## <summary>Policy for user domains</summary>
#######################################
## <summary>
## The template containing rules common to unprivileged
## users and administrative users.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
## </p>
## <p>
## This generally should not be used, rather the
## unpriv_user_template or admin_user_template should
## be used.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
#
template(`base_user_template',`
attribute $1_file_type;
type $1_t, userdomain;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
domain_user_exemption_target($1_t)
role $1_r types $1_t;
allow system_r $1_r;
# user pseudoterminal
type $1_devpts_t;
term_user_pty($1_t,$1_devpts_t)
files_type($1_devpts_t)
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
files_associate_tmp($1_home_t)
fs_associate_tmpfs($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
files_type($1_home_dir_t)
files_associate_tmp($1_home_dir_t)
fs_associate_tmpfs($1_home_dir_t)
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
# types for network-obtained content
type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
files_type($1_untrusted_content_t)
files_poly_member($1_untrusted_content_t)
type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
files_tmp_file($1_untrusted_content_tmp_t)
type $1_tty_device_t;
term_tty($1_t,$1_tty_device_t)
##############################
#
# User home directory file rules
#
allow $1_file_type $1_home_t:filesystem associate;
##############################
#
# User domain Local policy
#
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:process { ptrace setfscreate };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
dontaudit $1_t self:socket create;
allow $1_t self:udp_socket { sendto recvfrom };
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
# execute files in the home directory
can_exec($1_t,$1_home_t)
# full control of the home directory
allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
files_search_home($1_t)
can_exec($1_t,$1_tmp_t)
# user temporary files
allow $1_t $1_tmp_t:file create_file_perms;
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
files_filetrans_tmp($1_t, $1_tmp_t, { dir notdevfile_class_set })
# Bind to a Unix domain socket in /tmp.
# cjp: this is combination is not checked and should be removed
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
allow $1_t $1_tmpfs_t:dir rw_dir_perms;
allow $1_t $1_tmpfs_t:file create_file_perms;
allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
allow $1_t $1_tmpfs_t:sock_file create_file_perms;
allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
fs_filetrans_tmpfs($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
# Allow user to relabel untrusted content
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
allow $1_t unpriv_userdomain:fd use;
kernel_read_kernel_sysctl($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_file($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
kernel_dontaudit_getattr_unlabeled_pipes($1_t)
kernel_dontaudit_getattr_unlabeled_sockets($1_t)
kernel_dontaudit_getattr_unlabeled_blk_dev($1_t)
kernel_dontaudit_getattr_unlabeled_chr_dev($1_t)
# Very permissive allowing every domain to see every type:
kernel_get_sysvipc_info($1_t)
# Find CDROM devices:
kernel_read_device_sysctl($1_t)
dev_rw_power_management($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_udp_bind_generic_port($1_t)
corenet_tcp_connect_all_ports($1_t)
dev_read_input($1_t)
dev_read_misc($1_t)
dev_write_misc($1_t)
dev_write_snd_dev($1_t)
dev_read_snd_dev($1_t)
dev_read_snd_mixer_dev($1_t)
dev_write_snd_mixer_dev($1_t)
dev_read_rand($1_t)
dev_read_urand($1_t)
# open office is looking for the following
dev_getattr_agp_dev($1_t)
dev_dontaudit_rw_dri_dev($1_t)
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
fs_getattr_all_dirs($1_t)
fs_search_auto_mountpoints($1_t)
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
selinux_compute_access_vector($1_t)
selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
# for eject
storage_getattr_fixed_disk($1_t)
auth_read_login_records($1_t)
auth_dontaudit_write_login_records($1_t)
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
corecmd_exec_bin($1_t)
corecmd_exec_sbin($1_t)
corecmd_exec_ls($1_t)
domain_use_wide_inherit_fd($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_t)
domain_dontaudit_getattr_all_domains($1_t)
domain_dontaudit_getsession_all_domains($1_t)
files_exec_etc_files($1_t)
files_search_locks($1_t)
# Check to see if cdrom is mounted
files_search_mnt($1_t)
# old broswer_domain():
files_dontaudit_list_non_security($1_t)
files_dontaudit_getattr_non_security_files($1_t)
files_dontaudit_getattr_non_security_symlinks($1_t)
files_dontaudit_getattr_non_security_pipes($1_t)
files_dontaudit_getattr_non_security_sockets($1_t)
files_dontaudit_getattr_non_security_blk_dev($1_t)
files_dontaudit_getattr_non_security_chr_dev($1_t)
# Caused by su - init scripts
init_dontaudit_use_script_pty($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
libs_exec_ld_so($1_t)
libs_exec_lib_files($1_t)
logging_dontaudit_getattr_all_logs($1_t)
miscfiles_read_localization($1_t)
miscfiles_read_fonts($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
mta_rw_spool($1_t)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
')
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
tunable_policy(`read_default_t',`
files_list_default($1_t)
files_read_default_files($1_t)
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
',`
files_dontaudit_list_default($1_t)
files_dontaudit_read_default_files($1_t)
')
tunable_policy(`read_untrusted_content',`
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
',`
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
fs_manage_nfs_symlinks($1_t)
fs_manage_nfs_named_sockets($1_t)
fs_manage_nfs_named_pipes($1_t)
fs_execute_nfs_files($1_t)
',`
fs_dontaudit_manage_nfs_dirs($1_t)
