/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
userdom_manage_home_role(unconfined_r, unconfined_t)
userdom_manage_tmp_role(unconfined_r, unconfined_t)
userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-userdom_unpriv_t(unconfined, unconfined_t)
+userdom_unpriv_type(unconfined_r, unconfined_t)
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
optional_policy(`
gen_require(`
- attribute unconfined_t;
+ type unconfined_t;
')
optional_policy(`
files_etc_filetrans($1, passwd_file_t, file, "passwd-")
files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
- files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
files_etc_filetrans($1, shadow_t, file, "group.lock")
files_etc_filetrans($1, shadow_t, file, "passwd.lock")
files_etc_filetrans($1, shadow_t, file, "passwd.adjunct")
mta_read_config(initrc_t)
mta_write_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
+')
optional_policy(`
ifdef(`distro_redhat',`
ubac_constrained($2)
')
+#######################################
+## <summary>
+## Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_unpriv_type',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ ')
+ typeattribute $2 unpriv_userdomain;
+ typeattribute $2 userdomain;
+
+ auth_use_nsswitch($2)
+ ubac_constrained($2)
+')
+
########################################
## <summary>
## Connect to users over an unix stream socket.