1 policy_module(unconfineduser, 1.0.0)
3 ########################################
7 attribute unconfined_login_domain;
11 ## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
14 gen_tunable(allow_unconfined_nsplugin_transition, false)
18 ## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
21 gen_tunable(unconfined_mozilla_plugin_transition, false)
25 ## Allow vidio playing tools to tun unconfined
28 gen_tunable(unconfined_mplayer, false)
32 ## Allow a user to login as an unconfined domain
35 gen_tunable(unconfined_login, true)
39 ## Transition to confined qemu domains from unconfined user
42 gen_tunable(allow_unconfined_qemu_transition, false)
44 # usage in this module of types created by these
45 # calls is not correct, however we dont currently
46 # have another method to add access to these types
47 userdom_base_user_template(unconfined)
48 userdom_manage_home_role(unconfined_r, unconfined_t)
49 userdom_manage_tmp_role(unconfined_r, unconfined_t)
50 userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
51 userdom_unpriv_usertype(unconfined, unconfined_t)
53 type unconfined_exec_t;
54 init_system_domain(unconfined_t, unconfined_exec_t)
55 role unconfined_r types unconfined_t;
56 role_transition system_r unconfined_exec_t unconfined_r;
57 allow system_r unconfined_r;
59 domain_user_exemption_target(unconfined_t)
60 allow system_r unconfined_r;
61 allow unconfined_r system_r;
62 init_script_role_transition(unconfined_r)
63 role system_r types unconfined_t;
64 typealias unconfined_t alias unconfined_crontab_t;
66 type unconfined_notrans_t;
67 type unconfined_notrans_exec_t;
68 init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
69 role unconfined_r types unconfined_notrans_t;
71 ########################################
76 dontaudit unconfined_t self:dir write;
77 dontaudit unconfined_t self:file setattr;
79 allow unconfined_t self:system syslog_read;
80 dontaudit unconfined_t self:capability sys_module;
82 kernel_rw_unlabeled_socket(unconfined_t)
83 kernel_rw_unlabeled_rawip_socket(unconfined_t)
85 files_create_boot_flag(unconfined_t)
86 files_create_default_dir(unconfined_t)
87 files_root_filetrans_default(unconfined_t, dir)
89 dev_filetrans_all_named_dev(unconfined_t)
90 storage_filetrans_all_named_dev(unconfined_t)
91 term_filetrans_all_named_dev(unconfined_t)
93 sysnet_etc_filetrans_config(unconfined_t, resolv.conf)
94 sysnet_etc_filetrans_config(unconfined_t, denyhosts)
95 sysnet_etc_filetrans_config(unconfined_t, hosts)
96 sysnet_etc_filetrans_config(unconfined_t, ethers)
97 sysnet_etc_filetrans_config(unconfined_t, yp.conf)
100 ssh_filetrans_admin_home_content(unconfined_t)
103 mcs_killall(unconfined_t)
104 mcs_ptrace_all(unconfined_t)
105 mls_file_write_all_levels(unconfined_t)
107 init_run_daemon(unconfined_t, unconfined_r)
108 init_domtrans_script(unconfined_t)
109 init_telinit(unconfined_t)
111 libs_run_ldconfig(unconfined_t, unconfined_r)
113 logging_send_syslog_msg(unconfined_t)
114 logging_run_auditctl(unconfined_t, unconfined_r)
117 mount_run_unconfined(unconfined_t, unconfined_r)
118 # Unconfined running as system_r
119 mount_domtrans_unconfined(unconfined_t)
122 seutil_run_setsebool(unconfined_t, unconfined_r)
123 seutil_run_setfiles(unconfined_t, unconfined_r)
124 seutil_run_semanage(unconfined_t, unconfined_r)
126 unconfined_domain_noaudit(unconfined_t)
128 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
130 usermanage_run_passwd(unconfined_t, unconfined_r)
131 usermanage_run_chfn(unconfined_t, unconfined_r)