fs_dontaudit_manage_nfs_files($1_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_t)
fs_manage_cifs_files($1_t)
fs_manage_cifs_symlinks($1_t)
fs_manage_cifs_named_sockets($1_t)
fs_manage_cifs_named_pipes($1_t)
fs_execute_cifs_files($1_t)
',`
fs_dontaudit_manage_cifs_dirs($1_t)
fs_dontaudit_manage_cifs_files($1_t)
')
tunable_policy(`user_direct_mouse',`
dev_read_mouse($1_t)
')
tunable_policy(`user_ttyfile_stat',`
term_getattr_all_user_ttys($1_t)
')
optional_policy(`apm',`
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_t)
')
optional_policy(`canna',`
canna_stream_connect($1_t)
')
optional_policy(`cups',`
cups_stream_connect_ptal($1_t)
')
optional_policy(`dbus',`
dbus_system_bus_client_template($1,$1_t)
optional_policy(`cups',`
cups_dbus_chat_config($1_t)
')
optional_policy(`hal',`
hal_dbus_chat($1_t)
')
optional_policy(`networkmanager',`
networkmanager_dbus_chat($1_t)
')
')
optional_policy(`dictd',`
dictd_use($1_t)
')
optional_policy(`ftp',`
tunable_policy(`ftpd_is_daemon',`
ftp_tcp_connect($1_t)
')
')
optional_policy(`finger',`
finger_tcp_connect($1_t)
')
optional_policy(`i18n_input',`
i18n_use($1_t)
')
optional_policy(`inetd',`
inetd_tcp_connect($1_t)
inetd_udp_sendto($1_t)
inetd_use_fd($1_t)
inetd_rw_tcp_socket($1_t)
')
optional_policy(`inn',`
inn_read_config($1_t)
inn_read_news_lib($1_t)
inn_read_news_spool($1_t)
')
optional_policy(`nis',`
nis_use_ypbind($1_t)
')
optional_policy(`mysql',`
ifdef(`strict_policy',`
tunable_policy(`allow_user_mysql_connect',`
mysql_stream_connect($1_t)
')
')
')
optional_policy(`nscd',`
nscd_use_socket($1_t)
')
optional_policy(`pcmcia',`
# to allow monitoring of pcmcia status
pcmcia_read_pid($1_t)
')
optional_policy(`portmap',`
portmap_tcp_connect($1_t)
')
optional_policy(`quota',`
quota_dontaudit_getattr_db($1_t)
')
optional_policy(`rpc',`
rpc_dontaudit_getattr_exports($1_t)
rpc_manage_nfs_rw_content($1_t)
')
optional_policy(`rpm',`
files_getattr_var_lib_dir($1_t)
files_search_var_lib($1_t)
')
optional_policy(`samba',`
samba_connect_winbind($1_t)
')
optional_policy(`slrnpull',`
slrnpull_search_spool($1_t)
')
optional_policy(`squid',`
squid_use($1_t)
')
optional_policy(`usermanage',`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
optional_policy(`usernetctl',`
usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
ifdef(`TODO',`
#
# Cups daemon running as user tries to write /etc/printcap
#
dontaudit $1_t usr_t:file setattr;
# /initrd is left mounted, various programs try to look at it
dontaudit $1_t ramfs_t:dir getattr;
#
# Running ifconfig as a user generates the following
#
dontaudit $1_t sysctl_net_t:dir search;
r_dir_file($1_t, usercanread)
# old browser_domain():
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
allow $1_t usbtty_device_t:chr_file read;
can_resmgrd_connect($1_t)
# Use X
x_client_domain($1, $1)
ifdef(`xserver.te', `
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
')
ifdef(`xdm.te', `
# Connect to the X server run by the X Display Manager.
can_unix_connect($1_t, xdm_t)
# certain apps want to read xdm.pid file
r_dir_file($1_t, xdm_var_run_t)
allow $1_t xdm_var_lib_t:file r_file_perms;
allow xdm_t $1_home_dir_t:dir getattr;
ifdef(`xauth.te', `
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
')
')
# start read_fonts()
# cjp: these types come in from fontconfig
# Manipulate the global font cache
create_dir_file($1, $1_fonts_cache_t)
# Read per user fonts and font config
r_dir_file($1, $1_fonts_t)
r_dir_file($1, $1_fonts_config_t)
# There are some fonts in .gnome2
ifdef(`gnome.te', `
allow $1 $2_gnome_settings_t:dir { getattr search };
')
# end read_fonts()
') dnl endif TODO
')
#######################################
## <summary>
## The template for creating a unprivileged user.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
#
template(`unpriv_user_template', `
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
base_user_template($1)
typeattribute $1_t unpriv_userdomain;
domain_wide_inherit_fd($1_t)
domain_exec_all_entry_files($1_t)
typeattribute $1_devpts_t user_ptynode;
typeattribute $1_home_dir_t user_home_dir_type;
files_poly($1_home_dir_t)
typeattribute $1_home_t user_home_type;
files_poly_member($1_home_t)
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
##############################
#
# Local policy
#
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
term_create_pty($1_t,$1_devpts_t)
# Rules used to associate a homedir as a mountpoint
allow $1_home_t self:filesystem associate;
allow $1_file_type $1_home_t:filesystem associate;
# privileged home directory writers
allow privhome $1_home_t:file create_file_perms;
allow privhome $1_home_t:lnk_file create_lnk_perms;
allow privhome $1_home_t:dir create_dir_perms;
allow privhome $1_home_t:sock_file create_file_perms;
allow privhome $1_home_t:fifo_file create_file_perms;
type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
dev_read_sysfs($1_t)
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
files_list_home($1_t)
files_read_usr_files($1_t)
files_exec_usr_files($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
files_read_world_readable_files($1_t)
files_read_world_readable_symlinks($1_t)
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
init_read_utmp($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_write_utmp($1_t)
# Stop warnings about access to /dev/console
init_dontaudit_use_fd($1_t)
init_dontaudit_use_script_fd($1_t)
miscfiles_read_man_pages($1_t)
seutil_read_config($1_t)
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
seutil_exec_checkpol($1_t)
ifdef(`enable_polyinstantiation',`
type_member $1_t $1_home_dir_t:dir $1_home_t;
files_poly_member_tmp($1_t,$1_tmp_t)
')
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
',`
kernel_dontaudit_read_ring_buffer($1_t)
')
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_port($1_t)
')
optional_policy(`dbus',`
dbus_stub($1_t)
optional_policy(`bluetooth',`
bluetooth_dbus_chat($1_t)
')
