[people/stevee/selinux-policy.git] / policy / modules / roles / unconfineduser.te

policy_module(unconfineduser, 1.0.0)

########################################
#
# Declarations
#
attribute unconfined_login_domain;

## <desc>
## <p>
## Allow vidio playing tools to tun unconfined
## </p>
## </desc>
gen_tunable(unconfined_mplayer, false)

## <desc>
## <p>
## Allow a user to login as an unconfined domain
## </p>
## </desc>
gen_tunable(unconfined_login, true)

# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
userdom_base_user_template(unconfined)
userdom_manage_home_role(unconfined_r, unconfined_t)
userdom_manage_tmp_role(unconfined_r, unconfined_t)
userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
userdom_unpriv_type(unconfined_r, unconfined_t)

type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
role unconfined_r types unconfined_t;
role_transition system_r unconfined_exec_t unconfined_r;
allow system_r unconfined_r;

domain_user_exemption_target(unconfined_t)
allow system_r unconfined_r;
allow unconfined_r system_r;
init_script_role_transition(unconfined_r)
role system_r types unconfined_t;
typealias unconfined_t alias unconfined_crontab_t;

########################################
#
# Local policy
#

dontaudit unconfined_t self:dir write;
dontaudit unconfined_t self:file setattr;

allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module;

kernel_rw_unlabeled_socket(unconfined_t)
kernel_rw_unlabeled_rawip_socket(unconfined_t)

files_create_boot_flag(unconfined_t)
files_create_default_dir(unconfined_t)
files_root_filetrans_default(unconfined_t, dir)

mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
mls_file_write_all_levels(unconfined_t)

init_run_daemon(unconfined_t, unconfined_r)
init_domtrans_script(unconfined_t)
init_telinit(unconfined_t)

logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r)

systemd_config_all_services(unconfined_t)

seutil_run_loadpolicy(unconfined_t, unconfined_r)
seutil_run_setsebool(unconfined_t, unconfined_r)
seutil_run_setfiles(unconfined_t, unconfined_r)
seutil_run_semanage(unconfined_t, unconfined_r)

unconfined_domain_noaudit(unconfined_t)

usermanage_run_passwd(unconfined_t, unconfined_r)
usermanage_run_chfn(unconfined_t, unconfined_r)

tunable_policy(`deny_execmem',`',`
	allow unconfined_t self:process execmem;
')

tunable_policy(`allow_execstack',`
	allow unconfined_t self:process execstack;
')

tunable_policy(`allow_execmod',`
	userdom_execmod_user_home_files(unconfined_t)
')

tunable_policy(`unconfined_login',`
	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
	allow unconfined_t unconfined_login_domain:fd use;
	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
	allow unconfined_t unconfined_login_domain:process sigchld;
')

optional_policy(`
	gen_require(`
		type unconfined_t;
	')

	optional_policy(`
		abrt_dbus_chat(unconfined_t)
		abrt_run_helper(unconfined_t, unconfined_r)
	')

	optional_policy(`
		avahi_dbus_chat(unconfined_t)
	')

	optional_policy(`
		blueman_dbus_chat(unconfined_t)
	')

	optional_policy(`
		certmonger_dbus_chat(unconfined_t)
	')

	optional_policy(`
		devicekit_dbus_chat(unconfined_t)
		devicekit_dbus_chat_disk(unconfined_t)
		devicekit_dbus_chat_power(unconfined_t)
	')

	optional_policy(`
		hal_dbus_chat(unconfined_t)
	')

	optional_policy(`
		networkmanager_dbus_chat(unconfined_t)
	')

	optional_policy(`
		policykit_role(unconfined_r, unconfined_t)
	')

	optional_policy(`
		rtkit_scheduled(unconfined_t)
	')

	optional_policy(`
		setroubleshoot_dbus_chat(unconfined_t)
		setroubleshoot_dbus_chat_fixit(unconfined_t)
	')

	optional_policy(`
		sandbox_transition(unconfined_t, unconfined_r)
	')

	optional_policy(`
		shutdown_run(unconfined_t, unconfined_r)
	')

	optional_policy(`
		gen_require(`
			type user_tmpfs_t;
		')
	
		xserver_rw_session(unconfined_t, user_tmpfs_t)
		xserver_run_xauth(unconfined_t, unconfined_r)
		xserver_dbus_chat_xdm(unconfined_t)
	')
')

