Commit | Line | Data |
---|---|---|
9726b318 CP |
1 | ## <summary>The unconfined domain.</summary> |
2 | ||
3 | ######################################## | |
4 | ## <summary> | |
95501942 | 5 | ## Make the specified domain unconfined. |
9726b318 CP |
6 | ## </summary> |
7 | ## <param name="domain"> | |
885b83ec | 8 | ## <summary> |
9726b318 | 9 | ## Domain to make unconfined. |
885b83ec | 10 | ## </summary> |
9726b318 CP |
11 | ## </param> |
12 | # | |
95501942 | 13 | interface(`unconfined_domain_noaudit',` |
142e9f40 | 14 | gen_require(` |
350b6ab7 | 15 | type unconfined_t; |
142e9f40 CP |
16 | class dbus all_dbus_perms; |
17 | class nscd all_nscd_perms; | |
18 | class passwd all_passwd_perms; | |
19 | ') | |
9726b318 CP |
20 | |
21 | # Use any Linux capability. | |
22 | allow $1 self:capability *; | |
c0868a7a | 23 | allow $1 self:fifo_file manage_fifo_file_perms; |
9726b318 CP |
24 | |
25 | # Transition to myself, to make get_ordered_context_list happy. | |
26 | allow $1 self:process transition; | |
27 | ||
28 | # Write access is for setting attributes under /proc/self/attr. | |
29 | allow $1 self:file rw_file_perms; | |
30 | ||
31 | # Userland object managers | |
32 | allow $1 self:nscd *; | |
33 | allow $1 self:dbus *; | |
34 | allow $1 self:passwd *; | |
6b19be33 | 35 | allow $1 self:association *; |
9726b318 CP |
36 | |
37 | kernel_unconfined($1) | |
8c3f438f | 38 | corenet_unconfined($1) |
9726b318 | 39 | dev_unconfined($1) |
9cca1cd5 | 40 | domain_unconfined($1) |
93727e3f | 41 | domain_dontaudit_read_all_domains_state($1) |
a5e2133b | 42 | domain_dontaudit_ptrace_all_domains($1) |
9cca1cd5 | 43 | files_unconfined($1) |
9726b318 CP |
44 | fs_unconfined($1) |
45 | selinux_unconfined($1) | |
46 | ||
a225f983 CP |
47 | tunable_policy(`allow_execheap',` |
48 | # Allow making the heap executable via mprotect. | |
49 | allow $1 self:process execheap; | |
a225f983 CP |
50 | ') |
51 | ||
9726b318 | 52 | tunable_policy(`allow_execmem',` |
98a8ead4 CP |
53 | # Allow making anonymous memory executable, e.g. |
54 | # for runtime-code generation or executable stack. | |
9726b318 CP |
55 | allow $1 self:process execmem; |
56 | ') | |
57 | ||
46551033 CP |
58 | tunable_policy(`allow_execstack',` |
59 | # Allow making the stack executable via mprotect; | |
60 | # execstack implies execmem; | |
61 | allow $1 self:process { execstack execmem }; | |
8cfa5a00 | 62 | # auditallow $1 self:process execstack; |
98a8ead4 CP |
63 | ') |
64 | ||
bb7170f6 | 65 | optional_policy(` |
8b0bbdda | 66 | auth_unconfined($1) |
9726b318 CP |
67 | ') |
68 | ||
bb7170f6 | 69 | optional_policy(` |
142e9f40 CP |
70 | # Communicate via dbusd. |
71 | dbus_system_bus_unconfined($1) | |
72 | ') | |
73 | ||
bdccbacd CP |
74 | optional_policy(` |
75 | ipsec_setcontext_default_spd($1) | |
98203517 | 76 | ipsec_match_default_spd($1) |
bdccbacd CP |
77 | ') |
78 | ||
bb7170f6 | 79 | optional_policy(` |
493d6c4a CP |
80 | nscd_unconfined($1) |
81 | ') | |
82 | ||
e8cb08ae CP |
83 | optional_policy(` |
84 | postgresql_unconfined($1) | |
85 | ') | |
86 | ||
bb7170f6 | 87 | optional_policy(` |
1815bad1 CP |
88 | seutil_create_bin_policy($1) |
89 | seutil_relabelto_bin_policy($1) | |
