--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/system/unconfined.fc 2008-08-14 13:53:54.000000000 -0400
@@ -2,15 +2,11 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
ifdef(`distro_gentoo',`
/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
@@ -14,3 +10,20 @@
ifdef(`distro_gentoo',`
/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
+/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/runghc -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
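Review bot: The GHC file-context patterns are broader than their intent suggests: `/usr/libexec/ghc-[^/]+/.*bin` matches any path under a ghc-* directory that merely ends in `bin`, at any depth, and `/usr/bin/haddock.*` matches every /usr/bin entry whose name begins with `haddock`. Because these lines assign `unconfined_execmem_exec_t`, each accidental match becomes an entry point into the execmem unconfined domain; restricting them to one path component, `/usr/libexec/ghc-[^/]+/[^/]*bin` and `/usr/bin/haddock[^/]*`, keeps the labelling to what was presumably meant. The two erlang lines also leave the dot in `beam.smp` unescaped, unlike `realplay\.bin` elsewhere in this file; `beam\.smp` is the consistent form.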
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/system/unconfined.if 2008-08-14 13:53:54.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
- type unconfined_t;
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
# Use any Linux capability.
- allow $1 self:capability *;
+ allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
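Review bot: The gen_require block drops `type unconfined_t;` while the body of `unconfined_domain_noaudit` continues past this hunk; if any later line of the interface still names unconfined_t the module will no longer build, so that should be confirmed against the full interface. Replacing `self:capability *` with `all_capabilities` changes the meaning from "every permission the kernel defines, now or later" to a fixed policy-side set, which is the more auditable choice and deserves a comment, e.g. `# Named permission sets instead of '*' so permissions added to a class later are not granted silently.` The same substitution is made for nscd, dbus, passwd and association in the next hunk.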
@@ -27,12 +26,13 @@
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
+ allow $1 self:dir rw_dir_perms;
# Userland object managers
- allow $1 self:nscd *;
- allow $1 self:dbus *;
- allow $1 self:passwd *;
- allow $1 self:association *;
+ allow $1 self:nscd all_nscd_perms;
+ allow $1 self:dbus all_dbus_perms;
+ allow $1 self:passwd all_passwd_perms;
+ allow $1 self:association all_association_perms;
kernel_unconfined($1)
corenet_unconfined($1)
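Review bot: The new `allow $1 self:dir rw_dir_perms;` sits directly under the comment "Write access is for setting attributes under /proc/self/attr.", which justifies the file rule above it, so the reason for directory write access on self is never stated. A comment of its own, such as `# self:dir rw — TODO state which /proc/self path needs directory write`, keeps the two rules separately justified; nothing in this hunk shows what triggered the addition.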
@@ -44,6 +44,11 @@
fs_unconfined($1)
selinux_unconfined($1)
+ domain_mmap_low_type($1)
+ tunable_policy(`allow_unconfined_mmap_low',`
+ domain_mmap_low($1)
+ ')
+
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
@@ -70,6 +75,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
')
optional_policy(`
@@ -380,6 +386,24 @@
########################################
##
+## Send a SIGNULL signal to the unconfined execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_signull',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signull;
+')
+
+########################################
+##
## Send generic signals to the unconfined domain.
##
##
@@ -597,7 +621,7 @@
########################################
##
-## Read files in unconfined users home directories.
+## Allow ptrace of unconfined domain
##
##
##
@@ -605,20 +629,53 @@
##
##
#
-interface(`unconfined_read_home_content_files',`
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+##
+## Read and write to unconfined shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`unconfined_rw_shm',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Read and write to unconfined execmem shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`unconfined_execmem_rw_shm',`
gen_require(`
- type unconfined_home_dir_t, unconfined_home_t;
+ type unconfined_execmem_t;
')
- files_search_home($1)
- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
')
########################################
##
-## Read unconfined users temporary files.
+## Transition to the unconfined_execmem domain.
##
##
##
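Review bot: `unconfined_read_home_content_files` is removed outright and replaced in place by `unconfined_ptrace`, so any module that still calls the old interface will fail to build; that is not visible from the hunk and should be checked, or the old name kept as a deprecated wrapper. The same in-place replacement happens to `unconfined_read_tmp_files` and `unconfined_write_tmp_files` in the following two hunks. The documentation of `unconfined_ptrace` should also say what it grants: ptrace over unconfined_t lets the caller inspect and alter an unconfined process, so a line such as `## Callers effectively obtain unconfined privileges; restrict use to debugger domains.` belongs in its summary block.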
@@ -626,20 +683,58 @@
##
##
#
-interface(`unconfined_read_tmp_files',`
+interface(`unconfined_execmem_domtrans',`
+
gen_require(`
- type unconfined_tmp_t;
+ type unconfined_execmem_t, unconfined_execmem_exec_t;
')
- files_search_tmp($1)
- allow $1 unconfined_tmp_t:dir list_dir_perms;
- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ domtrans_pattern($1, unconfined_execmem_exec_t, unconfined_execmem_t)
')
########################################
##
-## Write unconfined users temporary files.
+## allow attempts to use unconfined ttys and ptys.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_use_terminals',`
+ gen_require(`
+ type unconfined_devpts_t;
+ type unconfined_tty_device_t;
+ ')
+
+ allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
+ allow $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Do not audit attempts to use unconfined ttys and ptys.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_use_terminals',`
+ gen_require(`
+ type unconfined_devpts_t;
+ type unconfined_tty_device_t;
+ ')
+
+ dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
+ dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Allow apps to set rlimits on userdomain
##
##
##
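Review bot: The parameter description of `unconfined_use_terminals` reads "Domain to not audit.", copied from the dontaudit variant below it; since this interface emits `allow` rules it should read `## Domain allowed access.`. Its summary "allow attempts to use unconfined ttys and ptys." is also the only lowercase summary in the file. `unconfined_execmem_domtrans` opens with a stray blank line between the interface header and its gen_require, unlike every other interface in this patch.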
@@ -647,10 +742,124 @@
##
##
#
-interface(`unconfined_write_tmp_files',`
+interface(`unconfined_set_rlimitnh',`
gen_require(`
- type unconfined_tmp_t;
+ type unconfined_t;
')
- allow $1 unconfined_tmp_t:file { getattr write append };
+ allow $1 unconfined_t:process rlimitinh;
')
+
+########################################
+##
+## Read/write unconfined tmpfs files.
+##
+##
+##
+## Read/write unconfined tmpfs files.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_rw_tmpfs_files',`
+ gen_require(`
+ type unconfined_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t)
+ read_lnk_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t)
+')
+
+########################################
+##
+## Delete unconfined tmpfs files.
+##
+##
+##
+## Read/write unconfined tmpfs files.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_delete_tmpfs_files',`
+ gen_require(`
+ type unconfined_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ delete_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t)
+ read_lnk_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t)
+')
+
+########################################
+##
+## Get the process group of unconfined.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_getpgid',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+##
+## Change to the unconfined role.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`unconfined_role_change_template',`
+ userdom_role_change_template($1, unconfined)
+')
+
+########################################
+##
+## Change from the unconfined role.
+##
+##
+##
+## Change from the unconfined role to
+## the specified role.
+##
+##
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`unconfined_role_change_to_template',`
+ userdom_role_change_template(unconfined, $1)
+')
+
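Review bot: The interface name `unconfined_set_rlimitnh` does not match the permission it grants, `rlimitinh`; since callers will have to reproduce the name, spelling it `unconfined_set_rlimitinh` avoids a permanent typo in a public interface. Its summary "Allow apps to set rlimits on userdomain" names userdomain rather than unconfined_t, the type actually used. In `unconfined_delete_tmpfs_files` the description block repeats "Read/write unconfined tmpfs files." from the interface above it and should read `## Delete unconfined tmpfs files.`.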
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/system/unconfined.te 2008-08-14 13:53:54.000000000 -0400
@@ -6,35 +6,75 @@
# Declarations
#
+##
+##
+## Transition to confined nsplugin domains from unconfined user
+##
+##
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+##
+##
+## Allow unconfined domain to map low memory in the kernel
+##
+##
+gen_tunable(allow_unconfined_mmap_low, false)
+
+##
+##
+## Transition to confined qemu domains from unconfined user
+##
+##
+gen_tunable(allow_unconfined_qemu_transition, false)
+
# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined)
+userdom_restricted_user_template(unconfined)
+#userdom_common_user_template(unconfined)
+#userdom_xwindows_client_template(unconfined)
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
+role system_r types unconfined_t;
type unconfined_execmem_t;
type unconfined_execmem_exec_t;
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
+
########################################
#
# Local policy
#
+dontaudit unconfined_t self:dir write;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+init_domtrans_script(unconfined_t)
+init_chat(unconfined_t)
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
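Review bot: `dontaudit unconfined_t self:capability sys_module;` and `dontaudit unconfined_t self:dir write;` are added without comment, yet `unconfined_domain(unconfined_t)` later in this file grants `self:capability all_capabilities` and `self:dir rw_dir_perms` through `unconfined_domain_noaudit` (see the unconfined.if hunks above); if those sets include sys_module and write, both dontaudit rules are dead, and if sys_module has been deliberately withheld from unconfined this is where a comment should say so, e.g. `# sys_module is not granted to unconfined; silence the resulting denials`. The commented-out `#userdom_common_user_template(unconfined)` and `#userdom_xwindows_client_template(unconfined)` are dead lines; either drop them or note why they are kept.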
@@ -42,28 +82,37 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
+seutil_run_setsebool(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
unconfined_domain(unconfined_t)
+domain_mmap_low(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
+optional_policy(`
+ nsplugin_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
+ nsplugin_domtrans_user(unconfined, unconfined_t)
+ nsplugin_domtrans_user_config(unconfined, unconfined_t)
+ ')
+')
+
ifdef(`distro_gentoo',`
seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
seutil_init_script_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')
optional_policy(`
- ada_domtrans(unconfined_t)
+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
')
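Review bot: `domain_mmap_low(unconfined_t)` is called unconditionally on the line after `unconfined_domain(unconfined_t)`, yet the boolean `allow_unconfined_mmap_low` declared in this patch (default false) exists to gate exactly that access: `unconfined_domain_noaudit` now applies `domain_mmap_low($1)` inside a tunable_policy block on that boolean, and unconfined_domain presumably delegates to it as in reference policy. With both present, turning the boolean off has no effect on unconfined_t and the tunable description "Allow unconfined domain to map low memory in the kernel" becomes misleading. Dropping the unconditional `domain_mmap_low(unconfined_t)` line lets the boolean govern the access as the interface intends.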
optional_policy(`
@@ -75,12 +124,6 @@
')
optional_policy(`
- cron_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(unconfined_crond_t)
-')
-
-optional_policy(`
init_dbus_chat_script(unconfined_t)
dbus_stub(unconfined_t)
@@ -106,48 +149,48 @@
')
optional_policy(`
- networkmanager_dbus_chat(unconfined_t)
+ gnomeclock_dbus_chat(unconfined_t)
')
optional_policy(`
- oddjob_dbus_chat(unconfined_t)
- ')
+ kerneloops_dbus_chat(unconfined_t)
')
optional_policy(`
- firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ networkmanager_dbus_chat(unconfined_t)
')
optional_policy(`
- ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ oddjob_dbus_chat(unconfined_t)
')
optional_policy(`
- inn_domtrans(unconfined_t)
+ vpnc_dbus_chat(unconfined_t)
+ ')
')
optional_policy(`
- java_domtrans(unconfined_t)
+ firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- mono_domtrans(unconfined_t)
+ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- mta_per_role_template(unconfined, unconfined_t, unconfined_r)
+ lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
+ modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
@@ -159,38 +202,48 @@
')
optional_policy(`
- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
-')
+ qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
-
-optional_policy(`
- pyzor_per_role_template(unconfined)
+ tunable_policy(`allow_unconfined_qemu_transition',`
+ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ',`
+ qemu_runas_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+ qemu_role(unconfined_r)
+ qemu_unconfined_role(unconfined_r)
')
optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
+ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_role_transition(unconfined_r)
')
optional_policy(`
- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+ # this is disallowed usage:
+ unconfined_domain(unconfined_crond_t)
+ unconfined_domain(unconfined_crontab_t)
+ role system_r types unconfined_crontab_t;
+ rpm_transition_script(unconfined_crond_t)
')
optional_policy(`
samba_per_role_template(unconfined)
- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+ sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
')
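Review bot: The cron block now makes both `unconfined_crond_t` and `unconfined_crontab_t` fully unconfined and adds `role system_r types unconfined_crontab_t;`, but the retained comment "# this is disallowed usage:" still reads as if it covered only crond. crontab is ordinarily a setuid helper that parses user-supplied crontab files, so granting it `unconfined_domain` is a real widening that deserves a comment explaining why a confined crontab type does not suffice. The same applies to `unconfined_domain(unconfined_mono_t)` in the next hunk, which carries no justification at all.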
optional_policy(`
@@ -198,23 +251,34 @@
')
optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- wine_domtrans(unconfined_t)
+ mono_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mono_t)
+ role system_r types unconfined_mono_t;
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+')
+
+optional_policy(`
+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
@@ -224,14 +288,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t unconfined_t:process transition;
optional_policy(`
- dbus_stub(unconfined_execmem_t)
-
init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t)
+')
+
+optional_policy(`
+ avahi_dbus_chat(unconfined_execmem_t)
+')
optional_policy(`
hal_dbus_chat(unconfined_execmem_t)
')
+
+optional_policy(`
+ xserver_xdm_rw_shm(unconfined_execmem_t)
')
+
+########################################
+#
+# Unconfined notrans Local policy
+#
+
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
+# Allow SELinux aware applications to request rpm_script execution
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
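Review bot: The new `unconfined_notrans_t` section grants execmem/execstack, the full `unconfined_domain_noaudit`, and `domain_ptrace_all_domains`, yet its header "# Unconfined notrans Local policy" says nothing about what the domain is for or why it must ptrace every domain. The .fc hunk labels mock, sysreport and vncserver with `unconfined_notrans_exec_t`, so presumably the purpose is that these tools should not transition into confined domains for the programs they spawn; the header should say that and name which of them actually needs ptrace, e.g. `# Domain for unconfined tools that must not domain-transition their children; TODO confirm which needs ptrace`. `allow unconfined_execmem_t unconfined_t:process transition;` is likewise unexplained, as no type_transition back to unconfined_t appears in this hunk; a comment naming the exec path that relies on it would help.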