')
optional_policy(`kerberos',`
kerberos_use($1_t)
')
optional_policy(`loadkeys',`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
# for running depmod as part of the kernel packaging process
optional_policy(`modutils',`
modutils_read_module_conf($1_t)
')
optional_policy(`netutils',`
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
# Run pppd in pppd_t by default for user
optional_policy(`ppp', `
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
optional_policy(`selinuxutil',`
# for when the network connection is killed
seutil_dontaudit_signal_newrole($1_t)
')
# Need the following rule to allow users to run vpnc
optional_policy(`xserver', `
corenet_tcp_bind_xserver_port($1_t)
')
ifdef(`TODO',`
ifdef(`enable_mls',`',`
fs_exec_noxattr($1_t)
tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
# cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
')
')
dontaudit $1_t boot_t:lnk_file read;
dontaudit $1_t boot_t:file read;
# do not audit read on disk devices
dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
ifdef(`xdm.te', `
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
#
# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
#
dontaudit xdm_t $1_home_t:file rw_file_perms;
')
ifdef(`ftpd.te', `
tunable_policy(`ftp_home_dir',`
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
')
')
ifdef(`useradd.te', `
# Useradd relabels /etc/skel files so needs these privs
allow useradd_t $1_file_type:dir create_dir_perms;
allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
')
# Stat lost+found.
allow $1_t lost_found_t:dir getattr;
# Read /var, /var/spool, /var/run.
r_dir_file($1_t, var_t)
# what about pipes and sockets under /var/spool?
r_dir_file($1_t, var_spool_t)
r_dir_file($1_t, var_run_t)
allow $1_t var_lib_t:dir r_dir_perms;
allow $1_t var_lib_t:file { getattr read };
# Allow users to rw usb devices
tunable_policy(`user_rw_usb',`
rw_dir_create_file($1_t,usbdevfs_t)
',`
r_dir_file($1_t,usbdevfs_t)
')
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
dontaudit $1_t sysadm_home_t:file { read append };
ifdef(`syslogd.te', `
# Some programs that are left in $1_t will try to connect
# to syslogd, but we do not want to let them generate log messages.
# Do not audit.
dontaudit $1_t devlog_t:sock_file { read write };
dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
')
allow $1_t initrc_t:fifo_file write;
') dnl end TODO
')
#######################################
## <summary>
## The template for creating an administrative user.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
## </p>
## <p>
## The privileges given to administrative users are:
## <ul>
## <li>Raw disk access</li>
## <li>Set all sysctls</li>
## <li>All kernel ring buffer controls</li>
## <li>Set SELinux enforcement mode (enforcing/permissive)</li>
## <li>Set SELinux booleans</li>
## <li>Relabel all files but shadow</li>
## <li>Create, read, write, and delete all files but shadow</li>
## <li>Manage source and binary format SELinux policy</li>
## <li>Run insmod</li>
## </ul>
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
## </param>
#
template(`admin_user_template',`
gen_require(`
class passwd { passwd chfn chsh rootok crontab };
')
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
base_user_template($1)
typeattribute $1_t privhome;
domain_obj_id_change_exempt($1_t)
role system_r types $1_t;
ifdef(`direct_sysadm_daemon',`
domain_system_change_exempt($1_t)
')
typeattribute $1_devpts_t admin_terminal;
typeattribute $1_tty_device_t admin_terminal;
##############################
#
# $1_t local policy
#
allow $1_t self:capability ~sys_module;
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
# for the administrator to run TCP servers directly
allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
term_create_pty($1_t,$1_devpts_t)
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core($1_t)
kernel_getattr_message_if($1_t)
kernel_change_ring_buffer_level($1_t)
kernel_clear_ring_buffer($1_t)
kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctl($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
# for the administrator to run TCP servers directly
kernel_tcp_recvfrom($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
corenet_use_tun_tap_device($1_t)
dev_getattr_generic_blk_file($1_t)
dev_getattr_generic_chr_file($1_t)
dev_getattr_all_blk_files($1_t)
dev_getattr_all_chr_files($1_t)
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
selinux_set_enforce_mode($1_t)
selinux_set_boolean($1_t)
selinux_set_parameters($1_t)
# Get security policy decisions:
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
selinux_compute_access_vector($1_t)
selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
term_use_console($1_t)
term_use_unallocated_tty($1_t)
term_use_all_user_ptys($1_t)
term_use_all_user_ttys($1_t)
auth_getattr_shadow($1_t)
# Manage almost all files
auth_manage_all_files_except_shadow($1_t)
# Relabel almost all files
auth_relabel_all_files_except_shadow($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
domain_getattr_all_domains($1_t)
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t)
domain_signull_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
files_exec_usr_src_files($1_t)
init_use_initctl($1_t)
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
seutil_read_config($1_t)
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
seutil_manage_src_pol($1_t)
# Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file.
seutil_manage_binary_pol($1_t)
optional_policy(`cron',`
cron_admin_template($1,$1_t,$1_r)
')
optional_policy(`lpd',`
lpr_admin_template($1,$1_t,$1_r)
')
optional_policy(`mta',`
mta_admin_template($1,$1_t,$1_r)
')
ifdef(`TODO',`
# for lsof
allow $1_t mtrr_device_t:file getattr;
allow $1_t eventpollfs_t:file getattr;
allow $1_t serial_device:chr_file setattr;
allow $1_t ptyfile:chr_file getattr;
# Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file.
