]>
Commit | Line | Data |
---|---|---|
490639cd | 1 | ## <summary>Policy for user domains</summary> |
b16c6b8c | 2 | |
8fd36732 CP |
3 | ####################################### |
4 | ## <summary> | |
bbcd3c97 | 5 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
6 | ## </summary> |
7 | ## <desc> | |
8 | ## <p> | |
bbcd3c97 | 9 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
10 | ## </p> |
11 | ## <p> | |
bbcd3c97 CP |
12 | ## This template creates a user domain, types, and |
13 | ## rules for the user's tty and pty. | |
8fd36732 CP |
14 | ## </p> |
15 | ## </desc> | |
16 | ## <param name="userdomain_prefix"> | |
885b83ec | 17 | ## <summary> |
8fd36732 CP |
18 | ## The prefix of the user domain (e.g., user |
19 | ## is the prefix for user_t). | |
885b83ec | 20 | ## </summary> |
8fd36732 | 21 | ## </param> |
bbcd3c97 | 22 | ## <rolebase/> |
b16c6b8c | 23 | # |
bbcd3c97 | 24 | template(`userdom_base_user_template',` |
c6a60bb2 CP |
25 | |
26 | gen_require(` | |
d6d16b97 | 27 | attribute userdomain; |
296273a7 | 28 | type user_devpts_t, user_tty_device_t; |
c6a60bb2 CP |
29 | class context contains; |
30 | ') | |
31 | ||
0c73cd25 | 32 | attribute $1_file_type; |
3eaa9939 | 33 | attribute $1_usertype; |
0c73cd25 | 34 | |
3eaa9939 | 35 | type $1_t, userdomain, $1_usertype; |
c9428d33 CP |
36 | domain_type($1_t) |
37 | corecmd_shell_entry_type($1_t) | |
d40c0ecf | 38 | corecmd_bin_entry_type($1_t) |
2e863f8a | 39 | domain_user_exemption_target($1_t) |
296273a7 | 40 | ubac_constrained($1_t) |
0c73cd25 CP |
41 | role $1_r types $1_t; |
42 | allow system_r $1_r; | |
43 | ||
296273a7 | 44 | term_user_pty($1_t, user_devpts_t) |
0c73cd25 | 45 | |
296273a7 | 46 | term_user_tty($1_t, user_tty_device_t) |
3eaa9939 DW |
47 | term_dontaudit_getattr_generic_ptys($1_t) |
48 | ||
49 | allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; | |
50 | allow $1_usertype $1_usertype:fd use; | |
51 | allow $1_usertype $1_t:key { create view read write search link setattr }; | |
52 | ||
53 | allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; | |
54 | allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; | |
55 | allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; | |
56 | allow $1_usertype $1_usertype:shm create_shm_perms; | |
57 | allow $1_usertype $1_usertype:sem create_sem_perms; | |
58 | allow $1_usertype $1_usertype:msgq create_msgq_perms; | |
59 | allow $1_usertype $1_usertype:msg { send receive }; | |
60 | allow $1_usertype $1_usertype:context contains; | |
61 | dontaudit $1_usertype $1_usertype:socket create; | |
62 | ||
63 | allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; | |
64 | term_create_pty($1_usertype, user_devpts_t) | |
296273a7 | 65 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 | 66 | dontaudit $1_usertype user_devpts_t:chr_file ioctl; |
0c73cd25 | 67 | |
3eaa9939 | 68 | allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; |
296273a7 | 69 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 DW |
70 | dontaudit $1_usertype user_tty_device_t:chr_file ioctl; |
71 | ||
72 | application_exec_all($1_usertype) | |
73 | ||
74 | kernel_read_kernel_sysctls($1_usertype) | |
75 | kernel_read_all_sysctls($1_usertype) | |
76 | kernel_dontaudit_list_unlabeled($1_usertype) | |
77 | kernel_dontaudit_getattr_unlabeled_files($1_usertype) | |
78 | kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) | |
79 | kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) | |
80 | kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) | |
81 | kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) | |
82 | kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) | |
83 | kernel_dontaudit_list_proc($1_usertype) | |
84 | ||
85 | dev_dontaudit_getattr_all_blk_files($1_usertype) | |
86 | dev_dontaudit_getattr_all_chr_files($1_usertype) | |
87 | dev_getattr_mtrr_dev($1_t) | |
847937da | 88 | |
2ec4c9d3 | 89 | # When the user domain runs ps, there will be a number of access |
ff8f0a63 | 90 | # denials when ps tries to search /proc. Do not audit these denials. |
3eaa9939 DW |
91 | domain_dontaudit_read_all_domains_state($1_usertype) |
92 | domain_dontaudit_getattr_all_domains($1_usertype) | |
93 | domain_dontaudit_getsession_all_domains($1_usertype) | |
94 | ||
95 | files_read_etc_files($1_usertype) | |
96 | files_list_mnt($1_usertype) | |
97 | files_read_mnt_files($1_usertype) | |
98 | files_read_etc_runtime_files($1_usertype) | |
99 | files_read_usr_files($1_usertype) | |
100 | files_read_usr_src_files($1_usertype) | |
bbcd3c97 CP |
101 | # Read directories and files with the readable_t type. |
102 | # This type is a general type for "world"-readable files. | |
3eaa9939 DW |
103 | files_list_world_readable($1_usertype) |
104 | files_read_world_readable_files($1_usertype) | |
105 | files_read_world_readable_symlinks($1_usertype) | |
106 | files_read_world_readable_pipes($1_usertype) | |
107 | files_read_world_readable_sockets($1_usertype) | |
a2868f6e | 108 | # old broswer_domain(): |
3eaa9939 DW |
109 | files_dontaudit_getattr_all_dirs($1_usertype) |
110 | files_dontaudit_list_non_security($1_usertype) | |
111 | files_dontaudit_getattr_all_files($1_usertype) | |
112 | files_dontaudit_getattr_non_security_symlinks($1_usertype) | |
113 | files_dontaudit_getattr_non_security_pipes($1_usertype) | |
114 | files_dontaudit_getattr_non_security_sockets($1_usertype) | |
115 | ||
116 | files_exec_usr_files($1_t) | |
117 | ||
118 | fs_list_cgroup_dirs($1_usertype) | |
119 | fs_dontaudit_rw_cgroup_files($1_usertype) | |
120 | ||
121 | storage_rw_fuse($1_usertype) | |
122 | ||
123 | auth_use_nsswitch($1_usertype) | |
0c73cd25 | 124 | |
3eaa9939 | 125 | init_stream_connect($1_usertype) |
bbcd3c97 | 126 | |
3eaa9939 | 127 | libs_exec_ld_so($1_usertype) |
6b19be33 | 128 | |
bbcd3c97 | 129 | miscfiles_read_localization($1_t) |
83406219 | 130 | miscfiles_read_generic_certs($1_t) |
6b19be33 | 131 | |
cab9bc9c | 132 | miscfiles_read_all_certs($1_usertype) |
3eaa9939 DW |
133 | miscfiles_read_localization($1_usertype) |
134 | miscfiles_read_man_pages($1_usertype) | |
135 | miscfiles_read_public_files($1_usertype) | |
bbcd3c97 CP |
136 | |
137 | tunable_policy(`allow_execmem',` | |
138 | # Allow loading DSOs that require executable stack. | |
139 | allow $1_t self:process execmem; | |
140 | ') | |
141 | ||
142 | tunable_policy(`allow_execmem && allow_execstack',` | |
143 | # Allow making the stack executable via mprotect. | |
144 | allow $1_t self:process execstack; | |
145 | ') | |
3eaa9939 DW |
146 | |
147 | optional_policy(` | |
148 | fs_list_cgroup_dirs($1_usertype) | |
149 | ') | |
150 | ||
151 | optional_policy(` | |
152 | ssh_rw_stream_sockets($1_usertype) | |
153 | ssh_delete_tmp($1_t) | |
154 | ssh_signal($1_t) | |
155 | ') | |
bbcd3c97 CP |
156 | ') |
157 | ||
158 | ####################################### | |
159 | ## <summary> | |
296273a7 CP |
160 | ## Allow a home directory for which the |
161 | ## role has read-only access. | |
bbcd3c97 CP |
162 | ## </summary> |
163 | ## <desc> | |
164 | ## <p> | |
296273a7 CP |
165 | ## Allow a home directory for which the |
166 | ## role has read-only access. | |
bbcd3c97 CP |
167 | ## </p> |
168 | ## <p> | |
169 | ## This does not allow execute access. | |
170 | ## </p> | |
171 | ## </desc> | |
296273a7 | 172 | ## <param name="role"> |
bbcd3c97 | 173 | ## <summary> |
296273a7 CP |
174 | ## The user role |
175 | ## </summary> | |
176 | ## </param> | |
177 | ## <param name="userdomain"> | |
178 | ## <summary> | |
179 | ## The user domain | |
bbcd3c97 CP |
180 | ## </summary> |
181 | ## </param> | |
182 | ## <rolebase/> | |
183 | # | |
296273a7 | 184 | interface(`userdom_ro_home_role',` |
d6d16b97 | 185 | gen_require(` |
296273a7 | 186 | type user_home_t, user_home_dir_t; |
d6d16b97 CP |
187 | ') |
188 | ||
3eaa9939 DW |
189 | role $1 types { user_home_t user_home_dir_t }; |
190 | ||
bbcd3c97 CP |
191 | ############################## |
192 | # | |
193 | # Domain access to home dir | |
194 | # | |
195 | ||
296273a7 CP |
196 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
197 | ||
bbcd3c97 | 198 | # read-only home directory |
296273a7 CP |
199 | allow $2 user_home_dir_t:dir list_dir_perms; |
200 | allow $2 user_home_t:dir list_dir_perms; | |
201 | allow $2 user_home_t:file entrypoint; | |
202 | read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
203 | read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
204 | read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
205 | read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
206 | files_list_home($2) | |
bbcd3c97 | 207 | |
bbcd3c97 CP |
208 | ') |
209 | ||
210 | ####################################### | |
211 | ## <summary> | |
296273a7 CP |
212 | ## Allow a home directory for which the |
213 | ## role has full access. | |
bbcd3c97 CP |
214 | ## </summary> |
215 | ## <desc> | |
216 | ## <p> | |
296273a7 CP |
217 | ## Allow a home directory for which the |
218 | ## role has full access. | |
bbcd3c97 CP |
219 | ## </p> |
220 | ## <p> | |
221 | ## This does not allow execute access. | |
222 | ## </p> | |
223 | ## </desc> | |
296273a7 | 224 | ## <param name="role"> |
bbcd3c97 | 225 | ## <summary> |
296273a7 CP |
226 | ## The user role |
227 | ## </summary> | |
228 | ## </param> | |
229 | ## <param name="userdomain"> | |
230 | ## <summary> | |
231 | ## The user domain | |
bbcd3c97 CP |
232 | ## </summary> |
233 | ## </param> | |
234 | ## <rolebase/> | |
235 | # | |
296273a7 | 236 | interface(`userdom_manage_home_role',` |
d6d16b97 | 237 | gen_require(` |
296273a7 | 238 | type user_home_t, user_home_dir_t; |
3eaa9939 | 239 | attribute user_home_type; |
d6d16b97 CP |
240 | ') |
241 | ||
3eaa9939 DW |
242 | role $1 types { user_home_type user_home_dir_t }; |
243 | ||
bbcd3c97 CP |
244 | ############################## |
245 | # | |
246 | # Domain access to home dir | |
247 | # | |
248 | ||
296273a7 CP |
249 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
250 | ||
bbcd3c97 | 251 | # full control of the home directory |
3eaa9939 | 252 | allow $2 user_home_t:dir mounton; |
296273a7 | 253 | allow $2 user_home_t:file entrypoint; |
3eaa9939 DW |
254 | |
255 | allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; | |
256 | allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; | |
257 | manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
258 | manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
259 | manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
260 | manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
261 | manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
262 | relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
263 | relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
264 | relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
265 | relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
266 | relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
296273a7 CP |
267 | filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) |
268 | files_list_home($2) | |
bbcd3c97 | 269 | |
c0868a7a | 270 | # cjp: this should probably be removed: |
296273a7 | 271 | allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; |
c0868a7a | 272 | |
bbcd3c97 | 273 | tunable_policy(`use_nfs_home_dirs',` |
3eaa9939 DW |
274 | fs_mount_nfs($2) |
275 | fs_mounton_nfs($2) | |
296273a7 CP |
276 | fs_manage_nfs_dirs($2) |
277 | fs_manage_nfs_files($2) | |
278 | fs_manage_nfs_symlinks($2) | |
279 | fs_manage_nfs_named_sockets($2) | |
280 | fs_manage_nfs_named_pipes($2) | |
bbcd3c97 CP |
281 | ') |
282 | ||
283 | tunable_policy(`use_samba_home_dirs',` | |
3eaa9939 DW |
284 | fs_mount_cifs($2) |
285 | fs_mounton_cifs($2) | |
296273a7 CP |
286 | fs_manage_cifs_dirs($2) |
287 | fs_manage_cifs_files($2) | |
288 | fs_manage_cifs_symlinks($2) | |
289 | fs_manage_cifs_named_sockets($2) | |
290 | fs_manage_cifs_named_pipes($2) | |
bbcd3c97 CP |
291 | ') |
292 | ') | |
293 | ||
294 | ####################################### | |
295 | ## <summary> | |
296273a7 | 296 | ## Manage user temporary files |
bbcd3c97 | 297 | ## </summary> |
296273a7 | 298 | ## <param name="role"> |
bbcd3c97 | 299 | ## <summary> |
296273a7 | 300 | ## Role allowed access. |
bbcd3c97 CP |
301 | ## </summary> |
302 | ## </param> | |
296273a7 | 303 | ## <param name="domain"> |
bbcd3c97 | 304 | ## <summary> |
296273a7 | 305 | ## Domain allowed access. |
bbcd3c97 CP |
306 | ## </summary> |
307 | ## </param> | |
308 | ## <rolebase/> | |
309 | # | |
296273a7 | 310 | interface(`userdom_manage_tmp_role',` |
d6d16b97 | 311 | gen_require(` |
296273a7 | 312 | type user_tmp_t; |
d6d16b97 CP |
313 | ') |
314 | ||
3eaa9939 DW |
315 | role $1 types user_tmp_t; |
316 | ||
296273a7 | 317 | files_poly_member_tmp($2, user_tmp_t) |
bbcd3c97 | 318 | |
296273a7 CP |
319 | manage_dirs_pattern($2, user_tmp_t, user_tmp_t) |
320 | manage_files_pattern($2, user_tmp_t, user_tmp_t) | |
321 | manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) | |
322 | manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) | |
323 | manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) | |
324 | files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) | |
3eaa9939 DW |
325 | relabel_files_pattern($2, user_tmp_t, user_tmp_t) |
326 | ') | |
327 | ||
328 | ####################################### | |
329 | ## <summary> | |
330 | ## Dontaudit search of user bin dirs. | |
331 | ## </summary> | |
332 | ## <param name="domain"> | |
333 | ## <summary> | |
334 | ## Domain allowed access. | |
335 | ## </summary> | |
336 | ## </param> | |
337 | # | |
338 | interface(`userdom_dontaudit_search_user_bin_dirs',` | |
339 | gen_require(` | |
340 | type home_bin_t; | |
341 | ') | |
342 | ||
343 | dontaudit $1 home_bin_t:dir search_dir_perms; | |
344 | ') | |
345 | ||
346 | ####################################### | |
347 | ## <summary> | |
348 | ## Execute user bin files. | |
349 | ## </summary> | |
350 | ## <param name="domain"> | |
351 | ## <summary> | |
352 | ## Domain allowed access. | |
353 | ## </summary> | |
354 | ## </param> | |
355 | # | |
356 | interface(`userdom_exec_user_bin_files',` | |
357 | gen_require(` | |
358 | attribute user_home_type; | |
359 | type home_bin_t, user_home_dir_t; | |
360 | ') | |
361 | ||
362 | exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) | |
363 | files_search_home($1) | |
bbcd3c97 CP |
364 | ') |
365 | ||
366 | ####################################### | |
367 | ## <summary> | |
296273a7 | 368 | ## The execute access user temporary files. |
bbcd3c97 | 369 | ## </summary> |
296273a7 | 370 | ## <param name="domain"> |
bbcd3c97 | 371 | ## <summary> |
296273a7 | 372 | ## Domain allowed access. |
bbcd3c97 CP |
373 | ## </summary> |
374 | ## </param> | |
375 | ## <rolebase/> | |
376 | # | |
296273a7 CP |
377 | interface(`userdom_exec_user_tmp_files',` |
378 | gen_require(` | |
379 | type user_tmp_t; | |
380 | ') | |
381 | ||
382 | exec_files_pattern($1, user_tmp_t, user_tmp_t) | |
3eaa9939 | 383 | dontaudit $1 user_tmp_t:sock_file execute; |
296273a7 | 384 | files_search_tmp($1) |
bbcd3c97 CP |
385 | ') |
386 | ||
387 | ####################################### | |
388 | ## <summary> | |
296273a7 | 389 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
390 | ## that the user has full access. |
391 | ## </summary> | |
392 | ## <desc> | |
393 | ## <p> | |
296273a7 | 394 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
395 | ## that the user has full access. |
396 | ## </p> | |
397 | ## <p> | |
398 | ## This does not allow execute access. | |
399 | ## </p> | |
400 | ## </desc> | |
296273a7 | 401 | ## <param name="role"> |
bbcd3c97 | 402 | ## <summary> |
296273a7 | 403 | ## Role allowed access. |
bbcd3c97 CP |
404 | ## </summary> |
405 | ## </param> | |
296273a7 | 406 | ## <param name="domain"> |
bbcd3c97 | 407 | ## <summary> |
296273a7 | 408 | ## Domain allowed access. |
bbcd3c97 CP |
409 | ## </summary> |
410 | ## </param> | |
296273a7 | 411 | ## <rolecap/> |
bbcd3c97 | 412 | # |
296273a7 | 413 | interface(`userdom_manage_tmpfs_role',` |
bbcd3c97 | 414 | gen_require(` |
296273a7 | 415 | type user_tmpfs_t; |
bbcd3c97 | 416 | ') |
bbcd3c97 | 417 | |
3eaa9939 DW |
418 | role $1 types user_tmpfs_t; |
419 | ||
296273a7 CP |
420 | manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) |
421 | manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
422 | manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
423 | manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
424 | manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
425 | fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) | |
bbcd3c97 CP |
426 | ') |
427 | ||
428 | ####################################### | |
429 | ## <summary> | |
3eaa9939 | 430 | ## The interface allowing the user basic |
bbcd3c97 CP |
431 | ## network permissions |
432 | ## </summary> | |
3eaa9939 | 433 | ## <param name="userdomain"> |
bbcd3c97 | 434 | ## <summary> |
3eaa9939 | 435 | ## The user domain |
bbcd3c97 CP |
436 | ## </summary> |
437 | ## </param> | |
438 | ## <rolebase/> | |
439 | # | |
3eaa9939 DW |
440 | interface(`userdom_basic_networking',` |
441 | ||
442 | allow $1 self:tcp_socket create_stream_socket_perms; | |
443 | allow $1 self:udp_socket create_socket_perms; | |
444 | ||
445 | corenet_all_recvfrom_unlabeled($1) | |
446 | corenet_all_recvfrom_netlabel($1) | |
447 | corenet_tcp_sendrecv_generic_if($1) | |
448 | corenet_udp_sendrecv_generic_if($1) | |
449 | corenet_tcp_sendrecv_generic_node($1) | |
450 | corenet_udp_sendrecv_generic_node($1) | |
451 | corenet_tcp_sendrecv_all_ports($1) | |
452 | corenet_udp_sendrecv_all_ports($1) | |
453 | corenet_tcp_connect_all_ports($1) | |
454 | corenet_sendrecv_all_client_packets($1) | |
dc1920b2 CP |
455 | |
456 | optional_policy(` | |
3eaa9939 DW |
457 | init_tcp_recvfrom_all_daemons($1) |
458 | init_udp_recvfrom_all_daemons($1) | |
dc1920b2 CP |
459 | ') |
460 | ||
0b6acad1 | 461 | optional_policy(` |
3eaa9939 | 462 | ipsec_match_default_spd($1) |
0b6acad1 | 463 | ') |
3eaa9939 | 464 | |
bbcd3c97 CP |
465 | ') |
466 | ||
467 | ####################################### | |
468 | ## <summary> | |
93c49bdb | 469 | ## The template for creating a user xwindows client. (Deprecated) |
bbcd3c97 CP |
470 | ## </summary> |
471 | ## <param name="userdomain_prefix"> | |
472 | ## <summary> | |
473 | ## The prefix of the user domain (e.g., user | |
474 | ## is the prefix for user_t). | |
475 | ## </summary> | |
476 | ## </param> | |
477 | ## <rolebase/> | |
478 | # | |
479 | template(`userdom_xwindows_client_template',` | |
93c49bdb | 480 | refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') |
bbcd3c97 | 481 | gen_require(` |
296273a7 | 482 | type $1_t, user_tmpfs_t; |
bbcd3c97 CP |
483 | ') |
484 | ||
847937da CP |
485 | dev_rw_xserver_misc($1_t) |
486 | dev_rw_power_management($1_t) | |
487 | dev_read_input($1_t) | |
488 | dev_read_misc($1_t) | |
489 | dev_write_misc($1_t) | |
490 | # open office is looking for the following | |
491 | dev_getattr_agp_dev($1_t) | |
492 | dev_dontaudit_rw_dri($1_t) | |
493 | # GNOME checks for usb and other devices: | |