9726b318 CP |
90 | ') |
91 | ||
bb7170f6 | 92 | optional_policy(` |
9726b318 CP |
93 | storage_unconfined($1) |
94 | ') | |
2c12b471 CP |
95 | |
96 | optional_policy(` | |
97 | xserver_unconfined($1) | |
98 | ') | |
9726b318 | 99 | ') |
c98340cf | 100 | |
95501942 CP |
101 | ######################################## |
102 | ## <summary> | |
103 | ## Make the specified domain unconfined and | |
104 | ## audit executable heap usage. The executable | |
105 | ## memory audit is currently commented out. | |
106 | ## </summary> | |
107 | ## <param name="domain"> | |
885b83ec | 108 | ## <summary> |
95501942 | 109 | ## Domain to make unconfined. |
885b83ec | 110 | ## </summary> |
95501942 CP |
111 | ## </param> |
112 | # | |
113 | interface(`unconfined_domain',` | |
114 | unconfined_domain_noaudit($1) | |
115 | ||
116 | tunable_policy(`allow_execheap',` | |
117 | auditallow $1 self:process execheap; | |
118 | ') | |
119 | ||
8cfa5a00 CP |
120 | # Turn off this audit for FC5 |
121 | # tunable_policy(`allow_execmem',` | |
122 | # auditallow $1 self:process execmem; | |
123 | # ') | |
95501942 CP |
124 | ') |
125 | ||
350b6ab7 CP |
126 | ######################################## |
127 | ## <summary> | |
128 | ## Add an alias type to the unconfined domain. (Deprecated) | |
129 | ## </summary> | |
130 | ## <desc> | |
131 | ## <p> | |
132 | ## Add an alias type to the unconfined domain. (Deprecated) | |
133 | ## </p> | |
134 | ## <p> | |
135 | ## This is added to support targeted policy. Its | |
136 | ## use should be limited. It has no effect | |
137 | ## on the strict policy. | |
138 | ## </p> | |
139 | ## </desc> | |
140 | ## <param name="domain"> | |
141 | ## <summary> | |
142 | ## New alias of the unconfined domain. | |
143 | ## </summary> | |
144 | ## </param> | |
145 | # | |
146 | interface(`unconfined_alias_domain',` | |
147 | refpolicywarn(`$0($1) has been deprecated.') | |
148 | ') | |
149 | ||
150 | ######################################## | |
151 | ## <summary> | |
152 | ## Add an alias type to the unconfined execmem | |
153 | ## program file type. (Deprecated) | |
154 | ## </summary> | |
155 | ## <desc> | |
156 | ## <p> | |
157 | ## Add an alias type to the unconfined execmem | |
158 | ## program file type. (Deprecated) | |
159 | ## </p> | |
160 | ## <p> | |
161 | ## This is added to support targeted policy. Its | |
162 | ## use should be limited. It has no effect | |
163 | ## on the strict policy. | |
164 | ## </p> | |
165 | ## </desc> | |
166 | ## <param name="domain"> | |
167 | ## <summary> | |
168 | ## New alias of the unconfined execmem program type. | |
169 | ## </summary> | |
170 | ## </param> | |
171 | # | |
172 | interface(`unconfined_execmem_alias_program',` | |
173 | refpolicywarn(`$0($1) has been deprecated.') | |
174 | ') | |
175 | ||
b24f35d8 CP |
176 | ######################################## |
177 | ## <summary> | |
178 | ## Transition to the unconfined domain. | |
179 | ## </summary> | |
180 | ## <param name="domain"> | |
885b83ec | 181 | ## <summary> |
b24f35d8 | 182 | ## Domain allowed access. |
885b83ec | 183 | ## </summary> |
b24f35d8 CP |
184 | ## </param> |
185 | # | |
186 | interface(`unconfined_domtrans',` | |