ifdef(`xserver.te', `
# Create files in /tmp/.X11-unix with our X servers derived
# tmp type rather than user_xserver_tmp_t.
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
')
ifdef(`xdm.te', `
tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
')
can_pipe_xdm($1_t)
')
# Connect data port to ftpd.
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
# Connect second port to rshd.
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
# Allow MAKEDEV to work
allow $1_t device_t:dir rw_dir_perms;
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
allow $1_t device_t:lnk_file { create read };
#
# A user who is authorized for sysadm_t may nonetheless have
# a home directory labeled with user_home_t if the user is expected
# to login in either user_t or sysadm_t. Hence, the derived domains
# for programs need to be able to access user_home_t.
#
# Allow our gph domain to write to .xsession-errors.
ifdef(`gnome-pty-helper.te', `
allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
allow $1_gph_t user_home_type:file create_file_perms;
')
# Run programs from staff home directories.
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t)
tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
# cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
')
allow $1 removable_t:filesystem getattr;
') dnl endif TODO
')
########################################
## <summary>
## Make the specified type usable in a
## user home directory.
## </summary>
## <desc>
## <p>
## Make the specified type usable in a
## user home directory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="type">
## Type to be used as a file in the
## user home directory.
## </param>
#
template(`userdom_home_file',`
gen_require(`
attribute $1_file_type;
')
typeattribute $2 $1_file_type;
files_type($2)
')
########################################
## <summary>
## Set the attributes of a user pty.
## </summary>
## <desc>
## <p>
## Set the attributes of a user pty.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_setattr_user_pty',`
ifdef(`strict_policy',`
gen_require(`
type $1_devpts_t;
')
allow $2 $1_devpts_t:chr_file setattr;
')
')
########################################
## <summary>
## Create a user pty.
## </summary>
## <desc>
## <p>
## Create a user pty.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_create_user_pty',`
ifdef(`strict_policy',`
gen_require(`
type $1_devpts_t;
')
term_create_pty($2,$1_devpts_t)
')
')
########################################
## <summary>
## Search user home directories.
## </summary>
## <desc>
## <p>
## Search user home directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_search_user_home',`
gen_require(`
type $1_home_dir_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir { getattr search };
')
########################################
## <summary>
## List user home directories.
## </summary>
## <desc>
## <p>
## List user home directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_list_user_home',`
gen_require(`
type $1_home_dir_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir r_dir_perms;
')
########################################
## <summary>
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
## </summary>
## <desc>
## <p>
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="source_domain">
## Domain allowed access.
## </param>
## <param name="target_domain">
## Domain to transition to.
## </param>
#
template(`userdom_user_home_domtrans',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search_dir_perms;
domain_auto_trans($2,$1_home_t,$3)
')
########################################
## <summary>
## Do not audit attempts to list user home subdirectories.
## </summary>
## <desc>
## <p>
## Do not audit attempts to list user home subdirectories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit
## </param>
#
template(`userdom_dontaudit_list_user_home_dir',`
gen_require(`
type $1_home_dir_t;
')
dontaudit $2 $1_home_dir_t:dir r_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete directories
## in a user home subdirectory.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete directories
## in a user home subdirectory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_home_subdirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir rw_dir_perms;
allow $2 $1_home_t:dir manage_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
## <desc>
## <p>
## Do not audit attempts to set the
## attributes of user home files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_dontaudit_setattr_user_home_files',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
dontaudit $2 $1_home_t:file setattr;
')
########################################
## <summary>
## Read user home files.
## </summary>
## <desc>
## <p>
## Read user home files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_home_files',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
allow $2 $1_home_t:dir search_dir_perms;
allow $2 $1_home_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read user home files.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read user home files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit.
## </param>
#
template(`userdom_dontaudit_read_user_home_files',`
gen_require(`
type $1_home_t;
')
dontaudit $2 $1_home_t:dir r_dir_perms;
dontaudit $2 $1_home_t:file r_file_perms;
')
########################################
## <summary>
## Read user home subdirectory symbolic links.
## </summary>
## <desc>
## <p>
## Read user home subdirectory symbolic links.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_home_symlinks',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
allow $2 $1_home_t:dir search;
allow $2 $1_home_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Execute user home files.
## </summary>
## <desc>
## <p>
## Execute user home files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_exec_user_home_files',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
allow $2 $1_home_t:dir search;
can_exec($2,$1_home_t)
')
########################################
## <summary>
## Do not audit attempts to execute user home files.
## </summary>
## <desc>
## <p>
## Do not audit attempts to execute user home files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_dontaudit_exec_user_home_files',`
gen_require(`
type $1_home_t;
')
dontaudit $2 $1_home_t:file execute;
')
########################################
## <summary>
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete files
## in a user home subdirectory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_home_subdir_files',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete symbolic links
## in a user home subdirectory.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete symbolic links
## in a user home subdirectory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_home_subdir_symlinks',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:lnk_file create_lnk_perms;
')
########################################
## <summary>
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_home_subdir_pipes',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:fifo_file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete named sockets
## in a user home subdirectory.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete named sockets
## in a user home subdirectory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_home_subdir_sockets',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir search;
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:sock_file create_file_perms;
')
