[people/stevee/selinux-policy.git] / refpolicy / policy / modules / system / userdomain.te

# Copyright (C) 2005 Tresys Technology, LLC

policy_module(userdomain,1.0)

########################################
#
# Declarations
#

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

# Allow execution of anonymous mappings, e.g. executable stack.
bool allow_execmem false;

# Support Share libraries with Text Relocation
bool allow_execmod false;

# Allow system to run with kerberos
bool allow_kerberos false;

# Allow system to run with NIS
bool allow_ypbind false;

# Allow reading of default_t files.
bool read_default_t false;

# Allow staff_r users to search the sysadm home dir and read
# files (such as ~/.bashrc)
bool staff_read_sysadm_file false;

# Support NFS home directories
bool use_nfs_home_dirs false;

# Support SAMBA home directories
bool use_samba_home_dirs false;

# Allow regular users direct mouse access 
bool user_direct_mouse false;

# Allow users to read system messages.
bool user_dmesg false;

# Allow users to control network interfaces (also needs USERCTL=true)
bool user_net_control false;

# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
bool user_rw_noexattrfile false;

# Allow users to rw usb devices
bool user_rw_usb false;

# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users)  disabling this forces FTP passive mode
# and may change other protocols 
bool user_tcp_server false;

# Allow w to display everyone
bool user_ttyfile_stat false;

user_domain_template(staff)
user_domain_template(user)

type sysadm_t;
domain_make_domain(sysadm_t)
per_userdomain_templates(sysadm)

########################################
#
# Local policy
#
Commit	Line	Data
b16c6b8c CP	1	# Copyright (C) 2005 Tresys Technology, LLC
	2
	3	policy_module(userdomain,1.0)
	4
	5	########################################
	6	#
	7	# Declarations
	8	#
	9
	10	# The privhome attribute identifies every domain that can create files under
	11	# regular user home directories in the regular context (IE act on behalf of
	12	# a user in writing regular files)
	13	attribute privhome;
	14
	15	# all user domains
	16	attribute userdomain;
	17
	18	# unprivileged user domains
	19	attribute unpriv_userdomain;
	20
	21	# Allow execution of anonymous mappings, e.g. executable stack.
	22	bool allow_execmem false;
	23
	24	# Support Share libraries with Text Relocation
	25	bool allow_execmod false;
	26
	27	# Allow system to run with kerberos
	28	bool allow_kerberos false;
	29
	30	# Allow system to run with NIS
	31	bool allow_ypbind false;
	32
	33	# Allow reading of default_t files.
	34	bool read_default_t false;
	35
	36	# Allow staff_r users to search the sysadm home dir and read
	37	# files (such as ~/.bashrc)
	38	bool staff_read_sysadm_file false;
	39
	40	# Support NFS home directories
	41	bool use_nfs_home_dirs false;
	42
	43	# Support SAMBA home directories
	44	bool use_samba_home_dirs false;
	45
	46	# Allow regular users direct mouse access
	47	bool user_direct_mouse false;
	48
	49	# Allow users to read system messages.
	50	bool user_dmesg false;
	51
	52	# Allow users to control network interfaces (also needs USERCTL=true)
	53	bool user_net_control false;
	54
	55	# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
	56	bool user_rw_noexattrfile false;
	57
	58	# Allow users to rw usb devices
	59	bool user_rw_usb false;
	60
	61	# Allow users to run TCP servers (bind to ports and accept connection from
	62	# the same domain and outside users) disabling this forces FTP passive mode
	63	# and may change other protocols
	64	bool user_tcp_server false;
65
66	# Allow w to display everyone
67	bool user_ttyfile_stat false;
68
69	user_domain_template(staff)
70	user_domain_template(user)
71
72	type sysadm_t;
73	domain_make_domain(sysadm_t)
74	per_userdomain_templates(sysadm)
75
76	########################################
77	#
78	# Local policy
79	#