# Module header: the userdomain module provides the shared types, attributes
# and tunables for all login user domains (staff, sysadm, secadm, auditadm,
# unconfined, ...). The per-role names below survive only as aliases of a
# single shared type.
policy_module(userdomain, 4.5.2)

########################################
#
# Declarations
#

# Every tunable in this section defaults to false (gen_tunable(..., false)),
# so each of these extra permissions is opt-in at policy load time.

## <desc>
## <p>
## Allow users to connect to the local mysql server
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect, false)

## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(allow_user_postgresql_connect, false)

## <desc>
## <p>
## Allow regular users direct access to the mouse device node
## </p>
## </desc>
gen_tunable(user_direct_mouse, false)

## <desc>
## <p>
## Allow users to read system messages (dmesg).
## </p>
## </desc>
gen_tunable(user_dmesg, false)

## <desc>
## <p>
## Allow users to read and write files on filesystems
## that do not support extended attributes (FAT, CDROM, floppy).
## Such filesystems carry a single label, so this applies to
## all of their content.
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile, false)

## <desc>
## <p>
## Allow user music sharing
## </p>
## </desc>
gen_tunable(user_share_music, false)

## <desc>
## <p>
## Allow user processes to change their own resource limits (setrlimit)
## </p>
## </desc>
gen_tunable(user_setrlimit, false)

## <desc>
## <p>
## Allow w to display all logged-in users
## </p>
## </desc>
gen_tunable(user_ttyfile_stat, false)

# administrative user domains (membership is assigned elsewhere)
attribute admindomain;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

# Legacy attributes for content of untrusted origin; the former
# *_untrusted_content_t / *_untrusted_content_tmp_t types are now aliases of
# user_home_t and user_tmp_t (see the typealias lines below).
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;

# user home, tmp and tmpfs content types
attribute user_home_type;
attribute user_tmp_type;
attribute user_tmpfs_type;

# Home directory of administrative users. It is a mountpoint and
# polyinstantiation member/parent like user_home_dir_t, but it is NOT
# ubac_constrained and has no per-role aliases.
type admin_home_t;
files_type(admin_home_t)
files_associate_tmp(admin_home_t)
fs_associate_tmpfs(admin_home_t)
files_mountpoint(admin_home_t)
files_poly_member(admin_home_t)
files_poly_parent(admin_home_t)

# Top-level home directory of regular users. One shared type for every
# login role; the staff_/sysadm_/secadm_/auditadm_/unconfined_ names are
# kept only as aliases for compatibility with older policy and file contexts.
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
files_mountpoint(user_home_dir_t)
files_associate_tmp(user_home_dir_t)
files_poly(user_home_dir_t)
files_poly_member(user_home_dir_t)
files_poly_parent(user_home_dir_t)
# subject to user-based access control constraints
ubac_constrained(user_home_dir_t)

# Generic content inside a user's home directory. The old per-role
# untrusted_content_t types map onto this same type, so "untrusted" content
# is no longer distinguished from ordinary home content by label.
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
typeattribute user_home_t user_home_type;
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
files_poly_member(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
ubac_constrained(user_home_t)

# Pseudo-terminal slave devices allocated to user sessions.
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)

# Temporary files created by user domains. Besides the per-role names, the
# winbind_tmp_t and sshd_tmp_t names are aliases of this type as well.
type user_tmp_t, user_tmp_type;
typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
files_poly_parent(user_tmp_t)

# tmpfs-backed (e.g. shared memory) content of user domains
type user_tmpfs_t, user_tmpfs_type;
typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
userdom_user_home_content(user_tmpfs_t)

# Physical/virtual terminal device of a user session.
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)

# Application-specific home content types. All are declared as home content
# and ubac_constrained; home_cert_t is additionally a certificate type.
type audio_home_t;
userdom_user_home_content(audio_home_t)
ubac_constrained(audio_home_t)

type home_bin_t;
userdom_user_home_content(home_bin_t)
ubac_constrained(home_bin_t)

type home_cert_t;
miscfiles_cert_type(home_cert_t)
userdom_user_home_content(home_cert_t)
ubac_constrained(home_cert_t)

# allow_console_login is not declared in this section; it must come from
# another module, otherwise the policy build fails.
tunable_policy(`allow_console_login',`
	term_use_console(userdomain)
')

# Any user domain may probe the existence of any other user domain's
# processes (signull only; no other signals are granted here).
allow userdomain userdomain:process signull;

# Nautilus causes this avc
dontaudit unpriv_userdomain self:dir setattr;
# unprivileged user domains manage their own kernel keyrings
allow unpriv_userdomain self:key manage_key_perms;

optional_policy(`
	alsa_read_rw_config(unpriv_userdomain)
	alsa_manage_home_files(unpriv_userdomain)
	alsa_relabel_home_files(unpriv_userdomain)
')

# File name transitions for application-specific content created by user
# domains in the home directory; each block is only compiled when the named
# module is present.
optional_policy(`
	gnome_filetrans_home_content(userdomain)
')

optional_policy(`
	ssh_filetrans_home_content(userdomain)
')

optional_policy(`
	telepathy_filetrans_home_content(userdomain)
')

optional_policy(`
	xserver_filetrans_home_content(userdomain)
')