########################################
## <summary>
##
## </summary>
## <desc>
## <p>
## Create, read, write, and delete named sockets
## in a user home subdirectory.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="object_class" optional="true">
## The class of the object to be created. If not
## specified, file is used.
## </param>
## <param name="private_type" optional="true">
## The type of the object to create. If this is
## not specified, the regular home directory
## type is used.
## </param>
#
template(`userdom_create_user_home',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir rw_dir_perms;
ifelse(`$4',`',`
ifelse(`$3',`',`
type_transition $2 $1_home_dir_t:file $1_home_t;
',`
type_transition $2 $1_home_dir_t:$3 $1_home_t;
')
',`
ifelse(`$3',`',`
type_transition $2 $1_home_dir_t:file $4;
',`
type_transition $2 $1_home_dir_t:$3 $4;
')
')
')
########################################
## <summary>
## Create objects in a user home directory with
## a type transition to a specified type.
## </summary>
## <desc>
## <p>
## Create objects in a user home directory with
## a type transition to a specified type.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="private_type">
## The type of the object to create. If this is
## not specified, the regular home directory
## type is used.
## </param>
## <param name="object_class">
## The class of the object to be created. If not
## specified, file is used.
## </param>
#
template(`userdom_filetrans_user_home_dir',`
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
allow $2 $1_home_dir_t:dir rw_dir_perms;
type_transition $2 $1_home_dir_t:$4 $3;
')
########################################
## <summary>
## Write to user temporary named sockets.
## </summary>
## <desc>
## <p>
## Write to user temporary named sockets.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:sock_file write;
')
########################################
## <summary>
## List user temporary directories.
## </summary>
## <desc>
## <p>
## List user temporary directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_list_user_tmp',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir r_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list user
## temporary directories.
## </summary>
## <desc>
## <p>
## Do not audit attempts to list user
## temporary directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit.
## </param>
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
type $1_tmp_t;
')
dontaudit $2 $1_tmp_t:dir r_dir_perms;
')
########################################
## <summary>
## Read user temporary files.
## </summary>
## <desc>
## <p>
## Read user temporary files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_tmp_files',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir r_dir_perms;
allow $2 $1_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read users
## temporary files.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read users
## temporary files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit.
## </param>
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
type $1_tmp_t;
')
dontaudit $2 $1_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Read user
## temporary symbolic links.
## </summary>
## <desc>
## <p>
## Read user
## temporary symbolic links.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir r_dir_perms;
allow $2 $1_tmp_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete user
## temporary directories.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete user
## temporary directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir create_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete user
## temporary files.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete user
## temporary files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete user
## temporary symbolic links.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete user
## temporary symbolic links.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:lnk_file create_lnk_perms;
')
########################################
## <summary>
## Create, read, write, and delete user
## temporary named pipes.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete user
## temporary named pipes.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:fifo_file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete user
## temporary named sockets.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete user
## temporary named sockets.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:sock_file create_file_perms;
')
########################################
## <summary>
## Read user tmpfs files.
## </summary>
## <desc>
## <p>
## Read user tmpfs files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
')
fs_search_tmpfs($2)
allow $2 $1_tmpfs_t:dir list_dir_perms;
allow $2 $1_tmpfs_t:file rw_file_perms;
allow $2 $1_tmpfs_t:lnk_file { getattr read };
')
########################################
## <summary>
## List users untrusted directories.
## </summary>
## <desc>
## <p>
## List users untrusted directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_list_user_untrusted_content',`
gen_require(`
type $1_untrusted_content_t;
')
allow $2 $1_untrusted_content_t:dir r_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list user
## untrusted directories.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read user
## untrusted directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit.
## </param>
#
template(`userdom_dontaudit_list_user_untrusted_content',`
gen_require(`
type $1_untrusted_content_t;
')
dontaudit $2 $1_untrusted_content_t:dir r_dir_perms;
')
########################################
## <summary>
## Read user untrusted files.
## </summary>
## <desc>
## <p>
## Read user untrusted files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_untrusted_content_files',`
gen_require(`
type $1_untrusted_content_t;
')
allow $2 $1_untrusted_content_t:dir rw_dir_perms;
allow $2 $1_untrusted_content_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read users
## untrusted files.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read users
## untrusted files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit.
## </param>
#
template(`userdom_dontaudit_read_user_untrusted_content_files',`
gen_require(`
type $1_untrusted_content_t;
')
dontaudit $2 $1_untrusted_content_t:file r_file_perms;
')
########################################
## <summary>
## Read user untrusted symbolic links.
## </summary>
## <desc>
## <p>
## Read user untrusted symbolic links.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_untrusted_content_symlinks',`
gen_require(`
type $1_untrusted_content_t;
')
allow $2 $1_untrusted_content_t:dir rw_dir_perms;
allow $2 $1_untrusted_content_t:lnk_file r_file_perms;
')
########################################
## <summary>
## List users temporary untrusted directories.
## </summary>
## <desc>
## <p>
## List users temporary untrusted directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_list_user_tmp_untrusted_content',`
gen_require(`
type $1_untrusted_content_tmp_t;
')
allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list user
## temporary untrusted directories.
## </summary>
## <desc>
## <p>
## Do not audit attempts to list user
## temporary directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit.
## </param>
#
template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
gen_require(`
type $1_untrusted_content_tmp_t;
')
dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
')
########################################
## <summary>
## Read user temporary untrusted files.
## </summary>
## <desc>
## <p>
## Read user temporary untrusted files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_tmp_untrusted_content_files',`
gen_require(`
type $1_untrusted_content_tmp_t;
')
allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms;
allow $2 $1_untrusted_content_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read users
## temporary untrusted files.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read users
## temporary untrusted files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain to not audit.
## </param>
#
template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
gen_require(`
type $1_untrusted_content_tmp_t;
')
dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Read user temporary untrusted symbolic links.