494 | dev_rw_usbfs($1_t) | |
3eaa9939 | 495 | dev_rw_generic_usb_dev($1_t) |
847937da | 496 | |
4279891d | 497 | xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) |
847937da CP |
498 | xserver_xsession_entry_type($1_t) |
499 | xserver_dontaudit_write_log($1_t) | |
500 | xserver_stream_connect_xdm($1_t) | |
501 | # certain apps want to read xdm.pid file | |
502 | xserver_read_xdm_pid($1_t) | |
503 | # gnome-session creates socket under /tmp/.ICE-unix/ | |
504 | xserver_create_xdm_tmp_sockets($1_t) | |
505 | # Needed for escd, remove if we get escd policy | |
506 | xserver_manage_xdm_tmp_files($1_t) | |
bbcd3c97 CP |
507 | ') |
508 | ||
509 | ####################################### | |
510 | ## <summary> | |
511 | ## The template for allowing the user to change passwords. | |
512 | ## </summary> | |
513 | ## <param name="userdomain_prefix"> | |
514 | ## <summary> | |
515 | ## The prefix of the user domain (e.g., user | |
516 | ## is the prefix for user_t). | |
517 | ## </summary> | |
518 | ## </param> | |
519 | ## <rolebase/> | |
520 | # | |
521 | template(`userdom_change_password_template',` | |
522 | gen_require(` | |
296273a7 | 523 | type $1_t; |
bbcd3c97 CP |
524 | role $1_r; |
525 | ') | |
526 | ||
527 | optional_policy(` | |
296273a7 CP |
528 | usermanage_run_chfn($1_t,$1_r) |
529 | usermanage_run_passwd($1_t,$1_r) | |
bbcd3c97 | 530 | ') |
bbcd3c97 CP |
531 | ') |
532 | ||
533 | ####################################### | |
534 | ## <summary> | |
535 | ## The template containing rules common to unprivileged | |
536 | ## users and administrative users. | |
537 | ## </summary> | |
538 | ## <desc> | |
539 | ## <p> | |
540 | ## This template creates a user domain, types, and | |
541 | ## rules for the user's tty, pty, tmp, and tmpfs files. | |
542 | ## </p> | |
543 | ## </desc> | |
544 | ## <param name="userdomain_prefix"> | |
545 | ## <summary> | |
546 | ## The prefix of the user domain (e.g., user | |
547 | ## is the prefix for user_t). | |
548 | ## </summary> | |
549 | ## </param> | |
550 | # | |
551 | template(`userdom_common_user_template',` | |
563e58e8 CP |
552 | gen_require(` |
553 | attribute unpriv_userdomain; | |
554 | ') | |
bbcd3c97 | 555 | |
3eaa9939 | 556 | userdom_basic_networking($1_usertype) |
bbcd3c97 | 557 | |
bbcd3c97 CP |
558 | ############################## |
559 | # | |
560 | # User domain Local policy | |
561 | # | |
562 | ||
bbcd3c97 CP |
563 | # evolution and gnome-session try to create a netlink socket |
564 | dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; | |
565 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
3eaa9939 DW |
566 | allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; |
567 | allow $1_t self:socket create_socket_perms; | |
bbcd3c97 | 568 | |
3eaa9939 | 569 | allow $1_usertype unpriv_userdomain:fd use; |
bbcd3c97 | 570 | |
3eaa9939 DW |
571 | kernel_read_system_state($1_usertype) |
572 | kernel_read_network_state($1_usertype) | |
573 | kernel_read_net_sysctls($1_usertype) | |
bbcd3c97 | 574 | # Very permissive allowing every domain to see every type: |
3eaa9939 | 575 | kernel_get_sysvipc_info($1_usertype) |
bbcd3c97 | 576 | # Find CDROM devices: |
3eaa9939 DW |
577 | kernel_read_device_sysctls($1_usertype) |
578 | kernel_request_load_module($1_usertype) | |
296273a7 | 579 | |
3eaa9939 DW |
580 | corenet_udp_bind_generic_node($1_usertype) |
581 | corenet_udp_bind_generic_port($1_usertype) | |
bbcd3c97 | 582 | |
3eaa9939 DW |
583 | dev_read_rand($1_usertype) |
584 | dev_write_sound($1_usertype) | |
585 | dev_read_sound($1_usertype) | |
586 | dev_read_sound_mixer($1_usertype) | |
587 | dev_write_sound_mixer($1_usertype) | |
bbcd3c97 | 588 | |
3eaa9939 DW |
589 | files_exec_etc_files($1_usertype) |
590 | files_search_locks($1_usertype) | |
bbcd3c97 | 591 | # Check to see if cdrom is mounted |
3eaa9939 | 592 | files_search_mnt($1_usertype) |
bbcd3c97 | 593 | # cjp: perhaps should cut back on file reads: |
3eaa9939 DW |
594 | files_read_var_files($1_usertype) |
595 | files_read_var_symlinks($1_usertype) | |
596 | files_read_generic_spool($1_usertype) | |
597 | files_read_var_lib_files($1_usertype) | |
bbcd3c97 | 598 | # Stat lost+found. |
3eaa9939 DW |
599 | files_getattr_lost_found_dirs($1_usertype) |
600 | files_read_config_files($1_usertype) | |
601 | fs_read_noxattr_fs_files($1_usertype) | |
602 | fs_read_noxattr_fs_symlinks($1_usertype) | |
603 | fs_rw_cgroup_files($1_usertype) | |
bbcd3c97 | 604 | |
3eaa9939 DW |
605 | logging_send_syslog_msg($1_usertype) |
606 | logging_send_audit_msgs($1_usertype) | |
607 | selinux_get_enforce_mode($1_usertype) | |
e2b9add5 | 608 | |
bbcd3c97 | 609 | # cjp: some of this probably can be removed |
3eaa9939 DW |
610 | selinux_get_fs_mount($1_usertype) |
611 | selinux_validate_context($1_usertype) | |
612 | selinux_compute_access_vector($1_usertype) | |
613 | selinux_compute_create_context($1_usertype) | |
614 | selinux_compute_relabel_context($1_usertype) | |
615 | selinux_compute_user_contexts($1_usertype) | |
bbcd3c97 CP |
616 | |
617 | # for eject | |
3eaa9939 | 618 | storage_getattr_fixed_disk_dev($1_usertype) |
bbcd3c97 | 619 | |
3eaa9939 | 620 | auth_read_login_records($1_usertype) |
296273a7 CP |
621 | auth_run_pam($1_t,$1_r) |
622 | auth_run_utempter($1_t,$1_r) | |
bbcd3c97 | 623 | |
3eaa9939 | 624 | init_read_utmp($1_usertype) |
0c73cd25 | 625 | |
3eaa9939 DW |
626 | seutil_read_file_contexts($1_usertype) |
627 | seutil_read_default_contexts($1_usertype) | |
296273a7 | 628 | seutil_run_newrole($1_t,$1_r) |
6b19be33 | 629 | seutil_exec_checkpolicy($1_t) |
3eaa9939 | 630 | seutil_exec_setfiles($1_usertype) |
bbcd3c97 CP |
631 | # for when the network connection is killed |
632 | # this is needed when a login role can change | |
633 | # to this one. | |
634 | seutil_dontaudit_signal_newrole($1_t) | |
a1fcff33 | 635 | |
34c8fabe | 636 | tunable_policy(`user_direct_mouse',` |
3eaa9939 | 637 | dev_read_mouse($1_usertype) |
34c8fabe | 638 | ') |
0c73cd25 | 639 | |
34c8fabe | 640 | tunable_policy(`user_ttyfile_stat',` |
c3c753f7 | 641 | term_getattr_all_ttys($1_t) |
34c8fabe | 642 | ') |
0c73cd25 | 643 | |
6b19be33 | 644 | optional_policy(` |
3eaa9939 | 645 | alsa_read_rw_config($1_usertype) |
6b19be33 CP |
646 | ') |
647 | ||
bb7170f6 | 648 | optional_policy(` |
ac9aa26d | 649 | # Allow graphical boot to check battery lifespan |
3eaa9939 | 650 | apm_stream_connect($1_usertype) |
ac9aa26d CP |
651 | ') |
652 | ||
bb7170f6 | 653 | optional_policy(` |
3eaa9939 | 654 | canna_stream_connect($1_usertype) |
3509484c CP |
655 | ') |
656 | ||
bb7170f6 | 657 | optional_policy(` |
3eaa9939 DW |
658 | chrome_role($1_r, $1_usertype) |
659 | ') | |
660 | ||
661 | optional_policy(` | |
662 | dbus_system_bus_client($1_usertype) | |
663 | ||
664 | allow $1_usertype $1_usertype:dbus send_msg; | |
665 | ||
666 | optional_policy(` | |
667 | avahi_dbus_chat($1_usertype) | |
668 | ') | |
669 | ||
670 | optional_policy(` | |
671 | policykit_dbus_chat($1_usertype) | |
672 | ') | |
673 | ||
674 | optional_policy(` | |
675 | bluetooth_dbus_chat($1_usertype) | |
676 | ') | |
677 | ||
678 | optional_policy(` | |
679 | consolekit_dbus_chat($1_usertype) | |
680 | consolekit_read_log($1_usertype) | |
681 | ') | |
682 | ||
683 | optional_policy(` | |
684 | devicekit_dbus_chat($1_usertype) | |
685 | devicekit_dbus_chat_power($1_usertype) | |
686 | devicekit_dbus_chat_disk($1_usertype) | |
687 | ') | |
688 | ||
689 | optional_policy(` | |
690 | evolution_dbus_chat($1_usertype) | |
691 | evolution_alarm_dbus_chat($1_usertype) | |
692 | ') | |
d828b5ca | 693 | |
bbcd3c97 | 694 | optional_policy(` |
3eaa9939 | 695 | gnome_dbus_chat_gconfdefault($1_usertype) |
bbcd3c97 CP |
696 | ') |
697 | ||
6b19be33 | 698 | optional_policy(` |
3eaa9939 | 699 | hal_dbus_chat($1_usertype) |
6b19be33 CP |
700 | ') |
701 | ||
bb7170f6 | 702 | optional_policy(` |
3eaa9939 | 703 | modemmanager_dbus_chat($1_usertype) |
9fd4b818 CP |
704 | ') |
705 | ||
bb7170f6 | 706 | optional_policy(` |
3eaa9939 DW |
707 | networkmanager_dbus_chat($1_usertype) |
708 | networkmanager_read_lib_files($1_usertype) | |
ac9aa26d CP |
709 | ') |
710 | ||
bb7170f6 | 711 | optional_policy(` |
3eaa9939 | 712 | vpn_dbus_chat($1_usertype) |
d828b5ca | 713 | ') |
0c3d1705 CP |
714 | ') |
715 | ||
bb7170f6 | 716 | optional_policy(` |
3eaa9939 DW |
717 | git_session_role($1_r, $1_usertype) |
718 | ') | |
719 | ||
720 | optional_policy(` | |
721 | inetd_use_fds($1_usertype) | |
722 | inetd_rw_tcp_sockets($1_usertype) | |
b24f35d8 CP |
723 | ') |
724 | ||
bb7170f6 | 725 | optional_policy(` |
3eaa9939 DW |
726 | inn_read_config($1_usertype) |
727 | inn_read_news_lib($1_usertype) | |
728 | inn_read_news_spool($1_usertype) | |
9b06402e CP |
729 | ') |
730 | ||
6b19be33 | 731 | optional_policy(` |
3eaa9939 | 732 | locate_read_lib_files($1_usertype) |
6b19be33 CP |
733 | ') |
734 | ||
bbcd3c97 CP |
735 | # for running depmod as part of the kernel packaging process |
736 | optional_policy(` | |
3eaa9939 DW |
737 | modutils_read_module_config($1_usertype) |
738 | ') | |
739 | ||
740 | optional_policy(` | |
741 | mta_rw_spool($1_usertype) | |
742 | mta_manage_queue($1_usertype) | |
bbcd3c97 CP |
743 | ') |
744 | ||
cc0c00d0 | 745 | optional_policy(` |
3eaa9939 | 746 | nsplugin_role($1_r, $1_usertype) |
cc0c00d0 CP |
747 | ') |
748 | ||
bb7170f6 | 749 | optional_policy(` |
bbcd3c97 CP |
750 | tunable_policy(`allow_user_mysql_connect',` |
751 | mysql_stream_connect($1_t) | |
42be7c21 CP |
752 | ') |
753 | ') | |
754 | ||
bb7170f6 | 755 | optional_policy(` |
2ec4c9d3 | 756 | # to allow monitoring of pcmcia status |
3eaa9939 | 757 | pcmcia_read_pid($1_usertype) |
2ec4c9d3 CP |
758 | ') |
759 | ||
6b19be33 | 760 | optional_policy(` |
3eaa9939 DW |
761 | pcscd_read_pub_files($1_usertype) |
762 | pcscd_stream_connect($1_usertype) | |
6b19be33 CP |
763 | ') |
764 | ||
cb10a2d5 CP |
765 | optional_policy(` |
766 | tunable_policy(`allow_user_postgresql_connect',` | |
3eaa9939 DW |
767 | postgresql_stream_connect($1_usertype) |
768 | postgresql_tcp_connect($1_usertype) | |
cb10a2d5 CP |
769 | ') |
770 | ') | |
771 | ||
b057be8d | 772 | optional_policy(` |
3eaa9939 | 773 | resmgr_stream_connect($1_usertype) |
b057be8d CP |
774 | ') |
775 | ||
bb7170f6 | 776 | optional_policy(` |
3eaa9939 DW |
777 | rpc_dontaudit_getattr_exports($1_usertype) |
778 | rpc_manage_nfs_rw_content($1_usertype) | |
f00434fa CP |
779 | ') |
780 | ||
bb7170f6 | 781 | optional_policy(` |
3eaa9939 | 782 | rpcbind_stream_connect($1_usertype) |
ac9aa26d CP |
783 | ') |
784 | ||
bb7170f6 | 785 | optional_policy(` |
3eaa9939 | 786 | samba_stream_connect_winbind($1_usertype) |
1d427acc CP |
787 | ') |
788 | ||
bb7170f6 | 789 | optional_policy(` |
3eaa9939 | 790 | sandbox_transition($1_usertype, $1_r) |
8cc49473 | 791 | ') |
3eaa9939 DW |
792 | |
793 | optional_policy(` | |
794 | seunshare_role_template($1, $1_r, $1_t) | |
795 | ') | |
796 | ||
797 | optional_policy(` | |
798 | slrnpull_search_spool($1_usertype) | |
799 | ') | |
800 | ||
2ec4c9d3 | 801 | ') |
b16c6b8c | 802 | |
8fd36732 CP |
803 | ####################################### |
804 | ## <summary> | |
847937da | 805 | ## The template for creating a login user. |
8fd36732 CP |
806 | ## </summary> |
807 | ## <desc> | |
808 | ## <p> | |
809 | ## This template creates a user domain, types, and | |
810 | ## rules for the user's tty, pty, home directories, | |
811 | ## tmp, and tmpfs files. | |
812 | ## </p> | |
813 | ## </desc> | |
814 | ## <param name="userdomain_prefix"> | |
885b83ec | 815 | ## <summary> |
8fd36732 CP |
816 | ## The prefix of the user domain (e.g., user |
817 | ## is the prefix for user_t). | |
885b83ec | 818 | ## </summary> |
8fd36732 | 819 | ## </param> |
b16c6b8c | 820 | # |
847937da | 821 | template(`userdom_login_user_template', ` |
b1a90365 CP |
822 | gen_require(` |
823 | class context contains; | |
824 | ') | |
825 | ||
847937da | 826 | userdom_base_user_template($1) |
563e58e8 | 827 | |
3eaa9939 DW |
828 | userdom_manage_home_role($1_r, $1_usertype) |
829 | ||
830 | userdom_manage_tmp_role($1_r, $1_usertype) | |
831 | userdom_manage_tmpfs_role($1_r, $1_usertype) | |
847937da | 832 | |
3eaa9939 DW |
833 | ifelse(`$1',`unconfined',`',` |
834 | gen_tunable(allow_$1_exec_content, true) | |
847937da | 835 | |
3eaa9939 DW |
836 | tunable_policy(`allow_$1_exec_content',` |
837 | userdom_exec_user_tmp_files($1_usertype) | |
838 | userdom_exec_user_home_content_files($1_usertype) | |
839 | ') | |
840 | tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` | |
841 | fs_exec_nfs_files($1_usertype) | |
842 | ') | |
843 | ||
844 | tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` | |
845 | fs_exec_cifs_files($1_usertype) | |
846 | ') | |
847 | ') | |
847937da CP |
848 | |
849 | userdom_change_password_template($1) | |
563e58e8 | 850 | |
0c73cd25 CP |
851 | ############################## |
852 | # | |
847937da | 853 | # User domain Local policy |
0c73cd25 | 854 | # |
b16c6b8c | 855 | |
847937da CP |
856 | allow $1_t self:capability { setgid chown fowner }; |
857 | dontaudit $1_t self:capability { sys_nice fsetid }; | |
858 | ||
859 | allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; | |
860 | dontaudit $1_t self:process setrlimit; | |
861 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
862 | ||
863 | allow $1_t self:context contains; | |
864 | ||
3eaa9939 DW |
865 | kernel_dontaudit_read_system_state($1_usertype) |
866 | kernel_dontaudit_list_all_proc($1_usertype) | |
847937da | 867 | |
3eaa9939 DW |
868 | dev_read_sysfs($1_usertype) |
869 | dev_read_urand($1_usertype) | |
847937da | 870 | |
3eaa9939 | 871 | domain_use_interactive_fds($1_usertype) |
847937da | 872 | # Command completion can fire hundreds of denials |
3eaa9939 | 873 | domain_dontaudit_exec_all_entry_files($1_usertype) |
847937da | 874 | |
3eaa9939 DW |
875 | files_dontaudit_list_default($1_usertype) |
876 | files_dontaudit_read_default_files($1_usertype) | |
847937da | 877 | # Stat lost+found. |
3eaa9939 | 878 | files_getattr_lost_found_dirs($1_usertype) |
847937da | 879 | |
3eaa9939 DW |
880 | fs_get_all_fs_quotas($1_usertype) |
881 | fs_getattr_all_fs($1_usertype) | |
882 | fs_search_all($1_usertype) | |
883 | fs_list_inotifyfs($1_usertype) | |
884 | fs_rw_anon_inodefs_files($1_usertype) | |
847937da CP |
885 | |
886 | auth_dontaudit_write_login_records($1_t) | |
3eaa9939 | 887 | auth_rw_cache($1_t) |
847937da CP |
888 | |
889 | # The library functions always try to open read-write first, | |
890 | # then fall back to read-only if it fails. | |
3eaa9939 | 891 | init_dontaudit_rw_utmp($1_usertype) |
847937da | 892 | # Stop warnings about access to /dev/console |
3eaa9939 DW |
893 | init_dontaudit_use_fds($1_usertype) |
894 | init_dontaudit_use_script_fds($1_usertype) | |
847937da | 895 | |
3eaa9939 | 896 | libs_exec_lib_files($1_usertype) |
847937da | 897 | |
3eaa9939 | 898 | logging_dontaudit_getattr_all_logs($1_usertype) |
847937da | 899 | |
847937da | 900 | # for running TeX programs |
3eaa9939 DW |
901 | miscfiles_read_tetex_data($1_usertype) |
902 | miscfiles_exec_tetex_data($1_usertype) | |
903 | ||
904 | seutil_read_config($1_usertype) | |
847937da | 905 | |
3eaa9939 DW |
906 | optional_policy(` |
907 | cups_read_config($1_usertype) | |
908 | cups_stream_connect($1_usertype) | |
909 | cups_stream_connect_ptal($1_usertype) | |
910 | ') | |
847937da CP |
911 | |
912 | optional_policy(` | |
3eaa9939 DW |
913 | kerberos_use($1_usertype) |
914 | kerberos_connect_524($1_usertype) | |
847937da CP |
915 | ') |
916 | ||
917 | optional_policy(` | |
3eaa9939 | 918 | mta_dontaudit_read_spool_symlinks($1_usertype) |
847937da CP |
919 | ') |
920 | ||
921 | optional_policy(` | |
3eaa9939 | 922 | quota_dontaudit_getattr_db($1_usertype) |
847937da CP |
923 | ') |
924 | ||
925 | optional_policy(` | |
3eaa9939 DW |
926 | rpm_read_db($1_usertype) |
927 | rpm_dontaudit_manage_db($1_usertype) | |
928 | rpm_read_cache($1_usertype) | |
847937da CP |
929 | ') |
930 | ||
931 | optional_policy(` | |
3eaa9939 | 932 | oddjob_run_mkhomedir($1_t, $1_r) |
847937da CP |
933 | ') |
934 | ') | |
935 | ||
936 | ####################################### | |
937 | ## <summary> | |
938 | ## The template for creating a unprivileged login user. | |
939 | ## </summary> | |
940 | ## <desc> | |
941 | ## <p> | |
942 | ## This template creates a user domain, types, and | |
943 | ## rules for the user's tty, pty, home directories, | |
944 | ## tmp, and tmpfs files. | |
945 | ## </p> | |
946 | ## </desc> | |
947 | ## <param name="userdomain_prefix"> | |
948 | ## <summary> | |
949 | ## The prefix of the user domain (e.g., user | |
950 | ## is the prefix for user_t). | |
951 | ## </summary> | |
952 | ## </param> | |
953 | # | |
954 | template(`userdom_restricted_user_template',` | |
955 | gen_require(` | |
956 | attribute unpriv_userdomain; | |
847937da CP |
957 | ') |
958 | ||
959 | userdom_login_user_template($1) | |
b16c6b8c | 960 | |
0f707d52 | 961 | typeattribute $1_t unpriv_userdomain; |
15722ec9 | 962 | domain_interactive_fd($1_t) |
b16c6b8c | 963 | |
3eaa9939 DW |
964 | allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; |
965 | dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; | |
966 | ||
0c73cd25 CP |
967 | ############################## |
968 | # | |
969 | # Local policy | |
970 | # | |
971 | ||
847937da | 972 | optional_policy(` |
296273a7 | 973 | loadkeys_run($1_t,$1_r) |
847937da CP |
974 | ') |
975 | ') | |
976 | ||
977 | ####################################### | |
978 | ## <summary> | |
979 | ## The template for creating a unprivileged xwindows login user. | |
980 | ## </summary> | |
981 | ## <desc> | |
982 | ## <p> | |
983 | ## The template for creating a unprivileged xwindows login user. | |
984 | ## </p> | |
985 | ## <p> | |
986 | ## This template creates a user domain, types, and | |
987 | ## rules for the user's tty, pty, home directories, | |
988 | ## tmp, and tmpfs files. | |
989 | ## </p> | |
990 | ## </desc> | |
991 | ## <param name="userdomain_prefix"> | |
992 | ## <summary> | |
993 | ## The prefix of the user domain (e.g., user | |
994 | ## is the prefix for user_t). | |
995 | ## </summary> | |
996 | ## </param> | |
997 | # | |
998 | template(`userdom_restricted_xwindows_user_template',` | |
999 | ||
1000 | userdom_restricted_user_template($1) | |
1001 | ||
847937da CP |
1002 | ############################## |
1003 | # | |
1004 | # Local policy | |
1005 | # | |
1006 | ||
296273a7 | 1007 | auth_role($1_r, $1_t) |
3eaa9939 | 1008 | auth_search_pam_console_data($1_usertype) |
847937da | 1009 | |
3eaa9939 DW |
1010 | dev_read_sound($1_usertype) |
1011 | dev_write_sound($1_usertype) | |
847937da | 1012 | # gnome keyring wants to read this. |
3eaa9939 DW |
1013 | dev_dontaudit_read_rand($1_usertype) |
1014 | # temporarily allow since openoffice requires this | |
1015 | dev_read_rand($1_usertype) | |
847937da | 1016 | |
3eaa9939 DW |
1017 | dev_read_video_dev($1_usertype) |
1018 | dev_write_video_dev($1_usertype) | |
1019 | dev_rw_wireless($1_usertype) | |
1020 | ||
1021 | tunable_policy(`user_rw_noexattrfile',` | |
