## <summary>The unconfined domain.</summary>
########################################
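## <summary>
##	A template to make the specified domain unconfined.
## </summary>
## <desc>
##	<p>
##	Grants the domain every Linux capability, all permissions on
##	itself for the dbus, nscd and passwd userspace object-manager
##	classes, and the unconfined access of the kernel, corenet, dev,
##	domain, files, fs and selinux modules (plus the auth, nscd,
##	storage and system-bus unconfined access when those modules
##	are present).  The resulting domain is effectively exempt from
##	type enforcement, so this template is only appropriate for the
##	dedicated unconfined domain, never as a shortcut for confining
##	an ordinary service.
##	</p>
##	<p>
##	Executable-memory permissions are not granted unconditionally:
##	execheap, execmem and execstack are gated on the allow_execheap,
##	allow_execmem and allow_execstack tunables, and each one is
##	auditallowed when enabled so that its use shows up in the
##	audit log.
##	</p>
## </desc>
## <param name="domain">
##	Domain to make unconfined.
## </param>
#
template(`unconfined_domain_template',`
	gen_require(`
		class dbus all_dbus_perms;
		class nscd all_nscd_perms;
		class passwd all_passwd_perms;
	')

	# Use any Linux capability.
	allow $1 self:capability *;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file rw_file_perms;

	# Userland object managers (nscd, dbusd, passwd): every
	# permission of these classes on self.
	allow $1 self:nscd *;
	allow $1 self:dbus *;
	allow $1 self:passwd *;

	# Core unconfined access, one call per policy layer.
	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	domain_unconfined($1)
	domain_dontaudit_read_all_domains_state($1)
	files_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)

	tunable_policy(`allow_execheap',`
		# Allow making the heap executable via mprotect.
		# (The stack permission is execstack, handled below.)
		allow $1 self:process execheap;
		auditallow $1 self:process execheap;
	')

	tunable_policy(`allow_execmem',`
		# Allow making anonymous memory executable, e.g.
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
		auditallow $1 self:process execmem;
	')

	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		# Audited like execheap and execmem above, so that an
		# executable stack in the unconfined domain is logged.
		allow $1 self:process execstack;
		auditallow $1 self:process execstack;
	',`
		# These denials are fairly common but harmless; they are
		# usually caused by shared libraries built with old tool
		# chains that request an executable stack.
		dontaudit $1 self:process execstack;
	')

	optional_policy(`authlogin',`
		auth_unconfined($1)
	')

	optional_policy(`bootloader',`
		bootloader_manage_kernel_modules($1)
	')

	optional_policy(`dbus',`
		# Communicate via dbusd.
		dbus_system_bus_unconfined($1)
	')

	optional_policy(`libraries',`
		libs_use_shared_libs($1)
	')

	optional_policy(`nscd',`
		nscd_unconfined($1)
	')

	optional_policy(`selinuxutil',`
		seutil_create_binary_pol($1)
		seutil_relabelto_binary_pol($1)
	')

	optional_policy(`storage',`
		storage_unconfined($1)
	')

	# Compiled out unless the TODO m4 symbol is defined: the execmod
	# rule still uses a raw conditional instead of tunable_policy and
	# home_type is not in the gen_require block above.
	ifdef(`TODO',`
	if (allow_execmod) {
	ifdef(`targeted_policy', `', `
	# Allow text relocations on system shared libraries, e.g. libGL.
	allow $1 home_type:file execmod;
	')
	}
	') dnl end TODO
')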
########################################
## <summary>
##	Transition to the unconfined domain.
## </summary>
## <desc>
##	<p>
##	Allow the domain to transition to unconfined_t when it
##	executes a file labeled unconfined_exec_t, and set up the
##	usual parent/child exchange: each side may use file
##	descriptors inherited from the other, unconfined_t may read
##	and write unnamed pipes of the caller, and unconfined_t may
##	send SIGCHLD back to the caller.
##	</p>
##	<p>
##	This is a privilege-escalation path: a domain given this
##	interface reaches unconfined_t simply by running such an
##	executable, so it should only be granted to domains that
##	are trusted to do so.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_domtrans',`
	gen_require(`
		type unconfined_t, unconfined_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	# Transition to unconfined_t on execution of unconfined_exec_t.
	domain_auto_trans($1,unconfined_exec_t,unconfined_t)

	# fd inheritance in both directions, plus pipe and SIGCHLD
	# access so the child can report back to its parent.
	allow $1 unconfined_t:fd use;
	allow unconfined_t $1:fd use;
	allow unconfined_t $1:fifo_file rw_file_perms;
	allow unconfined_t $1:process sigchld;
')
########################################
## <summary>
##	Execute specified programs in the unconfined domain.
## </summary>
## <desc>
##	<p>
##	Builds on unconfined_domtrans(): in addition to the domain
##	transition, the given role is authorized for unconfined_t and
##	unconfined_t is allowed to read and write the given terminal
##	type, so the transition also works from an interactive session.
##	</p>
##	<p>
##	The role passed here becomes able to run in unconfined_t;
##	grant this only for roles that are meant to have unconfined
##	access.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="role">
##	The role to allow the unconfined domain.
## </param>
## <param name="terminal">
##	The type of the terminal to allow the unconfined domain to use.
## </param>
#
interface(`unconfined_run',`
	gen_require(`
		type unconfined_t;
		class chr_file rw_term_perms;
	')

	unconfined_domtrans($1)
	# Authorize the role for unconfined_t so the transition is
	# also permitted by role enforcement.
	role $2 types unconfined_t;
	# Let unconfined_t keep reading and writing the terminal type.
	allow unconfined_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
##	Transition to the unconfined domain by executing a shell.
## </summary>
## <desc>
##	<p>
##	Any shell executed by the domain runs in unconfined_t.  This is
##	a broader escalation path than unconfined_domtrans(), because
##	it is keyed on the shell executable rather than on
##	unconfined_exec_t; grant it only to domains that are meant to
##	hand out an unconfined shell.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_shell_domtrans',`
	gen_require(`
		type unconfined_t;
	')

	# Domain transition to unconfined_t on execution of a shell.
	corecmd_shell_domtrans($1,unconfined_t)
')
########################################
## <summary>
##	Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_use_fd',`
	gen_require(`
		type unconfined_t;
		class fd use;
	')

	# Allow using file descriptors inherited from unconfined_t.
	allow $1 unconfined_t:fd use;
')
########################################
## <summary>
##	Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_sigchld',`
	gen_require(`
		type unconfined_t;
		class process sigchld;
	')

	# SIGCHLD only; generic signals are unconfined_signal().
	allow $1 unconfined_t:process sigchld;
')
########################################
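## <summary>
##	Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_signal',`
	gen_require(`
		type unconfined_t;
		class process signal;
	')

	# Generic signals only (process:signal); SIGCHLD is a
	# separate permission, see unconfined_sigchld().
	allow $1 unconfined_t:process signal;
')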
########################################
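## <summary>
##	Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_read_pipe',`
	gen_require(`
		type unconfined_t;
		class fifo_file r_file_perms;
	')

	# Read-only side of the pipe; write access is unconfined_rw_pipe().
	allow $1 unconfined_t:fifo_file r_file_perms;
')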
########################################
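## <summary>
##	Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_dontaudit_read_pipe',`
	gen_require(`
		type unconfined_t;
		class fifo_file read;
	')

	# Suppresses the audit message only; no access is granted.
	dontaudit $1 unconfined_t:fifo_file read;
')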
########################################
## <summary>
##	Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_rw_pipe',`
	gen_require(`
		type unconfined_t;
		class fifo_file rw_file_perms;
	')

	# Both directions; the read-only variant is unconfined_read_pipe().
	allow $1 unconfined_t:fifo_file rw_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
##	</p>
##	<p>
##	This interface was added to quiet a denial observed
##	from ldconfig.  It grants no access; it only suppresses
##	the audit message for the read and write permissions.
##	</p>
## </desc>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_socket',`
	gen_require(`
		type unconfined_t;
		class tcp_socket { read write };
	')

	# dontaudit only: the denial still happens, it is just not logged.
	dontaudit $1 unconfined_t:tcp_socket { read write };
')
########################################
## <summary>
##	Send messages to the unconfined domain over dbus.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`unconfined_dbus_send',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	# One-way: replies from unconfined_t to $1 need a separate rule.
	allow $1 unconfined_t:dbus send_msg;
')
########################################
## <summary>
##	Add an alias type to the unconfined domain.
## </summary>
## <desc>
##	<p>
##	Add an alias type to the unconfined domain.
##	</p>
##	<p>
##	This is added to support targeted policy. Its
##	use should be limited. It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	New alias of the unconfined domain.
## </param>
#
interface(`unconfined_alias_domain',`
	ifdef(`targeted_policy',`
		gen_require(`
			type unconfined_t;
		')

		# In targeted policy $1 becomes another name for
		# unconfined_t, so anything labeled $1 is unconfined.
		typealias unconfined_t alias $1;
	',`
		# Strict policy: no alias is created.  Warn at build time
		# so the caller knows this call is a no-op here.
		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
	')
')