## <summary>The unconfined domain.</summary>

########################################
## <summary>
##	Make the specified domain unconfined.
## </summary>
## <desc>
##	<p>
##	Grants the same access as unconfined_domain, which calls this
##	interface, but without the auditallow rule on execheap.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain_noaudit',`
	gen_require(`
		class dbus all_dbus_perms;
		class nscd all_nscd_perms;
		class passwd all_passwd_perms;
	')

	# Use any Linux capability except sys_module.
	allow $1 self:capability ~{ sys_module };
	# Likewise for capability2, except mac_admin and mac_override.
	allow $1 self:capability2 ~{ mac_admin mac_override };
	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process { dyntransition transition };

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file manage_file_perms;
	allow $1 self:dir rw_dir_perms;

	# Userland object managers
	allow $1 self:nscd all_nscd_perms;
	allow $1 self:dbus all_dbus_perms;
	allow $1 self:passwd all_passwd_perms;
	allow $1 self:association all_association_perms;
	allow $1 self:socket_class_set create_socket_perms;

	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	domain_unconfined($1)
	files_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)
	systemd_config_all_services($1)

	domain_mmap_low($1)
	domain_named_filetrans($1)

	ubac_process_exempt($1)

	# Memory protections are the one area still gated here: each of
	# execheap, execmem and execstack depends on a boolean.
	tunable_policy(`selinuxuser_execheap',`
		# Allow making the heap executable via mprotect.
		allow $1 self:process execheap;
	')

	# The rule sits in the else branch (the true branch is empty), so
	# execmem is granted unless the deny_execmem boolean is on.
	tunable_policy(`deny_execmem',`',`
		# Allow making anonymous memory executable, e.g.
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
	')

	tunable_policy(`selinuxuser_execstack',`
		allow $1 self:process execstack;
#		auditallow $1 self:process execstack;
	')

	optional_policy(`
		auth_unconfined($1)
	')

	optional_policy(`
		# Communicate via dbusd.
		dbus_system_bus_unconfined($1)
		dbus_unconfined($1)
	')

	optional_policy(`
		ipsec_setcontext_default_spd($1)
		ipsec_match_default_spd($1)
	')

	optional_policy(`
		nscd_unconfined($1)
	')

	optional_policy(`
		postgresql_unconfined($1)
	')

	optional_policy(`
		seutil_create_bin_policy($1)
		seutil_relabelto_bin_policy($1)
	')

	optional_policy(`
		storage_unconfined($1)
	')

	optional_policy(`
		xserver_unconfined($1)
	')
')

########################################
## <summary>
##	Make the specified domain unconfined and
##	audit executable heap usage.
## </summary>
## <desc>
##	<p>
##	Make the specified domain unconfined and
##	audit executable heap usage.  With the exception
##	of memory protections, using this interface
##	gives the domain the level of access it would
##	have if SELinux were not being used.
##	</p>
##	<p>
##	Only completely trusted domains should use this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain',`
	# NOTE(review): unconfined_services is required below but is not
	# referenced by any rule in this interface.
	gen_require(`
		attribute unconfined_services;
	')

	unconfined_domain_noaudit($1)

	tunable_policy(`selinuxuser_execheap',`
		# Log every granted execheap so that executable heap use by
		# an unconfined domain stays visible in the audit log.
		auditallow $1 self:process execheap;
	')
')

########################################
## <summary>
##	Add an alias type to the unconfined domain. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Add an alias type to the unconfined domain. (Deprecated)
##	</p>
##	<p>
##	This is added to support targeted policy.  Its
##	use should be limited.  It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined domain.
##	</summary>
## </param>
#
interface(`unconfined_alias_domain',`
	# Emits a deprecation warning only; no rules are generated.
	refpolicywarn(`$0() has been deprecated.')
')

