[people/stevee/selinux-policy.git] / policy / modules / system / unconfined.if

## <summary>The unconfined domain.</summary>

########################################
## <summary>
##	Make the specified domain unconfined.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain_noaudit',`
	gen_require(`
		type unconfined_t;
		class dbus all_dbus_perms;
		class nscd all_nscd_perms;
		class passwd all_passwd_perms;
	')

	# Use any Linux capability.
	allow $1 self:capability *;
	allow $1 self:fifo_file manage_fifo_file_perms;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file rw_file_perms;

	# Userland object managers
	allow $1 self:nscd *;
	allow $1 self:dbus *;
	allow $1 self:passwd *;
	allow $1 self:association *;

	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	domain_unconfined($1)
	domain_dontaudit_read_all_domains_state($1)
	domain_dontaudit_ptrace_all_domains($1)
	files_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)

	tunable_policy(`allow_execheap',`
		# Allow making the stack executable via mprotect.
		allow $1 self:process execheap;
	')

	tunable_policy(`allow_execmem',`
		# Allow making anonymous memory executable, e.g. 
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
	')

	tunable_policy(`allow_execstack',`
		# Allow making the stack executable via mprotect;
		# execstack implies execmem;
		allow $1 self:process { execstack execmem };
#		auditallow $1 self:process execstack;
	')

	optional_policy(`
		auth_unconfined($1)
	')

	optional_policy(`
		# Communicate via dbusd.
		dbus_system_bus_unconfined($1)
	')

	optional_policy(`
		ipsec_setcontext_default_spd($1)
		ipsec_match_default_spd($1)
	')

	optional_policy(`
		nscd_unconfined($1)
	')

	optional_policy(`
		postgresql_unconfined($1)
	')

	optional_policy(`
		seutil_create_bin_policy($1)
		seutil_relabelto_bin_policy($1)
	')

	optional_policy(`
		storage_unconfined($1)
	')

	optional_policy(`
		xserver_unconfined($1)
	')
')

########################################
## <summary>
##	Make the specified domain unconfined and
##	audit executable memory and executable heap
##	usage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain',`
	unconfined_domain_noaudit($1)

	tunable_policy(`allow_execheap',`
		auditallow $1 self:process execheap;
	')

# Turn off this audit for FC5
#	tunable_policy(`allow_execmem',`
#		auditallow $1 self:process execmem;
#	')
')

########################################
## <summary>
##	Add an alias type to the unconfined domain.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Add an alias type to the unconfined domain.  (Deprecated)
##	</p>
##	<p>
##	This is added to support targeted policy.  Its
##	use should be limited.  It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined domain.
##	</summary>
## </param>
#
interface(`unconfined_alias_domain',`
	refpolicywarn(`$0($1) has been deprecated.')
')

########################################
## <summary>
##	Add an alias type to the unconfined execmem
##	program file type.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Add an alias type to the unconfined execmem
##	program file type.  (Deprecated)
##	</p>
##	<p>
##	This is added to support targeted policy.  Its
##	use should be limited.  It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined execmem program type.
##	</summary>
## </param>
#
interface(`unconfined_execmem_alias_program',`
	refpolicywarn(`$0($1) has been deprecated.')
')

########################################
## <summary>
##	Transition to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_domtrans',`
	gen_require(`
		type unconfined_t, unconfined_exec_t;
	')

	domtrans_pattern($1, unconfined_exec_t, unconfined_t)
')

########################################
## <summary>
##	Execute specified programs in the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the unconfined domain.
##	</summary>
## </param>
#
interface(`unconfined_run',`
	gen_require(`
		type unconfined_t;
	')

	unconfined_domtrans($1)
	role $2 types unconfined_t;
')

########################################
## <summary>
##	Transition to the unconfined domain by executing a shell.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_shell_domtrans',`
	gen_require(`
		type unconfined_t;
	')

	corecmd_shell_domtrans($1, unconfined_t)
	allow unconfined_t $1:fd use;
	allow unconfined_t $1:fifo_file rw_file_perms;
	allow unconfined_t $1:process sigchld;
')

########################################
## <summary>
##	Allow unconfined to execute the specified program in
##	the specified domain.
## </summary>
## <desc>
##	<p>
##	Allow unconfined to execute the specified program in
##	the specified domain.
##	</p>
##	<p>
##	This is a interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
## <param name="entry_file">
##	<summary>
##	Domain entry point file.
##	</summary>
## </param>
#
interface(`unconfined_domtrans_to',`
	gen_require(`
		type unconfined_t;
	')

	domtrans_pattern(unconfined_t,$2,$1)
')