133 tunable_policy(`allow_execmem',`
134 allow unconfined_t self:process execmem;
137 tunable_policy(`allow_execmem && allow_execstack',`
138 allow unconfined_t self:process execstack;
141 tunable_policy(`allow_execmod',`
142 userdom_execmod_user_home_files(unconfined_usertype)
145 tunable_policy(`unconfined_login',`
146 corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
147 allow unconfined_t unconfined_login_domain:fd use;
148 allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
149 allow unconfined_t unconfined_login_domain:process sigchld;
154 attribute unconfined_usertype;
157 nsplugin_role_notrans(unconfined_r, unconfined_usertype)
159 tunable_policy(`allow_unconfined_nsplugin_transition',`
160 nsplugin_domtrans(unconfined_usertype)
161 nsplugin_domtrans_config(unconfined_usertype)
166 abrt_dbus_chat(unconfined_usertype)
167 abrt_run_helper(unconfined_usertype, unconfined_r)
171 avahi_dbus_chat(unconfined_usertype)
175 certmonger_dbus_chat(unconfined_usertype)
179 devicekit_dbus_chat(unconfined_usertype)
180 devicekit_dbus_chat_disk(unconfined_usertype)
181 devicekit_dbus_chat_power(unconfined_usertype)
185 hal_dbus_chat(unconfined_usertype)
189 networkmanager_dbus_chat(unconfined_usertype)
193 policykit_role(unconfined_r, unconfined_usertype)
197 rtkit_scheduled(unconfined_usertype)
201 setroubleshoot_dbus_chat(unconfined_usertype)
202 setroubleshoot_dbus_chat_fixit(unconfined_t)
206 sandbox_transition(unconfined_usertype, unconfined_r)
210 shutdown_run(unconfined_t, unconfined_r)
214 tzdata_run(unconfined_usertype, unconfined_r)
222 xserver_rw_session(unconfined_usertype, user_tmpfs_t)
223 xserver_run_xauth(unconfined_usertype, unconfined_r)
224 xserver_dbus_chat_xdm(unconfined_usertype)
228 ifdef(`distro_gentoo',`
229 seutil_run_runinit(unconfined_t, unconfined_r)
230 seutil_init_script_run_runinit(unconfined_t, unconfined_r)
234 accountsd_dbus_chat(unconfined_t)
238 ada_run(unconfined_t, unconfined_r)
242 alsa_run(unconfined_t, unconfined_r)
246 apache_run_helper(unconfined_t, unconfined_r)
247 apache_filetrans_home_content(unconfined_t)
251 bind_run_ndc(unconfined_t, unconfined_r)
255 bootloader_run(unconfined_t, unconfined_r)
259 cron_unconfined_role(unconfined_r, unconfined_t)
263 chrome_role(unconfined_r, unconfined_usertype)
267 dbus_role_template(unconfined, unconfined_r, unconfined_t)
270 unconfined_domain(unconfined_dbusd_t)
271 unconfined_execmem_domtrans(unconfined_dbusd_t)
274 xserver_rw_shm(unconfined_dbusd_t)
278 init_dbus_chat(unconfined_usertype)
279 init_dbus_chat_script(unconfined_usertype)
281 dbus_stub(unconfined_t)
284 bluetooth_dbus_chat(unconfined_usertype)
288 consolekit_dbus_chat(unconfined_usertype)
292 cups_dbus_chat_config(unconfined_usertype)
296 fprintd_dbus_chat(unconfined_usertype)
300 gnomeclock_dbus_chat(unconfined_usertype)
301 gnome_dbus_chat_gconfdefault(unconfined_usertype)
302 gnome_filetrans_admin_home_content(unconfined_usertype)
303 gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
307 ipsec_mgmt_dbus_chat(unconfined_usertype)
311 kerneloops_dbus_chat(unconfined_usertype)
315 oddjob_dbus_chat(unconfined_usertype)
319 vpn_dbus_chat(unconfined_usertype)
324 firewallgui_dbus_chat(unconfined_usertype)
328 firstboot_run(unconfined_t, unconfined_r)
332 ftp_run_ftpdctl(unconfined_t, unconfined_r)
336 gpsd_run(unconfined_t, unconfined_r)
340 java_run_unconfined(unconfined_t, unconfined_r)
344 kerberos_filetrans_named_content(unconfined_t)
348 livecd_run(unconfined_t, unconfined_r)
