]>
Commit | Line | Data |
---|---|---|
b598c442 | 1 | policy_module(userdomain, 4.5.2) |
b16c6b8c CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
56e1b3d2 CP |
8 | ## <desc> |
9 | ## <p> | |
0cdf72b9 | 10 | ## Allow users to connect to the local mysql server |
56e1b3d2 CP |
11 | ## </p> |
12 | ## </desc> | |
3f67f722 | 13 | gen_tunable(allow_user_mysql_connect, false) |
56e1b3d2 | 14 | |
cb10a2d5 CP |
15 | ## <desc> |
16 | ## <p> | |
17 | ## Allow users to connect to PostgreSQL | |
18 | ## </p> | |
19 | ## </desc> | |
3f67f722 | 20 | gen_tunable(allow_user_postgresql_connect, false) |
cb10a2d5 | 21 | |
56e1b3d2 CP |
22 | ## <desc> |
23 | ## <p> | |
24 | ## Allow regular users direct mouse access | |
25 | ## </p> | |
26 | ## </desc> | |
3f67f722 | 27 | gen_tunable(user_direct_mouse, false) |
56e1b3d2 CP |
28 | |
29 | ## <desc> | |
30 | ## <p> | |
31 | ## Allow users to read system messages. | |
32 | ## </p> | |
33 | ## </desc> | |
3f67f722 | 34 | gen_tunable(user_dmesg, false) |
56e1b3d2 CP |
35 | |
36 | ## <desc> | |
37 | ## <p> | |
38 | ## Allow user to r/w files on filesystems | |
39 | ## that do not have extended attributes (FAT, CDROM, FLOPPY) | |
40 | ## </p> | |
41 | ## </desc> | |
3f67f722 | 42 | gen_tunable(user_rw_noexattrfile, false) |
56e1b3d2 | 43 | |
40068f3d DW |
44 | ## <desc> |
45 | ## <p> | |
46 | ## Allow user music sharing | |
47 | ## </p> | |
48 | ## </desc> | |
49 | gen_tunable(user_share_music, false) | |
50 | ||
3eaa9939 DW |
51 | ## <desc> |
52 | ## <p> | |
53 | ## Allow user processes to change their priority | |
54 | ## </p> | |
55 | ## </desc> | |
56 | gen_tunable(user_setrlimit, false) | |
57 | ||
56e1b3d2 CP |
58 | ## <desc> |
59 | ## <p> | |
60 | ## Allow w to display everyone | |
61 | ## </p> | |
62 | ## </desc> | |
3f67f722 | 63 | gen_tunable(user_ttyfile_stat, false) |
56e1b3d2 | 64 | |
0be901ba | 65 | attribute admindomain; |
bd75703c | 66 | |
b16c6b8c CP |
67 | # all user domains |
68 | attribute userdomain; | |
69 | ||
70 | # unprivileged user domains | |
71 | attribute unpriv_userdomain; | |
72 | ||
8dca6b97 CP |
73 | attribute untrusted_content_type; |
74 | attribute untrusted_content_tmp_type; | |
296273a7 | 75 | |
ed2ac112 DW |
76 | attribute userdom_home_reader_type; |
77 | attribute userdom_home_manager_type; | |
78 | ||
3eaa9939 DW |
79 | # unprivileged user domains |
80 | attribute user_home_type; | |
ca9e8850 DW |
81 | attribute user_tmp_type; |
82 | attribute user_tmpfs_type; | |
3eaa9939 DW |
83 | |
84 | type admin_home_t; | |
85 | files_type(admin_home_t) | |
86 | files_associate_tmp(admin_home_t) | |
87 | fs_associate_tmpfs(admin_home_t) | |
88 | files_mountpoint(admin_home_t) | |
793be6b5 MG |
89 | files_poly_member(admin_home_t) |
90 | files_poly_parent(admin_home_t) | |
3eaa9939 | 91 | |
296273a7 CP |
92 | type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; |
93 | fs_associate_tmpfs(user_home_dir_t) | |
94 | files_type(user_home_dir_t) | |
95 | files_mountpoint(user_home_dir_t) | |
96 | files_associate_tmp(user_home_dir_t) | |
97 | files_poly(user_home_dir_t) | |
98 | files_poly_member(user_home_dir_t) | |
99 | files_poly_parent(user_home_dir_t) | |
100 | ubac_constrained(user_home_dir_t) | |
101 | ||
102 | type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; | |
103 | typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; | |
3eaa9939 | 104 | typeattribute user_home_t user_home_type; |
296273a7 CP |
105 | userdom_user_home_content(user_home_t) |
106 | fs_associate_tmpfs(user_home_t) | |
107 | files_associate_tmp(user_home_t) | |
3eaa9939 | 108 | files_poly_member(user_home_t) |
