## <summary>The unconfined domain.</summary>
########################################
## <summary>
##	Make the specified domain unconfined,
##	without auditing executable memory use.
## </summary>
## <desc>
##	Make the specified domain unconfined. The domain receives every
##	Linux capability, all permissions on the dbus, nscd, passwd and
##	association classes for itself, the unconfined access granted by
##	the kernel, corenet, dev, domain, files, fs and selinux modules
##	(plus auth, dbus, nscd, seutil and storage when those modules are
##	loaded), and dontaudit rules for reading and ptracing the state of
##	all other domains. Executable heap, anonymous executable memory and
##	executable stack are additionally allowed when the allow_execheap,
##	allow_execmem and allow_execstack booleans are enabled.
##
##	This variant adds no auditallow rules, so executable-memory use by
##	the domain leaves no audit record; see unconfined_domain() for the
##	audited form. Treat any domain passed here as exempt from type
##	enforcement: the interfaces it calls are the unconfined hooks of
##	their modules (their exact scope is defined in those modules, not
##	here), and with the seutil rules below it can also create and
##	relabel the binary policy. Keep the set of domains that use this
##	interface as small as possible.
## </desc>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain_noaudit',`
	gen_require(`
		class dbus all_dbus_perms;
		class nscd all_nscd_perms;
		class passwd all_passwd_perms;
	')

	# Use any Linux capability.  Nothing in this policy limits the
	# capability set of the domain: CAP_SYS_ADMIN, CAP_SYS_MODULE,
	# CAP_DAC_OVERRIDE and the rest are all covered by *.
	allow $1 self:capability *;
	allow $1 self:fifo_file manage_fifo_file_perms;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	# This line grants only the file permissions; the process-class
	# permissions that decide which attributes may actually be changed
	# (setexec, setfscreate and friends) are not granted on this line.
	allow $1 self:file rw_file_perms;

	# Userland object managers: the dbus, nscd and passwd classes are
	# enforced by the respective daemons, not by the kernel.  The
	# association class (IPsec security associations) is a kernel
	# class that is kept under this heading.
	allow $1 self:nscd *;
	allow $1 self:dbus *;
	allow $1 self:passwd *;
	allow $1 self:association *;

	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	domain_unconfined($1)
	# The two dontaudit interfaces silence denials for reading and
	# ptracing other domains rather than granting that access; whether
	# domain_unconfined() above already allows it is decided in the
	# domain module, not here.
	domain_dontaudit_read_all_domains_state($1)
	domain_dontaudit_ptrace_all_domains($1)
	files_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)

	# execheap, execmem and execstack are the SELinux memory-protection
	# checks; each boolean below relaxes one of them for this domain.
	tunable_policy(`allow_execheap',`
		# Allow making the heap executable via mprotect.
		allow $1 self:process execheap;
	')

	tunable_policy(`allow_execmem',`
		# Allow making anonymous memory executable, e.g.
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
	')

	tunable_policy(`allow_execstack',`
		# Allow making the stack executable via mprotect;
		# execstack implies execmem;
		allow $1 self:process { execstack execmem };
		# auditallow $1 self:process execstack;
	')

	optional_policy(`
		auth_unconfined($1)
	')

	optional_policy(`
		# Communicate via dbusd.
		dbus_system_bus_unconfined($1)
	')

	optional_policy(`
		# this is to handle execmod on shared
		# libs with text relocations
		libs_use_shared_libs($1)
	')

	optional_policy(`
		nscd_unconfined($1)
	')

	optional_policy(`
		# Create and relabel the binary policy.  Together with
		# selinux_unconfined() above this very likely lets the domain
		# replace the policy the kernel enforces; confirm against
		# selinux.if before assuming anything weaker.
		seutil_create_bin_policy($1)
		seutil_relabelto_bin_policy($1)
	')

	optional_policy(`
		storage_unconfined($1)
	')
')

