|
Chris PeBenito |
17de1b |
## <summary>The unconfined domain.</summary>
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
########################################
|
|
Chris PeBenito |
17de1b |
## <summary>
|
|
Chris PeBenito |
17de1b |
## Make the specified domain unconfined.
|
|
Chris PeBenito |
17de1b |
## </summary>
|
|
Chris PeBenito |
17de1b |
## <param name="domain">
|
|
Chris PeBenito |
17de1b |
## <summary>
|
|
Chris PeBenito |
17de1b |
## Domain to make unconfined.
|
|
Chris PeBenito |
17de1b |
## </summary>
|
|
Chris PeBenito |
17de1b |
## </param>
|
|
Chris PeBenito |
17de1b |
#
|
|
Chris PeBenito |
17de1b |
interface(`unconfined_domain_noaudit',`
|
|
Chris PeBenito |
17de1b |
gen_require(`
|
|
Chris PeBenito |
17de1b |
class dbus all_dbus_perms;
|
|
Chris PeBenito |
17de1b |
class nscd all_nscd_perms;
|
|
Chris PeBenito |
17de1b |
class passwd all_passwd_perms;
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
# Use any Linux capability.
|
|
Dan Walsh |
3eaa99 |
allow $1 self:capability all_capabilities;
|
|
Chris PeBenito |
c0868a |
allow $1 self:fifo_file manage_fifo_file_perms;
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
# Transition to myself, to make get_ordered_context_list happy.
|
|
Chris PeBenito |
17de1b |
allow $1 self:process transition;
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
# Write access is for setting attributes under /proc/self/attr.
|
|
Chris PeBenito |
17de1b |
allow $1 self:file rw_file_perms;
|
|
Dan Walsh |
3eaa99 |
allow $1 self:dir rw_dir_perms;
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
# Userland object managers
|
|
Dan Walsh |
3eaa99 |
allow $1 self:nscd all_nscd_perms;
|
|
Dan Walsh |
3eaa99 |
allow $1 self:dbus all_dbus_perms;
|
|
Dan Walsh |
3eaa99 |
allow $1 self:passwd all_passwd_perms;
|
|
Dan Walsh |
3eaa99 |
allow $1 self:association all_association_perms;
|
|
Dan Walsh |
3eaa99 |
allow $1 self:socket_class_set create_socket_perms;
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
kernel_unconfined($1)
|
|
Chris PeBenito |
17de1b |
corenet_unconfined($1)
|
|
Chris PeBenito |
17de1b |
dev_unconfined($1)
|
|
Chris PeBenito |
17de1b |
domain_unconfined($1)
|
|
Chris PeBenito |
17de1b |
domain_dontaudit_read_all_domains_state($1)
|
|
Chris PeBenito |
a5e213 |
domain_dontaudit_ptrace_all_domains($1)
|
|
Chris PeBenito |
17de1b |
files_unconfined($1)
|
|
Chris PeBenito |
17de1b |
fs_unconfined($1)
|
|
Chris PeBenito |
17de1b |
selinux_unconfined($1)
|
|
Chris PeBenito |
17de1b |
|
|
Dan Walsh |
cbadf7 |
domain_mmap_low($1)
|
|
Dan Walsh |
3eaa99 |
|
|
Dan Walsh |
3eaa99 |
mls_file_read_all_levels($1)
|
|
Dan Walsh |
3eaa99 |
|
|
Dan Walsh |
3eaa99 |
ubac_process_exempt($1)
|
|
Dan Walsh |
3eaa99 |
|
|
Chris PeBenito |
17de1b |
tunable_policy(`allow_execheap',`
|
|
Chris PeBenito |
17de1b |
# Allow making the stack executable via mprotect.
|
|
Chris PeBenito |
17de1b |
allow $1 self:process execheap;
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
tunable_policy(`allow_execmem',`
|
|
Chris PeBenito |
17de1b |
# Allow making anonymous memory executable, e.g.
|
|
Chris PeBenito |
17de1b |
# for runtime-code generation or executable stack.
|
|
Chris PeBenito |
17de1b |
allow $1 self:process execmem;
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
465510 |
tunable_policy(`allow_execstack',`
|
|
Chris PeBenito |
465510 |
# Allow making the stack executable via mprotect;
|
|
Dan Walsh |
3a2e88 |
# execstack implies execmem;
|
|
Dan Walsh |
3a2e88 |
allow $1 self:process { execstack execmem };
|
|
Chris PeBenito |
17de1b |
# auditallow $1 self:process execstack;
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
optional_policy(`
|
|
Chris PeBenito |
17de1b |
auth_unconfined($1)
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
optional_policy(`
|
|
Chris PeBenito |
17de1b |
# Communicate via dbusd.
|
|
Chris PeBenito |
17de1b |
dbus_system_bus_unconfined($1)
|
|
Dan Walsh |
3eaa99 |
dbus_unconfined($1)
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
optional_policy(`
|
|
Chris PeBenito |
bdccba |
ipsec_setcontext_default_spd($1)
|
|
Chris PeBenito |
982035 |
ipsec_match_default_spd($1)
|
|
Chris PeBenito |
bdccba |
')
|
|
Chris PeBenito |
bdccba |
|
|
Chris PeBenito |
bdccba |
optional_policy(`
|
|
Chris PeBenito |
17de1b |
nscd_unconfined($1)
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
optional_policy(`
|
|
Chris PeBenito |
e8cb08 |
postgresql_unconfined($1)
|
|
Chris PeBenito |
e8cb08 |
')
|
|
Chris PeBenito |
e8cb08 |
|
|
Chris PeBenito |
e8cb08 |
optional_policy(`
|
|
Chris PeBenito |
17de1b |
seutil_create_bin_policy($1)
|
|
Chris PeBenito |
17de1b |
seutil_relabelto_bin_policy($1)
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
optional_policy(`
|
|
Chris PeBenito |
17de1b |
storage_unconfined($1)
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
2c12b4 |
|
|
Chris PeBenito |
2c12b4 |
optional_policy(`
|
|
Chris PeBenito |
2c12b4 |
xserver_unconfined($1)
|
|
Chris PeBenito |
2c12b4 |
')
