unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
This commit is contained in:
Christian Göttsche 2020-05-08 19:54:43 +02:00
parent f6a7365cc0
commit 8f308eb846
1 changed files with 18 additions and 1 deletions

View File

@ -1,5 +1,21 @@
## <summary>The unconfined domain.</summary>
########################################
## <summary>
## Unconfined stub interface. No access allowed.
## </summary>
## <param name="domain" unused="true">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_stub',`
gen_require(`
type unconfined_t;
')
')
########################################
## <summary>
## Make the specified domain unconfined.
@ -12,13 +28,14 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
type unconfined_t;
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
class service all_service_perms;
')
unconfined_stub($1)
# Use most Linux capabilities
allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm };