]>
Commit | Line | Data |
---|---|---|
b598c442 | 1 | policy_module(userdomain, 4.5.2) |
b16c6b8c CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
56e1b3d2 CP |
8 | ## <desc> |
9 | ## <p> | |
0cdf72b9 | 10 | ## Allow users to connect to the local mysql server |
56e1b3d2 CP |
11 | ## </p> |
12 | ## </desc> | |
3f67f722 | 13 | gen_tunable(allow_user_mysql_connect, false) |
56e1b3d2 | 14 | |
cb10a2d5 CP |
15 | ## <desc> |
16 | ## <p> | |
17 | ## Allow users to connect to PostgreSQL | |
18 | ## </p> | |
19 | ## </desc> | |
3f67f722 | 20 | gen_tunable(allow_user_postgresql_connect, false) |
cb10a2d5 | 21 | |
56e1b3d2 CP |
22 | ## <desc> |
23 | ## <p> | |
24 | ## Allow regular users direct mouse access | |
25 | ## </p> | |
26 | ## </desc> | |
3f67f722 | 27 | gen_tunable(user_direct_mouse, false) |
56e1b3d2 CP |
28 | |
29 | ## <desc> | |
30 | ## <p> | |
31 | ## Allow users to read system messages. | |
32 | ## </p> | |
33 | ## </desc> | |
3f67f722 | 34 | gen_tunable(user_dmesg, false) |
56e1b3d2 CP |
35 | |
36 | ## <desc> | |
37 | ## <p> | |
38 | ## Allow user to r/w files on filesystems | |
39 | ## that do not have extended attributes (FAT, CDROM, FLOPPY) | |
40 | ## </p> | |
41 | ## </desc> | |
3f67f722 | 42 | gen_tunable(user_rw_noexattrfile, false) |
56e1b3d2 | 43 | |
40068f3d DW |
44 | ## <desc> |
45 | ## <p> | |
46 | ## Allow user music sharing | |
47 | ## </p> | |
48 | ## </desc> | |
49 | gen_tunable(user_share_music, false) | |
50 | ||
3eaa9939 DW |
51 | ## <desc> |
52 | ## <p> | |
53 | ## Allow user processes to change their priority | |
54 | ## </p> | |
55 | ## </desc> | |
56 | gen_tunable(user_setrlimit, false) | |
57 | ||
56e1b3d2 CP |
58 | ## <desc> |
59 | ## <p> | |
60 | ## Allow w to display everyone | |
61 | ## </p> | |
62 | ## </desc> | |
3f67f722 | 63 | gen_tunable(user_ttyfile_stat, false) |
56e1b3d2 | 64 | |
0be901ba | 65 | attribute admindomain; |
bd75703c | 66 | |
b16c6b8c CP |
67 | # all user domains |
68 | attribute userdomain; | |
69 | ||
70 | # unprivileged user domains | |
71 | attribute unpriv_userdomain; | |
72 | ||
8dca6b97 CP |
73 | attribute untrusted_content_type; |
74 | attribute untrusted_content_tmp_type; | |
296273a7 | 75 | |
3eaa9939 DW |
76 | # unprivileged user domains |
77 | attribute user_home_type; | |
ca9e8850 DW |
78 | attribute user_tmp_type; |
79 | attribute user_tmpfs_type; | |
3eaa9939 DW |
80 | |
81 | type admin_home_t; | |
82 | files_type(admin_home_t) | |
83 | files_associate_tmp(admin_home_t) | |
84 | fs_associate_tmpfs(admin_home_t) | |
85 | files_mountpoint(admin_home_t) | |
793be6b5 MG |
86 | files_poly_member(admin_home_t) |
87 | files_poly_parent(admin_home_t) | |
3eaa9939 | 88 | |
296273a7 CP |
89 | type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; |
90 | fs_associate_tmpfs(user_home_dir_t) | |
91 | files_type(user_home_dir_t) | |
92 | files_mountpoint(user_home_dir_t) | |
93 | files_associate_tmp(user_home_dir_t) | |
94 | files_poly(user_home_dir_t) | |
95 | files_poly_member(user_home_dir_t) | |
96 | files_poly_parent(user_home_dir_t) | |
