[people/stevee/selinux-policy.git] / policy / modules / kernel / domain.te

policy_module(domain, 1.9.1)

########################################
#
# Declarations
#
## <desc>
## <p>
## Allow all domains to use other domains file descriptors
## </p>
## </desc>
#
gen_tunable(allow_domain_fd_use, true)

## <desc>
## <p>
## Allow all domains to have the kernel load modules
## </p>
## </desc>
#
gen_tunable(domain_kernel_load_modules, false)

## <desc>
## <p>
##	Control the ability to mmap a low area of the address space,
##	as configured by /proc/sys/kernel/mmap_min_addr.
## </p>
## </desc>
gen_tunable(mmap_low_allowed, false)

# Mark process types as domains
attribute domain;

# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };

# Domains that are unconfined
attribute unconfined_domain_type;

# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;

# enabling setcurrent breaks process tranquility.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

#
# constraint related attributes
#

# [1] types that can change SELinux identity on transition
attribute can_change_process_identity;

# [2] types that can change SELinux role on transition
attribute can_change_process_role;

# [3] types that can change the SELinux identity on a filesystem
# object or a socket object on a create or relabel
attribute can_change_object_identity;

# [3] types that can change to system_u:system_r
attribute can_system_change;

# [4] types that have attribute 1 can change the SELinux
# identity only if the target domain has this attribute.
# Types that have attribute 2 can change the SELinux role
# only if the target domain has this attribute.
attribute process_user_target;

# For cron jobs
# [5] types used for cron daemons
attribute cron_source_domain;
# [6] types used for cron jobs
attribute cron_job_domain;

# [7] types that are unconditionally exempt from
# SELinux identity and role change constraints
attribute process_uncond_exempt;	# add userhelperdomain to this one

neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

########################################
#
# Rules applied to all domains
#

# read /proc/(pid|self) entries
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)

# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
kernel_dontaudit_search_debugfs(domain)

# create child processes in the domain
allow domain self:process { fork getsched sigchld };

# Use trusted objects in /dev
dev_read_cpu_online(domain)
dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)

# list the root directory
files_list_root(domain)
# allow all domains to search through default_t directory, since users sometimes
# place labels within these directories.  (samba_share_t) for example.
files_search_default(domain)

# All executables should be able to search the directory they are in
corecmd_search_bin(domain)

tunable_policy(`domain_kernel_load_modules',`
	kernel_request_load_module(domain)
')

tunable_policy(`global_ssp',`
	# enable reading of urandom for all domains:
	# this should be enabled when all programs
	# are compiled with ProPolice/SSP
	# stack smashing protection.
	dev_read_urand(domain)
')

optional_policy(`
	afs_rw_cache(domain)
')

optional_policy(`
	libs_use_ld_so(domain)
	libs_use_shared_libs(domain)
	libs_read_lib_files(domain)
')

optional_policy(`
	setrans_translate_context(domain)
')

# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
optional_policy(`
	xserver_dontaudit_use_xdm_fds(domain)
	xserver_dontaudit_rw_xdm_pipes(domain)
	xserver_dontaudit_append_xdm_home_files(domain)
	xserver_dontaudit_write_log(domain)
')

########################################
#
# Unconfined access to this module
#

# unconfined access also allows constraints, but this
# is handled in the interface as typeattribute cannot
# be used on an attribute.

# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;

# Use descriptors and pipes created by any domain.
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;

allow unconfined_domain_type unconfined_domain_type:dbus send_msg;

# Act upon any other process.
allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
tunable_policy(`deny_ptrace',`',`
	allow unconfined_domain_type domain:process ptrace;
')

# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
allow unconfined_domain_type domain:msg { send receive };

# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };

# act on all domains keys
allow unconfined_domain_type domain:key *;

dev_filetrans_all_named_dev(unconfined_domain_type)

# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)

storage_filetrans_all_named_dev(unconfined_domain_type)

term_filetrans_all_named_dev(unconfined_domain_type)

optional_policy(`
	auth_filetrans_named_content(unconfined_domain_type)
	auth_filetrans_admin_home_content(unconfined_domain_type)
	auth_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	alsa_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	apache_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	bootloader_filetrans_config(unconfined_domain_type)
')

optional_policy(`
	gnome_filetrans_admin_home_content(unconfined_domain_type)
')

optional_policy(`
	devicekit_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	dnsmasq_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	kerberos_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	libs_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	miscfiles_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	mta_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	modules_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	mozilla_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	networkmanager_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	nx_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	postfix_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	pulseaudio_filetrans_home_content(unconfined_domain_type)
	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
')