352 lpd_run_checkpc(unconfined_t, unconfined_r)
356 mock_role(unconfined_r, unconfined_t)
360 modutils_run_update_mods(unconfined_t, unconfined_r)
364 mono_role_template(unconfined, unconfined_r, unconfined_t)
365 unconfined_domain_noaudit(unconfined_mono_t)
366 role system_r types unconfined_mono_t;
371 mozilla_role_plugin(unconfined_r)
373 tunable_policy(`unconfined_mozilla_plugin_transition', `
374 mozilla_domtrans_plugin(unconfined_usertype)
379 mta_filetrans_named_content(unconfined_t)
383 ncftool_run(unconfined_t, unconfined_r)
387 oddjob_run_mkhomedir(unconfined_t, unconfined_r)
391 prelink_run(unconfined_t, unconfined_r)
395 portmap_run_helper(unconfined_t, unconfined_r)
399 # ppp_run(unconfined_t, unconfined_r)
403 qemu_unconfined_role(unconfined_r)
405 tunable_policy(`allow_unconfined_qemu_transition',`
406 qemu_domtrans(unconfined_t)
408 qemu_domtrans_unconfined(unconfined_t)
413 quota_run(unconfined_t, unconfined_r)
417 rpm_run(unconfined_t, unconfined_r)
418 # Allow SELinux aware applications to request rpm_script execution
419 rpm_transition_script(unconfined_t)
420 rpm_dbus_chat(unconfined_t)
425 samba_run_unconfined_net(unconfined_t, unconfined_r)
428 samba_role_notrans(unconfined_r)
429 # samba_run_winbind_helper(unconfined_t, unconfined_r)
430 samba_run_smbcontrol(unconfined_t, unconfined_r)
434 sysnet_run_dhcpc(unconfined_t, unconfined_r)
435 sysnet_dbus_chat_dhcpc(unconfined_t)
436 sysnet_role_transition_dhcpc(unconfined_r)
440 telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
444 vbetool_run(unconfined_t, unconfined_r)
448 virt_transition_svirt(unconfined_t, unconfined_r)
449 virt_filetrans_home_content(unconfined_t)
453 vpn_run(unconfined_t, unconfined_r)
457 webalizer_run(unconfined_t, unconfined_r)
461 wine_run(unconfined_t, unconfined_r)
465 xserver_run(unconfined_t, unconfined_r)
466 xserver_manage_home_fonts(unconfined_t)
469 ########################################
471 # Unconfined Execmem Local policy
475 execmem_role_template(unconfined, unconfined_r, unconfined_t)
476 typealias unconfined_execmem_t alias execmem_t;
477 typealias unconfined_execmem_t alias unconfined_openoffice_t;
478 unconfined_domain_noaudit(unconfined_execmem_t)
479 allow unconfined_execmem_t unconfined_t:process transition;
480 rpm_transition_script(unconfined_execmem_t)
481 role system_r types unconfined_execmem_t;
484 init_dbus_chat_script(unconfined_execmem_t)
485 dbus_system_bus_client(unconfined_execmem_t)
486 unconfined_dbus_chat(unconfined_execmem_t)
487 unconfined_dbus_connect(unconfined_execmem_t)
491 tunable_policy(`allow_unconfined_nsplugin_transition',`', `
492 nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
497 tunable_policy(`unconfined_login',`
498 mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
503 openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
507 ########################################
509 # Unconfined notrans Local policy
512 allow unconfined_notrans_t self:process { execstack execmem };
513 unconfined_domain_noaudit(unconfined_notrans_t)
514 userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
515 domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
516 # Allow SELinux aware applications to request rpm_script execution
517 rpm_transition_script(unconfined_notrans_t)
518 domain_ptrace_all_domains(unconfined_notrans_t)
520 ########################################
522 # Unconfined mount local policy
525 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)