########################################
## <summary>
##	Make the specified domain unconfined.
## </summary>
## <desc>
##	<p>
##	Grants the domain every Linux capability, all of the
##	*_unconfined() interfaces (kernel, network, devices, domains,
##	files, filesystems, SELinux itself), MLS read-all-levels and a
##	UBAC exemption, plus unconfined access to the optional userland
##	object managers that are present in the build.
##	</p>
##	<p>
##	The memory-protection permissions (mmap_zero, execheap, execmem,
##	execstack) remain gated by their tunables. This variant does not
##	auditallow executable-heap use; unconfined_domain() does.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain_noaudit',`
	gen_require(`
		# Userland object-manager classes: they are not kernel
		# classes, so they must be required here explicitly.
		class dbus all_dbus_perms;
		class nscd all_nscd_perms;
		class passwd all_passwd_perms;
	')

	# Use any Linux capability.
	allow $1 self:capability all_capabilities;
	allow $1 self:fifo_file manage_fifo_file_perms;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file rw_file_perms;
	allow $1 self:dir rw_dir_perms;

	# Userland object managers
	allow $1 self:nscd all_nscd_perms;
	allow $1 self:dbus all_dbus_perms;
	allow $1 self:passwd all_passwd_perms;

	allow $1 self:association all_association_perms;
	allow $1 self:socket_class_set create_socket_perms;

	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	domain_unconfined($1)
	# dontaudit only suppresses denial logging for these checks;
	# it grants nothing. Any ptrace/state access the domain actually
	# has comes from the rules above.
	domain_dontaudit_read_all_domains_state($1)
	domain_dontaudit_ptrace_all_domains($1)
	files_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)
	domain_mmap_low_type($1)
	mls_file_read_all_levels($1)
	ubac_process_exempt($1)

	tunable_policy(`mmap_low_allowed',`
		# Mapping the zero page is still subject to the tunable
		# even for unconfined domains.
		allow $1 self:memprotect mmap_zero;
	')

	tunable_policy(`allow_execheap',`
		# Allow making the heap executable via mprotect.
		allow $1 self:process execheap;
	')

	tunable_policy(`allow_execmem',`
		# Allow making anonymous memory executable, e.g.
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
	')

	tunable_policy(`allow_execstack',`
		# Allow making the stack executable via mprotect;
		# execstack implies execmem; Bugzilla #211271
		# Note that enabling allow_execstack therefore also grants
		# execmem, even when allow_execmem is off.
		allow $1 self:process { execmem execstack };
		# auditallow $1 self:process execstack;
	')

	optional_policy(`
		auth_unconfined($1)
	')

	optional_policy(`
		# Communicate via dbusd.
		dbus_system_bus_unconfined($1)
		dbus_unconfined($1)
	')

	optional_policy(`
		ipsec_setcontext_default_spd($1)
		ipsec_match_default_spd($1)
	')

	optional_policy(`
		nscd_unconfined($1)
	')

	optional_policy(`
		postgresql_unconfined($1)
	')

	optional_policy(`
		# Lets the domain create and relabel binary policy, i.e.
		# replace the loaded policy itself.
		seutil_create_bin_policy($1)
		seutil_relabelto_bin_policy($1)
	')

	optional_policy(`
		storage_unconfined($1)
	')

	optional_policy(`
		xserver_unconfined($1)
	')
')

########################################
## <summary>
##	Make the specified domain unconfined and
##	audit executable heap usage.
## </summary>
## <desc>
##	<p>
##	Make the specified domain unconfined and
##	audit executable heap usage. With the exception
##	of memory protections, using this interface gives
##	the domain the level of access it would have
##	if SELinux were not being used.
##	</p>
##	<p>
##	Only completely trusted domains should use this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain',`
	gen_require(`
		# NOTE(review): required but not referenced in this
		# interface body; looks like a leftover -- confirm.
		attribute unconfined_services;
	')

	# All access rules come from the noaudit variant; this
	# interface only adds the audit trail below.
	unconfined_domain_noaudit($1)

	tunable_policy(`allow_execheap',`
		# Log every use of execheap so that a trusted domain
		# making its heap executable leaves an audit record.
		auditallow $1 self:process execheap;
	')
')

########################################
## <summary>
##	Add an alias type to the unconfined domain. (Deprecated)
## </summary>
## <desc>
##	<p>
##	This is added to support targeted policy. Its
##	use should be limited. It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined domain.
##	</summary>
## </param>
#
interface(`unconfined_alias_domain',`
	# No-op: emits a build-time deprecation warning and
	# declares no alias and grants no access.
	refpolicywarn(`$0($1) has been deprecated.')
')

########################################
## <summary>
##	Add an alias type to the unconfined execmem
##	program file type. (Deprecated)
## </summary>
## <desc>
##	<p>
##	This is added to support targeted policy. Its
##	use should be limited. It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined execmem program type.
##	</summary>
## </param>
#
interface(`unconfined_execmem_alias_program',`
	# No-op: emits a build-time deprecation warning and
	# declares no alias and grants no access.
	refpolicywarn(`$0($1) has been deprecated.')
')