optional_policy(`
	quota_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	sysnet_filetrans_named_content(unconfined_domain_type)
')

optional_policy(`
	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
	userdom_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	virt_filetrans_home_content(unconfined_domain_type)
')

optional_policy(`
	ssh_filetrans_admin_home_content(unconfined_domain_type)
')

selinux_getattr_fs(domain)
selinux_search_fs(domain)
selinux_dontaudit_read_fs(domain)

optional_policy(`
	seutil_dontaudit_read_config(domain)
')

optional_policy(`
	init_sigchld(domain)
	init_signull(domain)
')

ifdef(`distro_redhat',`
	files_search_mnt(domain)
	optional_policy(`
		unconfined_use_fds(domain)
	')
')

# these seem questionable:

optional_policy(`
	abrt_domtrans_helper(domain)
	abrt_read_pid_files(domain)
	abrt_read_state(domain)
	abrt_signull(domain)
	abrt_append_cache(domain)
	abrt_rw_fifo_file(domain)
')

optional_policy(`
	rpm_use_fds(domain)
	rpm_read_pipes(domain)
	rpm_search_log(domain)
	rpm_append_tmp_files(domain)
	rpm_dontaudit_leaks(domain)
	rpm_read_script_tmp_files(domain)
	rpm_inherited_fifo(domain)
')

optional_policy(`
	sosreport_append_tmp_files(domain)
')

tunable_policy(`allow_domain_fd_use',`
	# Allow all domains to use fds past to them
	allow domain domain:fd use;
')

optional_policy(`
	cron_dontaudit_write_system_job_tmp_files(domain)
	cron_rw_pipes(domain)
	cron_rw_system_job_pipes(domain)
')

ifdef(`hide_broken_symptoms',`
	dontaudit domain self:udp_socket listen;
	allow domain domain:key { link search };
	dontaudit domain domain:socket_class_set { read write };
	dontaudit domain self:capability sys_module;
')

optional_policy(`
	hal_dontaudit_read_pid_files(domain)
')

optional_policy(`
	ipsec_match_default_spd(domain)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		afs_rw_udp_sockets(domain)
	')
')

optional_policy(`
	ssh_rw_pipes(domain)
')

optional_policy(`
	unconfined_dontaudit_rw_pipes(domain)
	unconfined_sigchld(domain)
')

# broken kernel
dontaudit can_change_object_identity can_change_object_identity:key link;

ifdef(`distro_redhat',`
	optional_policy(`
		unconfined_use_fds(domain)
	')
')

# send init a sigchld and signull
optional_policy(`
	init_sigchld(domain)
	init_signull(domain)
')

# these seem questionable:

optional_policy(`
	rpm_use_fds(domain)
	rpm_read_pipes(domain)
')

optional_policy(`
	selinux_dontaudit_getattr_fs(domain)
	selinux_dontaudit_read_fs(domain)
')

optional_policy(`
	seutil_dontaudit_read_config(domain)
')

dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
dontaudit domain self:capability sys_ptrace;
Commit	Line	Data
0de0ea5c	1	policy_module(domain, 1.9.1)
960373dd	2
fd89e19f CP	3	########################################
	4	#
	5	# Declarations
	6	#
3eaa9939 DW	7	## <desc>
	8	## <p>
	9	## Allow all domains to use other domains file descriptors
	10	## </p>
	11	## </desc>
	12	#
5946923f	13	gen_tunable(allow_domain_fd_use, true)
3eaa9939 DW	14
	15	## <desc>
	16	## <p>
	17	## Allow all domains to have the kernel load modules
	18	## </p>
	19	## </desc>
	20	#
	21	gen_tunable(domain_kernel_load_modules, false)
fd89e19f	22
623e4f08 DG	23	## <desc>
	24	## <p>
	25	## Control the ability to mmap a low area of the address space,
	26	## as configured by /proc/sys/kernel/mmap_min_addr.
	27	## </p>
	28	## </desc>
	29	gen_tunable(mmap_low_allowed, false)
	30
b4cd1533 CP	31	# Mark process types as domains
	32	attribute domain;
	33
2e863f8a CP	34	# Transitions only allowed from domains to other domains
	35	neverallow domain ~domain:process { transition dyntransition };
	36
605ba285	37	# Domains that are unconfined
95501942	38	attribute unconfined_domain_type;
605ba285	39
41337aa8 CP	40	# Domains that can mmap low memory.
	41	attribute mmap_low_domain_type;
	42	neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
	43
2e863f8a CP	44	# Domains that can set their current context
	45	# (perform dynamic transitions)
	46	attribute set_curr_context;
	47
	48	# enabling setcurrent breaks process tranquility. If you do not
	49	# know what this means or do not understand the implications of a
	50	# dynamic transition, you should not be using it!!!
	51	neverallow { domain -set_curr_context } self:process setcurrent;
	52
960373dd CP	53	# entrypoint executables
	54	attribute entry_type;
	55
8a0da108 CP	56	# widely-inheritable file descriptors
	57	attribute privfd;
	58
2e863f8a	59	#
8bd67899	60	# constraint related attributes
2e863f8a CP	61	#
	62
	63	# [1] types that can change SELinux identity on transition
8bd67899	64	attribute can_change_process_identity;
2e863f8a CP	65
2e863f8a CP	66	# [2] types that can change SELinux role on transition
8bd67899	67	attribute can_change_process_role;
2e863f8a CP	68
	69	# [3] types that can change the SELinux identity on a filesystem
	70	# object or a socket object on a create or relabel
8bd67899 CP	71	attribute can_change_object_identity;
8bd67899 CP	72
2e863f8a CP	73	# [3] types that can change to system_u:system_r
2e863f8a CP	74	attribute can_system_change;
a154cd45	75
2e863f8a CP	76	# [4] types that have attribute 1 can change the SELinux
	77	# identity only if the target domain has this attribute.
	78	# Types that have attribute 2 can change the SELinux role
	79	# only if the target domain has this attribute.
	80	attribute process_user_target;
	81
	82	# For cron jobs
	83	# [5] types used for cron daemons
	84	attribute cron_source_domain;
	85	# [6] types used for cron jobs
	86	attribute cron_job_domain;
	87
	88	# [7] types that are unconditionally exempt from
	89	# SELinux identity and role change constraints
	90	attribute process_uncond_exempt; # add userhelperdomain to this one
2a3478cf	91
e0dfbdf1	92	neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
2e863f8a	93	neverallow ~{ domain unlabeled_t } :process ;
3cfd4876 CP	94
	95	########################################
	96	#
	97	# Rules applied to all domains
	98	#
	99
1f6524ae	100	# read /proc/(pid\|self) entries
ef659a47 CP	101	allow domain self:dir list_dir_perms;
ef659a47 CP	102	allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
3cfd4876	103	allow domain self:file rw_file_perms;
1f6524ae	104	kernel_read_proc_symlinks(domain)
3eaa9939 DW	105	kernel_read_crypto_sysctls(domain)
3eaa9939 DW	106
495df416 CP	107	# Every domain gets the key ring, so we should default
	108	# to no one allowed to look at it; afs kernel support creates
	109	# a keyring
	110	kernel_dontaudit_search_key(domain)
	111	kernel_dontaudit_link_key(domain)
3eaa9939	112	kernel_dontaudit_search_debugfs(domain)
3cfd4876 CP	113
3cfd4876 CP	114	# create child processes in the domain
3eaa9939	115	allow domain self:process { fork getsched sigchld };
3cfd4876 CP	116
3cfd4876 CP	117	# Use trusted objects in /dev
1a725aa0	118	dev_read_cpu_online(domain)
3cfd4876 CP	119	dev_rw_null(domain)
	120	dev_rw_zero(domain)
	121	term_use_controlling_term(domain)