########################################
## <summary>
##	Make the specified domain unconfined and
##	audit executable heap usage.
## </summary>
## <desc>
##	Grant the same access as unconfined_domain_noaudit(), plus an
##	auditallow rule that records each use of an executable heap while
##	the allow_execheap boolean is on. The matching auditallow for
##	anonymous executable memory (allow_execmem) is commented out below
##	for FC5, so execmem use is not audited by this interface either;
##	re-enable it if an audit trail of executable memory is wanted.
##	All the security caveats of unconfined_domain_noaudit() apply.
## </desc>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain',`
	unconfined_domain_noaudit($1)

	# auditallow grants nothing by itself; the allow comes from the
	# matching tunable block in unconfined_domain_noaudit().
	tunable_policy(`allow_execheap',`
		auditallow $1 self:process execheap;
	')

	# Turn off this audit for FC5
	# tunable_policy(`allow_execmem',`
	#	auditallow $1 self:process execmem;
	# ')
')

########################################
## <summary>
##	Transition to the unconfined domain.
## </summary>
## <desc>
##	Allow the specified domain to execute files of type
##	unconfined_exec_t and automatically transition to unconfined_t
##	when it does, via the domtrans_pattern() support macro.
##
##	Because unconfined_t is not constrained by type enforcement, any
##	domain given this interface can escalate to unconfined simply by
##	running an unconfined_exec_t program. Grant it only to domains
##	that are trusted to do so, and use unconfined_run() when the role
##	also has to be authorized for unconfined_t.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_domtrans',`
	gen_require(`
		type unconfined_t, unconfined_exec_t;
	')

	# domtrans_pattern(source, entrypoint, target): the execute,
	# entrypoint, descriptor and type_transition rules are defined by
	# the support macro, not in this file.
	domtrans_pattern($1,unconfined_exec_t,unconfined_t)
')

########################################
## <summary>
##	Execute programs in the unconfined domain and
##	authorize a role for it.
## </summary>
## <desc>
##	Allow the specified domain to transition to unconfined_t by
##	executing unconfined_exec_t files, authorize the given role for
##	unconfined_t, and let unconfined_t read and write the given
##	terminal type.
##
##	The role authorization is the security-relevant part: after this
##	call every user whose role is the given one may run in
##	unconfined_t, i.e. outside type enforcement. Only pass roles that
##	are meant to be fully privileged.
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the unconfined domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the unconfined domain to use.
##	</summary>
## </param>
#
interface(`unconfined_run',`
	gen_require(`
		type unconfined_t;
	')

	unconfined_domtrans($1)
	# Authorize the role for unconfined_t; without this the domain
	# transition above would fail the role check.
	role $2 types unconfined_t;
	# Let the new unconfined process keep using the caller terminal.
	allow unconfined_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Transition to the unconfined domain by executing a shell.
## </summary>
## <desc>
##	Allow the specified domain to transition to unconfined_t when it
##	executes a shell (as labelled by the corecmd module), and let the
##	resulting unconfined process inherit descriptors from, exchange
##	pipe data with, and send SIGCHLD to the calling domain.
##
##	As with unconfined_domtrans(), any domain given this interface can
##	leave type enforcement at will, here by running any shell.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_shell_domtrans',`
	gen_require(`
		type unconfined_t;
	')

	corecmd_shell_domtrans($1,unconfined_t)
	# Rules for the new unconfined shell back towards its caller.
	# NOTE(review): rw_file_perms is used on a fifo_file here, while
	# the other fifo_file rules in this file use rw_fifo_file_perms
	# and manage_fifo_file_perms; confirm the intended permission set.
	allow unconfined_t $1:fd use;
	allow unconfined_t $1:fifo_file rw_file_perms;
	allow unconfined_t $1:process sigchld;
')

########################################
## <summary>
##	Allow unconfined to execute the specified program in
##	the specified domain.
## </summary>
## <desc>
##	Allow unconfined_t to execute files of the given entry point type
##	and transition into the given domain when doing so. This is the
##	hook a third-party module uses to take one program out of the
##	unconfined domain and run it confined.
##
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
## <param name="entry_file">
##	<summary>
##	Domain entry point file.
##	</summary>
## </param>
#
interface(`unconfined_domtrans_to',`
	gen_require(`
		type unconfined_t;
	')