## </summary>
## <desc>
## <p>
## Read user temporary untrusted symbolic links.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_read_user_tmp_untrusted_content_symlinks',`
gen_require(`
type $1_untrusted_content_tmp_t;
')
allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms;
allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Read all user untrusted content files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_all_untrusted_content',`
gen_require(`
attribute untrusted_content_type;
')
allow $1 untrusted_content_type:dir r_dir_perms;
allow $1 untrusted_content_type:{ file lnk_file } r_file_perms;
')
########################################
## <summary>
## Read all user temporary untrusted content files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_all_tmp_untrusted_content',`
gen_require(`
attribute untrusted_content_tmp_type;
')
allow $1 untrusted_content_tmp_type:dir r_dir_perms;
allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
')
########################################
## <summary>
## Set the attributes of a user domain tty.
## </summary>
## <desc>
## <p>
## Set the attributes of a user domain tty.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_setattr_user_tty',`
ifdef(`targeted_policy',`
term_setattr_unallocated_ttys($2)
',`
gen_require(`
type $1_tty_device_t;
')
allow $2 $1_tty_device_t:chr_file setattr;
')
')
########################################
## <summary>
## Read and write a user domain tty.
## </summary>
## <desc>
## <p>
## Read and write a user domain tty.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_use_user_tty',`
ifdef(`targeted_policy',`
term_use_unallocated_tty($2)
',`
gen_require(`
type $1_tty_device_t;
')
allow $2 $1_tty_device_t:chr_file rw_term_perms;
')
')
########################################
## <summary>
## Read and write a user domain tty and pty.
## </summary>
## <desc>
## <p>
## Read and write a user domain tty and pty.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_use_user_terminals',`
ifdef(`targeted_policy',`
term_use_unallocated_tty($2)
term_use_generic_pty($2)
',`
gen_require(`
type $1_tty_device_t, $1_devpts_t;
')
allow $2 $1_tty_device_t:chr_file rw_term_perms;
allow $2 $1_devpts_t:chr_file rw_term_perms;
term_list_ptys($2)
')
')
########################################
## <summary>
## Do not audit attempts to read and write
## a user domain tty and pty.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read and write
## a user domain tty and pty.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="domain">
## Domain allowed access.
## </param>
#
template(`userdom_dontaudit_use_user_terminals',`
gen_require(`
type $1_tty_device_t, $1_devpts_t;
')
dontaudit $2 $1_tty_device_t:chr_file rw_term_perms;
dontaudit $2 $1_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
gen_require(`
attribute userdomain;
')
corecmd_shell_spec_domtrans($1,userdomain)
allow $1 userdomain:fd use;
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
')
########################################
## <summary>
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
corecmd_shell_spec_domtrans($1,unpriv_userdomain)
allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_unpriv_user_semaphores',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:sem create_sem_perms;
')
########################################
## <summary>
## Manage unpriviledged user SysV shared
## memory segments.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_unpriv_user_shared_mem',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:shm create_shm_perms;
')
########################################
## <summary>
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_bin_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
corecmd_bin_spec_domtrans($1,unpriv_userdomain)
allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
########################################
## <summary>
## Execute generic sbin programs in all unprivileged user
## domains. This is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_sbin_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
########################################
## <summary>
## Execute all entrypoint files in unprivileged user
## domains. This is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_entry_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
domain_entry_spec_domtrans($1,unpriv_userdomain)
allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
########################################
## <summary>
## Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_shell_domtrans_sysadm',`
ifdef(`targeted_policy',`
#cjp: need to doublecheck this one
unconfined_shell_domtrans($1)
',`
gen_require(`
type sysadm_t;
')
corecmd_shell_domtrans($1,sysadm_t)
allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
')
########################################
## <summary>
## Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_bin_spec_domtrans_sysadm',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans($1,sysadm_t)
allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Execute a generic sbin program in the sysadm domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_sbin_spec_domtrans_sysadm',`
gen_require(`
type sysadm_t;
')
corecmd_sbin_spec_domtrans($1,sysadm_t)
allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Execute all entrypoint files in the sysadm domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_entry_spec_domtrans_sysadm',`
gen_require(`
type sysadm_t;
')
domain_entry_spec_domtrans($1,sysadm_t)
allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Search the staff users home directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_search_staff_home_dir',`
gen_require(`
type staff_home_dir_t;
')
files_search_home($1)
allow $1 staff_home_dir_t:dir search;
')
########################################
## <summary>
## Do not audit attempts to search the staff
## users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_staff_home_dir',`
gen_require(`
type staff_home_dir_t;
')
dontaudit $1 staff_home_dir_t:dir search;
')
########################################
## <summary>
## Read files in the staff users home directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_staff_home_files',`
gen_require(`
type staff_home_dir_t, staff_home_t;
')
files_search_home($1)
allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
allow $1 staff_home_t:{ file lnk_file } r_file_perms;
')
########################################
## <summary>
## Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_sigchld_sysadm',`
ifdef(`targeted_policy',`
unconfined_sigchld($1)
',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:process sigchld;
')
')
########################################
## <summary>
## Do not audit attepts to get the attributes
## of sysadm ttys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_dontaudit_getattr_sysadm_tty',`
ifdef(`targeted_policy',`
term_dontaudit_getattr_unallocated_ttys($1)
',`
gen_require(`
type sysadm_tty_device_t;
')
dontaudit $1 sysadm_tty_device_t:chr_file getattr;
')
')
########################################
## <summary>
## Read and write sysadm ttys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_use_sysadm_tty',`
ifdef(`targeted_policy',`
term_use_unallocated_tty($1)
',`
gen_require(`
type sysadm_tty_device_t;
')
dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
')
')
########################################
## <summary>
## Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_tty',`
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty($1)
',`
gen_require(`
type sysadm_tty_device_t;
')
dontaudit $1 sysadm_tty_device_t:chr_file { read write };
')
')
########################################
## <summary>
## Read and write sysadm ptys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_use_sysadm_pty',`
ifdef(`targeted_policy',`
term_use_generic_pty($1)
',`
gen_require(`
