2005-07-05 20:59:51 +00:00
|
|
|
## <summary>The unconfined domain.</summary>
|
|
|
|
|
2020-05-08 17:54:43 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Unconfined stub interface. No access allowed.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain" unused="true">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_stub',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
')
|
|
|
|
|
2005-07-05 20:59:51 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2006-02-06 22:47:46 +00:00
|
|
|
## Make the specified domain unconfined.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-05 20:59:51 +00:00
|
|
|
## Domain to make unconfined.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-05 20:59:51 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-02-06 22:47:46 +00:00
|
|
|
interface(`unconfined_domain_noaudit',`
|
2005-09-21 14:49:41 +00:00
|
|
|
gen_require(`
|
|
|
|
class dbus all_dbus_perms;
|
|
|
|
class nscd all_nscd_perms;
|
|
|
|
class passwd all_passwd_perms;
|
2017-04-06 21:37:50 +00:00
|
|
|
class service all_service_perms;
|
2005-09-21 14:49:41 +00:00
|
|
|
')
|
2005-07-05 20:59:51 +00:00
|
|
|
|
2020-05-08 17:54:43 +00:00
|
|
|
unconfined_stub($1)
|
|
|
|
|
2011-09-13 18:45:14 +00:00
|
|
|
# Use most Linux capabilities
|
2019-11-13 19:23:57 +00:00
|
|
|
allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
|
|
|
|
allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm };
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 self:fifo_file manage_fifo_file_perms;
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
# Transition to myself, to make get_ordered_context_list happy.
|
|
|
|
allow $1 self:process transition;
|
|
|
|
|
|
|
|
# Write access is for setting attributes under /proc/self/attr.
|
|
|
|
allow $1 self:file rw_file_perms;
|
|
|
|
|
|
|
|
# Userland object managers
|
2017-08-13 20:21:44 +00:00
|
|
|
allow $1 self:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
|
|
|
|
allow $1 self:dbus { acquire_svc send_msg };
|
|
|
|
allow $1 self:passwd { passwd chfn chsh rootok crontab };
|
|
|
|
allow $1 self:association { sendto recvfrom setcontext polmatch };
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
kernel_unconfined($1)
|
2005-07-19 20:38:26 +00:00
|
|
|
corenet_unconfined($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
dev_unconfined($1)
|
2005-12-13 20:38:19 +00:00
|
|
|
domain_unconfined($1)
|
2006-01-17 17:50:10 +00:00
|
|
|
domain_dontaudit_read_all_domains_state($1)
|
2006-08-29 02:41:00 +00:00
|
|
|
domain_dontaudit_ptrace_all_domains($1)
|
2005-12-13 20:38:19 +00:00
|
|
|
files_unconfined($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
fs_unconfined($1)
|
|
|
|
selinux_unconfined($1)
|
2017-04-06 21:37:50 +00:00
|
|
|
files_get_etc_unit_status($1)
|
|
|
|
files_start_etc_service($1)
|
|
|
|
files_stop_etc_service($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
|
2006-01-19 23:00:23 +00:00
|
|
|
tunable_policy(`allow_execheap',`
|
|
|
|
# Allow making the stack executable via mprotect.
|
|
|
|
allow $1 self:process execheap;
|
|
|
|
')