########################################
## <summary>
##	Allow unconfined to execute the specified program in
##	the specified domain.  Allow the specified domain the
##	unconfined role and use of unconfined user terminals.
## </summary>
## <desc>
##	<p>
##	Allow unconfined to execute the specified program in
##	the specified domain.  Allow the specified domain the
##	unconfined role and use of unconfined user terminals.
##	</p>
##	<p>
##	This is a interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
## <param name="entry_file">
##	<summary>
##	Domain entry point file.
##	</summary>
## </param>
#
interface(`unconfined_run_to',`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	domtrans_pattern(unconfined_t,$2,$1)
	role unconfined_r types $1;
	userdom_use_user_terminals($1)
')

########################################
## <summary>
##	Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_use_fds',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fd use;
')

########################################
## <summary>
##	Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_sigchld',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process sigchld;
')

########################################
## <summary>
##	Send a SIGNULL signal to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_signull',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signull;
')

########################################
## <summary>
##	Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_signal',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signal;
')

########################################
## <summary>
##	Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:fifo_file read;
')

########################################
## <summary>
##	Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
')

########################################
## <summary>
##	Connect to the unconfined domain using
##	a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_stream_connect',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
##	</p>
##	<p>
##	This interface was added due to a broken
##	symptom in ldconfig.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:tcp_socket { read write };
')

########################################
## <summary>
##	Create keys for the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_create_keys',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:key create;
')

########################################
## <summary>
##	Send messages to the unconfined domain over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_send',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	allow $1 unconfined_t:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	unconfined_t over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_chat',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	allow $1 unconfined_t:dbus send_msg;
	allow unconfined_t $1:dbus send_msg;
')

########################################
## <summary>
##	Connect to the the unconfined DBUS
##	for service (acquire_svc).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_connect',`
	gen_require(`
		type unconfined_t;
		class dbus acquire_svc;
	')