type sysadm_devpts_t;
')
dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
')
')
########################################
## <summary>
## Dont audit attempts to read and write sysadm ptys.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_pty',`
ifdef(`targeted_policy',`
term_dontaudit_use_generic_pty($1)
',`
gen_require(`
type sysadm_devpts_t;
')
dontaudit $1 sysadm_devpts_t:chr_file { read write };
')
')
########################################
## <summary>
## Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_use_sysadm_terms',`
userdom_use_sysadm_tty($1)
userdom_use_sysadm_pty($1)
')
########################################
## <summary>
## Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
ifdef(`targeted_policy',`
term_dontaudit_use_generic_pty($1)
',`
gen_require(`
attribute admin_terminal;
')
dontaudit $1 admin_terminal:chr_file { read write };
')
')
########################################
## <summary>
## Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_use_sysadm_fd',`
ifdef(`targeted_policy',`
#cjp: need to doublecheck this one
unconfined_use_fd($1)
',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fd use;
')
')
########################################
## <summary>
## Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_rw_sysadm_pipe',`
ifdef(`targeted_policy',`
#cjp: need to doublecheck this one
unconfined_rw_pipe($1)
',`
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fifo_file rw_file_perms;
')
')
########################################
## <summary>
## Get the attributes of the sysadm users
## home directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_getattr_sysadm_home_dir',`
gen_require(`
type sysadm_home_dir_t;
')
allow $1 sysadm_home_dir_t:dir getattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of the sysadm users
## home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_getattr_sysadm_home_dir',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir getattr;
', `
gen_require(`
type sysadm_home_dir_t;
')
dontaudit $1 sysadm_home_dir_t:dir getattr;
')
')
########################################
## <summary>
## Search the sysadm users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_search_sysadm_home_dir',`
gen_require(`
type sysadm_home_dir_t;
')
allow $1 sysadm_home_dir_t:dir search;
')
########################################
## <summary>
## Do not audit attempts to search the sysadm
## users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
',`
gen_require(`
type sysadm_home_dir_t;
')
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
')
')
########################################
## <summary>
## List the sysadm users home directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_list_sysadm_home_dir',`
gen_require(`
type sysadm_home_dir_t;
')
allow $1 sysadm_home_dir_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list the sysadm
## users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_list_sysadm_home_dir',`
gen_require(`
type sysadm_home_dir_t;
')
dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search the sysadm
## users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_read_sysadm_home_files',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t, user_home_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
dontaudit $1 user_home_t:file r_file_perms;
',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
dontaudit $1 sysadm_home_t:dir r_file_perms;
')
')
########################################
## <summary>
## Create objects in sysadm home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="object_class" optional="true">
## The class of the object to be created.
## If not specified, file is used.
## </param>
#
interface(`userdom_create_sysadm_home',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
allow $1 sysadm_home_dir_t:dir rw_dir_perms;
ifelse(`$2',`',`
ifelse(`$3',`',`
type_transition $1 sysadm_home_dir_t:file sysadm_home_t;
',`
type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t;
')
',`
ifelse(`$3',`',`
type_transition $1 sysadm_home_dir_t:file $2;
',`
type_transition $1 sysadm_home_dir_t:$3 $2;
')
')
')
########################################
## <summary>
## Search the sysadm users home sub directories.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_search_sysadm_home_subdirs',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
')
########################################
## <summary>
## Read files in the sysadm users home directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_sysadm_home_files',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
files_search_home($1)
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
')
########################################
## <summary>
## Search all users home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_search_all_users_home',`
gen_require(`
attribute home_dir_type, home_type;
')
files_list_home($1)
allow $1 { home_dir_type home_type }:dir search;
')
########################################
## <summary>
## Do not audit attempts to search all users home directories.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_all_users_home',`
gen_require(`
attribute home_dir_type, home_type;
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
')
########################################
## <summary>
## Read all files in all users home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_all_user_files',`
gen_require(`
attribute home_type;
')
files_list_home($1)
allow $1 home_type:dir r_dir_perms;
allow $1 home_type:file r_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_all_user_dirs',`
gen_require(`
attribute home_type;
')
files_list_home($1)
allow $1 home_type:dir create_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_all_user_files',`
gen_require(`
attribute home_type;
')
files_list_home($1)
allow $1 home_type:dir rw_dir_perms;
allow $1 home_type:file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_all_user_symlinks',`
gen_require(`
attribute home_type;
')
files_list_home($1)
allow $1 home_type:dir rw_dir_perms;
allow $1 home_type:lnk_file create_lnk_perms;
')
########################################
## <summary>
## Make the specified domain a privileged
## home directory manager.
## </summary>
## <desc>
## <p>
## Make the specified domain a privileged
## home directory manager. This domain will be
## able to manage the contents of all users
## general home directory content, and create
## files with the correct context.
## </p>
## </desc>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_priveleged_home_dir_manager',`
gen_require(`
attribute privhome;
')
files_list_home($1)
typeattribute $1 privhome;
')
########################################
## <summary>
## Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_signal_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:process signal;
')
########################################
## <summary>
## Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_use_unpriv_users_fd',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit the
## file descriptors from all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
gen_require(`
attribute unpriv_userdomain;
')
dontaudit $1 unpriv_userdomain:fd use;
')
########################################
## <summary>
## Create generic user home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_filetrans_generic_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
files_filetrans_home($1,user_home_dir_t)
')
########################################
## <summary>
## Search generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_search_generic_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir search_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_generic_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
## <summary>
## Create objects in generic user home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="object_class" optional="true">
