# Module name and version as declared to the policy build.
policy_module(unconfined, 3.2.0)

########################################
#
# Declarations
#

# unconfined_t and unconfined_r are not declared in this file; they are
# presumably created by userdom_base_user_template(unconfined) - confirm.
# Using types created by these calls inside this module is not correct,
# however there is currently no other method to add access to these types.
userdom_base_user_template(unconfined)
userdom_manage_home_role(unconfined_r, unconfined_t)
userdom_manage_tmp_role(unconfined_r, unconfined_t)
userdom_manage_tmpfs_role(unconfined_r, unconfined_t)

# Entry point label for unconfined_t; the pair is registered as a system
# domain started by init.
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)

# Second domain, with its own entry point label, for programs that need
# executable writable memory (see the execmem section at the end of this file).
# Keeping it separate leaves the execstack/execmem grant off unconfined_t here.
type unconfined_execmem_t;
type unconfined_execmem_exec_t;
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
# Authorise unconfined_r for the execmem domain so the transition is role-valid.
role unconfined_r types unconfined_execmem_t;

########################################
#
# Local policy
#

# Executing a file labeled unconfined_execmem_exec_t from unconfined_t
# transitions the process into unconfined_execmem_t. The file label is the
# only gate, so review which files carry unconfined_execmem_exec_t.
domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)

files_create_boot_flag(unconfined_t)

# MCS exemptions: by name these lift the category constraints on signalling
# and on ptrace of other processes - confirm against the mcs interfaces.
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)

init_run_daemon(unconfined_t, unconfined_r)

libs_run_ldconfig(unconfined_t, unconfined_r)

# auditctl changes the audit rule set; runs of it from this domain are worth
# tracking when audit coverage is part of the security baseline.
logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r)

mount_run_unconfined(unconfined_t, unconfined_r)

# setfiles relabels files and semanage edits the policy store (per the tool
# names); both alter what the rest of the policy enforces.
seutil_run_setfiles(unconfined_t, unconfined_r)
seutil_run_semanage(unconfined_t, unconfined_r)

# Marks unconfined_t as an unconfined domain. The rule set behind this
# interface is defined outside this file and is where the broad access comes
# from; the calls around it add transitions and role authorisations.
unconfined_domain(unconfined_t)

# Objects of the listed classes created in the user home directory get the
# user home content type (per the interface name - confirm).
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })

# Compiled in only when distro_gentoo is defined for the build: lets
# unconfined_t and unconfined_r run run_init, directly and for init scripts
# (per the interface names - confirm).
ifdef(`distro_gentoo',`
	seutil_run_runinit(unconfined_t, unconfined_r)
	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
')

# Applied only when the ada module is part of the policy build.
# A _domtrans interface by convention allows a transition into the target
# domain without authorising a role - confirm against the interface.
optional_policy(`
	ada_domtrans(unconfined_t)
')

# Applied only when the apache module is part of the policy build.
# Note the argument order differs between the two calls: the _run interface
# takes (domain, role) and the _role interface takes (role, domain).
optional_policy(`
	apache_run_helper(unconfined_t, unconfined_r)
	apache_role(unconfined_r, unconfined_t)
')

# Applied only when the bind module is part of the policy build.
# A _run interface by convention allows the transition and authorises the
# role for the target domain - here the ndc control tool.
optional_policy(`
	bind_run_ndc(unconfined_t, unconfined_r)
')

# Applied only when the bootloader module is part of the policy build.
# Boot loader tooling changes what the machine boots, so runs that
# originate from unconfined_t are worth including in change monitoring.
optional_policy(`
	bootloader_run(unconfined_t, unconfined_r)
')

# Applied only when the cron module is part of the policy build.
# Presumably sets up cron job access for the unconfined role and domain;
# the exact rules are in the cron interface definition - confirm.
optional_policy(`
	cron_unconfined_role(unconfined_r, unconfined_t)
')

