selinux-policy/refpolicy/policy/modules/system/unconfined.if
2005-09-21 14:49:41 +00:00

248 lines
5.1 KiB
Plaintext

## <summary>The unconfined domain.</summary>
########################################
## <summary>
## A template to make the specified domain unconfined.
## </summary>
## <param name="domain">
## Domain to make unconfined.
## </param>
#
template(`unconfined_domain_template',`
gen_require(`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
# Use any Linux capability.
allow $1 self:capability *;
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
# Userland object managers
allow $1 self:nscd *;
allow $1 self:dbus *;
allow $1 self:passwd *;
kernel_unconfined($1)
corenet_unconfined($1)
dev_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
domain_unconfined($1)
files_unconfined($1)
tunable_policy(`allow_execmem',`
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
')
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
')
optional_policy(`authlogin.te',`
auth_unconfined($1)
')
optional_policy(`bootloader.te',`
bootloader_manage_kernel_modules($1)
')
optional_policy(`dbus.te', `
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
')
optional_policy(`nscd.te', `
nscd_unconfined($1)
')
optional_policy(`selinuxutil.te',`
seutil_create_binary_pol($1)
seutil_relabelto_binary_pol($1)
')
optional_policy(`storage.te',`
storage_unconfined($1)
')
ifdef(`TODO',`
if (allow_execmod) {
ifdef(`targeted_policy', `', `
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1 texrel_shlib_t:file execmod;
allow $1 home_type:file execmod;
')
}
') dnl end TODO
')
########################################
## <summary>
## Transition to the unconfined domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`unconfined_domtrans',`
gen_require(`
type unconfined_t, unconfined_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,unconfined_exec_t,unconfined_t)
allow $1 unconfined_t:fd use;
allow unconfined_t $1:fd use;
allow unconfined_t $1:fifo_file rw_file_perms;
allow unconfined_t $1:process sigchld;
')
########################################
## <summary>
## Execute specified programs in the unconfined domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the unconfined domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the unconfined domain to use.
## </param>
#
interface(`unconfined_run',`
gen_require(`
type unconfined_t;
class chr_file rw_term_perms;
')
unconfined_domtrans($1)
role $2 types unconfined_t;
allow unconfined_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Transition to the unconfined domain by executing a shell.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`unconfined_shell_domtrans',`
gen_require(`
type unconfined_t;
')
corecmd_shell_domtrans($1,unconfined_t)
')
########################################
## <summary>
## Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`unconfined_use_fd',`
gen_require(`
type unconfined_t;
class fd use;
')
allow $1 unconfined_t:fd use;
')
########################################
## <summary>
## Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`unconfined_sigchld',`
gen_require(`
type unconfined_t;
class process sigchld;
')
allow $1 unconfined_t:process sigchld;
')
########################################
## <summary>
## Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`unconfined_rw_pipe',`
gen_require(`
type unconfined_t;
class fifo_file rw_file_perms;
')
allow $1 unconfined_t:fifo_file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </p>
## <p>
## This interface was added due to a broken
## symptom in ldconfig.
## </p>
## </desc>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_socket',`
gen_require(`
type unconfined_t;
class tcp_socket { read write };
')
dontaudit $1 unconfined_t:tcp_socket { read write };
')
########################################
## <summary>
## Add the unconfined domain to the specified role.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`unconfined_role',`
gen_require(`
type unconfined_t;
')
role $1 types unconfined_t;
')