Make telepathy and gkeyringd daemon working with confined users
policy_module(unconfineduser, 1.0.0)

########################################
#
# Declarations
#
# This module defines the unconfined user role (unconfined_r), its main
# domain (unconfined_t), the unconfined_notrans_t helper domain, the optional
# unconfined_execmem_t / unconfined_dbusd_t / unconfined_mono_t domains, and
# the unconfined_u SELinux user at the end of the file. Everything below only
# widens what these domains may do (allow / dontaudit / transitions); the few
# places where behaviour is configurable are the gen_tunable() booleans
# declared here and tested with tunable_policy() further down.

# Domains allowed to drop a user straight into unconfined_t via a shell
# (see the unconfined_login tunable block below). Nothing in this file adds
# types to this attribute; other modules are expected to do that.
attribute unconfined_login_domain;

## <desc>
## <p>
## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
## </p>
## </desc>
gen_tunable(allow_unconfined_nsplugin_transition, false)

## <desc>
## <p>
## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
## </p>
## </desc>
gen_tunable(unconfined_mozilla_plugin_transition, false)

# NOTE(review): this tunable is declared but no tunable_policy() in this file
# tests it; the mplayer_exec_domtrans() call in the execmem section below is
# gated on unconfined_login instead. Confirm which boolean is meant to
# control the mplayer transition.
## <desc>
## <p>
## Allow video playing tools to run unconfined
## </p>
## </desc>
gen_tunable(unconfined_mplayer, false)

## <desc>
## <p>
## Allow a user to login as an unconfined domain
## </p>
## </desc>
gen_tunable(unconfined_login, true)

## <desc>
## <p>
## Transition to confined qemu domains from unconfined user
## </p>
## </desc>
gen_tunable(allow_unconfined_qemu_transition, false)

# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
#
# unconfined_t and unconfined_r are never declared with a bare type/role
# statement in this file, so they come out of these userdom templates.
userdom_base_user_template(unconfined)
userdom_manage_home_role(unconfined_r, unconfined_t)
userdom_manage_tmp_role(unconfined_r, unconfined_t)
userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
userdom_unpriv_usertype(unconfined, unconfined_t)

# Entry point for unconfined_t and the system_r -> unconfined_r role change
# that goes with executing it from init.
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
role unconfined_r types unconfined_t;
role_transition system_r unconfined_exec_t unconfined_r;
allow system_r unconfined_r;

domain_user_exemption_target(unconfined_t)
# NOTE(review): identical to the role allow a few lines above; harmless
# duplicate, one of the two could be dropped.
allow system_r unconfined_r;
allow unconfined_r system_r;
init_script_role_transition(unconfined_r)
role system_r types unconfined_t;
# Cron jobs of unconfined users keep running as unconfined_t (the crontab
# type is only an alias, not a separate domain).
typealias unconfined_t alias unconfined_crontab_t;

# Second unconfined domain; its rules are in the "Unconfined notrans" section.
type unconfined_notrans_t;
type unconfined_notrans_exec_t;
init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
role unconfined_r types unconfined_notrans_t;

########################################
#
# Local policy
#

# Silence noise rather than grant: these are dontaudit, not allow.
dontaudit unconfined_t self:dir write;
dontaudit unconfined_t self:file setattr;

allow unconfined_t self:system syslog_read;
# Module loading attempts are not logged, but not granted here either.
dontaudit unconfined_t self:capability sys_module;

kernel_rw_unlabeled_socket(unconfined_t)
kernel_rw_unlabeled_rawip_socket(unconfined_t)

files_create_boot_flag(unconfined_t)
files_create_default_dir(unconfined_t)
files_root_filetrans_default(unconfined_t, dir)

# Named file transitions so device nodes created by an unconfined shell get
# the right label instead of the parent directory's.
dev_filetrans_all_named_dev(unconfined_t)
storage_filetrans_all_named_dev(unconfined_t)
term_filetrans_all_named_dev(unconfined_t)

# Same idea for hand-edited network config files under /etc.
sysnet_etc_filetrans_config(unconfined_t, resolv.conf)
sysnet_etc_filetrans_config(unconfined_t, denyhosts)
sysnet_etc_filetrans_config(unconfined_t, hosts)
sysnet_etc_filetrans_config(unconfined_t, ethers)
sysnet_etc_filetrans_config(unconfined_t, yp.conf)

optional_policy(`
	ssh_filetrans_admin_home_content(unconfined_t)
')

