#DESC Unconfined - The unconfined domain
#
# This is the initial domain, and is used for everything that
# is not explicitly confined. It has no restrictions.
# It needs to be carefully protected from the confined domains.
#
# Review note: every rule in this file widens what unconfined_t (and, via the
# aliases below, several "strict"-policy domain names) may do. Changes here are
# effectively changes to the policy's trust boundary, so they deserve the same
# scrutiny as a confined domain losing a restriction.

# The unconfined domain type. The attributes listed here (domain, privuser,
# privrole, privowner, admin, auth_write, fs_domain, privmem) are declared in
# the surrounding policy; what each one grants is defined there, not here.
type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;

# unconfined_t is reachable from all three roles, so role separation does not
# limit it.
role system_r types unconfined_t;
role user_r types unconfined_t;
role sysadm_r types unconfined_t;

# Macro from the base policy; presumably the source of the "no restrictions"
# behaviour described above -- its expansion is not visible in this file.
unconfined_domain(unconfined_t)

# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
#
# Because these are aliases, not separate types, any rule elsewhere that names
# kernel_t, init_t, initrc_t, sysadm_t, rpm_t, rpm_script_t or logrotate_t
# applies to unconfined_t, and processes labelled with those names run
# unconfined in this policy. Confining one of them later means removing its
# alias here and giving it a real type.
typealias bin_t alias su_exec_t;
typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };

# Additional types referenced by other modules (mount_t is a domain,
# initrc_devpts_t is a pty file type); their rules live elsewhere.
type mount_t, domain;
type initrc_devpts_t, ptyfile;

# m4 macro: expands to the set of terminal device types treated as admin
# terminals ({ tty_device_t devpts_t }).
define(`admin_tty_type', `{ tty_device_t devpts_t }')

# User home directory type.
type user_home_t, file_type, sysadmfile;
type user_home_dir_t, file_type, sysadmfile;

# Base-policy macro (defined elsewhere); from its name and arguments it appears
# to set up automatic labelling transitions: directories unconfined_t creates
# under home_root_t become user_home_dir_t, and files it creates under
# user_home_dir_t become user_home_t -- confirm against the macro definition.
file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)

# m4 macro: given a user prefix $1, alias the shared home, tty and devpts types
# to the per-user names the "strict" policy expects ($1_home_t, $1_home_dir_t,
# $1_tty_device_t, $1_devpts_t). The ifelse skips the home aliases for `user'
# because user_home_t / user_home_dir_t are already the real type names, so
# the alias would name the type itself.
define(`user_typealias', `
ifelse($1,`user',`',`
typealias user_home_t alias $1_home_t;
typealias user_home_dir_t alias $1_home_dir_t;
')
typealias tty_device_t alias $1_tty_device_t;
typealias devpts_t alias $1_devpts_t;
')

# Instantiate the aliases for the three user prefixes used by the policy.
user_typealias(sysadm)
user_typealias(staff)
user_typealias(user)

# unconfined_t gets every permission in the filesystem class on unlabeled_t
# filesystems; `*' is the full set (including any permission added to the
# class later), not an explicit list. Acceptable for an unconfined domain,
# but if this policy is ever tightened this is one of the rules to enumerate.
allow unconfined_t unlabeled_t:filesystem *;
# Lets unlabeled_t files be associated with (live on) unlabeled_t filesystems.
allow unlabeled_t unlabeled_t:filesystem associate;

# Tunable declared here, default off; the rules it conditions are not in this
# file.
bool read_default_t false;