	# Pattern argument order is (source, entrypoint, target):
	# unconfined_t running a $2 file ends up in $1.
	domtrans_pattern(unconfined_t,$2,$1)
')

########################################
## <summary>
##	Inherit file descriptors from the unconfined domain.
## </summary>
## <desc>
##	Allow the specified domain to keep using file descriptors that
##	were opened by unconfined_t and inherited or passed to it. The fd
##	use permission only covers the descriptor itself; what the domain
##	may do with the underlying object is still checked against that
##	object and is not granted here.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_use_fds',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fd use;
')

########################################
## <summary>
##	Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <desc>
##	Allow the specified domain to send SIGCHLD to unconfined_t
##	processes, which is what a child needs in order to report its exit
##	to an unconfined parent. sigchld is a separate permission from
##	signal and signull (see unconfined_signal() and
##	unconfined_signull()); nothing else is granted here.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_sigchld',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process sigchld;
')

########################################
## <summary>
##	Send a SIGNULL signal to the unconfined domain.
## </summary>
## <desc>
##	Allow the specified domain to send signal 0 (kill with no signal)
##	to unconfined_t processes, i.e. to test whether such a process
##	exists. No signal is actually delivered and no other signal
##	permission is granted.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_signull',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signull;
')

########################################
## <summary>
##	Send generic signals to the unconfined domain.
## </summary>
## <desc>
##	Allow the specified domain to send the generic signals (the signal
##	permission) to unconfined_t processes. sigchld, signull, sigkill
##	and sigstop are separate permissions and are not included; the
##	first two have their own interfaces in this file.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_signal',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signal;
')

########################################
## <summary>
##	Read unconfined domain unnamed pipes.
## </summary>
## <desc>
##	Allow the specified domain the read_fifo_file_perms set on
##	fifo_file objects labelled unconfined_t, i.e. unnamed pipes created
##	by unconfined_t and handed to the domain by descriptor. The domain
##	also needs fd use on the descriptor (unconfined_use_fds()) for the
##	usual inherited-pipe case.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <desc>
##	Suppress audit messages for the read permission on unconfined_t
##	unnamed pipes without granting it. Note that only read is covered:
##	unconfined_read_pipes() grants the wider read_fifo_file_perms set,
##	so other denials in that set (getattr, ioctl and so on, as defined
##	in the support macros) would still be logged.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	# NOTE(review): read only; see the desc above for the mismatch
	# with unconfined_read_pipes().
	dontaudit $1 unconfined_t:fifo_file read;
')

########################################
## <summary>
##	Read and write unconfined domain unnamed pipes.
## </summary>
## <desc>
##	Allow the specified domain the rw_fifo_file_perms set on fifo_file
##	objects labelled unconfined_t, i.e. unnamed pipes created by
##	unconfined_t and handed to the domain by descriptor. A domain that
##	can write such a pipe can feed data to an unconfined reader, so
##	pair this with care about what unconfined_t does with the input.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	unconfined domain unnamed pipes.
## </summary>
## <desc>
##	Suppress audit messages for read/write style access to unconfined_t
##	unnamed pipes without granting it. The dontaudit uses rw_file_perms
##	whereas the granting interface unconfined_rw_pipes() uses
##	rw_fifo_file_perms; whether the two sets are identical is decided in
##	the support macros, not here.
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	# NOTE(review): rw_file_perms on a fifo_file; unconfined_rw_pipes()
	# uses rw_fifo_file_perms. Confirm the sets match.
	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
')

########################################
## <summary>
##	Connect to the unconfined domain using
##	a unix domain stream socket.
## </summary>
## <desc>
##	Allow the specified domain the connectto permission on unix stream
##	sockets owned by unconfined_t. For a named (filesystem) socket the
##	domain additionally needs write access to the sock_file at the
##	socket path, which is not granted here and must come from the
##	module that labels that path.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_stream_connect',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
## </summary>
## <desc>
##	Suppress audit messages for read and write on tcp sockets owned by
##	unconfined_t, without allowing the access. The typical trigger is a
##	socket descriptor leaked across exec from an unconfined parent; the
##	denial is silenced rather than allowed so the confined domain still
##	cannot use the inherited connection.
##
##	This interface was added due to a broken
##	symptom in ldconfig.
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:tcp_socket { read write };
')