# Cross-level/cross-category access: unconfined_t is not constrained by
# MCS categories for kill/ptrace, nor by MLS levels for file writes.
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
mls_file_write_all_levels(unconfined_t)

init_run_daemon(unconfined_t, unconfined_r)
init_domtrans_script(unconfined_t)
init_telinit(unconfined_t)

libs_run_ldconfig(unconfined_t, unconfined_r)

logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r)

optional_policy(`
	mount_run_unconfined(unconfined_t, unconfined_r)
	# Unconfined running as system_r
	mount_domtrans_unconfined(unconfined_t)
')

# Policy management tools run from unconfined_r.
seutil_run_setsebool(unconfined_t, unconfined_r)
seutil_run_setfiles(unconfined_t, unconfined_r)
seutil_run_semanage(unconfined_t, unconfined_r)

# This is what makes unconfined_t unconfined; the individual rules above and
# below mostly exist for correct labelling and role/domain transitions.
unconfined_domain_noaudit(unconfined_t)

userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })

usermanage_run_passwd(unconfined_t, unconfined_r)
usermanage_run_chfn(unconfined_t, unconfined_r)

# execmem / execstack / execmod are the only memory-protection checks that
# still apply to unconfined_t, and only when the global booleans are off.
tunable_policy(`allow_execmem',`
	allow unconfined_t self:process execmem;
')

tunable_policy(`allow_execmem && allow_execstack',`
	allow unconfined_t self:process execstack;
')

tunable_policy(`allow_execmod',`
	userdom_execmod_user_home_files(unconfined_usertype)
')

# When unconfined_login is on, any unconfined_login_domain process that
# executes a shell lands in unconfined_t; the fd/fifo/sigchld rules cover the
# parent/child plumbing of that transition.
tunable_policy(`unconfined_login',`
	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
	allow unconfined_t unconfined_login_domain:fd use;
	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
	allow unconfined_t unconfined_login_domain:process sigchld;
')

# Everything in this block is granted to the whole unconfined_usertype
# attribute (every unconfined user domain), not only to unconfined_t.
optional_policy(`
	gen_require(`
		attribute unconfined_usertype;
	')

	nsplugin_role_notrans(unconfined_r, unconfined_usertype)
	optional_policy(`
		tunable_policy(`allow_unconfined_nsplugin_transition',`
			nsplugin_domtrans(unconfined_usertype)
			nsplugin_domtrans_config(unconfined_usertype)
		')
	')

	optional_policy(`
		abrt_dbus_chat(unconfined_usertype)
		abrt_run_helper(unconfined_usertype, unconfined_r)
	')

	optional_policy(`
		avahi_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		certmonger_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		devicekit_dbus_chat(unconfined_usertype)
		devicekit_dbus_chat_disk(unconfined_usertype)
		devicekit_dbus_chat_power(unconfined_usertype)
	')

	optional_policy(`
		hal_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		networkmanager_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		policykit_role(unconfined_r, unconfined_usertype)
	')

	optional_policy(`
		rtkit_scheduled(unconfined_usertype)
	')

	optional_policy(`
		setroubleshoot_dbus_chat(unconfined_usertype)
		# fixit is deliberately narrower: unconfined_t only.
		setroubleshoot_dbus_chat_fixit(unconfined_t)
	')

	optional_policy(`
		sandbox_transition(unconfined_usertype, unconfined_r)
	')

	optional_policy(`
		shutdown_run(unconfined_t, unconfined_r)
	')

	optional_policy(`
		tzdata_run(unconfined_usertype, unconfined_r)
	')

	optional_policy(`
		gen_require(`
			type user_tmpfs_t;
		')

		xserver_rw_session(unconfined_usertype, user_tmpfs_t)
		xserver_run_xauth(unconfined_usertype, unconfined_r)
		xserver_dbus_chat_xdm(unconfined_usertype)
	')
')

ifdef(`distro_gentoo',`
	seutil_run_runinit(unconfined_t, unconfined_r)
	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
')

optional_policy(`
	accountsd_dbus_chat(unconfined_t)
')

optional_policy(`
	ada_run(unconfined_t, unconfined_r)
')

optional_policy(`
	alsa_run(unconfined_t, unconfined_r)
')

optional_policy(`
	apache_run_helper(unconfined_t, unconfined_r)
	apache_filetrans_home_content(unconfined_t)
')

optional_policy(`
	bind_run_ndc(unconfined_t, unconfined_r)
')

optional_policy(`
	bootloader_run(unconfined_t, unconfined_r)
')

optional_policy(`
	cron_unconfined_role(unconfined_r, unconfined_t)
')

optional_policy(`
	chrome_role(unconfined_r, unconfined_usertype)
')

