* Rename ipsec connect interface for consistency.
490639cd 1## <summary>Policy for user domains</summary>
b16c6b8c 2
3#######################################
4## <summary>
5## The template containing rules common to unprivileged
6## users and administrative users.
7## </summary>
8## <desc>
9## <p>
10## This template creates a user domain, types, and
11## rules for the user's tty, pty, home directories,
12## tmp, and tmpfs files.
13## </p>
14## <p>
15## This generally should not be used, rather the
16## unpriv_user_template or admin_user_template should
17## be used.
18## </p>
19## </desc>
20## <param name="userdomain_prefix">
21## The prefix of the user domain (e.g., user
22## is the prefix for user_t).
23## </param>
b16c6b8c 24#
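template(`base_user_template',`
	# Declarations shared by every user domain built from this template.
	# $1 is the domain prefix; the template declares $1_t, $1_r,
	# $1_devpts_t, $1_home_t, $1_home_dir_t, $1_tmp_t, $1_tmpfs_t and
	# $1_tty_device_t, plus the $1_file_type attribute that groups the
	# file types owned by this user.
	attribute $1_file_type;

	type $1_t, userdomain;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	# user pseudoterminal
	type $1_devpts_t;
	term_user_pty($1_t,$1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_type($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	# The original called files_type($1_home_t) a second time here, a
	# copy-paste of the rule above; the home directory type itself must
	# be registered.
	files_type($1_home_dir_t)

	type $1_tmp_t, $1_file_type;
	files_tmp_file($1_tmp_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_tty_device_t;
	term_tty($1_t,$1_tty_device_t)

	##############################
	#
	# Local policy
	#

	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	# Everything on self:process except the listed permissions, then
	# ptrace and setfscreate are added back explicitly: processes in the
	# same $1_t domain may ptrace one another.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	# Irrelevant until we have labeled networking.
	#allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory
	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };

	# full control of the home directory
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir create_dir_perms;
	# New objects created directly in the home directory get $1_home_t.
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	# Files in the user's tmp type may be executed in-domain as well.
	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };

	# Bind to a Unix domain socket in /tmp.
	# cjp: this combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	# user domains.
	per_userdomain_templates($1)

	kernel_read_kernel_sysctl($1_t)
	selinux_get_fs_mount($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)

	dev_rw_power_management($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)

	# Network access is granted on all interfaces, nodes and ports,
	# including binding on all nodes; it is not narrowed per user.
	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	# allow port_t name binding for UDP because it is not very usable otherwise
	corenet_udp_bind_generic_port($1_t)

	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_search_auto_mountpoints($1_t)
	fs_exec_noxattr($1_t)

	# for eject
	storage_getattr_fixed_disk($1_t)

	auth_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)
	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecmd_exec_bin($1_t)
	corecmd_exec_sbin($1_t)
	corecmd_exec_ls($1_t)

	domain_exec_all_entry_files($1_t)
	domain_use_wide_inherit_fd($1_t)
	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_t)
	domain_dontaudit_getsession_all_domains($1_t)

	files_exec_etc_files($1_t)
	files_read_usr_src_files($1_t)
	files_search_locks($1_t)

	# Caused by su - init scripts
	init_dontaudit_use_script_pty($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_exec_ld_so($1_t)
	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_rw_man_cache($1_t)
	# for running TeX programs
	miscfiles_read_tetex_data($1_t)
	miscfiles_exec_tetex_data($1_t)

	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	mta_rw_spool($1_t)

	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`read_default_t',`
		files_list_default($1_t)
		files_read_default_files($1_t)
		files_read_default_symlinks($1_t)
		files_read_default_sockets($1_t)
		files_read_default_pipes($1_t)
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)
	')

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_t)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)
	')

	optional_policy(`inetd.te',`
		inetd_tcp_connect($1_t)
	')

	optional_policy(`nis.te',`
		nis_use_ypbind($1_t)
	')

	optional_policy(`nscd.te',`
		nscd_use_socket($1_t)
	')

	optional_policy(`pcmcia.te',`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_t)
	')

	optional_policy(`rpm.te',`
		files_getattr_var_lib_dir($1_t)
		files_search_var_lib($1_t)
	')

	optional_policy(`usermanage.te',`
		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
	')

	# Everything from here to "dnl endif TODO" is only expanded when the
	# m4 symbol TODO is defined; these look like legacy rules that still
	# reference raw types instead of interfaces.
	ifdef(`TODO',`

	#
	# Cups daemon running as user tries to write /etc/printcap
	#
	dontaudit $1_t usr_t:file setattr;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	#
	# Added to allow reading of cdrom
	#
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	#
	# Running ifconfig as a user generates the following
	#
	dontaudit $1_t sysctl_net_t:dir search;

	dontaudit $1_t default_context_t:dir search;

	r_dir_file($1_t, usercanread)

	tunable_policy(`allow_execmod',`
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1_t texrel_shlib_t:file execmod;
	')

	allow $1_t fs_type:dir getattr;

	# old "file_browse_domain":
	# Regular files/directories that are not security sensitive
	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
	dontaudit $1_t file_type - secure_file_type:dir { read search };
	# /dev
	dontaudit $1_t dev_fs:dir_file_class_set getattr;
	dontaudit $1_t dev_fs:dir { read search };
	# /proc
	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
	dontaudit $1_t proc_fs:dir { read search };

	tunable_policy(`user_rw_noexattrfile',`
		create_dir_file($1_t, noexattrfile)
		# Write floppies
		storage_raw_read_removable_device($1_t)
		storage_raw_write_removable_device($1_t)
		# cjp: what does this have to do with removable devices?
		allow $1_t usbtty_device_t:chr_file write;
	',`
		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;
	')

	allow $1_t usbtty_device_t:chr_file read;

	can_resmgrd_connect($1_t)

	# Grant permissions to access the system DBus
	ifdef(`dbusd.te', `
	dbusd_client(system, $1)
	can_network_server_tcp($1_dbusd_t)
	allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;

	allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
	dbusd_client($1, $1)
	allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
	dbusd_domain($1)
	ifdef(`hald.te', `
	allow $1_t hald_t:dbus send_msg;
	allow hald_t $1_t:dbus send_msg;
	')
	')

	# Gnome pannel binds to the following
	ifdef(`cups.te', `
	allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
	')

	ifdef(`inetd.te', `
	# Connect to inetd.
	can_tcp_connect($1_t, inetd_t)
	can_udp_send($1_t, inetd_t)
	can_udp_send(inetd_t, $1_t)
	# Inherit and use sockets from inetd
	allow $1_t inetd_t:fd use;
	allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
	')

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	ifdef(`xserver.te', `
	# for /tmp/.ICE-unix
	file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
	allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
	')

	ifdef(`xdm.te', `
	# Connect to the X server run by the X Display Manager.
	can_unix_connect($1_t, xdm_t)
	allow $1_t xdm_tmp_t:sock_file rw_file_perms;
	allow $1_t xdm_tmp_t:dir r_dir_perms;
	allow $1_t xdm_tmp_t:file r_file_perms;
	allow $1_t xdm_xserver_tmp_t:sock_file { read write };
	allow $1_t xdm_xserver_tmp_t:dir search;
	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
	# certain apps want to read xdm.pid file
	r_dir_file($1_t, xdm_var_run_t)
	allow $1_t xdm_var_lib_t:file r_file_perms;
	allow xdm_t $1_home_dir_t:dir getattr;
	ifdef(`xauth.te', `
	file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
	')

	# for shared memory
	allow xdm_xserver_t $1_tmpfs_t:file { read write };

	')

	ifdef(`rpcd.te', `
	create_dir_file($1_t, nfsd_rw_t)
	')

	#
	# Allow graphical boot to check battery lifespan
	#
	ifdef(`apmd.te', `
	allow $1_t apmd_t:unix_stream_socket connectto;
	allow $1_t apmd_var_run_t:sock_file write;
	')

	ifdef(`pamconsole.te', `
	allow $1_t pam_var_console_t:dir search;
	')

	') dnl endif TODO

')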
b16c6b8c 415
416#######################################
417## <summary>
## The template for creating an unprivileged user.
419## </summary>
420## <desc>
421## <p>
422## This template creates a user domain, types, and
423## rules for the user's tty, pty, home directories,
424## tmp, and tmpfs files.
425## </p>
426## </desc>
427## <param name="userdomain_prefix">
428## The prefix of the user domain (e.g., user
429## is the prefix for user_t).
430## </param>
b16c6b8c 431#
template(`unpriv_user_template', `
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_template($1)

	# Mark the domain as unprivileged; base_user_template already lets
	# $1_t use fds from unpriv_userdomain.
	typeattribute $1_t unpriv_userdomain; #, web_client_domain
	domain_wide_inherit_fd($1_t)

	#typeattribute $1_devpts_t userpty_type, user_tty_type;
	#typeattribute $1_home_dir_t user_home_dir_type;
	#typeattribute $1_home_t user_home_type;

	typeattribute $1_tmp_t user_tmpfile;

	typeattribute $1_tty_device_t user_ttynode;

	##############################
	#
	# Local policy
	#

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# privileged home directory writers
	# Domains with the privhome attribute get full create access to this
	# user's home contents; new objects they create there get $1_home_t.
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	dev_read_sysfs($1_t)

	# cjp: why?
	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_etc_files($1_t)
	files_list_home($1_t)
	files_read_usr_files($1_t)
	files_exec_usr_files($1_t)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_t)
	files_read_world_readable_files($1_t)
	files_read_world_readable_symlinks($1_t)
	files_read_world_readable_pipes($1_t)
	files_read_world_readable_sockets($1_t)

	init_read_script_pid($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_write_script_pid($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fd($1_t)
	init_dontaudit_use_script_fd($1_t)

	miscfiles_read_man_pages($1_t)

	seutil_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	seutil_exec_checkpol($1_t)

	# Kernel ring buffer access is opt-in via the user_dmesg tunable;
	# when it is off the denials are silenced rather than logged.
	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)
	',`
		kernel_dontaudit_read_ring_buffer($1_t)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_port($1_t)
	')

	optional_policy(`kerberos.te',`
		kerberos_use($1_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_module_conf($1_t)
	')

	optional_policy(`selinuxutil.te',`
		# for when the network connection is killed
		seutil_dontaudit_signal_newrole($1_t)
	')

	# Need the following rule to allow users to run vpnc
	# NOTE(review): the corenetwork_ prefix does not match the corenet_
	# interfaces used everywhere else in this file; confirm this interface
	# actually exists, since the call is only expanded when xserver.te is
	# present.
	optional_policy(`xserver.te', `
		corenetwork_bind_tcp_on_xserver_port($1_t)
	')

	# Everything from here to "dnl end TODO" is only expanded when the
	# m4 symbol TODO is defined.
	ifdef(`TODO',`

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	ifdef(`xdm.te', `
	allow xdm_t $1_home_t:lnk_file read;
	allow xdm_t $1_home_t:dir search;
	#
	# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
	#
	dontaudit xdm_t $1_home_t:file rw_file_perms;
	')

	ifdef(`ftpd.te', `
	tunable_policy(`ftp_home_dir',`
		file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
	')
	')

	# Stat lost+found.
	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	allow $1_t var_t:dir r_dir_perms;
	allow $1_t var_t:notdevfile_class_set r_file_perms;
	allow $1_t var_spool_t:dir r_dir_perms;
	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
	allow $1_t var_run_t:dir r_dir_perms;
	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	tunable_policy(`user_rw_usb',`
		rw_dir_create_file($1_t,usbdevfs_t)
	',`
		r_dir_file($1_t,usbdevfs_t)
	')

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
	# Some programs that are left in $1_t will try to connect
	# to syslogd, but we do not want to let them generate log messages.
	# Do not audit.
	dontaudit $1_t devlog_t:sock_file { read write };
	dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
	')

	allow $1_t initrc_t:fifo_file write;

	ifdef(`user_can_mount', `
	#
	# Allow users to mount file systems like floppies and cdrom
	#
	mount_domain($1, $1_mount, `, fs_domain')
	r_dir_file($1_t, mnt_t)
	allow $1_mount_t device_t:lnk_file read;
	allow $1_mount_t removable_device_t:blk_file read;
	allow $1_mount_t iso9660_t:filesystem relabelfrom;
	allow $1_mount_t removable_t:filesystem { mount relabelto };
	allow $1_mount_t removable_t:dir mounton;
	ifdef(`xdm.te', `
	allow $1_mount_t xdm_t:fd use;
	allow $1_mount_t xdm_t:fifo_file { read write };
	')
	')

	') dnl end TODO
')
4d8ddf9a 626
627#######################################
628## <summary>
629## The template for creating an administrative user.
630## </summary>
631## <desc>
632## <p>
633## This template creates a user domain, types, and
634## rules for the user's tty, pty, home directories,
635## tmp, and tmpfs files.
636## </p>
2ec4c9d3 637## <p>
638## The privileges given to administrative users are:
639## <ul>
640## <li>Raw disk access</li>
641## <li>Set all sysctls</li>
642## <li>All kernel ring buffer controls</li>
643## <li>Set SELinux enforcement mode (enforcing/permissive)</li>
644## <li>Set SELinux booleans</li>
645## <li>Relabel all files but shadow</li>
646## <li>Create, read, write, and delete all files but shadow</li>
647## <li>Manage source and binary format SELinux policy</li>
648## <li>Run insmod</li>
649## </ul>
650## </p>
651## </desc>
652## <param name="userdomain_prefix">
653## The prefix of the user domain (e.g., sysadm
654## is the prefix for sysadm_t).
655## </param>
4d8ddf9a 656#
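template(`admin_user_template',`
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_template($1)

	# privhome lets this domain write into every unprivileged user's
	# home contents (see the privhome rules in unpriv_user_template).
	typeattribute $1_t privhome; #, admin, web_client_domain
	domain_obj_id_change_exempt($1_t)
	role system_r types $1_t;

	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
	#; dnl end of sysadm_t type declaration

	typeattribute $1_devpts_t admin_terminal;

	typeattribute $1_tty_device_t admin_terminal;

	##############################
	#
	# $1_t local policy
	#

	# Every capability except sys_module; module loading goes through
	# modutils_domtrans_insmod() below instead.
	allow $1_t self:capability ~sys_module;
	allow $1_t self:process { setexec setfscreate };

	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };

	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	# for the administrator to run TCP servers directly
	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctl($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	# for the administrator to run TCP servers directly
	kernel_tcp_recvfrom($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_use_tun_tap_device($1_t)

	dev_getattr_generic_blk_file($1_t)
	dev_getattr_generic_chr_file($1_t)
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_set_all_quotas($1_t)

	# The admin domain may switch enforcing/permissive and flip booleans
	# from within the policy; this is the documented privilege set above.
	selinux_set_enforce_mode($1_t)
	selinux_set_boolean($1_t)
	selinux_set_parameters($1_t)
	# Get security policy decisions:
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)

	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)

	term_use_console($1_t)
	term_use_unallocated_tty($1_t)
	term_use_all_user_ptys($1_t)
	term_use_all_user_ttys($1_t)

	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	# signal all domains (one call per signal permission; the original
	# listed domain_sigstop_all_domains twice):
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)

	files_exec_usr_files($1_t)

	init_use_initctl($1_t)

	logging_send_syslog_msg($1_t)

	modutils_domtrans_insmod($1_t)

	seutil_read_config($1_t)
	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_pol($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_binary_pol($1_t)

	optional_policy(`cron.te',`
		cron_admin_template($1)
	')

	# Everything from here to "dnl endif TODO" is only expanded when the
	# m4 symbol TODO is defined.
	ifdef(`TODO',`

	# for lsof
	allow $1_t mtrr_device_t:file getattr;

	# for lsof
	allow $1_t eventpollfs_t:file getattr;

	allow $1_t serial_device:chr_file setattr;

	allow $1_t ptyfile:chr_file getattr;

	# Run admin programs that require different permissions in their own domain.
	# These rules were moved into the appropriate program domain file.

	ifdef(`xserver.te', `
	# Create files in /tmp/.X11-unix with our X servers derived
	# tmp type rather than user_xserver_tmp_t.
	file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
	')


	ifdef(`xdm.te', `
	tunable_policy(`xdm_sysadm_login',`
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;
	')
	allow $1_t xdm_t:fifo_file rw_file_perms;
	')

	# Connect data port to ftpd.
	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

	# Connect second port to rshd.
	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

	# Allow MAKEDEV to work
	allow $1_t device_t:dir rw_dir_perms;
	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
	allow $1_t device_t:lnk_file { create read };

	#
	# A user who is authorized for sysadm_t may nonetheless have
	# a home directory labeled with user_home_t if the user is expected
	# to login in either user_t or sysadm_t. Hence, the derived domains
	# for programs need to be able to access user_home_t.
	#

	# Allow our gph domain to write to .xsession-errors.
	ifdef(`gnome-pty-helper.te', `
	allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
	allow $1_gph_t user_home_type:file create_file_perms;
	')

	# Run programs from staff home directories.
	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
	can_exec($1_t, staff_home_t)
	') dnl endif TODO
')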
490639cd 855
4bf4ed9e 856########################################
ab940a4c 857## <summary>
858## Execute a shell in all user domains. This
859## is an explicit transition, requiring the
860## caller to use setexeccon().
ab940a4c 861## </summary>
862## <param name="domain">
863## The type of the process performing this action.
864## </param>
4bf4ed9e 865#
interface(`userdom_spec_domtrans_all_users',`
	# Requires the userdomain attribute, which every $1_t declared by
	# base_user_template carries.
	gen_require(`
		attribute userdomain;
	')

	# Explicit (setexeccon-driven) shell transition from $1 into any
	# user domain; no automatic type_transition is set up here.
	corecmd_shell_spec_domtrans($1,userdomain)
')
873
21871a5c 874########################################
ab940a4c 875## <summary>
876## Execute a shell in all unprivileged user domains. This
877## is an explicit transition, requiring the
878## caller to use setexeccon().
ab940a4c 879## </summary>
880## <param name="domain">
881## The type of the process performing this action.
882## </param>
21871a5c 883#
interface(`userdom_spec_domtrans_unpriv_users',`
	# Narrower sibling of userdom_spec_domtrans_all_users: only domains
	# tagged unpriv_userdomain (set by unpriv_user_template) are targets.
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Explicit (setexeccon-driven) shell transition from $1 into an
	# unprivileged user domain.
	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
')
891
d490eb6b 892########################################
ab940a4c 893## <summary>
414e4151 894## Execute a shell in the sysadm domain.
ab940a4c 895## </summary>
896## <param name="domain">
897## The type of the process performing this action.
898## </param>
d490eb6b 899#
interface(`userdom_shell_domtrans_sysadm',`
	# Under targeted_policy there is no separate sysadm_t, so the
	# transition is delegated to the unconfined module instead.
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		unconfined_shell_domtrans($1)
	',`
		gen_require(`
			type sysadm_t;
			class fd use;
			class fifo_file rw_file_perms;
			class process sigchld;
		')

		# Automatic shell transition $1 -> sysadm_t, plus the fd, pipe
		# and sigchld permissions the parent and child exchange across
		# the transition.
		corecmd_shell_domtrans($1,sysadm_t)

		allow $1 sysadm_t:fd use;
		allow sysadm_t $1:fd use;
		allow sysadm_t $1:fifo_file rw_file_perms;
		allow sysadm_t $1:process sigchld;
	')
')
920
ae9e2716
CP
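########################################
## <summary>
##	Search the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
		class dir search;
	')

	# /home itself has to be traversable before staff_home_dir_t can be
	# reached; only search (no listing) is granted on either directory.
	files_search_home($1)
	allow $1 staff_home_dir_t:dir search;
')
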
########################################
## <summary>
##	Do not audit attempts to search the staff
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
		class dir search;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 staff_home_dir_t:dir search;
')

########################################
## <summary>
##	Read files in the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_staff_home_files',`
	gen_require(`
		type staff_home_dir_t, staff_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	# Reach /home, then read-list the home directory and its
	# subdirectories; regular files and symlinks under it are readable.
	files_search_home($1)
	allow $1 staff_home_dir_t:dir r_dir_perms;
	allow $1 staff_home_t:dir r_dir_perms;
	allow $1 staff_home_t:file r_file_perms;
	allow $1 staff_home_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Read and write sysadm ttys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# Targeted policy maps this onto the unallocated tty type.
		term_use_unallocated_tty($1)
	',`
		gen_require(`
			type sysadm_tty_device_t;
			class chr_file rw_term_perms;
		')

		# Listing /dev and the pty directories presumably lets the caller
		# locate the device node before using it.
		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
	')
')

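########################################
## <summary>
##	Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# Targeted policy maps this onto the unallocated tty type.
		term_dontaudit_use_unallocated_tty($1)
	',`
		gen_require(`
			# sysadm_tty_device_t is declared as a type (see
			# userdom_use_sysadm_tty), so it must be required as one,
			# not as an attribute.
			type sysadm_tty_device_t;
			class chr_file { read write };
		')

		# Silences the denial only; no access is granted.
		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
	')
')
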
########################################
## <summary>
##	Read and write sysadm ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_pty',`
	ifdef(`targeted_policy',`
		# Targeted policy maps this onto the generic pty type.
		term_use_generic_pty($1)
	',`
		gen_require(`
			type sysadm_devpts_t;
			class chr_file rw_term_perms;
		')

		# Listing /dev and the pty directories presumably lets the caller
		# locate the pty node before using it.
		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
	')
')

########################################
## <summary>
##	Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_terms',`
	# Convenience wrapper: grant the pty and tty access in one call.
	# The two underlying interfaces are independent, so order is irrelevant.
	userdom_use_sysadm_pty($1)
	userdom_use_sysadm_tty($1)
')

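########################################
## <summary>
##	Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
	ifdef(`targeted_policy',`
		# Targeted policy has no sysadm-specific terminal types; cover
		# both the tty and the pty case, matching what
		# userdom_dontaudit_use_sysadm_tty does for ttys.
		term_dontaudit_use_unallocated_tty($1)
		term_dontaudit_use_generic_pty($1)
	',`
		gen_require(`
			attribute admin_terminal;
			class chr_file { read write };
		')

		# Silences the denial only; no access is granted.
		dontaudit $1 admin_terminal:chr_file { read write };
	')
')
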
########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_fd',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		# Under targeted policy this is delegated to the unconfined fd rule.
		unconfined_use_fd($1)
	',`
		gen_require(`
			type sysadm_t;
			class fd use;
		')

		# Only fd use is granted; this does not by itself allow reading or
		# writing the object behind the descriptor.
		allow $1 sysadm_t:fd use;
	')
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_rw_sysadm_pipe',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		# Under targeted policy this is delegated to the unconfined pipe rule.
		unconfined_rw_pipe($1)
	',`
		gen_require(`
			type sysadm_t;
			class fifo_file rw_file_perms;
		')

		# Pipes created by sysadm_t carry the sysadm_t label, hence the
		# fifo_file rule is keyed on the domain type.
		allow $1 sysadm_t:fifo_file rw_file_perms;
	')
')

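########################################
## <summary>
##	Search the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
		class dir search;
	')

	# /home itself has to be traversable before sysadm_home_dir_t can be
	# reached; only search (no listing) is granted on either directory.
	files_search_home($1)
	allow $1 sysadm_home_dir_t:dir search;
')
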
########################################
## <summary>
##	Do not audit attempts to search the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
		class dir search;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 sysadm_home_dir_t:dir search;
')

########################################
## <summary>
##	Read files in the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_sysadm_home_files',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	# Reach /home, then read-list the home directory and its
	# subdirectories; regular files and symlinks under it are readable.
	files_search_home($1)
	allow $1 sysadm_home_dir_t:dir r_dir_perms;
	allow $1 sysadm_home_t:dir r_dir_perms;
	allow $1 sysadm_home_t:file r_file_perms;
	allow $1 sysadm_home_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Search all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_all_users_home',`
	gen_require(`
		attribute home_dir_type, home_type;
		class dir search;
	')

	# NOTE(review): the per-user search interfaces (e.g.
	# userdom_search_staff_home_dir) use files_search_home, while this one
	# also lists /home -- confirm the extra listing permission is intended.
	files_list_home($1)
	# Traversal of every home directory and of the directories inside them.
	allow $1 home_dir_type:dir search;
	allow $1 home_type:dir search;
')

########################################
## <summary>
##	Do not audit attempts to search all users home directories.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_all_users_home',`
	gen_require(`
		attribute home_dir_type, home_type;
		class dir search;
	')

	# Silences the denials only; no access is granted.
	dontaudit $1 home_dir_type:dir search;
	dontaudit $1 home_type:dir search;
')

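########################################
## <summary>
##	Read all files in all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_all_user_files',`
	gen_require(`
		attribute home_type;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	# This is a broad grant: every type carrying home_type (home
	# directories and their contents) becomes readable by $1.
	files_list_home($1)
	allow $1 home_type:dir r_dir_perms;
	allow $1 home_type:file r_file_perms;
	# Symbolic links are covered the same way the per-user read
	# interfaces (userdom_read_staff_home_files and friends) cover them.
	allow $1 home_type:lnk_file r_file_perms;
')
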
########################################
## <summary>
##	Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
	gen_require(`
		attribute user_tmpfile;
		class file { getattr write append };
	')

	# Write/append to existing files only: no create, no read, and no
	# directory permissions on the tmp directory itself.
	allow $1 user_tmpfile:file { getattr write append };
')

########################################
## <summary>
##	Inherit the file descriptors from all user domains
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
	gen_require(`
		attribute userdomain;
		class fd use;
	')

	# fd use alone does not grant access to the underlying object.
	allow $1 userdomain:fd use;
')

########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
		class process signal;
	')

	# Only the generic signal permission; sigkill, sigstop and sigchld
	# are separate permissions and are not granted here.
	allow $1 userdomain:process signal;
')

########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
		class process signal;
	')

	# Same as userdom_signal_all_users, restricted to unpriv_userdomain.
	allow $1 unpriv_userdomain:process signal;
')

########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_unpriv_users_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	# Same as userdom_use_all_user_fd, restricted to unpriv_userdomain.
	allow $1 unpriv_userdomain:fd use;
')

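########################################
## <summary>
##	Do not audit attempts to inherit the
##	file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	# The rule is scoped to unpriv_userdomain, not to all user domains;
	# it silences the denial only and grants no access.
	dontaudit $1 unpriv_userdomain:fd use;
')
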
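########################################
## <summary>
##	Do not audit attempts to use unprivileged
##	user ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
	gen_require(`
		attribute user_ttynode;
		class chr_file rw_file_perms;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
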
1356########################################
1357## <summary>
1358## Unconfined access to user domains.
1359## </summary>
1360## <param name="domain">
1361## Domain allowed access.
1362## </param>
1363#
1364interface(`userdom_unconfined',`
1365 gen_require(`
1366 type user_home_dir_t;
1367 class dir create_dir_perms;
1368 ')
1369
1370 allow $1 user_home_dir_t:dir create_dir_perms;
1371 files_create_home_dirs($1,user_home_dir_t)
1372')