diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 344e1e6..61e8572 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -971,3 +971,29 @@ interface(`corenet_use_tun_tap_device',`
dev_list_all_dev_nodes($1)
allow $1 tun_tap_device_t:chr_file { read write };
')
+
+########################################
+##
+## Unconfined access to network objects.
+##
+##
+## The domain allowed access.
+##
+#
+interface(`corenet_unconfined',`
+ gen_require(`
+ attribute node_type, netif_type, port_type;
+ class tcp_socket { send_msg recv_msg node_bind name_bind };
+ class udp_socket { send_msg recv_msg node_bind name_bind };
+ class rawip_socket node_bind;
+ ')
+
+ allow $1 node_type:node *;
+ allow $1 netif_type:netif *;
+ allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
+
+ # Bind to any network address.
+ # cjp: rawip_socket doesnt make any sense
+ allow $1 port_type:{ tcp_socket udp_socket } name_bind;
+ allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+')
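Review bot: The `# cjp: rawip_socket doesnt make any sense` note at L31 contradicts the code around it, since L23 requires `class rawip_socket node_bind` and L33 grants it; as committed, the interface both keeps the rule and says it is wrong. Either drop rawip_socket from L23 and L33, or, if raw sockets binding a local address is the intended case, replace the note with the reason, e.g. `# node_bind on rawip_socket covers raw sockets bound to a local address; name_bind has no meaning for them.`. Leaving a personal TODO in a permanently-exported interface is what the other new `*_unconfined` interfaces in this change avoid.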
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 1b6de8e..07544d7 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2042,3 +2042,25 @@ interface(`dev_dontaudit_setattr_video_dev',`
dontaudit $1 v4l_device_t:chr_file setattr;
')
+
+########################################
+##
+## Unconfined access to devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_unconfined',`
+ gen_require(`
+ attribute device_node, memory_raw_write, memory_raw_read;
+ type mtrr_device_t;
+ ')
+
+ allow $1 device_node:devfile_class_set *;
+ allow $1 mtrr_device_t:file *;
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_write, memory_raw_read;
+')
+
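Review bot: The header at L45 says only "Unconfined access to devices", but the body also grants `self:capability sys_rawio` (L60) and adds the caller to memory_raw_write/memory_raw_read (L61), which presumably are the attributes gating the raw-memory-device assertions elsewhere in the policy; a caller reading the summary would not expect a capability grant. Suggest `## Unconfined access to devices, including the sys_rawio capability and raw memory device read/write.` at L45. L63 also adds a trailing blank line at end of file, which the other hunks in this change do not.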
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index b8618ad..f70cff2 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1675,3 +1675,23 @@ interface(`fs_getattr_all_files',`
allow $1 filesystem_type:sock_file getattr;
')
+########################################
+##
+## Unconfined access to filesystems
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_unconfined',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem *;
+
+ # Create/access other files. fs_type is to pick up various
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+ allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+')
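Review bot: The comment at L86-L88 refers to `fs_type`, but the attribute actually required (L81) and used (L84, L89) is `filesystem_type`; the text looks carried over from the older policy and now names something that does not exist in this file. Change it to `# Create/access other files. filesystem_type is used to pick up the various` / `# pseudo filesystem types that are applied to both the filesystem` / `# and its files.`. L89 omits `file` and `chr_file` from the class list while the other new interfaces use the same five classes; if that is deliberate (presumably files_unconfined covers them), a one-line comment saying so would stop a reader adding them back. The `')` at L70 also runs straight into the banner at L71 with no blank line, unlike the corenetwork and devices hunks.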
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 2c58d7a..9b0abcf 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1015,3 +1015,27 @@ interface(`kernel_relabel_unlabeled',`
allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
')
+########################################
+##
+## Unconfined access to the kernel.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_unconfined',`
+ gen_require(`
+ type kernel_t, unlabeled_t;
+ attribute can_load_kernmodule, can_receive_kernel_messages;
+ ')
+
+# allow $1 proc_fs:{ dir file } *;
+
+ allow $1 sysctl_t:{ dir file } *;
+ allow $1 kernel_t:system *;
+ allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+ typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
+
+ kernel_rw_all_sysctl($1)
+')
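Review bot: `sysctl_t` is used at L114 but is not listed in the gen_require at L107-L110, which names only kernel_t, unlabeled_t and the two attributes; every other interface added in this change requires each type and attribute it references, so this should read `type kernel_t, unlabeled_t, sysctl_t;`. L112 is a commented-out allow rule at column 0 inside the interface body; either delete it or make it a proper comment explaining why proc_fs is not covered here. Whether `sysctl_t:{ dir file } *` at L114 is already subsumed by `kernel_rw_all_sysctl($1)` at L120 cannot be told from this hunk; if it is, one of the two is redundant.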
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 80398fe..bf5fa47 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -7,9 +7,6 @@ policy_module(kernel,1.0)
#
# assertion related attributes
-attribute can_load_policy;
-attribute can_setenforce;
-attribute can_setsecparam;
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
@@ -17,7 +14,7 @@ attribute can_receive_kernel_messages;
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, can_load_kernmodule, can_load_policy;
+type kernel_t, can_load_kernmodule;
role system_r types kernel_t;
domain_type(kernel_t)
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
@@ -173,6 +170,8 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
+selinux_load_policy(kernel_t)
+
term_use_console(kernel_t)
# Mount root file system. Used when loading a policy
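Review bot: kernel_t loses the can_load_policy attribute at L138-L139 and instead calls `selinux_load_policy(kernel_t)` at L146, while the `neverallow ~can_load_policy security_t:security load_policy` assertion now lives in selinux.te (L205); the build stays assertion-clean only if selinux_load_policy both allows load_policy and adds its caller to can_load_policy, and that interface body is outside this diff, so it should be confirmed. A comment above L146 would record the dependency: `# selinux_load_policy() must add kernel_t to can_load_policy; see the neverallow in selinux.te.`. The hunks at L126-L133 and L150-L157 are the matching removals of the declarations and assertions.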
@@ -200,9 +199,6 @@ logging_send_syslog_msg(kernel_t)
seutil_read_config(kernel_t)
seutil_read_binary_pol(kernel_t)
-neverallow ~can_load_policy security_t:security load_policy;
-neverallow ~can_setenforce security_t:security setenforce;
-neverallow ~can_setsecparam security_t:security setsecparam;
neverallow ~can_load_kernmodule self:capability sys_module;
########################################
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index a8baa0c..6f79c6e 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -250,3 +250,24 @@ interface(`selinux_compute_user_contexts',`
allow $1 security_t:security compute_user;
')
+########################################
+##
+## Unconfined access to the SELinux security server.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`selinux_unconfined',`
+ gen_require(`
+ attribute can_load_policy, can_setenforce, can_setsecparam;
+ type security_t;
+ class security { load_policy setenforce setbool };
+ ')
+
+ # Access the security API.
+ allow $1 security_t:security *;
+ auditallow $1 security_t:security { load_policy setenforce setbool };
+
+ typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
+')
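Review bot: The auditallow at L182 covers load_policy, setenforce and setbool but not setsecparam, even though L184 puts the domain into can_setsecparam and thereby waives the `neverallow ~can_setsecparam security_t:security setsecparam` assertion; the one assertion-gated operation that is unlocked here without an audit record is the odd one out. For uniform visibility of security-server changes by unconfined domains use `auditallow $1 security_t:security { load_policy setenforce setbool setsecparam };` and add setsecparam to the class require at L177. The `allow $1 security_t:security *;` at L181 is what the header promises, so no change there.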
diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te
index 25c104a..6953df6 100644
--- a/refpolicy/policy/modules/kernel/selinux.te
+++ b/refpolicy/policy/modules/kernel/selinux.te
@@ -6,6 +6,10 @@ policy_module(selinux,1.0)
# Declarations
#
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+
#
# security_t is the target type when checking
# the permissions in the security class. It is also
@@ -15,3 +19,7 @@ type security_t;
fs_type(security_t)
sid security context_template(system_u:object_r:security_t,s0)
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
+
+neverallow ~can_load_policy security_t:security load_policy;
+neverallow ~can_setenforce security_t:security setenforce;
+neverallow ~can_setsecparam security_t:security setsecparam;
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 996a029..659efa2 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -1,10 +1,10 @@
## Policy controlling access to storage devices
########################################
-##
+##
## Allow the caller to get the attributes of fixed disk
## device nodes.
-##
+##
##
## The type of the process performing this action.
##
@@ -20,10 +20,10 @@ interface(`storage_getattr_fixed_disk',`
')
########################################
-##
+##
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
-##
+##
##
## The type of the process to not audit.
##
@@ -38,10 +38,10 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
')
########################################
-##
+##
## Allow the caller to set the attributes of fixed disk
## device nodes.
-##
+##
##
## The type of the process performing this action.
##
@@ -57,10 +57,10 @@ interface(`storage_setattr_fixed_disk',`
')
########################################
-##
+##
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
-##
+##
##
## The type of the process to not audit.
##
@@ -75,12 +75,12 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
')
########################################
-##
+##
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -98,12 +98,12 @@ interface(`storage_raw_read_fixed_disk',`
')
########################################
-##
+##
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -121,9 +121,9 @@ interface(`storage_raw_write_fixed_disk',`
')
########################################
-##
+##
## Create block devices in /dev with the fixed disk type.
-##
+##
##
## The type of the process performing this action.
##
@@ -197,12 +197,12 @@ interface(`storage_swapon_fixed_disk',`
')
########################################
-##
+##
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -220,12 +220,12 @@ interface(`storage_raw_read_lvm_volume',`
')
########################################
-##
+##
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -243,10 +243,10 @@ interface(`storage_raw_write_lvm_volume',`
')
########################################
-##
+##
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
-##
+##
##
## The type of the process performing this action.
##
@@ -262,10 +262,10 @@ interface(`storage_getattr_scsi_generic',`
')
########################################
-##
+##
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
-##
+##
##
## The type of the process performing this action.
##
@@ -281,13 +281,13 @@ interface(`storage_setattr_scsi_generic',`
')
########################################
-##
+##
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -305,13 +305,13 @@ interface(`storage_read_scsi_generic',`
')
########################################
-##
+##
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -329,10 +329,10 @@ interface(`storage_write_scsi_generic',`
')
########################################
-##
+##
## Get attributes of the device nodes
## for the SCSI generic inerface.
-##
+##
##
## The type of the process performing this action.
##
@@ -348,10 +348,10 @@ interface(`storage_getattr_scsi_generic',`
')
########################################
-##
+##
## Set attributes of the device nodes
## for the SCSI generic inerface.
-##
+##
##
## The type of the process performing this action.
##
@@ -367,10 +367,10 @@ interface(`storage_set_scsi_generic_attributes',`
')
########################################
-##
+##
## Allow the caller to get the attributes of removable
## devices device nodes.
-##
+##
##
## The type of the process performing this action.
##
@@ -386,10 +386,10 @@ interface(`storage_getattr_removable_device',`
')
########################################
-##
+##
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
-##
+##
##
## The type of the process to not audit.
##
@@ -404,10 +404,10 @@ interface(`storage_dontaudit_getattr_removable_device',`
')
########################################
-##
+##
## Allow the caller to set the attributes of removable
## devices device nodes.
-##
+##
##
## The type of the process performing this action.
##
@@ -423,10 +423,10 @@ interface(`storage_setattr_removable_device',`
')
########################################
-##
+##
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
-##
+##
##
## The type of the process to not audit.
##
@@ -441,13 +441,13 @@ interface(`storage_dontaudit_setattr_removable_device',`
')
########################################
-##
+##
## Allow the caller to directly read from
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -463,13 +463,13 @@ interface(`storage_raw_read_removable_device',`
')
########################################
-##
+##
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -485,10 +485,10 @@ interface(`storage_raw_write_removable_device',`
')
########################################
-##
+##
## Allow the caller to directly read
## a tape device.
-##
+##
##
## The type of the process performing this action.
##
@@ -504,10 +504,10 @@ interface(`storage_read_tape_device',`
')
########################################
-##
+##
## Allow the caller to directly read
## a tape device.
-##
+##
##
## The type of the process performing this action.
##
@@ -523,10 +523,10 @@ interface(`storage_write_tape_device',`
')
########################################
-##
+##
## Allow the caller to get the attributes
## of device nodes of tape devices.
-##
+##
##
## The type of the process performing this action.
##
@@ -542,10 +542,10 @@ interface(`storage_getattr_tape_device',`
')
########################################
-##
+##
## Allow the caller to set the attributes
## of device nodes of tape devices.
-##
+##
##
## The type of the process performing this action.
##
@@ -560,3 +560,23 @@ interface(`storage_setattr_tape_device',`
allow $1 tape_device_t:blk_file setattr;
')
+########################################
+##
+## Unconfined access to storage devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`storage_unconfined',`
+ gen_require(`
+ type fixed_disk_device_t, removable_device_t;
+ type lvm_vg_t, scsi_generic_device_t, tape_device_t;
+ ')
+
+ allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
+ allow $1 { lvm_vg_t scsi_generic_device_t tape_device_t }:blk_file *;
+
+ typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+ typeattribute $1 scsi_generic_read, scsi_generic_write;
+')
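Review bot: L551-L552 assign the attributes fixed_disk_raw_read, fixed_disk_raw_write, scsi_generic_read and scsi_generic_write, but the gen_require at L543-L546 lists only the five device types; dev_unconfined, kernel_unconfined and selinux_unconfined in this same change require every attribute they assign, so this block should add `attribute fixed_disk_raw_read, fixed_disk_raw_write;` and `attribute scsi_generic_read, scsi_generic_write;`. The preceding hunks in storage.if are whitespace-only. The interface summary uses "Domain allowed access." where the rest of this file says "The type of the process performing this action."; pick one for the file.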
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 28da967..2c975b9 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -452,6 +452,45 @@ interface(`domain_read_all_entry_files',`
allow $1 entry_type:file r_file_perms;
')
+########################################
+##
+## Unconfined access to domains.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_unconfined',`
+ gen_require(`
+ attribute domain, set_curr_context;
+ class fd use;
+ class fifo_file rw_file_perms;
+ class process { transition dyntransition execmem };
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ # Use/sendto/connectto sockets created by any domain.
+ allow $1 domain:{ socket_class_set socket key_socket } *;
+
+ # Use descriptors and pipes created by any domain.
+ allow $1 domain:fd use;
+ allow $1 domain:fifo_file rw_file_perms;
+
+ # Act upon any other process.
+ allow $1 domain:process ~{ transition dyntransition execmem };
+ typeattribute $1 set_curr_context;
+
+ # Create/access any System V IPC objects.
+ allow $1 domain:{ sem msgq shm } *;
+ allow $1 domain:msg { send receive };
+
+ # For /proc/pid
+ allow $1 domain:dir r_dir_perms;
+ allow $1 domain:file r_file_perms;
+ allow $1 domain:lnk_file r_file_perms;
+')
#
# These next macros are not interfaces, but actually are
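Review bot: The comment "Act upon any other process." at L587 understates what the complement at L588 grants: every process permission against every domain except transition, dyntransition and execmem, which includes ptrace, signal delivery, share and setcurrent; a complement rule is easy to misread as a restriction, and this is the broadest rule in the change. Suggest `# Act upon any other process: all process permissions (ptrace, signals, share,` / `# setcurrent, ...) except transition, dyntransition and execmem.`. The gen_require at L570-L578 lists fd, fifo_file, process, dir, file and lnk_file but not sem, msgq, shm, msg or key_socket used at L581, L592 and L593; if the block is meant to enumerate every class used, it is incomplete. The enclosing file continues past the hunk at L600.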
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 10dc4da..51ba3d8 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1342,3 +1342,30 @@ interface(`files_manage_generic_spools',`
allow $1 var_spool_t:dir rw_dir_perms;
allow $1 var_spool_t:file create_file_perms;
')
+
+########################################
+##
+## Unconfined access to files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_unconfined',`
+ gen_require(`
+ attribute file_type;
+ class unix_stream_socket name_bind;
+ class unix_dgram_socket name_bind;
+ ')
+
+ # Create/access any file in a labeled filesystem;
+ allow $1 file_type:{ file chr_file } ~execmod;
+ allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+ # Mount/unmount any filesystem with the context= option.
+ allow $1 file_type:filesystem *;
+
+ # Bind to any network address.
+ # cjp: need to check this, I dont think this has any effect.
+ allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+')
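Review bot: The `# cjp: need to check this, I dont think this has any effect.` note at L634 ships an unverified rule (L635, with its class requires at L622-L623) in a permanent interface. If, as the note suspects, bind on AF_UNIX sockets is not checked as name_bind against a file type, L622-L623 and L635 should be dropped; if it is, replace the note with the reason the rule is needed so the next reader does not repeat the investigation. The comment at L626 ends with a stray semicolon.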
diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc
new file mode 100644
index 0000000..c3a6c12
--- /dev/null
+++ b/refpolicy/policy/modules/system/unconfined.fc
@@ -0,0 +1,3 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
new file mode 100644
index 0000000..c74aadb
--- /dev/null
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -0,0 +1,75 @@
+## The unconfined domain.
+
+########################################
+##
+## A template to make the specified domain unconfined.
+##
+##
+## Domain to make unconfined.
+##
+#
+template(`unconfined_access_template',`
+
+ # Use any Linux capability.
+ allow $1 self:capability *;
+
+ # Transition to myself, to make get_ordered_context_list happy.
+ allow $1 self:process transition;
+
+ # Write access is for setting attributes under /proc/self/attr.
+ allow $1 self:file rw_file_perms;
+
+ # Userland object managers
+ allow $1 self:nscd *;
+ allow $1 self:dbus *;
+ allow $1 self:passwd *;
+
+ kernel_unconfined($1)
+ dev_unconfined($1)
+ fs_unconfined($1)
+ selinux_unconfined($1)
+
+ domain_unconfined($1)
+ files_unconfined($1)
+
+ tunable_policy(`allow_execmem',`
+ # Allow loading DSOs that require executable stack.
+ allow $1 self:process execmem;
+ ')
+
+ # to satisfy assertions:
+ optional_policy(`authlogin.te',`
+ auth_manage_shadow($1)
+ auth_relabelto_shadow($1)
+ ')
+
+ optional_policy(`bootloader.te',`
+ bootloader_manage_kernel_modules($1)
+ ')
+
+ optional_policy(`selinuxutil.te',`
+ seutil_create_binary_pol($1)
+ seutil_relabelto_binary_pol($1)
+ ')
+
+ optional_policy(`storage.te',`
+ storage_unconfined($1)
+ ')
+
+ ifdef(`TODO',`
+ if (allow_execmod) {
+ # Allow text relocations on system shared libraries, e.g. libGL.
+ allow $1 texrel_shlib_t:file execmod;
+ }
+
+ ifdef(`dbusd.te', `
+ # Communicate via dbusd.
+ allow $1 system_dbusd_t:dbus *;
+ ')
+
+ ifdef(`nscd.te', `
+ # Get info via nscd.
+ allow $1 nscd_t:nscd *;
+ ')
+ ') dnl end TODO
+')
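Review bot: `allow $1 self:capability *;` at L665 includes sys_module, which kernel.te asserts with `neverallow ~can_load_kernmodule self:capability sys_module` (L156); the template only passes that assertion because kernel_unconfined($1) at L678 adds the attribute, and nothing at L665 says so, while the "# to satisfy assertions:" remark at L691 covers only the optional_policy blocks below it. Suggest above L665: `# Includes sys_module and sys_rawio; kernel_unconfined() and dev_unconfined() below add the` / `# attributes that keep the corresponding neverallow assertions satisfied.`. The `ifdef(`TODO',` block at L710-L725 contains old-syntax rules that are never compiled; a plain comment or a tracked item would be clearer than dead policy. The `allow_execmem` tunable used at L686 is declared outside this diff.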
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
new file mode 100644
index 0000000..98106af
--- /dev/null
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -0,0 +1,23 @@
+
+policy_module(unconfined,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type unconfined_t;
+type unconfined_exec_t;
+init_system_domain(unconfined_t,unconfined_exec_t)
+role system_r types unconfined_t;
+
+########################################
+#
+# Local policy
+#
+
+unconfined_access_template(unconfined_t)
+logging_send_syslog_msg(unconfined_t)
+
+#role sysadm_r types unconfined_t;
+#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
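Review bot: unconfined_exec_t is declared at L742 and passed to init_system_domain at L743, but the role entry and domain transition at L754-L755 are commented-out legacy macros and unconfined.fc (L643-L645) holds only a commented example, so as committed nothing is labeled unconfined_exec_t and, presumably, only init can enter unconfined_t. A comment stating the current state would help: `# No file contexts or sysadm_r transition are defined yet; unconfined_t is presumably` / `# reachable only through init_system_domain().`. If the sysadm_r path is intended, replace L754-L755 with a TODO naming the interface to use rather than the obsolete domain_auto_trans call.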