# D-Bus: the role template is what declares unconfined_dbusd_t (it is not
# declared with a type statement anywhere in this file), so every later use
# of unconfined_dbusd_t depends on this optional block being active.
optional_policy(`
	dbus_role_template(unconfined, unconfined_r, unconfined_t)

	optional_policy(`
		# The session bus daemon of an unconfined user is itself unconfined.
		unconfined_domain(unconfined_dbusd_t)
		unconfined_execmem_domtrans(unconfined_dbusd_t)

		optional_policy(`
			xserver_rw_shm(unconfined_dbusd_t)
		')
	')

	init_dbus_chat(unconfined_usertype)
	init_dbus_chat_script(unconfined_usertype)

	dbus_stub(unconfined_t)

	optional_policy(`
		bluetooth_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		consolekit_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		cups_dbus_chat_config(unconfined_usertype)
	')

	optional_policy(`
		fprintd_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		gnomeclock_dbus_chat(unconfined_usertype)
		gnome_dbus_chat_gconfdefault(unconfined_usertype)
		gnome_filetrans_admin_home_content(unconfined_usertype)
		# gkeyringd started by the session bus ends up in unconfined_t.
		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
	')

	optional_policy(`
		ipsec_mgmt_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		kerneloops_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		oddjob_dbus_chat(unconfined_usertype)
	')

	optional_policy(`
		vpn_dbus_chat(unconfined_usertype)
	')
')

optional_policy(`
	firewallgui_dbus_chat(unconfined_usertype)
')

optional_policy(`
	firstboot_run(unconfined_t, unconfined_r)
')

optional_policy(`
	ftp_run_ftpdctl(unconfined_t, unconfined_r)
')

optional_policy(`
	gpsd_run(unconfined_t, unconfined_r)
')

optional_policy(`
	java_run_unconfined(unconfined_t, unconfined_r)
')

optional_policy(`
	kerberos_filetrans_named_content(unconfined_t)
')

optional_policy(`
	livecd_run(unconfined_t, unconfined_r)
')

optional_policy(`
	lpd_run_checkpc(unconfined_t, unconfined_r)
')

optional_policy(`
	mock_role(unconfined_r, unconfined_t)
')

optional_policy(`
	modutils_run_update_mods(unconfined_t, unconfined_r)
')

# unconfined_mono_t comes from the mono role template and is made unconfined
# too; it is also valid under system_r.
optional_policy(`
	mono_role_template(unconfined, unconfined_r, unconfined_t)
	unconfined_domain_noaudit(unconfined_mono_t)
	role system_r types unconfined_mono_t;
')

optional_policy(`
	mozilla_role_plugin(unconfined_r)

	# Off by default: plugin-container stays in the user's own domain.
	tunable_policy(`unconfined_mozilla_plugin_transition', `
		mozilla_domtrans_plugin(unconfined_usertype)
	')
')

optional_policy(`
	mta_filetrans_named_content(unconfined_t)
')

optional_policy(`
	ncftool_run(unconfined_t, unconfined_r)
')

optional_policy(`
	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
')

optional_policy(`
	prelink_run(unconfined_t, unconfined_r)
')

optional_policy(`
	portmap_run_helper(unconfined_t, unconfined_r)
')

#optional_policy(`
#	ppp_run(unconfined_t, unconfined_r)
#')

