`
		class fifo_file rw_file_perms;
		type unconfined_t;
	')

	# Lets the caller-supplied domain read and write pipes labeled
	# unconfined_t. Creating or relabeling such pipes is not granted here.
	allow $1 unconfined_t:fifo_file rw_file_perms;
')
########################################
##
## Add the unconfined domain to the specified role.
##
##
## Role to be authorized for the unconfined domain.
##
#
interface(`unconfined_role',`
	# Requires only the unconfined type.
	gen_require(`
		type unconfined_t;
	')

	# The first argument is used as a role identifier in the role
	# statement below, not as a domain type.
	# Review note: authorizing a role for unconfined_t widens what that
	# role can run as, so grant it only to roles meant to be unconfined.
	role $1 types unconfined_t;
')