selinux-refpolicy/policy/modules/system/unconfined.if

643 lines
14 KiB
Plaintext

## <summary>The unconfined domain.</summary>
########################################
## <summary>
## Unconfined stub interface. No access allowed.
## </summary>
## <param name="domain" unused="true">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_stub',`
gen_require(`
type unconfined_t;
')
')
########################################
## <summary>
## Make the specified domain unconfined.
## </summary>
## <param name="domain">
## <summary>
## Domain to make unconfined.
## </summary>
## </param>
#
interface(`unconfined_domain_noaudit',`
gen_require(`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
unconfined_stub($1)
# Use most Linux capabilities
allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
allow $1 self:fifo_file manage_fifo_file_perms;
# Manage most namespace capabilities
allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow $1 self:cap2_userns { audit_read bpf block_suspend mac_admin mac_override perfmon syslog wake_alarm };
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
# Userland object managers
allow $1 self:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
allow $1 self:dbus { acquire_svc send_msg };
allow $1 self:passwd { passwd chfn chsh rootok crontab };
allow $1 self:association { sendto recvfrom setcontext polmatch };
kernel_unconfined($1)
corenet_unconfined($1)
dev_unconfined($1)
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
domain_dontaudit_ptrace_all_domains($1)
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
files_get_etc_unit_status($1)
files_start_etc_service($1)
files_stop_etc_service($1)
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
')
tunable_policy(`allow_execmem',`
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
')
tunable_policy(`allow_execstack',`
# Allow making the stack executable via mprotect;
# execstack implies execmem;
allow $1 self:process { execstack execmem };
# auditallow $1 self:process execstack;
')
optional_policy(`
auth_unconfined($1)
')
optional_policy(`
dbus_unconfined($1)
')
optional_policy(`
ipsec_setcontext_default_spd($1)
ipsec_match_default_spd($1)
')
optional_policy(`
nscd_unconfined($1)
')
optional_policy(`
postgresql_unconfined($1)
')
optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
optional_policy(`
storage_unconfined($1)
')
optional_policy(`
xserver_unconfined($1)
')
')
########################################
## <summary>
## Make the specified domain unconfined and
## audit executable heap usage.
## </summary>
## <desc>
## <p>
## Make the specified domain unconfined and
## audit executable heap usage. With exception
## of memory protections, usage of this interface
## will result in the level of access the domain has
## is like SELinux was not being used.
## </p>
## <p>
## Only completely trusted domains should use this interface.
## </p>
## <p>
## Does not allow return communications from confined
## domains via message based mechanisms such as dbus or
## SysV message queues.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to make unconfined.
## </summary>
## </param>
#
interface(`unconfined_domain',`
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
')
########################################
## <summary>
## Transition to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`unconfined_domtrans',`
gen_require(`
type unconfined_t, unconfined_exec_t;
')
domtrans_pattern($1, unconfined_exec_t, unconfined_t)
')
########################################
## <summary>
## Execute specified programs in the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the unconfined domain.
## </summary>
## </param>
#
interface(`unconfined_run',`
gen_require(`
type unconfined_t;
')
unconfined_domtrans($1)
role $2 types unconfined_t;
')
########################################
## <summary>
## Transition to the unconfined domain by executing a shell.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`unconfined_shell_domtrans',`
gen_require(`
type unconfined_t;
')
corecmd_shell_domtrans($1, unconfined_t)
allow unconfined_t $1:fd use;
allow unconfined_t $1:fifo_file rw_inherited_fifo_file_perms;
allow unconfined_t $1:process sigchld;
')
########################################
## <summary>
## Allow unconfined to execute the specified program in
## the specified domain.
## </summary>
## <desc>
## <p>
## Allow unconfined to execute the specified program in
## the specified domain.
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
## <param name="entry_file">
## <summary>
## Domain entry point file.
## </summary>
## </param>
#
interface(`unconfined_domtrans_to',`
gen_require(`
type unconfined_t;
')
domtrans_pattern(unconfined_t,$2,$1)
')
########################################
## <summary>
## Allow unconfined to execute the specified program in
## the specified domain. Allow the specified domain the
## unconfined role and use of unconfined user terminals.
## </summary>
## <desc>
## <p>
## Allow unconfined to execute the specified program in
## the specified domain. Allow the specified domain the
## unconfined role and use of unconfined user terminals.
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
## <param name="entry_file">
## <summary>
## Domain entry point file.
## </summary>
## </param>
#
interface(`unconfined_run_to',`
gen_require(`
type unconfined_t;
role unconfined_r;
')
domtrans_pattern(unconfined_t,$2,$1)
role unconfined_r types $1;
userdom_use_user_terminals($1)
')
########################################
## <summary>
## Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_use_fds',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fd use;
')
########################################
## <summary>
## Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_sigchld',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process sigchld;
')
########################################
## <summary>
## Send a SIGNULL signal to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_signull',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process signull;
')
########################################
## <summary>
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_signal',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process signal;
')
########################################
## <summary>
## Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_read_pipes',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_write_inherited_pipes',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fd use;
allow $1 unconfined_t:fifo_file write_inherited_fifo_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`unconfined_dontaudit_read_pipes',`
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:fifo_file read;
')
########################################
## <summary>
## Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_rw_pipes',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read and write
## unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`unconfined_dontaudit_rw_pipes',`
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Connect to the unconfined domain using
## a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_stream_connect',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Do not audit attempts to read and write
## unconfined domain stream.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`unconfined_dontaudit_rw_stream_sockets',`
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
')
########################################
## <summary>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </p>
## <p>
## This interface was added due to a broken
## symptom in ldconfig.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_sockets',`
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:tcp_socket { read write };
')
########################################
## <summary>
## Search keys for the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_search_keys',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:key search;
')
########################################
## <summary>
## Create keys for the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_create_keys',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:key create;
')
########################################
## <summary>
## Write keys for the unconfined domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_write_keys',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:key write;
')
########################################
## <summary>
## Send messages to the unconfined domain over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_dbus_send',`
gen_require(`
type unconfined_t;
class dbus send_msg;
')
allow $1 unconfined_t:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## unconfined_t over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_dbus_chat',`
gen_require(`
type unconfined_t;
class dbus send_msg;
')
allow $1 unconfined_t:dbus send_msg;
allow unconfined_t $1:dbus send_msg;
')
########################################
## <summary>
## Connect to the the unconfined DBUS
## for service (acquire_svc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
class dbus acquire_svc;
')
allow $1 unconfined_t:dbus acquire_svc;
')