490639cd | 1 | ## <summary>Policy for user domains</summary> |
b16c6b8c | 2 | |
8fd36732 CP |
3 | ####################################### |
4 | ## <summary> | |
5 | ## The template containing rules common to unprivileged | |
6 | ## users and administrative users. | |
7 | ## </summary> | |
8 | ## <desc> | |
9 | ## <p> | |
10 | ## This template creates a user domain, types, and | |
11 | ## rules for the user's tty, pty, home directories, | |
12 | ## tmp, and tmpfs files. | |
13 | ## </p> | |
14 | ## <p> | |
15 | ## This generally should not be used, rather the | |
16 | ## unpriv_user_template or admin_user_template should | |
17 | ## be used. | |
18 | ## </p> | |
19 | ## </desc> | |
20 | ## <param name="userdomain_prefix"> | |
21 | ## The prefix of the user domain (e.g., user | |
22 | ## is the prefix for user_t). | |
23 | ## </param> | |
b16c6b8c | 24 | # |
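template(`base_user_template',`
	# $1 is the user domain prefix: $1_t is the process domain, $1_r its
	# role, and $1_file_type collects the file types derived for this user
	# (home contents and tmp) so later rules can address them as a group.
	attribute $1_file_type;

	type $1_t, userdomain;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	role $1_r types $1_t;
	# role allow: system_r may change to this user's role
	allow system_r $1_r;

	# user pseudoterminal
	type $1_devpts_t;
	term_user_pty($1_t,$1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_type($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	# Previously this called files_type($1_home_t) a second time (copy-paste),
	# so the home directory type itself was never marked as a file type.
	files_type($1_home_dir_t)

	type $1_tmp_t, $1_file_type;
	files_tmp_file($1_tmp_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_tty_device_t;
	term_tty($1_t,$1_tty_device_t)

	##############################
	#
	# Local policy
	#

	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	# The second process rule re-grants ptrace and setfscreate, so the net
	# exclusion is only setcurrent, setexec, setrlimit, execmem and
	# dyntransition (execmem is granted again below under allow_execmem).
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	# Irrelevant until we have labeled networking.
	#allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory
	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };

	# full control of the home directory, including relabeling in both
	# directions; new objects under $1_home_dir_t default to $1_home_t
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir create_dir_perms;
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };

	# Bind to a Unix domain socket in /tmp.
	# cjp: this combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	# user domains.
	per_userdomain_templates($1)

	kernel_read_kernel_sysctl($1_t)
	selinux_get_fs_mount($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)

	dev_rw_power_management($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)

	# unrestricted tcp/udp/raw send and receive on all interfaces, nodes
	# and ports; binding is limited to the generic port below
	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	# allow port_t name binding for UDP because it is not very usable otherwise
	corenet_udp_bind_generic_port($1_t)

	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_search_auto_mountpoints($1_t)
	fs_exec_noxattr($1_t)

	# for eject
	storage_getattr_fixed_disk($1_t)

	auth_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)
	# pam and utempter run from this role on the user's tty and pty
	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecmd_exec_bin($1_t)
	corecmd_exec_sbin($1_t)
	corecmd_exec_ls($1_t)

	domain_exec_all_entry_files($1_t)
	domain_use_wide_inherit_fd($1_t)
	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_t)
	domain_dontaudit_getsession_all_domains($1_t)

	files_exec_etc_files($1_t)
	files_read_usr_src_files($1_t)
	files_search_locks($1_t)

	# Caused by su - init scripts
	init_dontaudit_use_script_pty($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_exec_ld_so($1_t)
	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_rw_man_cache($1_t)
	# for running TeX programs
	miscfiles_read_tetex_data($1_t)
	miscfiles_exec_tetex_data($1_t)

	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	mta_rw_spool($1_t)

	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`read_default_t',`
		files_list_default($1_t)
		files_read_default_files($1_t)
		files_read_default_symlinks($1_t)
		files_read_default_sockets($1_t)
		files_read_default_pipes($1_t)
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)
	')

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_t)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)
	')

	optional_policy(`inetd.te',`
		inetd_tcp_connect($1_t)
	')

	optional_policy(`nis.te',`
		nis_use_ypbind($1_t)
	')

	optional_policy(`nscd.te',`
		nscd_use_socket($1_t)
	')

	optional_policy(`pcmcia.te',`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_t)
	')

	optional_policy(`rpm.te',`
		files_getattr_var_lib_dir($1_t)
		files_search_var_lib($1_t)
	')

	optional_policy(`usermanage.te',`
		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
	')

	# Everything below is guarded by ifdef(`TODO') and is not expanded
	# unless TODO is defined; it is kept as a migration worklist.
	ifdef(`TODO',`

	#
	# Cups daemon running as user tries to write /etc/printcap
	#
	dontaudit $1_t usr_t:file setattr;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	#
	# Added to allow reading of cdrom
	#
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	#
	# Running ifconfig as a user generates the following
	#
	dontaudit $1_t sysctl_net_t:dir search;

	dontaudit $1_t default_context_t:dir search;

	r_dir_file($1_t, usercanread)

	tunable_policy(`allow_execmod',`
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1_t texrel_shlib_t:file execmod;
	')

	allow $1_t fs_type:dir getattr;

	# old "file_browse_domain":
	# Regular files/directories that are not security sensitive
	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
	dontaudit $1_t file_type - secure_file_type:dir { read search };
	# /dev
	dontaudit $1_t dev_fs:dir_file_class_set getattr;
	dontaudit $1_t dev_fs:dir { read search };
	# /proc
	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
	dontaudit $1_t proc_fs:dir { read search };

	tunable_policy(`user_rw_noexattrfile',`
		create_dir_file($1_t, noexattrfile)
		# Write floppies
		storage_raw_read_removable_device($1_t)
		storage_raw_write_removable_device($1_t)
		# cjp: what does this have to do with removable devices?
		allow $1_t usbtty_device_t:chr_file write;
	',`
		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;
	')

	allow $1_t usbtty_device_t:chr_file read;

	can_resmgrd_connect($1_t)

	# Grant permissions to access the system DBus
	ifdef(`dbusd.te', `
		dbusd_client(system, $1)
		can_network_server_tcp($1_dbusd_t)
		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;

		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_client($1, $1)
		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_domain($1)
		ifdef(`hald.te', `
			allow $1_t hald_t:dbus send_msg;
			allow hald_t $1_t:dbus send_msg;
		')
	')

	# Gnome panel binds to the following
	ifdef(`cups.te', `
		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
	')

	ifdef(`inetd.te', `
		# Connect to inetd.
		can_tcp_connect($1_t, inetd_t)
		can_udp_send($1_t, inetd_t)
		can_udp_send(inetd_t, $1_t)
		# Inherit and use sockets from inetd
		allow $1_t inetd_t:fd use;
		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
	')

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	ifdef(`xserver.te', `
		# for /tmp/.ICE-unix
		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
	')

	ifdef(`xdm.te', `
		# Connect to the X server run by the X Display Manager.
		can_unix_connect($1_t, xdm_t)
		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
		allow $1_t xdm_tmp_t:dir r_dir_perms;
		allow $1_t xdm_tmp_t:file r_file_perms;
		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
		allow $1_t xdm_xserver_tmp_t:dir search;
		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
		# certain apps want to read xdm.pid file
		r_dir_file($1_t, xdm_var_run_t)
		allow $1_t xdm_var_lib_t:file r_file_perms;
		allow xdm_t $1_home_dir_t:dir getattr;
		ifdef(`xauth.te', `
			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
		')

		# for shared memory
		allow xdm_xserver_t $1_tmpfs_t:file { read write };

	')

	ifdef(`rpcd.te', `
		create_dir_file($1_t, nfsd_rw_t)
	')

	#
	# Allow graphical boot to check battery lifespan
	#
	ifdef(`apmd.te', `
		allow $1_t apmd_t:unix_stream_socket connectto;
		allow $1_t apmd_var_run_t:sock_file write;
	')

	ifdef(`pamconsole.te', `
		allow $1_t pam_var_console_t:dir search;
	')

	') dnl endif TODO

')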
b16c6b8c | 415 | |
8fd36732 CP |
416 | ####################################### |
417 | ## <summary> | |
418 | ## The template for creating an unprivileged user. | |
419 | ## </summary> | |
420 | ## <desc> | |
421 | ## <p> | |
422 | ## This template creates a user domain, types, and | |
423 | ## rules for the user's tty, pty, home directories, | |
424 | ## tmp, and tmpfs files. | |
425 | ## </p> | |
426 | ## </desc> | |
427 | ## <param name="userdomain_prefix"> | |
428 | ## The prefix of the user domain (e.g., user | |
429 | ## is the prefix for user_t). | |
430 | ## </param> | |
b16c6b8c | 431 | # |
template(`unpriv_user_template', `
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	# This declares $1_t, $1_r, $1_file_type and the $1_devpts_t,
	# $1_home_t, $1_home_dir_t, $1_tmp_t, $1_tmpfs_t and $1_tty_device_t
	# types that the rules below attach attributes to.
	base_user_template($1)

	typeattribute $1_t unpriv_userdomain; #, web_client_domain
	domain_wide_inherit_fd($1_t)

	#typeattribute $1_devpts_t userpty_type, user_tty_type;
	#typeattribute $1_home_dir_t user_home_dir_type;
	#typeattribute $1_home_t user_home_type;

	typeattribute $1_tmp_t user_tmpfile;

	typeattribute $1_tty_device_t user_ttynode;

	##############################
	#
	# Local policy
	#

	# full read/write on the user's own pty, plus setattr; the pty type
	# itself is created through term_create_pty
	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# privileged home directory writers
	# NOTE(review): privhome is an attribute declared outside this template;
	# every domain carrying it gets full create access to this user's home
	# contents and the same type_transition the user domain has — confirm
	# the set of privhome domains is deliberately small.
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	dev_read_sysfs($1_t)

	# cjp: why?
	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_etc_files($1_t)
	files_list_home($1_t)
	files_read_usr_files($1_t)
	files_exec_usr_files($1_t)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_t)
	files_read_world_readable_files($1_t)
	files_read_world_readable_symlinks($1_t)
	files_read_world_readable_pipes($1_t)
	files_read_world_readable_sockets($1_t)

	init_read_script_pid($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_write_script_pid($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fd($1_t)
	init_dontaudit_use_script_fd($1_t)

	miscfiles_read_man_pages($1_t)

	seutil_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	seutil_exec_checkpol($1_t)

	# user_dmesg off: silence the denial rather than grant the read
	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)
	',`
		kernel_dontaudit_read_ring_buffer($1_t)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_port($1_t)
	')

	optional_policy(`kerberos.te',`
		kerberos_use($1_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_module_conf($1_t)
	')

	optional_policy(`selinuxutil.te',`
		# for when the network connection is killed
		seutil_dontaudit_signal_newrole($1_t)
	')

	# Need the following rule to allow users to run vpnc
	optional_policy(`xserver.te', `
		corenetwork_bind_tcp_on_xserver_port($1_t)
	')

	# Everything below is guarded by ifdef(`TODO') and is not expanded
	# unless TODO is defined; it is kept as a migration worklist.
	ifdef(`TODO',`

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	ifdef(`xdm.te', `
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;
		#
		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
		#
		dontaudit xdm_t $1_home_t:file rw_file_perms;
	')

	ifdef(`ftpd.te', `
		tunable_policy(`ftp_home_dir',`
			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
		')
	')

	# Stat lost+found.
	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	allow $1_t var_t:dir r_dir_perms;
	allow $1_t var_t:notdevfile_class_set r_file_perms;
	allow $1_t var_spool_t:dir r_dir_perms;
	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
	allow $1_t var_run_t:dir r_dir_perms;
	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	tunable_policy(`user_rw_usb',`
		rw_dir_create_file($1_t,usbdevfs_t)
	',`
		r_dir_file($1_t,usbdevfs_t)
	')

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
		# Some programs that are left in $1_t will try to connect
		# to syslogd, but we do not want to let them generate log messages.
		# Do not audit.
		dontaudit $1_t devlog_t:sock_file { read write };
		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
	')

	allow $1_t initrc_t:fifo_file write;

	ifdef(`user_can_mount', `
		#
		# Allow users to mount file systems like floppies and cdrom
		#
		mount_domain($1, $1_mount, `, fs_domain')
		r_dir_file($1_t, mnt_t)
		allow $1_mount_t device_t:lnk_file read;
		allow $1_mount_t removable_device_t:blk_file read;
		allow $1_mount_t iso9660_t:filesystem relabelfrom;
		allow $1_mount_t removable_t:filesystem { mount relabelto };
		allow $1_mount_t removable_t:dir mounton;
		ifdef(`xdm.te', `
			allow $1_mount_t xdm_t:fd use;
			allow $1_mount_t xdm_t:fifo_file { read write };
		')
	')

	') dnl end TODO
')
4d8ddf9a | 626 | |
8fd36732 CP |
627 | ####################################### |
628 | ## <summary> | |
629 | ## The template for creating an administrative user. | |
630 | ## </summary> | |
631 | ## <desc> | |
632 | ## <p> | |
633 | ## This template creates a user domain, types, and | |
634 | ## rules for the user's tty, pty, home directories, | |
635 | ## tmp, and tmpfs files. | |
636 | ## </p> | |
2ec4c9d3 | 637 | ## <p> |
8fd36732 CP |
638 | ## The privileges given to administrative users are: |
639 | ## <ul> | |
640 | ## <li>Raw disk access</li> | |
641 | ## <li>Set all sysctls</li> | |
642 | ## <li>All kernel ring buffer controls</li> | |
643 | ## <li>Set SELinux enforcement mode (enforcing/permissive)</li> | |
644 | ## <li>Set SELinux booleans</li> | |
645 | ## <li>Relabel all files but shadow</li> | |
646 | ## <li>Create, read, write, and delete all files but shadow</li> | |
647 | ## <li>Manage source and binary format SELinux policy</li> | |
648 | ## <li>Run insmod</li> | |
649 | ## </ul> | |
2ec4c9d3 CP |
650 | ## </p> |
651 | ## </desc> | |
8fd36732 CP |
652 | ## <param name="userdomain_prefix"> |
653 | ## The prefix of the user domain (e.g., sysadm | |
654 | ## is the prefix for sysadm_t). | |
655 | ## </param> | |
4d8ddf9a | 656 | # |
8fd36732 | 657 | template(`admin_user_template',` |
0c73cd25 CP |
658 | ############################## |
659 | # | |
660 | # Declarations | |
661 | # | |
662 | ||
663 | # Inherit rules for ordinary users. | |
8fd36732 | 664 | base_user_template($1) |
0c73cd25 | 665 | |
493d6c4a | 666 | typeattribute $1_t privhome; #, admin, web_client_domain |
8bd67899 | 667 | domain_obj_id_change_exempt($1_t) |
0c73cd25 CP |
668 | role system_r types $1_t; |
669 | ||
670 | #ifdef(`direct_sysadm_daemon', `, priv_system_role') | |
671 | #; dnl end of sysadm_t type declaration | |
672 | ||
673 | typeattribute $1_devpts_t admin_terminal; | |
674 | ||
675 | typeattribute $1_tty_device_t admin_terminal; | |
676 | ||
677 | ############################## | |
678 | # | |
679 | # $1_t local policy | |
680 | # | |
681 | ||
682 | allow $1_t self:capability ~sys_module; | |
683 | allow $1_t self:process { setexec setfscreate }; | |
684 | ||
685 | # Set password information for other users. | |
686 | allow $1_t self:passwd { passwd chfn chsh }; | |
687 | ||
688 | # Skip authentication when pam_rootok is specified. | |
689 | allow $1_t self:passwd rootok; | |
690 | ||
691 | # Manipulate other users crontab. | |
692 | allow $1_t self:passwd crontab; | |
693 | ||
694 | # for the administrator to run TCP servers directly | |
695 | allow $1_t self:tcp_socket { acceptfrom connectto recvfrom }; | |
696 | ||
697 | allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; | |
0fd9dc55 | 698 | term_create_pty($1_t,$1_devpts_t) |
0c73cd25 | 699 | |
cc41a97c CP |
700 | allow $1_t $1_tmp_t:dir create_dir_perms; |
701 | allow $1_t $1_tmp_t:file create_file_perms; | |
702 | allow $1_t $1_tmp_t:lnk_file create_file_perms; | |
703 | allow $1_t $1_tmp_t:fifo_file create_file_perms; | |
704 | allow $1_t $1_tmp_t:sock_file create_file_perms; | |
c9428d33 | 705 | files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) |
0c73cd25 CP |
706 | |
707 | kernel_read_system_state($1_t) | |
708 | kernel_read_network_state($1_t) | |
709 | kernel_read_software_raid_state($1_t) | |
0fd9dc55 CP |
710 | kernel_getattr_core($1_t) |
711 | kernel_getattr_message_if($1_t) | |
0c73cd25 CP |
712 | kernel_change_ring_buffer_level($1_t) |
713 | kernel_clear_ring_buffer($1_t) | |
714 | kernel_read_ring_buffer($1_t) | |
715 | kernel_get_sysvipc_info($1_t) | |
0fd9dc55 | 716 | kernel_rw_all_sysctl($1_t) |
8fd36732 CP |
717 | # signal unlabeled processes: |
718 | kernel_kill_unlabeled($1_t) | |
719 | kernel_signal_unlabeled($1_t) | |
720 | kernel_sigstop_unlabeled($1_t) | |
721 | kernel_signull_unlabeled($1_t) | |
722 | kernel_sigchld_unlabeled($1_t) | |
2ec4c9d3 CP |
723 | # for the administrator to run TCP servers directly |
724 | kernel_tcp_recvfrom($1_t) | |
725 | ||
726 | corenet_tcp_bind_generic_port($1_t) | |
727 | # allow setting up tunnels | |
728 | corenet_use_tun_tap_device($1_t) | |
729 | ||
730 | dev_getattr_generic_blk_file($1_t) | |
731 | dev_getattr_generic_chr_file($1_t) | |
732 | dev_getattr_all_blk_files($1_t) | |
733 | dev_getattr_all_chr_files($1_t) | |
734 | ||
735 | fs_getattr_all_fs($1_t) | |
736 | fs_set_all_quotas($1_t) | |
8fd36732 | 737 | |
5e0da6a0 CP |
738 | selinux_set_enforce_mode($1_t) |
739 | selinux_set_boolean($1_t) | |
740 | selinux_set_parameters($1_t) | |
0c73cd25 | 741 | # Get security policy decisions: |
5e0da6a0 CP |
742 | selinux_get_fs_mount($1_t) |
743 | selinux_validate_context($1_t) | |
744 | selinux_compute_access_vector($1_t) | |
745 | selinux_compute_create_context($1_t) | |
746 | selinux_compute_relabel_context($1_t) | |
747 | selinux_compute_user_contexts($1_t) | |
0c73cd25 | 748 | |
0c73cd25 CP |
749 | storage_raw_read_removable_device($1_t) |
750 | storage_raw_write_removable_device($1_t) | |
751 | ||
0fd9dc55 CP |
752 | term_use_console($1_t) |
753 | term_use_unallocated_tty($1_t) | |
754 | term_use_all_user_ptys($1_t) | |
755 | term_use_all_user_ttys($1_t) | |
0c73cd25 | 756 | |
2ec4c9d3 | 757 | auth_getattr_shadow($1_t) |
0c73cd25 | 758 | # Manage almost all files |
c9428d33 | 759 | auth_manage_all_files_except_shadow($1_t) |
0c73cd25 | 760 | # Relabel almost all files |
c9428d33 | 761 | auth_relabel_all_files_except_shadow($1_t) |
0c73cd25 | 762 | |
c9428d33 CP |
763 | domain_setpriority_all_domains($1_t) |
764 | domain_read_all_domains_state($1_t) | |
0c73cd25 CP |
765 | # signal all domains: |
766 | domain_kill_all_domains($1_t) | |
767 | domain_signal_all_domains($1_t) | |
768 | domain_signull_all_domains($1_t) | |
769 | domain_sigstop_all_domains($1_t) | |
770 | domain_sigstop_all_domains($1_t) | |
771 | domain_sigchld_all_domains($1_t) | |
2ec4c9d3 CP |
772 | # for lsof |
773 | domain_getattr_all_sockets($1_t) | |
0c73cd25 | 774 | |
c9428d33 | 775 | files_exec_usr_files($1_t) |
0c73cd25 | 776 | |
c9428d33 | 777 | init_use_initctl($1_t) |
0c73cd25 | 778 | |
c9428d33 | 779 | logging_send_syslog_msg($1_t) |
0c73cd25 | 780 | |
c9428d33 | 781 | modutils_domtrans_insmod($1_t) |
0c73cd25 | 782 | |
5e0da6a0 | 783 | seutil_read_config($1_t) |
784 | # The following rule is temporary until such time that a complete |
785 | # policy management infrastructure is in place so that an administrator | |
786 | # cannot directly manipulate policy files with arbitrary programs. | |
5e0da6a0 | 787 | seutil_manage_src_pol($1_t) |
788 | # Violates the goal of limiting write access to checkpolicy. |
789 | # But presently necessary for installing the file_contexts file. | |
5e0da6a0 | 790 | seutil_manage_binary_pol($1_t) |
791 | |
792 | optional_policy(`cron.te',` | |
793 | cron_admin_template($1) | |
794 | ') | |
795 | ||
796 | ifdef(`TODO',` | |
797 | ||
798 | # for lsof |
799 | allow $1_t mtrr_device_t:file getattr; | |
800 | ||
801 | # for lsof |
802 | allow $1_t eventpollfs_t:file getattr; | |
0c73cd25 | 803 | |
2ec4c9d3 | 804 | allow $1_t serial_device:chr_file setattr; |
805 | |
806 | allow $1_t ptyfile:chr_file getattr; | |
807 | ||
808 | # Run admin programs that require different permissions in their own domain. |
809 | # These rules were moved into the appropriate program domain file. | |
810 | ||
811 | ifdef(`xserver.te', ` |
812 | # Create files in /tmp/.X11-unix with our X servers derived | |
813 | # tmp type rather than user_xserver_tmp_t. | |
814 | file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) | |
815 | ') |
816 | ||
2ec4c9d3 | 817 | |
0c73cd25 | 818 | ifdef(`xdm.te', ` |
819 | tunable_policy(`xdm_sysadm_login',` |
820 | allow xdm_t $1_home_t:lnk_file read; | |
821 | allow xdm_t $1_home_t:dir search; | |
0c73cd25 | 822 | ') |
2ec4c9d3 | 823 | allow $1_t xdm_t:fifo_file rw_file_perms; |
824 | ') |
825 | ||
826 | # Connect data port to ftpd. |
827 | ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') | |
828 | ||
829 | # Connect second port to rshd. | |
830 | ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') | |
831 | ||
832 | # Allow MAKEDEV to work | |
833 | allow $1_t device_t:dir rw_dir_perms; | |
834 | allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; | |
835 | allow $1_t device_t:lnk_file { create read }; | |
836 | ||
837 | # |
838 | # A user who is authorized for sysadm_t may nonetheless have | |
839 | # a home directory labeled with user_home_t if the user is expected | |
840 | # to login in either user_t or sysadm_t. Hence, the derived domains | |
841 | # for programs need to be able to access user_home_t. | |
842 | # | |
4d8ddf9a | 843 | |
844 | # Allow our gph domain to write to .xsession-errors. |
845 | ifdef(`gnome-pty-helper.te', ` | |
846 | allow $1_gph_t user_home_dir_type:dir rw_dir_perms; | |
847 | allow $1_gph_t user_home_type:file create_file_perms; | |
848 | ') | |
4d8ddf9a | 849 | |
850 | # Run programs from staff home directories. |
851 | # Not ideal, but typical if users want to login as both sysadm_t or staff_t. | |
852 | can_exec($1_t, staff_home_t) | |
0c73cd25 | 853 | ') dnl endif TODO |
4d8ddf9a | 854 | ') |
490639cd | 855 | |
########################################
## <summary>
##	Execute a shell in all user domains by an
##	explicit transition.  No automatic transition
##	is set up; the caller must select the target
##	domain itself with setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# Every domain created by base_user_template carries the
	# userdomain attribute, so this covers administrative user
	# domains as well as unprivileged ones.  Callers that only
	# need the unprivileged set should use
	# userdom_spec_domtrans_unpriv_users() instead.
	corecmd_shell_spec_domtrans($1,userdomain)
')
873 | ||
########################################
## <summary>
##	Execute a shell in all unprivileged user domains
##	by an explicit transition.  No automatic transition
##	is set up; the caller must select the target
##	domain itself with setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Restricted to the unpriv_userdomain attribute, so a
	# caller cannot pick an administrative user domain as
	# the destination of the shell transition.
	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
')
891 | ||
########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <desc>
##	<p>
##	Sets up an automatic domain transition to sysadm_t when
##	the caller executes a shell, together with the file
##	descriptor, pipe and SIGCHLD access the caller and the
##	new sysadm shell need to interact.  This hands the
##	caller the full administrative domain, so it should
##	only be given to domains that are trusted to act as
##	sysadm (e.g. login-style programs).
##	</p>
##	<p>
##	In the targeted policy the transition goes to the
##	unconfined domain instead and the sysadm_t rules are
##	not used.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_shell_domtrans_sysadm',`
	ifdef(`targeted_policy',`
		# NOTE(review): marked as needing a double check
		# in the original; the unconfined mapping has not
		# been verified.
		unconfined_shell_domtrans($1)
	',`
		gen_require(`
			class fd use;
			class fifo_file rw_file_perms;
			class process sigchld;
			type sysadm_t;
		')

		# Caller and the new sysadm shell may use each
		# other's inherited file descriptors.
		allow $1 sysadm_t:fd use;
		allow sysadm_t $1:fd use;

		# The sysadm shell can talk back over the caller's
		# pipes and report its exit via SIGCHLD.
		allow sysadm_t $1:fifo_file rw_file_perms;
		allow sysadm_t $1:process sigchld;

		corecmd_shell_domtrans($1,sysadm_t)
	')
')
920 | ||
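########################################
## <summary>
##	Search the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
		class dir search;
	')

	# Search on the parent (/home) is needed to reach the
	# staff home directory at all.
	files_search_home($1)
	allow $1 staff_home_dir_t:dir search;
')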
938 | ||
########################################
## <summary>
##	Do not audit attempts to search the staff
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_staff_home_dir',`
	gen_require(`
		class dir search;
		type staff_home_dir_t;
	')

	# Silences the denial only; no access is granted and
	# the parent /home directory is not touched.
	dontaudit $1 staff_home_dir_t:dir search;
')
956 | ||
########################################
## <summary>
##	Read files in the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_staff_home_files',`
	gen_require(`
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
		type staff_home_dir_t;
		type staff_home_t;
	')

	# Reach /home, then read-list both the home directory
	# itself and any subdirectories labeled staff_home_t.
	files_search_home($1)
	allow $1 staff_home_dir_t:dir r_dir_perms;
	allow $1 staff_home_t:dir r_dir_perms;

	# Regular files and symlinks inside the home tree.
	allow $1 staff_home_t:file r_file_perms;
	allow $1 staff_home_t:lnk_file r_file_perms;
')
977 | ||
########################################
## <summary>
##	Read and write sysadm ttys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# Targeted policy has no separate sysadm tty type.
		term_use_unallocated_tty($1)
	',`
		gen_require(`
			class chr_file rw_term_perms;
			type sysadm_tty_device_t;
		')

		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;

		# Directory access granted alongside the terminal
		# itself (kept from the original; presumably needed
		# to walk /dev and /dev/pts to the node).
		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
	')
')
1000 | ||
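########################################
## <summary>
##	Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		term_dontaudit_use_unallocated_tty($1)
	',`
		gen_require(`
			# sysadm_tty_device_t is a type (it is declared
			# via term_tty() in base_user_template and
			# required as a type by userdom_use_sysadm_tty),
			# not an attribute; requiring it as an attribute
			# fails at policy link time.
			type sysadm_tty_device_t;
			class chr_file { read write };
		')

		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
	')
')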
1021 | ||
########################################
## <summary>
##	Read and write sysadm ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_pty',`
	ifdef(`targeted_policy',`
		# Targeted policy has no separate sysadm pty type.
		term_use_generic_pty($1)
	',`
		gen_require(`
			class chr_file rw_term_perms;
			type sysadm_devpts_t;
		')

		allow $1 sysadm_devpts_t:chr_file rw_term_perms;

		# Directory access granted alongside the pty itself
		# (kept from the original; presumably needed to walk
		# /dev and /dev/pts to the node).
		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
	')
')
1044 | ||
########################################
## <summary>
##	Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_terms',`
	# Convenience wrapper: grants both the tty and the pty
	# access in one call.
	userdom_use_sysadm_pty($1)
	userdom_use_sysadm_tty($1)
')
1057 | ||
########################################
## <summary>
##	Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
	ifdef(`targeted_policy',`
		term_dontaudit_use_generic_pty($1)
	',`
		gen_require(`
			class chr_file { read write };
			attribute admin_terminal;
		')

		# admin_terminal is an attribute covering the
		# administrative terminal types, so one rule
		# silences both tty and pty denials.
		dontaudit $1 admin_terminal:chr_file { read write };
	')
')
1078 | ||
########################################
## <summary>
##	Inherit and use sysadm file descriptors.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_fd',`
	ifdef(`targeted_policy',`
		# NOTE(review): marked as needing a double check
		# in the original; the unconfined mapping has not
		# been verified.
		unconfined_use_fd($1)
	',`
		gen_require(`
			class fd use;
			type sysadm_t;
		')

		# Descriptors opened by sysadm_t and inherited across
		# exec may be used by the caller.
		allow $1 sysadm_t:fd use;
	')
')
1100 | ||
########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_rw_sysadm_pipe',`
	ifdef(`targeted_policy',`
		# NOTE(review): marked as needing a double check
		# in the original; the unconfined mapping has not
		# been verified.
		unconfined_rw_pipe($1)
	',`
		gen_require(`
			class fifo_file rw_file_perms;
			type sysadm_t;
		')

		# Unnamed pipes created by sysadm_t carry its type.
		allow $1 sysadm_t:fifo_file rw_file_perms;
	')
')
1122 | ||
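########################################
## <summary>
##	Search the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
		class dir search;
	')

	# Search on the parent (/home) is needed to reach the
	# sysadm home directory at all.
	files_search_home($1)
	allow $1 sysadm_home_dir_t:dir search;
')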
1140 | ||
########################################
## <summary>
##	Do not audit attempts to search the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
	gen_require(`
		class dir search;
		type sysadm_home_dir_t;
	')

	# Silences the denial only; no access is granted and
	# the parent /home directory is not touched.
	dontaudit $1 sysadm_home_dir_t:dir search;
')
1158 | ||
########################################
## <summary>
##	Read files in the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_sysadm_home_files',`
	gen_require(`
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
		type sysadm_home_dir_t;
		type sysadm_home_t;
	')

	# Reach /home, then read-list both the home directory
	# itself and any subdirectories labeled sysadm_home_t.
	files_search_home($1)
	allow $1 sysadm_home_dir_t:dir r_dir_perms;
	allow $1 sysadm_home_t:dir r_dir_perms;

	# Regular files and symlinks inside the home tree.  Note
	# this exposes the administrator's files (e.g. shell
	# history, keys) to the caller; grant sparingly.
	allow $1 sysadm_home_t:file r_file_perms;
	allow $1 sysadm_home_t:lnk_file r_file_perms;
')
1179 | ||
########################################
## <summary>
##	Search all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_all_users_home',`
	gen_require(`
		attribute home_dir_type;
		attribute home_type;
		class dir search;
	')

	# Listing of /home itself, then search on every user's
	# home directory and home content directory.  Both
	# attributes are required; home_type also carries the
	# home directory types, so the second rule is a superset
	# of the first but is kept for clarity.
	files_list_home($1)
	allow $1 home_dir_type:dir search;
	allow $1 home_type:dir search;
')
1197 | ||
########################################
## <summary>
##	Do not audit attempts to search all users home directories.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_all_users_home',`
	gen_require(`
		class dir search;
		attribute home_dir_type;
		attribute home_type;
	')

	# Silences the denial only; /home itself is not covered.
	dontaudit $1 home_dir_type:dir search;
	dontaudit $1 home_type:dir search;
')
1214 | ||
########################################
## <summary>
##	Read all files in all users home directories.
## </summary>
## <desc>
##	<p>
##	Grants read and directory-listing access to every
##	home directory and every file labeled with a home
##	type, for all users including administrative ones.
##	This is a very broad grant and should be limited to
##	domains that genuinely need to see every user's data
##	(e.g. backup tools).
##	</p>
##	<p>
##	Only regular files are covered; symbolic links in
##	home directories are not readable through this
##	interface, unlike userdom_read_staff_home_files()
##	and userdom_read_sysadm_home_files().
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_all_user_files',`
	gen_require(`
		class dir r_dir_perms;
		class file r_file_perms;
		attribute home_type;
	')

	# home_type covers both the home directories and the
	# content inside them.
	allow $1 home_type:file r_file_perms;
	allow $1 home_type:dir r_dir_perms;
	files_list_home($1)
')
1234 | ||
########################################
## <summary>
##	Write all unprivileged users files in /tmp.
## </summary>
## <desc>
##	<p>
##	Grants getattr, write and append on existing files
##	carrying the user_tmpfile attribute.  It does not
##	grant read, create, unlink, or search on the /tmp
##	directory itself; callers need those separately.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
	gen_require(`
		class file { getattr write append };
		attribute user_tmpfile;
	')

	# Write access to another user's temporary files lets
	# the caller alter data that user will later consume;
	# keep this to domains that act on the user's behalf.
	allow $1 user_tmpfile:file { getattr write append };
')
1251 | ||
########################################
## <summary>
##	Inherit the file descriptors from all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
	gen_require(`
		class fd use;
		attribute userdomain;
	')

	# userdomain includes the administrative user domains,
	# so descriptors opened by an administrator and passed
	# down (e.g. an open terminal or file) become usable
	# by the caller.  Prefer userdom_use_unpriv_users_fd()
	# when only unprivileged users are involved.
	allow $1 userdomain:fd use;
')
1268 | ||
########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		class process signal;
		attribute userdomain;
	')

	# Covers administrative user domains too, so the caller
	# can terminate an administrator's processes.  Only the
	# generic "signal" permission is granted; sigkill,
	# sigstop and sigchld are not included.
	allow $1 userdomain:process signal;
')
1285 | ||
########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		class process signal;
		attribute unpriv_userdomain;
	')

	# Restricted to unpriv_userdomain; administrative user
	# domains cannot be signalled through this interface.
	# Only the generic "signal" permission is granted.
	allow $1 unpriv_userdomain:process signal;
')
1302 | ||
########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_unpriv_users_fd',`
	gen_require(`
		class fd use;
		attribute unpriv_userdomain;
	')

	# Descriptors inherited from unprivileged user domains
	# only; administrative user domains are excluded.
	allow $1 unpriv_userdomain:fd use;
')
1319 | ||
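########################################
## <summary>
##	Do not audit attempts to inherit the file
##	descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	# Only unpriv_userdomain is covered (the previous summary
	# said "all user domains"); denials involving
	# administrative user domains are still audited.
	dontaudit $1 unpriv_userdomain:fd use;
')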
1337 | ||
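########################################
## <summary>
##	Do not audit attempts to use unprivileged
##	user ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
	gen_require(`
		attribute user_ttynode;
		class chr_file rw_file_perms;
	')

	# Silences the denial only; no access to the tty is
	# granted.
	dontaudit $1 user_ttynode:chr_file rw_file_perms;
')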
1355 | |
########################################
## <summary>
##	Unconfined access to user domains.
## </summary>
## <desc>
##	<p>
##	Despite the name, the access actually granted here is
##	narrow: full directory permissions on user_home_dir_t
##	plus the ability to create home directories of that
##	type under /home.  Anything broader must come from the
##	caller's other rules.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`userdom_unconfined',`
	gen_require(`
		class dir create_dir_perms;
		type user_home_dir_t;
	')

	# Create home directories labeled user_home_dir_t under
	# /home, and manage those directories.
	files_create_home_dirs($1,user_home_dir_t)
	allow $1 user_home_dir_t:dir create_dir_perms;
')