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
########################################
|
|
Chris PeBenito |
17de1b |
## <summary>
|
|
Chris PeBenito |
17de1b |
## Make the specified domain unconfined and
|
|
Chris PeBenito |
14e543 |
## audit executable heap usage.
|
|
Chris PeBenito |
17de1b |
## </summary>
|
|
Chris PeBenito |
14e543 |
## <desc>
|
|
Chris PeBenito |
14e543 |
##
|
|
Chris PeBenito |
14e543 |
## Make the specified domain unconfined and
|
|
Chris PeBenito |
14e543 |
## audit executable heap usage. With exception
|
|
Chris PeBenito |
14e543 |
## of memory protections, usage of this interface
|
|
Chris PeBenito |
14e543 |
## will result in the level of access the domain has
|
|
Chris PeBenito |
14e543 |
## is like SELinux was not being used.
|
|
Chris PeBenito |
14e543 |
##
|
|
Chris PeBenito |
14e543 |
##
|
|
Chris PeBenito |
14e543 |
## Only completely trusted domains should use this interface.
|
|
Chris PeBenito |
14e543 |
##
|
|
Chris PeBenito |
14e543 |
## </desc>
|
|
Chris PeBenito |
17de1b |
## <param name="domain">
|
|
Chris PeBenito |
17de1b |
## <summary>
|
|
Chris PeBenito |
17de1b |
## Domain to make unconfined.
|
|
Chris PeBenito |
17de1b |
## </summary>
|
|
Chris PeBenito |
17de1b |
## </param>
|
|
Chris PeBenito |
17de1b |
#
|
|
Chris PeBenito |
17de1b |
interface(`unconfined_domain',`
|
|
Dan Walsh |
3eaa99 |
gen_require(`
|
|
Dan Walsh |
3eaa99 |
attribute unconfined_services;
|
|
Dan Walsh |
3eaa99 |
')
|
|
Dan Walsh |
3eaa99 |
|
|
Chris PeBenito |
17de1b |
unconfined_domain_noaudit($1)
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
tunable_policy(`allow_execheap',`
|
|
Chris PeBenito |
17de1b |
auditallow $1 self:process execheap;
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
')
|
|
Chris PeBenito |
17de1b |
|
|
Chris PeBenito |
17de1b |
########################################
|
|
Chris PeBenito |
17de1b |
## <summary>
|
|
Chris PeBenito |
350b6a |
## Add an alias type to the unconfined domain. (Deprecated)
|
|
Chris PeBenito |
350b6a |
## </summary>
|
|
Chris PeBenito |
350b6a |
## <desc>
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
## Add an alias type to the unconfined domain. (Deprecated)
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
## This is added to support targeted policy. Its
|
|
Chris PeBenito |
350b6a |
## use should be limited. It has no effect
|
|
Chris PeBenito |
350b6a |
## on the strict policy.
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
## </desc>
|
|
Chris PeBenito |
350b6a |
## <param name="domain">
|
|
Chris PeBenito |
350b6a |
## <summary>
|
|
Chris PeBenito |
350b6a |
## New alias of the unconfined domain.
|
|
Chris PeBenito |
350b6a |
## </summary>
|
|
Chris PeBenito |
350b6a |
## </param>
|
|
Chris PeBenito |
350b6a |
#
|
|
Chris PeBenito |
350b6a |
interface(`unconfined_alias_domain',`
|
|
Chris PeBenito |
350b6a |
refpolicywarn(`$0($1) has been deprecated.')
|
|
Chris PeBenito |
350b6a |
')
|
|
Chris PeBenito |
350b6a |
|
|
Chris PeBenito |
350b6a |
########################################
|
|
Chris PeBenito |
350b6a |
## <summary>
|
|
Chris PeBenito |
350b6a |
## Add an alias type to the unconfined execmem
|
|
Chris PeBenito |
350b6a |
## program file type. (Deprecated)
|
|
Chris PeBenito |
350b6a |
## </summary>
|
|
Chris PeBenito |
350b6a |
## <desc>
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
## Add an alias type to the unconfined execmem
|
|
Chris PeBenito |
350b6a |
## program file type. (Deprecated)
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
## This is added to support targeted policy. Its
|
|
Chris PeBenito |
350b6a |
## use should be limited. It has no effect
|
|
Chris PeBenito |
350b6a |
## on the strict policy.
|
|
Chris PeBenito |
350b6a |
##
|
|
Chris PeBenito |
350b6a |
## </desc>
|
|
Chris PeBenito |
350b6a |
## <param name="domain">
|
|
Chris PeBenito |
350b6a |
## <summary>
|
|
Chris PeBenito |
350b6a |
## New alias of the unconfined execmem program type.
|
|
Chris PeBenito |
350b6a |
## </summary>
|
|
Chris PeBenito |
350b6a |
## </param>
|
|
Chris PeBenito |
350b6a |
#
|
|
Chris PeBenito |
350b6a |
interface(`unconfined_execmem_alias_program',`
|
|
Chris PeBenito |
350b6a |
refpolicywarn(`$0($1) has been deprecated.')
|
|
Chris PeBenito |
350b6a |
')
|