187 | gen_require(` | |
188 | type unconfined_t, unconfined_exec_t; | |
b24f35d8 CP |
189 | ') |
190 | ||
3f67f722 | 191 | domtrans_pattern($1, unconfined_exec_t, unconfined_t) |
b24f35d8 CP |
192 | ') |
193 | ||
a5f339f1 | 194 | ######################################## |
f7ebea06 | 195 | ## <summary> |
a5f339f1 | 196 | ## Execute specified programs in the unconfined domain. |
f7ebea06 | 197 | ## </summary> |
a5f339f1 | 198 | ## <param name="domain"> |
885b83ec | 199 | ## <summary> |
a5f339f1 | 200 | ## The type of the process performing this action. |
885b83ec | 201 | ## </summary> |
a5f339f1 CP |
202 | ## </param> |
203 | ## <param name="role"> | |
885b83ec | 204 | ## <summary> |
a5f339f1 | 205 | ## The role to allow the unconfined domain. |
885b83ec | 206 | ## </summary> |
a5f339f1 | 207 | ## </param> |
a5f339f1 CP |
208 | # |
209 | interface(`unconfined_run',` | |
210 | gen_require(` | |
211 | type unconfined_t; | |
a5f339f1 CP |
212 | ') |
213 | ||
214 | unconfined_domtrans($1) | |
215 | role $2 types unconfined_t; | |
a5f339f1 CP |
216 | ') |
217 | ||
c98340cf CP |
218 | ######################################## |
219 | ## <summary> | |
220 | ## Transition to the unconfined domain by executing a shell. | |
221 | ## </summary> | |
222 | ## <param name="domain"> | |
885b83ec | 223 | ## <summary> |
c98340cf | 224 | ## Domain allowed access. |
885b83ec | 225 | ## </summary> |
c98340cf CP |
226 | ## </param> |
227 | # | |
a42ca7eb | 228 | interface(`unconfined_shell_domtrans',` |
c98340cf | 229 | gen_require(` |
b24f35d8 | 230 | type unconfined_t; |
c98340cf CP |
231 | ') |
232 | ||
3f67f722 | 233 | corecmd_shell_domtrans($1, unconfined_t) |
c0868a7a CP |
234 | allow unconfined_t $1:fd use; |
235 | allow unconfined_t $1:fifo_file rw_file_perms; | |
236 | allow unconfined_t $1:process sigchld; | |
c98340cf CP |
237 | ') |
238 | ||
85311bff CP |
239 | ######################################## |
240 | ## <summary> | |
241 | ## Allow unconfined to execute the specified program in | |
242 | ## the specified domain. | |
243 | ## </summary> | |
244 | ## <desc> | |
245 | ## <p> | |
246 | ## Allow unconfined to execute the specified program in | |
247 | ## the specified domain. | |
248 | ## </p> | |
249 | ## <p> | |
250 | ## This is an interface to support third party modules | |
251 | ## and its use is not allowed in upstream reference | |
252 | ## policy. | |
253 | ## </p> | |
254 | ## </desc> | |
255 | ## <param name="domain"> | |
256 | ## <summary> | |
257 | ## Domain to execute in. | |
258 | ## </summary> | |
259 | ## </param> | |
260 | ## <param name="entry_file"> | |
261 | ## <summary> | |
262 | ## Domain entry point file. | |
263 | ## </summary> | |
264 | ## </param> | |
265 | # | |
266 | interface(`unconfined_domtrans_to',` | |
267 | gen_require(` | |
268 | type unconfined_t; | |
269 | ') | |
270 | ||
c0868a7a | 271 | domtrans_pattern(unconfined_t,$2,$1) |
85311bff CP |
272 | ') |
273 | ||
ccf6611b CP |
274 | ######################################## |
275 | ## <summary> | |
276 | ## Allow unconfined to execute the specified program in | |
277 | ## the specified domain. Allow the specified domain the | |
278 | ## unconfined role and use of unconfined user terminals. | |
