Introduce new boolean unconfined_dyntrans_all.

Default value is set to off. If the boolean is turned on, there is possible using setcon to dyntrans to any process type which is part of domain attribute.
fedora-selinux · Mar 20, 2019 · 2d537ca · 2d537ca
1 parent f0a193b
commit 2d537ca
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
@@ -1789,3 +1789,21 @@ interface(`domain_noatsecure_all_domains',`
 
     allow $1 domain:process { noatsecure };
 ')
+
+######################################
+## <summary>
+##  Allow domain dyntransition to all domains in domain attribute.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`domain_dyntrans',`
+    gen_require(`
+        attribute domain;
+    ')
+
+    dyntrans_pattern($1, domain)
+')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
@@ -27,6 +27,13 @@ gen_tunable(unconfined_mozilla_plugin_transition, false)
 ## </desc>
 gen_tunable(unconfined_login, true)
 
+## <desc>
+## <p>
+## Allow a unconfined user to dynamically transition to a new context using setcon.
+## </p>
+## </desc>
+gen_tunable(unconfined_dyntrans_all, false)
+
 # usage in this module of types created by these
 # calls is not correct, however we dont currently
 # have another method to add access to these types
@@ -106,6 +113,10 @@ tunable_policy(`unconfined_login',`
 	allow unconfined_t unconfined_login_domain:process sigchld;
 ')
 
+tunable_policy(`unconfined_dyntrans_all',`
+    domain_dyntrans(unconfined_t)
+')
+
 optional_policy(`
 	gen_require(`
 		type unconfined_t;