1022 | dev_rw_usbfs($1_t) | |
1023 | dev_rw_generic_usb_dev($1_usertype) | |
1024 | ||
1025 | fs_manage_noxattr_fs_files($1_usertype) | |
1026 | fs_manage_noxattr_fs_dirs($1_usertype) | |
1027 | fs_manage_dos_dirs($1_usertype) | |
1028 | fs_manage_dos_files($1_usertype) | |
1029 | storage_raw_read_removable_device($1_usertype) | |
1030 | storage_raw_write_removable_device($1_usertype) | |
1031 | ') | |
1032 | ||
1033 | logging_send_syslog_msg($1_usertype) | |
847937da CP |
1034 | logging_dontaudit_send_audit_msgs($1_t) |
1035 | ||
1036 | # Need to to this just so screensaver will work. Should be moved to screensaver domain | |
1037 | logging_send_audit_msgs($1_t) | |
1038 | selinux_get_enforce_mode($1_t) | |
3eaa9939 DW |
1039 | seutil_exec_restorecond($1_t) |
1040 | seutil_read_file_contexts($1_t) | |
1041 | seutil_read_default_contexts($1_t) | |
847937da | 1042 | |
93c49bdb CP |
1043 | xserver_restricted_role($1_r, $1_t) |
1044 | ||
847937da | 1045 | optional_policy(` |
3eaa9939 | 1046 | alsa_read_rw_config($1_usertype) |
847937da CP |
1047 | ') |
1048 | ||
1049 | optional_policy(` | |
3eaa9939 DW |
1050 | dbus_role_template($1, $1_r, $1_usertype) |
1051 | dbus_system_bus_client($1_usertype) | |
1052 | allow $1_usertype $1_usertype:dbus send_msg; | |
1053 | ||
1054 | optional_policy(` | |
1055 | abrt_dbus_chat($1_usertype) | |
1056 | abrt_run_helper($1_usertype, $1_r) | |
1057 | ') | |
1058 | ||
1059 | optional_policy(` | |
1060 | consolekit_dbus_chat($1_usertype) | |
1061 | ') | |
1062 | ||
1063 | optional_policy(` | |
1064 | cups_dbus_chat($1_usertype) | |
1065 | cups_dbus_chat_config($1_usertype) | |
1066 | ') | |
847937da CP |
1067 | |
1068 | optional_policy(` | |
3eaa9939 DW |
1069 | devicekit_dbus_chat($1_usertype) |
1070 | devicekit_dbus_chat_disk($1_usertype) | |
1071 | devicekit_dbus_chat_power($1_usertype) | |
847937da CP |
1072 | ') |
1073 | ||
1074 | optional_policy(` | |
3eaa9939 | 1075 | fprintd_dbus_chat($1_t) |
847937da CP |
1076 | ') |
1077 | ') | |
1078 | ||
1079 | optional_policy(` | |
3eaa9939 DW |
1080 | openoffice_role_template($1, $1_r, $1_usertype) |
1081 | ') | |
1082 | ||
1083 | optional_policy(` | |
1084 | policykit_role($1_r, $1_usertype) | |
1085 | ') | |
1086 | ||
1087 | optional_policy(` | |
1088 | pulseaudio_role($1_r, $1_usertype) | |
1089 | ') | |
1090 | ||
1091 | optional_policy(` | |
1092 | rtkit_scheduled($1_usertype) | |
847937da CP |
1093 | ') |
1094 | ||
847937da CP |
1095 | optional_policy(` |
1096 | setroubleshoot_dontaudit_stream_connect($1_t) | |
3eaa9939 DW |
1097 | ') |
1098 | ||
1099 | optional_policy(` | |
1100 | udev_read_db($1_usertype) | |
1101 | ') | |
1102 | ||
1103 | optional_policy(` | |
1104 | wm_role_template($1, $1_r, $1_t) | |
847937da CP |
1105 | ') |
1106 | ') | |
1107 | ||
1108 | ####################################### | |
1109 | ## <summary> | |
1110 | ## The template for creating a unprivileged user roughly | |
1111 | ## equivalent to a regular linux user. | |
1112 | ## </summary> | |
1113 | ## <desc> | |
1114 | ## <p> | |
1115 | ## The template for creating a unprivileged user roughly | |
1116 | ## equivalent to a regular linux user. | |
1117 | ## </p> | |
1118 | ## <p> | |
1119 | ## This template creates a user domain, types, and | |
1120 | ## rules for the user's tty, pty, home directories, | |
1121 | ## tmp, and tmpfs files. | |
1122 | ## </p> | |
1123 | ## </desc> | |
1124 | ## <param name="userdomain_prefix"> | |
1125 | ## <summary> | |
1126 | ## The prefix of the user domain (e.g., user | |
1127 | ## is the prefix for user_t). | |
1128 | ## </summary> | |
1129 | ## </param> | |
1130 | # | |
1131 | template(`userdom_unpriv_user_template', ` | |
1132 | ||
1133 | ############################## | |
1134 | # | |
1135 | # Declarations | |
1136 | # | |
1137 | ||
1138 | # Inherit rules for ordinary users. | |
3eaa9939 | 1139 | userdom_restricted_xwindows_user_template($1) |
847937da CP |
1140 | userdom_common_user_template($1) |
1141 | ||
1142 | ############################## | |
1143 | # | |
1144 | # Local policy | |
1145 | # | |
0c73cd25 CP |
1146 | |
1147 | # port access is audited even if dac would not have allowed it, so dontaudit it here | |
3eaa9939 | 1148 | # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) |
bbcd3c97 CP |
1149 | # Need the following rule to allow users to run vpnc |
1150 | corenet_tcp_bind_xserver_port($1_t) | |
3eaa9939 | 1151 | corenet_tcp_bind_all_nodes($1_usertype) |
0c73cd25 | 1152 | |
3eaa9939 | 1153 | storage_rw_fuse($1_t) |
a1fcff33 | 1154 | |
3eaa9939 | 1155 | miscfiles_read_hwdata($1_usertype) |
0c73cd25 CP |
1156 | |
1157 | # Allow users to run TCP servers (bind to ports and accept connection from | |
6073ea1e | 1158 | # the same domain and outside users) disabling this forces FTP passive mode |
0c73cd25 | 1159 | # and may change other protocols |
34c8fabe | 1160 | tunable_policy(`user_tcp_server',` |
3eaa9939 DW |
1161 | corenet_tcp_bind_all_unreserved_ports($1_usertype) |
1162 | ') | |
1163 | ||
1164 | tunable_policy(`user_setrlimit',` | |
1165 | allow $1_usertype self:process setrlimit; | |
34c8fabe | 1166 | ') |
0c73cd25 | 1167 | |
bb7170f6 | 1168 | optional_policy(` |
3eaa9939 DW |
1169 | cdrecord_role($1_r, $1_t) |
1170 | ') | |
1171 | ||
1172 | optional_policy(` | |
1173 | cron_role($1_r, $1_t) | |
1174 | ') | |
1175 | ||
1176 | optional_policy(` | |
1177 | games_rw_data($1_usertype) | |
1178 | ') | |
1179 | ||
1180 | optional_policy(` | |
1181 | gpg_role($1_r, $1_usertype) | |
1182 | ') | |
1183 | ||
1184 | optional_policy(` | |
1185 | gnomeclock_dbus_chat($1_t) | |
1186 | ') | |
1187 | ||
1188 | optional_policy(` | |
1189 | gpm_stream_connect($1_usertype) | |
1190 | ') | |
1191 | ||
1192 | optional_policy(` | |
1193 | execmem_role_template($1, $1_r, $1_t) | |
1194 | ') | |
1195 | ||
1196 | optional_policy(` | |
1197 | java_role_template($1, $1_r, $1_t) | |
1198 | ') | |
1199 | ||
1200 | optional_policy(` | |
1201 | mono_role_template($1, $1_r, $1_t) | |
1202 | ') | |
1203 | ||
1204 | optional_policy(` | |
1205 | mount_run_fusermount($1_t, $1_r) | |
1206 | ') | |
1207 | ||
1208 | optional_policy(` | |
1209 | wine_role_template($1, $1_r, $1_t) | |
1f91e1bf CP |
1210 | ') |
1211 | ||
bb7170f6 | 1212 | optional_policy(` |
3eaa9939 | 1213 | postfix_run_postdrop($1_t, $1_r) |
e08118a5 CP |
1214 | ') |
1215 | ||
3eaa9939 | 1216 | # Run pppd in pppd_t by default for user |
6b19be33 | 1217 | optional_policy(` |
3eaa9939 | 1218 | ppp_run_cond($1_t, $1_r) |
6b19be33 | 1219 | ') |
b16c6b8c | 1220 | ') |
4d8ddf9a | 1221 | |
8fd36732 CP |
1222 | ####################################### |
1223 | ## <summary> | |
1224 | ## The template for creating an administrative user. | |
1225 | ## </summary> | |
1226 | ## <desc> | |
1227 | ## <p> | |
1228 | ## This template creates a user domain, types, and | |
1229 | ## rules for the user's tty, pty, home directories, | |
1230 | ## tmp, and tmpfs files. | |
1231 | ## </p> | |
2ec4c9d3 | 1232 | ## <p> |
8fd36732 CP |
1233 | ## The privileges given to administrative users are: |
1234 | ## <ul> | |
1235 | ## <li>Raw disk access</li> | |
1236 | ## <li>Set all sysctls</li> | |
1237 | ## <li>All kernel ring buffer controls</li> | |
8fd36732 CP |
1238 | ## <li>Create, read, write, and delete all files but shadow</li> |
1239 | ## <li>Manage source and binary format SELinux policy</li> | |
1240 | ## <li>Run insmod</li> | |
1241 | ## </ul> | |
2ec4c9d3 CP |
1242 | ## </p> |
1243 | ## </desc> | |
8fd36732 | 1244 | ## <param name="userdomain_prefix"> |
885b83ec | 1245 | ## <summary> |
8fd36732 CP |
1246 | ## The prefix of the user domain (e.g., sysadm |
1247 | ## is the prefix for sysadm_t). | |
885b83ec | 1248 | ## </summary> |
8fd36732 | 1249 | ## </param> |
4d8ddf9a | 1250 | # |
bbcd3c97 | 1251 | template(`userdom_admin_user_template',` |
142e9f40 | 1252 | gen_require(` |
0be901ba | 1253 | attribute admindomain; |
3eaa9939 | 1254 | class passwd { passwd chfn chsh rootok crontab }; |
142e9f40 CP |
1255 | ') |
1256 | ||
0c73cd25 CP |
1257 | ############################## |
1258 | # | |
1259 | # Declarations | |
1260 | # | |
1261 | ||
1262 | # Inherit rules for ordinary users. | |
847937da | 1263 | userdom_login_user_template($1) |
bbcd3c97 | 1264 | userdom_common_user_template($1) |
0c73cd25 | 1265 | |
1815bad1 | 1266 | domain_obj_id_change_exemption($1_t) |
0c73cd25 CP |
1267 | role system_r types $1_t; |
1268 | ||
0be901ba | 1269 | typeattribute $1_t admindomain; |
bd75703c | 1270 | |
142e9f40 | 1271 | ifdef(`direct_sysadm_daemon',` |
1815bad1 | 1272 | domain_system_change_exemption($1_t) |
142e9f40 | 1273 | ') |
2a98379a | 1274 | |
0c73cd25 CP |
1275 | ############################## |
1276 | # | |
1277 | # $1_t local policy | |
1278 | # | |
1279 | ||
847937da | 1280 | allow $1_t self:capability ~{ sys_module audit_control audit_write }; |
0c73cd25 | 1281 | allow $1_t self:process { setexec setfscreate }; |
bd75703c CP |
1282 | allow $1_t self:netlink_audit_socket nlmsg_readpriv; |
1283 | allow $1_t self:tun_socket create; | |
0c73cd25 CP |
1284 | # Set password information for other users. |
1285 | allow $1_t self:passwd { passwd chfn chsh }; | |
0c73cd25 CP |
1286 | # Skip authentication when pam_rootok is specified. |
1287 | allow $1_t self:passwd rootok; | |
1288 | ||
3eaa9939 DW |
1289 | # Manipulate other users crontab. |
1290 | allow $1_t self:passwd crontab; | |
1291 | ||
0c73cd25 | 1292 | kernel_read_software_raid_state($1_t) |
445522dc | 1293 | kernel_getattr_core_if($1_t) |
0fd9dc55 | 1294 | kernel_getattr_message_if($1_t) |
0c73cd25 CP |
1295 | kernel_change_ring_buffer_level($1_t) |
1296 | kernel_clear_ring_buffer($1_t) | |
1297 | kernel_read_ring_buffer($1_t) | |
1298 | kernel_get_sysvipc_info($1_t) | |
445522dc | 1299 | kernel_rw_all_sysctls($1_t) |
8fd36732 CP |
1300 | # signal unlabeled processes: |
1301 | kernel_kill_unlabeled($1_t) | |
1302 | kernel_signal_unlabeled($1_t) | |
1303 | kernel_sigstop_unlabeled($1_t) | |
1304 | kernel_signull_unlabeled($1_t) | |
1305 | kernel_sigchld_unlabeled($1_t) | |
3eaa9939 | 1306 | kernel_signal($1_t) |
2ec4c9d3 CP |
1307 | |
1308 | corenet_tcp_bind_generic_port($1_t) | |
1309 | # allow setting up tunnels | |
5b6ddb98 | 1310 | corenet_rw_tun_tap_dev($1_t) |
2ec4c9d3 | 1311 | |
207c4763 CP |
1312 | dev_getattr_generic_blk_files($1_t) |
1313 | dev_getattr_generic_chr_files($1_t) | |
bbcd3c97 CP |
1314 | # for lsof |
1315 | dev_getattr_mtrr_dev($1_t) | |
1316 | # Allow MAKEDEV to work | |
1317 | dev_create_all_blk_files($1_t) | |
1318 | dev_create_all_chr_files($1_t) | |
1319 | dev_delete_all_blk_files($1_t) | |
1320 | dev_delete_all_chr_files($1_t) | |
1321 | dev_rename_all_blk_files($1_t) | |
1322 | dev_rename_all_chr_files($1_t) | |
1323 | dev_create_generic_symlinks($1_t) | |
0c73cd25 | 1324 | |
c9428d33 CP |
1325 | domain_setpriority_all_domains($1_t) |
1326 | domain_read_all_domains_state($1_t) | |
ccc59782 CP |
1327 | domain_getattr_all_domains($1_t) |
1328 | domain_dontaudit_ptrace_all_domains($1_t) | |
0c73cd25 CP |
1329 | # signal all domains: |
1330 | domain_kill_all_domains($1_t) | |
1331 | domain_signal_all_domains($1_t) | |
1332 | domain_signull_all_domains($1_t) | |
1333 | domain_sigstop_all_domains($1_t) | |
1334 | domain_sigstop_all_domains($1_t) | |
1335 | domain_sigchld_all_domains($1_t) | |
2ec4c9d3 CP |
1336 | # for lsof |
1337 | domain_getattr_all_sockets($1_t) | |
3eaa9939 | 1338 | domain_dontaudit_getattr_all_sockets($1_t) |
0c73cd25 | 1339 | |
99505c1c | 1340 | files_exec_usr_src_files($1_t) |
0c73cd25 | 1341 | |
bbcd3c97 | 1342 | fs_getattr_all_fs($1_t) |
3eaa9939 DW |
1343 | fs_getattr_all_files($1_t) |
1344 | fs_list_all($1_t) | |
bbcd3c97 CP |
1345 | fs_set_all_quotas($1_t) |
1346 | fs_exec_noxattr($1_t) | |
1347 | ||
1348 | storage_raw_read_removable_device($1_t) | |
1349 | storage_raw_write_removable_device($1_t) | |
1350 | ||
1351 | term_use_all_terms($1_t) | |
1352 | ||
1353 | auth_getattr_shadow($1_t) | |
1354 | # Manage almost all files | |
1355 | auth_manage_all_files_except_shadow($1_t) | |
1356 | # Relabel almost all files | |
1357 | auth_relabel_all_files_except_shadow($1_t) | |
1358 | ||
1359 | init_telinit($1_t) | |
0c73cd25 | 1360 | |
c9428d33 | 1361 | logging_send_syslog_msg($1_t) |
0c73cd25 | 1362 | |
c9428d33 | 1363 | modutils_domtrans_insmod($1_t) |
3eaa9939 | 1364 | modutils_domtrans_depmod($1_t) |
0c73cd25 | 1365 | |
0c73cd25 CP |
1366 | # The following rule is temporary until such time that a complete |
1367 | # policy management infrastructure is in place so that an administrator | |
1368 | # cannot directly manipulate policy files with arbitrary programs. | |
1815bad1 | 1369 | seutil_manage_src_policy($1_t) |
0c73cd25 CP |
1370 | # Violates the goal of limiting write access to checkpolicy. |
1371 | # But presently necessary for installing the file_contexts file. | |
1815bad1 | 1372 | seutil_manage_bin_policy($1_t) |
0c73cd25 | 1373 | |
296273a7 CP |
1374 | userdom_manage_user_home_content_dirs($1_t) |
1375 | userdom_manage_user_home_content_files($1_t) | |
1376 | userdom_manage_user_home_content_symlinks($1_t) | |
1377 | userdom_manage_user_home_content_pipes($1_t) | |
1378 | userdom_manage_user_home_content_sockets($1_t) | |
1379 | userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) | |
1380 | ||
bbcd3c97 CP |
1381 | tunable_policy(`user_rw_noexattrfile',` |
1382 | fs_manage_noxattr_fs_files($1_t) | |
1383 | fs_manage_noxattr_fs_dirs($1_t) | |
1384 | ',` | |
1385 | fs_read_noxattr_fs_files($1_t) | |
1386 | ') | |
1387 | ||
e8cb08ae CP |
1388 | optional_policy(` |
1389 | postgresql_unconfined($1_t) | |
1390 | ') | |
1391 | ||
6b19be33 CP |
1392 | optional_policy(` |
1393 | userhelper_exec($1_t) | |
1394 | ') | |
1395 | ') | |
1396 | ||
1397 | ######################################## | |
1398 | ## <summary> | |
1399 | ## Allow user to run as a secadm | |
1400 | ## </summary> | |
1401 | ## <desc> | |
1402 | ## <p> | |
1403 | ## Create objects in a user home directory | |
1404 | ## with an automatic type transition to | |
1405 | ## a specified private type. | |
1406 | ## </p> | |
1407 | ## <p> | |
1408 | ## This is a templated interface, and should only | |
1409 | ## be called from a per-userdomain template. | |
1410 | ## </p> | |
1411 | ## </desc> | |
6b19be33 CP |
1412 | ## <param name="domain"> |
1413 | ## <summary> | |
1414 | ## Domain allowed access. | |
1415 | ## </summary> | |
1416 | ## </param> | |
1417 | ## <param name="role"> | |
1418 | ## <summary> | |
1419 | ## The role of the object to create. | |
1420 | ## </summary> | |
1421 | ## </param> | |
6b19be33 CP |
1422 | # |
1423 | template(`userdom_security_admin_template',` | |
1424 | allow $1 self:capability { dac_read_search dac_override }; | |
1425 | ||
1426 | corecmd_exec_shell($1) | |
1427 | ||
1428 | domain_obj_id_change_exemption($1) | |
1429 | ||
1430 | dev_relabel_all_dev_nodes($1) | |
1431 | ||
1432 | files_create_boot_flag($1) | |
3eaa9939 DW |
1433 | files_create_default_dir($1) |
1434 | files_root_filetrans_default($1, dir) | |
6b19be33 CP |
1435 | |
1436 | # Necessary for managing /boot/efi | |
1437 | fs_manage_dos_files($1) | |
1438 | ||
1439 | mls_process_read_up($1) | |
f8233ab7 | 1440 | mls_file_read_all_levels($1) |
6b19be33 CP |
1441 | mls_file_upgrade($1) |
1442 | mls_file_downgrade($1) | |
1443 | ||
1444 | selinux_set_enforce_mode($1) | |
f0435b1a | 1445 | selinux_set_all_booleans($1) |
6b19be33 CP |
1446 | selinux_set_parameters($1) |
1447 | ||
1448 | auth_relabel_all_files_except_shadow($1) | |
1449 | auth_relabel_shadow($1) | |
1450 | ||
1451 | init_exec($1) | |
1452 | ||
1453 | logging_send_syslog_msg($1) | |
1454 | logging_read_audit_log($1) | |
1455 | logging_read_generic_logs($1) | |
1456 | logging_read_audit_config($1) | |
1457 | ||
1458 | seutil_manage_bin_policy($1) | |
296273a7 CP |
1459 | seutil_run_checkpolicy($1,$2) |
1460 | seutil_run_loadpolicy($1,$2) | |
1461 | seutil_run_semanage($1,$2) | |
3eaa9939 | 1462 | seutil_run_setsebool($1,$2) |
296273a7 | 1463 | seutil_run_setfiles($1, $2) |
6b19be33 CP |
1464 | |
1465 | optional_policy(` | |
296273a7 | 1466 | aide_run($1,$2) |
6b19be33 CP |
1467 | ') |
1468 | ||
1469 | optional_policy(` | |
1470 | consoletype_exec($1) | |
1471 | ') | |
1472 | ||
1473 | optional_policy(` | |
1474 | dmesg_exec($1) | |
1475 | ') | |
1476 | ||
9e8f65c8 | 1477 | optional_policy(` |
296273a7 | 1478 | ipsec_run_setkey($1,$2) |
9e8f65c8 CP |
1479 | ') |
1480 | ||
6b19be33 | 1481 | optional_policy(` |
296273a7 | 1482 | netlabel_run_mgmt($1,$2) |
a1fcff33 | 1483 | ') |
4d8ddf9a | 1484 | ') |
490639cd | 1485 | |
b1bf2f78 CP |
1486 | ######################################## |
1487 | ## <summary> | |
296273a7 CP |
1488 | ## Make the specified type usable in a |
1489 | ## user home directory. | |
b1bf2f78 | 1490 | ## </summary> |
296273a7 | 1491 | ## <param name="type"> |
b1bf2f78 | 1492 | ## <summary> |
296273a7 CP |
1493 | ## Type to be used as a file in the |
1494 | ## user home directory. | |
b1bf2f78 CP |
1495 | ## </summary> |
1496 | ## </param> | |
b1bf2f78 | 1497 | # |
296273a7 CP |
1498 | interface(`userdom_user_home_content',` |
1499 | gen_require(` | |
1500 | type user_home_t; | |
3eaa9939 | 1501 | attribute user_home_type; |
296273a7 CP |
1502 | ') |
1503 | ||
1504 | allow $1 user_home_t:filesystem associate; | |
1505 | files_type($1) | |
1506 | ubac_constrained($1) | |
3eaa9939 DW |
1507 | |
1508 | files_poly_member($1) | |
1509 | typeattribute $1 user_home_type; | |
b1bf2f78 CP |
1510 | ') |
1511 | ||
bd75703c CP |
1512 | ######################################## |
1513 | ## <summary> | |
1514 | ## Allow domain to attach to TUN devices created by administrative users. | |
1515 | ## </summary> | |
1516 | ## <param name="domain"> | |
1517 | ## <summary> | |
1518 | ## Domain allowed access. | |
1519 | ## </summary> | |
1520 | ## </param> | |
1521 | # | |
1522 | interface(`userdom_attach_admin_tun_iface',` | |
1523 | gen_require(` | |
0be901ba | 1524 | attribute admindomain; |
bd75703c CP |
1525 | ') |
1526 | ||
0be901ba | 1527 | allow $1 admindomain:tun_socket relabelfrom; |
bd75703c CP |
1528 | allow $1 self:tun_socket relabelto; |
1529 | ') | |
1530 | ||
b1bf2f78 CP |
1531 | ######################################## |
1532 | ## <summary> | |
296273a7 | 1533 | ## Set the attributes of a user pty. |
b1bf2f78 | 1534 | ## </summary> |
296273a7 | 1535 | ## <param name="domain"> |
b1bf2f78 | 1536 | ## <summary> |
296273a7 | 1537 | ## Domain allowed access. |
b1bf2f78 CP |
1538 | ## </summary> |
1539 | ## </param> | |
b1bf2f78 | 1540 | # |
296273a7 CP |
1541 | interface(`userdom_setattr_user_ptys',` |
1542 | gen_require(` | |
1543 | type user_devpts_t; | |
1544 | ') | |
1545 | ||
bf530f53 | 1546 | allow $1 user_devpts_t:chr_file setattr_chr_file_perms; |
b1bf2f78 CP |
1547 | ') |
1548 | ||
1549 | ######################################## | |
1550 | ## <summary> | |
296273a7 | 1551 | ## Create a user pty. |
b1bf2f78 | 1552 | ## </summary> |
296273a7 | 1553 | ## <param name="domain"> |
b1bf2f78 | 1554 | ## <summary> |
296273a7 | 1555 | ## Domain allowed access. |