296273a7 CP |
109 | files_poly_parent(user_home_t) |
110 | files_mountpoint(user_home_t) | |
3eaa9939 | 111 | ubac_constrained(user_home_t) |
296273a7 CP |
112 | |
113 | type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; | |
114 | dev_node(user_devpts_t) | |
115 | files_type(user_devpts_t) | |
116 | ubac_constrained(user_devpts_t) | |
117 | ||
ca9e8850 DW |
118 | type user_tmp_t, user_tmp_type; |
119 | typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; | |
296273a7 CP |
120 | typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; |
121 | files_tmp_file(user_tmp_t) | |
122 | userdom_user_home_content(user_tmp_t) | |
8ba1f41a | 123 | files_poly_parent(user_tmp_t) |
296273a7 | 124 | |
ca9e8850 DW |
125 | type user_tmpfs_t, user_tmpfs_type; |
126 | typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; | |
296273a7 CP |
127 | files_tmpfs_file(user_tmpfs_t) |
128 | userdom_user_home_content(user_tmpfs_t) | |
129 | ||
130 | type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; | |
131 | dev_node(user_tty_device_t) | |
132 | ubac_constrained(user_tty_device_t) | |
3eaa9939 DW |
133 | |
134 | type audio_home_t; | |
135 | userdom_user_home_content(audio_home_t) | |
136 | ubac_constrained(audio_home_t) | |
137 | ||
138 | type home_bin_t; | |
139 | userdom_user_home_content(home_bin_t) | |
140 | ubac_constrained(home_bin_t) | |
141 | ||
142 | type home_cert_t; | |
143 | miscfiles_cert_type(home_cert_t) | |
144 | userdom_user_home_content(home_cert_t) | |
145 | ubac_constrained(home_cert_t) | |
146 | ||
147 | tunable_policy(`allow_console_login',` | |
148 | term_use_console(userdomain) | |
149 | ') | |
150 | ||
151 | allow userdomain userdomain:process signull; | |
152 | ||
153 | # Nautilus causes this avc | |
154 | dontaudit unpriv_userdomain self:dir setattr; | |
de55768d | 155 | allow unpriv_userdomain self:key manage_key_perms; |
72eaebd0 | 156 | |
450041a1 DW |
157 | optional_policy(` |
158 | alsa_read_rw_config(unpriv_userdomain) | |
159 | alsa_manage_home_files(unpriv_userdomain) | |
160 | alsa_relabel_home_files(unpriv_userdomain) | |
450041a1 DW |
161 | ') |
162 | ||
15b2e336 | 163 | optional_policy(` |
a11cc065 | 164 | ssh_filetrans_home_content(userdomain) |
2ea29241 DW |
165 | ') |
166 | ||
a11cc065 DW |
167 | optional_policy(` |
168 | xserver_filetrans_home_content(userdomain) | |
169 | ') | |
ed2ac112 DW |
170 | |
171 | ||
172 | tunable_policy(`use_nfs_home_dirs',` | |
173 | fs_read_nfs_files(userdom_home_reader_type) | |
174 | ') | |
175 | ||
176 | tunable_policy(`use_samba_home_dirs',` | |
177 | fs_read_cifs_files(userdom_home_reader_type) | |
178 | ') | |
179 | ||
180 | tunable_policy(`use_fusefs_home_dirs',` | |
181 | fs_read_fusefs_files(userdom_home_reader_type) | |
182 | ') | |
183 | ||
184 | tunable_policy(`use_nfs_home_dirs',` | |
185 | fs_list_auto_mountpoints(userdom_home_manager_type) | |
186 | fs_manage_nfs_dirs(userdom_home_manager_type) | |
187 | fs_manage_nfs_files(userdom_home_manager_type) | |
188 | fs_manage_nfs_symlinks(userdom_home_manager_type) | |
189 | ') | |
190 | ||
191 | tunable_policy(`use_samba_home_dirs',` | |
192 | fs_manage_cifs_dirs(userdom_home_manager_type) | |
193 | fs_manage_cifs_files(userdom_home_manager_type) | |
194 | fs_manage_cifs_symlinks(userdom_home_manager_type) | |
195 | ') | |
196 | ||
197 | tunable_policy(`use_fusefs_home_dirs',` | |
198 | fs_manage_fusefs_dirs(userdom_home_manager_type) | |
199 | fs_manage_fusefs_files(userdom_home_manager_type) | |
200 | fs_manage_fusefs_symlinks(userdom_home_manager_type) | |
201 | ') | |
202 |