97 | ubac_constrained(user_home_dir_t) | |
98 | ||
99 | type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; | |
100 | typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; | |
3eaa9939 | 101 | typeattribute user_home_t user_home_type; |
296273a7 CP |
102 | userdom_user_home_content(user_home_t) |
103 | fs_associate_tmpfs(user_home_t) | |
104 | files_associate_tmp(user_home_t) | |
3eaa9939 | 105 | files_poly_member(user_home_t) |
296273a7 CP |
106 | files_poly_parent(user_home_t) |
107 | files_mountpoint(user_home_t) | |
3eaa9939 | 108 | ubac_constrained(user_home_t) |
296273a7 CP |
109 | |
110 | type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; | |
111 | dev_node(user_devpts_t) | |
112 | files_type(user_devpts_t) | |
113 | ubac_constrained(user_devpts_t) | |
114 | ||
ca9e8850 DW |
115 | type user_tmp_t, user_tmp_type; |
116 | typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; | |
296273a7 CP |
117 | typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; |
118 | files_tmp_file(user_tmp_t) | |
119 | userdom_user_home_content(user_tmp_t) | |
8ba1f41a | 120 | files_poly_parent(user_tmp_t) |
296273a7 | 121 | |
ca9e8850 DW |
122 | type user_tmpfs_t, user_tmpfs_type; |
123 | typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; | |
296273a7 CP |
124 | files_tmpfs_file(user_tmpfs_t) |
125 | userdom_user_home_content(user_tmpfs_t) | |
126 | ||
127 | type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; | |
128 | dev_node(user_tty_device_t) | |
129 | ubac_constrained(user_tty_device_t) | |
3eaa9939 DW |
130 | |
131 | type audio_home_t; | |
132 | userdom_user_home_content(audio_home_t) | |
133 | ubac_constrained(audio_home_t) | |
134 | ||
135 | type home_bin_t; | |
136 | userdom_user_home_content(home_bin_t) | |
137 | ubac_constrained(home_bin_t) | |
138 | ||
139 | type home_cert_t; | |
140 | miscfiles_cert_type(home_cert_t) | |
141 | userdom_user_home_content(home_cert_t) | |
142 | ubac_constrained(home_cert_t) | |
143 | ||
144 | tunable_policy(`allow_console_login',` | |
145 | term_use_console(userdomain) | |
146 | ') | |
147 | ||
148 | allow userdomain userdomain:process signull; | |
149 | ||
150 | # Nautilus causes this avc | |
151 | dontaudit unpriv_userdomain self:dir setattr; | |
de55768d | 152 | allow unpriv_userdomain self:key manage_key_perms; |
72eaebd0 | 153 | |
450041a1 DW |
154 | optional_policy(` |
155 | alsa_read_rw_config(unpriv_userdomain) | |
156 | alsa_manage_home_files(unpriv_userdomain) | |
157 | alsa_relabel_home_files(unpriv_userdomain) | |
450041a1 DW |
158 | ') |
159 | ||
72eaebd0 | 160 | optional_policy(` |
a11cc065 | 161 | gnome_filetrans_home_content(userdomain) |
15b2e336 DW |
162 | ') |
163 | ||
164 | optional_policy(` | |
a11cc065 | 165 | ssh_filetrans_home_content(userdomain) |
72eaebd0 DW |
166 | ') |
167 | ||
2ea29241 DW |
168 | optional_policy(` |
169 | telepathy_filetrans_home_content(userdomain) | |
170 | ') | |
171 | ||
a11cc065 DW |
172 | optional_policy(` |
173 | xserver_filetrans_home_content(userdomain) | |
174 | ') |