b1bf2f78 CP |
1556 | ## </summary> |
1557 | ## </param> | |
b1bf2f78 | 1558 | # |
296273a7 CP |
1559 | interface(`userdom_create_user_pty',` |
1560 | gen_require(` | |
1561 | type user_devpts_t; | |
1562 | ') | |
1563 | ||
1564 | term_create_pty($1, user_devpts_t) | |
b1bf2f78 CP |
1565 | ') |
1566 | ||
1567 | ######################################## | |
1568 | ## <summary> | |
296273a7 | 1569 | ## Get the attributes of user home directories. |
b1bf2f78 | 1570 | ## </summary> |
296273a7 | 1571 | ## <param name="domain"> |
b1bf2f78 | 1572 | ## <summary> |
296273a7 | 1573 | ## Domain allowed access. |
b1bf2f78 CP |
1574 | ## </summary> |
1575 | ## </param> | |
b1bf2f78 | 1576 | # |
296273a7 CP |
1577 | interface(`userdom_getattr_user_home_dirs',` |
1578 | gen_require(` | |
1579 | type user_home_dir_t; | |
1580 | ') | |
1581 | ||
1582 | allow $1 user_home_dir_t:dir getattr_dir_perms; | |
1583 | files_search_home($1) | |
b1bf2f78 CP |
1584 | ') |
1585 | ||
1586 | ######################################## | |
1587 | ## <summary> | |
296273a7 | 1588 | ## Do not audit attempts to get the attributes of user home directories. |
b1bf2f78 | 1589 | ## </summary> |
296273a7 | 1590 | ## <param name="domain"> |
b1bf2f78 | 1591 | ## <summary> |
a0546c9d | 1592 | ## Domain to not audit. |
b1bf2f78 CP |
1593 | ## </summary> |
1594 | ## </param> | |
b1bf2f78 | 1595 | # |
296273a7 CP |
1596 | interface(`userdom_dontaudit_getattr_user_home_dirs',` |
1597 | gen_require(` | |
1598 | type user_home_dir_t; | |
1599 | ') | |
1600 | ||
1601 | dontaudit $1 user_home_dir_t:dir getattr_dir_perms; | |
b1bf2f78 CP |
1602 | ') |
1603 | ||
1604 | ######################################## | |
1605 | ## <summary> | |
296273a7 | 1606 | ## Search user home directories. |
b1bf2f78 | 1607 | ## </summary> |
296273a7 | 1608 | ## <param name="domain"> |
b1bf2f78 | 1609 | ## <summary> |
296273a7 | 1610 | ## Domain allowed access. |
b1bf2f78 CP |
1611 | ## </summary> |
1612 | ## </param> | |
b1bf2f78 | 1613 | # |
296273a7 CP |
1614 | interface(`userdom_search_user_home_dirs',` |
1615 | gen_require(` | |
1616 | type user_home_dir_t; | |
1617 | ') | |
1618 | ||
1619 | allow $1 user_home_dir_t:dir search_dir_perms; | |
3eaa9939 | 1620 | allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; |
296273a7 | 1621 | files_search_home($1) |
b1bf2f78 CP |
1622 | ') |
1623 | ||
1624 | ######################################## | |
1625 | ## <summary> | |
c46376e6 | 1626 | ## Do not audit attempts to search user home directories. |
b1bf2f78 | 1627 | ## </summary> |
c46376e6 CP |
1628 | ## <desc> |
1629 | ## <p> | |
1630 | ## Do not audit attempts to search user home directories. | |
1631 | ## This will supress SELinux denial messages when the specified | |
1632 | ## domain is denied the permission to search these directories. | |
1633 | ## </p> | |
1634 | ## </desc> | |
296273a7 | 1635 | ## <param name="domain"> |
b1bf2f78 | 1636 | ## <summary> |
c46376e6 | 1637 | ## Domain to not audit. |
b1bf2f78 CP |
1638 | ## </summary> |
1639 | ## </param> | |
c46376e6 | 1640 | ## <infoflow type="none"/> |
b1bf2f78 | 1641 | # |
296273a7 CP |
1642 | interface(`userdom_dontaudit_search_user_home_dirs',` |
1643 | gen_require(` | |
1644 | type user_home_dir_t; | |
1645 | ') | |
1646 | ||
1647 | dontaudit $1 user_home_dir_t:dir search_dir_perms; | |
b1bf2f78 CP |
1648 | ') |
1649 | ||
1650 | ######################################## | |
1651 | ## <summary> | |
ff8f0a63 | 1652 | ## List user home directories. |
b1bf2f78 | 1653 | ## </summary> |
296273a7 | 1654 | ## <param name="domain"> |
b1bf2f78 | 1655 | ## <summary> |
ff8f0a63 | 1656 | ## Domain allowed access. |
b1bf2f78 CP |
1657 | ## </summary> |
1658 | ## </param> | |
b1bf2f78 | 1659 | # |
296273a7 CP |
1660 | interface(`userdom_list_user_home_dirs',` |
1661 | gen_require(` | |
1662 | type user_home_dir_t; | |
1663 | ') | |
b1bf2f78 | 1664 | |
296273a7 CP |
1665 | allow $1 user_home_dir_t:dir list_dir_perms; |
1666 | files_search_home($1) | |
3eaa9939 DW |
1667 | |
1668 | tunable_policy(`use_nfs_home_dirs',` | |
1669 | fs_list_nfs($1) | |
1670 | ') | |
1671 | ||
1672 | tunable_policy(`use_samba_home_dirs',` | |
1673 | fs_list_cifs($1) | |
1674 | ') | |
de8af9dc CP |
1675 | ') |
1676 | ||
7c2f5a82 CP |
1677 | ######################################## |
1678 | ## <summary> | |
296273a7 | 1679 | ## Do not audit attempts to list user home subdirectories. |
7c2f5a82 CP |
1680 | ## </summary> |
1681 | ## <param name="domain"> | |
885b83ec | 1682 | ## <summary> |
a7ee7f81 | 1683 | ## Domain to not audit. |
885b83ec | 1684 | ## </summary> |
7c2f5a82 CP |
1685 | ## </param> |
1686 | # | |
296273a7 | 1687 | interface(`userdom_dontaudit_list_user_home_dirs',` |
7c2f5a82 | 1688 | gen_require(` |
296273a7 | 1689 | type user_home_dir_t; |
3eaa9939 | 1690 | type user_home_t; |
7c2f5a82 CP |
1691 | ') |
1692 | ||
296273a7 | 1693 | dontaudit $1 user_home_dir_t:dir list_dir_perms; |
3eaa9939 | 1694 | dontaudit $1 user_home_t:dir list_dir_perms; |
7c2f5a82 CP |
1695 | ') |
1696 | ||
1697 | ######################################## | |
1698 | ## <summary> | |
296273a7 | 1699 | ## Create user home directories. |
7c2f5a82 CP |
1700 | ## </summary> |
1701 | ## <param name="domain"> | |
885b83ec | 1702 | ## <summary> |
7c2f5a82 | 1703 | ## Domain allowed access. |
885b83ec | 1704 | ## </summary> |
7c2f5a82 CP |
1705 | ## </param> |
1706 | # | |
296273a7 CP |
1707 | interface(`userdom_create_user_home_dirs',` |
1708 | gen_require(` | |
1709 | type user_home_dir_t; | |
1710 | ') | |
1711 | ||
1712 | allow $1 user_home_dir_t:dir create_dir_perms; | |
7c2f5a82 CP |
1713 | ') |
1714 | ||
1715 | ######################################## | |
1716 | ## <summary> | |
296273a7 | 1717 | ## Create user home directories. |
7c2f5a82 CP |
1718 | ## </summary> |
1719 | ## <param name="domain"> | |
885b83ec | 1720 | ## <summary> |
7c2f5a82 | 1721 | ## Domain allowed access. |
885b83ec | 1722 | ## </summary> |
7c2f5a82 CP |
1723 | ## </param> |
1724 | # | |
296273a7 | 1725 | interface(`userdom_manage_user_home_dirs',` |
7c2f5a82 | 1726 | gen_require(` |
296273a7 | 1727 | type user_home_dir_t; |
7c2f5a82 CP |
1728 | ') |
1729 | ||
296273a7 | 1730 | allow $1 user_home_dir_t:dir manage_dir_perms; |
7c2f5a82 CP |
1731 | ') |
1732 | ||
d490eb6b | 1733 | ######################################## |
ab940a4c | 1734 | ## <summary> |
296273a7 | 1735 | ## Relabel to user home directories. |
ab940a4c | 1736 | ## </summary> |
414e4151 | 1737 | ## <param name="domain"> |
885b83ec | 1738 | ## <summary> |
725926c5 | 1739 | ## Domain allowed access. |
885b83ec | 1740 | ## </summary> |
414e4151 | 1741 | ## </param> |
d490eb6b | 1742 | # |
296273a7 CP |
1743 | interface(`userdom_relabelto_user_home_dirs',` |
1744 | gen_require(` | |
1745 | type user_home_dir_t; | |
1746 | ') | |
d490eb6b | 1747 | |
296273a7 | 1748 | allow $1 user_home_dir_t:dir relabelto; |
7c2f5a82 CP |
1749 | ') |
1750 | ||
3eaa9939 DW |
1751 | |
1752 | ######################################## | |
1753 | ## <summary> | |
1754 | ## Relabel to user home files. | |
1755 | ## </summary> | |
1756 | ## <param name="domain"> | |
1757 | ## <summary> | |
1758 | ## Domain allowed access. | |
1759 | ## </summary> | |
1760 | ## </param> | |
1761 | # | |
1762 | interface(`userdom_relabelto_user_home_files',` | |
1763 | gen_require(` | |
1764 | type user_home_t; | |
1765 | ') | |
1766 | ||
1767 | allow $1 user_home_t:file relabelto; | |
1768 | ') | |
1769 | ######################################## | |
1770 | ## <summary> | |
1771 | ## Relabel user home files. | |
1772 | ## </summary> | |
1773 | ## <param name="domain"> | |
1774 | ## <summary> | |
1775 | ## Domain allowed access. | |
1776 | ## </summary> | |
1777 | ## </param> | |
1778 | # | |
1779 | interface(`userdom_relabel_user_home_files',` | |
1780 | gen_require(` | |
1781 | type user_home_t; | |
1782 | ') | |
1783 | ||
1784 | allow $1 user_home_t:file { relabelto relabelfrom }; | |
1785 | ') | |
1786 | ||
7c2f5a82 CP |
1787 | ######################################## |
1788 | ## <summary> | |
296273a7 CP |
1789 | ## Create directories in the home dir root with |
1790 | ## the user home directory type. | |
7c2f5a82 CP |
1791 | ## </summary> |
1792 | ## <param name="domain"> | |
885b83ec | 1793 | ## <summary> |
7c2f5a82 | 1794 | ## Domain allowed access. |
885b83ec | 1795 | ## </summary> |
7c2f5a82 CP |
1796 | ## </param> |
1797 | # | |
296273a7 CP |
1798 | interface(`userdom_home_filetrans_user_home_dir',` |
1799 | gen_require(` | |
1800 | type user_home_dir_t; | |
1801 | ') | |
7c2f5a82 | 1802 | |
296273a7 | 1803 | files_home_filetrans($1, user_home_dir_t, dir) |
7c2f5a82 CP |
1804 | ') |
1805 | ||
d42c7ede CP |
1806 | ######################################## |
1807 | ## <summary> | |
296273a7 CP |
1808 | ## Do a domain transition to the specified |
1809 | ## domain when executing a program in the | |
1810 | ## user home directory. | |
d42c7ede CP |
1811 | ## </summary> |
1812 | ## <desc> | |
1813 | ## <p> | |
296273a7 CP |
1814 | ## Do a domain transition to the specified |
1815 | ## domain when executing a program in the | |
1816 | ## user home directory. | |
d42c7ede CP |
1817 | ## </p> |
1818 | ## <p> | |
296273a7 CP |
1819 | ## No interprocess communication (signals, pipes, |
1820 | ## etc.) is provided by this interface since | |
1821 | ## the domains are not owned by this module. | |
d42c7ede CP |
1822 | ## </p> |
1823 | ## </desc> | |
296273a7 | 1824 | ## <param name="source_domain"> |
d42c7ede | 1825 | ## <summary> |
a0546c9d | 1826 | ## Domain allowed to transition. |
d42c7ede CP |
1827 | ## </summary> |
1828 | ## </param> | |
296273a7 | 1829 | ## <param name="target_domain"> |
d42c7ede | 1830 | ## <summary> |
296273a7 | 1831 | ## Domain to transition to. |
d42c7ede CP |
1832 | ## </summary> |
1833 | ## </param> | |
1834 | # | |
296273a7 CP |
1835 | interface(`userdom_user_home_domtrans',` |
1836 | gen_require(` | |
1837 | type user_home_dir_t, user_home_t; | |
1838 | ') | |
d42c7ede | 1839 | |
296273a7 CP |
1840 | domain_auto_trans($1, user_home_t, $2) |
1841 | allow $1 user_home_dir_t:dir search_dir_perms; | |
1842 | files_search_home($1) | |
d42c7ede CP |
1843 | ') |
1844 | ||
ae9e2716 CP |
1845 | ######################################## |
1846 | ## <summary> | |
296273a7 | 1847 | ## Do not audit attempts to search user home content directories. |
ae9e2716 CP |
1848 | ## </summary> |
1849 | ## <param name="domain"> | |
885b83ec | 1850 | ## <summary> |
a7ee7f81 | 1851 | ## Domain to not audit. |
885b83ec | 1852 | ## </summary> |
ae9e2716 CP |
1853 | ## </param> |
1854 | # | |
296273a7 CP |
1855 | interface(`userdom_dontaudit_search_user_home_content',` |
1856 | gen_require(` | |
1857 | type user_home_t; | |
1858 | ') | |
ae9e2716 | 1859 | |
296273a7 | 1860 | dontaudit $1 user_home_t:dir search_dir_perms; |
3eaa9939 DW |
1861 | fs_dontaudit_list_nfs($1) |
1862 | fs_dontaudit_list_cifs($1) | |
ae9e2716 CP |
1863 | ') |
1864 | ||
2d743657 CP |
1865 | ######################################## |
1866 | ## <summary> | |
1867 | ## List contents of users home directory. | |
1868 | ## </summary> | |
1869 | ## <param name="domain"> | |
1870 | ## <summary> | |
1871 | ## Domain allowed access. | |
1872 | ## </summary> | |
1873 | ## </param> | |
1874 | # | |
1875 | interface(`userdom_list_user_home_content',` | |
1876 | gen_require(` | |
3eaa9939 DW |
1877 | type user_home_dir_t; |
1878 | attribute user_home_type; | |
2d743657 CP |
1879 | ') |
1880 | ||
3eaa9939 DW |
1881 | files_list_home($1) |
1882 | allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; | |
2d743657 CP |
1883 | ') |
1884 | ||
cdc86ee5 CP |
1885 | ######################################## |
1886 | ## <summary> | |
296273a7 CP |
1887 | ## Create, read, write, and delete directories |
1888 | ## in a user home subdirectory. | |
cdc86ee5 CP |
1889 | ## </summary> |
1890 | ## <param name="domain"> | |
1891 | ## <summary> | |
1892 | ## Domain allowed access. | |
1893 | ## </summary> | |
1894 | ## </param> | |
1895 | # | |
296273a7 CP |
1896 | interface(`userdom_manage_user_home_content_dirs',` |
1897 | gen_require(` | |
1898 | type user_home_dir_t, user_home_t; | |
1899 | ') | |
1900 | ||
1901 | manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) | |
1902 | files_search_home($1) | |
cdc86ee5 CP |
1903 | ') |
1904 | ||
4083191c CP |
1905 | ######################################## |
1906 | ## <summary> | |
1907 | ## Delete directories in a user home subdirectory. | |
1908 | ## </summary> | |
1909 | ## <param name="domain"> | |
1910 | ## <summary> | |
1911 | ## Domain allowed access. | |
1912 | ## </summary> | |
1913 | ## </param> | |
1914 | # | |
1915 | interface(`userdom_delete_user_home_content_dirs',` | |
1916 | gen_require(` | |
1917 | type user_home_t; | |
1918 | ') | |
1919 | ||
1920 | allow $1 user_home_t:dir delete_dir_perms; | |
1921 | ') | |
1922 | ||
3eaa9939 DW |
1923 | ######################################## |
1924 | ## <summary> | |
1925 | ## Set the attributes of user home files. | |
1926 | ## </summary> | |
1927 | ## <param name="domain"> | |
1928 | ## <summary> | |
1929 | ## Domain allowed access. | |
1930 | ## </summary> | |
1931 | ## </param> | |
1932 | ## <rolecap/> | |
1933 | # | |
1934 | interface(`userdom_setattr_user_home_content_files',` | |
1935 | gen_require(` | |
1936 | type user_home_t; | |
1937 | ') | |
1938 | ||
1939 | allow $1 user_home_t:file setattr; | |
1940 | ') | |
1941 | ||
d6d16b97 CP |
1942 | ######################################## |
1943 | ## <summary> | |
296273a7 CP |
1944 | ## Do not audit attempts to set the |
1945 | ## attributes of user home files. | |
d6d16b97 CP |
1946 | ## </summary> |
1947 | ## <param name="domain"> | |
1948 | ## <summary> | |
a0546c9d | 1949 | ## Domain to not audit. |
d6d16b97 CP |
1950 | ## </summary> |
1951 | ## </param> | |
1952 | # | |
296273a7 CP |
1953 | interface(`userdom_dontaudit_setattr_user_home_content_files',` |
1954 | gen_require(` | |
1955 | type user_home_t; | |
1956 | ') | |
d6d16b97 | 1957 | |
bf530f53 | 1958 | dontaudit $1 user_home_t:file setattr_file_perms; |
b0d2243c CP |
1959 | ') |
1960 | ||
fd89e19f CP |
1961 | ######################################## |
1962 | ## <summary> | |
296273a7 | 1963 | ## Mmap user home files. |
fd89e19f CP |
1964 | ## </summary> |
1965 | ## <param name="domain"> | |
885b83ec | 1966 | ## <summary> |
725926c5 | 1967 | ## Domain allowed access. |
885b83ec | 1968 | ## </summary> |
fd89e19f CP |
1969 | ## </param> |
1970 | # | |
296273a7 CP |
1971 | interface(`userdom_mmap_user_home_content_files',` |
1972 | gen_require(` | |
1973 | type user_home_dir_t, user_home_t; | |
1974 | ') | |
fd89e19f | 1975 | |
296273a7 CP |
1976 | mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
1977 | files_search_home($1) | |
1f91e1bf CP |
1978 | ') |
1979 | ||
725926c5 CP |
1980 | ######################################## |
1981 | ## <summary> | |
296273a7 | 1982 | ## Read user home files. |
725926c5 CP |
1983 | ## </summary> |
1984 | ## <param name="domain"> | |
885b83ec | 1985 | ## <summary> |
725926c5 | 1986 | ## Domain allowed access. |
885b83ec | 1987 | ## </summary> |
725926c5 CP |
1988 | ## </param> |
1989 | # | |
296273a7 CP |
1990 | interface(`userdom_read_user_home_content_files',` |
1991 | gen_require(` | |
1992 | type user_home_dir_t, user_home_t; | |
1993 | ') | |
1994 | ||
3eaa9939 | 1995 | list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) |
296273a7 CP |
1996 | read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
1997 | files_search_home($1) | |
725926c5 CP |
1998 | ') |
1999 | ||
daa0e0b0 | 2000 | ######################################## |
ab940a4c | 2001 | ## <summary> |
3eaa9939 | 2002 | ## Do not audit attempts to getattr user home files. |
ab940a4c | 2003 | ## </summary> |
414e4151 | 2004 | ## <param name="domain"> |
885b83ec | 2005 | ## <summary> |
296273a7 | 2006 | ## Domain to not audit. |
885b83ec | 2007 | ## </summary> |
414e4151 | 2008 | ## </param> |
490639cd | 2009 | # |
3eaa9939 | 2010 | interface(`userdom_dontaudit_getattr_user_home_content',` |
296273a7 | 2011 | gen_require(` |
3eaa9939 | 2012 | attribute user_home_type; |
296273a7 CP |
2013 | ') |
2014 | ||
3eaa9939 DW |
2015 | dontaudit $1 user_home_type:dir getattr; |
2016 | dontaudit $1 user_home_type:file getattr; | |
2017 | ') | |
2018 | ||
2019 | ######################################## | |
2020 | ## <summary> | |
2021 | ## Do not audit attempts to read user home files. | |
2022 | ## </summary> | |
2023 | ## <param name="domain"> | |
2024 | ## <summary> | |
2025 | ## Domain to not audit. | |
2026 | ## </summary> | |
2027 | ## </param> | |
2028 | # | |
2029 | interface(`userdom_dontaudit_read_user_home_content_files',` | |
2030 | gen_require(` | |
2031 | attribute user_home_type; | |
2032 | type user_home_dir_t; | |
2033 | ') | |
2034 | ||
2035 | dontaudit $1 user_home_dir_t:dir list_dir_perms; | |
2036 | dontaudit $1 user_home_type:dir list_dir_perms; | |
2037 | dontaudit $1 user_home_type:file read_file_perms; | |
2038 | dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; | |
fd89e19f CP |
2039 | ') |
2040 | ||
50aca6d2 CP |
2041 | ######################################## |
2042 | ## <summary> | |
296273a7 | 2043 | ## Do not audit attempts to append user home files. |
50aca6d2 CP |
2044 | ## </summary> |
2045 | ## <param name="domain"> | |
885b83ec | 2046 | ## <summary> |
50aca6d2 | 2047 | ## Domain to not audit. |
885b83ec | 2048 | ## </summary> |
50aca6d2 CP |
2049 | ## </param> |
2050 | # | |
296273a7 CP |
2051 | interface(`userdom_dontaudit_append_user_home_content_files',` |
2052 | gen_require(` | |
2053 | type user_home_t; | |
2054 | ') | |
2055 | ||
bf530f53 | 2056 | dontaudit $1 user_home_t:file append_file_perms; |
50aca6d2 CP |
2057 | ') |
2058 | ||
fd89e19f CP |
2059 | ######################################## |
2060 | ## <summary> | |
296273a7 | 2061 | ## Do not audit attempts to write user home files. |
fd89e19f CP |
2062 | ## </summary> |
2063 | ## <param name="domain"> | |
885b83ec | 2064 | ## <summary> |
296273a7 | 2065 | ## Domain to not audit. |
885b83ec | 2066 | ## </summary> |
fd89e19f CP |
2067 | ## </param> |
2068 | # | |
296273a7 CP |
2069 | interface(`userdom_dontaudit_write_user_home_content_files',` |
2070 | gen_require(` | |
2071 | type user_home_t; | |
2072 | ') | |
2073 | ||
bf530f53 | 2074 | dontaudit $1 user_home_t:file write_file_perms; |
daa0e0b0 CP |
2075 | ') |
2076 | ||
4083191c CP |
2077 | ######################################## |
2078 | ## <summary> | |
2079 | ## Delete files in a user home subdirectory. | |
2080 | ## </summary> | |
2081 | ## <param name="domain"> | |
2082 | ## <summary> | |
2083 | ## Domain allowed access. | |
2084 | ## </summary> | |
2085 | ## </param> | |
2086 | # | |
2087 | interface(`userdom_delete_user_home_content_files',` | |
2088 | gen_require(` | |
2089 | type user_home_t; | |
2090 | ') | |
2091 | ||
2092 | allow $1 user_home_t:file delete_file_perms; | |
2093 | ') | |
2094 | ||
d4dca585 CP |
2095 | ######################################## |
