[people/stevee/selinux-policy.git] / policy / modules / system / userdomain.te

policy_module(userdomain, 4.5.2)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow users to connect to the local mysql server
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect, false)

## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(allow_user_postgresql_connect, false)

## <desc>
## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
gen_tunable(user_direct_mouse, false)

## <desc>
## <p>
## Allow users to read system messages.
## </p>
## </desc>
gen_tunable(user_dmesg, false)

## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile, false)

## <desc>
## <p>
## Allow user music sharing
## </p>
## </desc>
gen_tunable(user_share_music, false)

## <desc>
## <p>
## Allow user processes to change their priority 
## </p>
## </desc>
gen_tunable(user_setrlimit, false)

## <desc>
## <p>
## Allow w to display everyone
## </p>
## </desc>
gen_tunable(user_ttyfile_stat, false)

attribute admindomain;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

attribute untrusted_content_type;
attribute untrusted_content_tmp_type;

attribute userdom_home_reader_type;
attribute userdom_home_manager_type;

# unprivileged user domains
attribute user_home_type;
attribute user_tmp_type;
attribute user_tmpfs_type;

type admin_home_t;
files_type(admin_home_t)
files_associate_tmp(admin_home_t)
fs_associate_tmpfs(admin_home_t)
files_mountpoint(admin_home_t)
files_poly_member(admin_home_t)
files_poly_parent(admin_home_t)

type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
files_mountpoint(user_home_dir_t)
files_associate_tmp(user_home_dir_t)
files_poly(user_home_dir_t)
files_poly_member(user_home_dir_t)
files_poly_parent(user_home_dir_t)
ubac_constrained(user_home_dir_t)

type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
typeattribute user_home_t user_home_type;
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
files_poly_member(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
ubac_constrained(user_home_t)

type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)

type user_tmp_t, user_tmp_type;
typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
files_poly_parent(user_tmp_t)

type user_tmpfs_t, user_tmpfs_type;
typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
userdom_user_home_content(user_tmpfs_t)

type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)

type audio_home_t;
userdom_user_home_content(audio_home_t)
ubac_constrained(audio_home_t)

type home_bin_t;
userdom_user_home_content(home_bin_t)
ubac_constrained(home_bin_t)

type home_cert_t;
miscfiles_cert_type(home_cert_t)
userdom_user_home_content(home_cert_t)
ubac_constrained(home_cert_t)

tunable_policy(`allow_console_login',`
	term_use_console(userdomain)
')

allow userdomain userdomain:process signull;

# Nautilus causes this avc
dontaudit unpriv_userdomain self:dir setattr;
allow unpriv_userdomain self:key manage_key_perms;

optional_policy(`
	alsa_read_rw_config(unpriv_userdomain)
	alsa_manage_home_files(unpriv_userdomain)
	alsa_relabel_home_files(unpriv_userdomain)
')

optional_policy(`
	ssh_filetrans_home_content(userdomain)
')

optional_policy(`
	xserver_filetrans_home_content(userdomain)
')


tunable_policy(`use_nfs_home_dirs',`
    fs_read_nfs_files(userdom_home_reader_type)
')

tunable_policy(`use_samba_home_dirs',`
    fs_read_cifs_files(userdom_home_reader_type)
')

tunable_policy(`use_fusefs_home_dirs',`
    fs_read_fusefs_files(userdom_home_reader_type)
')

tunable_policy(`use_nfs_home_dirs',`
    fs_list_auto_mountpoints(userdom_home_manager_type)
    fs_manage_nfs_dirs(userdom_home_manager_type)
    fs_manage_nfs_files(userdom_home_manager_type)
    fs_manage_nfs_symlinks(userdom_home_manager_type)
')

tunable_policy(`use_samba_home_dirs',`
    fs_manage_cifs_dirs(userdom_home_manager_type)
    fs_manage_cifs_files(userdom_home_manager_type)
    fs_manage_cifs_symlinks(userdom_home_manager_type)
')

