policy_module(unconfined,2.0.0)
|
########################################
#
# Declarations
#
|
# usage in this module of types created by these
# calls is not correct; however, we don't currently
# have another method to add access to these types
userdom_base_user_template(unconfined)
userdom_manage_home_template(unconfined)
userdom_manage_tmp_template(unconfined)
userdom_manage_tmpfs_template(unconfined)
|
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
|
type unconfined_execmem_t;
type unconfined_execmem_exec_t;
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
|
########################################
#
# Local policy
#
|
domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
|
files_create_boot_flag(unconfined_t)
|
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
|
init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
unconfined_domain(unconfined_t)
|
userdom_priveleged_home_dir_manager(unconfined_t)
|
optional_policy(`
ada_domtrans(unconfined_t)
')
|
optional_policy(`
apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
apache_per_role_template(unconfined, unconfined_t, unconfined_r)
# this is disallowed usage:
unconfined_domain(httpd_unconfined_script_t)
')
|
optional_policy(`
bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
cron_per_role_template(unconfined, unconfined_t, unconfined_r)
# this is disallowed usage:
unconfined_domain(unconfined_crond_t)
')
|
optional_policy(`
init_dbus_chat_script(unconfined_t)
|
dbus_stub(unconfined_t)
|
optional_policy(`
avahi_dbus_chat(unconfined_t)
')
|
optional_policy(`
bluetooth_dbus_chat(unconfined_t)
')
|
optional_policy(`
consolekit_dbus_chat(unconfined_t)
')
|
optional_policy(`
cups_dbus_chat_config(unconfined_t)
')
|
optional_policy(`
hal_dbus_chat(unconfined_t)
')
|
optional_policy(`
networkmanager_dbus_chat(unconfined_t)
')
|
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
')
|
optional_policy(`
firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
inn_domtrans(unconfined_t)
')
|
optional_policy(`
java_domtrans(unconfined_t)
')
|
optional_policy(`
lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
mono_domtrans(unconfined_t)
')
|
optional_policy(`
mta_per_role_template(unconfined, unconfined_t, unconfined_r)
')
|
optional_policy(`
oddjob_domtrans_mkhomedir(unconfined_t)
')
|
optional_policy(`
prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
# cjp: this should probably be removed:
postfix_domtrans_master(unconfined_t)
')
|
|
optional_policy(`
pyzor_per_role_template(unconfined)
')
|
optional_policy(`
# cjp: this should probably be removed:
rpc_domtrans_nfsd(unconfined_t)
')
|
optional_policy(`
rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
samba_per_role_template(unconfined)
samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
')
|
optional_policy(`
sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
sysnet_dbus_chat_dhcpc(unconfined_t)
')
|
optional_policy(`
tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
|
optional_policy(`
wine_domtrans(unconfined_t)
')
|
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
|
########################################
#
# Unconfined Execmem Local policy
#
|
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
|
optional_policy(`
dbus_stub(unconfined_execmem_t)
|
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
|
optional_policy(`
hal_dbus_chat(unconfined_execmem_t)
')
')