279 | ## </summary> | |
280 | ## <desc> | |
281 | ## <p> | |
282 | ## Allow unconfined to execute the specified program in | |
283 | ## the specified domain. Allow the specified domain the | |
284 | ## unconfined role and use of unconfined user terminals. | |
285 | ## </p> | |
286 | ## <p> | |
287 | ## This is an interface to support third party modules | |
288 | ## and its use is not allowed in upstream reference | |
289 | ## policy. | |
290 | ## </p> | |
291 | ## </desc> | |
292 | ## <param name="domain"> | |
293 | ## <summary> | |
294 | ## Domain to execute in. | |
295 | ## </summary> | |
296 | ## </param> | |
297 | ## <param name="entry_file"> | |
298 | ## <summary> | |
299 | ## Domain entry point file. | |
300 | ## </summary> | |
301 | ## </param> | |
302 | # | |
303 | interface(`unconfined_run_to',` | |
304 | gen_require(` | |
296273a7 | 305 | type unconfined_t; |
ccf6611b CP |
306 | role unconfined_r; |
307 | ') | |
308 | ||
309 | domtrans_pattern(unconfined_t,$2,$1) | |
310 | role unconfined_r types $1; | |
296273a7 | 311 | userdom_use_user_terminals($1) |
ccf6611b CP |
312 | ') |
313 | ||
c98340cf CP |
314 | ######################################## |
315 | ## <summary> | |
316 | ## Inherit file descriptors from the unconfined domain. | |
317 | ## </summary> | |
318 | ## <param name="domain"> | |
885b83ec | 319 | ## <summary> |
c98340cf | 320 | ## Domain allowed access. |
885b83ec | 321 | ## </summary> |
c98340cf CP |
322 | ## </param> |
323 | # | |
1c1ac67f | 324 | interface(`unconfined_use_fds',` |
c98340cf CP |
325 | gen_require(` |
326 | type unconfined_t; | |
c98340cf CP |
327 | ') |
328 | ||
329 | allow $1 unconfined_t:fd use; | |
330 | ') | |
331 | ||
332 | ######################################## | |
333 | ## <summary> | |
334 | ## Send a SIGCHLD signal to the unconfined domain. | |
335 | ## </summary> | |
336 | ## <param name="domain"> | |
885b83ec | 337 | ## <summary> |
c98340cf | 338 | ## Domain allowed access. |
885b83ec | 339 | ## </summary> |
c98340cf CP |
340 | ## </param> |
341 | # | |
342 | interface(`unconfined_sigchld',` | |
343 | gen_require(` | |
344 | type unconfined_t; | |
c98340cf CP |
345 | ') |
346 | ||
347 | allow $1 unconfined_t:process sigchld; | |
348 | ') | |
349 | ||
0e1c461e CP |
350 | ######################################## |
351 | ## <summary> | |
352 | ## Send a SIGNULL signal to the unconfined domain. | |
353 | ## </summary> | |
354 | ## <param name="domain"> | |
355 | ## <summary> | |
356 | ## Domain allowed access. | |
357 | ## </summary> | |
358 | ## </param> | |
359 | # | |
360 | interface(`unconfined_signull',` | |
361 | gen_require(` | |
362 | type unconfined_t; | |
363 | ') | |
364 | ||
365 | allow $1 unconfined_t:process signull; | |
366 | ') | |
367 | ||
1d697ce7 CP |
368 | ######################################## |
369 | ## <summary> | |
370 | ## Send generic signals to the unconfined domain. | |
371 | ## </summary> | |
372 | ## <param name="domain"> | |
885b83ec | 373 | ## <summary> |
1d697ce7 | 374 | ## Domain allowed access. |
885b83ec | 375 | ## </summary> |
1d697ce7 CP |
376 | ## </param> |
377 | # | |
378 | interface(`unconfined_signal',` | |
379 | gen_require(` | |
