optional_policy(`
unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
- unconfined_execmem_domtrans(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
sysnet_dns_name_resolve(chrome_sandbox_t)
-optional_policy(`
- execmem_exec(chrome_sandbox_t)
- execmem_execmod(chrome_sandbox_t)
-')
-
optional_policy(`
gnome_rw_inherited_config(chrome_sandbox_t)
gnome_read_home_config(chrome_sandbox_t)
+++ /dev/null
-
-/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-')
-/usr/lib/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
-
-/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
+++ /dev/null
-## <summary>execmem domain</summary>
-
-########################################
-## <summary>
-## Execute the execmem program
-## in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`execmem_exec',`
- gen_require(`
- type execmem_exec_t;
- ')
-
- can_exec($1, execmem_exec_t)
-')
-
-#######################################
-## <summary>
-## The role template for the execmem module.
-## </summary>
-## <desc>
-## <p>
-## This template creates a derived domains which are used
-## for execmem applications.
-## </p>
-## </desc>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
-## <param name="user_role">
-## <summary>
-## The role associated with the user domain.
-## </summary>
-## </param>
-## <param name="user_domain">
-## <summary>
-## The type of the user domain.
-## </summary>
-## </param>
-#
-template(`execmem_role_template',`
- gen_require(`
- type execmem_exec_t;
- ')
-
- type $1_execmem_t;
- domain_type($1_execmem_t)
- domain_entry_file($1_execmem_t, execmem_exec_t)
- role $2 types $1_execmem_t;
-
- userdom_unpriv_usertype($1, $1_execmem_t)
- userdom_manage_tmp_role($2, $1_execmem_t)
- userdom_manage_tmpfs_role($2, $1_execmem_t)
-
- allow $1_execmem_t self:process { execmem execstack };
- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
- domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-
- files_execmod_tmp($1_execmem_t)
-
- allow $3 execmem_exec_t:file execmod;
- allow $1_execmem_t execmem_exec_t:file execmod;
-
- # needed by plasma-desktop
- optional_policy(`
- gnome_read_usr_config($1_execmem_t)
- ')
-
- optional_policy(`
- mozilla_execmod_user_home_files($1_execmem_t)
- ')
-
- optional_policy(`
- nsplugin_rw_shm($1_execmem_t)
- nsplugin_rw_semaphores($1_execmem_t)
- ')
-
- optional_policy(`
- xserver_role($2, $1_execmem_t)
- ')
-')
-
-########################################
-## <summary>
-## Execute a execmem_exec file
-## in the specified domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="target_domain">
-## <summary>
-## The type of the new process.
-## </summary>
-## </param>
-#
-interface(`execmem_domtrans',`
- gen_require(`
- type execmem_exec_t;
- ')
-
- domtrans_pattern($1, execmem_exec_t, $2)
-')
-
-########################################
-## <summary>
-## Execmod the execmem_exec applications
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`execmem_execmod',`
- gen_require(`
- type execmem_exec_t;
- ')
-
- allow $1 execmem_exec_t:file execmod;
-')
-
+++ /dev/null
-policy_module(execmem, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type execmem_exec_t alias unconfined_execmem_exec_t;
-application_executable_file(execmem_exec_t)
-
/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
#
-/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-
ifdef(`distro_redhat',`
/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
')
domain_interactive_fd($1_java_t)
- userdom_unpriv_usertype($1, $1_java_t)
- userdom_manage_tmpfs_role($2, $1_java_t)
+ userdom_manage_user_tmpfs_files($1_java_t)
allow $1_java_t self:process { ptrace signal getsched execmem execstack };
domtrans_pattern($3, java_exec_t, $1_java_t)
- corecmd_bin_domtrans($1_java_t, $1_t)
+ corecmd_bin_domtrans($1_java_t, $3)
dev_dontaudit_append_rand($1_java_t)
## </summary>
## </param>
#
-interface(`java_domtrans',`
+template(`java_domtrans',`
gen_require(`
type java_t, java_exec_t;
')
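Review bot: Switching `java_domtrans` from `interface(` to `template(` does not match what the visible body does: the lines shown only require `java_t` and `java_exec_t`, declare no type and take no prefix argument. In the reference policy `template(` is conventionally used for macros that generate derived types, so readers and the generated interface documentation would treat this as a type-creating macro. The body continues outside this hunk; unless it declares something there, keep `interface(` for `java_domtrans`. If the change is deliberate, state the reason in the `## <summary>` block above the macro.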
java_domtrans_unconfined($1)
role $2 types unconfined_java_t;
-
- optional_policy(`
- nsplugin_role_notrans($2, unconfined_java_t)
- ')
')
########################################
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)
-files_read_etc_files(java_t)
files_read_usr_files(java_t)
files_search_home(java_t)
files_search_var_lib(java_t)
files_read_etc_runtime_files(java_t)
# Read global fonts and font config
+files_read_etc_files(java_t)
fs_getattr_xattr_fs(java_t)
fs_dontaudit_rw_tmpfs_files(java_t)
logging_send_syslog_msg(java_t)
-auth_use_nsswitch(java_t)
-
miscfiles_read_localization(java_t)
# Read global fonts and font config
miscfiles_read_fonts(java_t)
miscfiles_legacy_read_localization(java_t)
')
+optional_policy(`
+ nis_use_ypbind(java_t)
+')
+
+optional_policy(`
+ nscd_socket_use(java_t)
+')
+
optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
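Review bot: With `auth_use_nsswitch(java_t)` removed in the preceding hunk, the added `nis_use_ypbind(java_t)` and `nscd_socket_use(java_t)` blocks are the only name-service access visible for `java_t`, and nothing records that this narrowing is intended. Hosts that resolve users or hosts through another nsswitch backend would presumably see new AVC denials from confined Java, which is worth confirming on a test system before merge. I would add a comment above the first block, for example `# name service: NIS and nscd only; auth_use_nsswitch() intentionally not used`, so that a later denial is not resolved by widening the domain without review.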
# execheap is needed for itanium/BEA jrocket
allow unconfined_java_t self:process { execstack execmem execheap };
- init_dbus_chat_script(unconfined_java_t)
-
files_execmod_all_files(unconfined_java_t)
init_dbus_chat_script(unconfined_java_t)
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
- userdom_unpriv_usertype(unconfined, unconfined_java_t)
optional_policy(`
rpm_domtrans(unconfined_java_t)
')
-
- optional_policy(`
- wine_domtrans(unconfined_java_t)
- ')
')
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
- allow $1_mono_t self:process { signal getsched execheap execmem execstack };
- allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
fs_dontaudit_rw_tmpfs_files($1_mono_t)
corecmd_bin_domtrans($1_mono_t, $1_t)
- userdom_unpriv_usertype($1, $1_mono_t)
- userdom_manage_tmpfs_role($2, $1_mono_t)
+ userdom_manage_user_tmpfs_files($1_mono_t)
optional_policy(`
xserver_role($1_r, $1_mono_t)
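Review bot: The added `ptrace` in `allow $1_mono_t self:process { ... }` and in `allow $3 $1_mono_t:process { ... }` widens domains that already hold `execheap execmem execstack`, and nothing in the hunk says what needs it. The same permission is added to `mono_t` in the local-policy hunk that follows. Unless a recorded denial justifies it, I would keep the previous lines, `allow $1_mono_t self:process { signal getsched execheap execmem execstack };` and `allow $3 $1_mono_t:process { getattr noatsecure signal_perms };`. If it is required, add a comment such as `# ptrace: needed by <component>, see <bug reference>`, or put the rule under a `tunable_policy` so it can be switched off. Separately, `corecmd_bin_domtrans($1_mono_t, $1_t)` still targets `$1_t`, while the java template in this commit was changed to `$3`; the mono template probably wants the same change.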
# Local policy
#
-allow mono_t self:process { signal getsched execheap execmem execstack };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
init_dbus_chat_script(mono_t)
mplayer_read_user_home_files(nsplugin_t)
')
-optional_policy(`
- unconfined_execmem_signull(nsplugin_t)
-')
-
optional_policy(`
sandbox_read_tmpfs_files(nsplugin_t)
')
pulseaudio_manage_home_files(nsplugin_t)
pulseaudio_setattr_home_dir(nsplugin_t)
')
-
-optional_policy(`
- unconfined_execmem_exec(nsplugin_t)
-')
+++ /dev/null
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-
+++ /dev/null
-## <summary>Openoffice</summary>
-
-#######################################
-## <summary>
-## The per role template for the openoffice module.
-## </summary>
-## <param name="user_domain">
-## <summary>
-## The type of the user domain.
-## </summary>
-## </param>
-#
-interface(`openoffice_plugin_role',`
- gen_require(`
- type openoffice_exec_t;
- type openoffice_t;
- ')
-
- ########################################
- #
- # Local policy
- #
-
- domtrans_pattern($1, openoffice_exec_t, openoffice_t)
- allow $1 openoffice_t:process { signal sigkill };
-')
-
-#######################################
-## <summary>
-## role for openoffice
-## </summary>
-## <desc>
-## <p>
-## This template creates a derived domains which are used
-## for java applications.
-## </p>
-## </desc>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
-## <param name="user_role">
-## <summary>
-## The role associated with the user domain.
-## </summary>
-## </param>
-## <param name="user_domain">
-## <summary>
-## The type of the user domain.
-## </summary>
-## </param>
-#
-interface(`openoffice_role_template',`
- gen_require(`
- type openoffice_exec_t;
- ')
-
- role $2 types $1_openoffice_t;
-
- type $1_openoffice_t;
- domain_type($1_openoffice_t)
- domain_entry_file($1_openoffice_t, openoffice_exec_t)
- domain_interactive_fd($1_openoffice_t)
-
- userdom_unpriv_usertype($1, $1_openoffice_t)
- userdom_exec_user_home_content_files($1_openoffice_t)
-
- allow $1_openoffice_t self:process { getsched sigkill execmem execstack };
-
- allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
- allow $1_openoffice_t $3:tcp_socket { read write };
-
- domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
-
- dev_read_urand($1_openoffice_t)
- dev_read_rand($1_openoffice_t)
-
- fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
-
- allow $3 $1_openoffice_t:process { signal sigkill };
- allow $1_openoffice_t $3:unix_stream_socket connectto;
-
- optional_policy(`
- xserver_role($2, $1_openoffice_t)
- ')
-')
-
-########################################
-## <summary>
-## Execute openoffice_exec_t
-## in the specified domain.
-## </summary>
-## <desc>
-## <p>
-## Execute a openoffice_exec_t
-## in the specified domain.
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="target_domain">
-## <summary>
-## The type of the new process.
-## </summary>
-## </param>
-#
-interface(`openoffice_exec_domtrans',`
- gen_require(`
- type openoffice_exec_t;
- ')
-
- allow $2 openoffice_exec_t:file entrypoint;
- domtrans_pattern($1, openoffice_exec_t, $2)
-')
+++ /dev/null
-policy_module(openoffice, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type openoffice_t;
-type openoffice_exec_t;
-application_domain(openoffice_t, openoffice_exec_t)
-
-########################################
-#
-# Unconfined java local policy
-#
-
allow $1 unconfined_t:process signull;
')
-########################################
-## <summary>
-## Send a SIGNULL signal to the unconfined execmem domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_execmem_signull',`
- gen_require(`
- type unconfined_execmem_t;
- ')
-
- allow $1 unconfined_execmem_t:process signull;
-')
-
-########################################
-## <summary>
-## Send a signal to the unconfined execmem domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_execmem_signal',`
- gen_require(`
- type unconfined_execmem_t;
- ')
-
- allow $1 unconfined_execmem_t:process signal;
-')
-
########################################
## <summary>
## Send generic signals to the unconfined domain.
allow $1 unconfined_t:shm rw_shm_perms;
')
-########################################
-## <summary>
-## Read and write to unconfined execmem shared memory.
-## </summary>
-## <param name="domain">
-## <summary>
-## The type of the process performing this action.
-## </summary>
-## </param>
-#
-interface(`unconfined_execmem_rw_shm',`
- gen_require(`
- type unconfined_execmem_t;
- ')
-
- allow $1 unconfined_execmem_t:shm rw_shm_perms;
-')
-
-########################################
-## <summary>
-## Transition to the unconfined_execmem domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_execmem_domtrans',`
-
- gen_require(`
- type unconfined_execmem_t;
- ')
-
- execmem_domtrans($1, unconfined_execmem_t)
-')
-
-########################################
-## <summary>
-## execute the execmem applications
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_execmem_exec',`
-
- gen_require(`
- type execmem_exec_t;
- ')
-
- can_exec($1, execmem_exec_t)
-')
-
########################################
## <summary>
## Allow apps to set rlimits on userdomain
modutils_run_update_mods(unconfined_t, unconfined_r)
')
-optional_policy(`
- mono_role_template(unconfined, unconfined_r, unconfined_t)
- unconfined_domain_noaudit(unconfined_mono_t)
- role system_r types unconfined_mono_t;
-')
-
-
optional_policy(`
mozilla_role_plugin(unconfined_r)
gnomeclock_dontaudit_dbus_chat(xguest_t)
')
-optional_policy(`
- mono_role_template(xguest, xguest_r, xguest_t)
-')
-
optional_policy(`
mozilla_run_plugin(xguest_usertype, xguest_r)
')
init_dbus_chat(crond_t)
')
-optional_policy(`
- mono_domtrans(crond_t)
-')
-
optional_policy(`
amanda_search_var_lib(crond_t)
')
lpd_list_spool(system_cronjob_t)
')
-optional_policy(`
- mono_domtrans(system_cronjob_t)
-')
-
optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
sysnet_domtrans_ifconfig(virtd_lxc_t)
-optional_policy(`
- execmem_exec(virtd_lxc_t)
-')
-
#optional_policy(`
# unconfined_shell_domtrans(virtd_lxc_t)
# unconfined_signal(virtd_t)
optional_policy(`
unconfined_rw_shm(xserver_t)
- unconfined_execmem_rw_shm(xserver_t)
# xserver signals unconfined user on startx
unconfined_signal(xserver_t)
# Allow SELinux aware applications to request rpm_script_t execution
rpm_transition_script(initrc_t)
- optional_policy(`
- gen_require(`
- type unconfined_execmem_t, execmem_exec_t;
- ')
- init_system_domain(unconfined_execmem_t, execmem_exec_t)
- ')
-
optional_policy(`
rtkit_scheduled(initrc_t)
')
')
')
- optional_policy(`
- openoffice_role_template($1, $1_r, $1_usertype)
- ')
-
optional_policy(`
policykit_role($1_r, $1_usertype)
')
gpm_stream_connect($1_usertype)
')
- optional_policy(`
- mono_role_template($1, $1_r, $1_t)
- ')
-
optional_policy(`
mount_run_fusermount($1_t, $1_r)
mount_read_pid_files($1_t)