
Introduce new boolean unconfined_dyntrans_all.

Default value is set to off. If the boolean is turned on, it is possible
to use setcon to dyntrans to any process type which is part of the
domain attribute.
wrabcak committed Mar 20, 2019
1 parent f0a193b commit 2d537cabbb2df614ea598ac20873c653cbf271a8
Showing with 29 additions and 0 deletions.
  1. +18 −0 policy/modules/kernel/domain.if
  2. +11 −0 policy/modules/roles/unconfineduser.te
@@ -1789,3 +1789,21 @@ interface(`domain_noatsecure_all_domains',`

allow $1 domain:process { noatsecure };
')

######################################
## <summary>
## Allow domain dyntransition to all domains in domain attribute.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`domain_dyntrans',`
gen_require(`
attribute domain;
')

dyntrans_pattern($1, domain)
')
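Review bot: the new interface name `domain_dyntrans` does not follow the naming of the neighbouring interfaces in this section (the one just above is `domain_noatsecure_all_domains`); since `dyntrans_pattern($1, domain)` covers every type carrying the `domain` attribute, a name such as `domain_dyntrans_all_domains` would make the breadth of the grant visible at every call site. The `<summary>` block should also state plainly that the caller can reach any domain on the system, not only unconfined ones, so policy authors do not reuse this interface for a confined domain by mistake.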
@@ -27,6 +27,13 @@ gen_tunable(unconfined_mozilla_plugin_transition, false)
## </desc>
gen_tunable(unconfined_login, true)

## <desc>
## <p>
## Allow a unconfined user to dynamically transition to a new context using setcon.
## </p>
## </desc>
gen_tunable(unconfined_dyntrans_all, false)

# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
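Review bot: the `<desc>` text has a grammar slip ("a unconfined user" should be "an unconfined user"), and it understates what the boolean does: the commit message says the transition may target any process type in the `domain` attribute, but the description only says "a new context". Suggest wording such as "Allow an unconfined user to dynamically transition, using setcon, to any domain type on the system." so that `semanage boolean -l` output conveys the real scope.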
@@ -106,6 +113,10 @@ tunable_policy(`unconfined_login',`
allow unconfined_t unconfined_login_domain:process sigchld;
')

tunable_policy(`unconfined_dyntrans_all',`
domain_dyntrans(unconfined_t)
')

optional_policy(`
gen_require(`
type unconfined_t;