# D-Bus access for unconfined_t, applied only when the dbus-related
# interfaces are available. Each nested optional_policy adds message
# exchange with one service and is dropped on its own if that service
# module is absent. A _dbus_chat interface by convention allows sending
# and receiving messages over dbus - confirm per interface.
optional_policy(`
	init_dbus_chat_script(unconfined_t)

	dbus_stub(unconfined_t)

	optional_policy(`
		avahi_dbus_chat(unconfined_t)
	')

	optional_policy(`
		bluetooth_dbus_chat(unconfined_t)
	')

	optional_policy(`
		consolekit_dbus_chat(unconfined_t)
	')

	optional_policy(`
		cups_dbus_chat_config(unconfined_t)
	')

	optional_policy(`
		hal_dbus_chat(unconfined_t)
	')

	optional_policy(`
		networkmanager_dbus_chat(unconfined_t)
	')

	optional_policy(`
		oddjob_dbus_chat(unconfined_t)
	')
')

# Applied only when the firstboot module is part of the policy build.
# Transition into the firstboot domain plus role authorisation
# (per the _run convention - confirm).
optional_policy(`
	firstboot_run(unconfined_t, unconfined_r)
')

# Applied only when the ftp module is part of the policy build.
# Covers the ftpdctl control tool, not the ftp daemon itself
# (per the interface name - confirm).
optional_policy(`
	ftp_run_ftpdctl(unconfined_t, unconfined_r)
')

# Applied only when the inn module is part of the policy build.
# Transition only; no role argument is passed here, unlike the _run calls
# elsewhere in this file.
optional_policy(`
	inn_domtrans(unconfined_t)
')

# Applied only when the java module is part of the policy build.
# NOTE(review): the interface name suggests the java target domain is itself
# unconfined; check what memory permissions that domain carries - confirm.
optional_policy(`
	java_run_unconfined(unconfined_t, unconfined_r)
')

# Applied only when the lpd module is part of the policy build.
# Covers the checkpc helper (per the interface name - confirm).
optional_policy(`
	lpd_run_checkpc(unconfined_t, unconfined_r)
')

# Applied only when the modutils module is part of the policy build.
# The target tooling maintains kernel module configuration (per the
# interface name - confirm), so it belongs on the list of monitored tools.
optional_policy(`
	modutils_run_update_mods(unconfined_t, unconfined_r)
')

# Applied only when the mono module is part of the policy build.
# NOTE(review): a managed runtime domain; check which memory permissions
# the mono domain holds, since unconfined_t can enter it - confirm.
optional_policy(`
	mono_domtrans(unconfined_t)
')

# Applied only when the mta module is part of the policy build.
# Role-style interface: argument order is (role, domain).
optional_policy(`
	mta_role(unconfined_r, unconfined_t)
')

# Applied only when the oddjob module is part of the policy build.
# Transition into the mkhomedir helper domain (per the interface name -
# confirm); the D-Bus side of oddjob is granted in the dbus block above.
optional_policy(`
	oddjob_domtrans_mkhomedir(unconfined_t)
')

# Applied only when the prelink module is part of the policy build.
# prelink rewrites binaries and libraries on disk, so integrity monitoring
# should expect changes that originate from this transition.
optional_policy(`
	prelink_run(unconfined_t, unconfined_r)
')

# Applied only when the portmap module is part of the policy build.
# Covers the portmap helper, not the daemon (per the interface name - confirm).
optional_policy(`
	portmap_run_helper(unconfined_t, unconfined_r)
')

# Applied only when the postfix module is part of the policy build.
# The second call lets unconfined_t start the postfix master daemon domain
# directly instead of through the init script path; the author already
# flagged it for removal. NOTE(review): check whether anything still depends
# on this transition before dropping it.
optional_policy(`
	postfix_run_map(unconfined_t, unconfined_r)
	# cjp: this should probably be removed:
	postfix_domtrans_master(unconfined_t)
')

