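policy_module(unconfineduser, 1.0.0)

########################################
#
# Declarations
#

# Domains carrying this attribute may shell-transition into unconfined_t
# when the unconfined_login tunable is on (see tunable_policy below).
attribute unconfined_login_domain;

## <desc>
## <p>
## Allow video playing tools to run unconfined
## </p>
## </desc>
# NOTE(review): no tunable_policy() in this module references
# unconfined_mplayer; presumably it is consumed elsewhere - confirm.
gen_tunable(unconfined_mplayer, false)

## <desc>
## <p>
## Allow a user to login as an unconfined domain
## </p>
## </desc>
# Defaults to true: login domains reach unconfined_t unless an admin
# turns this off.
gen_tunable(unconfined_login, true)

# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
userdom_base_user_template(unconfined)
userdom_manage_home_role(unconfined_r, unconfined_t)
userdom_manage_tmp_role(unconfined_r, unconfined_t)
userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
userdom_unpriv_type(unconfined_r, unconfined_t)

type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
role unconfined_r types unconfined_t;
role_transition system_r unconfined_exec_t unconfined_r;
# Role changes are permitted in both directions between system_r and
# unconfined_r. (The system_r -> unconfined_r rule was listed twice in
# the original; one copy is kept.)
allow system_r unconfined_r;
allow unconfined_r system_r;

domain_user_exemption_target(unconfined_t)
init_script_role_transition(unconfined_r)
role system_r types unconfined_t;
# unconfined_crontab_t is only an alias here, not a separate domain.
typealias unconfined_t alias unconfined_crontab_t;

########################################
#
# Local policy
#

dontaudit unconfined_t self:dir write;
dontaudit unconfined_t self:file setattr;

allow unconfined_t self:system syslog_read;
# dontaudit, not allow: sys_module checks on itself are silenced rather
# than granted by this line.
dontaudit unconfined_t self:capability sys_module;

kernel_rw_unlabeled_socket(unconfined_t)
kernel_rw_unlabeled_rawip_socket(unconfined_t)

files_create_boot_flag(unconfined_t)
files_create_default_dir(unconfined_t)
files_root_filetrans_default(unconfined_t, dir)

# MCS/MLS override interfaces for this domain (kill/ptrace all, write
# files at all levels).
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
mls_file_write_all_levels(unconfined_t)

init_run_daemon(unconfined_t, unconfined_r)
init_domtrans_script(unconfined_t)
init_telinit(unconfined_t)

logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r)

systemd_config_all_services(unconfined_t)

# Policy administration from the unconfined role: load policy, set
# booleans, relabel with setfiles, run semanage.
seutil_run_loadpolicy(unconfined_t, unconfined_r)
seutil_run_setsebool(unconfined_t, unconfined_r)
seutil_run_setfiles(unconfined_t, unconfined_r)
seutil_run_semanage(unconfined_t, unconfined_r)

# Blanket unconfined access without audit noise.
unconfined_domain_noaudit(unconfined_t)

usermanage_run_passwd(unconfined_t, unconfined_r)
usermanage_run_chfn(unconfined_t, unconfined_r)

# execmem sits in the "false" branch: it is granted unless deny_execmem
# is enabled.
tunable_policy(`deny_execmem',`',`
	allow unconfined_t self:process execmem;
')

tunable_policy(`allow_execstack',`
	allow unconfined_t self:process execstack;
')

tunable_policy(`allow_execmod',`
	userdom_execmod_user_home_files(unconfined_t)
')

# Any domain with the unconfined_login_domain attribute may transition to
# unconfined_t via a shell when this tunable is on (default true above).
tunable_policy(`unconfined_login',`
	corecmd_shell_domtrans(unconfined_login_domain, unconfined_t)
	allow unconfined_t unconfined_login_domain:fd use;
	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
	allow unconfined_t unconfined_login_domain:process sigchld;
')

optional_policy(`
	# NOTE(review): requires a type this same module produces through
	# userdom_base_user_template(unconfined); see the Declarations
	# comment about that limitation - confirm this is still needed.
	gen_require(`
		type unconfined_t;
	')

	optional_policy(`
		abrt_dbus_chat(unconfined_t)
		abrt_run_helper(unconfined_t, unconfined_r)
	')

	optional_policy(`
		avahi_dbus_chat(unconfined_t)
	')

	optional_policy(`
		blueman_dbus_chat(unconfined_t)
	')

	optional_policy(`
		certmonger_dbus_chat(unconfined_t)
	')

	optional_policy(`
		devicekit_dbus_chat(unconfined_t)
		devicekit_dbus_chat_disk(unconfined_t)
		devicekit_dbus_chat_power(unconfined_t)
	')

	optional_policy(`
		hal_dbus_chat(unconfined_t)
	')

	optional_policy(`
		networkmanager_dbus_chat(unconfined_t)
	')

	optional_policy(`
		policykit_role(unconfined_r, unconfined_t)
	')

	optional_policy(`
		rtkit_scheduled(unconfined_t)
	')

	optional_policy(`
		setroubleshoot_dbus_chat(unconfined_t)
		setroubleshoot_dbus_chat_fixit(unconfined_t)
	')

	optional_policy(`
		sandbox_transition(unconfined_t, unconfined_r)
	')

	optional_policy(`
		shutdown_run(unconfined_t, unconfined_r)
	')

	optional_policy(`
		gen_require(`
			type user_tmpfs_t;
		')

		xserver_rw_session(unconfined_t, user_tmpfs_t)
		xserver_run_xauth(unconfined_t, unconfined_r)
		xserver_dbus_chat_xdm(unconfined_t)
	')
')

ifdef(`distro_gentoo',`
	seutil_run_runinit(unconfined_t, unconfined_r)
	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
')

optional_policy(`
	accountsd_dbus_chat(unconfined_t)
')

optional_policy(`
	apache_run_helper(unconfined_t, unconfined_r)
')

optional_policy(`
	bind_run_ndc(unconfined_t, unconfined_r)
')

# D-Bus: the per-role dbus daemon (unconfined_dbusd_t) is itself made
# unconfined, and unconfined_t may chat with the listed services.
optional_policy(`
	dbus_role_template(unconfined, unconfined_r, unconfined_t)

	optional_policy(`
		unconfined_domain(unconfined_dbusd_t)

		optional_policy(`
			xserver_rw_shm(unconfined_dbusd_t)
		')
	')

	init_dbus_chat(unconfined_t)
	init_dbus_chat_script(unconfined_t)

	dbus_stub(unconfined_t)

	optional_policy(`
		bluetooth_dbus_chat(unconfined_t)
	')

	optional_policy(`
		consolekit_dbus_chat(unconfined_t)
	')

	optional_policy(`
		cups_dbus_chat_config(unconfined_t)
	')

	optional_policy(`
		fprintd_dbus_chat(unconfined_t)
	')

	optional_policy(`
		gnomeclock_dbus_chat(unconfined_t)
		gnome_dbus_chat_gconfdefault(unconfined_t)
		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t, unconfined_t)
	')

	optional_policy(`
		ipsec_mgmt_dbus_chat(unconfined_t)
	')

	optional_policy(`
		kerneloops_dbus_chat(unconfined_t)
	')

	optional_policy(`
		telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
	')

	optional_policy(`
		oddjob_dbus_chat(unconfined_t)
	')

	optional_policy(`
		vpn_dbus_chat(unconfined_t)
	')
')

optional_policy(`
	firewallgui_dbus_chat(unconfined_t)
')

optional_policy(`
	firstboot_run(unconfined_t, unconfined_r)
')

optional_policy(`
	ftp_run_ftpdctl(unconfined_t, unconfined_r)
')

optional_policy(`
	gpsd_run(unconfined_t, unconfined_r)
')

optional_policy(`
	java_run_unconfined(unconfined_t, unconfined_r)
')

optional_policy(`
	livecd_run(unconfined_t, unconfined_r)
')

optional_policy(`
	lpd_run_checkpc(unconfined_t, unconfined_r)
')

# Left disabled in the original; kept as a comment for history.
#optional_policy(`
#	mock_role(unconfined_r, unconfined_t)
#')

optional_policy(`
	modutils_run_update_mods(unconfined_t, unconfined_r)
')

optional_policy(`
	ncftool_run(unconfined_t, unconfined_r)
')

optional_policy(`
	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
')

optional_policy(`
	prelink_run(unconfined_t, unconfined_r)
')

optional_policy(`
	portmap_run_helper(unconfined_t, unconfined_r)
')

optional_policy(`
	rpm_run(unconfined_t, unconfined_r)
	# Allow SELinux aware applications to request rpm_script execution
	rpm_transition_script(unconfined_t)
	rpm_dbus_chat(unconfined_t)
')

optional_policy(`
	optional_policy(`
		samba_run_unconfined_net(unconfined_t, unconfined_r)
	')

	samba_role_notrans(unconfined_r)
	samba_run_smbcontrol(unconfined_t, unconfined_r)
')

optional_policy(`
	sysnet_run_dhcpc(unconfined_t, unconfined_r)
	sysnet_dbus_chat_dhcpc(unconfined_t)
	sysnet_role_transition_dhcpc(unconfined_r)
')

optional_policy(`
	usermanage_run_useradd(unconfined_t, unconfined_r)
')

optional_policy(`
	vbetool_run(unconfined_t, unconfined_r)
')

optional_policy(`
	virt_transition_svirt(unconfined_t, unconfined_r)
')

optional_policy(`
	vpn_run(unconfined_t, unconfined_r)
')

optional_policy(`
	webalizer_run(unconfined_t, unconfined_r)
')

optional_policy(`
	wine_run(unconfined_t, unconfined_r)
')

optional_policy(`
	xserver_run(unconfined_t, unconfined_r)
	xserver_manage_home_fonts(unconfined_t)
')

# SELinux user unconfined_u: roles unconfined_r and system_r, default
# level s0, clearance s0 - mls_systemhigh with all MCS categories.
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)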