tunable_policy(`use_fusefs_home_dirs',`
    fs_manage_fusefs_dirs(userdom_home_manager_type)
    fs_manage_fusefs_files(userdom_home_manager_type)
    fs_manage_fusefs_symlinks(userdom_home_manager_type)
')
Commit	Line	Data
b598c442	1	policy_module(userdomain, 4.5.2)
b16c6b8c CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
56e1b3d2 CP	8	## <desc>
56e1b3d2 CP	9	## <p>
0cdf72b9	10	## Allow users to connect to the local mysql server
56e1b3d2 CP	11	## </p>
56e1b3d2 CP	12	## </desc>
3f67f722	13	gen_tunable(allow_user_mysql_connect, false)
56e1b3d2	14
cb10a2d5 CP	15	## <desc>
	16	## <p>
	17	## Allow users to connect to PostgreSQL
	18	## </p>
	19	## </desc>
3f67f722	20	gen_tunable(allow_user_postgresql_connect, false)
cb10a2d5	21
56e1b3d2 CP	22	## <desc>
	23	## <p>
	24	## Allow regular users direct mouse access
	25	## </p>
	26	## </desc>
3f67f722	27	gen_tunable(user_direct_mouse, false)
56e1b3d2 CP	28
	29	## <desc>
	30	## <p>
	31	## Allow users to read system messages.
	32	## </p>
	33	## </desc>
3f67f722	34	gen_tunable(user_dmesg, false)
56e1b3d2 CP	35
	36	## <desc>
	37	## <p>
	38	## Allow user to r/w files on filesystems
	39	## that do not have extended attributes (FAT, CDROM, FLOPPY)
	40	## </p>
	41	## </desc>
3f67f722	42	gen_tunable(user_rw_noexattrfile, false)
56e1b3d2	43
40068f3d DW	44	## <desc>
	45	## <p>
	46	## Allow user music sharing
	47	## </p>
	48	## </desc>
	49	gen_tunable(user_share_music, false)
	50
3eaa9939 DW	51	## <desc>
	52	## <p>
	53	## Allow user processes to change their priority
	54	## </p>
	55	## </desc>
	56	gen_tunable(user_setrlimit, false)
	57
56e1b3d2 CP	58	## <desc>
	59	## <p>
	60	## Allow w to display everyone
	61	## </p>
	62	## </desc>
3f67f722	63	gen_tunable(user_ttyfile_stat, false)
56e1b3d2	64
0be901ba	65	attribute admindomain;
bd75703c	66
b16c6b8c CP	67	# all user domains
	68	attribute userdomain;
	69
	70	# unprivileged user domains
	71	attribute unpriv_userdomain;
	72
8dca6b97 CP	73	attribute untrusted_content_type;
8dca6b97 CP	74	attribute untrusted_content_tmp_type;
296273a7	75
ed2ac112 DW	76	attribute userdom_home_reader_type;
	77	attribute userdom_home_manager_type;
	78
3eaa9939 DW	79	# unprivileged user domains
3eaa9939 DW	80	attribute user_home_type;
ca9e8850 DW	81	attribute user_tmp_type;
ca9e8850 DW	82	attribute user_tmpfs_type;
3eaa9939 DW	83
	84	type admin_home_t;
	85	files_type(admin_home_t)
	86	files_associate_tmp(admin_home_t)
	87	fs_associate_tmpfs(admin_home_t)
	88	files_mountpoint(admin_home_t)
793be6b5 MG	89	files_poly_member(admin_home_t)
793be6b5 MG	90	files_poly_parent(admin_home_t)
3eaa9939	91
296273a7 CP	92	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
	93	fs_associate_tmpfs(user_home_dir_t)
	94	files_type(user_home_dir_t)
	95	files_mountpoint(user_home_dir_t)
	96	files_associate_tmp(user_home_dir_t)
	97	files_poly(user_home_dir_t)
	98	files_poly_member(user_home_dir_t)
	99	files_poly_parent(user_home_dir_t)
	100	ubac_constrained(user_home_dir_t)
	101
	102	type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
	103	typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
3eaa9939	104	typeattribute user_home_t user_home_type;
296273a7 CP	105	userdom_user_home_content(user_home_t)
	106	fs_associate_tmpfs(user_home_t)
