## The unconfined domain. ######################################## ## ## A template to make the specified domain unconfined. ## ## ## Domain to make unconfined. ## # template(`unconfined_domain_template',` gen_require(` class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. allow $1 self:capability *; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; # Userland object managers allow $1 self:nscd *; allow $1 self:dbus *; allow $1 self:passwd *; kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) fs_unconfined($1) selinux_unconfined($1) domain_unconfined($1) files_unconfined($1) tunable_policy(`allow_execmem',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; ') tunable_policy(`allow_execmem && allow_execstack',` # Allow making the stack executable via mprotect. allow $1 self:process execstack; ') optional_policy(`authlogin.te',` auth_unconfined($1) ') optional_policy(`bootloader.te',` bootloader_manage_kernel_modules($1) ') optional_policy(`dbus.te', ` # Communicate via dbusd. dbus_system_bus_unconfined($1) ') optional_policy(`nscd.te', ` nscd_unconfined($1) ') optional_policy(`selinuxutil.te',` seutil_create_binary_pol($1) seutil_relabelto_binary_pol($1) ') optional_policy(`storage.te',` storage_unconfined($1) ') ifdef(`TODO',` if (allow_execmod) { ifdef(`targeted_policy', `', ` # Allow text relocations on system shared libraries, e.g. libGL. allow $1 texrel_shlib_t:file execmod; allow $1 home_type:file execmod; ') } ') dnl end TODO ') ######################################## ## ## Transition to the unconfined domain. ## ## ## Domain allowed access. ## # interface(`unconfined_domtrans',` gen_require(` type unconfined_t, unconfined_exec_t; class process sigchld; class fd use; class fifo_file rw_file_perms; ') domain_auto_trans($1,unconfined_exec_t,unconfined_t) allow $1 unconfined_t:fd use; allow unconfined_t $1:fd use; allow unconfined_t $1:fifo_file rw_file_perms; allow unconfined_t $1:process sigchld; ') ######################################## ## ## Execute specified programs in the unconfined domain. ## ## ## The type of the process performing this action. ## ## ## The role to allow the unconfined domain. ## ## ## The type of the terminal allow the unconfined domain to use. ## # interface(`unconfined_run',` gen_require(` type unconfined_t; class chr_file rw_term_perms; ') unconfined_domtrans($1) role $2 types unconfined_t; allow unconfined_t $3:chr_file rw_term_perms; ') ######################################## ## ## Transition to the unconfined domain by executing a shell. ## ## ## Domain allowed access. ## # interface(`unconfined_shell_domtrans',` gen_require(` type unconfined_t; ') corecmd_shell_domtrans($1,unconfined_t) ') ######################################## ## ## Inherit file descriptors from the unconfined domain. ## ## ## Domain allowed access. ## # interface(`unconfined_use_fd',` gen_require(` type unconfined_t; class fd use; ') allow $1 unconfined_t:fd use; ') ######################################## ## ## Send a SIGCHLD signal to the unconfined domain. ## ## ## Domain allowed access. ## # interface(`unconfined_sigchld',` gen_require(` type unconfined_t; class process sigchld; ') allow $1 unconfined_t:process sigchld; ') ######################################## ## ## Do not audit attempts to read unconfined domain unnamed pipes. ## ## ## Domain allowed access. ## # interface(`unconfined_dontaudit_read_pipe',` gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:fifo_file read; ') ######################################## ## ## Read and write unconfined domain unnamed pipes. ## ## ## Domain allowed access. ## # interface(`unconfined_rw_pipe',` gen_require(` type unconfined_t; class fifo_file rw_file_perms; ') allow $1 unconfined_t:fifo_file rw_file_perms; ') ######################################## ## ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## ## ##

## Do not audit attempts to read or write ## unconfined domain tcp sockets. ##

##

## This interface was added due to a broken ## symptom in ldconfig. ##

##
## ## Domain to not audit. ## # interface(`unconfined_dontaudit_rw_tcp_socket',` gen_require(` type unconfined_t; class tcp_socket { read write }; ') dontaudit $1 unconfined_t:tcp_socket { read write }; ') ######################################## ## ## Add an alias type to the unconfined domain. ## ## ##

## Add an alias type to the unconfined domain. ##

##

## This is added to support targeted policy. Its ## use should be very limited. ##

##
## ## New alias of the unconfined domain. ## # interface(`unconfined_alias_domain',` gen_require(` type unconfined_t; ') typealias unconfined_t alias $1; ')