	122
	123	# list the root directory
	124	files_list_root(domain)
fb52482a DW	125	# allow all domains to search through default_t directory, since users sometimes
	126	# place labels within these directories. (samba_share_t) for example.
	127	files_search_default(domain)
3cfd4876	128
3eaa9939 DW	129	# All executables should be able to search the directory they are in
	130	corecmd_search_bin(domain)
	131
	132	tunable_policy(`domain_kernel_load_modules',`
	133	kernel_request_load_module(domain)
	134	')
	135
3cfd4876 CP	136	tunable_policy(`global_ssp',`
	137	# enable reading of urandom for all domains:
	138	# this should be enabled when all programs
	139	# are compiled with ProPolice/SSP
	140	# stack smashing protection.
	141	dev_read_urand(domain)
	142	')
b518fc2e	143
3eaa9939 DW	144	optional_policy(`
	145	afs_rw_cache(domain)
	146	')
	147
8fddd0b9 MG	148	optional_policy(`
	149	libs_use_ld_so(domain)
	150	libs_use_shared_libs(domain)
	151	libs_read_lib_files(domain)
	152	')
6e68e6bb	153
165b42d2 CP	154	optional_policy(`
	155	setrans_translate_context(domain)
	156	')
	157
495df416 CP	158	# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
	159	optional_policy(`
	160	xserver_dontaudit_use_xdm_fds(domain)
	161	xserver_dontaudit_rw_xdm_pipes(domain)
3eaa9939 DW	162	xserver_dontaudit_append_xdm_home_files(domain)
3eaa9939 DW	163	xserver_dontaudit_write_log(domain)
495df416 CP	164	')
495df416 CP	165
b518fc2e CP	166	########################################
	167	#
	168	# Unconfined access to this module
	169	#
	170
	171	# unconfined access also allows constraints, but this
	172	# is handled in the interface as typeattribute cannot
	173	# be used on an attribute.
	174
	175	# Use/sendto/connectto sockets created by any domain.
	176	allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
	177
	178	# Use descriptors and pipes created by any domain.
	179	allow unconfined_domain_type domain:fd use;
	180	allow unconfined_domain_type domain:fifo_file rw_file_perms;
	181
3eaa9939 DW	182	allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
3eaa9939 DW	183
b518fc2e	184	# Act upon any other process.
995bdbb1	185	allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
	186	tunable_policy(`deny_ptrace',`',`
	187	allow unconfined_domain_type domain:process ptrace;
	188	')
b518fc2e CP	189
	190	# Create/access any System V IPC objects.
	191	allow unconfined_domain_type domain:{ sem msgq shm } *;
	192	allow unconfined_domain_type domain:msg { send receive };
	193
	194	# For /proc/pid
ef659a47	195	allow unconfined_domain_type domain:dir list_dir_perms;
a65fd90a	196	allow unconfined_domain_type domain:file rw_file_perms;
ef659a47	197	allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
d8226758 CP	198
	199	# act on all domains keys
	200	allow unconfined_domain_type domain:key *;
bdccbacd	201
b96b2004 DW	202	dev_filetrans_all_named_dev(unconfined_domain_type)
b96b2004 DW	203
bdccbacd CP	204	# receive from all domains over labeled networking
bdccbacd CP	205	domain_all_recvfrom_all_domains(unconfined_domain_type)
3eaa9939	206
b96b2004 DW	207	storage_filetrans_all_named_dev(unconfined_domain_type)
	208
	209	term_filetrans_all_named_dev(unconfined_domain_type)
	210
951d25a5	211	optional_policy(`
11578593 DW	212	auth_filetrans_named_content(unconfined_domain_type)
	213	auth_filetrans_admin_home_content(unconfined_domain_type)
	214	auth_filetrans_home_content(unconfined_domain_type)
951d25a5	215	')
b96b2004 DW	216
	217	optional_policy(`
	218	alsa_filetrans_named_content(unconfined_domain_type)
	219	')
	220
	221	optional_policy(`
	222	apache_filetrans_home_content(unconfined_domain_type)
	223	')
	224
	225	optional_policy(`
	226	bootloader_filetrans_config(unconfined_domain_type)
	227	')
	228
	229	optional_policy(`
	230	gnome_filetrans_admin_home_content(unconfined_domain_type)
	231	')
	232
	233	optional_policy(`
	234	devicekit_filetrans_named_content(unconfined_domain_type)
	235	')
	236
	237	optional_policy(`
	238	dnsmasq_filetrans_named_content(unconfined_domain_type)
	239	')
	240
	241	optional_policy(`
	242	kerberos_filetrans_named_content(unconfined_domain_type)
	243	')
	244
951d25a5 DW	245	optional_policy(`
	246	libs_filetrans_named_content(unconfined_domain_type)
	247	')
	248
	249	optional_policy(`
	250	miscfiles_filetrans_named_content(unconfined_domain_type)
	251	')