# With the tunable on, qemu started by an unconfined user is confined
# (qemu_domtrans); with it off (the default), the else branch keeps qemu in
# the unconfined qemu domain instead.
optional_policy(`
	qemu_unconfined_role(unconfined_r)

	tunable_policy(`allow_unconfined_qemu_transition',`
		qemu_domtrans(unconfined_t)
	',`
		qemu_domtrans_unconfined(unconfined_t)
	')
')

optional_policy(`
	quota_run(unconfined_t, unconfined_r)
')

optional_policy(`
	rpm_run(unconfined_t, unconfined_r)
	# Allow SELinux aware applications to request rpm_script execution
	rpm_transition_script(unconfined_t)
	rpm_dbus_chat(unconfined_t)
')

optional_policy(`
	optional_policy(`
		samba_run_unconfined_net(unconfined_t, unconfined_r)
	')

	samba_role_notrans(unconfined_r)
	# samba_run_winbind_helper(unconfined_t, unconfined_r)
	samba_run_smbcontrol(unconfined_t, unconfined_r)
')

optional_policy(`
	sysnet_run_dhcpc(unconfined_t, unconfined_r)
	sysnet_dbus_chat_dhcpc(unconfined_t)
	sysnet_role_transition_dhcpc(unconfined_r)
')

# NOTE(review): this references unconfined_dbusd_t, which is only declared by
# dbus_role_template() inside the dbus optional_policy block above; this
# block sits outside it. Consider moving it next to the gkeyringd call in
# the dbus block so both transitions share the same guard.
optional_policy(`
	telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
')

optional_policy(`
	vbetool_run(unconfined_t, unconfined_r)
')

optional_policy(`
	virt_transition_svirt(unconfined_t, unconfined_r)
	virt_filetrans_home_content(unconfined_t)
')

optional_policy(`
	vpn_run(unconfined_t, unconfined_r)
')

optional_policy(`
	webalizer_run(unconfined_t, unconfined_r)
')

optional_policy(`
	wine_run(unconfined_t, unconfined_r)
')

optional_policy(`
	xserver_run(unconfined_t, unconfined_r)
	xserver_manage_home_fonts(unconfined_t)
')

########################################
#
# Unconfined Execmem Local policy
#
# unconfined_execmem_t is declared by execmem_role_template() (no type
# statement here) and is the domain for programs that need executable
# memory. It is unconfined as well; the aliases keep the older execmem_t and
# unconfined_openoffice_t names valid.

optional_policy(`
	execmem_role_template(unconfined, unconfined_r, unconfined_t)
	typealias unconfined_execmem_t alias execmem_t;
	typealias unconfined_execmem_t alias unconfined_openoffice_t;
	unconfined_domain_noaudit(unconfined_execmem_t)
	# Lets the execmem domain transition back into plain unconfined_t.
	allow unconfined_execmem_t unconfined_t:process transition;
	rpm_transition_script(unconfined_execmem_t)
	role system_r types unconfined_execmem_t;

	optional_policy(`
		init_dbus_chat_script(unconfined_execmem_t)
		dbus_system_bus_client(unconfined_execmem_t)
		unconfined_dbus_chat(unconfined_execmem_t)
		unconfined_dbus_connect(unconfined_execmem_t)
	')

	# Else branch only: when the nsplugin transition tunable is OFF, nsplugin
	# binaries run in the execmem domain instead of the nsplugin domain
	# selected in the unconfined_usertype block above.
	optional_policy(`
		tunable_policy(`allow_unconfined_nsplugin_transition',`', `
			nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
		')
	')

	# NOTE(review): gated on unconfined_login, although a dedicated
	# unconfined_mplayer tunable is declared (and otherwise unused) at the
	# top of this file.
	optional_policy(`
		tunable_policy(`unconfined_login',`
			mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
		')
	')

	optional_policy(`
		openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
	')
')

########################################
#
# Unconfined notrans Local policy
#
# A second unconfined domain reached from unconfined_t by executing an
# unconfined_notrans_exec_t file. Unlike unconfined_t it gets execstack and
# execmem unconditionally and may ptrace every domain. The "notrans" name
# presumably means further domain transitions are not set up for it; nothing
# in this file adds any.

allow unconfined_notrans_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_notrans_t)
userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
# Allow SELinux aware applications to request rpm_script execution
rpm_transition_script(unconfined_notrans_t)
domain_ptrace_all_domains(unconfined_notrans_t)

########################################
#
# Unconfined SELinux user
#
# Declares the unconfined_u identity: roles unconfined_r and system_r,
# default level s0, full MLS range s0 - mls_systemhigh and every MCS category.

gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