	107	files_associate_tmp(user_home_t)
3eaa9939	108	files_poly_member(user_home_t)
296273a7 CP	109	files_poly_parent(user_home_t)
296273a7 CP	110	files_mountpoint(user_home_t)
3eaa9939	111	ubac_constrained(user_home_t)
296273a7 CP	112
	113	type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
	114	dev_node(user_devpts_t)
	115	files_type(user_devpts_t)
	116	ubac_constrained(user_devpts_t)
	117
ca9e8850 DW	118	type user_tmp_t, user_tmp_type;
ca9e8850 DW	119	typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
296273a7 CP	120	typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
	121	files_tmp_file(user_tmp_t)
	122	userdom_user_home_content(user_tmp_t)
8ba1f41a	123	files_poly_parent(user_tmp_t)
296273a7	124
ca9e8850 DW	125	type user_tmpfs_t, user_tmpfs_type;
ca9e8850 DW	126	typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
296273a7 CP	127	files_tmpfs_file(user_tmpfs_t)
	128	userdom_user_home_content(user_tmpfs_t)
	129
	130	type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
	131	dev_node(user_tty_device_t)
	132	ubac_constrained(user_tty_device_t)
3eaa9939 DW	133
	134	type audio_home_t;
	135	userdom_user_home_content(audio_home_t)
	136	ubac_constrained(audio_home_t)
	137
	138	type home_bin_t;
	139	userdom_user_home_content(home_bin_t)
	140	ubac_constrained(home_bin_t)
	141
	142	type home_cert_t;
	143	miscfiles_cert_type(home_cert_t)
	144	userdom_user_home_content(home_cert_t)
	145	ubac_constrained(home_cert_t)
	146
	147	tunable_policy(`allow_console_login',`
	148	term_use_console(userdomain)
	149	')
	150
	151	allow userdomain userdomain:process signull;
	152
	153	# Nautilus causes this avc
	154	dontaudit unpriv_userdomain self:dir setattr;
de55768d	155	allow unpriv_userdomain self:key manage_key_perms;
72eaebd0	156
450041a1 DW	157	optional_policy(`
	158	alsa_read_rw_config(unpriv_userdomain)
	159	alsa_manage_home_files(unpriv_userdomain)
	160	alsa_relabel_home_files(unpriv_userdomain)
450041a1 DW	161	')
450041a1 DW	162
15b2e336	163	optional_policy(`
a11cc065	164	ssh_filetrans_home_content(userdomain)
2ea29241 DW	165	')
2ea29241 DW	166
a11cc065 DW	167	optional_policy(`
	168	xserver_filetrans_home_content(userdomain)
	169	')
ed2ac112 DW	170
	171
	172	tunable_policy(`use_nfs_home_dirs',`
	173	fs_read_nfs_files(userdom_home_reader_type)
	174	')
	175
	176	tunable_policy(`use_samba_home_dirs',`
	177	fs_read_cifs_files(userdom_home_reader_type)
	178	')
	179
	180	tunable_policy(`use_fusefs_home_dirs',`
	181	fs_read_fusefs_files(userdom_home_reader_type)
	182	')
	183
	184	tunable_policy(`use_nfs_home_dirs',`
	185	fs_list_auto_mountpoints(userdom_home_manager_type)
	186	fs_manage_nfs_dirs(userdom_home_manager_type)
	187	fs_manage_nfs_files(userdom_home_manager_type)
	188	fs_manage_nfs_symlinks(userdom_home_manager_type)
	189	')
	190
	191	tunable_policy(`use_samba_home_dirs',`
	192	fs_manage_cifs_dirs(userdom_home_manager_type)
	193	fs_manage_cifs_files(userdom_home_manager_type)
	194	fs_manage_cifs_symlinks(userdom_home_manager_type)
	195	')
	196
	197	tunable_policy(`use_fusefs_home_dirs',`
	198	fs_manage_fusefs_dirs(userdom_home_manager_type)
	199	fs_manage_fusefs_files(userdom_home_manager_type)
	200	fs_manage_fusefs_symlinks(userdom_home_manager_type)
	201	')
	202