## The unconfined domain. ######################################## ## ## Make the specified domain unconfined. ## ## ## ## Domain to make unconfined. ## ## # interface(`unconfined_domain_noaudit',` gen_require(` class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. allow $1 self:capability *; allow $1 self:fifo_file create_file_perms; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; # Userland object managers allow $1 self:nscd *; allow $1 self:dbus *; allow $1 self:passwd *; kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) domain_unconfined($1) domain_dontaudit_read_all_domains_state($1) files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; ') tunable_policy(`allow_execmem',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; ') tunable_policy(`allow_execmem && allow_execstack',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; # auditallow $1 self:process execstack; ', ` # These are fairly common but seem to be harmless # caused by using shared libraries built with old tool chains #dontaudit $1 self:process execstack; ') optional_policy(` auth_unconfined($1) ') optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) ') optional_policy(` libs_use_shared_libs($1) ') optional_policy(` nscd_unconfined($1) ') optional_policy(` seutil_create_bin_policy($1) seutil_relabelto_bin_policy($1) ') optional_policy(` storage_unconfined($1) ') ') ######################################## ## ## Make the specified domain unconfined and ## audit executable memory and executable heap ## usage. ## ## ## ## Domain to make unconfined. ## ## # interface(`unconfined_domain',` unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` auditallow $1 self:process execheap; ') # Turn off this audit for FC5 # tunable_policy(`allow_execmem',` # auditallow $1 self:process execmem; # ') ') ######################################## ## ## Transition to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_domtrans',` gen_require(` type unconfined_t, unconfined_exec_t; ') domain_auto_trans($1,unconfined_exec_t,unconfined_t) allow $1 unconfined_t:fd use; allow unconfined_t $1:fd use; allow unconfined_t $1:fifo_file rw_file_perms; allow unconfined_t $1:process sigchld; ') ######################################## ## ## Execute specified programs in the unconfined domain. ## ## ## ## The type of the process performing this action. ## ## ## ## ## The role to allow the unconfined domain. ## ## ## ## ## The type of the terminal allow the unconfined domain to use. ## ## # interface(`unconfined_run',` gen_require(` type unconfined_t; ') unconfined_domtrans($1) role $2 types unconfined_t; allow unconfined_t $3:chr_file rw_term_perms; ') ######################################## ## ## Transition to the unconfined domain by executing a shell. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_shell_domtrans',` gen_require(` type unconfined_t; ') corecmd_shell_domtrans($1,unconfined_t) ') ######################################## ## ## Inherit file descriptors from the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_use_fds',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:fd use; ') ######################################## ## ## Send a SIGCHLD signal to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_sigchld',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:process sigchld; ') ######################################## ## ## Send a SIGNULL signal to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_signull',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:process signull; ') ######################################## ## ## Send generic signals to the unconfined domain. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_signal',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:process signal; ') ######################################## ## ## Read unconfined domain unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_read_pipes',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:fifo_file r_file_perms; ') ######################################## ## ## Do not audit attempts to read unconfined domain unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_dontaudit_read_pipes',` gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:fifo_file read; ') ######################################## ## ## Read and write unconfined domain unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_rw_pipes',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:fifo_file rw_file_perms; ') ######################################## ## ## Connect to the unconfined domain using ## a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_stream_connect',` gen_require(` type unconfined_t; ') allow $1 unconfined_t:unix_stream_socket connectto; ') ######################################## ## ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## ## ##

## Do not audit attempts to read or write ## unconfined domain tcp sockets. ##

##

## This interface was added due to a broken ## symptom in ldconfig. ##

##
## ## ## Domain to not audit. ## ## # interface(`unconfined_dontaudit_rw_tcp_sockets',` gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:tcp_socket { read write }; ') ######################################## ## ## Send messages to the unconfined domain over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_dbus_send',` gen_require(` type unconfined_t; class dbus send_msg; ') allow $1 unconfined_t:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## unconfined_t over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`unconfined_dbus_chat',` gen_require(` type unconfined_t; class dbus send_msg; ') allow $1 unconfined_t:dbus send_msg; allow unconfined_t $1:dbus send_msg; ') ######################################## ## ## Add an alias type to the unconfined domain. ## ## ##

## Add an alias type to the unconfined domain. ##

##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

##
## ## ## New alias of the unconfined domain. ## ## # interface(`unconfined_alias_domain',` ifdef(`targeted_policy',` gen_require(` type unconfined_t; ') typealias unconfined_t alias $1; ',` errprint(`Warning: $0($1) has no effect in strict policy.'__endline__) ') ')