ifdef(`distro_gentoo',`
	seutil_run_runinit(unconfined_t, unconfined_r)
	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
')

optional_policy(`
	accountsd_dbus_chat(unconfined_t)
')

optional_policy(`
	apache_run_helper(unconfined_t, unconfined_r)
')

optional_policy(`
	bind_run_ndc(unconfined_t, unconfined_r)
')

optional_policy(`
	dbus_role_template(unconfined, unconfined_r, unconfined_t)

	optional_policy(`
		unconfined_domain(unconfined_dbusd_t)

		optional_policy(`
			xserver_rw_shm(unconfined_dbusd_t)
		')
	')

	init_dbus_chat(unconfined_t)
	init_dbus_chat_script(unconfined_t)

	dbus_stub(unconfined_t)

	optional_policy(`
		bluetooth_dbus_chat(unconfined_t)
	')

	optional_policy(`
		consolekit_dbus_chat(unconfined_t)
	')

	optional_policy(`
		cups_dbus_chat_config(unconfined_t)
	')

	optional_policy(`
		fprintd_dbus_chat(unconfined_t)
	')

	optional_policy(`
		gnomeclock_dbus_chat(unconfined_t)
		gnome_dbus_chat_gconfdefault(unconfined_t)
		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
	')

	optional_policy(`
		ipsec_mgmt_dbus_chat(unconfined_t)
	')

	optional_policy(`
		kerneloops_dbus_chat(unconfined_t)
	')

	optional_policy(`
        telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
    ')

	optional_policy(`
		oddjob_dbus_chat(unconfined_t)
	')

	optional_policy(`
		vpn_dbus_chat(unconfined_t)
	')
')

optional_policy(`
	firewallgui_dbus_chat(unconfined_t)
')

optional_policy(`
	firstboot_run(unconfined_t, unconfined_r)
')

optional_policy(`
	ftp_run_ftpdctl(unconfined_t, unconfined_r)
')

optional_policy(`
        gpsd_run(unconfined_t, unconfined_r)
')

optional_policy(`
	java_run_unconfined(unconfined_t, unconfined_r)
')

optional_policy(`
	livecd_run(unconfined_t, unconfined_r)
')

optional_policy(`
	lpd_run_checkpc(unconfined_t, unconfined_r)
')

#optional_policy(`
#	mock_role(unconfined_r, unconfined_t)
#')

optional_policy(`
	modutils_run_update_mods(unconfined_t, unconfined_r)
')

optional_policy(`
	ncftool_run(unconfined_t, unconfined_r)
')

optional_policy(`
	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
')

optional_policy(`
	prelink_run(unconfined_t, unconfined_r)
')

optional_policy(`
	portmap_run_helper(unconfined_t, unconfined_r)
')

optional_policy(`
	rpm_run(unconfined_t, unconfined_r)
	# Allow SELinux aware applications to request rpm_script execution
	rpm_transition_script(unconfined_t)
	rpm_dbus_chat(unconfined_t)
')

optional_policy(`
	optional_policy(`
		samba_run_unconfined_net(unconfined_t, unconfined_r)
	')

	samba_role_notrans(unconfined_r)
	samba_run_smbcontrol(unconfined_t, unconfined_r)
')

optional_policy(`
	sysnet_run_dhcpc(unconfined_t, unconfined_r)
	sysnet_dbus_chat_dhcpc(unconfined_t)
	sysnet_role_transition_dhcpc(unconfined_r)
')

optional_policy(`
	usermanage_run_useradd(unconfined_t, unconfined_r)
')

optional_policy(`
	vbetool_run(unconfined_t, unconfined_r)
')

optional_policy(`
	virt_transition_svirt(unconfined_t, unconfined_r)
')

optional_policy(`
	vpn_run(unconfined_t, unconfined_r)
')

optional_policy(`
	webalizer_run(unconfined_t, unconfined_r)
')

optional_policy(`
	wine_run(unconfined_t, unconfined_r)
')

optional_policy(`
	xserver_run(unconfined_t, unconfined_r)
	xserver_manage_home_fonts(unconfined_t)
')

gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
Commit	Line	Data
3eaa9939 DW	1	policy_module(unconfineduser, 1.0.0)
	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7	attribute unconfined_login_domain;
	8
dfe675b8 DW	9	## <desc>
	10	## <p>
	11	## Allow vidio playing tools to tun unconfined
	12	## </p>
	13	## </desc>
	14	gen_tunable(unconfined_mplayer, false)
	15
3eaa9939 DW	16	## <desc>
	17	## <p>
	18	## Allow a user to login as an unconfined domain
	19	## </p>
	20	## </desc>
	21	gen_tunable(unconfined_login, true)
	22
3eaa9939 DW	23	# usage in this module of types created by these
	24	# calls is not correct, however we dont currently
	25	# have another method to add access to these types
	26	userdom_base_user_template(unconfined)
	27	userdom_manage_home_role(unconfined_r, unconfined_t)
	28	userdom_manage_tmp_role(unconfined_r, unconfined_t)
	29	userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
8592752f	30	userdom_unpriv_type(unconfined_r, unconfined_t)
3eaa9939 DW	31
	32	type unconfined_exec_t;
	33	init_system_domain(unconfined_t, unconfined_exec_t)
	34	role unconfined_r types unconfined_t;
	35	role_transition system_r unconfined_exec_t unconfined_r;
	36	allow system_r unconfined_r;
	37
	38	domain_user_exemption_target(unconfined_t)
	39	allow system_r unconfined_r;
	40	allow unconfined_r system_r;
	41	init_script_role_transition(unconfined_r)
	42	role system_r types unconfined_t;
	43	typealias unconfined_t alias unconfined_crontab_t;
	44
3eaa9939 DW	45	########################################
	46	#
	47	# Local policy
	48	#
	49
	50	dontaudit unconfined_t self:dir write;
	51	dontaudit unconfined_t self:file setattr;
	52
	53	allow unconfined_t self:system syslog_read;
	54	dontaudit unconfined_t self:capability sys_module;
	55
e3007c2a MG	56	kernel_rw_unlabeled_socket(unconfined_t)
	57	kernel_rw_unlabeled_rawip_socket(unconfined_t)
	58
3eaa9939 DW	59	files_create_boot_flag(unconfined_t)
	60	files_create_default_dir(unconfined_t)
	61	files_root_filetrans_default(unconfined_t, dir)
	62
	63	mcs_killall(unconfined_t)
	64	mcs_ptrace_all(unconfined_t)
	65	mls_file_write_all_levels(unconfined_t)
	66
	67	init_run_daemon(unconfined_t, unconfined_r)
	68	init_domtrans_script(unconfined_t)
	69	init_telinit(unconfined_t)
	70
3eaa9939 DW	71	logging_send_syslog_msg(unconfined_t)
	72	logging_run_auditctl(unconfined_t, unconfined_r)
	73
eedf23b8 DW	74	systemd_config_all_services(unconfined_t)
eedf23b8 DW	75
ef04987e	76	seutil_run_loadpolicy(unconfined_t, unconfined_r)
3eaa9939 DW	77	seutil_run_setsebool(unconfined_t, unconfined_r)
	78	seutil_run_setfiles(unconfined_t, unconfined_r)
	79	seutil_run_semanage(unconfined_t, unconfined_r)
	80
	81	unconfined_domain_noaudit(unconfined_t)
	82
3eaa9939 DW	83	usermanage_run_passwd(unconfined_t, unconfined_r)
	84	usermanage_run_chfn(unconfined_t, unconfined_r)
	85
4a093096	86	tunable_policy(`deny_execmem',`',`
3eaa9939 DW	87	allow unconfined_t self:process execmem;
	88	')
	89
4a093096	90	tunable_policy(`allow_execstack',`
3eaa9939 DW	91	allow unconfined_t self:process execstack;
	92	')
	93
	94	tunable_policy(`allow_execmod',`
a6c4623b	95	userdom_execmod_user_home_files(unconfined_t)
3eaa9939 DW	96	')
	97
	98	tunable_policy(`unconfined_login',`