|
|
|
|
|
2005-07-05 20:59:51 +00:00
|
|
|
tunable_policy(`allow_execmem',`
|
2016-12-06 12:28:10 +00:00
|
|
|
# Allow making anonymous memory executable, e.g.
|
2005-09-15 21:03:29 +00:00
|
|
|
# for runtime-code generation or executable stack.
|
2005-07-05 20:59:51 +00:00
|
|
|
allow $1 self:process execmem;
|
|
|
|
')
|
|
|
|
|
2006-07-28 15:13:58 +00:00
|
|
|
tunable_policy(`allow_execstack',`
|
|
|
|
# Allow making the stack executable via mprotect;
|
|
|
|
# execstack implies execmem;
|
|
|
|
allow $1 self:process { execstack execmem };
|
2006-04-12 15:04:28 +00:00
|
|
|
# auditallow $1 self:process execstack;
|
2005-09-15 21:03:29 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-19 18:40:19 +00:00
|
|
|
auth_unconfined($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2013-09-24 13:39:11 +00:00
|
|
|
dbus_unconfined($1)
|
2005-09-21 14:49:41 +00:00
|
|
|
')
|
|
|
|
|
2007-11-14 14:38:45 +00:00
|
|
|
optional_policy(`
|
|
|
|
ipsec_setcontext_default_spd($1)
|
2007-11-14 15:53:18 +00:00
|
|
|
ipsec_match_default_spd($1)
|
2007-11-14 14:38:45 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-13 20:48:51 +00:00
|
|
|
nscd_unconfined($1)
|
|
|
|
')
|
|
|
|
|
2008-06-10 15:33:18 +00:00
|
|
|
optional_policy(`
|
|
|
|
postgresql_unconfined($1)
|
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-02 21:08:12 +00:00
|
|
|
seutil_create_bin_policy($1)
|
|
|
|
seutil_relabelto_bin_policy($1)
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-07-05 20:59:51 +00:00
|
|
|
storage_unconfined($1)
|
|
|
|
')
|
2008-04-01 20:23:23 +00:00
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
xserver_unconfined($1)
|
|
|
|
')
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
2005-07-06 20:28:29 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Make the specified domain unconfined and
|
2010-02-26 18:47:17 +00:00
|
|
|
## audit executable heap usage.
|
2006-02-06 22:47:46 +00:00
|
|
|
## </summary>
|
2010-02-26 18:47:17 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Make the specified domain unconfined and
|
|
|
|
## audit executable heap usage. With exception
|
|
|
|
## of memory protections, usage of this interface
|
|
|
|
## will result in the level of access the domain has
|
|
|
|
## is like SELinux was not being used.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## Only completely trusted domains should use this interface.
|
|
|
|
## </p>
|
2019-01-14 16:02:56 +00:00
|
|
|
## <p>
|
|
|
|
## Does not allow return communications from confined
|
|
|
|
## domains via message based mechanisms such as dbus or
|
|
|
|
## SysV message queues.
|
|
|
|
## </p>
|
2010-02-26 18:47:17 +00:00
|
|
|
## </desc>
|
2006-02-06 22:47:46 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-02-06 22:47:46 +00:00
|
|
|
## Domain to make unconfined.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-02-06 22:47:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_domain',`
|
|
|
|
unconfined_domain_noaudit($1)
|
|
|
|
|
|
|
|
tunable_policy(`allow_execheap',`
|
|
|
|
auditallow $1 self:process execheap;
|
|
|
|
')
|
|
|
|
')
|
|
|
|
|
2005-07-12 20:34:24 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Transition to the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2010-08-05 13:10:15 +00:00
|
|
|
## Domain allowed to transition.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-12 20:34:24 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_domtrans',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t, unconfined_exec_t;
|
|
|
|
')
|
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
domtrans_pattern($1, unconfined_exec_t, unconfined_t)
|
2005-07-12 20:34:24 +00:00
|
|
|
')