2096 | ## <summary> | |
296273a7 | 2097 | ## Do not audit attempts to write user home files. |
d4dca585 CP |
2098 | ## </summary> |
2099 | ## <param name="domain"> | |
885b83ec | 2100 | ## <summary> |
d4dca585 | 2101 | ## Domain to not audit. |
885b83ec | 2102 | ## </summary> |
d4dca585 CP |
2103 | ## </param> |
2104 | # | |
296273a7 CP |
2105 | interface(`userdom_dontaudit_relabel_user_home_content_files',` |
2106 | gen_require(` | |
2107 | type user_home_t; | |
2108 | ') | |
2109 | ||
2110 | dontaudit $1 user_home_t:file relabel_file_perms; | |
d4dca585 CP |
2111 | ') |
2112 | ||
0404a390 | 2113 | ######################################## |
ab940a4c | 2114 | ## <summary> |
296273a7 | 2115 | ## Read user home subdirectory symbolic links. |
ab940a4c | 2116 | ## </summary> |
414e4151 | 2117 | ## <param name="domain"> |
885b83ec | 2118 | ## <summary> |
725926c5 | 2119 | ## Domain allowed access. |
885b83ec | 2120 | ## </summary> |
414e4151 | 2121 | ## </param> |
0404a390 | 2122 | # |
296273a7 CP |
2123 | interface(`userdom_read_user_home_content_symlinks',` |
2124 | gen_require(` | |
2125 | type user_home_dir_t, user_home_t; | |
2126 | ') | |
2127 | ||
3eaa9939 | 2128 | allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; |
daa0e0b0 CP |
2129 | ') |
2130 | ||
763c441e | 2131 | ######################################## |
ab940a4c | 2132 | ## <summary> |
296273a7 | 2133 | ## Execute user home files. |
ab940a4c | 2134 | ## </summary> |
414e4151 | 2135 | ## <param name="domain"> |
885b83ec | 2136 | ## <summary> |
296273a7 | 2137 | ## Domain allowed access. |
885b83ec | 2138 | ## </summary> |
414e4151 | 2139 | ## </param> |
296273a7 | 2140 | ## <rolecap/> |
763c441e | 2141 | # |
296273a7 CP |
2142 | interface(`userdom_exec_user_home_content_files',` |
2143 | gen_require(` | |
3eaa9939 DW |
2144 | type user_home_dir_t; |
2145 | attribute user_home_type; | |
296273a7 CP |
2146 | ') |
2147 | ||
2148 | files_search_home($1) | |
3eaa9939 DW |
2149 | exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) |
2150 | dontaudit $1 user_home_type:sock_file execute; | |
296273a7 | 2151 | ') |
763c441e | 2152 | |
fd89e19f CP |
2153 | ######################################## |
2154 | ## <summary> | |
296273a7 | 2155 | ## Do not audit attempts to execute user home files. |
fd89e19f CP |
2156 | ## </summary> |
2157 | ## <param name="domain"> | |
885b83ec | 2158 | ## <summary> |
a0546c9d | 2159 | ## Domain to not audit. |
885b83ec | 2160 | ## </summary> |
fd89e19f CP |
2161 | ## </param> |
2162 | # | |
296273a7 CP |
2163 | interface(`userdom_dontaudit_exec_user_home_content_files',` |
2164 | gen_require(` | |
2165 | type user_home_t; | |
2166 | ') | |
2167 | ||
bf530f53 | 2168 | dontaudit $1 user_home_t:file exec_file_perms; |
fd89e19f CP |
2169 | ') |
2170 | ||
2171 | ######################################## | |
2172 | ## <summary> | |
296273a7 CP |
2173 | ## Create, read, write, and delete files |
2174 | ## in a user home subdirectory. | |
fd89e19f CP |
2175 | ## </summary> |
2176 | ## <param name="domain"> | |
885b83ec | 2177 | ## <summary> |
725926c5 | 2178 | ## Domain allowed access. |
885b83ec | 2179 | ## </summary> |
fd89e19f CP |
2180 | ## </param> |
2181 | # | |
296273a7 CP |
2182 | interface(`userdom_manage_user_home_content_files',` |
2183 | gen_require(` | |
2184 | type user_home_dir_t, user_home_t; | |
2185 | ') | |
2186 | ||
2187 | manage_files_pattern($1, user_home_t, user_home_t) | |
2188 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2189 | files_search_home($1) | |
fd89e19f CP |
2190 | ') |
2191 | ||
799a0b43 CP |
2192 | ######################################## |
2193 | ## <summary> | |
296273a7 CP |
2194 | ## Do not audit attempts to create, read, write, and delete directories |
2195 | ## in a user home subdirectory. | |
799a0b43 CP |
2196 | ## </summary> |
2197 | ## <param name="domain"> | |
885b83ec | 2198 | ## <summary> |
a0546c9d | 2199 | ## Domain to not audit. |
885b83ec | 2200 | ## </summary> |
799a0b43 CP |
2201 | ## </param> |
2202 | # | |
296273a7 CP |
2203 | interface(`userdom_dontaudit_manage_user_home_content_dirs',` |
2204 | gen_require(` | |
2205 | type user_home_dir_t, user_home_t; | |
2206 | ') | |
2207 | ||
2208 | dontaudit $1 user_home_t:dir manage_dir_perms; | |
799a0b43 CP |
2209 | ') |
2210 | ||
44fc06b0 CP |
2211 | ######################################## |
2212 | ## <summary> | |
296273a7 CP |
2213 | ## Create, read, write, and delete symbolic links |
2214 | ## in a user home subdirectory. | |
44fc06b0 CP |
2215 | ## </summary> |
2216 | ## <param name="domain"> | |
885b83ec | 2217 | ## <summary> |
296273a7 | 2218 | ## Domain allowed access. |
885b83ec | 2219 | ## </summary> |
44fc06b0 CP |
2220 | ## </param> |
2221 | # | |
296273a7 CP |
2222 | interface(`userdom_manage_user_home_content_symlinks',` |
2223 | gen_require(` | |
2224 | type user_home_dir_t, user_home_t; | |
2225 | ') | |
2226 | ||
2227 | manage_lnk_files_pattern($1, user_home_t, user_home_t) | |
2228 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2229 | files_search_home($1) | |
44fc06b0 CP |
2230 | ') |
2231 | ||
4083191c CP |
2232 | ######################################## |
2233 | ## <summary> | |
2234 | ## Delete symbolic links in a user home directory. | |
2235 | ## </summary> | |
2236 | ## <param name="domain"> | |
2237 | ## <summary> | |
2238 | ## Domain allowed access. | |
2239 | ## </summary> | |
2240 | ## </param> | |
2241 | # | |
2242 | interface(`userdom_delete_user_home_content_symlinks',` | |
2243 | gen_require(` | |
2244 | type user_home_t; | |
2245 | ') | |
2246 | ||
2247 | allow $1 user_home_t:lnk_file delete_lnk_file_perms; | |
2248 | ') | |
2249 | ||
ae9e2716 CP |
2250 | ######################################## |
2251 | ## <summary> | |
296273a7 CP |
2252 | ## Create, read, write, and delete named pipes |
2253 | ## in a user home subdirectory. | |
ae9e2716 CP |
2254 | ## </summary> |
2255 | ## <param name="domain"> | |
885b83ec | 2256 | ## <summary> |
296273a7 | 2257 | ## Domain allowed access. |
885b83ec | 2258 | ## </summary> |
ae9e2716 CP |
2259 | ## </param> |
2260 | # | |
296273a7 CP |
2261 | interface(`userdom_manage_user_home_content_pipes',` |
2262 | gen_require(` | |
2263 | type user_home_dir_t, user_home_t; | |
2264 | ') | |
2265 | ||
2266 | manage_fifo_files_pattern($1, user_home_t, user_home_t) | |
2267 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2268 | files_search_home($1) | |
ae9e2716 CP |
2269 | ') |
2270 | ||
2271 | ######################################## | |
2272 | ## <summary> | |
296273a7 CP |
2273 | ## Create, read, write, and delete named sockets |
2274 | ## in a user home subdirectory. | |
ae9e2716 CP |
2275 | ## </summary> |
2276 | ## <param name="domain"> | |
885b83ec | 2277 | ## <summary> |
296273a7 | 2278 | ## Domain allowed access. |
885b83ec | 2279 | ## </summary> |
ae9e2716 CP |
2280 | ## </param> |
2281 | # | |
296273a7 CP |
2282 | interface(`userdom_manage_user_home_content_sockets',` |
2283 | gen_require(` | |
2284 | type user_home_dir_t, user_home_t; | |
2285 | ') | |
2286 | ||
2287 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2288 | manage_sock_files_pattern($1, user_home_t, user_home_t) | |
2289 | files_search_home($1) | |
ae9e2716 CP |
2290 | ') |
2291 | ||
725926c5 CP |
2292 | ######################################## |
2293 | ## <summary> | |
296273a7 CP |
2294 | ## Create objects in a user home directory |
2295 | ## with an automatic type transition to | |
2296 | ## a specified private type. | |
725926c5 CP |
2297 | ## </summary> |
2298 | ## <param name="domain"> | |
885b83ec | 2299 | ## <summary> |
725926c5 | 2300 | ## Domain allowed access. |
885b83ec | 2301 | ## </summary> |
725926c5 | 2302 | ## </param> |
296273a7 | 2303 | ## <param name="private_type"> |
885b83ec | 2304 | ## <summary> |
296273a7 | 2305 | ## The type of the object to create. |
885b83ec | 2306 | ## </summary> |
b11a75a5 | 2307 | ## </param> |
296273a7 | 2308 | ## <param name="object_class"> |
885b83ec | 2309 | ## <summary> |
296273a7 | 2310 | ## The class of the object to be created. |
885b83ec | 2311 | ## </summary> |
e1c41428 CP |
2312 | ## </param> |
2313 | # | |
296273a7 CP |
2314 | interface(`userdom_user_home_dir_filetrans',` |
2315 | gen_require(` | |
2316 | type user_home_dir_t; | |
2317 | ') | |
2318 | ||
2319 | filetrans_pattern($1, user_home_dir_t, $2, $3) | |
2320 | files_search_home($1) | |
e1c41428 CP |
2321 | ') |
2322 | ||
10b1f324 CP |
2323 | ######################################## |
2324 | ## <summary> | |
296273a7 CP |
2325 | ## Create objects in a user home directory |
2326 | ## with an automatic type transition to | |
2327 | ## a specified private type. | |
10b1f324 CP |
2328 | ## </summary> |
2329 | ## <param name="domain"> | |
885b83ec | 2330 | ## <summary> |
10b1f324 | 2331 | ## Domain allowed access. |
885b83ec | 2332 | ## </summary> |
10b1f324 | 2333 | ## </param> |
296273a7 | 2334 | ## <param name="private_type"> |
885b83ec | 2335 | ## <summary> |
296273a7 | 2336 | ## The type of the object to create. |
885b83ec | 2337 | ## </summary> |
ee9500ec CP |
2338 | ## </param> |
2339 | ## <param name="object_class"> | |
885b83ec | 2340 | ## <summary> |
10b1f324 | 2341 | ## The class of the object to be created. |
885b83ec | 2342 | ## </summary> |
10b1f324 CP |
2343 | ## </param> |
2344 | # | |
296273a7 CP |
2345 | interface(`userdom_user_home_content_filetrans',` |
2346 | gen_require(` | |
2347 | type user_home_dir_t, user_home_t; | |
2348 | ') | |
2349 | ||
2350 | filetrans_pattern($1, user_home_t, $2, $3) | |
2351 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2352 | files_search_home($1) | |
10b1f324 CP |
2353 | ') |
2354 | ||
2355 | ######################################## | |
2356 | ## <summary> | |
296273a7 CP |
2357 | ## Create objects in a user home directory |
2358 | ## with an automatic type transition to | |
2359 | ## the user home file type. | |
10b1f324 CP |
2360 | ## </summary> |
2361 | ## <param name="domain"> | |
885b83ec | 2362 | ## <summary> |
296273a7 CP |
2363 | ## Domain allowed access. |
2364 | ## </summary> | |
2365 | ## </param> | |
2366 | ## <param name="object_class"> | |
2367 | ## <summary> | |
2368 | ## The class of the object to be created. | |
885b83ec | 2369 | ## </summary> |
10b1f324 CP |
2370 | ## </param> |
2371 | # | |
296273a7 CP |
2372 | interface(`userdom_user_home_dir_filetrans_user_home_content',` |
2373 | gen_require(` | |
2374 | type user_home_dir_t, user_home_t; | |
2375 | ') | |
2376 | ||
2377 | filetrans_pattern($1, user_home_dir_t, user_home_t, $2) | |
2378 | files_search_home($1) | |
10b1f324 CP |
2379 | ') |
2380 | ||
fd89e19f CP |
2381 | ######################################## |
2382 | ## <summary> | |
ff8f0a63 | 2383 | ## Write to user temporary named sockets. |
fd89e19f CP |
2384 | ## </summary> |
2385 | ## <param name="domain"> | |
885b83ec | 2386 | ## <summary> |
ff8f0a63 | 2387 | ## Domain allowed access. |
885b83ec | 2388 | ## </summary> |
fd89e19f CP |
2389 | ## </param> |
2390 | # | |
296273a7 CP |
2391 | interface(`userdom_write_user_tmp_sockets',` |
2392 | gen_require(` | |
2393 | type user_tmp_t; | |
2394 | ') | |
2395 | ||
4cb24aed | 2396 | allow $1 user_tmp_t:sock_file write_sock_file_perms; |
296273a7 | 2397 | files_search_tmp($1) |
ed38ca9f | 2398 | ') |
fd89e19f | 2399 | |
ed38ca9f CP |
2400 | ######################################## |
2401 | ## <summary> | |
296273a7 | 2402 | ## List user temporary directories. |
ed38ca9f CP |
2403 | ## </summary> |
2404 | ## <param name="domain"> | |
2405 | ## <summary> | |
2406 | ## Domain allowed access. | |
2407 | ## </summary> | |
2408 | ## </param> | |
2409 | # | |
296273a7 CP |
2410 | interface(`userdom_list_user_tmp',` |
2411 | gen_require(` | |
2412 | type user_tmp_t; | |
2413 | ') | |
2414 | ||
2415 | allow $1 user_tmp_t:dir list_dir_perms; | |
2416 | files_search_tmp($1) | |
fd89e19f CP |
2417 | ') |
2418 | ||
1786478c CP |
2419 | ######################################## |
2420 | ## <summary> | |
296273a7 CP |
2421 | ## Do not audit attempts to list user |
2422 | ## temporary directories. | |
1786478c CP |
2423 | ## </summary> |
2424 | ## <param name="domain"> | |
2425 | ## <summary> | |
296273a7 | 2426 | ## Domain to not audit. |
1786478c CP |
2427 | ## </summary> |
2428 | ## </param> | |
2429 | # | |
296273a7 | 2430 | interface(`userdom_dontaudit_list_user_tmp',` |
1786478c | 2431 | gen_require(` |
296273a7 | 2432 | type user_tmp_t; |
1786478c CP |
2433 | ') |
2434 | ||
296273a7 | 2435 | dontaudit $1 user_tmp_t:dir list_dir_perms; |
1786478c CP |
2436 | ') |
2437 | ||
9778406f CP |
2438 | ######################################## |
2439 | ## <summary> | |
296273a7 CP |
2440 | ## Do not audit attempts to manage users |
2441 | ## temporary directories. | |
9778406f CP |
2442 | ## </summary> |
2443 | ## <param name="domain"> | |
885b83ec | 2444 | ## <summary> |
296273a7 | 2445 | ## Domain to not audit. |
885b83ec | 2446 | ## </summary> |
9778406f CP |
2447 | ## </param> |
2448 | # | |
296273a7 | 2449 | interface(`userdom_dontaudit_manage_user_tmp_dirs',` |
9778406f | 2450 | gen_require(` |
296273a7 | 2451 | type user_tmp_t; |
9778406f CP |
2452 | ') |
2453 | ||
296273a7 | 2454 | dontaudit $1 user_tmp_t:dir manage_dir_perms; |
9778406f CP |
2455 | ') |
2456 | ||
4bf4ed9e | 2457 | ######################################## |
ab940a4c | 2458 | ## <summary> |
296273a7 | 2459 | ## Read user temporary files. |
ab940a4c | 2460 | ## </summary> |
414e4151 | 2461 | ## <param name="domain"> |
885b83ec | 2462 | ## <summary> |
725926c5 | 2463 | ## Domain allowed access. |
885b83ec | 2464 | ## </summary> |
414e4151 | 2465 | ## </param> |
4bf4ed9e | 2466 | # |
296273a7 | 2467 | interface(`userdom_read_user_tmp_files',` |
0404a390 | 2468 | gen_require(` |
296273a7 | 2469 | type user_tmp_t; |
0404a390 | 2470 | ') |
0c73cd25 | 2471 | |
296273a7 CP |
2472 | read_files_pattern($1, user_tmp_t, user_tmp_t) |
2473 | allow $1 user_tmp_t:dir list_dir_perms; | |
2474 | files_search_tmp($1) | |
4bf4ed9e CP |
2475 | ') |
2476 | ||
ae9e2716 CP |
2477 | ######################################## |
2478 | ## <summary> | |
296273a7 CP |
2479 | ## Do not audit attempts to read users |
2480 | ## temporary files. | |
ae9e2716 CP |
2481 | ## </summary> |
2482 | ## <param name="domain"> | |
885b83ec | 2483 | ## <summary> |
ae9e2716 | 2484 | ## Domain to not audit. |
885b83ec | 2485 | ## </summary> |
ae9e2716 CP |
2486 | ## </param> |
2487 | # | |
296273a7 | 2488 | interface(`userdom_dontaudit_read_user_tmp_files',` |
ae9e2716 | 2489 | gen_require(` |
296273a7 | 2490 | type user_tmp_t; |
ae9e2716 CP |
2491 | ') |
2492 | ||
3eaa9939 | 2493 | dontaudit $1 user_tmp_t:file read_inherited_file_perms; |
ae9e2716 CP |
2494 | ') |
2495 | ||
daa0e0b0 | 2496 | ######################################## |
ab940a4c | 2497 | ## <summary> |
296273a7 CP |
2498 | ## Do not audit attempts to append users |
2499 | ## temporary files. | |
ab940a4c | 2500 | ## </summary> |
414e4151 | 2501 | ## <param name="domain"> |
885b83ec | 2502 | ## <summary> |
296273a7 | 2503 | ## Domain to not audit. |
885b83ec | 2504 | ## </summary> |
414e4151 | 2505 | ## </param> |
daa0e0b0 | 2506 | # |
296273a7 | 2507 | interface(`userdom_dontaudit_append_user_tmp_files',` |
0404a390 | 2508 | gen_require(` |
296273a7 | 2509 | type user_tmp_t; |
0404a390 | 2510 | ') |
0c73cd25 | 2511 | |
bf530f53 | 2512 | dontaudit $1 user_tmp_t:file append_file_perms; |
daa0e0b0 CP |
2513 | ') |
2514 | ||
fc6524d7 CP |
2515 | ######################################## |
2516 | ## <summary> | |
296273a7 | 2517 | ## Read and write user temporary files. |
fc6524d7 CP |
2518 | ## </summary> |
2519 | ## <param name="domain"> | |
885b83ec | 2520 | ## <summary> |
725926c5 | 2521 | ## Domain allowed access. |
885b83ec | 2522 | ## </summary> |
fc6524d7 CP |
2523 | ## </param> |
2524 | # | |
296273a7 | 2525 | interface(`userdom_rw_user_tmp_files',` |
fc6524d7 | 2526 | gen_require(` |
296273a7 | 2527 | type user_tmp_t; |
fc6524d7 CP |
2528 | ') |
2529 | ||
296273a7 CP |
2530 | allow $1 user_tmp_t:dir list_dir_perms; |
2531 | rw_files_pattern($1, user_tmp_t, user_tmp_t) | |
2532 | files_search_tmp($1) | |
fc6524d7 CP |
2533 | ') |
2534 | ||
2535 | ######################################## | |
2536 | ## <summary> | |
296273a7 CP |
2537 | ## Do not audit attempts to manage users |
2538 | ## temporary files. | |
fc6524d7 CP |
2539 | ## </summary> |
2540 | ## <param name="domain"> | |
885b83ec | 2541 | ## <summary> |
296273a7 | 2542 | ## Domain to not audit. |
885b83ec | 2543 | ## </summary> |
fc6524d7 CP |
2544 | ## </param> |
2545 | # | |
296273a7 | 2546 | interface(`userdom_dontaudit_manage_user_tmp_files',` |
fc6524d7 | 2547 | gen_require(` |
296273a7 | 2548 | type user_tmp_t; |
fc6524d7 CP |
2549 | ') |
2550 | ||
296273a7 | 2551 | dontaudit $1 user_tmp_t:file manage_file_perms; |
fc6524d7 CP |
2552 | ') |
2553 | ||
2554 | ######################################## | |
2555 | ## <summary> | |
296273a7 | 2556 | ## Read user temporary symbolic links. |
fc6524d7 CP |
2557 | ## </summary> |
2558 | ## <param name="domain"> | |
885b83ec | 2559 | ## <summary> |
725926c5 | 2560 | ## Domain allowed access. |
885b83ec | 2561 | ## </summary> |
fc6524d7 CP |
2562 | ## </param> |
2563 | # | |
296273a7 | 2564 | interface(`userdom_read_user_tmp_symlinks',` |
fc6524d7 | 2565 | gen_require(` |
296273a7 | 2566 | type user_tmp_t; |
fc6524d7 CP |
2567 | ') |
2568 | ||
296273a7 CP |
2569 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2570 | allow $1 user_tmp_t:dir list_dir_perms; | |
2571 | files_search_tmp($1) | |
fc6524d7 CP |
2572 | ') |
2573 | ||
784a3bbc CP |
2574 | ######################################## |
2575 | ## <summary> | |
296273a7 CP |
2576 | ## Create, read, write, and delete user |
2577 | ## temporary directories. | |
784a3bbc | 2578 | ## </summary> |
784a3bbc | 2579 | ## <param name="domain"> |
885b83ec | 2580 | ## <summary> |
725926c5 | 2581 | ## Domain allowed access. |
885b83ec | 2582 | ## </summary> |
784a3bbc CP |
2583 | ## </param> |
2584 | # | |
296273a7 | 2585 | interface(`userdom_manage_user_tmp_dirs',` |
784a3bbc | 2586 | gen_require(` |
296273a7 | 2587 | type user_tmp_t; |
784a3bbc CP |
2588 | ') |
2589 | ||
296273a7 CP |
2590 | manage_dirs_pattern($1, user_tmp_t, user_tmp_t) |
2591 | files_search_tmp($1) | |
784a3bbc CP |
2592 | ') |
2593 | ||
daa0e0b0 | 2594 | ######################################## |
ab940a4c | 2595 | ## <summary> |
296273a7 CP |
2596 | ## Create, read, write, and delete user |
2597 | ## temporary files. | |
ab940a4c CP |
2598 | ## </summary> |
2599 | ## <param name="domain"> | |
885b83ec | 2600 | ## <summary> |
725926c5 | 2601 | ## Domain allowed access. |
885b83ec | 2602 | ## </summary> |
ab940a4c CP |
2603 | ## </param> |
2604 | # | |
296273a7 | 2605 | interface(`userdom_manage_user_tmp_files',` |
ab940a4c | 2606 | gen_require(` |
296273a7 | 2607 | type user_tmp_t; |
ab940a4c CP |
2608 | ') |
2609 | ||
296273a7 CP |
2610 | manage_files_pattern($1, user_tmp_t, user_tmp_t) |
2611 | files_search_tmp($1) | |