########################################
## <summary>
##	Create keys for the unconfined domain.
## </summary>
## <desc>
##	Allow the specified domain the create permission on kernel keyring
##	objects (the key class) labelled unconfined_t. No read, write, link
##	or search access to those keys is granted by this interface.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_create_keys',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:key create;
')

########################################
## <summary>
##	Send messages to the unconfined domain over dbus.
## </summary>
## <desc>
##	Allow the specified domain to send D-Bus messages to unconfined_t.
##	The dbus class is a userland object-manager class enforced by the
##	bus daemon, not by the kernel, so this rule only matters on a bus
##	daemon that consults SELinux. One-way only: replies from
##	unconfined_t need unconfined_dbus_chat().
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_send',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	allow $1 unconfined_t:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	unconfined_t over dbus.
## </summary>
## <desc>
##	Allow D-Bus messages in both directions between the specified
##	domain and unconfined_t. The reverse rule means an unconfined
##	process may invoke whatever D-Bus methods the domain exports, so
##	the domain must treat those calls as coming from a fully privileged
##	peer. Enforcement is done by the bus daemon (userland object
##	manager), not by the kernel.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_chat',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	allow $1 unconfined_t:dbus send_msg;
	allow unconfined_t $1:dbus send_msg;
')

########################################
## <summary>
##	Add an alias type to the unconfined domain.
## </summary>
## <desc>
##	Add an alias type to the unconfined domain. After this call the
##	given type is just another name for unconfined_t: every process,
##	object and rule that refers to the alias is treated exactly as
##	unconfined_t, regardless of what the module that defined the type
##	intended. This is how targeted policy makes the domains of
##	otherwise-confined modules unconfined.
##
##	This is added to support targeted policy. Its
##	use should be limited. It has no effect
##	on the strict policy (a build warning is emitted instead).
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined domain.
##	</summary>
## </param>
#
interface(`unconfined_alias_domain',`
	ifdef(`targeted_policy',`
		gen_require(`
			type unconfined_t;
		')

		typealias unconfined_t alias $1;
	',`
		refpolicywarn(`$0($1) has no effect in strict policy.')
	')
')

########################################
## <summary>
##	Add an alias type to the unconfined execmem
##	program file type.
## </summary>
## <desc>
##	Add an alias type to the unconfined execmem program file type.
##	After this call files labelled with the given type are treated as
##	unconfined_execmem_exec_t, i.e. as programs that are permitted to
##	use executable memory when run from the unconfined domain. Only
##	alias file types that genuinely need that exemption.
##
##	This is added to support targeted policy. Its
##	use should be limited. It has no effect
##	on the strict policy (a build warning is emitted instead).
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined execmem program type.
##	</summary>
## </param>
#
interface(`unconfined_execmem_alias_program',`
	ifdef(`targeted_policy',`
		gen_require(`
			type unconfined_execmem_exec_t;
		')

		typealias unconfined_execmem_exec_t alias $1;
	',`
		refpolicywarn(`$0($1) has no effect in strict policy.')
	')
')

########################################
## <summary>
##	Connect to the unconfined DBUS
##	for service (acquire_svc).
## </summary>
## <desc>
##	Allow the specified domain the acquire_svc permission with
##	unconfined_t as the target, i.e. to own a D-Bus service name whose
##	context resolves to unconfined_t. The check is performed by the bus
##	daemon (a userland object manager); which names map to
##	unconfined_t is decided by the bus configuration, not by this file.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_connect',`
	gen_require(`
		type unconfined_t;
		class dbus acquire_svc;
	')

	allow $1 unconfined_t:dbus acquire_svc;
')