	allow $1 unconfined_t:dbus acquire_svc;
')
Commit	Line	Data
9726b318 CP	1	## <summary>The unconfined domain.</summary>
	2
	3	########################################
	4	## <summary>
95501942	5	## Make the specified domain unconfined.
9726b318 CP	6	## </summary>
9726b318 CP	7	## <param name="domain">
885b83ec	8	## <summary>
9726b318	9	## Domain to make unconfined.
885b83ec	10	## </summary>
9726b318 CP	11	## </param>
9726b318 CP	12	#
95501942	13	interface(`unconfined_domain_noaudit',`
142e9f40	14	gen_require(`
350b6ab7	15	type unconfined_t;
142e9f40 CP	16	class dbus all_dbus_perms;
	17	class nscd all_nscd_perms;
	18	class passwd all_passwd_perms;
	19	')
9726b318 CP	20
	21	# Use any Linux capability.
	22	allow $1 self:capability *;
c0868a7a	23	allow $1 self:fifo_file manage_fifo_file_perms;
9726b318 CP	24
	25	# Transition to myself, to make get_ordered_context_list happy.
	26	allow $1 self:process transition;
	27
	28	# Write access is for setting attributes under /proc/self/attr.
	29	allow $1 self:file rw_file_perms;
	30
	31	# Userland object managers
	32	allow $1 self:nscd *;
	33	allow $1 self:dbus *;
	34	allow $1 self:passwd *;
6b19be33	35	allow $1 self:association *;
9726b318 CP	36
9726b318 CP	37	kernel_unconfined($1)
8c3f438f	38	corenet_unconfined($1)
9726b318	39	dev_unconfined($1)
9cca1cd5	40	domain_unconfined($1)
93727e3f	41	domain_dontaudit_read_all_domains_state($1)
a5e2133b	42	domain_dontaudit_ptrace_all_domains($1)
9cca1cd5	43	files_unconfined($1)
9726b318 CP	44	fs_unconfined($1)
	45	selinux_unconfined($1)
	46
a225f983 CP	47	tunable_policy(`allow_execheap',`
	48	# Allow making the stack executable via mprotect.
	49	allow $1 self:process execheap;
a225f983 CP	50	')
a225f983 CP	51
9726b318	52	tunable_policy(`allow_execmem',`
98a8ead4 CP	53	# Allow making anonymous memory executable, e.g.
98a8ead4 CP	54	# for runtime-code generation or executable stack.
9726b318 CP	55	allow $1 self:process execmem;
	56	')
	57
46551033 CP	58	tunable_policy(`allow_execstack',`
	59	# Allow making the stack executable via mprotect;
	60	# execstack implies execmem;
	61	allow $1 self:process { execstack execmem };
8cfa5a00	62	# auditallow $1 self:process execstack;
98a8ead4 CP	63	')
98a8ead4 CP	64
bb7170f6	65	optional_policy(`
8b0bbdda	66	auth_unconfined($1)
9726b318 CP	67	')
9726b318 CP	68
bb7170f6	69	optional_policy(`
142e9f40 CP	70	# Communicate via dbusd.
	71	dbus_system_bus_unconfined($1)
	72	')
	73
bdccbacd CP	74	optional_policy(`
bdccbacd CP	75	ipsec_setcontext_default_spd($1)
98203517	76	ipsec_match_default_spd($1)
bdccbacd CP	77	')
bdccbacd CP	78
bb7170f6	79	optional_policy(`
493d6c4a CP	80	nscd_unconfined($1)
	81	')
	82
e8cb08ae CP	83	optional_policy(`
	84	postgresql_unconfined($1)
	85	')
	86
bb7170f6	87	optional_policy(`
1815bad1 CP	88	seutil_create_bin_policy($1)
1815bad1 CP	89	seutil_relabelto_bin_policy($1)
9726b318 CP	90	')
9726b318 CP	91
bb7170f6	92	optional_policy(`
9726b318 CP	93	storage_unconfined($1)
9726b318 CP	94	')
2c12b471 CP	95
	96	optional_policy(`
	97	xserver_unconfined($1)
	98	')
9726b318	99	')
c98340cf	100
95501942 CP	101	########################################
	102	## <summary>
	103	## Make the specified domain unconfined and
	104	## audit executable memory and executable heap
	105	## usage.
	106	## </summary>
	107	## <param name="domain">
885b83ec	108	## <summary>
95501942	109	## Domain to make unconfined.
885b83ec	110	## </summary>
95501942 CP	111	## </param>
	112	#
	113	interface(`unconfined_domain',`
	114	unconfined_domain_noaudit($1)
	115
	116	tunable_policy(`allow_execheap',`
	117	auditallow $1 self:process execheap;
	118	')
	119
8cfa5a00 CP	120	# Turn off this audit for FC5
	121	# tunable_policy(`allow_execmem',`
	122	# auditallow $1 self:process execmem;
	123	# ')
95501942 CP	124	')
95501942 CP	125
350b6ab7 CP	126	########################################
	127	## <summary>
	128	## Add an alias type to the unconfined domain. (Deprecated)
	129	## </summary>
	130	## <desc>
	131	## <p>
	132	## Add an alias type to the unconfined domain. (Deprecated)
	133	## </p>
	134	## <p>
	135	## This is added to support targeted policy. Its
