policy_module(unconfined, 2.3.1)

########################################
#
# Declarations
#

# The types created by the template calls below are used directly in
# this module. That usage is not correct, but there is currently no
# other method to add access to these types.
# NOTE(review): unconfined_t, unconfined_r, unconfined_devpts_t and
# unconfined_tty_device_t are used throughout this file but are not
# declared in it, so they presumably come from these templates.
# Confirm against the userdomain module.
userdom_base_user_template(unconfined)
userdom_manage_home_template(unconfined)
userdom_manage_tmp_template(unconfined)
userdom_manage_tmpfs_template(unconfined)

# Entry point type paired with the unconfined_t domain.
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)

# Separate domain and entry point type for programs that need
# executable stack or executable anonymous memory. The allow rule
# that grants those permissions is in the execmem section of this file.
type unconfined_execmem_t;
type unconfined_execmem_exec_t;
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
# Authorize unconfined_r for the execmem domain. Without this role
# statement a process running as unconfined_r could not enter it.
role unconfined_r types unconfined_execmem_t;
########################################
#
# Local policy
#

# Transition unconfined_t into unconfined_execmem_t when it executes a
# file labelled unconfined_execmem_exec_t. Which files carry that label
# decides which programs end up in the execmem domain.
domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)

files_create_boot_flag(unconfined_t)

# NOTE(review): by their names these lift the MCS category checks for
# signalling and ptracing other processes. Confirm in the mcs interfaces.
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)

# The *_run calls in this file all take the same three arguments: the
# calling domain, the role, and the set of terminal types.
init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })

libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })

# NOTE(review): going by the interface names, unconfined_t may run
# auditctl, setfiles and semanage. A process in this domain could then
# change audit rules, file labels and the policy store, so monitoring
# of this domain should not rely on local audit configuration alone.
logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })

mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })

seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })

# This call is what makes unconfined_t an unconfined domain. The rules
# it expands to are defined in the unconfined interface file, not here.
unconfined_domain(unconfined_t)

# NOTE(review): priveleged is spelled this way in the call. The name has
# to match the interface definition, so do not correct it here alone.
userdom_priveleged_home_dir_manager(unconfined_t)

# Gentoo only: run_init access, from the user domain and from init scripts.
ifdef(`distro_gentoo',`
	seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
	seutil_init_script_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')
# Each optional_policy block is included only when the module that
# provides the interfaces it calls is available.
optional_policy(`
	ada_domtrans(unconfined_t)
')

# NOTE(review): httpd_unconfined_script_t is not declared in this file.
# The comment inside the block marks the unconfined_domain call on it as
# disallowed usage. When this block is enabled, that script domain is
# made unconfined, which is worth knowing when reviewing web script
# exposure on a system built from this policy.
optional_policy(`
	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
	# this is disallowed usage:
	unconfined_domain(httpd_unconfined_script_t)
')

optional_policy(`
	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

# NOTE(review): same pattern as the apache block. unconfined_crond_t is
# not declared in this file, and the call is marked as disallowed usage.
# It presumably comes from cron_per_role_template with the unconfined
# prefix. Confirm in the cron module.
optional_policy(`
	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
	# this is disallowed usage:
	unconfined_domain(unconfined_crond_t)
')
# D-Bus access for unconfined_t. The per-service chat rules sit in
# nested optional_policy blocks, so each one applies only when the
# outer block and that service module are both enabled.
# NOTE(review): every *_dbus_chat call here names a system service that
# unconfined_t may exchange D-Bus messages with. Review this list
# together with the D-Bus policy of each service.
optional_policy(`
	init_dbus_chat_script(unconfined_t)

	dbus_stub(unconfined_t)

	optional_policy(`
		avahi_dbus_chat(unconfined_t)
	')

	optional_policy(`
		bluetooth_dbus_chat(unconfined_t)
	')

	optional_policy(`
		consolekit_dbus_chat(unconfined_t)
	')

	optional_policy(`
		cups_dbus_chat_config(unconfined_t)
	')

	optional_policy(`
		hal_dbus_chat(unconfined_t)
	')

	optional_policy(`
		networkmanager_dbus_chat(unconfined_t)
	')

	optional_policy(`
		oddjob_dbus_chat(unconfined_t)
	')
')
# Optional access to helper programs and services, one block per
# providing module. The *_run calls pass the role and terminal types.
# The *_domtrans calls pass only the calling domain.
optional_policy(`
	firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	inn_domtrans(unconfined_t)
')

optional_policy(`
	java_domtrans(unconfined_t)
')

optional_policy(`
	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	mono_domtrans(unconfined_t)
')

optional_policy(`
	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
')

optional_policy(`
	oddjob_domtrans_mkhomedir(unconfined_t)
')

optional_policy(`
	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

# NOTE(review): the author comment inside this block flags
# postfix_domtrans_master for removal. By its name it lets unconfined_t
# start the postfix master program in its daemon domain. Confirm
# whether anything still depends on it before dropping the call.
optional_policy(`
	postfix_per_role_template(unconfined, unconfined_t, unconfined_r)
	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
	# cjp: this should probably be removed:
	postfix_domtrans_master(unconfined_t)
')


optional_policy(`
	pyzor_per_role_template(unconfined)
')
# Remaining optional blocks, one per providing module.
optional_policy(`
	qmail_per_role_template(unconfined, unconfined_t, unconfined_r)
')

# NOTE(review): the author comment inside this block flags
# rpc_domtrans_nfsd for removal. By its name it lets unconfined_t start
# nfsd in its daemon domain. Confirm before dropping the call.
optional_policy(`
	# cjp: this should probably be removed:
	rpc_domtrans_nfsd(unconfined_t)
')

optional_policy(`
	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	samba_per_role_template(unconfined)
	samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
	samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
')

optional_policy(`
	sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
	sysnet_dbus_chat_dhcpc(unconfined_t)
')

optional_policy(`
	tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')

optional_policy(`
	wine_domtrans(unconfined_t)
')

optional_policy(`
	xserver_domtrans_xdm_xserver(unconfined_t)
')
########################################
#
# Unconfined Execmem Local policy
#

# Let processes in unconfined_execmem_t make their own stack executable
# and map anonymous memory as executable. These two process permissions
# are the SELinux memory protection checks, so a program running in
# this domain is not stopped from running code out of writable memory.
# In this file the transition from unconfined_t into this domain is the
# domtrans_pattern on unconfined_execmem_exec_t. Keep the set of files
# with that label small and review additions to it.
allow unconfined_execmem_t self:process { execstack execmem };
# NOTE(review): by its name this is the unconfined access set without
# the audit rules of unconfined_domain. Confirm in the interface file,
# since a noaudit variant would leave less of a trail for this domain.
unconfined_domain_noaudit(unconfined_execmem_t)

# D-Bus access for the execmem domain, including chat with unconfined_t
# itself through unconfined_dbus_chat.
optional_policy(`
	dbus_stub(unconfined_execmem_t)

	init_dbus_chat_script(unconfined_execmem_t)
	unconfined_dbus_chat(unconfined_execmem_t)

	optional_policy(`
		hal_dbus_chat(unconfined_execmem_t)
	')
')