1 ## <summary>Policy for user domains</summary>
3 #######################################
5 ## The template containing rules common to unprivileged
6 ## users and administrative users.
10 ## This template creates a user domain, types, and
11 ## rules for the user's tty, pty, home directories,
12 ## tmp, and tmpfs files.
## This generally should not be used directly; rather, the
## unpriv_user_template or admin_user_template should be used.
20 ## <param name="userdomain_prefix">
21 ## The prefix of the user domain (e.g., user
22 ## is the prefix for user_t).
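template(`base_user_template',`
	# Baseline shared by unprivileged and administrative user domains:
	# declares the domain, its tty/pty, home, tmp, tmpfs and untrusted
	# content types, and the access every login user receives.  The
	# matching user role referenced by the run_ style interfaces below is
	# expected to be declared by the caller; that declaration is not
	# visible in this template.
	attribute $1_file_type;

	type $1_t, userdomain;
	corecmd_shell_entry_type($1_t)
	domain_user_exemption_target($1_t)

	term_user_pty($1_t,$1_devpts_t)
	files_type($1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_associate_tmp($1_home_t)
	fs_associate_tmpfs($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	files_type($1_home_dir_t)
	files_associate_tmp($1_home_dir_t)
	fs_associate_tmpfs($1_home_dir_t)

	type $1_tmp_t, $1_file_type;
	files_tmp_file($1_tmp_t)

	files_tmpfs_file($1_tmpfs_t)

	# types for network-obtained content
	type $1_untrusted_content_t, $1_file_type; #, customizable
	files_type($1_untrusted_content_t)
	files_poly_member($1_untrusted_content_t)

	type $1_untrusted_content_tmp_t, $1_file_type; # customizable
	files_tmp_file($1_untrusted_content_tmp_t)

	term_tty($1_t,$1_tty_device_t)

	##############################

	# Capability permissions only take effect for a process in this domain
	# that also holds the Linux capability (CAP_SETGID, CAP_CHOWN,
	# CAP_FOWNER); chown and fowner override DAC ownership checks, so this
	# set should stay minimal.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };

	# The negated set withholds setcurrent, setexec, setrlimit and the
	# exec* memory permissions; the rule after it re-adds ptrace and
	# setfscreate (allow rules are unioned), so the effective grant is every
	# process permission except setcurrent setexec setrlimit execmem
	# execstack execheap.  execmem and execstack are re-granted only by the
	# allow_execmem / allow_execstack tunables further down.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory
	can_exec($1_t,$1_home_t)

	# full control of the home directory, including relabeling.
	# Because relabelto on the home content type is granted here, the user
	# can relabel untrusted_content files (see below) into the home type and
	# then read or execute them regardless of the read_untrusted_content
	# tunable; that tunable is a convenience for applications, not a
	# boundary the user domain cannot cross.
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	can_exec($1_t,$1_tmp_t)

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# Bind to a Unix domain socket in /tmp.
	# cjp: this combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	# Allow user to relabel untrusted content.  No read or write access to
	# the content itself is granted here; reading is gated by the
	# read_untrusted_content tunable below.
	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };

	# use file descriptors inherited from any unprivileged user domain
	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	per_userdomain_templates($1,$1_t,$1_r)

	kernel_read_kernel_sysctl($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)

	dev_rw_power_management($1_t)
	# GNOME checks for usb and other devices:

	# Unrestricted client networking: send and receive on every interface,
	# node and port, and connect to any TCP port (including reserved ones).
	# Listening is narrower: UDP may bind generic ports here; TCP listening
	# is only granted via the user_tcp_server tunable in
	# unpriv_user_template.
	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	corenet_udp_bind_generic_port($1_t)
	corenet_tcp_connect_all_ports($1_t)

	# sound devices are directly readable and writable by every user domain
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)

	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_search_auto_mountpoints($1_t)

	# cjp: some of this probably can be removed
	# (selinux_get_fs_mount was previously also called next to the kernel
	# rules above; the duplicate call was removed, this is the only one)
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)

	storage_getattr_fixed_disk($1_t)

	auth_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)
	# pam and utempter run in their own domains on the user tty/pty
	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecmd_exec_bin($1_t)
	corecmd_exec_sbin($1_t)
	corecmd_exec_ls($1_t)

	# Entry point binaries of every domain are executable from here; no
	# domain transition is set up by this rule, so a daemon binary started
	# from the user shell keeps running in the user domain.
	domain_exec_all_entry_files($1_t)
	domain_use_wide_inherit_fd($1_t)
	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_t)
	domain_dontaudit_getsession_all_domains($1_t)

	files_exec_etc_files($1_t)
	files_search_locks($1_t)
	# old browser_domain():
	files_dontaudit_list_non_security($1_t)
	files_dontaudit_getattr_non_security_files($1_t)
	files_dontaudit_getattr_non_security_symlinks($1_t)
	files_dontaudit_getattr_non_security_pipes($1_t)
	files_dontaudit_getattr_non_security_sockets($1_t)
	files_dontaudit_getattr_non_security_blk_dev($1_t)
	files_dontaudit_getattr_non_security_chr_dev($1_t)

	# Caused by su - init scripts
	init_dontaudit_use_script_pty($1_t)

	libs_use_shared_libs($1_t)
	libs_exec_ld_so($1_t)
	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_read_fonts($1_t)
	# for running TeX programs
	miscfiles_read_tetex_data($1_t)
	miscfiles_exec_tetex_data($1_t)

	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)
	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	# Executable memory is opt-in; note that execstack additionally
	# requires allow_execmem, so the two booleans cannot be set
	# independently to get an executable stack alone.
	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;

	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		allow $1_t self:process execstack;

	tunable_policy(`read_default_t',`
		files_list_default($1_t)
		files_read_default_files($1_t)
		files_read_default_symlinks($1_t)
		files_read_default_sockets($1_t)
		files_read_default_pipes($1_t)

		files_dontaudit_list_default($1_t)
		files_dontaudit_read_default_files($1_t)

	# Reading downloaded content is opt-in; see the relabel note above for
	# why this does not stop the user domain itself.
	tunable_policy(`read_untrusted_content',`
		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };

		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;

	# Network home directories: these interfaces appear to act on the
	# filesystem-wide nfs/cifs types rather than a per-user type, so with
	# the boolean on every file on such a mount is manageable and
	# executable by this domain.
	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)

		fs_dontaudit_manage_nfs_dirs($1_t)
		fs_dontaudit_manage_nfs_files($1_t)

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)

		fs_dontaudit_manage_cifs_dirs($1_t)
		fs_dontaudit_manage_cifs_files($1_t)

	tunable_policy(`user_direct_mouse',`

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)

	optional_policy(`dbus.te',`
		dbus_system_bus_client_template($1,$1_t)

	optional_policy(`dictd.te',`

	optional_policy(`ftp.te',`
		tunable_policy(`ftpd_is_daemon',`
			ftp_tcp_connect($1_t)

	optional_policy(`finger.te',`
		finger_tcp_connect($1_t)

	optional_policy(`inetd.te',`
		inetd_tcp_connect($1_t)

	optional_policy(`inn.te',`
		inn_read_config($1_t)
		inn_read_news_lib($1_t)
		inn_read_news_spool($1_t)

	optional_policy(`nis.te',`

	optional_policy(`mysql.te',`
		ifdef(`targeted_policy',`',`
			tunable_policy(`allow_user_mysql_connect',`
				mysql_stream_connect($1_t)

	optional_policy(`nscd.te',`
		nscd_use_socket($1_t)

	optional_policy(`pcmcia.te',`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_t)

	optional_policy(`quota.te',`
		quota_dontaudit_getattr_db($1_t)

	optional_policy(`rpm.te',`
		files_getattr_var_lib_dir($1_t)
		files_search_var_lib($1_t)

	optional_policy(`squid.te',`

	optional_policy(`usermanage.te',`
		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	# Cups daemon running as user tries to write /etc/printcap
	dontaudit $1_t usr_t:file setattr;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	# Added to allow reading of cdrom
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	# Running ifconfig as a user generates the following
	dontaudit $1_t sysctl_net_t:dir search;

	r_dir_file($1_t, usercanread)

	allow $1_t fs_type:dir getattr;

	# old browser_domain():
	# These rules used the bare prefix as the source, which is not a type
	# in this template (the domain is the _t type); corrected to the domain.
	dontaudit $1_t unlabeled_t:dir_file_class_set getattr;
	dontaudit $1_t unlabeled_t:dir search;
	dontaudit $1_t unlabeled_t:dir read;
	dontaudit $1_t { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
	dontaudit $1_t { fs_type proc_fs dev_fs sysctl_type }:dir search;
	dontaudit $1_t { fs_type proc_fs dev_fs sysctl_type }:dir read;

	allow $1_t usbtty_device_t:chr_file read;

	can_resmgrd_connect($1_t)

	# Grant permissions to access the system DBus
	# (messages flow in both directions between the user domain and hald)
	allow $1_t hald_t:dbus send_msg;
	allow hald_t $1_t:dbus send_msg;

	# Gnome pannel binds to the following
	allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;

	# NOTE(review): these reference inetd_t unconditionally while the same
	# connect is also granted inside the optional_policy inetd.te block
	# above; presumably an ifdef wraps this group -- confirm.
	inetd_tcp_connect($1_t)
	can_udp_send($1_t, inetd_t)
	can_udp_send(inetd_t, $1_t)
	# Inherit and use sockets from inetd
	allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	# NOTE(review): both arguments are the bare prefix rather than the
	# domain type; the old x_client_domain macro signature is not visible
	# here, so this call is left unchanged -- confirm the intended args.
	x_client_domain($1, $1)

	ifdef(`xserver.te', `
		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;

		# Connect to the X server run by the X Display Manager.
		can_unix_connect($1_t, xdm_t)
		# certain apps want to read xdm.pid file
		r_dir_file($1_t, xdm_var_run_t)
		allow $1_t xdm_var_lib_t:file r_file_perms;
		allow xdm_t $1_home_dir_t:dir getattr;

		# xdm creates the xauth cookie file in the home directory
		file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)

	# cjp: this macro is unconditional, though
	# it is in a conditional file.

	# Manipulate the global font cache
	# (source corrected from the bare prefix to the domain type, matching
	# the other r_dir_file/create_dir_file calls in this template)
	create_dir_file($1_t, $1_fonts_cache_t)

	# Read per user fonts and font config
	r_dir_file($1_t, $1_fonts_t)
	r_dir_file($1_t, $1_fonts_config_t)

	# There are some fonts in .gnome2
	# NOTE(review): uses the bare prefix as source and a second template
	# argument that base_user_template does not take; left unchanged
	# because the intended target type cannot be determined here -- fix
	# once the gnome settings type for this user is known.
	allow $1 $2_gnome_settings_t:dir { getattr search };

	# unconditional write access to nfsd_rw_t content for every user domain
	create_dir_file($1_t, nfsd_rw_t)

	# Allow graphical boot to check battery lifespan
	allow $1_t apmd_t:unix_stream_socket connectto;
	allow $1_t apmd_var_run_t:sock_file write;

	ifdef(`pamconsole.te', `
		allow $1_t pam_var_console_t:dir search;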
500 #######################################
## The template for creating an unprivileged user.
506 ## This template creates a user domain, types, and
507 ## rules for the user's tty, pty, home directories,
508 ## tmp, and tmpfs files.
511 ## <param name="userdomain_prefix">
512 ## The prefix of the user domain (e.g., user
513 ## is the prefix for user_t).
template(`unpriv_user_template', `
	##############################

	# Inherit rules for ordinary users.
	base_user_template($1)

	# Mark this as an unprivileged user domain and let its file
	# descriptors be inherited widely (pairs with the
	# domain_use_wide_inherit_fd call in base_user_template).
	typeattribute $1_t unpriv_userdomain;
	domain_wide_inherit_fd($1_t)

	typeattribute $1_devpts_t user_ptynode;

	typeattribute $1_home_dir_t user_home_dir_type;
	files_poly($1_home_dir_t)

	typeattribute $1_home_t user_home_type;
	files_poly_member($1_home_t)

	typeattribute $1_tmp_t user_tmpfile;
	typeattribute $1_tty_device_t user_ttynode;

	##############################

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# privileged home directory writers: every domain carrying the
	# privhome attribute (admin_user_template adds it) gets full write
	# access to this user home content and creates it with the home type.
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)

	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_etc_files($1_t)
	files_list_home($1_t)
	files_read_usr_files($1_t)
	files_exec_usr_files($1_t)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_t)
	files_read_world_readable_files($1_t)
	files_read_world_readable_symlinks($1_t)
	files_read_world_readable_pipes($1_t)
	files_read_world_readable_sockets($1_t)

	init_read_script_pid($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_write_script_pid($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fd($1_t)
	init_dontaudit_use_script_fd($1_t)

	miscfiles_read_man_pages($1_t)

	seutil_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	seutil_exec_checkpol($1_t)

	ifdef(`enable_polyinstantiation',`
		type_member $1_t $1_home_dir_t:dir $1_home_t;
		files_poly_member_tmp($1_t)

	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)

		kernel_dontaudit_read_ring_buffer($1_t)

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_port($1_t)

	optional_policy(`kerberos.te',`

	optional_policy(`loadkeys.te',`
		loadkeys_run($1_t,$1_r,$1_tty_device_t)

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_module_conf($1_t)

	optional_policy(`netutils.te',`
		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	optional_policy(`selinuxutil.te',`
		# for when the network connection is killed
		seutil_dontaudit_signal_newrole($1_t)

	# Need the following rule to allow users to run vpnc
	optional_policy(`xserver.te', `
		corenetwork_bind_tcp_on_xserver_port($1_t)

	# Outside MLS builds, files on filesystems without xattr labels are
	# executable unconditionally, and the user_rw_noexattrfile tunable adds
	# raw read/write of removable block devices.  Raw device access
	# bypasses any file-level labeling on that media, so the boolean is a
	# real trust decision.  The same group is repeated in
	# admin_user_template.
	ifdef(`enable_mls',`',`
		fs_exec_noxattr($1_t)
		tunable_policy(`user_rw_noexattrfile',`
			create_dir_file($1_t, noexattrfile)

			storage_raw_read_removable_device($1_t)
			storage_raw_write_removable_device($1_t)
			# cjp: what does this have to do with removable devices?
			allow $1_t usbtty_device_t:chr_file write;

			r_dir_file($1_t, noexattrfile)
			r_dir_file($1_t, removable_t)
			allow $1_t removable_device_t:blk_file r_file_perms;

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	# xdm only needs to locate files in the home directory; read/write
	# of home content is deliberately not granted (see below).
	allow xdm_t $1_home_t:lnk_file read;
	allow xdm_t $1_home_t:dir search;

	# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
	dontaudit xdm_t $1_home_t:file rw_file_perms;

	# ftpd creates home content with the user home type when enabled
	tunable_policy(`ftp_home_dir',`
		file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)

	ifdef(`useradd.te', `
		# Useradd relabels /etc/skel files so needs these privs
		# (full create/write on every file type of this user, not only
		# the home types)
		allow useradd_t $1_file_type:dir create_dir_perms;
		allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;

	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	r_dir_file($1_t, var_t)
	# what about pipes and sockets under /var/spool?
	r_dir_file($1_t, var_spool_t)
	r_dir_file($1_t, var_run_t)
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	tunable_policy(`user_rw_usb',`
		rw_dir_create_file($1_t,usbdevfs_t)

		r_dir_file($1_t,usbdevfs_t)

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
		# Some programs that are left in $1_t will try to connect
		# to syslogd, but we do not want to let them generate log messages.
		dontaudit $1_t devlog_t:sock_file { read write };
		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;

	# write end of init script pipes, granted unconditionally
	allow $1_t initrc_t:fifo_file write;
723 #######################################
725 ## The template for creating an administrative user.
729 ## This template creates a user domain, types, and
730 ## rules for the user's tty, pty, home directories,
731 ## tmp, and tmpfs files.
734 ## The privileges given to administrative users are:
736 ## <li>Raw disk access</li>
737 ## <li>Set all sysctls</li>
738 ## <li>All kernel ring buffer controls</li>
739 ## <li>Set SELinux enforcement mode (enforcing/permissive)</li>
740 ## <li>Set SELinux booleans</li>
741 ## <li>Relabel all files but shadow</li>
742 ## <li>Create, read, write, and delete all files but shadow</li>
743 ## <li>Manage source and binary format SELinux policy</li>
744 ## <li>Run insmod</li>
748 ## <param name="userdomain_prefix">
749 ## The prefix of the user domain (e.g., sysadm
750 ## is the prefix for sysadm_t).
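template(`admin_user_template',`
	# Administrative user domain.  Everything in base_user_template plus the
	# privileges listed in the interface description above.  None of the
	# grants below are gated by a tunable: a process in this domain can set
	# the enforcement mode, booleans and the policy itself, so the domain is
	# as trusted as the kernel policy it can rewrite.
	class passwd { passwd chfn chsh rootok crontab };

	##############################

	# Inherit rules for ordinary users.
	base_user_template($1)

	# privhome grants full write access to every unprivileged user home
	# type (see unpriv_user_template).
	typeattribute $1_t privhome;
	domain_obj_id_change_exempt($1_t)
	# the admin domain is also valid in system_r
	role system_r types $1_t;

	ifdef(`direct_sysadm_daemon',`
		domain_system_change_exempt($1_t)

	typeattribute $1_devpts_t admin_terminal;

	typeattribute $1_tty_device_t admin_terminal;

	##############################

	# Every capability except sys_module; module loading goes through the
	# insmod domain transition below instead.
	allow $1_t self:capability ~sys_module;
	# setexec/setfscreate let the admin pick the context of children and
	# of created files, which base_user_template withholds.
	allow $1_t self:process { setexec setfscreate };

	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };

	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	# for the administrator to run TCP servers directly
	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };

	# read privileged audit configuration over netlink
	allow $1_t self:netlink_audit_socket nlmsg_readpriv;

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctl($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	# for the administrator to run TCP servers directly
	kernel_tcp_recvfrom($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_use_tun_tap_device($1_t)

	dev_getattr_generic_blk_file($1_t)
	dev_getattr_generic_chr_file($1_t)
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_set_all_quotas($1_t)
	fs_exec_noxattr($1_t)

	# SELinux control: enforcement mode, booleans and parameters.  A
	# compromise of this domain is therefore equivalent to a compromise of
	# the policy; nothing below this line is meaningful without it.
	selinux_set_enforce_mode($1_t)
	selinux_set_boolean($1_t)
	selinux_set_parameters($1_t)
	# Get security policy decisions:
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)

	# raw removable media access, unconditional here (the unprivileged
	# template gates the same access behind user_rw_noexattrfile)
	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)

	term_use_console($1_t)
	term_use_unallocated_tty($1_t)
	term_use_all_user_ptys($1_t)
	term_use_all_user_ttys($1_t)

	# shadow is the one file type excluded from the manage/relabel grants;
	# only getattr is permitted on it
	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	domain_getattr_all_domains($1_t)
	# ptrace of other domains is not granted, only silenced
	domain_dontaudit_ptrace_all_domains($1_t)
	# signal all domains:
	# (a duplicated domain_sigstop_all_domains call was removed)
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)

	domain_getattr_all_sockets($1_t)

	files_exec_usr_src_files($1_t)

	init_use_initctl($1_t)

	logging_send_syslog_msg($1_t)

	# module loading runs in the insmod domain rather than here
	modutils_domtrans_insmod($1_t)

	seutil_read_config($1_t)
	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_pol($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_binary_pol($1_t)

	optional_policy(`cron.te',`
		cron_admin_template($1)

	allow $1_t mtrr_device_t:file getattr;
	allow $1_t eventpollfs_t:file getattr;

	allow $1_t serial_device:chr_file setattr;

	allow $1_t ptyfile:chr_file getattr;

	# Run admin programs that require different permissions in their own domain.
	# These rules were moved into the appropriate program domain file.

	ifdef(`xserver.te', `
		# Create files in /tmp/.X11-unix with our X servers derived
		# tmp type rather than user_xserver_tmp_t.
		file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)

	# graphical login into the admin domain is opt-in
	tunable_policy(`xdm_sysadm_login',`
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;

	# Connect data port to ftpd.
	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

	# Connect second port to rshd.
	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

	# Allow MAKEDEV to work: create, remove and rename device nodes of any
	# device type directly in /dev (relies on the mknod capability granted
	# above).
	allow $1_t device_t:dir rw_dir_perms;
	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
	allow $1_t device_t:lnk_file { create read };

	# A user who is authorized for sysadm_t may nonetheless have
	# a home directory labeled with user_home_t if the user is expected
	# to login in either user_t or sysadm_t. Hence, the derived domains
	# for programs need to be able to access user_home_t.

	# Allow our gph domain to write to .xsession-errors.
	ifdef(`gnome-pty-helper.te', `
		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
		allow $1_gph_t user_home_type:file create_file_perms;

	# Run programs from staff home directories.
	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
	can_exec($1_t, staff_home_t)

	# Same group as in unpriv_user_template; the raw removable device
	# access is already granted unconditionally above, so only the
	# noexattrfile/removable_t file rules add anything here.
	tunable_policy(`user_rw_noexattrfile',`
		create_dir_file($1_t, noexattrfile)

		storage_raw_read_removable_device($1_t)
		storage_raw_write_removable_device($1_t)
		# cjp: what does this have to do with removable devices?
		allow $1_t usbtty_device_t:chr_file write;

		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;

		# source corrected from the bare prefix to the domain type, matching
		# the rules above
		allow $1_t removable_t:filesystem getattr;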
968 ########################################
970 ## Search user home directories.
974 ## Search user home directories.
977 ## This is a templated interface, and should only
978 ## be called from a per-userdomain template.
981 ## <param name="userdomain_prefix">
982 ## The prefix of the user domain (e.g., user
983 ## is the prefix for user_t).
985 ## <param name="domain">
986 ## The type of the process performing this action.
template(`userdom_search_user_home',`
	# Lets the caller traverse the top-level home directory of this user;
	# no access to the contents (the home content type) is granted.
	class dir { getattr search };

	files_search_home($2)
	allow $2 $1_home_dir_t:dir { getattr search };
998 ########################################
1000 ## Read user home files.
1004 ## Read user home files.
1007 ## This is a templated interface, and should only
1008 ## be called from a per-userdomain template.
1011 ## <param name="userdomain_prefix">
1012 ## The prefix of the user domain (e.g., user
1013 ## is the prefix for user_t).
1015 ## <param name="domain">
1016 ## The type of the process performing this action.
template(`userdom_read_user_home_files',`
	# Read-only access to the regular files under this user home; symlinks
	# and other object classes are not covered.
	class file r_file_perms;

	files_search_home($2)
	allow $2 $1_home_dir_t:dir search;
	allow $2 $1_home_t:dir search;
	allow $2 $1_home_t:file r_file_perms;
1031 ########################################
1033 ## Execute user home files.
1037 ## Execute user home files.
1040 ## This is a templated interface, and should only
1041 ## be called from a per-userdomain template.
1044 ## <param name="userdomain_prefix">
1045 ## The prefix of the user domain (e.g., user
1046 ## is the prefix for user_t).
1048 ## <param name="domain">
1049 ## The type of the process performing this action.
template(`userdom_exec_user_home_files',`
	# Execute files under this user home in the calling domain (can_exec
	# sets up no domain transition), so user-controlled content runs with
	# the privileges of the caller.
	files_search_home($2)
	allow $2 $1_home_dir_t:dir search;
	allow $2 $1_home_t:dir search;
	can_exec($2,$1_home_t)
1063 ########################################
1065 ## Create, read, write, and delete files
1066 ## in a user home subdirectory.
1070 ## Create, read, write, and delete files
1071 ## in a user home subdirectory.
1074 ## This is a templated interface, and should only
1075 ## be called from a per-userdomain template.
1078 ## <param name="userdomain_prefix">
1079 ## The prefix of the user domain (e.g., user
1080 ## is the prefix for user_t).
1082 ## <param name="domain">
1083 ## The type of the process performing this action.
template(`userdom_manage_user_home_subdir_files',`
	# Full create/read/write/delete on regular files under this user home.
	# The top-level home directory itself is only searched, not written.
	class dir rw_dir_perms;
	class file create_file_perms;

	files_search_home($2)
	allow $2 $1_home_dir_t:dir search;
	allow $2 $1_home_t:dir rw_dir_perms;
	allow $2 $1_home_t:file create_file_perms;
1098 ########################################
1100 ## Create, read, write, and delete symbolic links
1101 ## in a user home subdirectory.
1105 ## Create, read, write, and delete symbolic links
1106 ## in a user home subdirectory.
1109 ## This is a templated interface, and should only
1110 ## be called from a per-userdomain template.
1113 ## <param name="userdomain_prefix">
1114 ## The prefix of the user domain (e.g., user
1115 ## is the prefix for user_t).
1117 ## <param name="domain">
1118 ## The type of the process performing this action.
template(`userdom_manage_user_home_subdir_symlinks',`
	# Full control of symbolic links under this user home; the top-level
	# home directory is only searched.
	class dir rw_dir_perms;
	class lnk_file create_lnk_perms;

	files_search_home($2)
	allow $2 $1_home_dir_t:dir search;
	allow $2 $1_home_t:dir rw_dir_perms;
	allow $2 $1_home_t:lnk_file create_lnk_perms;
1133 ########################################
1135 ## Create, read, write, and delete named pipes
1136 ## in a user home subdirectory.
1140 ## Create, read, write, and delete named pipes
1141 ## in a user home subdirectory.
1144 ## This is a templated interface, and should only
1145 ## be called from a per-userdomain template.
1148 ## <param name="userdomain_prefix">
1149 ## The prefix of the user domain (e.g., user
1150 ## is the prefix for user_t).
1152 ## <param name="domain">
1153 ## The type of the process performing this action.
template(`userdom_manage_user_home_subdir_pipes',`
	# Full control of named pipes under this user home; the top-level
	# home directory is only searched.
	class dir rw_dir_perms;
	class fifo_file create_file_perms;

	files_search_home($2)
	allow $2 $1_home_dir_t:dir search;
	allow $2 $1_home_t:dir rw_dir_perms;
	allow $2 $1_home_t:fifo_file create_file_perms;
1168 ########################################
1170 ## Create, read, write, and delete named sockets
1171 ## in a user home subdirectory.
1175 ## Create, read, write, and delete named sockets
1176 ## in a user home subdirectory.
1179 ## This is a templated interface, and should only
1180 ## be called from a per-userdomain template.
1183 ## <param name="userdomain_prefix">
1184 ## The prefix of the user domain (e.g., user
1185 ## is the prefix for user_t).
1187 ## <param name="domain">
1188 ## The type of the process performing this action.
template(`userdom_manage_user_home_subdir_sockets',`
	# Full control of named sockets under this user home; the top-level
	# home directory is only searched.
	class dir rw_dir_perms;
	class sock_file create_file_perms;

	files_search_home($2)
	allow $2 $1_home_dir_t:dir search;
	allow $2 $1_home_t:dir rw_dir_perms;
	allow $2 $1_home_t:sock_file create_file_perms;
1203 ########################################
## Create objects in a user home directory; the new
## objects are labeled with the user home content type.
1213 ## This is a templated interface, and should only
1214 ## be called from a per-userdomain template.
1217 ## <param name="userdomain_prefix">
1218 ## The prefix of the user domain (e.g., user
1219 ## is the prefix for user_t).
1221 ## <param name="domain">
1222 ## The type of the process performing this action.
1224 ## <param name="object_class" optional="true">
1225 ## The class of the object to be created. If not
1226 ## specified, file is used.
template(`userdom_create_user_home',`
	gen_require(`
		class dir rw_dir_perms;
	')

	# NOTE(review): this file also defines interface(userdom_create_user_home)
	# further down with a different argument layout ($1 = domain, $2 = class).
	# m4 keeps the later definition, so callers of this template form should
	# be checked against which definition actually wins.
	files_search_home($2)
	allow $2 $1_home_dir_t:dir rw_dir_perms;

	# New objects created in the home directory are labelled with the
	# per-user home content type; the object class defaults to file when
	# the optional third argument is omitted.
	ifelse(`$3',`',`
		type_transition $2 $1_home_dir_t:file $1_home_t;
	',`
		type_transition $2 $1_home_dir_t:$3 $1_home_t;
	')
')
1245 ########################################
1247 ## Create, read, write, and delete user
1248 ## temporary directories.
1252 ## Create, read, write, and delete user
1253 ## temporary directories.
1256 ## This is a templated interface, and should only
1257 ## be called from a per-userdomain template.
1260 ## <param name="userdomain_prefix">
1261 ## The prefix of the user domain (e.g., user
1262 ## is the prefix for user_t).
1264 ## <param name="domain">
1265 ## The type of the process performing this action.
template(`userdom_manage_user_tmp_dirs',`
	gen_require(`
		class dir create_dir_perms;
	')

	# Full directory management on the per-user tmp type, plus the
	# search access on /tmp needed to reach it.
	allow $2 $1_tmp_t:dir create_dir_perms;
	files_search_tmp($2)
')
1277 ########################################
1279 ## Create, read, write, and delete user temporary files.
1284 ## Create, read, write, and delete user temporary files.
1288 ## This is a templated interface, and should only
1289 ## be called from a per-userdomain template.
1292 ## <param name="userdomain_prefix">
1293 ## The prefix of the user domain (e.g., user
1294 ## is the prefix for user_t).
1296 ## <param name="domain">
1297 ## The type of the process performing this action.
template(`userdom_manage_user_tmp_files',`
	gen_require(`
		class file create_file_perms;
		class dir rw_dir_perms;
	')

	# Locate /tmp, then manage files of the per-user tmp type and the
	# directory entries that hold them.
	files_search_tmp($2)
	allow $2 $1_tmp_t:file create_file_perms;
	allow $2 $1_tmp_t:dir rw_dir_perms;
')
1311 ########################################
1313 ## Create, read, write, and delete user
1314 ## temporary symbolic links.
1318 ## Create, read, write, and delete user
1319 ## temporary symbolic links.
1322 ## This is a templated interface, and should only
1323 ## be called from a per-userdomain template.
1326 ## <param name="userdomain_prefix">
1327 ## The prefix of the user domain (e.g., user
1328 ## is the prefix for user_t).
1330 ## <param name="domain">
1331 ## The type of the process performing this action.
template(`userdom_manage_user_tmp_symlinks',`
	gen_require(`
		class lnk_file create_lnk_perms;
		class dir rw_dir_perms;
	')

	# Locate /tmp, then manage symlinks of the per-user tmp type and the
	# directory entries that hold them.
	files_search_tmp($2)
	allow $2 $1_tmp_t:lnk_file create_lnk_perms;
	allow $2 $1_tmp_t:dir rw_dir_perms;
')
1345 ########################################
1347 ## Create, read, write, and delete user
1348 ## temporary named pipes.
1352 ## Create, read, write, and delete user
1353 ## temporary named pipes.
1356 ## This is a templated interface, and should only
1357 ## be called from a per-userdomain template.
1360 ## <param name="userdomain_prefix">
1361 ## The prefix of the user domain (e.g., user
1362 ## is the prefix for user_t).
1364 ## <param name="domain">
1365 ## The type of the process performing this action.
template(`userdom_manage_user_tmp_pipes',`
	gen_require(`
		class fifo_file create_file_perms;
		class dir rw_dir_perms;
	')

	# Locate /tmp, then manage named pipes of the per-user tmp type and
	# the directory entries that hold them.
	files_search_tmp($2)
	allow $2 $1_tmp_t:fifo_file create_file_perms;
	allow $2 $1_tmp_t:dir rw_dir_perms;
')
1379 ########################################
1381 ## Create, read, write, and delete user
1382 ## temporary named sockets.
1386 ## Create, read, write, and delete user
1387 ## temporary named sockets.
1390 ## This is a templated interface, and should only
1391 ## be called from a per-userdomain template.
1394 ## <param name="userdomain_prefix">
1395 ## The prefix of the user domain (e.g., user
1396 ## is the prefix for user_t).
1398 ## <param name="domain">
1399 ## The type of the process performing this action.
template(`userdom_manage_user_tmp_sockets',`
	gen_require(`
		class sock_file create_file_perms;
		class dir rw_dir_perms;
	')

	# Locate /tmp, then manage named sockets of the per-user tmp type and
	# the directory entries that hold them.
	files_search_tmp($2)
	allow $2 $1_tmp_t:sock_file create_file_perms;
	allow $2 $1_tmp_t:dir rw_dir_perms;
')
1413 ########################################
1415 ## Read and write a user domain tty and pty.
1419 ## Read and write a user domain tty and pty.
1422 ## This is a templated interface, and should only
1423 ## be called from a per-userdomain template.
1426 ## <param name="userdomain_prefix">
1427 ## The prefix of the user domain (e.g., user
1428 ## is the prefix for user_t).
1430 ## <param name="domain">
1431 ## The type of the process performing this action.
1434 template(`userdom_use_user_terminals',`
# Grant the caller domain ($2) the terminal read/write permission set
# on both device types of the user prefix $1: the tty device node and
# the pty (devpts) node.
1436 class chr_file rw_term_perms;
1439 allow $2 $1_tty_device_t:chr_file rw_term_perms;
1440 allow $2 $1_devpts_t:chr_file rw_term_perms;
1444 ########################################
1446 ## Execute a shell in all user domains. This
1447 ## is an explicit transition, requiring the
1448 ## caller to use setexeccon().
1450 ## <param name="domain">
1451 ## The type of the process performing this action.
interface(`userdom_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# Explicit (setexeccon-driven) shell transition into any domain
	# carrying the userdomain attribute; no automatic transition.
	corecmd_shell_spec_domtrans($1,userdomain)
')
1462 ########################################
1464 ## Execute a shell in all unprivileged user domains. This
1465 ## is an explicit transition, requiring the
1466 ## caller to use setexeccon().
1468 ## <param name="domain">
1469 ## The type of the process performing this action.
interface(`userdom_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Explicit (setexeccon-driven) shell transition limited to the
	# unprivileged user domains; no automatic transition.
	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
')
1480 ########################################
1482 ## Execute a shell in the sysadm domain.
1484 ## <param name="domain">
1485 ## The type of the process performing this action.
interface(`userdom_shell_domtrans_sysadm',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		unconfined_shell_domtrans($1)
	',`
		gen_require(`
			type sysadm_t;
			class process sigchld;
			class fifo_file rw_file_perms;
		')

		# Automatic transition to sysadm_t when the caller executes a shell.
		corecmd_shell_domtrans($1,sysadm_t)

		# Back-channel for the new sysadm_t process: it may use the
		# descriptors and pipe it inherited from the caller and signal the
		# caller on exit; the caller may use descriptors it receives back.
		allow sysadm_t $1:process sigchld;
		allow sysadm_t $1:fifo_file rw_file_perms;
		allow sysadm_t $1:fd use;
		allow $1 sysadm_t:fd use;
	')
')
1509 ########################################
1511 ## Search the staff users home directory.
1513 ## <param name="domain">
1514 ## The type of the process performing this action.
interface(`userdom_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
	')

	# Search only: the caller can traverse the staff home directory but
	# gets no read access to its contents.
	allow $1 staff_home_dir_t:dir search;
	files_search_home($1)
')
1527 ########################################
1529 ## Do not audit attempts to search the staff
1530 ## users home directory.
1532 ## <param name="domain">
1533 ## Domain to not audit.
interface(`userdom_dontaudit_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
	')

	# Silence denials only; no access is granted.
	dontaudit $1 staff_home_dir_t:dir search;
')
1545 ########################################
1547 ## Read files in the staff users home directory.
1549 ## <param name="domain">
1550 ## The type of the process performing this action.
interface(`userdom_read_staff_home_files',`
	gen_require(`
		class lnk_file r_file_perms;
		class file r_file_perms;
		class dir r_dir_perms;
		type staff_home_t, staff_home_dir_t;
	')

	files_search_home($1)

	# Both the home directory itself and its content-typed subdirectories
	# are readable, so the whole staff home tree can be walked; files and
	# symlinks get read-only access.
	allow $1 staff_home_dir_t:dir r_dir_perms;
	allow $1 staff_home_t:dir r_dir_perms;
	allow $1 staff_home_t:file r_file_perms;
	allow $1 staff_home_t:lnk_file r_file_perms;
')
1566 ########################################
1568 ## Send a SIGCHLD signal to sysadm users.
1570 ## <param name="domain">
1571 ## The type of the process performing this action.
interface(`userdom_sigchld_sysadm',`
	gen_require(`
		type sysadm_t;
	')

	# Only SIGCHLD, the child-exit notification; no other signals.
	allow $1 sysadm_t:process sigchld;
')
1582 ########################################
1584 ## Read and write sysadm ttys.
1586 ## <param name="domain">
1587 ## The type of the process performing this action.
interface(`userdom_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# Targeted policy falls back to the generic unallocated tty type.
		term_use_unallocated_tty($1)
	',`
		gen_require(`
			class chr_file rw_term_perms;
			type sysadm_tty_device_t;
		')

		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
		# Listing /dev is granted so the device node can be located.
		dev_list_all_dev_nodes($1)
	')
')
1605 ########################################
1607 ## Do not audit attempts to use sysadm ttys.
1609 ## <param name="domain">
1610 ## Domain to not audit.
interface(`userdom_dontaudit_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# Targeted policy falls back to the generic unallocated tty type.
		term_dontaudit_use_unallocated_tty($1)
	',`
		gen_require(`
			class chr_file { read write };
			type sysadm_tty_device_t;
		')

		# Silence read/write denials only; no access is granted.
		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
	')
')
1626 ########################################
1628 ## Read and write sysadm ptys.
1630 ## <param name="domain">
1631 ## The type of the process performing this action.
interface(`userdom_use_sysadm_pty',`
	ifdef(`targeted_policy',`
		# Targeted policy falls back to the generic pty type.
		term_use_generic_pty($1)
	',`
		gen_require(`
			class chr_file rw_term_perms;
			type sysadm_devpts_t;
		')

		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
		# Listing /dev is granted so the pty node can be located.
		dev_list_all_dev_nodes($1)
	')
')
1649 ########################################
1651 ## Do not audit attempts to read and write sysadm ptys.
1653 ## <param name="domain">
1654 ## Domain to not audit.
interface(`userdom_dontaudit_use_sysadm_pty',`
	ifdef(`targeted_policy',`
		# Targeted policy falls back to the generic pty type.
		term_dontaudit_use_generic_pty($1)
	',`
		gen_require(`
			type sysadm_devpts_t;
		')

		# Silence read/write denials only; no access is granted.
		dontaudit $1 sysadm_devpts_t:chr_file { read write };
	')
')
1669 ########################################
1671 ## Read and write sysadm ttys and ptys.
1673 ## <param name="domain">
1674 ## The type of the process performing this action.
interface(`userdom_use_sysadm_terms',`
	# Convenience wrapper: pty access plus tty access, each handled by its
	# own interface (including their targeted_policy fallbacks).
	userdom_use_sysadm_pty($1)
	userdom_use_sysadm_tty($1)
')
1682 ########################################
1684 ## Do not audit attempts to use sysadm ttys and ptys.
1686 ## <param name="domain">
1687 ## Domain to not audit.
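interface(`userdom_dontaudit_use_sysadm_terms',`
	ifdef(`targeted_policy',`
		# This interface covers both ttys and ptys, so the targeted
		# fallback silences both generic types, matching what the
		# separate userdom_dontaudit_use_sysadm_tty and
		# userdom_dontaudit_use_sysadm_pty interfaces do.
		term_dontaudit_use_unallocated_tty($1)
		term_dontaudit_use_generic_pty($1)
	',`
		gen_require(`
			attribute admin_terminal;
			class chr_file { read write };
		')

		# Silence read/write denials on every admin terminal type;
		# no access is granted.
		dontaudit $1 admin_terminal:chr_file { read write };
	')
')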
1703 ########################################
1705 ## Inherit and use sysadm file descriptors
1707 ## <param name="domain">
1708 ## The type of the process performing this action.
interface(`userdom_use_sysadm_fd',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		unconfined_use_fd($1)
	',`
		gen_require(`
			type sysadm_t;
		')

		# Use of descriptors inherited from a sysadm_t process.
		allow $1 sysadm_t:fd use;
	')
')
1725 ########################################
1727 ## Read and write sysadm user unnamed pipes.
1729 ## <param name="domain">
1730 ## The type of the process performing this action.
interface(`userdom_rw_sysadm_pipe',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		unconfined_rw_pipe($1)
	',`
		gen_require(`
			class fifo_file rw_file_perms;
			type sysadm_t;
		')

		# Read/write on unnamed pipes owned by sysadm_t processes.
		allow $1 sysadm_t:fifo_file rw_file_perms;
	')
')
1747 ########################################
1749 ## Search the sysadm users home directory.
1751 ## <param name="domain">
1752 ## The type of the process performing this action.
interface(`userdom_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	# Search only: the caller can traverse the sysadm home directory but
	# gets no read access to its contents.
	allow $1 sysadm_home_dir_t:dir search;
	files_search_home($1)
')
1765 ########################################
1767 ## Do not audit attempts to search the sysadm
1768 ## users home directory.
1770 ## <param name="domain">
1771 ## Domain to not audit.
interface(`userdom_dontaudit_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
	')

	# Silence denials only; no access is granted.
	dontaudit $1 sysadm_home_dir_t:dir search;
')
1783 ########################################
1785 ## Do not audit attempts to list the sysadm
1786 ## users home directory.
1788 ## <param name="domain">
1789 ## Domain to not audit.
interface(`userdom_dontaudit_list_sysadm_home_dir',`
	gen_require(`
		class dir r_dir_perms;
		type sysadm_home_dir_t;
	')

	# Silence the whole directory-read permission set; no access is granted.
	dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
')
1801 ########################################
1803 ## Read files in the sysadm users home directory.
1805 ## <param name="domain">
1806 ## The type of the process performing this action.
interface(`userdom_read_sysadm_home_files',`
	gen_require(`
		class lnk_file r_file_perms;
		class file r_file_perms;
		class dir r_dir_perms;
		type sysadm_home_t, sysadm_home_dir_t;
	')

	files_search_home($1)

	# Both the home directory itself and its content-typed subdirectories
	# are readable, so the whole sysadm home tree can be walked; files and
	# symlinks get read-only access.
	allow $1 sysadm_home_dir_t:dir r_dir_perms;
	allow $1 sysadm_home_t:dir r_dir_perms;
	allow $1 sysadm_home_t:file r_file_perms;
	allow $1 sysadm_home_t:lnk_file r_file_perms;
')
1822 ########################################
1824 ## Search all users home directories.
1826 ## <param name="domain">
1827 ## The type of the process performing this action.
1830 interface(`userdom_search_all_users_home',`
# Both attributes are required: home_dir_type covers every home
# directory type and home_type every home content type.
1832 attribute home_dir_type, home_type;
# Search only (traverse), on every home directory and content type in
# the system; no read access to directory contents is granted.
1837 allow $1 { home_dir_type home_type }:dir search;
1840 ########################################
1842 ## Do not audit attempts to search all users home directories.
1844 ## <param name="domain">
1845 ## Domain to not audit.
interface(`userdom_dontaudit_search_all_users_home',`
	gen_require(`
		attribute home_type;
		attribute home_dir_type;
	')

	# Silence search denials on every home directory and home content
	# type; no access is granted.
	dontaudit $1 home_dir_type:dir search;
	dontaudit $1 home_type:dir search;
')
1857 ########################################
1859 ## Read all files in all users home directories.
1861 ## <param name="domain">
1862 ## The type of the process performing this action.
1865 interface(`userdom_read_all_user_files',`
# Broad read access: home_type spans the home content types of every
# user in the system.
1867 attribute home_type;
1868 class dir r_dir_perms;
1869 class file r_file_perms;
# Directories and regular files only; note no lnk_file access is
# granted here, unlike the per-user read_*_home_files interfaces.
1873 allow $1 home_type:dir r_dir_perms;
1874 allow $1 home_type:file r_file_perms;
1877 ########################################
1879 ## Create, read, write, and delete all directories
1880 ## in all users home directories.
1882 ## <param name="domain">
1883 ## The type of the process performing this action.
1886 interface(`userdom_manage_all_user_dirs',`
# Broad: home_type spans the home content types of every user, so this
# grants directory create/delete across all user home trees.
1888 attribute home_type;
1892 allow $1 home_type:dir create_dir_perms;
1895 ########################################
1897 ## Create, read, write, and delete all files
1898 ## in all users home directories.
1900 ## <param name="domain">
1901 ## The type of the process performing this action.
1904 interface(`userdom_manage_all_user_files',`
# Broad: home_type spans the home content types of every user, so this
# grants full file management across all user home trees.
1906 attribute home_type;
# rw on the directory is what adding and removing entries needs.
1910 allow $1 home_type:dir rw_dir_perms;
1911 allow $1 home_type:file create_file_perms;
1914 ########################################
1916 ## Create, read, write, and delete all symlinks
1917 ## in all users home directories.
1919 ## <param name="domain">
1920 ## The type of the process performing this action.
1923 interface(`userdom_manage_all_user_symlinks',`
# Broad: home_type spans the home content types of every user, so this
# grants full symlink management across all user home trees.
1925 attribute home_type;
# rw on the directory is what adding and removing entries needs.
1929 allow $1 home_type:dir rw_dir_perms;
1930 allow $1 home_type:lnk_file create_lnk_perms;
1933 ########################################
1935 ## Send general signals to unprivileged user domains.
1937 ## <param name="domain">
1938 ## The type of the process performing this action.
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		class process signal;
		attribute unpriv_userdomain;
	')

	# The generic signal permission only (not kill, stop, or sigchld).
	allow $1 unpriv_userdomain:process signal;
')
1950 ########################################
1952 ## Inherit the file descriptors from unprivileged user domains.
1954 ## <param name="domain">
1955 ## The type of the process performing this action.
interface(`userdom_use_unpriv_users_fd',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Use of descriptors inherited from any unprivileged user domain.
	allow $1 unpriv_userdomain:fd use;
')
1967 ########################################
1969 ## Do not audit attempts to inherit the
1970 ## file descriptors from unprivileged user domains.
1972 ## <param name="domain">
1973 ## The type of the process performing this action.
interface(`userdom_dontaudit_use_unpriv_user_fd',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Silence fd-use denials only; no access is granted.
	dontaudit $1 unpriv_userdomain:fd use;
')
1985 ########################################
1987 ## Create generic user home directories
1988 ## with automatic file type transition.
1990 ## <param name="domain">
1991 ## Domain allowed access.
interface(`userdom_create_user_home_dir',`
	gen_require(`
		type user_home_dir_t;
	')

	# Delegates to the files layer: create directories under the home
	# root with an automatic transition to the generic user home dir type.
	files_create_home_dirs($1,user_home_dir_t)
')
2002 ########################################
2004 ## Create, read, write, and delete
2005 ## generic user home directories.
2007 ## <param name="domain">
2008 ## Domain allowed access.
interface(`userdom_manage_user_home_dir',`
	gen_require(`
		class dir create_dir_perms;
		type user_home_dir_t;
	')

	# Full directory management on the generic user home directory type.
	allow $1 user_home_dir_t:dir create_dir_perms;
')
2020 ########################################
2022 ## Create objects in generic user home directories
2023 ## with automatic file type transition.
2025 ## <param name="domain">
2026 ## Domain allowed access.
2028 ## <param name="object_class" optional="true">
2029 ## The class of the object to be created.
2030 ## If not specified, file is used.
interface(`userdom_create_user_home',`
	gen_require(`
		class dir rw_dir_perms;
		type user_home_t, user_home_dir_t;
	')

	# NOTE(review): a template of the same name appears earlier in this
	# file with a different argument layout ($1 = prefix, $2 = domain,
	# $3 = class). m4 keeps the later definition, so check which one the
	# callers of each form actually get.
	allow $1 user_home_dir_t:dir rw_dir_perms;

	# Objects the domain creates in the generic home directory are
	# labelled user_home_t; the class defaults to file when the optional
	# second argument is omitted.
	ifelse(`$2',`',`
		type_transition $1 user_home_dir_t:file user_home_t;
	',`
		type_transition $1 user_home_dir_t:$2 user_home_t;
	')
')
2047 ########################################
2049 ## Do not audit attempts to search the user home subdirectory.
2051 ## <param name="domain">
2052 ## Domain to not audit.
interface(`userdom_dontaudit_search_user_home_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Silence search denials on generic user home subdirectories only;
	# no access is granted.
	dontaudit $1 user_home_t:dir search;
')
2064 ########################################
2066 ## Create, read, write, and delete
2067 ## subdirectories of generic user
2068 ## home directories.
2070 ## <param name="domain">
2071 ## Domain allowed access.
interface(`userdom_manage_user_home_dirs',`
	gen_require(`
		class dir create_dir_perms;
		type user_home_t;
	')

	# Full directory management on generic user home subdirectories.
	allow $1 user_home_t:dir create_dir_perms;
')
2083 ########################################
2085 ## Create, read, write, and delete files
2086 ## in generic user home directories.
2088 ## <param name="domain">
2089 ## Domain allowed access.
interface(`userdom_manage_user_home_files',`
	gen_require(`
		class file create_file_perms;
		class dir rw_dir_perms;
		type user_home_t;
	')

	# Manage files of the generic user home content type and the
	# directory entries that hold them.
	allow $1 user_home_t:file create_file_perms;
	allow $1 user_home_t:dir rw_dir_perms;
')
2103 ########################################
2105 ## Create, read, write, and delete symbolic
2106 ## links in generic user home directories.
2108 ## <param name="domain">
2109 ## Domain allowed access.
interface(`userdom_manage_user_home_symlinks',`
	gen_require(`
		class lnk_file create_lnk_perms;
		class dir rw_dir_perms;
		type user_home_t;
	')

	# Manage symlinks of the generic user home content type and the
	# directory entries that hold them.
	allow $1 user_home_t:lnk_file create_lnk_perms;
	allow $1 user_home_t:dir rw_dir_perms;
')
2123 ########################################
2125 ## Create, read, write, and delete named
2126 ## pipes in generic user home directories.
2128 ## <param name="domain">
2129 ## Domain allowed access.
interface(`userdom_manage_user_home_pipes',`
	gen_require(`
		class fifo_file create_file_perms;
		class dir rw_dir_perms;
		type user_home_t;
	')

	# Manage named pipes of the generic user home content type and the
	# directory entries that hold them.
	allow $1 user_home_t:fifo_file create_file_perms;
	allow $1 user_home_t:dir rw_dir_perms;
')
2143 ########################################
2145 ## Create, read, write, and delete named
2146 ## sockets in generic user home directories.
2148 ## <param name="domain">
2149 ## Domain allowed access.
interface(`userdom_manage_user_home_sockets',`
	gen_require(`
		class sock_file create_file_perms;
		class dir rw_dir_perms;
		type user_home_t;
	')

	# Manage named sockets of the generic user home content type and the
	# directory entries that hold them.
	allow $1 user_home_t:sock_file create_file_perms;
	allow $1 user_home_t:dir rw_dir_perms;
')
2163 ########################################
2165 ## Read all unprivileged users home directory files.
2168 ## <param name="domain">
2169 ## Domain allowed access.
2172 interface(`userdom_read_unpriv_user_home_files',`
# NOTE(review): the _type suffix matches the attribute naming used by
# the all-users interfaces in this file (home_dir_type, home_type); if
# user_home_dir_type and user_home_type are attributes, this require
# should use the attribute keyword -- confirm against their declaration.
2174 type user_home_dir_type, user_home_type;
# Search on the home directory and read on files only. Unlike
# userdom_read_staff_home_files there is no dir read on user_home_type
# and no lnk_file access, so content subdirectories cannot be listed and
# symlinks in them cannot be followed -- check this is the intended scope.
2177 allow $1 user_home_dir_type:dir search;
2178 allow $1 user_home_type:file r_file_perms;
2181 ########################################
2183 ## Write all unprivileged users files in /tmp
2185 ## <param name="domain">
2186 ## The type of the process performing this action.
interface(`userdom_write_unpriv_user_tmp',`
	gen_require(`
		class file { getattr write append };
		attribute user_tmpfile;
	')

	# Write/append (plus getattr) on every unprivileged user tmp file
	# type; no read, create, or unlink.
	allow $1 user_tmpfile:file { getattr write append };
')
2198 ########################################
2200 ## Do not audit attempts to use unprivileged user ttys.
2203 ## <param name="domain">
2204 ## The type of the process performing this action.
interface(`userdom_dontaudit_use_unpriv_user_tty',`
	gen_require(`
		class chr_file rw_file_perms;
		attribute user_ttynode;
	')

	# Silence read/write denials on unprivileged user tty nodes;
	# no access is granted.
	dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
2216 ########################################
2218 ## Inherit the file descriptors from all user domains
2220 ## <param name="domain">
2221 ## The type of the process performing this action.
interface(`userdom_use_all_user_fd',`
	gen_require(`
		attribute userdomain;
	')

	# Use of descriptors inherited from any user domain, privileged
	# or not.
	allow $1 userdomain:fd use;
')
2233 ########################################
2235 ## Do not audit attempts to inherit the file
2236 ## descriptors from any user domains.
2238 ## <param name="domain">
2239 ## Domain to not audit.
interface(`userdom_dontaudit_use_all_user_fd',`
	gen_require(`
		attribute userdomain;
	')

	# Silence fd-use denials for every user domain; no access is granted.
	dontaudit $1 userdomain:fd use;
')
2251 ########################################
2253 ## Send general signals to all user domains.
2255 ## <param name="domain">
2256 ## The type of the process performing this action.
interface(`userdom_signal_all_users',`
	gen_require(`
		class process signal;
		attribute userdomain;
	')

	# The generic signal permission only (not kill, stop, or sigchld),
	# towards every user domain.
	allow $1 userdomain:process signal;
')
2268 ########################################
2270 ## Send a SIGCHLD signal to all user domains.
2272 ## <param name="domain">
2273 ## Domain allowed access.
interface(`userdom_sigcld_all_users',`
	gen_require(`
		class process sigchld;
		attribute userdomain;
	')

	# Only SIGCHLD, the child-exit notification, towards every user domain.
	allow $1 userdomain:process sigchld;
')
2285 ########################################
2287 ## Unconfined access to user domains.
2289 ## <param name="domain">
2290 ## Domain allowed access.
2293 interface(`userdom_unconfined',`
2295 type user_home_dir_t;
2296 class dir create_dir_perms;
2299 allow $1 user_home_dir_t:dir create_dir_perms;
2300 files_create_home_dirs($1,user_home_dir_t)