ab940a4c CP |
2612 | ') |
2613 | ||
2614 | ######################################## | |
2615 | ## <summary> | |
296273a7 CP |
2616 | ## Create, read, write, and delete user |
2617 | ## temporary symbolic links. | |
ab940a4c | 2618 | ## </summary> |
414e4151 | 2619 | ## <param name="domain"> |
885b83ec | 2620 | ## <summary> |
725926c5 | 2621 | ## Domain allowed access. |
885b83ec | 2622 | ## </summary> |
414e4151 | 2623 | ## </param> |
490639cd | 2624 | # |
296273a7 | 2625 | interface(`userdom_manage_user_tmp_symlinks',` |
0404a390 | 2626 | gen_require(` |
296273a7 | 2627 | type user_tmp_t; |
0404a390 | 2628 | ') |
0c73cd25 | 2629 | |
296273a7 CP |
2630 | manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2631 | files_search_tmp($1) | |
490639cd CP |
2632 | ') |
2633 | ||
4bf4ed9e | 2634 | ######################################## |
ab940a4c | 2635 | ## <summary> |
296273a7 CP |
2636 | ## Create, read, write, and delete user |
2637 | ## temporary named pipes. | |
ab940a4c | 2638 | ## </summary> |
414e4151 | 2639 | ## <param name="domain"> |
885b83ec | 2640 | ## <summary> |
725926c5 | 2641 | ## Domain allowed access. |
885b83ec | 2642 | ## </summary> |
414e4151 | 2643 | ## </param> |
4bf4ed9e | 2644 | # |
296273a7 | 2645 | interface(`userdom_manage_user_tmp_pipes',` |
0404a390 | 2646 | gen_require(` |
296273a7 | 2647 | type user_tmp_t; |
0404a390 | 2648 | ') |
0c73cd25 | 2649 | |
296273a7 CP |
2650 | manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) |
2651 | files_search_tmp($1) | |
4bf4ed9e CP |
2652 | ') |
2653 | ||
0404a390 | 2654 | ######################################## |
ab940a4c | 2655 | ## <summary> |
296273a7 CP |
2656 | ## Create, read, write, and delete user |
2657 | ## temporary named sockets. | |
ab940a4c | 2658 | ## </summary> |
414e4151 | 2659 | ## <param name="domain"> |
885b83ec | 2660 | ## <summary> |
57a96cbd | 2661 | ## Domain allowed access. |
885b83ec | 2662 | ## </summary> |
414e4151 | 2663 | ## </param> |
0404a390 | 2664 | # |
296273a7 CP |
2665 | interface(`userdom_manage_user_tmp_sockets',` |
2666 | gen_require(` | |
2667 | type user_tmp_t; | |
2668 | ') | |
2669 | ||
2670 | manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) | |
2671 | files_search_tmp($1) | |
4bf4ed9e CP |
2672 | ') |
2673 | ||
4614e83f CP |
2674 | ######################################## |
2675 | ## <summary> | |
296273a7 CP |
2676 | ## Create objects in a user temporary directory |
2677 | ## with an automatic type transition to | |
2678 | ## a specified private type. | |
4614e83f CP |
2679 | ## </summary> |
2680 | ## <param name="domain"> | |
885b83ec | 2681 | ## <summary> |
4614e83f | 2682 | ## Domain allowed access. |
885b83ec | 2683 | ## </summary> |
4614e83f | 2684 | ## </param> |
296273a7 CP |
2685 | ## <param name="private_type"> |
2686 | ## <summary> | |
2687 | ## The type of the object to create. | |
2688 | ## </summary> | |
2689 | ## </param> | |
2690 | ## <param name="object_class"> | |
2691 | ## <summary> | |
2692 | ## The class of the object to be created. | |
2693 | ## </summary> | |
2694 | ## </param> | |
4614e83f | 2695 | # |
296273a7 CP |
2696 | interface(`userdom_user_tmp_filetrans',` |
2697 | gen_require(` | |
2698 | type user_tmp_t; | |
2699 | ') | |
2700 | ||
2701 | filetrans_pattern($1, user_tmp_t, $2, $3) | |
2702 | files_search_tmp($1) | |
4614e83f CP |
2703 | ') |
2704 | ||
daa0e0b0 | 2705 | ######################################## |
ab940a4c | 2706 | ## <summary> |
296273a7 CP |
2707 | ## Create objects in the temporary directory |
2708 | ## with an automatic type transition to | |
2709 | ## the user temporary type. | |
57a96cbd CP |
2710 | ## </summary> |
2711 | ## <param name="domain"> | |
885b83ec | 2712 | ## <summary> |
57a96cbd | 2713 | ## Domain allowed access. |
885b83ec | 2714 | ## </summary> |
57a96cbd | 2715 | ## </param> |
1c1ac67f | 2716 | ## <param name="object_class"> |
885b83ec | 2717 | ## <summary> |
57a96cbd | 2718 | ## The class of the object to be created. |
885b83ec | 2719 | ## </summary> |
57a96cbd CP |
2720 | ## </param> |
2721 | # | |
296273a7 CP |
2722 | interface(`userdom_tmp_filetrans_user_tmp',` |
2723 | gen_require(` | |
2724 | type user_tmp_t; | |
2725 | ') | |
2726 | ||
2727 | files_tmp_filetrans($1, user_tmp_t, $2) | |
57a96cbd CP |
2728 | ') |
2729 | ||
a9e9678f CP |
2730 | ######################################## |
2731 | ## <summary> | |
2732 | ## Read user tmpfs files. | |
2733 | ## </summary> | |
2734 | ## <param name="domain"> | |
2735 | ## <summary> | |
2736 | ## Domain allowed access. | |
2737 | ## </summary> | |
2738 | ## </param> | |
2739 | # | |
2740 | interface(`userdom_read_user_tmpfs_files',` | |
2741 | gen_require(` | |
2742 | type user_tmpfs_t; | |
2743 | ') | |
2744 | ||
2745 | read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3eaa9939 | 2746 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) |
a9e9678f CP |
2747 | allow $1 user_tmpfs_t:dir list_dir_perms; |
2748 | fs_search_tmpfs($1) | |
2749 | ') | |
2750 | ||
d4dca585 CP |
2751 | ######################################## |
2752 | ## <summary> | |
3eaa9939 | 2753 | ## Read/Write user tmpfs files. |
d4dca585 CP |
2754 | ## </summary> |
2755 | ## <param name="domain"> | |
885b83ec | 2756 | ## <summary> |
d4dca585 | 2757 | ## Domain allowed access. |
885b83ec | 2758 | ## </summary> |
d4dca585 CP |
2759 | ## </param> |
2760 | # | |
296273a7 CP |
2761 | interface(`userdom_rw_user_tmpfs_files',` |
2762 | gen_require(` | |
2763 | type user_tmpfs_t; | |
2764 | ') | |
2765 | ||
2766 | rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
2767 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
2768 | allow $1 user_tmpfs_t:dir list_dir_perms; | |
2769 | fs_search_tmpfs($1) | |
d4dca585 CP |
2770 | ') |
2771 | ||
d9845ae9 CP |
2772 | ######################################## |
2773 | ## <summary> | |
296273a7 | 2774 | ## Get the attributes of a user domain tty. |
d9845ae9 CP |
2775 | ## </summary> |
2776 | ## <param name="domain"> | |
2777 | ## <summary> | |
2778 | ## Domain allowed access. | |
2779 | ## </summary> | |
2780 | ## </param> | |
2781 | # | |
296273a7 CP |
2782 | interface(`userdom_getattr_user_ttys',` |
2783 | gen_require(` | |
2784 | type user_tty_device_t; | |
2785 | ') | |
2786 | ||
bf530f53 | 2787 | allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
d9845ae9 CP |
2788 | ') |
2789 | ||
57a96cbd CP |
2790 | ######################################## |
2791 | ## <summary> | |
296273a7 | 2792 | ## Do not audit attempts to get the attributes of a user domain tty. |
57a96cbd CP |
2793 | ## </summary> |
2794 | ## <param name="domain"> | |
885b83ec | 2795 | ## <summary> |
a0546c9d | 2796 | ## Domain to not audit. |
885b83ec | 2797 | ## </summary> |
57a96cbd CP |
2798 | ## </param> |
2799 | # | |
296273a7 CP |
2800 | interface(`userdom_dontaudit_getattr_user_ttys',` |
2801 | gen_require(` | |
2802 | type user_tty_device_t; | |
2803 | ') | |
2804 | ||
bf530f53 | 2805 | dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
57a96cbd CP |
2806 | ') |
2807 | ||
d6d16b97 CP |
2808 | ######################################## |
2809 | ## <summary> | |
296273a7 | 2810 | ## Set the attributes of a user domain tty. |
d6d16b97 CP |
2811 | ## </summary> |
2812 | ## <param name="domain"> | |
2813 | ## <summary> | |
2814 | ## Domain allowed access. | |
2815 | ## </summary> | |
2816 | ## </param> | |
2817 | # | |
296273a7 CP |
2818 | interface(`userdom_setattr_user_ttys',` |
2819 | gen_require(` | |
2820 | type user_tty_device_t; | |
2821 | ') | |
2822 | ||
bf530f53 | 2823 | allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
d6d16b97 CP |
2824 | ') |
2825 | ||
165b42d2 CP |
2826 | ######################################## |
2827 | ## <summary> | |
296273a7 | 2828 | ## Do not audit attempts to set the attributes of a user domain tty. |
165b42d2 CP |
2829 | ## </summary> |
2830 | ## <param name="domain"> | |
2831 | ## <summary> | |
a0546c9d | 2832 | ## Domain to not audit. |
165b42d2 CP |
2833 | ## </summary> |
2834 | ## </param> | |
2835 | # | |
296273a7 CP |
2836 | interface(`userdom_dontaudit_setattr_user_ttys',` |
2837 | gen_require(` | |
2838 | type user_tty_device_t; | |
2839 | ') | |
2840 | ||
bf530f53 | 2841 | dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
165b42d2 CP |
2842 | ') |
2843 | ||
d6d16b97 CP |
2844 | ######################################## |
2845 | ## <summary> | |
296273a7 | 2846 | ## Read and write a user domain tty. |
d6d16b97 CP |
2847 | ## </summary> |
2848 | ## <param name="domain"> | |
2849 | ## <summary> | |
2850 | ## Domain allowed access. | |
2851 | ## </summary> | |
2852 | ## </param> | |
2853 | # | |
296273a7 CP |
2854 | interface(`userdom_use_user_ttys',` |
2855 | gen_require(` | |
2856 | type user_tty_device_t; | |
2857 | ') | |
2858 | ||
2859 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
d6d16b97 CP |
2860 | ') |
2861 | ||
57a96cbd CP |
2862 | ######################################## |
2863 | ## <summary> | |
296273a7 | 2864 | ## Read and write a user domain pty. |
57a96cbd CP |
2865 | ## </summary> |
2866 | ## <param name="domain"> | |
885b83ec | 2867 | ## <summary> |
57a96cbd | 2868 | ## Domain allowed access. |
885b83ec | 2869 | ## </summary> |
57a96cbd CP |
2870 | ## </param> |
2871 | # | |
296273a7 CP |
2872 | interface(`userdom_use_user_ptys',` |
2873 | gen_require(` | |
2874 | type user_devpts_t; | |
2875 | ') | |
2876 | ||
2877 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
2878 | ') |
2879 | ||
d6d16b97 CP |
2880 | ######################################## |
2881 | ## <summary> | |
c46376e6 | 2882 | ## Read and write a user TTYs and PTYs. |
d6d16b97 | 2883 | ## </summary> |
c46376e6 CP |
2884 | ## <desc> |
2885 | ## <p> | |
2886 | ## Allow the specified domain to read and write user | |
2887 | ## TTYs and PTYs. This will allow the domain to | |
2888 | ## interact with the user via the terminal. Typically | |
2889 | ## all interactive applications will require this | |
2890 | ## access. | |
2891 | ## </p> | |
2892 | ## <p> | |
2893 | ## However, this also allows the applications to spy | |
2894 | ## on user sessions or inject information into the | |
2895 | ## user session. Thus, this access should likely | |
2896 | ## not be allowed for non-interactive domains. | |
2897 | ## </p> | |
2898 | ## </desc> | |
d6d16b97 CP |
2899 | ## <param name="domain"> |
2900 | ## <summary> | |
2901 | ## Domain allowed access. | |
2902 | ## </summary> | |
2903 | ## </param> | |
c46376e6 | 2904 | ## <infoflow type="both" weight="10"/> |
d6d16b97 | 2905 | # |
296273a7 CP |
2906 | interface(`userdom_use_user_terminals',` |
2907 | gen_require(` | |
2908 | type user_tty_device_t, user_devpts_t; | |
2909 | ') | |
2910 | ||
2911 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
2912 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
2913 | term_list_ptys($1) | |
d6d16b97 CP |
2914 | ') |
2915 | ||
57a96cbd CP |
2916 | ######################################## |
2917 | ## <summary> | |
296273a7 CP |
2918 | ## Do not audit attempts to read and write |
2919 | ## a user domain tty and pty. | |
57a96cbd CP |
2920 | ## </summary> |
2921 | ## <param name="domain"> | |
885b83ec | 2922 | ## <summary> |
a0546c9d | 2923 | ## Domain to not audit. |
885b83ec | 2924 | ## </summary> |
57a96cbd CP |
2925 | ## </param> |
2926 | # | |
296273a7 CP |
2927 | interface(`userdom_dontaudit_use_user_terminals',` |
2928 | gen_require(` | |
2929 | type user_tty_device_t, user_devpts_t; | |
2930 | ') | |
2931 | ||
2932 | dontaudit $1 user_tty_device_t:chr_file rw_term_perms; | |
2933 | dontaudit $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
2934 | ') |
2935 | ||
2936 | ######################################## | |
2937 | ## <summary> | |
296273a7 CP |
2938 | ## Execute a shell in all user domains. This |
2939 | ## is an explicit transition, requiring the | |
2940 | ## caller to use setexeccon(). | |
57a96cbd CP |
2941 | ## </summary> |
2942 | ## <param name="domain"> | |
885b83ec | 2943 | ## <summary> |
a0546c9d | 2944 | ## Domain allowed to transition. |
885b83ec | 2945 | ## </summary> |
57a96cbd CP |
2946 | ## </param> |
2947 | # | |
296273a7 CP |
2948 | interface(`userdom_spec_domtrans_all_users',` |
2949 | gen_require(` | |
2950 | attribute userdomain; | |
2951 | ') | |
2952 | ||
3f67f722 | 2953 | corecmd_shell_spec_domtrans($1, userdomain) |
296273a7 CP |
2954 | allow userdomain $1:fd use; |
2955 | allow userdomain $1:fifo_file rw_file_perms; | |
2956 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
2957 | ') |
2958 | ||
2959 | ######################################## | |
2960 | ## <summary> | |
296273a7 CP |
2961 | ## Execute an Xserver session in all unprivileged user domains. This |
2962 | ## is an explicit transition, requiring the | |
2963 | ## caller to use setexeccon(). | |
57a96cbd CP |
2964 | ## </summary> |
2965 | ## <param name="domain"> | |
885b83ec | 2966 | ## <summary> |
a0546c9d | 2967 | ## Domain allowed to transition. |
885b83ec | 2968 | ## </summary> |
57a96cbd CP |
2969 | ## </param> |
2970 | # | |
296273a7 CP |
2971 | interface(`userdom_xsession_spec_domtrans_all_users',` |
2972 | gen_require(` | |
2973 | attribute userdomain; | |
2974 | ') | |
2975 | ||
3f67f722 | 2976 | xserver_xsession_spec_domtrans($1, userdomain) |
296273a7 CP |
2977 | allow userdomain $1:fd use; |
2978 | allow userdomain $1:fifo_file rw_file_perms; | |
2979 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
2980 | ') |
2981 | ||
e08118a5 CP |
2982 | ######################################## |
2983 | ## <summary> | |
296273a7 CP |
2984 | ## Execute a shell in all unprivileged user domains. This |
2985 | ## is an explicit transition, requiring the | |
2986 | ## caller to use setexeccon(). | |
e08118a5 CP |
2987 | ## </summary> |
2988 | ## <param name="domain"> | |
885b83ec | 2989 | ## <summary> |
a0546c9d | 2990 | ## Domain allowed to transition. |
885b83ec | 2991 | ## </summary> |
e08118a5 CP |
2992 | ## </param> |
2993 | # | |
296273a7 | 2994 | interface(`userdom_spec_domtrans_unpriv_users',` |
e08118a5 | 2995 | gen_require(` |
296273a7 | 2996 | attribute unpriv_userdomain; |
e08118a5 CP |
2997 | ') |
2998 | ||
3f67f722 | 2999 | corecmd_shell_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3000 | allow unpriv_userdomain $1:fd use; |
3001 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3002 | allow unpriv_userdomain $1:process sigchld; | |
e08118a5 CP |
3003 | ') |
3004 | ||
d4dca585 CP |
3005 | ######################################## |
3006 | ## <summary> | |
296273a7 CP |
3007 | ## Execute an Xserver session in all unprivileged user domains. This |
3008 | ## is an explicit transition, requiring the | |
3009 | ## caller to use setexeccon(). | |
d4dca585 CP |
3010 | ## </summary> |
3011 | ## <param name="domain"> | |
885b83ec | 3012 | ## <summary> |
a0546c9d | 3013 | ## Domain allowed to transition. |
885b83ec | 3014 | ## </summary> |
d4dca585 CP |
3015 | ## </param> |
3016 | # | |
296273a7 | 3017 | interface(`userdom_xsession_spec_domtrans_unpriv_users',` |
d4dca585 | 3018 | gen_require(` |
296273a7 | 3019 | attribute unpriv_userdomain; |
d4dca585 CP |
3020 | ') |
3021 | ||
3f67f722 | 3022 | xserver_xsession_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3023 | allow unpriv_userdomain $1:fd use; |
3024 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3025 | allow unpriv_userdomain $1:process sigchld; | |
d4dca585 CP |
3026 | ') |
3027 | ||
6f8cda96 CP |
3028 | ######################################## |
3029 | ## <summary> | |
296273a7 | 3030 | ## Manage unpriviledged user SysV sempaphores. |
6f8cda96 CP |
3031 | ## </summary> |
3032 | ## <param name="domain"> | |
3033 | ## <summary> | |
3034 | ## Domain allowed access. | |
3035 | ## </summary> | |
3036 | ## </param> | |
3037 | # | |
296273a7 | 3038 | interface(`userdom_manage_unpriv_user_semaphores',` |
6f8cda96 | 3039 | gen_require(` |
296273a7 | 3040 | attribute unpriv_userdomain; |
6f8cda96 CP |
3041 | ') |
3042 | ||
296273a7 | 3043 | allow $1 unpriv_userdomain:sem create_sem_perms; |
6f8cda96 CP |
3044 | ') |
3045 | ||
3046 | ######################################## | |
3047 | ## <summary> | |
296273a7 CP |
3048 | ## Manage unpriviledged user SysV shared |
3049 | ## memory segments. | |
6f8cda96 CP |
3050 | ## </summary> |
3051 | ## <param name="domain"> | |
3052 | ## <summary> | |
3053 | ## Domain allowed access. | |
3054 | ## </summary> | |
3055 | ## </param> | |
3056 | # | |
296273a7 | 3057 | interface(`userdom_manage_unpriv_user_shared_mem',` |
6f8cda96 | 3058 | gen_require(` |
296273a7 | 3059 | attribute unpriv_userdomain; |
6f8cda96 CP |
3060 | ') |
3061 | ||
296273a7 | 3062 | allow $1 unpriv_userdomain:shm create_shm_perms; |
6f8cda96 CP |
3063 | ') |
3064 | ||
43989f82 CP |
3065 | ######################################## |
3066 | ## <summary> | |
296273a7 CP |
3067 | ## Execute bin_t in the unprivileged user domains. This |
3068 | ## is an explicit transition, requiring the | |
3069 | ## caller to use setexeccon(). | |
43989f82 CP |
3070 | ## </summary> |
3071 | ## <param name="domain"> | |
885b83ec | 3072 | ## <summary> |
a0546c9d | 3073 | ## Domain allowed to transition. |
885b83ec | 3074 | ## </summary> |
43989f82 CP |
3075 | ## </param> |
3076 | # | |
296273a7 | 3077 | interface(`userdom_bin_spec_domtrans_unpriv_users',` |
43989f82 | 3078 | gen_require(` |
296273a7 | 3079 | attribute unpriv_userdomain; |
43989f82 CP |
3080 | ') |
3081 | ||
3f67f722 | 3082 | corecmd_bin_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3083 | allow unpriv_userdomain $1:fd use; |
3084 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3085 | allow unpriv_userdomain $1:process sigchld; | |
725926c5 CP |
3086 | ') |
3087 | ||
6820a398 CP |
3088 | ######################################## |
3089 | ## <summary> | |
296273a7 CP |
3090 | ## Execute all entrypoint files in unprivileged user |
3091 | ## domains. This is an explicit transition, requiring the | |
3092 | ## caller to use setexeccon(). | |
6820a398 CP |
3093 | ## </summary> |
3094 | ## <param name="domain"> | |
885b83ec | 3095 | ## <summary> |
6820a398 | 3096 | ## Domain allowed access. |
885b83ec | 3097 | ## </summary> |
6820a398 CP |
3098 | ## </param> |
3099 | # | |
296273a7 | 3100 | interface(`userdom_entry_spec_domtrans_unpriv_users',` |
350b6ab7 | 3101 | gen_require(` |
296273a7 | 3102 | attribute unpriv_userdomain; |
6820a398 | 3103 | ') |
350b6ab7 | 3104 | |
3f67f722 | 3105 | domain_entry_file_spec_domtrans($1, unpriv_userdomain) |
296273a7 | 3106 | allow unpriv_userdomain $1:fd use; |
3eaa9939 | 3107 | allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; |
296273a7 | 3108 | allow unpriv_userdomain $1:process sigchld; |
6820a398 CP |
3109 | ') |
3110 | ||
1504ff3e CP |
3111 | ######################################## |
3112 | ## <summary> | |
296273a7 | 3113 | ## Search users home directories. |
1504ff3e CP |
3114 | ## </summary> |
3115 | ## <param name="domain"> | |
885b83ec | 3116 | ## <summary> |
296273a7 | 3117 | ## Domain allowed access. |
885b83ec | 3118 | ## </summary> |
1504ff3e CP |
3119 | ## </param> |