|
|
|
|
|
2005-07-18 18:31:49 +00:00
|
|
|
########################################
|
2005-08-11 17:46:39 +00:00
|
|
|
## <summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## Execute specified programs in the unconfined domain.
|
2005-08-11 17:46:39 +00:00
|
|
|
## </summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2010-08-05 13:10:15 +00:00
|
|
|
## Domain allowed to transition.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## The role to allow the unconfined domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_run',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
unconfined_domtrans($1)
|
|
|
|
role $2 types unconfined_t;
|
|
|
|
')
|
|
|
|
|
2005-07-06 20:28:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Transition to the unconfined domain by executing a shell.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2010-08-05 13:10:15 +00:00
|
|
|
## Domain allowed to transition.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-06 20:28:29 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2005-07-08 20:44:57 +00:00
|
|
|
interface(`unconfined_shell_domtrans',`
|
2005-07-06 20:28:29 +00:00
|
|
|
gen_require(`
|
2005-07-12 20:34:24 +00:00
|
|
|
type unconfined_t;
|
2005-07-06 20:28:29 +00:00
|
|
|
')
|
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
corecmd_shell_domtrans($1, unconfined_t)
|
2006-12-12 20:08:08 +00:00
|
|
|
allow unconfined_t $1:fd use;
|
2020-04-14 21:47:06 +00:00
|
|
|
allow unconfined_t $1:fifo_file rw_inherited_fifo_file_perms;
|
2006-12-12 20:08:08 +00:00
|
|
|
allow unconfined_t $1:process sigchld;
|
2005-07-06 20:28:29 +00:00
|
|
|
')
|
|
|
|
|
2006-07-10 13:31:28 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Allow unconfined to execute the specified program in
|
|
|
|
## the specified domain.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Allow unconfined to execute the specified program in
|
|
|
|
## the specified domain.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This is a interface to support third party modules
|
|
|
|
## and its use is not allowed in upstream reference
|
|
|
|
## policy.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to execute in.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="entry_file">
|
|
|
|
## <summary>
|
|
|
|
## Domain entry point file.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_domtrans_to',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
domtrans_pattern(unconfined_t,$2,$1)
|
2006-07-10 13:31:28 +00:00
|
|
|
')
|
|
|
|
|
2007-11-16 19:50:34 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Allow unconfined to execute the specified program in
|
|
|
|
## the specified domain. Allow the specified domain the
|
|
|
|
## unconfined role and use of unconfined user terminals.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Allow unconfined to execute the specified program in
|
|
|
|
## the specified domain. Allow the specified domain the
|
|
|
|
## unconfined role and use of unconfined user terminals.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This is a interface to support third party modules
|
|
|
|
## and its use is not allowed in upstream reference
|
|
|
|
## policy.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to execute in.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="entry_file">
|
|
|
|
## <summary>
|
|
|
|
## Domain entry point file.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_run_to',`
|
|
|
|
gen_require(`
|
2008-11-05 16:10:46 +00:00
|
|
|
type unconfined_t;
|
2007-11-16 19:50:34 +00:00
|
|
|
role unconfined_r;
|
|
|
|
')
|
|
|
|
|
|
|
|
domtrans_pattern(unconfined_t,$2,$1)
|
|
|
|
role unconfined_r types $1;
|
2008-11-05 16:10:46 +00:00
|
|
|
userdom_use_user_terminals($1)
|
2007-11-16 19:50:34 +00:00
|
|
|
')
|
|
|
|
|
2005-07-06 20:28:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Inherit file descriptors from the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-06 20:28:29 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-06 20:28:29 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-03-02 23:41:11 +00:00
|
|
|
interface(`unconfined_use_fds',`
|
2005-07-06 20:28:29 +00:00
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:fd use;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send a SIGCHLD signal to the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-06 20:28:29 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-06 20:28:29 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_sigchld',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:process sigchld;
|
|
|
|
')
|
|
|
|
|
2006-04-26 15:22:33 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send a SIGNULL signal to the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_signull',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:process signull;
|
|
|
|
')
|
|
|
|
|
2005-11-18 18:38:37 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send generic signals to the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-18 18:38:37 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-11-18 18:38:37 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_signal',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:process signal;
|
|
|
|
')
|
|
|
|
|
2005-12-02 22:06:05 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read unconfined domain unnamed pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-12-02 22:06:05 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-12-02 22:06:05 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`unconfined_read_pipes',`