	99	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
	100	allow unconfined_t unconfined_login_domain:fd use;
	101	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
	102	allow unconfined_t unconfined_login_domain:process sigchld;
	103	')
	104
	105	optional_policy(`
	106	gen_require(`
8592752f	107	type unconfined_t;
3eaa9939 DW	108	')
3eaa9939 DW	109
3eaa9939	110	optional_policy(`
a6c4623b DW	111	abrt_dbus_chat(unconfined_t)
a6c4623b DW	112	abrt_run_helper(unconfined_t, unconfined_r)
3eaa9939 DW	113	')
	114
	115	optional_policy(`
a6c4623b	116	avahi_dbus_chat(unconfined_t)
3eaa9939 DW	117	')
3eaa9939 DW	118
0b544ffb	119	optional_policy(`
a6c4623b	120	blueman_dbus_chat(unconfined_t)
0b544ffb DW	121	')
0b544ffb DW	122
3eaa9939	123	optional_policy(`
a6c4623b	124	certmonger_dbus_chat(unconfined_t)
3eaa9939 DW	125	')
	126
	127	optional_policy(`
a6c4623b DW	128	devicekit_dbus_chat(unconfined_t)
	129	devicekit_dbus_chat_disk(unconfined_t)
	130	devicekit_dbus_chat_power(unconfined_t)
3eaa9939 DW	131	')
	132
	133	optional_policy(`
a6c4623b	134	hal_dbus_chat(unconfined_t)
3eaa9939 DW	135	')
3eaa9939 DW	136
3eaa9939	137	optional_policy(`
a6c4623b	138	networkmanager_dbus_chat(unconfined_t)
3eaa9939 DW	139	')
	140
	141	optional_policy(`
a6c4623b	142	policykit_role(unconfined_r, unconfined_t)
3eaa9939 DW	143	')
	144
	145	optional_policy(`
a6c4623b	146	rtkit_scheduled(unconfined_t)
3eaa9939 DW	147	')
	148
	149	optional_policy(`
a6c4623b	150	setroubleshoot_dbus_chat(unconfined_t)
3eaa9939 DW	151	setroubleshoot_dbus_chat_fixit(unconfined_t)
	152	')
	153
	154	optional_policy(`
a6c4623b	155	sandbox_transition(unconfined_t, unconfined_r)
3eaa9939 DW	156	')
	157
	158	optional_policy(`
	159	shutdown_run(unconfined_t, unconfined_r)
	160	')
	161
3eaa9939	162	optional_policy(`
2d4a79a0 DW	163	gen_require(`
	164	type user_tmpfs_t;
	165	')
	166
a6c4623b DW	167	xserver_rw_session(unconfined_t, user_tmpfs_t)
	168	xserver_run_xauth(unconfined_t, unconfined_r)
	169	xserver_dbus_chat_xdm(unconfined_t)
3eaa9939 DW	170	')
	171	')
	172
	173	ifdef(`distro_gentoo',`
	174	seutil_run_runinit(unconfined_t, unconfined_r)
	175	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
	176	')
	177
	178	optional_policy(`
	179	accountsd_dbus_chat(unconfined_t)
	180	')
	181
3eaa9939 DW	182	optional_policy(`
	183	apache_run_helper(unconfined_t, unconfined_r)
	184	')
	185
	186	optional_policy(`
	187	bind_run_ndc(unconfined_t, unconfined_r)
	188	')
	189
3eaa9939 DW	190	optional_policy(`
	191	dbus_role_template(unconfined, unconfined_r, unconfined_t)
	192
	193	optional_policy(`
	194	unconfined_domain(unconfined_dbusd_t)
3eaa9939 DW	195
	196	optional_policy(`
	197	xserver_rw_shm(unconfined_dbusd_t)
	198	')
	199	')
	200
a6c4623b DW	201	init_dbus_chat(unconfined_t)
a6c4623b DW	202	init_dbus_chat_script(unconfined_t)
3eaa9939 DW	203
	204	dbus_stub(unconfined_t)
	205
	206	optional_policy(`
a6c4623b	207	bluetooth_dbus_chat(unconfined_t)
3eaa9939 DW	208	')
	209
	210	optional_policy(`
a6c4623b	211	consolekit_dbus_chat(unconfined_t)
3eaa9939 DW	212	')
	213
	214	optional_policy(`
a6c4623b	215	cups_dbus_chat_config(unconfined_t)
3eaa9939 DW	216	')
	217
	218	optional_policy(`
a6c4623b	219	fprintd_dbus_chat(unconfined_t)
3eaa9939 DW	220	')
	221
	222	optional_policy(`
a6c4623b DW	223	gnomeclock_dbus_chat(unconfined_t)