380 | type unconfined_t; | |
381 | ') | |
382 | ||
383 | allow $1 unconfined_t:process signal; | |
384 | ') | |
385 | ||
6f81e1d3 CP |
386 | ######################################## |
387 | ## <summary> | |
388 | ## Read unconfined domain unnamed pipes. | |
389 | ## </summary> | |
390 | ## <param name="domain"> | |
885b83ec | 391 | ## <summary> |
6f81e1d3 | 392 | ## Domain allowed access. |
885b83ec | 393 | ## </summary> |
6f81e1d3 CP |
394 | ## </param> |
395 | # | |
1815bad1 | 396 | interface(`unconfined_read_pipes',` |
6f81e1d3 CP |
397 | gen_require(` |
398 | type unconfined_t; | |
399 | ') | |
400 | ||
c0868a7a | 401 | allow $1 unconfined_t:fifo_file read_fifo_file_perms; |
6f81e1d3 CP |
402 | ') |
403 | ||
33acca55 CP |
404 | ######################################## |
405 | ## <summary> | |
406 | ## Do not audit attempts to read unconfined domain unnamed pipes. | |
407 | ## </summary> | |
408 | ## <param name="domain"> | |
885b83ec | 409 | ## <summary> |
33acca55 | 410 | ## Domain to not audit. |
885b83ec | 411 | ## </summary> |
33acca55 CP |
412 | ## </param> |
413 | # | |
1815bad1 | 414 | interface(`unconfined_dontaudit_read_pipes',` |
33acca55 CP |
415 | gen_require(` |
416 | type unconfined_t; | |
417 | ') | |
418 | ||
419 | dontaudit $1 unconfined_t:fifo_file read; | |
420 | ') | |
421 | ||
c98340cf CP |
422 | ######################################## |
423 | ## <summary> | |
424 | ## Read and write unconfined domain unnamed pipes. | |
425 | ## </summary> | |
426 | ## <param name="domain"> | |
885b83ec | 427 | ## <summary> |
c98340cf | 428 | ## Domain allowed access. |
885b83ec | 429 | ## </summary> |
c98340cf CP |
430 | ## </param> |
431 | # | |
1815bad1 | 432 | interface(`unconfined_rw_pipes',` |
c98340cf CP |
433 | gen_require(` |
434 | type unconfined_t; | |
c98340cf CP |
435 | ') |
436 | ||
c0868a7a | 437 | allow $1 unconfined_t:fifo_file rw_fifo_file_perms; |
c98340cf CP |
438 | ') |
439 | ||
d6d16b97 CP |
440 | ######################################## |
441 | ## <summary> | |
442 | ## Do not audit attempts to read and write | |
443 | ## unconfined domain unnamed pipes. | |
444 | ## </summary> | |
445 | ## <param name="domain"> | |
446 | ## <summary> | |
447 | ## Domain to not audit. | |
448 | ## </summary> | |
449 | ## </param> | |
450 | # | |
451 | interface(`unconfined_dontaudit_rw_pipes',` | |
452 | gen_require(` | |
453 | type unconfined_t; | |
454 | ') | |
455 | ||
456 | dontaudit $1 unconfined_t:fifo_file rw_file_perms; | |
457 | ') | |
458 | ||
41b25f59 CP |
459 | ######################################## |
460 | ## <summary> | |
461 | ## Connect to the unconfined domain using | |
462 | ## a unix domain stream socket. | |
463 | ## </summary> | |
464 | ## <param name="domain"> | |
465 | ## <summary> | |
466 | ## Domain allowed access. | |
467 | ## </summary> | |
468 | ## </param> | |
469 | # | |
470 | interface(`unconfined_stream_connect',` | |
471 | gen_require(` | |
472 | type unconfined_t; | |
473 | ') | |
474 | ||
475 | allow $1 unconfined_t:unix_stream_socket connectto; | |
476 | ') | |
477 | ||
a42ca7eb CP |
478 | ######################################## |
479 | ## <summary> | |
480 | ## Do not audit attempts to read or write | |