	252
b96b2004 DW	253	optional_policy(`
	254	mta_filetrans_named_content(unconfined_domain_type)
	255	')
	256
951d25a5 DW	257	optional_policy(`
	258	modules_filetrans_named_content(unconfined_domain_type)
	259	')
	260
74cf2139 DW	261	optional_policy(`
	262	mozilla_filetrans_home_content(unconfined_domain_type)
	263	')
	264
b96b2004 DW	265	optional_policy(`
	266	networkmanager_filetrans_named_content(unconfined_domain_type)
	267	')
	268
	269	optional_policy(`
	270	nx_filetrans_named_content(unconfined_domain_type)
	271	')
	272
7dd47a9a DW	273	optional_policy(`
	274	postfix_filetrans_named_content(unconfined_domain_type)
	275	')
	276
b96b2004 DW	277	optional_policy(`
	278	pulseaudio_filetrans_home_content(unconfined_domain_type)
	279	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
	280	')
	281
	282	optional_policy(`
	283	quota_filetrans_named_content(unconfined_domain_type)
	284	')
	285
951d25a5 DW	286	optional_policy(`
	287	sysnet_filetrans_named_content(unconfined_domain_type)
	288	')
	289
	290	optional_policy(`
	291	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
55a7fd92	292	userdom_filetrans_home_content(unconfined_domain_type)
951d25a5 DW	293	')
951d25a5 DW	294
b96b2004 DW	295	optional_policy(`
	296	virt_filetrans_home_content(unconfined_domain_type)
	297	')
	298
	299	optional_policy(`
	300	ssh_filetrans_admin_home_content(unconfined_domain_type)
	301	')
	302
3eaa9939 DW	303	selinux_getattr_fs(domain)
	304	selinux_search_fs(domain)
	305	selinux_dontaudit_read_fs(domain)
	306
a9c4f705 DW	307	optional_policy(`
	308	seutil_dontaudit_read_config(domain)
	309	')
3eaa9939	310
a9c4f705 DW	311	optional_policy(`
	312	init_sigchld(domain)
	313	init_signull(domain)
	314	')
3eaa9939 DW	315
	316	ifdef(`distro_redhat',`
	317	files_search_mnt(domain)
	318	optional_policy(`
	319	unconfined_use_fds(domain)
	320	')
	321	')
	322
	323	# these seem questionable:
	324
	325	optional_policy(`
	326	abrt_domtrans_helper(domain)
	327	abrt_read_pid_files(domain)
	328	abrt_read_state(domain)
	329	abrt_signull(domain)
0e7fbb58 DW	330	abrt_append_cache(domain)
0e7fbb58 DW	331	abrt_rw_fifo_file(domain)
3eaa9939 DW	332	')
	333
	334	optional_policy(`
	335	rpm_use_fds(domain)
	336	rpm_read_pipes(domain)
	337	rpm_search_log(domain)
	338	rpm_append_tmp_files(domain)
	339	rpm_dontaudit_leaks(domain)
	340	rpm_read_script_tmp_files(domain)
	341	rpm_inherited_fifo(domain)
	342	')
	343
	344	optional_policy(`
	345	sosreport_append_tmp_files(domain)
	346	')
	347
	348	tunable_policy(`allow_domain_fd_use',`
	349	# Allow all domains to use fds past to them
	350	allow domain domain:fd use;
	351	')
	352
	353	optional_policy(`
	354	cron_dontaudit_write_system_job_tmp_files(domain)
	355	cron_rw_pipes(domain)
	356	cron_rw_system_job_pipes(domain)
	357	')
	358
	359	ifdef(`hide_broken_symptoms',`
	360	dontaudit domain self:udp_socket listen;
	361	allow domain domain:key { link search };
54f9ea9e	362	dontaudit domain domain:socket_class_set { read write };
c7c7cd24	363	dontaudit domain self:capability sys_module;
3eaa9939 DW	364	')
3eaa9939 DW	365
dfe675b8 DW	366	optional_policy(`
	367	hal_dontaudit_read_pid_files(domain)
	368	')
	369
5dd938af DW	370	optional_policy(`
	371	ipsec_match_default_spd(domain)
	372	')
	373
3eaa9939 DW	374	optional_policy(`
	375	ifdef(`hide_broken_symptoms',`
	376	afs_rw_udp_sockets(domain)
	377	')
	378	')
	379
	380	optional_policy(`
	381	ssh_rw_pipes(domain)
	382	')
	383
	384	optional_policy(`
	385	unconfined_dontaudit_rw_pipes(domain)
	386	unconfined_sigchld(domain)
	387	')
	388
	389	# broken kernel
	390	dontaudit can_change_object_identity can_change_object_identity:key link;
54f9ea9e	391
e15a6502 DW	392	ifdef(`distro_redhat',`
	393	optional_policy(`
	394	unconfined_use_fds(domain)
	395	')
	396	')
	397
	398	# send init a sigchld and signull
	399	optional_policy(`
	400	init_sigchld(domain)
	401	init_signull(domain)
	402	')
	403
	404	# these seem questionable:
	405
	406	optional_policy(`
	407	rpm_use_fds(domain)
	408	rpm_read_pipes(domain)
	409	')
	410
	411	optional_policy(`
	412	selinux_dontaudit_getattr_fs(domain)
	413	selinux_dontaudit_read_fs(domain)
	414	')
	415
	416	optional_policy(`
	417	seutil_dontaudit_read_config(domain)
	418	')
b8df5447 DW	419
b8df5447 DW	420	dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
995bdbb1	421	dontaudit domain self:capability sys_ptrace;