[selinux-policy: 514/3172] unconfined can pass all constraints

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:49:02 UTC 2010


commit 53857c8c05e1d3520f551bd816104e7228058a15
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jul 20 17:24:23 2005 +0000

    unconfined can pass all constraints

 refpolicy/policy/modules/system/domain.if |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 13cafe0..1b9c837 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -614,6 +614,9 @@ interface(`domain_read_all_entry_files',`
 interface(`domain_unconfined',`
 	gen_require(`
 		attribute domain, set_curr_context;
+		attribute can_change_process_identity;
+		attribute can_change_process_role;
+		attribute can_change_object_identity;
 		class fd use;
 		class fifo_file rw_file_perms;
 		class process { transition dyntransition execmem };
@@ -622,6 +625,12 @@ interface(`domain_unconfined',`
 		class lnk_file r_file_perms;
 	')
 
+	# pass all constraints
+	typeattribute $1 can_change_process_identity;
+	typeattribute $1 can_change_process_role;
+	typeattribute $1 can_change_object_identity;
+	typeattribute $1 set_curr_context;
+
 	# Use/sendto/connectto sockets created by any domain.
 	allow $1 domain:{ socket_class_set socket key_socket } *;
 
@@ -631,7 +640,6 @@ interface(`domain_unconfined',`
 
 	# Act upon any other process.
 	allow $1 domain:process ~{ transition dyntransition execmem };
-	typeattribute $1 set_curr_context;
 
 	# Create/access any System V IPC objects.
 	allow $1 domain:{ sem msgq shm } *;

