|
Chris PeBenito |
ab58ad |
#DESC Unconfined - The unconfined domain
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# This is the initial domain, and is used for everything that
|
|
Chris PeBenito |
ab58ad |
# is not explicitly confined. It has no restrictions.
|
|
Chris PeBenito |
ab58ad |
# It needs to be carefully protected from the confined domains.
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
|
|
Chris PeBenito |
ab58ad |
role system_r types unconfined_t;
|
|
Chris PeBenito |
ab58ad |
role user_r types unconfined_t;
|
|
Chris PeBenito |
ab58ad |
unconfined_domain(unconfined_t)
|
|
Chris PeBenito |
ab58ad |
allow domain unconfined_t:fd use;
|
|
Chris PeBenito |
ab58ad |
allow domain unconfined_t:process sigchld;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Define some type aliases to help with compatibility with
|
|
Chris PeBenito |
ab58ad |
# macros and domains from the "strict" policy.
|
|
Chris PeBenito |
ab58ad |
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
typeattribute tty_device_t admin_tty_type;
|
|
Chris PeBenito |
ab58ad |
typeattribute devpts_t admin_tty_type;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# User home directory type.
|
|
Chris PeBenito |
ab58ad |
type user_home_t, file_type, sysadmfile, home_type;
|
|
Chris PeBenito |
ab58ad |
type user_home_dir_t, file_type, sysadmfile, home_dir_type;
|
|
Chris PeBenito |
ab58ad |
file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
|
|
Chris PeBenito |
ab58ad |
allow privhome home_root_t:dir { getattr search };
|
|
Chris PeBenito |
ab58ad |
file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
define(`user_typealias', `
|
|
Chris PeBenito |
ab58ad |
ifelse($1,`user',`',`
|
|
Chris PeBenito |
ab58ad |
typealias user_home_t alias $1_home_t;
|
|
Chris PeBenito |
ab58ad |
typealias user_home_dir_t alias $1_home_dir_t;
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
typealias tty_device_t alias $1_tty_device_t;
|
|
Chris PeBenito |
ab58ad |
typealias devpts_t alias $1_devpts_t;
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
user_typealias(sysadm)
|
|
Chris PeBenito |
ab58ad |
user_typealias(staff)
|
|
Chris PeBenito |
ab58ad |
user_typealias(user)
|
|
Chris PeBenito |
ab58ad |
attribute user_file_type;
|
|
Chris PeBenito |
ab58ad |
attribute staff_file_type;
|
|
Chris PeBenito |
ab58ad |
attribute sysadm_file_type;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow unconfined_t unlabeled_t:filesystem *;
|
|
Chris PeBenito |
ab58ad |
allow unconfined_t self:system syslog_read;
|
|
Chris PeBenito |
ab58ad |
allow unlabeled_t self:filesystem associate;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Support NFS home directories
|
|
Chris PeBenito |
ab58ad |
bool use_nfs_home_dirs false;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Allow making anonymous memory executable, e.g.
|
|
Chris PeBenito |
ab58ad |
# for runtime-code generation or executable stack.
|
|
Chris PeBenito |
ab58ad |
bool allow_execmem true;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Allow making the stack executable via mprotect.
|
|
Chris PeBenito |
ab58ad |
# Also requires allow_execmem.
|
|
Chris PeBenito |
ab58ad |
bool allow_execstack true;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Allow making a modified private file mapping executable (text relocation).
|
|
Chris PeBenito |
ab58ad |
bool allow_execmod true;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Support SAMBA home directories
|
|
Chris PeBenito |
ab58ad |
bool use_samba_home_dirs false;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
ifdef(`samba.te', `samba_domain(user)')
|
|
Chris PeBenito |
ab58ad |
ifdef(`i18n_input.te', `i18n_input_domain(user)')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Allow system to run with NIS
|
|
Chris PeBenito |
ab58ad |
bool allow_ypbind false;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Allow system to run with Kerberos
|
|
Chris PeBenito |
ab58ad |
bool allow_kerberos false;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# allow reading of default file context
|
|
Chris PeBenito |
ab58ad |
bool read_default_t true;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
if (allow_execmem) {
|
|
Chris PeBenito |
ab58ad |
allow domain self:process execmem;
|
|
Chris PeBenito |
ab58ad |
}
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
#Removing i18n_input from targeted for now, since wants to read users homedirs
|
|
Chris PeBenito |
ab58ad |
typealias bin_t alias i18n_input_exec_t;
|
|
Chris PeBenito |
ab58ad |
typealias unconfined_t alias i18n_input_t;
|
|
Chris PeBenito |
ab58ad |
typealias var_run_t alias i18n_input_var_run_t;
|
|
Chris PeBenito |
ab58ad |
ifdef(`su.te', `
|
|
Chris PeBenito |
ab58ad |
typealias unconfined_t alias { sysadm_chkpwd_t };
|
|
Chris PeBenito |
ab58ad |
typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
|
|
Chris PeBenito |
ab58ad |
su_domain(sysadm)
|
|
Chris PeBenito |
ab58ad |
typeattribute sysadm_su_t unconfinedtrans;
|
|
Chris PeBenito |
ab58ad |
role system_r types sysadm_su_t;
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
|