#DESC Unconfined - The unconfined domain
#
# This is the initial domain, and is used for everything that
# is not explicitly confined.  It has no restrictions.
# It needs to be carefully protected from the confined domains:
# the only rules in this file that give other domains access *into*
# unconfined_t are the two narrow allow rules at the end of this section.

# unconfined_t carries the privilege attributes listed here (privuser,
# privhome, privrole, privowner, admin, auth_write, fs_domain, privmem),
# so any rule written elsewhere against one of those attributes applies
# to it as well.
type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
# Reachable from both the system role and the ordinary user role.
role system_r types unconfined_t;
role user_r types unconfined_t;
# unconfined_domain() is defined elsewhere; presumably it supplies the
# blanket allow rules that make this domain unrestricted.
unconfined_domain(unconfined_t)
# Inbound access granted to every type carrying the domain attribute:
# using file descriptors inherited from unconfined_t, and delivering
# SIGCHLD to it when a child exits.  Anything wider here would erode the
# protection described above.
allow domain unconfined_t:fd use;
allow domain unconfined_t:process sigchld;
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
# NOTE(review): every alias below names the *same* type as unconfined_t,
# so logrotate, sendmail, sshd, rpm, xdm and the secadm/sysadm roles all
# run unconfined here.  A rule elsewhere that mentions e.g. sshd_t is
# therefore a rule about unconfined_t.
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };

# Mark the console/tty and pty device types as admin terminals,
# presumably so attribute-based rules on admin_tty_type in the
# strict-policy macros apply to them.
typeattribute tty_device_t admin_tty_type;
typeattribute devpts_t admin_tty_type;
# User home directory type.
# A single pair of home types serves every user; the per-role
# {sysadm,staff}_home_t names are added as aliases further down.
type user_home_t, file_type, sysadmfile, home_type;
type user_home_dir_t, file_type, sysadmfile, home_dir_type;
# file_type_auto_trans (defined elsewhere) sets up the type transition:
# directories unconfined_t creates under home_root_t become user_home_dir_t.
file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
# privhome domains get only getattr and search (path lookup) on the home
# root -- this rule grants neither read (listing) nor write.
allow privhome home_root_t:dir { getattr search };
# Objects privhome domains create inside a home directory become user_home_t.
file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
# user_typealias(ROLE): declare the strict-policy per-role types
# (ROLE_home_t, ROLE_home_dir_t, ROLE_tty_device_t, ROLE_devpts_t) as
# aliases of the shared types above, so strict-policy macros that
# reference them still resolve.  When ROLE is "user" the two home
# aliases are skipped, because user_home_t / user_home_dir_t are the
# real types and aliasing a type to itself would be an error.
define(`user_typealias', `
ifelse($1,`user',`',`
typealias user_home_t alias $1_home_t;
typealias user_home_dir_t alias $1_home_dir_t;
')
typealias tty_device_t alias $1_tty_device_t;
typealias devpts_t alias $1_devpts_t;
')
# Instantiate the compatibility aliases for the three strict-policy roles.
user_typealias(sysadm)
user_typealias(staff)
user_typealias(user)
# Attributes referenced by strict-policy macros, declared here so those
# macros compile.  No type in this listing is assigned to any of them.
attribute user_file_type;
attribute staff_file_type;
attribute sysadm_file_type;
# Every permission of the filesystem class (the wildcard) on filesystems
# that carry no label.  NOTE(review): this includes mounting and
# relabelling such filesystems; intended for unconfined_t only.
allow unconfined_t unlabeled_t:filesystem *;
# Read the kernel message buffer.
allow unconfined_t self:system syslog_read;
# Unlabeled files must be allowed to reside on an unlabeled filesystem.
allow unlabeled_t self:filesystem associate;
# Support NFS home directories
bool use_nfs_home_dirs false;

# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
# NOTE(review): defaults to on, and the rule it guards (below) is
# granted to every domain, not only unconfined_t.
bool allow_execmem true;

# Allow making the stack executable via mprotect.
# Also requires allow_execmem.
# The rules conditional on this boolean are not in this listing.
bool allow_execstack true;

# Allow making a modified private file mapping executable (text relocation).
# The rules conditional on this boolean are not in this listing.
bool allow_execmod true;

# Support SAMBA home directories
bool use_samba_home_dirs false;

# Pull in the per-user samba and i18n_input domains when those modules
# are built.  NOTE(review): the i18n_input line looks inconsistent with
# the aliases further down that fold i18n_input_t into unconfined_t --
# confirm which is intended when i18n_input.te is present.
ifdef(`samba.te', `samba_domain(user)')
ifdef(`i18n_input.te', `i18n_input_domain(user)')

# Allow system to run with NIS
bool allow_ypbind false;

# Allow system to run with Kerberos
bool allow_kerberos false;

# Allow reading of files labelled with the default file context.
bool read_default_t true;
# NOTE(review): when allow_execmem is on this grants execmem to every
# type carrying the domain attribute -- confined domains included -- not
# just to unconfined_t.  Confirm that is intended; restricting the
# subject to unconfined_t would keep confined domains from mapping
# writable+executable anonymous memory.
if (allow_execmem) {
allow domain self:process execmem;
}
# Removing i18n_input from targeted for now, since it wants to read
# user home dirs.  Its types are folded into existing ones, presumably
# so references from other modules still resolve: its executable is
# plain bin_t, its domain is unconfined_t, its runtime dir is var_run_t.
typealias bin_t alias i18n_input_exec_t;
typealias unconfined_t alias i18n_input_t;
typealias var_run_t alias i18n_input_var_run_t;
# When the su module is built, the strict-policy names it expects must
# exist: sysadm_chkpwd_t is simply unconfined_t, and the sysadm/sshd tmp
# types are plain tmp_t.
ifdef(`su.te', `
typealias unconfined_t alias { sysadm_chkpwd_t };
typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
# su_domain (defined elsewhere) creates sysadm_su_t.
su_domain(sysadm)
# unconfinedtrans is defined elsewhere; it appears to mark domains that
# may transition into unconfined_t -- confirm before relying on it.
typeattribute sysadm_su_t unconfinedtrans;
role system_r types sysadm_su_t;
')