# Applied only when the pyzor module is part of the policy build.
# Role-style interface: argument order is (role, domain).
optional_policy(`
	pyzor_role(unconfined_r, unconfined_t)
')

# Applied only when the rpc module is part of the policy build.
# Direct transition from unconfined_t into the nfsd daemon domain; flagged
# by the author for removal. NOTE(review): same open question as the
# postfix master transition - confirm nothing relies on it.
optional_policy(`
	# cjp: this should probably be removed:
	rpc_domtrans_nfsd(unconfined_t)
')

# Applied only when the rpm module is part of the policy build.
# Package management installs and replaces system files, so this transition
# is one of the main paths for persistent change from unconfined_t.
optional_policy(`
	rpm_run(unconfined_t, unconfined_r)
')

# Applied only when the samba module is part of the policy build.
# Covers the net tool and the winbind helper (per the interface names -
# confirm); the samba daemons are not referenced here.
optional_policy(`
	samba_run_net(unconfined_t, unconfined_r)
	samba_run_winbind_helper(unconfined_t, unconfined_r)
')

# Applied only when the spamassassin module is part of the policy build.
# Role-style interface: argument order is (role, domain).
optional_policy(`
	spamassassin_role(unconfined_r, unconfined_t)
')

# Applied only when the interfaces below are available in the policy build.
# Grants both running the DHCP client and talking to it over D-Bus
# (per the interface names - confirm).
optional_policy(`
	sysnet_run_dhcpc(unconfined_t, unconfined_r)
	sysnet_dbus_chat_dhcpc(unconfined_t)
')

# Applied only when the tzdata module is part of the policy build.
# Transition plus role authorisation (per the _run convention - confirm).
optional_policy(`
	tzdata_run(unconfined_t, unconfined_r)
')

# Applied only when the usermanage module is part of the policy build.
# Covers the administrative password tool (per the interface name -
# confirm); credential changes made through it are worth auditing.
optional_policy(`
	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
')

# Applied only when the vpn module is part of the policy build.
# Transition plus role authorisation (per the _run convention - confirm).
optional_policy(`
	vpn_run(unconfined_t, unconfined_r)
')

# Applied only when the webalizer module is part of the policy build.
# Transition plus role authorisation (per the _run convention - confirm).
optional_policy(`
	webalizer_run(unconfined_t, unconfined_r)
')

# Applied only when the wine module is part of the policy build.
# NOTE(review): transition only, no role argument; check which memory
# permissions the wine domain holds, since unconfined_t can enter it - confirm.
optional_policy(`
	wine_domtrans(unconfined_t)
')

# Applied only when the xserver module is part of the policy build.
# Lets unconfined_t start the X server in its own domain
# (per the _domtrans convention - confirm).
optional_policy(`
	xserver_domtrans(unconfined_t)
')

########################################
#
# Unconfined Execmem Local policy
#

# execmem permits memory mappings that are both writable and executable and
# execstack permits an executable stack. Granting both to self means the
# memory protection checks that SELinux would otherwise apply do not
# constrain this domain. A process only arrives here by executing a file
# labeled unconfined_execmem_exec_t, so the set of files with that label
# defines the exposure and should be kept small and reviewed.
allow unconfined_execmem_t self:process { execstack execmem };
# NOTE(review): the _noaudit suffix suggests this variant of
# unconfined_domain omits some audit rules; if so, activity in this domain
# is less visible in audit logs than activity in unconfined_t - confirm
# against the interface definition.
unconfined_domain_noaudit(unconfined_execmem_t)

# D-Bus access for the execmem domain, applied only when the dbus-related
# interfaces are available; the hal exchange is independently optional.
optional_policy(`
	dbus_stub(unconfined_execmem_t)

	init_dbus_chat_script(unconfined_execmem_t)
	unconfined_dbus_chat(unconfined_execmem_t)

	optional_policy(`
		hal_dbus_chat(unconfined_execmem_t)
	')
')