## The unconfined domain.

########################################
##
## Make the specified domain unconfined.
##
## $1: Domain to make unconfined.
##
## This variant adds no auditallow rule for execheap; unconfined_domain
## wraps it and adds that rule. Most of the access comes from the
## *_unconfined interfaces called below, which are defined in other
## policy modules, so their exact grants are not visible in this file.
##
#
interface(`unconfined_domain_noaudit',`
	gen_require(`
		type unconfined_t;
		class dbus all_dbus_perms;
		class nscd all_nscd_perms;
		class passwd all_passwd_perms;
		class service all_service_perms;
	')

	# Use most Linux capabilities
	# (the list is explicit; sys_module is not part of it)
	allow $1 self:capability {
		chown dac_override dac_read_search fowner fsetid kill setgid setuid
		setpcap linux_immutable net_bind_service net_broadcast net_admin
		net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct
		sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config
		mknod lease audit_write audit_control setfcap
	};
	allow $1 self:capability2 { syslog wake_alarm };
	allow $1 self:fifo_file manage_fifo_file_perms;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file rw_file_perms;

	# Userland object managers
	allow $1 self:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
	allow $1 self:dbus { acquire_svc send_msg };
	allow $1 self:passwd { passwd chfn chsh rootok crontab };
	allow $1 self:association { sendto recvfrom setcontext polmatch };

	# Per-subsystem grants delegated to the owning policy modules.
	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	domain_unconfined($1)
	domain_dontaudit_read_all_domains_state($1)
	domain_dontaudit_ptrace_all_domains($1)
	files_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)

	files_get_etc_unit_status($1)
	files_start_etc_service($1)
	files_stop_etc_service($1)

	# The three memory-protection permissions below are the only part of
	# this interface gated by booleans. Each one relaxes a protection
	# against running code from writable memory, so each stays denied
	# unless its boolean is switched on.
	tunable_policy(`allow_execheap',`
		# Allow making the heap executable.
		allow $1 self:process execheap;
	')

	tunable_policy(`allow_execmem',`
		# Allow making anonymous memory executable, e.g.
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
	')

	tunable_policy(`allow_execstack',`
		# Allow making the stack executable via mprotect;
		# execstack implies execmem;
		allow $1 self:process { execstack execmem };
#		auditallow $1 self:process execstack;
	')

	# Each optional block takes effect only when the module providing
	# the called interface is part of the loaded policy.
	optional_policy(`
		auth_unconfined($1)
	')

	optional_policy(`
		dbus_unconfined($1)
	')

	optional_policy(`
		ipsec_setcontext_default_spd($1)
		ipsec_match_default_spd($1)
	')

	optional_policy(`
		nscd_unconfined($1)
	')

	optional_policy(`
		postgresql_unconfined($1)
	')

	optional_policy(`
		seutil_create_bin_policy($1)
		seutil_relabelto_bin_policy($1)
	')

	optional_policy(`
		storage_unconfined($1)
	')

	optional_policy(`
		xserver_unconfined($1)
	')
')

########################################
##
## Make the specified domain unconfined and
## audit executable heap usage.
##

## Make the specified domain unconfined and ## audit executable heap usage. With the exception ## of memory protections, using this interface ## gives the domain the same level of access it ## would have if SELinux were not in use. ##

##

## Only completely trusted domains should use this interface. ##

##

## Does not allow return communications from confined ## domains via message based mechanisms such as dbus or ## SysV message queues. ##

##
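##
## $1: Domain to make unconfined.
##
#
interface(`unconfined_domain',`
	# All access comes from the noaudit variant.
	unconfined_domain_noaudit($1)

	tunable_policy(`allow_execheap',`
		# While the boolean is on, log every granted use of an
		# executable heap so that it can be reviewed.
		auditallow $1 self:process execheap;
	')
')

########################################
##
## Transition to the unconfined domain.
##
## $1: Domain allowed to transition.
##
## Review note: a domain given this interface can enter unconfined_t
## through files labeled unconfined_exec_t, so its callers deserve the
## same scrutiny as callers of unconfined_domain.
##
#
interface(`unconfined_domtrans',`
	gen_require(`
		type unconfined_t, unconfined_exec_t;
	')

	domtrans_pattern($1, unconfined_exec_t, unconfined_t)
')

########################################
##
## Execute specified programs in the unconfined domain.
##
## $1: Domain allowed to transition.
## $2: The role to allow the unconfined domain.
##
#
interface(`unconfined_run',`
	gen_require(`
		type unconfined_t;
	')

	unconfined_domtrans($1)
	# Without this role rule the transition above is not usable from
	# the given role.
	role $2 types unconfined_t;
')

########################################
##
## Transition to the unconfined domain by executing a shell.
##
## $1: Domain allowed to transition.
##
## Review note: the caller ends up with an unconfined shell, so this
## should be limited to fully trusted domains.
##
#
interface(`unconfined_shell_domtrans',`
	gen_require(`
		type unconfined_t;
	')

	corecmd_shell_domtrans($1, unconfined_t)
	# Let the new unconfined shell keep using what it inherits from the
	# caller and report its exit back to it.
	allow unconfined_t $1:fd use;
	# Use the fifo_file permission set, as unconfined_rw_pipes does,
	# rather than the generic file set.
	allow unconfined_t $1:fifo_file rw_fifo_file_perms;
	allow unconfined_t $1:process sigchld;
')

########################################
##
## Allow unconfined to execute the specified program in
## the specified domain.
##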

## Allow unconfined to execute the specified program in ## the specified domain. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
##
## $1: Domain to execute in.
## $2: Domain entry point file.
##
#
interface(`unconfined_domtrans_to',`
	gen_require(`
		type unconfined_t;
	')

	# Argument order differs from the interface: the source domain is
	# unconfined_t, then the entry point file type (second argument),
	# then the target domain (first argument).
	domtrans_pattern(unconfined_t, $2, $1)
')

########################################
##
## Allow unconfined to execute the specified program in
## the specified domain. Allow the specified domain the
## unconfined role and use of unconfined user terminals.
##

## Allow unconfined to execute the specified program in ## the specified domain. Allow the specified domain the ## unconfined role and use of unconfined user terminals. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
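##
## $1: Domain to execute in.
## $2: Domain entry point file.
##
#
interface(`unconfined_run_to',`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	# Source domain unconfined_t, entry point file type (second
	# argument), target domain (first argument).
	domtrans_pattern(unconfined_t, $2, $1)
	# The target domain must be valid for unconfined_r, otherwise the
	# transition above cannot be used from that role.
	role unconfined_r types $1;
	userdom_use_user_terminals($1)
')

########################################
##
## Inherit file descriptors from the unconfined domain.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_use_fds',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fd use;
')

########################################
##
## Send a SIGCHLD signal to the unconfined domain.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_sigchld',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process sigchld;
')

########################################
##
## Send a SIGNULL signal to the unconfined domain.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_signull',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signull;
')

########################################
##
## Send generic signals to the unconfined domain.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_signal',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signal;
')

########################################
##
## Read unconfined domain unnamed pipes.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
')

########################################
##
## Do not audit attempts to read unconfined domain unnamed pipes.
##
## $1: Domain to not audit.
##
## The access stays denied; only the denial record is suppressed.
##
#
interface(`unconfined_dontaudit_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:fifo_file read;
')

########################################
##
## Read and write unconfined domain unnamed pipes.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
')

########################################
##
## Do not audit attempts to read and write
## unconfined domain unnamed pipes.
##
## $1: Domain to not audit.
##
## The access stays denied; only the denial record is suppressed.
##
#
interface(`unconfined_dontaudit_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	# Use the fifo_file permission set, as unconfined_rw_pipes does,
	# rather than the generic file set.
	dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;
')

########################################
##
## Connect to the unconfined domain using
## a unix domain stream socket.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_stream_connect',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:unix_stream_socket connectto;
')

########################################
##
## Do not audit attempts to read and write
## unconfined domain stream sockets.
##
## $1: Domain to not audit.
##
## The access stays denied; only the denial record is suppressed.
##
#
interface(`unconfined_dontaudit_rw_stream_sockets',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
')

########################################
##
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
##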

## Do not audit attempts to read or write ## unconfined domain tcp sockets. ##

##

## This interface was added due to a broken ## symptom in ldconfig. ##

##
##
## $1: Domain to not audit.
##
#
interface(`unconfined_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type unconfined_t;
	')

	# The access stays denied; only the denial record is suppressed.
	dontaudit $1 unconfined_t:tcp_socket { read write };
')

########################################
##
## Search keys for the unconfined domain.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_search_keys',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:key search;
')

########################################
##
## Create keys for the unconfined domain.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_create_keys',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:key create;
')

########################################
##
## Write keys for the unconfined domain.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_write_keys',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:key write;
')

########################################
##
## Send messages to the unconfined domain over dbus.
##
## $1: Domain allowed access.
##
## One direction only: no rule here lets unconfined_t send back.
##
#
interface(`unconfined_dbus_send',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	allow $1 unconfined_t:dbus send_msg;
')

########################################
##
## Send and receive messages from
## unconfined_t over dbus.
##
## $1: Domain allowed access.
##
#
interface(`unconfined_dbus_chat',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	# Both directions: caller to unconfined_t, and unconfined_t back
	# to the caller.
	allow $1 unconfined_t:dbus send_msg;
	allow unconfined_t $1:dbus send_msg;
')

########################################
##
## Connect to the unconfined DBUS
## for service (acquire_svc).
##
## $1: Domain allowed access.
##
#
interface(`unconfined_dbus_connect',`
	gen_require(`
		type unconfined_t;
		class dbus acquire_svc;
	')

	allow $1 unconfined_t:dbus acquire_svc;
')