	136	## use should be limited. It has no effect
	137	## on the strict policy.
	138	## </p>
	139	## </desc>
	140	## <param name="domain">
	141	## <summary>
	142	## New alias of the unconfined domain.
	143	## </summary>
	144	## </param>
	145	#
	146	interface(`unconfined_alias_domain',`
	147	refpolicywarn(`$0($1) has been deprecated.')
	148	')
	149
	150	########################################
	151	## <summary>
	152	## Add an alias type to the unconfined execmem
	153	## program file type. (Deprecated)
	154	## </summary>
	155	## <desc>
	156	## <p>
	157	## Add an alias type to the unconfined execmem
	158	## program file type. (Deprecated)
	159	## </p>
	160	## <p>
	161	## This is added to support targeted policy. Its
	162	## use should be limited. It has no effect
	163	## on the strict policy.
	164	## </p>
	165	## </desc>
	166	## <param name="domain">
	167	## <summary>
	168	## New alias of the unconfined execmem program type.
	169	## </summary>
	170	## </param>
	171	#
	172	interface(`unconfined_execmem_alias_program',`
	173	refpolicywarn(`$0($1) has been deprecated.')
	174	')
	175
b24f35d8 CP	176	########################################
	177	## <summary>
	178	## Transition to the unconfined domain.
	179	## </summary>
	180	## <param name="domain">
885b83ec	181	## <summary>
b24f35d8	182	## Domain allowed access.
885b83ec	183	## </summary>
b24f35d8 CP	184	## </param>
	185	#
	186	interface(`unconfined_domtrans',`
	187	gen_require(`
	188	type unconfined_t, unconfined_exec_t;
b24f35d8 CP	189	')
b24f35d8 CP	190
3f67f722	191	domtrans_pattern($1, unconfined_exec_t, unconfined_t)
b24f35d8 CP	192	')
b24f35d8 CP	193
a5f339f1	194	########################################
f7ebea06	195	## <summary>
a5f339f1	196	## Execute specified programs in the unconfined domain.
f7ebea06	197	## </summary>
a5f339f1	198	## <param name="domain">
885b83ec	199	## <summary>
a5f339f1	200	## The type of the process performing this action.
885b83ec	201	## </summary>
a5f339f1 CP	202	## </param>
a5f339f1 CP	203	## <param name="role">
885b83ec	204	## <summary>
a5f339f1	205	## The role to allow the unconfined domain.
885b83ec	206	## </summary>
a5f339f1	207	## </param>
a5f339f1 CP	208	#
	209	interface(`unconfined_run',`
	210	gen_require(`
	211	type unconfined_t;
a5f339f1 CP	212	')
	213
	214	unconfined_domtrans($1)
	215	role $2 types unconfined_t;
a5f339f1 CP	216	')
a5f339f1 CP	217
c98340cf CP	218	########################################
	219	## <summary>
	220	## Transition to the unconfined domain by executing a shell.
	221	## </summary>
	222	## <param name="domain">
885b83ec	223	## <summary>
c98340cf	224	## Domain allowed access.
885b83ec	225	## </summary>
c98340cf CP	226	## </param>
c98340cf CP	227	#
a42ca7eb	228	interface(`unconfined_shell_domtrans',`
c98340cf	229	gen_require(`
b24f35d8	230	type unconfined_t;
c98340cf CP	231	')
c98340cf CP	232
3f67f722	233	corecmd_shell_domtrans($1, unconfined_t)
c0868a7a CP	234	allow unconfined_t $1:fd use;
	235	allow unconfined_t $1:fifo_file rw_file_perms;
	236	allow unconfined_t $1:process sigchld;
c98340cf CP	237	')
c98340cf CP	238
85311bff CP	239	########################################
	240	## <summary>
	241	## Allow unconfined to execute the specified program in
	242	## the specified domain.
	243	## </summary>
	244	## <desc>
	245	## <p>
	246	## Allow unconfined to execute the specified program in
	247	## the specified domain.
	248	## </p>
	249	## <p>
	250	## This is a interface to support third party modules
	251	## and its use is not allowed in upstream reference
	252	## policy.
	253	## </p>
	254	## </desc>
	255	## <param name="domain">
	256	## <summary>
	257	## Domain to execute in.
	258	## </summary>
	259	## </param>
	260	## <param name="entry_file">
	261	## <summary>
	262	## Domain entry point file.
	263	## </summary>
	264	## </param>
	265	#
	266	interface(`unconfined_domtrans_to',`
	267	gen_require(`
	268	type unconfined_t;
	269	')
	270
c0868a7a	271	domtrans_pattern(unconfined_t,$2,$1)
85311bff CP	272	')
85311bff CP	273
ccf6611b CP	274	########################################
	275	## <summary>
	276	## Allow unconfined to execute the specified program in
	277	## the specified domain. Allow the specified domain the
	278	## unconfined role and use of unconfined user terminals.
	279	## </summary>
	280	## <desc>
	281	## <p>
	282	## Allow unconfined to execute the specified program in
	283	## the specified domain. Allow the specified domain the
	284	## unconfined role and use of unconfined user terminals.
	285	## </p>
	286	## <p>
	287	## This is a interface to support third party modules
	288	## and its use is not allowed in upstream reference
	289	## policy.
	290	## </p>
	291	## </desc>
	292	## <param name="domain">
	293	## <summary>
	294	## Domain to execute in.
	295	## </summary>
	296	## </param>
	297	## <param name="entry_file">
	298	## <summary>
	299	## Domain entry point file.
	300	## </summary>
	301	## </param>
	302	#
	303	interface(`unconfined_run_to',`
	304	gen_require(`
296273a7	305	type unconfined_t;
ccf6611b CP	306	role unconfined_r;
	307	')
	308
	309	domtrans_pattern(unconfined_t,$2,$1)
	310	role unconfined_r types $1;
296273a7	311	userdom_use_user_terminals($1)
ccf6611b CP	312	')
ccf6611b CP	313
c98340cf CP	314	########################################
	315	## <summary>
	316	## Inherit file descriptors from the unconfined domain.
	317	## </summary>
	318	## <param name="domain">
885b83ec	319	## <summary>
c98340cf	320	## Domain allowed access.
885b83ec	321	## </summary>
c98340cf CP	322	## </param>
c98340cf CP	323	#
1c1ac67f	324	interface(`unconfined_use_fds',`
c98340cf CP	325	gen_require(`
c98340cf CP	326	type unconfined_t;
c98340cf CP	327	')
	328
	329	allow $1 unconfined_t:fd use;
	330	')
	331
	332	########################################
	333	## <summary>
	334	## Send a SIGCHLD signal to the unconfined domain.
	335	## </summary>
	336	## <param name="domain">
885b83ec	337	## <summary>
c98340cf	338	## Domain allowed access.
885b83ec	339	## </summary>
c98340cf CP	340	## </param>
	341	#
	342	interface(`unconfined_sigchld',`
	343	gen_require(`
	344	type unconfined_t;
c98340cf CP	345	')
	346
	347	allow $1 unconfined_t:process sigchld;
	348	')
	349
0e1c461e CP	350	########################################
	351	## <summary>
	352	## Send a SIGNULL signal to the unconfined domain.
	353	## </summary>
	354	## <param name="domain">
	355	## <summary>
	356	## Domain allowed access.
	357	## </summary>
	358	## </param>
	359	#
	360	interface(`unconfined_signull',`
	361	gen_require(`
	362	type unconfined_t;
	363	')
	364
	365	allow $1 unconfined_t:process signull;
	366	')
	367
1d697ce7 CP	368	########################################
	369	## <summary>
	370	## Send generic signals to the unconfined domain.
	371	## </summary>
	372	## <param name="domain">
885b83ec	373	## <summary>
1d697ce7	374	## Domain allowed access.
885b83ec	375	## </summary>
1d697ce7 CP	376	## </param>
	377	#
	378	interface(`unconfined_signal',`
	379	gen_require(`
	380	type unconfined_t;
	381	')
	382
	383	allow $1 unconfined_t:process signal;
	384	')
	385
6f81e1d3 CP	386	########################################
	387	## <summary>
	388	## Read unconfined domain unnamed pipes.
	389	## </summary>
	390	## <param name="domain">
885b83ec	391	## <summary>
6f81e1d3	392	## Domain allowed access.
885b83ec	393	## </summary>
6f81e1d3 CP	394	## </param>
6f81e1d3 CP	395	#
1815bad1	396	interface(`unconfined_read_pipes',`
6f81e1d3 CP	397	gen_require(`
	398	type unconfined_t;
	399	')
	400
c0868a7a	401	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
6f81e1d3 CP	402	')
6f81e1d3 CP	403
33acca55 CP	404	########################################
	405	## <summary>
	406	## Do not audit attempts to read unconfined domain unnamed pipes.
	407	## </summary>
	408	## <param name="domain">
885b83ec	409	## <summary>
33acca55	410	## Domain allowed access.
885b83ec	411	## </summary>
33acca55 CP	412	## </param>
33acca55 CP	413	#
1815bad1	414	interface(`unconfined_dontaudit_read_pipes',`
33acca55 CP	415	gen_require(`
	416	type unconfined_t;
	417	')
	418
	419	dontaudit $1 unconfined_t:fifo_file read;
	420	')
	421
c98340cf CP	422	########################################
	423	## <summary>
	424	## Read and write unconfined domain unnamed pipes.
	425	## </summary>
	426	## <param name="domain">
885b83ec	427	## <summary>