a6c4623b DW	224	gnome_dbus_chat_gconfdefault(unconfined_t)
3a7aacc9	225	gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
3eaa9939 DW	226	')
	227
	228	optional_policy(`
a6c4623b	229	ipsec_mgmt_dbus_chat(unconfined_t)
3eaa9939 DW	230	')
	231
	232	optional_policy(`
a6c4623b	233	kerneloops_dbus_chat(unconfined_t)
3eaa9939 DW	234	')
3eaa9939 DW	235
1f7f2241 MG	236	optional_policy(`
	237	telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
	238	')
	239
3eaa9939	240	optional_policy(`
a6c4623b	241	oddjob_dbus_chat(unconfined_t)
3eaa9939 DW	242	')
	243
	244	optional_policy(`
a6c4623b	245	vpn_dbus_chat(unconfined_t)
3eaa9939 DW	246	')
	247	')
	248
	249	optional_policy(`
a6c4623b	250	firewallgui_dbus_chat(unconfined_t)
3eaa9939 DW	251	')
	252
	253	optional_policy(`
	254	firstboot_run(unconfined_t, unconfined_r)
	255	')
	256
	257	optional_policy(`
	258	ftp_run_ftpdctl(unconfined_t, unconfined_r)
	259	')
	260
	261	optional_policy(`
	262	gpsd_run(unconfined_t, unconfined_r)
	263	')
	264
	265	optional_policy(`
	266	java_run_unconfined(unconfined_t, unconfined_r)
	267	')
	268
	269	optional_policy(`
	270	livecd_run(unconfined_t, unconfined_r)
	271	')
	272
	273	optional_policy(`
	274	lpd_run_checkpc(unconfined_t, unconfined_r)
	275	')
	276
e98849ce DW	277	#optional_policy(`
	278	# mock_role(unconfined_r, unconfined_t)
	279	#')
28545264	280
3eaa9939 DW	281	optional_policy(`
	282	modutils_run_update_mods(unconfined_t, unconfined_r)
	283	')
	284
3eaa9939 DW	285	optional_policy(`
	286	ncftool_run(unconfined_t, unconfined_r)
	287	')
	288
	289	optional_policy(`
	290	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
	291	')
	292
	293	optional_policy(`
	294	prelink_run(unconfined_t, unconfined_r)
	295	')
	296
	297	optional_policy(`
	298	portmap_run_helper(unconfined_t, unconfined_r)
	299	')
	300
3eaa9939 DW	301	optional_policy(`
	302	rpm_run(unconfined_t, unconfined_r)
	303	# Allow SELinux aware applications to request rpm_script execution
	304	rpm_transition_script(unconfined_t)
	305	rpm_dbus_chat(unconfined_t)
	306	')
	307
	308	optional_policy(`
6ed3f15e DW	309	optional_policy(`
	310	samba_run_unconfined_net(unconfined_t, unconfined_r)
	311	')
	312
3eaa9939	313	samba_role_notrans(unconfined_r)
3eaa9939 DW	314	samba_run_smbcontrol(unconfined_t, unconfined_r)
	315	')
	316
3eaa9939 DW	317	optional_policy(`
	318	sysnet_run_dhcpc(unconfined_t, unconfined_r)
	319	sysnet_dbus_chat_dhcpc(unconfined_t)
	320	sysnet_role_transition_dhcpc(unconfined_r)
	321	')
	322
60e9557d DW	323	optional_policy(`
	324	usermanage_run_useradd(unconfined_t, unconfined_r)
	325	')
	326
3eaa9939 DW	327	optional_policy(`
	328	vbetool_run(unconfined_t, unconfined_r)
	329	')
	330
	331	optional_policy(`
	332	virt_transition_svirt(unconfined_t, unconfined_r)
	333	')
	334
	335	optional_policy(`
	336	vpn_run(unconfined_t, unconfined_r)
	337	')
	338
	339	optional_policy(`
	340	webalizer_run(unconfined_t, unconfined_r)
	341	')
	342
	343	optional_policy(`
	344	wine_run(unconfined_t, unconfined_r)
	345	')
	346
	347	optional_policy(`
	348	xserver_run(unconfined_t, unconfined_r)
d141ac47	349	xserver_manage_home_fonts(unconfined_t)
3eaa9939 DW	350	')
3eaa9939 DW	351
3eaa9939	352	gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
3550b7f0	353