Commit | Line | Data |
---|---|---|
b16c6b8c CP |
1 | # Copyright (C) 2005 Tresys Technology, LLC |
2 | ||
3 | policy_module(userdomain,1.0) | |
4 | ||
5 | ######################################## | |
6 | # | |
7 | # Declarations | |
8 | # | |
9 | ||
10 | # The privhome attribute identifies every domain that can create files under | |
11 | # regular user home directories in the regular context (i.e., a domain that | |
12 | # acts on behalf of a user when writing regular files). | |
13 | attribute privhome; | |
14 | ||
15 | # all user domains | |
16 | attribute userdomain; | |
17 | ||
18 | # unprivileged user domains | |
19 | attribute unpriv_userdomain; | |
20 | ||
21 | # Allow execution of anonymous memory mappings, e.g. an executable stack. Off by default because it lets a domain execute memory it can also write. | |
22 | bool allow_execmem false; | |
23 | ||
24 | # Support shared libraries that require text relocations | |
25 | bool allow_execmod false; | |
26 | ||
27 | # Allow system to run with Kerberos | |
28 | bool allow_kerberos false; | |
29 | ||
30 | # Allow system to run with NIS | |
31 | bool allow_ypbind false; | |
32 | ||
33 | # Allow reading of default_t files. | |
34 | bool read_default_t false; | |
35 | ||
36 | # Allow staff_r users to search the sysadm home dir and read | |
37 | # files (such as ~/.bashrc) | |
38 | bool staff_read_sysadm_file false; | |
39 | ||
40 | # Support NFS home directories | |
41 | bool use_nfs_home_dirs false; | |
42 | ||
43 | # Support SAMBA home directories | |
44 | bool use_samba_home_dirs false; | |
45 | ||
46 | # Allow regular users direct mouse access | |
47 | bool user_direct_mouse false; | |
48 | ||
49 | # Allow users to read system messages. | |
50 | bool user_dmesg false; | |
51 | ||
52 | # Allow users to control network interfaces (also needs USERCTL=true) | |
53 | bool user_net_control false; | |
54 | ||
55 | # Allow users to read and write files on filesystems without extended attributes (FAT, CDROM, floppy) | |
56 | bool user_rw_noexattrfile false; | |
57 | ||
58 | # Allow users to read and write USB devices | |
59 | bool user_rw_usb false; | |
60 | ||
61 | # Allow users to run TCP servers (bind to ports and accept connections from | |
62 | # the same domain and from outside users). Disabling this forces FTP passive | |
63 | # mode and may change the behavior of other protocols. | |
64 | bool user_tcp_server false; | |
65 | ||
66 | # Allow the w command to display every user | |
67 | bool user_ttyfile_stat false; | |
68 | ||
69 | user_domain_template(staff) | |
70 | user_domain_template(user) | |
71 | ||
72 | type sysadm_t; | |
73 | domain_make_domain(sysadm_t) | |
74 | per_userdomain_templates(sysadm) | |
75 | ||
76 | ######################################## | |
77 | # | |
78 | # Local policy | |
79 | # |