c98340cf	428	## Domain allowed access.
885b83ec	429	## </summary>
c98340cf CP	430	## </param>
c98340cf CP	431	#
1815bad1	432	interface(`unconfined_rw_pipes',`
c98340cf CP	433	gen_require(`
c98340cf CP	434	type unconfined_t;
c98340cf CP	435	')
c98340cf CP	436
c0868a7a	437	allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
c98340cf CP	438	')
c98340cf CP	439
d6d16b97 CP	440	########################################
	441	## <summary>
	442	## Do not audit attempts to read and write
	443	## unconfined domain unnamed pipes.
	444	## </summary>
	445	## <param name="domain">
	446	## <summary>
	447	## Domain to not audit.
	448	## </summary>
	449	## </param>
	450	#
	451	interface(`unconfined_dontaudit_rw_pipes',`
	452	gen_require(`
	453	type unconfined_t;
	454	')
	455
	456	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
	457	')
	458
41b25f59 CP	459	########################################
	460	## <summary>
	461	## Connect to the unconfined domain using
	462	## a unix domain stream socket.
	463	## </summary>
	464	## <param name="domain">
	465	## <summary>
	466	## Domain allowed access.
	467	## </summary>
	468	## </param>
	469	#
	470	interface(`unconfined_stream_connect',`
	471	gen_require(`
	472	type unconfined_t;
	473	')
	474
	475	allow $1 unconfined_t:unix_stream_socket connectto;
	476	')
	477
a42ca7eb CP	478	########################################
	479	## <summary>
	480	## Do not audit attempts to read or write
	481	## unconfined domain tcp sockets.
	482	## </summary>
	483	## <desc>
	484	## <p>
	485	## Do not audit attempts to read or write
	486	## unconfined domain tcp sockets.
	487	## </p>
	488	## <p>
	489	## This interface was added due to a broken
	490	## symptom in ldconfig.
	491	## </p>
	492	## </desc>
	493	## <param name="domain">
885b83ec	494	## <summary>
a42ca7eb	495	## Domain to not audit.
885b83ec	496	## </summary>
a42ca7eb CP	497	## </param>
a42ca7eb CP	498	#
1815bad1	499	interface(`unconfined_dontaudit_rw_tcp_sockets',`
a42ca7eb CP	500	gen_require(`
a42ca7eb CP	501	type unconfined_t;
a42ca7eb CP	502	')
	503
	504	dontaudit $1 unconfined_t:tcp_socket { read write };
	505	')
	506
fe3a1eb8 CP	507	########################################
	508	## <summary>
	509	## Create keys for the unconfined domain.
	510	## </summary>
	511	## <param name="domain">
	512	## <summary>
	513	## Domain allowed access.
	514	## </summary>
	515	## </param>
	516	#
	517	interface(`unconfined_create_keys',`
	518	gen_require(`
	519	type unconfined_t;
	520	')
	521
	522	allow $1 unconfined_t:key create;
	523	')
	524
6f81e1d3 CP	525	########################################
	526	## <summary>
	527	## Send messages to the unconfined domain over dbus.
	528	## </summary>
	529	## <param name="domain">
885b83ec	530	## <summary>
6f81e1d3	531	## Domain allowed access.
885b83ec	532	## </summary>
6f81e1d3 CP	533	## </param>
	534	#
	535	interface(`unconfined_dbus_send',`
	536	gen_require(`
	537	type unconfined_t;
	538	class dbus send_msg;
	539	')
	540
	541	allow $1 unconfined_t:dbus send_msg;
	542	')
	543
e9935943 CP	544	########################################
	545	## <summary>
	546	## Send and receive messages from
	547	## unconfined_t over dbus.
	548	## </summary>
	549	## <param name="domain">
	550	## <summary>
	551	## Domain allowed access.
	552	## </summary>
	553	## </param>
	554	#
	555	interface(`unconfined_dbus_chat',`
	556	gen_require(`
	557	type unconfined_t;
	558	class dbus send_msg;
	559	')
	560
	561	allow $1 unconfined_t:dbus send_msg;
	562	allow unconfined_t $1:dbus send_msg;
	563	')
	564
375c2415 CP	565	########################################
375c2415 CP	566	## <summary>
350b6ab7 CP	567	## Connect to the the unconfined DBUS
350b6ab7 CP	568	## for service (acquire_svc).
375c2415	569	## </summary>
375c2415	570	## <param name="domain">
885b83ec	571	## <summary>
350b6ab7	572	## Domain allowed access.
885b83ec	573	## </summary>
375c2415 CP	574	## </param>
375c2415 CP	575	#
350b6ab7 CP	576	interface(`unconfined_dbus_connect',`
	577	gen_require(`
	578	type unconfined_t;
	579	class dbus acquire_svc;
c6d4c8f1	580	')
350b6ab7 CP	581
350b6ab7 CP	582	allow $1 unconfined_t:dbus acquire_svc;
375c2415	583	')