|
2005-12-02 22:06:05 +00:00
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 unconfined_t:fifo_file read_fifo_file_perms;
|
2005-12-02 22:06:05 +00:00
|
|
|
')
|
|
|
|
|
2005-10-26 16:00:13 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read unconfined domain unnamed pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2010-08-05 13:10:15 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-26 16:00:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`unconfined_dontaudit_read_pipes',`
|
2005-10-26 16:00:13 +00:00
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 unconfined_t:fifo_file read;
|
|
|
|
')
|
|
|
|
|
2005-07-06 20:28:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write unconfined domain unnamed pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-06 20:28:29 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-06 20:28:29 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`unconfined_rw_pipes',`
|
2005-07-06 20:28:29 +00:00
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
|
2005-07-06 20:28:29 +00:00
|
|
|
')
|
|
|
|
|
2006-12-04 20:10:56 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read and write
|
|
|
|
## unconfined domain unnamed pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to not audit.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_dontaudit_rw_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
2020-04-14 21:47:06 +00:00
|
|
|
dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;
|
2006-12-04 20:10:56 +00:00
|
|
|
')
|
|
|
|
|
2006-03-29 14:31:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Connect to the unconfined domain using
|
|
|
|
## a unix domain stream socket.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_stream_connect',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:unix_stream_socket connectto;
|
|
|
|
')
|
|
|
|
|
2017-02-24 01:03:23 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read and write
|
|
|
|
## unconfined domain stream.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2021-06-30 08:03:44 +00:00
|
|
|
## <summary>
|
|
|
|
## Domain to not audit.
|
|
|
|
## </summary>
|
2017-02-24 01:03:23 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_dontaudit_rw_stream_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
|
|
|
|
')
|
|
|
|
|
2005-07-08 20:44:57 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read or write
|
|
|
|
## unconfined domain tcp sockets.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Do not audit attempts to read or write
|
|
|
|
## unconfined domain tcp sockets.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface was added due to a broken
|
|
|
|
## symptom in ldconfig.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`unconfined_dontaudit_rw_tcp_sockets',`
|
2005-07-08 20:44:57 +00:00
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 unconfined_t:tcp_socket { read write };
|
|
|
|
')
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search keys for the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_search_keys',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:key search;
|
|
|
|
')
|
|
|
|
|
2006-06-21 21:02:49 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create keys for the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_create_keys',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:key create;
|
|
|
|
')
|
|
|
|
|
2019-04-19 15:50:59 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Write keys for the unconfined domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_write_keys',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:key write;
|
|
|
|
')
|
|
|
|
|
2005-12-02 22:06:05 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send messages to the unconfined domain over dbus.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-12-02 22:06:05 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-12-02 22:06:05 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_dbus_send',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
class dbus send_msg;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:dbus send_msg;
|
|
|
|
')
|
|
|
|
|
2006-05-03 19:58:01 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send and receive messages from
|
|
|
|
## unconfined_t over dbus.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`unconfined_dbus_chat',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
class dbus send_msg;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 unconfined_t:dbus send_msg;
|
|
|
|
allow unconfined_t $1:dbus send_msg;
|
|
|
|
')
|
|
|
|
|
2005-10-28 18:13:44 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2007-10-02 16:04:50 +00:00
|
|
|
## Connect to the the unconfined DBUS
|
|
|
|
## for service (acquire_svc).
|
2005-10-28 18:13:44 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2007-10-02 16:04:50 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-28 18:13:44 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2007-10-02 16:04:50 +00:00
|
|
|
interface(`unconfined_dbus_connect',`
|
|
|
|
gen_require(`
|
|
|
|
type unconfined_t;
|
|
|
|
class dbus acquire_svc;
|
2005-11-15 18:47:20 +00:00
|
|
|
')
|
2007-10-02 16:04:50 +00:00
|
|
|
|
|
|
|
allow $1 unconfined_t:dbus acquire_svc;
|
2005-10-28 18:13:44 +00:00
|
|
|
')
|