]>
Commit | Line | Data |
---|---|---|
e29f6bf0 | 1 | policy_module(userdomain, 4.4.4) |
b16c6b8c CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
56e1b3d2 CP |
8 | ## <desc> |
9 | ## <p> | |
b42ceb94 | 10 | ## Allow users to connect to mysql server |
56e1b3d2 CP |
11 | ## </p> |
12 | ## </desc> | |
3f67f722 | 13 | gen_tunable(allow_user_mysql_connect, false) |
56e1b3d2 | 14 | |
cb10a2d5 CP |
15 | ## <desc> |
16 | ## <p> | |
17 | ## Allow users to connect to PostgreSQL | |
18 | ## </p> | |
19 | ## </desc> | |
3f67f722 | 20 | gen_tunable(allow_user_postgresql_connect, false) |
cb10a2d5 | 21 | |
56e1b3d2 CP |
22 | ## <desc> |
23 | ## <p> | |
24 | ## Allow regular users direct mouse access | |
25 | ## </p> | |
26 | ## </desc> | |
3f67f722 | 27 | gen_tunable(user_direct_mouse, false) |
56e1b3d2 CP |
28 | |
29 | ## <desc> | |
30 | ## <p> | |
31 | ## Allow users to read system messages. | |
32 | ## </p> | |
33 | ## </desc> | |
3f67f722 | 34 | gen_tunable(user_dmesg, false) |
56e1b3d2 CP |
35 | |
36 | ## <desc> | |
37 | ## <p> | |
38 | ## Allow user to r/w files on filesystems | |
39 | ## that do not have extended attributes (FAT, CDROM, FLOPPY) | |
40 | ## </p> | |
41 | ## </desc> | |
3f67f722 | 42 | gen_tunable(user_rw_noexattrfile, false) |
56e1b3d2 | 43 | |
3eaa9939 DW |
44 | ## <desc> |
45 | ## <p> | |
46 | ## Allow user processes to change their priority | |
47 | ## </p> | |
48 | ## </desc> | |
49 | gen_tunable(user_setrlimit, false) | |
50 | ||
56e1b3d2 CP |
51 | ## <desc> |
52 | ## <p> | |
53 | ## Allow w to display everyone | |
54 | ## </p> | |
55 | ## </desc> | |
3f67f722 | 56 | gen_tunable(user_ttyfile_stat, false) |
56e1b3d2 | 57 | |
0be901ba | 58 | attribute admindomain; |
bd75703c | 59 | |
b16c6b8c CP |
60 | # all user domains |
61 | attribute userdomain; | |
62 | ||
63 | # unprivileged user domains | |
64 | attribute unpriv_userdomain; | |
65 | ||
8dca6b97 CP |
66 | attribute untrusted_content_type; |
67 | attribute untrusted_content_tmp_type; | |
296273a7 | 68 | |
3eaa9939 DW |
69 | # unprivileged user domains |
70 | attribute user_home_type; | |
71 | ||
72 | type admin_home_t; | |
73 | files_type(admin_home_t) | |
74 | files_associate_tmp(admin_home_t) | |
75 | fs_associate_tmpfs(admin_home_t) | |
76 | files_mountpoint(admin_home_t) | |
77 | ||
296273a7 CP |
78 | type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; |
79 | fs_associate_tmpfs(user_home_dir_t) | |
80 | files_type(user_home_dir_t) | |
81 | files_mountpoint(user_home_dir_t) | |
82 | files_associate_tmp(user_home_dir_t) | |
83 | files_poly(user_home_dir_t) | |
84 | files_poly_member(user_home_dir_t) | |
85 | files_poly_parent(user_home_dir_t) | |
86 | ubac_constrained(user_home_dir_t) | |
87 | ||
88 | type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; | |
89 | typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; | |
3eaa9939 | 90 | typeattribute user_home_t user_home_type; |
296273a7 CP |
91 | userdom_user_home_content(user_home_t) |
92 | fs_associate_tmpfs(user_home_t) | |
93 | files_associate_tmp(user_home_t) | |
3eaa9939 | 94 | files_poly_member(user_home_t) |
296273a7 CP |
95 | files_poly_parent(user_home_t) |
96 | files_mountpoint(user_home_t) | |
3eaa9939 | 97 | ubac_constrained(user_home_t) |
296273a7 CP |
98 | |
99 | type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; | |
100 | dev_node(user_devpts_t) | |
101 | files_type(user_devpts_t) | |
102 | ubac_constrained(user_devpts_t) | |
103 | ||
3eaa9939 | 104 | type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; |
296273a7 CP |
105 | typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; |
106 | files_tmp_file(user_tmp_t) | |
107 | userdom_user_home_content(user_tmp_t) | |
108 | ||
109 | type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; | |
110 | files_tmpfs_file(user_tmpfs_t) | |
111 | userdom_user_home_content(user_tmpfs_t) | |
112 | ||
113 | type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; | |
114 | dev_node(user_tty_device_t) | |
115 | ubac_constrained(user_tty_device_t) | |
3eaa9939 DW |
116 | |
117 | type audio_home_t; | |
118 | userdom_user_home_content(audio_home_t) | |
119 | ubac_constrained(audio_home_t) | |
120 | ||
121 | type home_bin_t; | |
122 | userdom_user_home_content(home_bin_t) | |
123 | ubac_constrained(home_bin_t) | |
124 | ||
125 | type home_cert_t; | |
126 | miscfiles_cert_type(home_cert_t) | |
127 | userdom_user_home_content(home_cert_t) | |
128 | ubac_constrained(home_cert_t) | |
129 | ||
130 | tunable_policy(`allow_console_login',` | |
131 | term_use_console(userdomain) | |
132 | ') | |
133 | ||
134 | allow userdomain userdomain:process signull; | |
135 | ||
136 | # Nautilus causes this avc | |
137 | dontaudit unpriv_userdomain self:dir setattr; |