## The class of the object to be created.
## If not specified, file is used.
## </param>
#
interface(`userdom_filetrans_generic_user_home',`
gen_require(`
type user_home_dir_t, user_home_t;
')
allow $1 user_home_dir_t:dir rw_dir_perms;
ifelse(`$2',`',`
type_transition $1 user_home_dir_t:file user_home_t;
',`
type_transition $1 user_home_dir_t:$2 user_home_t;
')
')
########################################
## <summary>
## Don't audit search on the user home subdirectory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_dontaudit_search_user_home_dirs',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:dir search;
')
########################################
## <summary>
## Create, read, write, and delete
## subdirectories of generic user
## home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_generic_user_home_dirs',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir create_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete files
## in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_generic_user_home_files',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete symbolic
## links in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_generic_user_home_symlinks',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:lnk_file create_lnk_perms;
')
########################################
## <summary>
## Create, read, write, and delete named
## pipes in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_generic_user_home_pipes',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:fifo_file create_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete named
## sockets in generic user home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_manage_generic_user_home_sockets',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:sock_file create_file_perms;
')
########################################
## <summary>
## Search all unprivileged users home directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_search_unpriv_user_home_dirs',`
gen_require(`
attribute user_home_dir_type;
')
files_search_home($1)
allow $1 user_home_dir_type:dir search_dir_perms;
')
########################################
## <summary>
## Read all unprivileged users home directory
## files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_unpriv_user_home_files',`
gen_require(`
attribute user_home_dir_type, user_home_type;
')
allow $1 user_home_dir_type:dir search_dir_perms;
allow $1 user_home_type:dir r_dir_perms;
allow $1 user_home_type:lnk_file { getattr read };
allow $1 user_home_type:file r_file_perms;
')
########################################
## <summary>
## Set the attributes of user ptys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_setattr_unpriv_user_pty',`
gen_require(`
attribute user_ptynode;
')
allow $1 user_ptynode:chr_file setattr;
')
########################################
## <summary>
## Read and write unprivileged user ptys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_use_unpriv_user_pty',`
ifdef(`targeted_policy',`
term_use_generic_pty($1)
',`
gen_require(`
attribute user_ptynode;
')
term_search_ptys($1)
allow $1 user_ptynode:chr_file rw_file_perms;
')
')
########################################
## <summary>
## Do not audit attempts to use unprivileged
## user ptys.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_pty',`
ifdef(`targeted_policy',`
term_dontaudit_use_generic_pty($1)
',`
gen_require(`
attribute user_ptynode;
')
dontaudit $1 user_ptynode:chr_file rw_file_perms;
')
')
########################################
## <summary>
## Relabel files to unprivileged user pty types.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_relabelto_unpriv_user_pty',`
gen_require(`
attribute user_ptynode;
')
allow $1 user_ptynode:chr_file relabelto;
')
########################################
## <summary>
## Do not audit attempts to relabel files from
## unprivileged user pty types.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_dontaudit_relabelfrom_unpriv_user_pty',`
gen_require(`
attribute user_ptynode;
')
dontaudit $1 user_ptynode:chr_file relabelfrom;
')
########################################
## <summary>
## Read all unprivileged users temporary directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_list_unpriv_user_tmp',`
ifdef(`targeted_policy',`
files_list_tmp($1)
',`
gen_require(`
attribute user_tmpfile;
')
allow $1 user_tmpfile:dir list_dir_perms;
')
')
########################################
## <summary>
## Read all unprivileged users temporary files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_unpriv_user_tmp_files',`
ifdef(`targeted_policy',`
files_read_generic_tmp_files($1)
',`
gen_require(`
attribute user_tmpfile;
')
allow $1 user_tmpfile:file { read getattr };
')
')
########################################
## <summary>
## Read all unprivileged users temporary symbolic links.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_unpriv_user_tmp_symlinks',`
ifdef(`targeted_policy',`
files_read_generic_tmp_symlinks($1)
',`
gen_require(`
attribute user_tmpfile;
')
allow $1 user_tmpfile:lnk_file { getattr read };
')
')
########################################
## <summary>
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
gen_require(`
attribute user_tmpfile;
')
allow $1 user_tmpfile:file { getattr write append };
')
########################################
## <summary>
## Do not audit attempts to use unprivileged
## user ttys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty($1)
',`
gen_require(`
attribute user_ttynode;
')
dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
')
########################################
## <summary>
## Read the process state of all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_read_all_userdomains_state',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:dir search_dir_perms;
allow $1 userdomain:file r_file_perms;
kernel_search_proc($1)
')
########################################
## <summary>
## Get the attributes of all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_getattr_all_userdomains',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process getattr;
')
########################################
## <summary>
## Inherit the file descriptors from all user domains
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_use_all_user_fd',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit the file
## descriptors from any user domains.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_all_user_fd',`
gen_require(`
attribute userdomain;
')
dontaudit $1 userdomain:fd use;
')
########################################
## <summary>
## Send general signals to all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_signal_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process signal;
')
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_sigchld_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process sigchld;
')
########################################
## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_dbus_send_all_users',`
gen_require(`
attribute userdomain;
class dbus send_msg;
')
allow $1 userdomain:dbus send_msg;
')
########################################
## <summary>
## Unconfined access to user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_unconfined',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir create_dir_perms;
files_filetrans_home($1,user_home_dir_t)
')