3120 | # | |
296273a7 | 3121 | interface(`userdom_search_user_home_content',` |
350b6ab7 | 3122 | gen_require(` |
3eaa9939 DW |
3123 | type user_home_dir_t; |
3124 | attribute user_home_type; | |
1504ff3e | 3125 | ') |
350b6ab7 | 3126 | |
296273a7 | 3127 | files_list_home($1) |
3eaa9939 DW |
3128 | allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; |
3129 | allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; | |
1504ff3e CP |
3130 | ') |
3131 | ||
f6abfdb8 CP |
3132 | ######################################## |
3133 | ## <summary> | |
296273a7 | 3134 | ## Send general signals to unprivileged user domains. |
f6abfdb8 CP |
3135 | ## </summary> |
3136 | ## <param name="domain"> | |
885b83ec | 3137 | ## <summary> |
f6abfdb8 | 3138 | ## Domain allowed access. |
885b83ec | 3139 | ## </summary> |
f6abfdb8 CP |
3140 | ## </param> |
3141 | # | |
296273a7 | 3142 | interface(`userdom_signal_unpriv_users',` |
f6abfdb8 | 3143 | gen_require(` |
296273a7 | 3144 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3145 | ') |
3146 | ||
296273a7 | 3147 | allow $1 unpriv_userdomain:process signal; |
f6abfdb8 CP |
3148 | ') |
3149 | ||
3150 | ######################################## | |
3151 | ## <summary> | |
296273a7 | 3152 | ## Inherit the file descriptors from unprivileged user domains. |
f6abfdb8 CP |
3153 | ## </summary> |
3154 | ## <param name="domain"> | |
885b83ec | 3155 | ## <summary> |
f6abfdb8 | 3156 | ## Domain allowed access. |
885b83ec | 3157 | ## </summary> |
f6abfdb8 CP |
3158 | ## </param> |
3159 | # | |
296273a7 | 3160 | interface(`userdom_use_unpriv_users_fds',` |
f6abfdb8 | 3161 | gen_require(` |
296273a7 | 3162 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3163 | ') |
3164 | ||
296273a7 | 3165 | allow $1 unpriv_userdomain:fd use; |
f6abfdb8 CP |
3166 | ') |
3167 | ||
725926c5 CP |
3168 | ######################################## |
3169 | ## <summary> | |
c46376e6 CP |
3170 | ## Do not audit attempts to inherit the file descriptors |
3171 | ## from unprivileged user domains. | |
725926c5 | 3172 | ## </summary> |
c46376e6 CP |
3173 | ## <desc> |
3174 | ## <p> | |
3175 | ## Do not audit attempts to inherit the file descriptors | |
3176 | ## from unprivileged user domains. This will supress | |
3177 | ## SELinux denial messages when the specified domain is denied | |
3178 | ## the permission to inherit these file descriptors. | |
3179 | ## </p> | |
3180 | ## </desc> | |
725926c5 | 3181 | ## <param name="domain"> |
885b83ec | 3182 | ## <summary> |
c46376e6 | 3183 | ## Domain to not audit. |
885b83ec | 3184 | ## </summary> |
725926c5 | 3185 | ## </param> |
c46376e6 | 3186 | ## <infoflow type="none"/> |
725926c5 | 3187 | # |
296273a7 | 3188 | interface(`userdom_dontaudit_use_unpriv_user_fds',` |
350b6ab7 | 3189 | gen_require(` |
296273a7 | 3190 | attribute unpriv_userdomain; |
725926c5 | 3191 | ') |
350b6ab7 | 3192 | |
296273a7 | 3193 | dontaudit $1 unpriv_userdomain:fd use; |
43989f82 CP |
3194 | ') |
3195 | ||
3196 | ######################################## | |
3197 | ## <summary> | |
296273a7 | 3198 | ## Do not audit attempts to use user ptys. |
43989f82 CP |
3199 | ## </summary> |
3200 | ## <param name="domain"> | |
885b83ec | 3201 | ## <summary> |
296273a7 | 3202 | ## Domain to not audit. |
885b83ec | 3203 | ## </summary> |
43989f82 CP |
3204 | ## </param> |
3205 | # | |
296273a7 | 3206 | interface(`userdom_dontaudit_use_user_ptys',` |
350b6ab7 | 3207 | gen_require(` |
296273a7 | 3208 | type user_devpts_t; |
725926c5 | 3209 | ') |
350b6ab7 | 3210 | |
f5b49a5e | 3211 | dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; |
43989f82 CP |
3212 | ') |
3213 | ||
3214 | ######################################## | |
3215 | ## <summary> | |
296273a7 | 3216 | ## Relabel files to unprivileged user pty types. |
43989f82 CP |
3217 | ## </summary> |
3218 | ## <param name="domain"> | |
885b83ec | 3219 | ## <summary> |
43989f82 | 3220 | ## Domain allowed access. |
885b83ec | 3221 | ## </summary> |
43989f82 CP |
3222 | ## </param> |
3223 | # | |
296273a7 | 3224 | interface(`userdom_relabelto_user_ptys',` |
350b6ab7 | 3225 | gen_require(` |
296273a7 | 3226 | type user_devpts_t; |
725926c5 | 3227 | ') |
350b6ab7 | 3228 | |
296273a7 | 3229 | allow $1 user_devpts_t:chr_file relabelto; |
43989f82 CP |
3230 | ') |
3231 | ||
57a96cbd CP |
3232 | ######################################## |
3233 | ## <summary> | |
296273a7 CP |
3234 | ## Do not audit attempts to relabel files from |
3235 | ## user pty types. | |
ab940a4c | 3236 | ## </summary> |
414e4151 | 3237 | ## <param name="domain"> |
885b83ec | 3238 | ## <summary> |
a0546c9d | 3239 | ## Domain to not audit. |
885b83ec | 3240 | ## </summary> |
414e4151 | 3241 | ## </param> |
daa0e0b0 | 3242 | # |
296273a7 | 3243 | interface(`userdom_dontaudit_relabelfrom_user_ptys',` |
0404a390 | 3244 | gen_require(` |
296273a7 | 3245 | type user_devpts_t; |
0404a390 | 3246 | ') |
0c73cd25 | 3247 | |
296273a7 | 3248 | dontaudit $1 user_devpts_t:chr_file relabelfrom; |
daa0e0b0 CP |
3249 | ') |
3250 | ||
693d4aed CP |
3251 | ######################################## |
3252 | ## <summary> | |
296273a7 | 3253 | ## Write all users files in /tmp |
693d4aed CP |
3254 | ## </summary> |
3255 | ## <param name="domain"> | |
3256 | ## <summary> | |
3257 | ## Domain allowed access. | |
3258 | ## </summary> | |
3259 | ## </param> | |
3260 | # | |
296273a7 | 3261 | interface(`userdom_write_user_tmp_files',` |
350b6ab7 | 3262 | gen_require(` |
296273a7 | 3263 | type user_tmp_t; |
693d4aed | 3264 | ') |
350b6ab7 | 3265 | |
3eaa9939 DW |
3266 | write_files_pattern($1, user_tmp_t, user_tmp_t) |
3267 | ') | |
3268 | ||
3269 | ######################################## | |
3270 | ## <summary> | |
3271 | ## Do not audit attempts to write users | |
3272 | ## temporary files. | |
3273 | ## </summary> | |
3274 | ## <param name="domain"> | |
3275 | ## <summary> | |
3276 | ## Domain to not audit. | |
3277 | ## </summary> | |
3278 | ## </param> | |
3279 | # | |
3280 | interface(`userdom_dontaudit_write_user_tmp_files',` | |
3281 | gen_require(` | |
3282 | type user_tmp_t; | |
3283 | ') | |
3284 | ||
3285 | dontaudit $1 user_tmp_t:file write; | |
3286 | ') | |
3287 | ||
3288 | ######################################## | |
3289 | ## <summary> | |
3290 | ## Do not audit attempts to read/write users | |
3291 | ## temporary fifo files. | |
3292 | ## </summary> | |
3293 | ## <param name="domain"> | |
3294 | ## <summary> | |
3295 | ## Domain to not audit. | |
3296 | ## </summary> | |
3297 | ## </param> | |
3298 | # | |
3299 | interface(`userdom_dontaudit_rw_user_tmp_pipes',` | |
3300 | gen_require(` | |
3301 | type user_tmp_t; | |
3302 | ') | |
3303 | ||
3304 | dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; | |
693d4aed CP |
3305 | ') |
3306 | ||
ebdc3b79 CP |
3307 | ######################################## |
3308 | ## <summary> | |
296273a7 | 3309 | ## Do not audit attempts to use user ttys. |
ebdc3b79 CP |
3310 | ## </summary> |
3311 | ## <param name="domain"> | |
885b83ec | 3312 | ## <summary> |
a0546c9d | 3313 | ## Domain to not audit. |
885b83ec | 3314 | ## </summary> |
ebdc3b79 CP |
3315 | ## </param> |
3316 | # | |
296273a7 | 3317 | interface(`userdom_dontaudit_use_user_ttys',` |
350b6ab7 | 3318 | gen_require(` |
296273a7 | 3319 | type user_tty_device_t; |
9cc2ccc4 | 3320 | ') |
350b6ab7 | 3321 | |
296273a7 | 3322 | dontaudit $1 user_tty_device_t:chr_file rw_file_perms; |
ebdc3b79 | 3323 | ') |
c98340cf | 3324 | |
2629c659 CP |
3325 | ######################################## |
3326 | ## <summary> | |
3327 | ## Read the process state of all user domains. | |
3328 | ## </summary> | |
3329 | ## <param name="domain"> | |
885b83ec | 3330 | ## <summary> |
2629c659 | 3331 | ## Domain allowed access. |
885b83ec | 3332 | ## </summary> |
2629c659 CP |
3333 | ## </param> |
3334 | # | |
1815bad1 | 3335 | interface(`userdom_read_all_users_state',` |
2629c659 CP |
3336 | gen_require(` |
3337 | attribute userdomain; | |
3338 | ') | |
3339 | ||
3f67f722 | 3340 | read_files_pattern($1, userdomain, userdomain) |
3eaa9939 | 3341 | read_lnk_files_pattern($1,userdomain,userdomain) |
2629c659 CP |
3342 | kernel_search_proc($1) |
3343 | ') | |
3344 | ||
3345 | ######################################## | |
3346 | ## <summary> | |
3347 | ## Get the attributes of all user domains. | |
3348 | ## </summary> | |
3349 | ## <param name="domain"> | |
885b83ec | 3350 | ## <summary> |
2629c659 | 3351 | ## Domain allowed access. |
885b83ec | 3352 | ## </summary> |
2629c659 CP |
3353 | ## </param> |
3354 | # | |
15722ec9 | 3355 | interface(`userdom_getattr_all_users',` |
2629c659 CP |
3356 | gen_require(` |
3357 | attribute userdomain; | |
3358 | ') | |
3359 | ||
3360 | allow $1 userdomain:process getattr; | |
3361 | ') | |
3362 | ||
57a96cbd CP |
3363 | ######################################## |
3364 | ## <summary> | |
3365 | ## Inherit the file descriptors from all user domains | |
3366 | ## </summary> | |
3367 | ## <param name="domain"> | |
885b83ec | 3368 | ## <summary> |
725926c5 | 3369 | ## Domain allowed access. |
885b83ec | 3370 | ## </summary> |
57a96cbd CP |
3371 | ## </param> |
3372 | # | |
15722ec9 | 3373 | interface(`userdom_use_all_users_fds',` |
57a96cbd CP |
3374 | gen_require(` |
3375 | attribute userdomain; | |
57a96cbd CP |
3376 | ') |
3377 | ||
3378 | allow $1 userdomain:fd use; | |
3379 | ') | |
3380 | ||
3381 | ######################################## | |
eb3cb682 CP |
3382 | ## <summary> |
3383 | ## Do not audit attempts to inherit the file | |
3384 | ## descriptors from any user domains. | |
3385 | ## </summary> | |
3386 | ## <param name="domain"> | |
885b83ec | 3387 | ## <summary> |
eb3cb682 | 3388 | ## Domain to not audit. |
885b83ec | 3389 | ## </summary> |
eb3cb682 CP |
3390 | ## </param> |
3391 | # | |
15722ec9 | 3392 | interface(`userdom_dontaudit_use_all_users_fds',` |
eb3cb682 CP |
3393 | gen_require(` |
3394 | attribute userdomain; | |
eb3cb682 CP |
3395 | ') |
3396 | ||
3397 | dontaudit $1 userdomain:fd use; | |
3398 | ') | |
3399 | ||
3400 | ######################################## | |
57a96cbd CP |
3401 | ## <summary> |
3402 | ## Send general signals to all user domains. | |
3403 | ## </summary> | |
3404 | ## <param name="domain"> | |
885b83ec | 3405 | ## <summary> |
725926c5 | 3406 | ## Domain allowed access. |
885b83ec | 3407 | ## </summary> |
57a96cbd CP |
3408 | ## </param> |
3409 | # | |
3410 | interface(`userdom_signal_all_users',` | |
3411 | gen_require(` | |
3412 | attribute userdomain; | |
57a96cbd CP |
3413 | ') |
3414 | ||
3415 | allow $1 userdomain:process signal; | |
3416 | ') | |
3417 | ||
246839f3 CP |
3418 | ######################################## |
3419 | ## <summary> | |
3420 | ## Send a SIGCHLD signal to all user domains. | |
3421 | ## </summary> | |
3422 | ## <param name="domain"> | |
885b83ec | 3423 | ## <summary> |
246839f3 | 3424 | ## Domain allowed access. |
885b83ec | 3425 | ## </summary> |
246839f3 CP |
3426 | ## </param> |
3427 | # | |
9fd4b818 | 3428 | interface(`userdom_sigchld_all_users',` |
246839f3 CP |
3429 | gen_require(` |
3430 | attribute userdomain; | |
246839f3 CP |
3431 | ') |
3432 | ||
a1fcff33 | 3433 | allow $1 userdomain:process sigchld; |
246839f3 CP |
3434 | ') |
3435 | ||
fe3a1eb8 CP |
3436 | ######################################## |
3437 | ## <summary> | |
3438 | ## Create keys for all user domains. | |
3439 | ## </summary> | |
3440 | ## <param name="domain"> | |
3441 | ## <summary> | |
3442 | ## Domain allowed access. | |
3443 | ## </summary> | |
3444 | ## </param> | |
3445 | # | |
3446 | interface(`userdom_create_all_users_keys',` | |
350b6ab7 CP |
3447 | gen_require(` |
3448 | attribute userdomain; | |
fe3a1eb8 | 3449 | ') |
350b6ab7 CP |
3450 | |
3451 | allow $1 userdomain:key create; | |
fe3a1eb8 CP |
3452 | ') |
3453 | ||
9fd4b818 CP |
3454 | ######################################## |
3455 | ## <summary> | |
3456 | ## Send a dbus message to all user domains. | |
3457 | ## </summary> | |
3458 | ## <param name="domain"> | |
885b83ec | 3459 | ## <summary> |
9fd4b818 | 3460 | ## Domain allowed access. |
885b83ec | 3461 | ## </summary> |
9fd4b818 CP |
3462 | ## </param> |
3463 | # | |
3464 | interface(`userdom_dbus_send_all_users',` | |
3465 | gen_require(` | |
3466 | attribute userdomain; | |
3467 | class dbus send_msg; | |
3468 | ') | |
3469 | ||
3470 | allow $1 userdomain:dbus send_msg; | |
3471 | ') | |
3eaa9939 DW |
3472 | |
3473 | ######################################## | |
3474 | ## <summary> | |
3475 | ## Allow apps to set rlimits on userdomain | |
3476 | ## </summary> | |
3477 | ## <param name="domain"> | |
3478 | ## <summary> | |
3479 | ## Domain allowed access. | |
3480 | ## </summary> | |
3481 | ## </param> | |
3482 | # | |
3483 | interface(`userdom_set_rlimitnh',` | |
3484 | gen_require(` | |
3485 | attribute userdomain; | |
3486 | ') | |
3487 | ||
3488 | allow $1 userdomain:process rlimitinh; | |
3489 | ') | |
3490 | ||
3491 | ######################################## | |
3492 | ## <summary> | |
3493 | ## Define this type as a Allow apps to set rlimits on userdomain | |
3494 | ## </summary> | |
3495 | ## <param name="domain"> | |
3496 | ## <summary> | |
3497 | ## Domain allowed access. | |
3498 | ## </summary> | |
3499 | ## </param> | |
3500 | ## <param name="userdomain_prefix"> | |
3501 | ## <summary> | |
3502 | ## The prefix of the user domain (e.g., user | |
3503 | ## is the prefix for user_t). | |
3504 | ## </summary> | |
3505 | ## </param> | |
3506 | ## <param name="domain"> | |
3507 | ## <summary> | |
3508 | ## Domain allowed access. | |
3509 | ## </summary> | |
3510 | ## </param> | |
3511 | # | |
3512 | template(`userdom_unpriv_usertype',` | |
3513 | gen_require(` | |
3514 | attribute unpriv_userdomain, userdomain; | |
3515 | attribute $1_usertype; | |
3516 | ') | |
3517 | typeattribute $2 $1_usertype; | |
3518 | typeattribute $2 unpriv_userdomain; | |
3519 | typeattribute $2 userdomain; | |
3520 | ||
3521 | ubac_constrained($2) | |
3522 | ') | |
3523 | ||
3524 | ######################################## | |
3525 | ## <summary> | |
3526 | ## Connect to users over an unix stream socket. | |
3527 | ## </summary> | |
3528 | ## <param name="domain"> | |
3529 | ## <summary> | |
3530 | ## Domain allowed access. | |
3531 | ## </summary> | |
3532 | ## </param> | |
3533 | # | |
3534 | interface(`userdom_stream_connect',` | |
3535 | gen_require(` | |
3536 | type user_tmp_t; | |
3537 | attribute userdomain; | |
3538 | ') | |
3539 | ||
3540 | stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) | |
3541 | ') | |
3542 | ||
3543 | ######################################## | |
3544 | ## <summary> | |
3545 | ## Ptrace user domains. | |
3546 | ## </summary> | |
3547 | ## <param name="domain"> | |
3548 | ## <summary> | |
3549 | ## Domain allowed access. | |
3550 | ## </summary> | |
3551 | ## </param> | |
3552 | # | |
3553 | interface(`userdom_ptrace_all_users',` | |
3554 | gen_require(` | |
3555 | attribute userdomain; | |
3556 | ') | |
3557 | ||
3558 | allow $1 userdomain:process ptrace; | |
3559 | ') | |
3560 | ||
3561 | ######################################## | |
3562 | ## <summary> | |
3563 | ## dontaudit Search /root | |
3564 | ## </summary> | |
3565 | ## <param name="domain"> | |
3566 | ## <summary> | |
3567 | ## Domain allowed access. | |
3568 | ## </summary> | |
3569 | ## </param> | |
3570 | # | |
3571 | interface(`userdom_dontaudit_search_admin_dir',` | |
3572 | gen_require(` | |
3573 | type admin_home_t; | |
3574 | ') | |
3575 | ||
3576 | dontaudit $1 admin_home_t:dir search_dir_perms; | |
3577 | ') | |
3578 | ||
3579 | ######################################## | |
3580 | ## <summary> | |
3581 | ## dontaudit list /root | |
3582 | ## </summary> | |
3583 | ## <param name="domain"> | |
3584 | ## <summary> | |
3585 | ## Domain allowed access. | |
3586 | ## </summary> | |
3587 | ## </param> | |
3588 | # | |
3589 | interface(`userdom_dontaudit_list_admin_dir',` | |
3590 | gen_require(` | |
3591 | type admin_home_t; | |
3592 | ') | |
3593 | ||
3594 | dontaudit $1 admin_home_t:dir list_dir_perms; | |
3595 | ') | |
3596 | ||
3597 | ######################################## | |
3598 | ## <summary> | |
3599 | ## Allow domain to list /root | |
3600 | ## </summary> | |
3601 | ## <param name="domain"> | |
3602 | ## <summary> | |
3603 | ## Domain allowed access. | |
3604 | ## </summary> | |
3605 | ## </param> | |
3606 | # | |
3607 | interface(`userdom_list_admin_dir',` | |
3608 | gen_require(` | |
3609 | type admin_home_t; | |
3610 | ') | |
3611 | ||
3612 | allow $1 admin_home_t:dir list_dir_perms; | |
3613 | ') | |
3614 | ||
3615 | ######################################## | |
3616 | ## <summary> | |
3617 | ## Allow Search /root | |
3618 | ## </summary> | |
3619 | ## <param name="domain"> | |
3620 | ## <summary> | |
3621 | ## Domain allowed access. | |
3622 | ## </summary> | |
3623 | ## </param> | |
3624 | # | |
3625 | interface(`userdom_search_admin_dir',` | |
3626 | gen_require(` | |
3627 | type admin_home_t; | |
3628 | ') | |
3629 | ||
3630 | allow $1 admin_home_t:dir search_dir_perms; | |
3631 | ') | |
3632 | ||
3633 | ######################################## | |
3634 | ## <summary> | |
3635 | ## RW unpriviledged user SysV sempaphores. | |
3636 | ## </summary> | |
3637 | ## <param name="domain"> | |
3638 | ## <summary> | |
3639 | ## Domain allowed access. | |
3640 | ## </summary> | |
3641 | ## </param> | |
3642 | # | |
3643 | interface(`userdom_rw_semaphores',` | |
3644 | gen_require(` | |
3645 | attribute unpriv_userdomain; | |
3646 | ') | |
3647 | ||
3648 | allow $1 unpriv_userdomain:sem rw_sem_perms; | |
3649 | ') | |
3650 | ||
3651 | ######################################## | |
3652 | ## <summary> | |
3653 | ## Send a message to unpriv users over a unix domain | |
3654 | ## datagram socket. | |
3655 | ## </summary> | |
3656 | ## <param name="domain"> | |
3657 | ## <summary> | |
3658 | ## Domain allowed access. | |
3659 | ## </summary> | |
3660 | ## </param> | |
3661 | # | |
3662 | interface(`userdom_dgram_send',` | |
3663 | gen_require(` | |
3664 | attribute unpriv_userdomain; | |
3665 | ') | |
3666 | ||
3667 | allow $1 unpriv_userdomain:unix_dgram_socket sendto; | |
3668 | ') | |
3669 | ||
3670 | ###################################### | |
3671 | ## <summary> | |
3672 | ## Send a message to users over a unix domain | |
3673 | ## datagram socket. | |
3674 | ## </summary> | |
3675 | ## <param name="domain"> | |
3676 | ## <summary> | |
3677 | ## Domain allowed access. | |
3678 | ## </summary> | |
3679 | ## </param> | |
3680 | # | |
3681 | interface(`userdom_users_dgram_send',` | |
3682 | gen_require(` | |
3683 | attribute userdomain; | |
3684 | ') | |
3685 | ||
3686 | allow $1 userdomain:unix_dgram_socket sendto; | |
3687 | ') | |
3688 | ||
3689 | ####################################### | |
3690 | ## <summary> | |
3691 | ## Allow execmod on files in homedirectory | |
3692 | ## </summary> | |
3693 | ## <param name="domain"> | |
3694 | ## <summary> | |
3695 | ## Domain allowed access. | |
3696 | ## </summary> | |
3697 | ## </param> | |
3698 | ## <rolebase/> | |
