Hoshpak
/
debian-selinux-policies


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607
							## <summary>The unconfined domain.</summary>

########################################
## <summary>
##	Make the specified domain unconfined.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain_noaudit',`
	gen_require(`
		type unconfined_t;
		class dbus all_dbus_perms;
		class nscd all_nscd_perms;
		class passwd all_passwd_perms;
	')

	# Use most Linux capabilities
	allow $1 self:capability ~sys_module;
	allow $1 self:fifo_file manage_fifo_file_perms;

	# Transition to myself, to make get_ordered_context_list happy.
	allow $1 self:process transition;

	# Write access is for setting attributes under /proc/self/attr.
	allow $1 self:file rw_file_perms;

	# Userland object managers
	allow $1 self:nscd *;
	allow $1 self:dbus *;
	allow $1 self:passwd *;
	allow $1 self:association *;

	kernel_unconfined($1)
	corenet_unconfined($1)
	dev_unconfined($1)
	domain_unconfined($1)
	domain_dontaudit_read_all_domains_state($1)
	domain_dontaudit_ptrace_all_domains($1)
	files_unconfined($1)
	fs_unconfined($1)
	selinux_unconfined($1)

	tunable_policy(`allow_execheap',`
		# Allow making the stack executable via mprotect.
		allow $1 self:process execheap;
	')

	tunable_policy(`allow_execmem',`
		# Allow making anonymous memory executable, e.g. 
		# for runtime-code generation or executable stack.
		allow $1 self:process execmem;
	')

	tunable_policy(`allow_execstack',`
		# Allow making the stack executable via mprotect;
		# execstack implies execmem;
		allow $1 self:process { execstack execmem };
#		auditallow $1 self:process execstack;
	')

	optional_policy(`
		auth_unconfined($1)
	')

	optional_policy(`
		dbus_unconfined($1)
	')

	optional_policy(`
		ipsec_setcontext_default_spd($1)
		ipsec_match_default_spd($1)
	')

	optional_policy(`
		nscd_unconfined($1)
	')

	optional_policy(`
		postgresql_unconfined($1)
	')

	optional_policy(`
		seutil_create_bin_policy($1)
		seutil_relabelto_bin_policy($1)
	')

	optional_policy(`
		storage_unconfined($1)
	')

	optional_policy(`
		xserver_unconfined($1)
	')
')

########################################
## <summary>
##	Make the specified domain unconfined and
##	audit executable heap usage.
## </summary>
## <desc>
##	<p>
##	Make the specified domain unconfined and
##	audit executable heap usage.  With exception
##	of memory protections, usage of this interface
##	will result in the level of access the domain has
##	is like SELinux	was not being used.
##	</p>
##	<p>
##	Only completely trusted domains should use this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to make unconfined.
##	</summary>
## </param>
#
interface(`unconfined_domain',`
	unconfined_domain_noaudit($1)

	tunable_policy(`allow_execheap',`
		auditallow $1 self:process execheap;
	')
')

########################################
## <summary>
##	Add an alias type to the unconfined domain.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Add an alias type to the unconfined domain.  (Deprecated)
##	</p>
##	<p>
##	This is added to support targeted policy.  Its
##	use should be limited.  It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined domain.
##	</summary>
## </param>
#
interface(`unconfined_alias_domain',`
	refpolicywarn(`$0($1) has been deprecated.')
')

########################################
## <summary>
##	Add an alias type to the unconfined execmem
##	program file type.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Add an alias type to the unconfined execmem
##	program file type.  (Deprecated)
##	</p>
##	<p>
##	This is added to support targeted policy.  Its
##	use should be limited.  It has no effect
##	on the strict policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	New alias of the unconfined execmem program type.
##	</summary>
## </param>
#
interface(`unconfined_execmem_alias_program',`
	refpolicywarn(`$0($1) has been deprecated.')
')

########################################
## <summary>
##	Transition to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`unconfined_domtrans',`
	gen_require(`
		type unconfined_t, unconfined_exec_t;
	')

	domtrans_pattern($1, unconfined_exec_t, unconfined_t)
')

########################################
## <summary>
##	Execute specified programs in the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the unconfined domain.
##	</summary>
## </param>
#
interface(`unconfined_run',`
	gen_require(`
		type unconfined_t;
	')

	unconfined_domtrans($1)
	role $2 types unconfined_t;
')

########################################
## <summary>
##	Transition to the unconfined domain by executing a shell.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`unconfined_shell_domtrans',`
	gen_require(`
		type unconfined_t;
	')

	corecmd_shell_domtrans($1, unconfined_t)
	allow unconfined_t $1:fd use;
	allow unconfined_t $1:fifo_file rw_file_perms;
	allow unconfined_t $1:process sigchld;
')

########################################
## <summary>
##	Allow unconfined to execute the specified program in
##	the specified domain.
## </summary>
## <desc>
##	<p>
##	Allow unconfined to execute the specified program in
##	the specified domain.
##	</p>
##	<p>
##	This is a interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
## <param name="entry_file">
##	<summary>
##	Domain entry point file.
##	</summary>
## </param>
#
interface(`unconfined_domtrans_to',`
	gen_require(`
		type unconfined_t;
	')

	domtrans_pattern(unconfined_t,$2,$1)
')

########################################
## <summary>
##	Allow unconfined to execute the specified program in
##	the specified domain.  Allow the specified domain the
##	unconfined role and use of unconfined user terminals.
## </summary>
## <desc>
##	<p>
##	Allow unconfined to execute the specified program in
##	the specified domain.  Allow the specified domain the
##	unconfined role and use of unconfined user terminals.
##	</p>
##	<p>
##	This is a interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
## <param name="entry_file">
##	<summary>
##	Domain entry point file.
##	</summary>
## </param>
#
interface(`unconfined_run_to',`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	domtrans_pattern(unconfined_t,$2,$1)
	role unconfined_r types $1;
	userdom_use_user_terminals($1)
')

########################################
## <summary>
##	Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_use_fds',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fd use;
')

########################################
## <summary>
##	Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_sigchld',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process sigchld;
')

########################################
## <summary>
##	Send a SIGNULL signal to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_signull',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signull;
')

########################################
## <summary>
##	Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_signal',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signal;
')

########################################
## <summary>
##	Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_read_pipes',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:fifo_file read;
')

########################################
## <summary>
##	Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_rw_pipes',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
')

########################################
## <summary>
##	Connect to the unconfined domain using
##	a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_stream_connect',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
##	</p>
##	<p>
##	This interface was added due to a broken
##	symptom in ldconfig.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:tcp_socket { read write };
')

########################################
## <summary>
##	Create keys for the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_create_keys',`
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:key create;
')

########################################
## <summary>
##	Send messages to the unconfined domain over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_send',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	allow $1 unconfined_t:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	unconfined_t over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_chat',`
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	allow $1 unconfined_t:dbus send_msg;
	allow unconfined_t $1:dbus send_msg;
')

########################################
## <summary>
##	Connect to the the unconfined DBUS
##	for service (acquire_svc).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unconfined_dbus_connect',`
	gen_require(`
		type unconfined_t;
		class dbus acquire_svc;
	')

	allow $1 unconfined_t:dbus acquire_svc;
')

########################################
## <summary>
##      Do not audit attempts to read and write
##      unconfined domain stream.
## </summary>
## <param name="domain">
##      <summary>
##      Domain to not audit.
##      </summary>
## </param>
#
interface(`unconfined_dontaudit_rw_stream',`
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
')