481 | ## unconfined domain tcp sockets. | |
482 | ## </summary> | |
483 | ## <desc> | |
484 | ## <p> | |
485 | ## Do not audit attempts to read or write | |
486 | ## unconfined domain tcp sockets. | |
487 | ## </p> | |
488 | ## <p> | |
489 | ## This interface was added due to a broken | |
490 | ## symptom in ldconfig. | |
491 | ## </p> | |
492 | ## </desc> | |
493 | ## <param name="domain"> | |
885b83ec | 494 | ## <summary> |
a42ca7eb | 495 | ## Domain to not audit. |
885b83ec | 496 | ## </summary> |
a42ca7eb CP |
497 | ## </param> |
498 | # | |
1815bad1 | 499 | interface(`unconfined_dontaudit_rw_tcp_sockets',` |
a42ca7eb CP |
500 | gen_require(` |
501 | type unconfined_t; | |
a42ca7eb CP |
502 | ') |
503 | ||
504 | dontaudit $1 unconfined_t:tcp_socket { read write }; | |
505 | ') | |
506 | ||
fe3a1eb8 CP |
507 | ######################################## |
508 | ## <summary> | |
509 | ## Create keys for the unconfined domain. | |
510 | ## </summary> | |
511 | ## <param name="domain"> | |
512 | ## <summary> | |
513 | ## Domain allowed access. | |
514 | ## </summary> | |
515 | ## </param> | |
516 | # | |
517 | interface(`unconfined_create_keys',` | |
518 | gen_require(` | |
519 | type unconfined_t; | |
520 | ') | |
521 | ||
522 | allow $1 unconfined_t:key create; | |
523 | ') | |
524 | ||
6f81e1d3 CP |
525 | ######################################## |
526 | ## <summary> | |
527 | ## Send messages to the unconfined domain over dbus. | |
528 | ## </summary> | |
529 | ## <param name="domain"> | |
885b83ec | 530 | ## <summary> |
6f81e1d3 | 531 | ## Domain allowed access. |
885b83ec | 532 | ## </summary> |
6f81e1d3 CP |
533 | ## </param> |
534 | # | |
535 | interface(`unconfined_dbus_send',` | |
536 | gen_require(` | |
537 | type unconfined_t; | |
538 | class dbus send_msg; | |
539 | ') | |
540 | ||
541 | allow $1 unconfined_t:dbus send_msg; | |
542 | ') | |
543 | ||
e9935943 CP |
544 | ######################################## |
545 | ## <summary> | |
546 | ## Send and receive messages from | |
547 | ## unconfined_t over dbus. | |
548 | ## </summary> | |
549 | ## <param name="domain"> | |
550 | ## <summary> | |
551 | ## Domain allowed access. | |
552 | ## </summary> | |
553 | ## </param> | |
554 | # | |
555 | interface(`unconfined_dbus_chat',` | |
556 | gen_require(` | |
557 | type unconfined_t; | |
558 | class dbus send_msg; | |
559 | ') | |
560 | ||
561 | allow $1 unconfined_t:dbus send_msg; | |
562 | allow unconfined_t $1:dbus send_msg; | |
563 | ') | |
564 | ||
375c2415 CP |
565 | ######################################## |
566 | ## <summary> | |
350b6ab7 CP |
567 | ## Connect to the unconfined DBUS |
568 | ## for service (acquire_svc). | |
375c2415 | 569 | ## </summary> |
375c2415 | 570 | ## <param name="domain"> |
885b83ec | 571 | ## <summary> |
350b6ab7 | 572 | ## Domain allowed access. |
885b83ec | 573 | ## </summary> |
375c2415 CP |
574 | ## </param> |
575 | # | |
350b6ab7 CP |
576 | interface(`unconfined_dbus_connect',` |
577 | gen_require(` | |
578 | type unconfined_t; | |
579 | class dbus acquire_svc; | |
c6d4c8f1 | 580 | ') |
350b6ab7 CP |
581 | |
582 | allow $1 unconfined_t:dbus acquire_svc; | |
375c2415 | 583 | ') |