3699 | # | |
3700 | interface(`userdom_execmod_user_home_files',` | |
3701 | gen_require(` | |
3702 | type user_home_type; | |
3703 | ') | |
3704 | ||
3705 | allow $1 user_home_type:file execmod; | |
3706 | ') | |
3707 | ||
3708 | ######################################## | |
3709 | ## <summary> | |
3710 | ## Read admin home files. | |
3711 | ## </summary> | |
3712 | ## <param name="domain"> | |
3713 | ## <summary> | |
3714 | ## Domain allowed access. | |
3715 | ## </summary> | |
3716 | ## </param> | |
3717 | ## <rolecap/> | |
3718 | # | |
3719 | interface(`userdom_read_admin_home_files',` | |
3720 | gen_require(` | |
3721 | type admin_home_t; | |
3722 | ') | |
3723 | ||
3724 | read_files_pattern($1, admin_home_t, admin_home_t) | |
3725 | ') | |
3726 | ||
3727 | ######################################## | |
3728 | ## <summary> | |
3729 | ## Execute admin home files. | |
3730 | ## </summary> | |
3731 | ## <param name="domain"> | |
3732 | ## <summary> | |
3733 | ## Domain allowed access. | |
3734 | ## </summary> | |
3735 | ## </param> | |
3736 | ## <rolecap/> | |
3737 | # | |
3738 | interface(`userdom_exec_admin_home_files',` | |
3739 | gen_require(` | |
3740 | type admin_home_t; | |
3741 | ') | |
3742 | ||
3743 | exec_files_pattern($1, admin_home_t, admin_home_t) | |
3744 | ') | |
3745 | ||
3746 | ######################################## | |
3747 | ## <summary> | |
3748 | ## Append files inherited | |
3749 | ## in the /root directory. | |
3750 | ## </summary> | |
3751 | ## <param name="domain"> | |
3752 | ## <summary> | |
3753 | ## Domain allowed access. | |
3754 | ## </summary> | |
3755 | ## </param> | |
3756 | # | |
3757 | interface(`userdom_inherit_append_admin_home_files',` | |
3758 | gen_require(` | |
3759 | type admin_home_t; | |
3760 | ') | |
3761 | ||
3762 | allow $1 admin_home_t:file { getattr append }; | |
3763 | ') | |
3764 | ||
3765 | ||
3766 | ####################################### | |
3767 | ## <summary> | |
3768 | ## Manage all files/directories in the homedir | |
3769 | ## </summary> | |
3770 | ## <param name="userdomain"> | |
3771 | ## <summary> | |
3772 | ## The user domain | |
3773 | ## </summary> | |
3774 | ## </param> | |
3775 | ## <rolebase/> | |
3776 | # | |
3777 | interface(`userdom_manage_user_home_content',` | |
3778 | gen_require(` | |
3779 | type user_home_dir_t, user_home_t; | |
3780 | attribute user_home_type; | |
3781 | ') | |
3782 | ||
3783 | files_list_home($1) | |
3784 | manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3785 | manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3786 | manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3787 | manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3788 | manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3789 | filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) | |
3790 | ||
3791 | ') | |
3792 | ||
3793 | ||
3794 | ######################################## | |
3795 | ## <summary> | |
3796 | ## Create objects in a user home directory | |
3797 | ## with an automatic type transition to | |
3798 | ## the user home file type. | |
3799 | ## </summary> | |
3800 | ## <param name="domain"> | |
3801 | ## <summary> | |
3802 | ## Domain allowed access. | |
3803 | ## </summary> | |
3804 | ## </param> | |
3805 | ## <param name="object_class"> | |
3806 | ## <summary> | |
3807 | ## The class of the object to be created. | |
3808 | ## </summary> | |
3809 | ## </param> | |
3810 | # | |
3811 | interface(`userdom_user_home_dir_filetrans_pattern',` | |
3812 | gen_require(` | |
3813 | type user_home_dir_t, user_home_t; | |
3814 | ') | |
3815 | ||
3816 | type_transition $1 user_home_dir_t:$2 user_home_t; | |
3817 | ') | |
3818 | ||
3819 | ######################################## | |
3820 | ## <summary> | |
3821 | ## Create objects in the /root directory | |
3822 | ## with an automatic type transition to | |
3823 | ## a specified private type. | |
3824 | ## </summary> | |
3825 | ## <param name="domain"> | |
3826 | ## <summary> | |
3827 | ## Domain allowed access. | |
3828 | ## </summary> | |
3829 | ## </param> | |
3830 | ## <param name="private_type"> | |
3831 | ## <summary> | |
3832 | ## The type of the object to create. | |
3833 | ## </summary> | |
3834 | ## </param> | |
3835 | ## <param name="object_class"> | |
3836 | ## <summary> | |
3837 | ## The class of the object to be created. | |
3838 | ## </summary> | |
3839 | ## </param> | |
3840 | # | |
3841 | interface(`userdom_admin_home_dir_filetrans',` | |
3842 | gen_require(` | |
3843 | type admin_home_t; | |
3844 | ') | |
3845 | ||
3846 | filetrans_pattern($1, admin_home_t, $2, $3) | |
3847 | ') | |
3848 | ||
3849 | ######################################## | |
3850 | ## <summary> | |
3851 | ## Send signull to unprivileged user domains. | |
3852 | ## </summary> | |
3853 | ## <param name="domain"> | |
3854 | ## <summary> | |
3855 | ## Domain allowed access. | |
3856 | ## </summary> | |
3857 | ## </param> | |
3858 | # | |
3859 | interface(`userdom_signull_unpriv_users',` | |
3860 | gen_require(` | |
3861 | attribute unpriv_userdomain; | |
3862 | ') | |
3863 | ||
3864 | allow $1 unpriv_userdomain:process signull; | |
3865 | ') | |
3866 | ||
3867 | ######################################## | |
3868 | ## <summary> | |
3869 | ## Write all users files in /tmp | |
3870 | ## </summary> | |
3871 | ## <param name="domain"> | |
3872 | ## <summary> | |
3873 | ## Domain allowed access. | |
3874 | ## </summary> | |
3875 | ## </param> | |
3876 | # | |
3877 | interface(`userdom_write_user_tmp_dirs',` | |
3878 | gen_require(` | |
3879 | type user_tmp_t; | |
3880 | ') | |
3881 | ||
3882 | write_files_pattern($1, user_tmp_t, user_tmp_t) | |
3883 | ') | |
3884 | ||
3885 | ######################################## | |
3886 | ## <summary> | |
3887 | ## Manage keys for all user domains. | |
3888 | ## </summary> | |
3889 | ## <param name="domain"> | |
3890 | ## <summary> | |
3891 | ## Domain allowed access. | |
3892 | ## </summary> | |
3893 | ## </param> | |
3894 | # | |
3895 | interface(`userdom_manage_all_users_keys',` | |
3896 | gen_require(` | |
3897 | attribute userdomain; | |
3898 | ') | |
3899 | ||
3900 | allow $1 userdomain:key manage_key_perms; | |
3901 | ') | |
3902 | ||
3903 | ||
3904 | ######################################## | |
3905 | ## <summary> | |
3906 | ## Do not audit attempts to read and write | |
3907 | ## unserdomain stream. | |
3908 | ## </summary> | |
3909 | ## <param name="domain"> | |
3910 | ## <summary> | |
3911 | ## Domain to not audit. | |
3912 | ## </summary> | |
3913 | ## </param> | |
3914 | # | |
3915 | interface(`userdom_dontaudit_rw_stream',` | |
3916 | gen_require(` | |
3917 | attribute userdomain; | |
3918 | ') | |
3919 | ||
3920 | dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; | |
3921 | ') | |
3922 | ||
3923 | ######################################## | |
3924 | ## <summary> | |
3925 | ## Append files | |
3926 | ## in a user home subdirectory. | |
3927 | ## </summary> | |
3928 | ## <param name="domain"> | |
3929 | ## <summary> | |
3930 | ## Domain allowed access. | |
3931 | ## </summary> | |
3932 | ## </param> | |
3933 | # | |
3934 | interface(`userdom_append_user_home_content_files',` | |
3935 | gen_require(` | |
3936 | type user_home_dir_t, user_home_t; | |
3937 | ') | |
3938 | ||
3939 | append_files_pattern($1, user_home_t, user_home_t) | |
3940 | allow $1 user_home_dir_t:dir search_dir_perms; | |
3941 | files_search_home($1) | |
3942 | ') | |
3943 | ||
3944 | ######################################## | |
3945 | ## <summary> | |
3946 | ## Read files inherited | |
3947 | ## in a user home subdirectory. | |
3948 | ## </summary> | |
3949 | ## <param name="domain"> | |
3950 | ## <summary> | |
3951 | ## Domain allowed access. | |
3952 | ## </summary> | |
3953 | ## </param> | |
3954 | # | |
3955 | interface(`userdom_read_inherited_user_home_content_files',` | |
3956 | gen_require(` | |
3957 | attribute user_home_type; | |
3958 | ') | |
3959 | ||
3960 | allow $1 user_home_type:file { getattr read }; | |
3961 | ') | |
3962 | ||
3963 | ######################################## | |
3964 | ## <summary> | |
3965 | ## Append files inherited | |
3966 | ## in a user home subdirectory. | |
3967 | ## </summary> | |
3968 | ## <param name="domain"> | |
3969 | ## <summary> | |
3970 | ## Domain allowed access. | |
3971 | ## </summary> | |
3972 | ## </param> | |
3973 | # | |
3974 | interface(`userdom_inherit_append_user_home_content_files',` | |
3975 | gen_require(` | |
3976 | type user_home_t; | |
3977 | ') | |
3978 | ||
3979 | allow $1 user_home_t:file { getattr append }; | |
3980 | ') | |
3981 | ||
3982 | ######################################## | |
3983 | ## <summary> | |
3984 | ## Append files inherited | |
3985 | ## in a user tmp files. | |
3986 | ## </summary> | |
3987 | ## <param name="domain"> | |
3988 | ## <summary> | |
3989 | ## Domain allowed access. | |
3990 | ## </summary> | |
3991 | ## </param> | |
3992 | # | |
3993 | interface(`userdom_inherit_append_user_tmp_files',` | |
3994 | gen_require(` | |
3995 | type user_tmp_t; | |
3996 | ') | |
3997 | ||
3998 | allow $1 user_tmp_t:file { getattr append }; | |
3999 | ') | |
4000 | ||
4001 | ###################################### | |
4002 | ## <summary> | |
4003 | ## Read audio files in the users homedir. | |
4004 | ## </summary> | |
4005 | ## <param name="domain"> | |
4006 | ## <summary> | |
4007 | ## Domain allowed access. | |
4008 | ## </summary> | |
4009 | ## </param> | |
4010 | ## <rolecap/> | |
4011 | # | |
4012 | interface(`userdom_read_home_audio_files',` | |
4013 | gen_require(` | |
4014 | type audio_home_t; | |
4015 | ') | |
4016 | ||
4017 | userdom_search_user_home_dirs($1) | |
4018 | allow $1 audio_home_t:dir list_dir_perms; | |
4019 | read_files_pattern($1, audio_home_t, audio_home_t) | |
4020 | read_lnk_files_pattern($1, audio_home_t, audio_home_t) | |
4021 | ') | |
4022 | ||
4023 | ######################################## | |
4024 | ## <summary> | |
4025 | ## Read system SSL certificates in the users homedir. | |
4026 | ## </summary> | |
4027 | ## <param name="domain"> | |
4028 | ## <summary> | |
4029 | ## Domain allowed access. | |
4030 | ## </summary> | |
4031 | ## </param> | |
4032 | ## <rolecap/> | |
4033 | # | |
4034 | interface(`userdom_read_home_certs',` | |
4035 | gen_require(` | |
4036 | type home_cert_t; | |
4037 | ') | |
4038 | ||
4039 | userdom_search_user_home_dirs($1) | |
4040 | allow $1 home_cert_t:dir list_dir_perms; | |
4041 | read_files_pattern($1, home_cert_t, home_cert_t) | |
4042 | read_lnk_files_pattern($1, home_cert_t, home_cert_t) | |
4043 | ') | |
4044 | ||
4045 | ######################################## | |
4046 | ## <summary> | |
4047 | ## dontaudit Search getatrr /root files | |
4048 | ## </summary> | |
4049 | ## <param name="domain"> | |
4050 | ## <summary> | |
4051 | ## Domain allowed access. | |
4052 | ## </summary> | |
4053 | ## </param> | |
4054 | # | |
4055 | interface(`userdom_dontaudit_getattr_admin_home_files',` | |
4056 | gen_require(` | |
4057 | type admin_home_t; | |
4058 | ') | |
4059 | ||
4060 | dontaudit $1 admin_home_t:file getattr; | |
4061 | ') | |
4062 | ||
4063 | ######################################## | |
4064 | ## <summary> | |
4065 | ## dontaudit read /root lnk files | |
4066 | ## </summary> | |
4067 | ## <param name="domain"> | |
4068 | ## <summary> | |
4069 | ## Domain allowed access. | |
4070 | ## </summary> | |
4071 | ## </param> | |
4072 | # | |
4073 | interface(`userdom_dontaudit_read_admin_home_lnk_files',` | |
4074 | gen_require(` | |
4075 | type admin_home_t; | |
4076 | ') | |
4077 | ||
4078 | dontaudit $1 admin_home_t:lnk_file read; | |
4079 | ') | |
4080 | ||
4081 | ######################################## | |
4082 | ## <summary> | |
4083 | ## dontaudit read /root files | |
4084 | ## </summary> | |
4085 | ## <param name="domain"> | |
4086 | ## <summary> | |
4087 | ## Domain allowed access. | |
4088 | ## </summary> | |
4089 | ## </param> | |
4090 | # | |
4091 | interface(`userdom_dontaudit_read_admin_home_files',` | |
4092 | gen_require(` | |
4093 | type admin_home_t; | |
4094 | ') | |
4095 | ||
4096 | dontaudit $1 admin_home_t:file read_file_perms; | |
4097 | ') | |
4098 | ||
4099 | ######################################## | |
4100 | ## <summary> | |
4101 | ## Create, read, write, and delete user | |
4102 | ## temporary chr files. | |
4103 | ## </summary> | |
4104 | ## <param name="domain"> | |
4105 | ## <summary> | |
4106 | ## Domain allowed access. | |
4107 | ## </summary> | |
4108 | ## </param> | |
4109 | # | |
4110 | interface(`userdom_manage_user_tmp_chr_files',` | |
4111 | gen_require(` | |
4112 | type user_tmp_t; | |
4113 | ') | |
4114 | ||
4115 | manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) | |
4116 | files_search_tmp($1) | |
4117 | ') | |
4118 | ||
4119 | ######################################## | |
4120 | ## <summary> | |
4121 | ## Create, read, write, and delete user | |
4122 | ## temporary blk files. | |
4123 | ## </summary> | |
4124 | ## <param name="domain"> | |
4125 | ## <summary> | |
4126 | ## Domain allowed access. | |
4127 | ## </summary> | |
4128 | ## </param> | |
4129 | # | |
4130 | interface(`userdom_manage_user_tmp_blk_files',` | |
4131 | gen_require(` | |
4132 | type user_tmp_t; | |
4133 | ') | |
4134 | ||
4135 | manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4136 | files_search_tmp($1) | |
4137 | ') | |
4138 | ||
4139 | ######################################## | |
4140 | ## <summary> | |
4141 | ## Dontaudit attempt to set attributes on user temporary directories. | |
4142 | ## </summary> | |
4143 | ## <param name="domain"> | |
4144 | ## <summary> | |
4145 | ## Domain allowed access. | |
4146 | ## </summary> | |
4147 | ## </param> | |
4148 | # | |
4149 | interface(`userdom_dontaudit_setattr_user_tmp',` | |
4150 | gen_require(` | |
4151 | type user_tmp_t; | |
4152 | ') | |
4153 | ||
4154 | dontaudit $1 user_tmp_t:dir setattr; | |
4155 | ') | |
4156 | ||
4157 | ######################################## | |
4158 | ## <summary> | |
4159 | ## Write all inherited users files in /tmp | |
4160 | ## </summary> | |
4161 | ## <param name="domain"> | |
4162 | ## <summary> | |
4163 | ## Domain allowed access. | |
4164 | ## </summary> | |
4165 | ## </param> | |
4166 | # | |
4167 | interface(`userdom_write_inherited_user_tmp_files',` | |
4168 | gen_require(` | |
4169 | type user_tmp_t; | |
4170 | ') | |
4171 | ||
4172 | allow $1 user_tmp_t:file write; | |
4173 | ') | |
4174 | ||
4175 | ######################################## | |
4176 | ## <summary> | |
4177 | ## Delete all users files in /tmp | |
4178 | ## </summary> | |
4179 | ## <param name="domain"> | |
4180 | ## <summary> | |
4181 | ## Domain allowed access. | |
4182 | ## </summary> | |
4183 | ## </param> | |
4184 | # | |
4185 | interface(`userdom_delete_user_tmp_files',` | |
4186 | gen_require(` | |
4187 | type user_tmp_t; | |
4188 | ') | |
4189 | ||
4190 | allow $1 user_tmp_t:file delete_file_perms; | |
4191 | ') | |
4192 | ||
4193 | ######################################## | |
4194 | ## <summary> | |
4195 | ## Delete user tmpfs files. | |
4196 | ## </summary> | |
4197 | ## <param name="domain"> | |
4198 | ## <summary> | |
4199 | ## Domain allowed access. | |
4200 | ## </summary> | |
4201 | ## </param> | |
4202 | # | |
4203 | interface(`userdom_delete_user_tmpfs_files',` | |
4204 | gen_require(` | |
4205 | type user_tmpfs_t; | |
4206 | ') | |
4207 | ||
4208 | allow $1 user_tmpfs_t:file delete_file_perms; | |
4209 | ') | |
4210 | ||
4211 | ######################################## | |
4212 | ## <summary> | |
4213 | ## Read/Write unpriviledged user SysV shared | |
4214 | ## memory segments. | |
4215 | ## </summary> | |
4216 | ## <param name="domain"> | |
4217 | ## <summary> | |
4218 | ## Domain allowed access. | |
4219 | ## </summary> | |
4220 | ## </param> | |
4221 | # | |
4222 | interface(`userdom_rw_unpriv_user_shared_mem',` | |
4223 | gen_require(` | |
4224 | attribute unpriv_userdomain; | |
4225 | ') | |
4226 | ||
4227 | allow $1 unpriv_userdomain:shm rw_shm_perms; | |
4228 | ') | |
4229 | ||
4230 | ######################################## | |
4231 | ## <summary> | |
4232 | ## Do not audit attempts to search user | |
4233 | ## temporary directories. | |
4234 | ## </summary> | |
4235 | ## <param name="domain"> | |
4236 | ## <summary> | |
4237 | ## Domain to not audit. | |
4238 | ## </summary> | |
4239 | ## </param> | |
4240 | # | |
4241 | interface(`userdom_dontaudit_search_user_tmp',` | |
4242 | gen_require(` | |
4243 | type user_tmp_t; | |
4244 | ') | |
4245 | ||
4246 | dontaudit $1 user_tmp_t:dir search_dir_perms; | |
4247 | ') | |
4248 | ||
4249 | ######################################## | |
4250 | ## <summary> | |
4251 | ## Execute a file in a user home directory | |
4252 | ## in the specified domain. | |
4253 | ## </summary> | |
4254 | ## <desc> | |
4255 | ## <p> | |
4256 | ## Execute a file in a user home directory | |
4257 | ## in the specified domain. | |
4258 | ## </p> | |
4259 | ## <p> | |
4260 | ## No interprocess communication (signals, pipes, | |
4261 | ## etc.) is provided by this interface since | |
4262 | ## the domains are not owned by this module. | |
4263 | ## </p> | |
4264 | ## </desc> | |
4265 | ## <param name="domain"> | |
4266 | ## <summary> | |
4267 | ## Domain allowed access. | |
4268 | ## </summary> | |
4269 | ## </param> | |
4270 | ## <param name="target_domain"> | |
4271 | ## <summary> | |
4272 | ## The type of the new process. | |
4273 | ## </summary> | |
4274 | ## </param> | |
4275 | # | |
4276 | interface(`userdom_domtrans_user_home',` | |
4277 | gen_require(` | |
4278 | type user_home_t; | |
4279 | ') | |
4280 | ||
4281 | read_lnk_files_pattern($1, user_home_t, user_home_t) | |
4282 | domain_transition_pattern($1, user_home_t, $2) | |
4283 | type_transition $1 user_home_t:process $2; | |
4284 | ') | |
4285 | ||
4286 | ######################################## | |
4287 | ## <summary> | |
4288 | ## Execute a file in a user tmp directory | |
4289 | ## in the specified domain. | |
4290 | ## </summary> | |
4291 | ## <desc> | |
4292 | ## <p> | |
4293 | ## Execute a file in a user tmp directory | |
4294 | ## in the specified domain. | |
4295 | ## </p> | |
4296 | ## <p> | |
4297 | ## No interprocess communication (signals, pipes, | |
4298 | ## etc.) is provided by this interface since | |
4299 | ## the domains are not owned by this module. | |
4300 | ## </p> | |
4301 | ## </desc> | |
4302 | ## <param name="domain"> | |
4303 | ## <summary> | |
4304 | ## Domain allowed access. | |
4305 | ## </summary> | |
4306 | ## </param> | |
4307 | ## <param name="target_domain"> | |
4308 | ## <summary> | |
4309 | ## The type of the new process. | |
4310 | ## </summary> | |
4311 | ## </param> | |
4312 | # | |
4313 | interface(`userdom_domtrans_user_tmp',` | |
4314 | gen_require(` | |
4315 | type user_tmp_t; | |
4316 | ') | |
4317 | ||
4318 | files_search_tmp($1) | |
4319 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4320 | domain_transition_pattern($1, user_tmp_t, $2) | |
4321 | type_transition $1 user_tmp_t:process $2; | |
4322 | ') |