########################################
## <summary>
##	Add an alias type to the unconfined execmem
##	program file type.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Add an alias type to the unconfined execmem
##	program file type.  (Deprecated)
##	</p>
##	<p>
##	This is added to support targeted policy.  Its
##	use should be limited.  It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined execmem program type.
##	</summary>
## </param>
#
interface(`unconfined_execmem_alias_program',`
	# Emits a deprecation warning only; no rules are generated.
	refpolicywarn(`$0() has been deprecated.')
')

########################################
## <summary>
##	Connect to unconfined_server with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_stream_connect',`
	gen_require(`
		type unconfined_service_t;
	')

	files_search_pids($1)
	files_write_generic_pid_pipes($1)
	allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
')

########################################
## <summary>
##	Connect to unconfined_service_t with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_stream_connectto',`
	gen_require(`
		type unconfined_service_t;
	')

	# Narrower than unconfined_server_stream_connect: connectto only,
	# without getattr and without the two files_* calls.
	allow $1 unconfined_service_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Transition to unconfined_service_t
##	through corecmd_bin_domtrans.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_domtrans',`
	gen_require(`
		type unconfined_service_t;
	')

	# The target domain is unconfined, so a caller of this interface
	# gains a path into an unconfined service domain.
	corecmd_bin_domtrans($1, unconfined_service_t)
')

########################################
## <summary>
##	Allow caller domain to dbus chat unconfined_server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_dbus_chat',`
	gen_require(`
		type unconfined_service_t;
		class dbus send_msg;
	')

	# send_msg is granted in both directions.
	allow $1 unconfined_service_t:dbus send_msg;
	allow unconfined_service_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send signull to unconfined_service_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_signull',`
	gen_require(`
		type unconfined_service_t;
	')

	allow $1 unconfined_service_t:process signull;
')

########################################
## <summary>
##	Allow inheritance of signal state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_siginh',`
	gen_require(`
		type unconfined_service_t;
	')

	allow $1 unconfined_service_t:process siginh;
')

########################################
## <summary>
##	Allow noatsecure.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_noatsecure',`
	gen_require(`
		type unconfined_service_t;
	')

	# NOTE(review): noatsecure skips the AT_SECURE environment
	# scrubbing on the transition into unconfined_service_t, so the
	# environment of the calling domain reaches an unconfined service.
	# Confirm that every domain given this interface is trusted.
	allow $1 unconfined_service_t:process { noatsecure };
')

########################################
## <summary>
##	Create unconfined_service_t TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_create_tcp_sockets',`
	gen_require(`
		type unconfined_service_t;
	')

	allow $1 unconfined_service_t:tcp_socket create_stream_socket_perms;
')

########################################
## <summary>
##	Create unconfined_service_t UDP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_create_udp_sockets',`
	gen_require(`
		type unconfined_service_t;
	')

	allow $1 unconfined_service_t:udp_socket create_socket_perms;
')

########################################
## <summary>
##	Create unconfined_service_t UNIX sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_create_unix_sockets',`
	gen_require(`
		type unconfined_service_t;
	')

	allow $1 unconfined_service_t:unix_stream_socket create_stream_socket_perms;
	allow $1 unconfined_service_t:unix_dgram_socket create_socket_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	unconfined service domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_server_dontaudit_rw_pipes',`
	gen_require(`
		type unconfined_service_t;
	')

	# dontaudit only silences the denial records; it grants no access.
	dontaudit $1 unconfined_service_t:fifo_file rw_file_perms;
')

########################################
## <summary>
##	Create and use unconfined service shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_create_shm',`
	gen_require(`
		type unconfined_service_t;
	')

	allow $1 unconfined_service_t:shm create_shm_perms;
')

#######################################
## <summary>
##	Allow the specified domain to read unconfined service semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_read_semaphores',`
	gen_require(`
		type unconfined_service_t;
	')

	allow $1 unconfined_service_t:sem r_sem_perms;
')

#######################################
## <summary>
##	Allow the specified domain to read unconfined service process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_server_read_state',`
	gen_require(`
		type unconfined_service_t;
	')

	ps_process_pattern($1, unconfined_service_t)
')