[selinux-policy: 514/3172] unconfined can pass all constraints
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:49:02 UTC 2010
commit 53857c8c05e1d3520f551bd816104e7228058a15
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jul 20 17:24:23 2005 +0000
unconfined can pass all constraints
refpolicy/policy/modules/system/domain.if | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 13cafe0..1b9c837 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -614,6 +614,9 @@ interface(`domain_read_all_entry_files',`
interface(`domain_unconfined',`
gen_require(`
attribute domain, set_curr_context;
+ attribute can_change_process_identity;
+ attribute can_change_process_role;
+ attribute can_change_object_identity;
class fd use;
class fifo_file rw_file_perms;
class process { transition dyntransition execmem };
@@ -622,6 +625,12 @@ interface(`domain_unconfined',`
class lnk_file r_file_perms;
')
+ # pass all constraints
+ typeattribute $1 can_change_process_identity;
+ typeattribute $1 can_change_process_role;
+ typeattribute $1 can_change_object_identity;
+ typeattribute $1 set_curr_context;
+
# Use/sendto/connectto sockets created by any domain.
allow $1 domain:{ socket_class_set socket key_socket } *;
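Review bot: The comment `# pass all constraints` above the four added `typeattribute` lines claims more than the lines show. They add `$1` to the three `can_change_*` attributes and to `set_curr_context`, which presumably exempts it only from constraints that test those attributes, not from constraints keyed on any other attribute. A narrower comment would be easier to audit, for example `# Exempt $1 from the constraints gated on the can_change_* and set_curr_context attributes.` Every type passed to `domain_unconfined` now gains the process identity, process role and object identity exemptions, so the interface's header documentation should list them so that callers can see what they are granting. That header is outside this hunk, and the interface body also starts and ends outside it.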
@@ -631,7 +640,6 @@ interface(`domain_unconfined',`
# Act upon any other process.
allow $1 domain:process ~{ transition dyntransition execmem };
- typeattribute $1 set_curr_context;
# Create/access any System V IPC objects.
allow $1 domain:{ sem msgq shm } *;