490639cd | 1 | ## <summary>Policy for user domains</summary> |
b16c6b8c | 2 | |
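#######################################
## <summary>
##	The template containing the most basic rules common to all users.
## </summary>
## <desc>
##	<p>
##	The template containing the most basic rules common to all users.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty and pty.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_base_user_template',`

	gen_require(`
		attribute userdomain;
		type user_devpts_t, user_tty_device_t;
		class context contains;
	')

	# Per-user attributes: $1_file_type collects this user's file types,
	# $1_usertype collects every domain that acts on behalf of this user.
	attribute $1_file_type;
	attribute $1_usertype;

	# $1_t is itself a member of $1_usertype, so every rule granted to
	# $1_usertype in this template also applies to $1_t.
	type $1_t, userdomain, $1_usertype;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)
	ubac_constrained($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	term_user_pty($1_t, user_devpts_t)

	term_user_tty($1_t, user_tty_device_t)
	term_dontaudit_getattr_generic_ptys($1_t)

	# Intra-user trust boundary: any domain carrying $1_usertype may
	# ptrace, signal and share resources with any other $1_usertype
	# domain, so these domains are not isolated from one another.
	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
	allow $1_usertype $1_usertype:fd use;
	allow $1_usertype $1_t:key { create view read write search link setattr };

	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
	allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_usertype $1_usertype:shm create_shm_perms;
	allow $1_usertype $1_usertype:sem create_sem_perms;
	allow $1_usertype $1_usertype:msgq create_msgq_perms;
	allow $1_usertype $1_usertype:msg { send receive };
	allow $1_usertype $1_usertype:context contains;
	dontaudit $1_usertype $1_usertype:socket create;

	allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
	term_create_pty($1_usertype, user_devpts_t)
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_devpts_t:chr_file ioctl;

	allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_tty_device_t:chr_file ioctl;

	application_exec_all($1_usertype)

	# Sysctl read access is granted broadly here.  The kernel_dontaudit_*
	# calls that follow only silence denials; they grant nothing.
	kernel_read_kernel_sysctls($1_usertype)
	kernel_read_all_sysctls($1_usertype)
	kernel_dontaudit_list_unlabeled($1_usertype)
	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
	kernel_dontaudit_list_proc($1_usertype)

	dev_dontaudit_getattr_all_blk_files($1_usertype)
	dev_dontaudit_getattr_all_chr_files($1_usertype)
	dev_getattr_mtrr_dev($1_t)

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_usertype)
	domain_dontaudit_getattr_all_domains($1_usertype)
	domain_dontaudit_getsession_all_domains($1_usertype)
	dev_dontaudit_all_access_check($1_usertype)

	files_read_etc_files($1_usertype)
	files_list_mnt($1_usertype)
	files_read_mnt_files($1_usertype)
	files_dontaudit_access_check_mnt($1_usertype)
	files_read_etc_runtime_files($1_usertype)
	files_read_usr_files($1_usertype)
	files_read_usr_src_files($1_usertype)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_usertype)
	files_read_world_readable_files($1_usertype)
	files_read_world_readable_symlinks($1_usertype)
	files_read_world_readable_pipes($1_usertype)
	files_read_world_readable_sockets($1_usertype)
	# old browser_domain():
	files_dontaudit_getattr_all_dirs($1_usertype)
	files_dontaudit_list_non_security($1_usertype)
	files_dontaudit_getattr_all_files($1_usertype)
	files_dontaudit_getattr_non_security_symlinks($1_usertype)
	files_dontaudit_getattr_non_security_pipes($1_usertype)
	files_dontaudit_getattr_non_security_sockets($1_usertype)
	files_dontaudit_setattr_etc_runtime_files($1_usertype)

	files_exec_usr_files($1_t)

	# Called unconditionally; a second copy of this call wrapped in
	# optional_policy() further down was redundant and has been removed.
	fs_list_cgroup_dirs($1_usertype)
	fs_dontaudit_rw_cgroup_files($1_usertype)

	storage_rw_fuse($1_usertype)

	auth_use_nsswitch($1_usertype)

	init_stream_connect($1_usertype)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_rw_utmp($1_usertype)

	libs_exec_ld_so($1_usertype)

	# Rules for $1_t only.  miscfiles_read_localization() is granted on
	# $1_usertype below, which already covers $1_t, so it is not repeated here.
	miscfiles_read_generic_certs($1_t)

	miscfiles_read_all_certs($1_usertype)
	miscfiles_read_localization($1_usertype)
	miscfiles_read_man_pages($1_usertype)
	miscfiles_read_public_files($1_usertype)

	# Both tunables relax the no-exec-memory restriction for $1_t only
	# (self:process), not for the whole $1_usertype attribute.
	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		allow $1_t self:process execstack;
	')

	optional_policy(`
		ssh_rw_stream_sockets($1_usertype)
		ssh_delete_tmp($1_t)
		ssh_signal($1_t)
	')
')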
163 | ||
#######################################
## <summary>
##	Allow a home directory for which the
##	role has read-only access.
## </summary>
## <desc>
##	<p>
##	Allow a home directory for which the
##	role has read-only access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_ro_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	role $1 types { user_home_t user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# read-only home directory
	allow $2 user_home_dir_t:dir list_dir_perms;
	allow $2 user_home_t:dir list_dir_perms;
	# entrypoint is the one non-read permission here: it lets a
	# user_home_t file serve as the entry point of a domain transition
	# into $2.  "Read-only" therefore does not mean "no execution path".
	allow $2 user_home_t:file entrypoint;
	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	files_list_home($2)

')
215 | ||
#######################################
## <summary>
##	Allow a home directory for which the
##	role has full access.
## </summary>
## <desc>
##	<p>
##	Allow a home directory for which the
##	role has full access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
		attribute user_home_type;
	')

	role $1 types { user_home_type user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# full control of the home directory
	allow $2 user_home_t:dir mounton;
	# entrypoint: a user_home_t file may serve as the entry point of a
	# domain transition into $2.
	allow $2 user_home_t:file entrypoint;

	# relabelto/relabelfrom is granted across the whole user_home_type
	# attribute, so $2 can move content between any of the user's home
	# types; it cannot relabel to types outside that attribute.
	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	# New objects $2 creates directly in the home dir default to user_home_t.
	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
	files_list_home($2)

	# cjp: this should probably be removed:
	# (grants manage and relabel on the home directory itself, not only
	# on its contents as the patterns above do)
	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

	# Network home directories are opt-in via tunables.  Note that both
	# blocks also grant mount/mounton on the filesystem, not just file
	# management within it.
	tunable_policy(`use_nfs_home_dirs',`
		fs_mount_nfs($2)
		fs_mounton_nfs($2)
		fs_manage_nfs_dirs($2)
		fs_manage_nfs_files($2)
		fs_manage_nfs_symlinks($2)
		fs_manage_nfs_named_sockets($2)
		fs_manage_nfs_named_pipes($2)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_mount_cifs($2)
		fs_mounton_cifs($2)
		fs_manage_cifs_dirs($2)
		fs_manage_cifs_files($2)
		fs_manage_cifs_symlinks($2)
		fs_manage_cifs_named_sockets($2)
		fs_manage_cifs_named_pipes($2)
	')
')
299 | ||
#######################################
## <summary>
##	Manage user temporary files
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_tmp_role',`
	gen_require(`
		type user_tmp_t;
	')

	role $1 types user_tmp_t;

	# presumably registers user_tmp_t as this user's polyinstantiated
	# /tmp member type -- confirm against the files module
	files_poly_member_tmp($2, user_tmp_t)

	manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
	manage_files_pattern($2, user_tmp_t, user_tmp_t)
	manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
	# Objects $2 creates in /tmp are labeled user_tmp_t.
	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
	# Relabel is granted for files only; there is no relabel_dirs_pattern here.
	relabel_files_pattern($2, user_tmp_t, user_tmp_t)
')
333 | ||
#######################################
## <summary>
##	Dontaudit search of user bin dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_bin_dirs',`
	gen_require(`
		type home_bin_t;
	')

	# Silences the denial only; no access to home_bin_t is granted.
	dontaudit $1 home_bin_t:dir search_dir_perms;
')
351 | ||
#######################################
## <summary>
##	Execute user bin files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_exec_user_bin_files',`
	gen_require(`
		attribute user_home_type;
		type home_bin_t, user_home_dir_t;
	')

	# Execution stays in $1's own domain (no domain transition); the
	# search path to home_bin_t may cross the home dir and any
	# user_home_type directory.
	exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
	files_search_home($1)
')
371 | ||
#######################################
## <summary>
##	Execute user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_exec_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Lets $1 run any file labeled user_tmp_t.  Since /tmp content is
	# user-writable, callers gate this behind a tunable
	# (userdom_login_user_template uses allow_$1_exec_content).
	exec_files_pattern($1, user_tmp_t, user_tmp_t)
	dontaudit $1 user_tmp_t:sock_file execute;
	files_search_tmp($1)
')
392 | ||
#######################################
## <summary>
##	Role access for the user tmpfs type
##	to which the user has full access.
## </summary>
## <desc>
##	<p>
##	Role access for the user tmpfs type
##	to which the user has full access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_manage_tmpfs_role',`
	gen_require(`
		type user_tmpfs_t;
	')

	role $1 types user_tmpfs_t;

	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	# Objects $2 creates on tmpfs are labeled user_tmpfs_t.
	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
')
433 | ||
#######################################
## <summary>
##	The interface allowing the user basic
##	network permissions
## </summary>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_basic_networking',`

	allow $1 self:tcp_socket create_stream_socket_perms;
	allow $1 self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_node($1)
	# "all_ports" means no port-type restriction: TCP connect and
	# TCP/UDP send/receive are permitted to every port type.  Binding
	# is not granted by this interface.
	corenet_tcp_sendrecv_all_ports($1)
	corenet_udp_sendrecv_all_ports($1)
	corenet_tcp_connect_all_ports($1)
	corenet_sendrecv_all_client_packets($1)

	optional_policy(`
		init_tcp_recvfrom_all_daemons($1)
		init_udp_recvfrom_all_daemons($1)
	')

	optional_policy(`
		ipsec_match_default_spd($1)
	')

')
472 | ||
#######################################
## <summary>
##	The template for creating a user xwindows client. (Deprecated)
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_xwindows_client_template',`
	# Deprecated: warns at build time, then still applies the rules
	# below.  New policy should call xserver_role() instead.
	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
	gen_require(`
		type $1_t, user_tmpfs_t;
	')

	dev_rw_xserver_misc($1_t)
	dev_rw_power_management($1_t)
	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri($1_t)
	# GNOME checks for usb and other devices:
	# (these are rw interfaces, not getattr-only)
	dev_rw_usbfs($1_t)
	dev_rw_generic_usb_dev($1_t)

	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
	xserver_xsession_entry_type($1_t)
	xserver_dontaudit_write_log($1_t)
	xserver_stream_connect_xdm($1_t)
	# certain apps want to read xdm.pid file
	xserver_read_xdm_pid($1_t)
	# gnome-session creates socket under /tmp/.ICE-unix/
	xserver_create_xdm_tmp_sockets($1_t)
	# Needed for escd, remove if we get escd policy
	xserver_manage_xdm_tmp_files($1_t)
')
514 | ||
#######################################
## <summary>
##	The template for allowing the user to change passwords.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_change_password_template',`
	gen_require(`
		type $1_t;
		role $1_r;
	')

	# Only applies when the usermanage module is present.  The run_*
	# interfaces transition $1_t into the chfn/passwd domains and
	# authorize $1_r for those domains.
	optional_policy(`
		usermanage_run_chfn($1_t,$1_r)
		usermanage_run_passwd($1_t,$1_r)
	')
')
538 | ||
539 | ####################################### | |
540 | ## <summary> | |
541 | ## The template containing rules common to unprivileged | |
542 | ## users and administrative users. | |
543 | ## </summary> | |
544 | ## <desc> | |
545 | ## <p> | |
546 | ## This template creates a user domain, types, and | |
547 | ## rules for the user's tty, pty, tmp, and tmpfs files. | |
548 | ## </p> | |
549 | ## </desc> | |
550 | ## <param name="userdomain_prefix"> | |
551 | ## <summary> | |
552 | ## The prefix of the user domain (e.g., user | |
553 | ## is the prefix for user_t). | |
554 | ## </summary> | |
555 | ## </param> | |
556 | # | |
557 | template(`userdom_common_user_template',` | |
563e58e8 CP |
558 | gen_require(` |
559 | attribute unpriv_userdomain; | |
560 | ') | |
bbcd3c97 | 561 | |
3eaa9939 | 562 | userdom_basic_networking($1_usertype) |
bbcd3c97 | 563 | |
bbcd3c97 CP |
564 | ############################## |
565 | # | |
566 | # User domain Local policy | |
567 | # | |
568 | ||
bbcd3c97 CP |
569 | # evolution and gnome-session try to create a netlink socket |
570 | dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; | |
571 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
3eaa9939 DW |
572 | allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; |
573 | allow $1_t self:socket create_socket_perms; | |
bbcd3c97 | 574 | |
3eaa9939 | 575 | allow $1_usertype unpriv_userdomain:fd use; |
bbcd3c97 | 576 | |
3eaa9939 DW |
577 | kernel_read_system_state($1_usertype) |
578 | kernel_read_network_state($1_usertype) | |
5aff16e1 | 579 | kernel_read_software_raid_state($1_usertype) |
3eaa9939 | 580 | kernel_read_net_sysctls($1_usertype) |
bbcd3c97 | 581 | # Very permissive allowing every domain to see every type: |
3eaa9939 | 582 | kernel_get_sysvipc_info($1_usertype) |
bbcd3c97 | 583 | # Find CDROM devices: |
3eaa9939 DW |
584 | kernel_read_device_sysctls($1_usertype) |
585 | kernel_request_load_module($1_usertype) | |
296273a7 | 586 | |
3eaa9939 DW |
587 | corenet_udp_bind_generic_node($1_usertype) |
588 | corenet_udp_bind_generic_port($1_usertype) | |
bbcd3c97 | 589 | |
3eaa9939 DW |
590 | dev_read_rand($1_usertype) |
591 | dev_write_sound($1_usertype) | |
592 | dev_read_sound($1_usertype) | |
593 | dev_read_sound_mixer($1_usertype) | |
594 | dev_write_sound_mixer($1_usertype) | |
bbcd3c97 | 595 | |
3eaa9939 DW |
596 | files_exec_etc_files($1_usertype) |
597 | files_search_locks($1_usertype) | |
bbcd3c97 | 598 | # Check to see if cdrom is mounted |
3eaa9939 | 599 | files_search_mnt($1_usertype) |
bbcd3c97 | 600 | # cjp: perhaps should cut back on file reads: |
3eaa9939 DW |
601 | files_read_var_files($1_usertype) |
602 | files_read_var_symlinks($1_usertype) | |
603 | files_read_generic_spool($1_usertype) | |
604 | files_read_var_lib_files($1_usertype) | |
bbcd3c97 | 605 | # Stat lost+found. |
3eaa9939 DW |
606 | files_getattr_lost_found_dirs($1_usertype) |
607 | files_read_config_files($1_usertype) | |
608 | fs_read_noxattr_fs_files($1_usertype) | |
609 | fs_read_noxattr_fs_symlinks($1_usertype) | |
610 | fs_rw_cgroup_files($1_usertype) | |
bbcd3c97 | 611 | |
f3ef2629 DW |
612 | application_getattr_socket($1_usertype) |
613 | ||
3eaa9939 DW |
614 | logging_send_syslog_msg($1_usertype) |
615 | logging_send_audit_msgs($1_usertype) | |
616 | selinux_get_enforce_mode($1_usertype) | |
e2b9add5 | 617 | |
bbcd3c97 | 618 | # cjp: some of this probably can be removed |
3eaa9939 DW |
619 | selinux_get_fs_mount($1_usertype) |
620 | selinux_validate_context($1_usertype) | |
621 | selinux_compute_access_vector($1_usertype) | |
622 | selinux_compute_create_context($1_usertype) | |
623 | selinux_compute_relabel_context($1_usertype) | |
624 | selinux_compute_user_contexts($1_usertype) | |
bbcd3c97 CP |
625 | |
626 | # for eject | |
3eaa9939 | 627 | storage_getattr_fixed_disk_dev($1_usertype) |
bbcd3c97 | 628 | |
3eaa9939 | 629 | auth_read_login_records($1_usertype) |
296273a7 CP |
630 | auth_run_pam($1_t,$1_r) |
631 | auth_run_utempter($1_t,$1_r) | |
bbcd3c97 | 632 | |
3eaa9939 | 633 | init_read_utmp($1_usertype) |
0c73cd25 | 634 | |
3eaa9939 DW |
635 | seutil_read_file_contexts($1_usertype) |
636 | seutil_read_default_contexts($1_usertype) | |
296273a7 | 637 | seutil_run_newrole($1_t,$1_r) |
6b19be33 | 638 | seutil_exec_checkpolicy($1_t) |
3eaa9939 | 639 | seutil_exec_setfiles($1_usertype) |
bbcd3c97 CP |
640 | # for when the network connection is killed |
641 | # this is needed when a login role can change | |
642 | # to this one. | |
643 | seutil_dontaudit_signal_newrole($1_t) | |
a1fcff33 | 644 | |
34c8fabe | 645 | tunable_policy(`user_direct_mouse',` |
3eaa9939 | 646 | dev_read_mouse($1_usertype) |
34c8fabe | 647 | ') |
0c73cd25 | 648 | |
34c8fabe | 649 | tunable_policy(`user_ttyfile_stat',` |
c3c753f7 | 650 | term_getattr_all_ttys($1_t) |
34c8fabe | 651 | ') |
0c73cd25 | 652 | |
6b19be33 | 653 | optional_policy(` |
3eaa9939 | 654 | alsa_read_rw_config($1_usertype) |
413aac13 | 655 | alsa_manage_home_files($1_t) |
413aac13 | 656 | alsa_relabel_home_files($1_t) |
6b19be33 CP |
657 | ') |
658 | ||
bb7170f6 | 659 | optional_policy(` |
ac9aa26d | 660 | # Allow graphical boot to check battery lifespan |
3eaa9939 | 661 | apm_stream_connect($1_usertype) |
ac9aa26d CP |
662 | ') |
663 | ||
bb7170f6 | 664 | optional_policy(` |
3eaa9939 | 665 | canna_stream_connect($1_usertype) |
3509484c CP |
666 | ') |
667 | ||
bb7170f6 | 668 | optional_policy(` |
3eaa9939 DW |
669 | chrome_role($1_r, $1_usertype) |
670 | ') | |
671 | ||
bfc1cfe9 MG |
672 | optional_policy(` |
673 | colord_read_lib_files($1_usertype) | |
674 | ') | |
675 | ||
3eaa9939 DW |
676 | optional_policy(` |
677 | dbus_system_bus_client($1_usertype) | |
678 | ||
679 | allow $1_usertype $1_usertype:dbus send_msg; | |
680 | ||
681 | optional_policy(` | |
682 | avahi_dbus_chat($1_usertype) | |
683 | ') | |
684 | ||
685 | optional_policy(` | |
686 | policykit_dbus_chat($1_usertype) | |
687 | ') | |
688 | ||
689 | optional_policy(` | |
690 | bluetooth_dbus_chat($1_usertype) | |
691 | ') | |
692 | ||
693 | optional_policy(` | |
694 | consolekit_dbus_chat($1_usertype) | |
695 | consolekit_read_log($1_usertype) | |
696 | ') | |
697 | ||
698 | optional_policy(` | |
699 | devicekit_dbus_chat($1_usertype) | |
700 | devicekit_dbus_chat_power($1_usertype) | |
701 | devicekit_dbus_chat_disk($1_usertype) | |
702 | ') | |
703 | ||
704 | optional_policy(` | |
705 | evolution_dbus_chat($1_usertype) | |
706 | evolution_alarm_dbus_chat($1_usertype) | |
707 | ') | |
d828b5ca | 708 | |
bbcd3c97 | 709 | optional_policy(` |
3eaa9939 | 710 | gnome_dbus_chat_gconfdefault($1_usertype) |
bbcd3c97 CP |
711 | ') |
712 | ||
6b19be33 | 713 | optional_policy(` |
3eaa9939 | 714 | hal_dbus_chat($1_usertype) |
6b19be33 CP |
715 | ') |
716 | ||
1acd60e5 MG |
717 | optional_policy(` |
718 | kde_dbus_chat_backlighthelper($1_usertype) | |
719 | ') | |
720 | ||
bb7170f6 | 721 | optional_policy(` |
3eaa9939 | 722 | modemmanager_dbus_chat($1_usertype) |
9fd4b818 CP |
723 | ') |
724 | ||
bb7170f6 | 725 | optional_policy(` |
3eaa9939 DW |
726 | networkmanager_dbus_chat($1_usertype) |
727 | networkmanager_read_lib_files($1_usertype) | |
ac9aa26d CP |
728 | ') |
729 | ||
bb7170f6 | 730 | optional_policy(` |
3eaa9939 | 731 | vpn_dbus_chat($1_usertype) |
d828b5ca | 732 | ') |
0c3d1705 CP |
733 | ') |
734 | ||
bb7170f6 | 735 | optional_policy(` |
3eaa9939 DW |
736 | git_session_role($1_r, $1_usertype) |
737 | ') | |
738 | ||
739 | optional_policy(` | |
740 | inetd_use_fds($1_usertype) | |
741 | inetd_rw_tcp_sockets($1_usertype) | |
b24f35d8 CP |
742 | ') |
743 | ||
bb7170f6 | 744 | optional_policy(` |
3eaa9939 DW |
745 | inn_read_config($1_usertype) |
746 | inn_read_news_lib($1_usertype) | |
747 | inn_read_news_spool($1_usertype) | |
9b06402e CP |
748 | ') |
749 | ||
cdd2b8d2 MG |
750 | optional_policy(` |
751 | lircd_stream_connect($1_usertype) | |
752 | ') | |
753 | ||
6b19be33 | 754 | optional_policy(` |
3eaa9939 | 755 | locate_read_lib_files($1_usertype) |
6b19be33 CP |
756 | ') |
757 | ||
bbcd3c97 CP |
758 | # for running depmod as part of the kernel packaging process |
759 | optional_policy(` | |
3eaa9939 DW |
760 | modutils_read_module_config($1_usertype) |
761 | ') | |
762 | ||
763 | optional_policy(` | |
764 | mta_rw_spool($1_usertype) | |
765 | mta_manage_queue($1_usertype) | |
780198a1 | 766 | mta_filetrans_home_content($1_usertype) |
bbcd3c97 CP |
767 | ') |
768 | ||
cc0c00d0 | 769 | optional_policy(` |
3eaa9939 | 770 | nsplugin_role($1_r, $1_usertype) |
cc0c00d0 CP |
771 | ') |
772 | ||
bb7170f6 | 773 | optional_policy(` |
bbcd3c97 CP |
774 | tunable_policy(`allow_user_mysql_connect',` |
775 | mysql_stream_connect($1_t) | |
42be7c21 CP |
776 | ') |
777 | ') | |
778 | ||
329138be DG |
779 | optional_policy(` |
780 | oident_manage_user_content($1_t) | |
781 | oident_relabel_user_content($1_t) | |
782 | ') | |
783 | ||
bb7170f6 | 784 | optional_policy(` |
2ec4c9d3 | 785 | # to allow monitoring of pcmcia status |
3eaa9939 | 786 | pcmcia_read_pid($1_usertype) |
2ec4c9d3 CP |
787 | ') |
788 | ||
6b19be33 | 789 | optional_policy(` |
3eaa9939 DW |
790 | pcscd_read_pub_files($1_usertype) |
791 | pcscd_stream_connect($1_usertype) | |
6b19be33 CP |
792 | ') |
793 | ||
cb10a2d5 CP |
794 | optional_policy(` |
795 | tunable_policy(`allow_user_postgresql_connect',` | |
3eaa9939 DW |
796 | postgresql_stream_connect($1_usertype) |
797 | postgresql_tcp_connect($1_usertype) | |
cb10a2d5 CP |
798 | ') |
799 | ') | |
800 | ||
b057be8d | 801 | optional_policy(` |
3eaa9939 | 802 | resmgr_stream_connect($1_usertype) |
b057be8d CP |
803 | ') |
804 | ||
bb7170f6 | 805 | optional_policy(` |
3eaa9939 DW |
806 | rpc_dontaudit_getattr_exports($1_usertype) |
807 | rpc_manage_nfs_rw_content($1_usertype) | |
f00434fa CP |
808 | ') |
809 | ||
bb7170f6 | 810 | optional_policy(` |
3eaa9939 | 811 | rpcbind_stream_connect($1_usertype) |
ac9aa26d CP |
812 | ') |
813 | ||
bb7170f6 | 814 | optional_policy(` |
3eaa9939 | 815 | samba_stream_connect_winbind($1_usertype) |
1d427acc CP |
816 | ') |
817 | ||
bb7170f6 | 818 | optional_policy(` |
3eaa9939 | 819 | sandbox_transition($1_usertype, $1_r) |
8cc49473 | 820 | ') |
821 | |
822 | optional_policy(` | |
823 | seunshare_role_template($1, $1_r, $1_t) | |
824 | ') | |
825 | ||
826 | optional_policy(` | |
827 | slrnpull_search_spool($1_usertype) | |
828 | ') | |
829 | ||
2ec4c9d3 | 830 | ') |
b16c6b8c | 831 | |
#######################################
## <summary>
##	The template for creating a login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	Unless the prefix is "unconfined", it also declares the
##	allow_$1_exec_content boolean (default: true), which lets
##	the user domain execute files in its own home directory and
##	tmp, and on NFS/CIFS home directories when those tunables
##	are enabled.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_login_user_template', `
	gen_require(`
		class context contains;
	')

	# Base domain/role/tty/pty rules and the $1_usertype attribute.
	userdom_base_user_template($1)

	userdom_manage_home_role($1_r, $1_usertype)

	userdom_manage_tmp_role($1_r, $1_usertype)
	userdom_manage_tmpfs_role($1_r, $1_usertype)

	# The unconfined user gets no per-user exec boolean; every other
	# login user domain gets allow_$1_exec_content, defaulting to ON.
	# NOTE(review): with the default on, anything the user can write
	# under $HOME or tmp is also executable by that user -- set the
	# boolean to false on deployments that should not run user-supplied
	# binaries.
	ifelse(`$1',`unconfined',`',`
		gen_tunable(allow_$1_exec_content, true)

		tunable_policy(`allow_$1_exec_content',`
			userdom_exec_user_tmp_files($1_usertype)
			userdom_exec_user_home_content_files($1_usertype)
		')
		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
			fs_exec_nfs_files($1_usertype)
		')

		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
			fs_exec_cifs_files($1_usertype)
		')
	')

	userdom_change_password_template($1)

	##############################
	#
	# User domain Local policy
	#

	# setgid/chown/fowner go to the base type only, not the whole
	# $1_usertype attribute; sys_nice/fsetid attempts are silenced.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };

	# Deny-list form: every process permission EXCEPT the listed ones.
	# setcurrent/setexec (changing this process's own context) stay
	# denied; execmem/execstack/execheap are not granted here (the
	# unprivileged template wires execmem_role_template for that).
	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
	dontaudit $1_t self:process setrlimit;
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	allow $1_t self:context contains;

	kernel_dontaudit_read_system_state($1_usertype)
	kernel_dontaudit_list_all_proc($1_usertype)

	dev_read_sysfs($1_usertype)
	dev_read_urand($1_usertype)

	domain_use_interactive_fds($1_usertype)
	# Command completion can fire hundreds of denials
	domain_dontaudit_exec_all_entry_files($1_usertype)

	files_dontaudit_list_default($1_usertype)
	files_dontaudit_read_default_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)

	fs_get_all_fs_quotas($1_usertype)
	fs_getattr_all_fs($1_usertype)
	fs_search_all($1_usertype)
	fs_list_inotifyfs($1_usertype)
	fs_rw_anon_inodefs_files($1_usertype)

	# Login records (wtmp/utmp) are written by the login program,
	# not by the user; silence the attempts.
	auth_dontaudit_write_login_records($1_t)
	auth_rw_cache($1_t)

	# Stop warnings about access to /dev/console
	init_dontaudit_use_fds($1_usertype)
	init_dontaudit_use_script_fds($1_usertype)

	libs_exec_lib_files($1_usertype)

	logging_dontaudit_getattr_all_logs($1_usertype)

	# for running TeX programs
	miscfiles_read_tetex_data($1_usertype)
	miscfiles_exec_tetex_data($1_usertype)

	seutil_read_config($1_usertype)

	optional_policy(`
		cups_read_config($1_usertype)
		cups_stream_connect($1_usertype)
		cups_stream_connect_ptal($1_usertype)
	')

	optional_policy(`
		kerberos_use($1_usertype)
		kerberos_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		mta_dontaudit_read_spool_symlinks($1_usertype)
	')

	optional_policy(`
		quota_dontaudit_getattr_db($1_usertype)
	')

	optional_policy(`
		rpm_read_db($1_usertype)
		rpm_dontaudit_manage_db($1_usertype)
		rpm_read_cache($1_usertype)
	')

	optional_policy(`
		oddjob_run_mkhomedir($1_t, $1_r)
	')
')
961 | ||
#######################################
## <summary>
##	The template for creating an unprivileged login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	The domain is added to the unpriv_userdomain attribute,
##	so rules written against "all unprivileged users"
##	apply to it.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	userdom_login_user_template($1)

	typeattribute $1_t unpriv_userdomain;
	domain_interactive_fd($1_t)

	# Kernel uevent (hotplug) notifications may be received; creating an
	# audit netlink socket is a common no-op attempt, so it is silenced
	# rather than allowed.
	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;

	##############################
	#
	# Local policy
	#

	optional_policy(`
		loadkeys_run($1_t,$1_r)
	')
')
1002 | ||
#######################################
## <summary>
##	The template for creating an unprivileged xwindows login user.
## </summary>
## <desc>
##	<p>
##	The template for creating an unprivileged xwindows login user.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	On top of the restricted user template it adds the
##	desktop-oriented access: sound, video and wireless devices,
##	the restricted X server role, D-Bus and the desktop
##	services reached over it.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_xwindows_user_template',`

	userdom_restricted_user_template($1)

	##############################
	#
	# Local policy
	#

	auth_role($1_r, $1_t)
	auth_search_pam_console_data($1_usertype)
	auth_dontaudit_read_login_records($1_usertype)

	dev_read_sound($1_usertype)
	dev_write_sound($1_usertype)
	# gnome keyring wants to read this.
	# NOTE(review): the dontaudit below is moot while dev_read_rand is
	# granted right after it; it only matters again if that "temporary"
	# allow is ever removed.
	dev_dontaudit_read_rand($1_usertype)
	# temporarily allow since openoffice requires this
	dev_read_rand($1_usertype)

	dev_read_video_dev($1_usertype)
	dev_write_video_dev($1_usertype)
	dev_rw_wireless($1_usertype)

	libs_dontaudit_setattr_lib_files($1_usertype)

	# NOTE(review): despite its name this boolean grants more than
	# noxattr/DOS filesystem access -- it also gives raw block-level
	# read AND write of removable devices, which bypasses the filesystem
	# labels on whatever is plugged in.  Note also the mix of $1_t
	# (usbfs) and $1_usertype (everything else) as subjects.
	tunable_policy(`user_rw_noexattrfile',`
		dev_rw_usbfs($1_t)
		dev_rw_generic_usb_dev($1_usertype)

		fs_manage_noxattr_fs_files($1_usertype)
		fs_manage_noxattr_fs_dirs($1_usertype)
		fs_manage_dos_dirs($1_usertype)
		fs_manage_dos_files($1_usertype)
		storage_raw_read_removable_device($1_usertype)
		storage_raw_write_removable_device($1_usertype)
	')

	logging_send_syslog_msg($1_usertype)
	# Moot while logging_send_audit_msgs is granted just below.
	logging_dontaudit_send_audit_msgs($1_t)

	# Need to do this just so screensaver will work. Should be moved to screensaver domain
	logging_send_audit_msgs($1_t)
	selinux_get_enforce_mode($1_t)
	seutil_exec_restorecond($1_t)
	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)

	xserver_restricted_role($1_r, $1_t)

	optional_policy(`
		alsa_read_rw_config($1_usertype)
	')

	# cjp: needed by KDE apps
	# bug: #682499
	optional_policy(`
		gnome_read_usr_config($1_usertype)
	')

	optional_policy(`
		dbus_role_template($1, $1_r, $1_usertype)
		dbus_system_bus_client($1_usertype)
		allow $1_usertype $1_usertype:dbus send_msg;

		# Everything nested here only makes sense with D-Bus present.
		optional_policy(`
			abrt_dbus_chat($1_usertype)
			abrt_run_helper($1_usertype, $1_r)
		')

		optional_policy(`
			consolekit_dontaudit_read_log($1_usertype)
			consolekit_dbus_chat($1_usertype)
		')

		optional_policy(`
			cups_dbus_chat($1_usertype)
			cups_dbus_chat_config($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
		')

		optional_policy(`
			fprintd_dbus_chat($1_t)
		')
	')

	optional_policy(`
		openoffice_role_template($1, $1_r, $1_usertype)
	')

	optional_policy(`
		policykit_role($1_r, $1_usertype)
	')

	optional_policy(`
		pulseaudio_role($1_r, $1_usertype)
	')

	optional_policy(`
		rtkit_scheduled($1_usertype)
	')

	optional_policy(`
		setroubleshoot_dontaudit_stream_connect($1_t)
	')

	optional_policy(`
		udev_read_db($1_usertype)
	')

	optional_policy(`
		wm_role_template($1, $1_r, $1_t)
	')
')
1143 | ||
#######################################
## <summary>
##	The template for creating an unprivileged user roughly
##	equivalent to a regular linux user.
## </summary>
## <desc>
##	<p>
##	The template for creating an unprivileged user roughly
##	equivalent to a regular linux user.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	Beyond the restricted xwindows template it adds network
##	binding (X server port unconditionally; DAAP and all
##	unreserved ports behind booleans), FUSE, and the role
##	templates for cron, gpg, execmem, java, mono and wine.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_unpriv_user_template', `

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_restricted_xwindows_user_template($1)
	userdom_common_user_template($1)

	##############################
	#
	# Local policy
	#

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
	# Need the following rule to allow users to run vpnc
	# NOTE(review): this is unconditional and lets the base user type
	# bind the X server port range itself; why vpnc needs that is not
	# explained here -- confirm before keeping it outside a boolean.
	corenet_tcp_bind_xserver_port($1_t)
	corenet_tcp_bind_generic_node($1_usertype)

	storage_rw_fuse($1_t)

	miscfiles_read_hwdata($1_usertype)

	tunable_policy(`user_share_music',`
		corenet_tcp_bind_daap_port($1_usertype)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_all_unreserved_ports($1_usertype)
	')

	# setrlimit is denied (and silenced) by the login template; this
	# boolean re-enables it for the whole $1_usertype attribute.
	tunable_policy(`user_setrlimit',`
		allow $1_usertype self:process setrlimit;
	')

	optional_policy(`
		cdrecord_role($1_r, $1_t)
	')

	optional_policy(`
		cron_role($1_r, $1_t)
	')

	optional_policy(`
		games_rw_data($1_usertype)
	')

	optional_policy(`
		gpg_role($1_r, $1_usertype)
	')

	optional_policy(`
		gnomeclock_dbus_chat($1_t)
	')

	optional_policy(`
		gpm_stream_connect($1_usertype)
	')

	# Runtimes that need writable+executable memory get their own
	# per-user domains instead of execmem on $1_t itself.
	optional_policy(`
		execmem_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		java_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mono_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mount_run_fusermount($1_t, $1_r)
		mount_read_pid_files($1_t)
	')

	optional_policy(`
		wine_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		postfix_run_postdrop($1_t, $1_r)
	')

	# Run pppd in pppd_t by default for user
	optional_policy(`
		ppp_run_cond($1_t, $1_r)
	')
')
4d8ddf9a | 1263 | |
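#######################################
## <summary>
##	The template for creating an administrative user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	The privileges given to administrative users are:
##	<ul>
##	<li>Raw disk access (removable devices)</li>
##	<li>Set all sysctls</li>
##	<li>All kernel ring buffer controls</li>
##	<li>Create, read, write, and delete all files but shadow</li>
##	<li>Manage source and binary format SELinux policy</li>
##	<li>Run insmod</li>
##	</ul>
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., sysadm
##	is the prefix for sysadm_t).
##	</summary>
## </param>
#
template(`userdom_admin_user_template',`
	gen_require(`
		attribute admindomain;
		class passwd { passwd chfn chsh rootok crontab };
	')

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_login_user_template($1)
	userdom_common_user_template($1)

	domain_obj_id_change_exemption($1_t)
	role system_r types $1_t;

	# Admin-only access elsewhere (e.g. userdom_attach_admin_tun_iface)
	# is keyed on this attribute.
	typeattribute $1_t admindomain;

	ifdef(`direct_sysadm_daemon',`
		domain_system_change_exemption($1_t)
	')

	##############################
	#
	# $1_t local policy
	#

	# Deny-list form: every capability EXCEPT module loading and audit
	# control/write.  Module loading goes through the modutils domain
	# transition further down instead.
	allow $1_t self:capability ~{ sys_module audit_control audit_write };
	allow $1_t self:capability2 syslog;
	allow $1_t self:process { setexec setfscreate };
	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
	allow $1_t self:tun_socket create;
	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };
	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctls($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	kernel_signal($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_rw_tun_tap_dev($1_t)

	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)
	# for lsof
	dev_getattr_mtrr_dev($1_t)
	# Allow MAKEDEV to work
	dev_create_all_blk_files($1_t)
	dev_create_all_chr_files($1_t)
	dev_delete_all_blk_files($1_t)
	dev_delete_all_chr_files($1_t)
	dev_rename_all_blk_files($1_t)
	dev_rename_all_chr_files($1_t)
	dev_create_generic_symlinks($1_t)
	dev_rw_generic_usb_dev($1_t)
	dev_rw_usbfs($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	domain_getattr_all_domains($1_t)
	domain_getcap_all_domains($1_t)
	# ptrace of other domains is silenced, not granted.
	domain_dontaudit_ptrace_all_domains($1_t)
	# signal all domains:
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)
	domain_dontaudit_getattr_all_sockets($1_t)

	files_exec_usr_src_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_getattr_all_files($1_t)
	fs_list_all($1_t)
	fs_set_all_quotas($1_t)
	fs_exec_noxattr($1_t)

	# Raw access is limited to removable media here; reads of fixed
	# disks are only silenced, not allowed.
	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)
	storage_dontaudit_read_fixed_disk($1_t)

	term_use_all_inherited_terms($1_t)

	# shadow may be stat'ed; this template grants no read/write/relabel
	# of it, everything else may be managed and relabeled.
	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	init_telinit($1_t)

	logging_send_syslog_msg($1_t)

	optional_policy(`
		modutils_domtrans_insmod($1_t)
		modutils_domtrans_depmod($1_t)
	')

	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_policy($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_bin_policy($1_t)

	userdom_manage_user_home_content_dirs($1_t)
	userdom_manage_user_home_content_files($1_t)
	userdom_manage_user_home_content_symlinks($1_t)
	userdom_manage_user_home_content_pipes($1_t)
	userdom_manage_user_home_content_sockets($1_t)
	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files($1_t)
		fs_manage_noxattr_fs_dirs($1_t)
	',`
		fs_read_noxattr_fs_files($1_t)
	')

	optional_policy(`
		postgresql_unconfined($1_t)
	')

	optional_policy(`
		userhelper_exec($1_t)
	')
')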
1445 | ||
########################################
## <summary>
##	Allow user to run as a secadm
## </summary>
## <desc>
##	<p>
##	Grant the security-administrator privilege set to a domain:
##	relabel any file including shadow, read files at all MLS
##	levels and upgrade/downgrade them, set the enforcing mode,
##	booleans and other SELinux parameters, manage binary policy,
##	and run the policy tools (checkpolicy, load_policy, semanage,
##	setsebool, setfiles) and the integrity tools (aide, samhain)
##	through their *_run interfaces for the given role.
##	</p>
##	<p>
##	This is a templated interface, and should only
##	be called from a per-userdomain template.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role of the domain; passed to the *_run interfaces
##	so the role may enter the tools' domains.
##	</summary>
## </param>
#
template(`userdom_security_admin_template',`
	# DAC bypass -- presumably needed to relabel files the admin
	# does not own; with dac_override this domain ignores file
	# permission bits entirely.
	allow $1 self:capability { dac_read_search dac_override };

	corecmd_exec_shell($1)

	domain_obj_id_change_exemption($1)

	dev_relabel_all_dev_nodes($1)

	files_create_boot_flag($1)
	files_create_default_dir($1)
	files_root_filetrans_default($1, dir)

	# Necessary for managing /boot/efi
	fs_manage_dos_files($1)

	# MLS: read up, and move files between levels in both directions.
	mls_process_read_up($1)
	mls_file_read_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	# NOTE(review): selinux_set_enforce_mode lets this domain switch
	# the whole system to permissive -- it is the most sensitive
	# permission in this template and should be assigned sparingly.
	selinux_set_enforce_mode($1)
	selinux_set_all_booleans($1)
	selinux_set_parameters($1)
	selinux_read_policy($1)

	# Unlike the sysadm template, shadow is included in relabeling.
	auth_relabel_all_files_except_shadow($1)
	auth_relabel_shadow($1)

	init_exec($1)

	logging_send_syslog_msg($1)
	logging_read_audit_log($1)
	logging_read_generic_logs($1)
	logging_read_audit_config($1)

	seutil_manage_bin_policy($1)
	seutil_run_checkpolicy($1,$2)
	seutil_run_loadpolicy($1,$2)
	seutil_run_semanage($1,$2)
	seutil_run_setsebool($1,$2)
	seutil_run_setfiles($1, $2)

	optional_policy(`
		aide_run($1,$2)
	')

	optional_policy(`
		consoletype_exec($1)
	')

	optional_policy(`
		dmesg_exec($1)
	')

	optional_policy(`
		ipsec_run_setkey($1,$2)
	')

	optional_policy(`
		netlabel_run_mgmt($1,$2)
	')

	optional_policy(`
		samhain_run($1, $2)
	')
')
490639cd | 1539 | |
########################################
## <summary>
##	Make the specified type usable in a
##	user home directory.
## </summary>
## <desc>
##	<p>
##	Marks the type as a file type, subjects it to UBAC,
##	registers it as a polyinstantiation member and adds it
##	to the user_home_type attribute so every interface written
##	against user home content covers it.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as a file in the
##	user home directory.
##	</summary>
## </param>
#
interface(`userdom_user_home_content',`
	gen_require(`
		type user_home_t;
		attribute user_home_type;
	')

	# NOTE(review): user_home_t acts as a filesystem type here --
	# presumably for polyinstantiated home directories; confirm.
	allow $1 user_home_t:filesystem associate;
	files_type($1)
	ubac_constrained($1)

	files_poly_member($1)
	typeattribute $1 user_home_type;
')
1565 | ||
########################################
## <summary>
##	Make the specified type usable in a
##	generic temporary directory.
## </summary>
## <desc>
##	<p>
##	Adds the type to the user_tmp_type attribute, marks it
##	as a tmp file type and subjects it to UBAC.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as a file in the
##	generic temporary directory.
##	</summary>
## </param>
#
interface(`userdom_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	typeattribute $1 user_tmp_type;

	files_tmp_file($1)
	ubac_constrained($1)
')
1588 | ||
########################################
## <summary>
##	Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <desc>
##	<p>
##	Attaching is expressed as relabeling the tun_socket from any
##	admindomain type to the caller's own type; only domains that
##	went through userdom_admin_user_template are sources.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_attach_admin_tun_iface',`
	gen_require(`
		attribute admindomain;
	')

	allow $1 admindomain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')
1607 | ||
########################################
## <summary>
##	Set the attributes of a user pty.
## </summary>
## <desc>
##	<p>
##	Grants setattr on user_devpts_t character devices only;
##	no read/write of the terminal is included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_setattr_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
')
1625 | ||
########################################
## <summary>
##	Create a user pty.
## </summary>
## <desc>
##	<p>
##	Thin wrapper over term_create_pty with the user pty
##	type (user_devpts_t) fixed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_user_pty',`
	gen_require(`
		type user_devpts_t;
	')

	term_create_pty($1, user_devpts_t)
')
1643 | ||
########################################
## <summary>
##	Get the attributes of user home directories.
## </summary>
## <desc>
##	<p>
##	Also grants search on the parent home directory root
##	(files_search_home) so the path can be reached.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir getattr_dir_perms;
	files_search_home($1)
')
1662 | ||
########################################
## <summary>
##	Do not audit attempts to get the attributes of user home directories.
## </summary>
## <desc>
##	<p>
##	Silences the denial only; nothing is allowed. Unlike the
##	allow variant, no search on the home root is added.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
')
1680 | ||
########################################
## <summary>
##	Search user home directories.
## </summary>
## <desc>
##	<p>
##	Search on user_home_dir_t directories plus reading of
##	symlinks of that type (so a symlinked home resolves),
##	and search on the home root to reach them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir search_dir_perms;
	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
	files_search_home($1)
')
1700 | ||
1701 | ######################################## | |
1702 | ## <summary> | |
c46376e6 | 1703 | ## Do not audit attempts to search user home directories. |
b1bf2f78 | 1704 | ## </summary> |
c46376e6 CP |
1705 | ## <desc> |
1706 | ## <p> | |
1707 | ## Do not audit attempts to search user home directories. | |
1708 | ## This will supress SELinux denial messages when the specified | |
1709 | ## domain is denied the permission to search these directories. | |
1710 | ## </p> | |
1711 | ## </desc> | |
296273a7 | 1712 | ## <param name="domain"> |
b1bf2f78 | 1713 | ## <summary> |
c46376e6 | 1714 | ## Domain to not audit. |
1715 | ## </summary> |
1716 | ## </param> | |
c46376e6 | 1717 | ## <infoflow type="none"/> |
b1bf2f78 | 1718 | # |
interface(`userdom_dontaudit_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Suppress the audit record for a denied traversal of the home
	# directory root; no permission is granted by this rule.
	dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
1726 | ||
1727 | ######################################## | |
1728 | ## <summary> | |
ff8f0a63 | 1729 | ## List user home directories. |
b1bf2f78 | 1730 | ## </summary> |
296273a7 | 1731 | ## <param name="domain"> |
b1bf2f78 | 1732 | ## <summary> |
ff8f0a63 | 1733 | ## Domain allowed access. |
1734 | ## </summary> |
1735 | ## </param> | |
b1bf2f78 | 1736 | # |
interface(`userdom_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir list_dir_perms;

	# Home directories may live on a network filesystem; listing on
	# NFS/CIFS is only granted when the administrator turns the
	# corresponding boolean on.
	tunable_policy(`use_nfs_home_dirs',`
		fs_list_nfs($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_list_cifs($1)
	')
')
1753 | ||
1754 | ######################################## |
1755 | ## <summary> | |
296273a7 | 1756 | ## Do not audit attempts to list user home subdirectories. |
1757 | ## </summary> |
1758 | ## <param name="domain"> | |
885b83ec | 1759 | ## <summary> |
a7ee7f81 | 1760 | ## Domain to not audit. |
885b83ec | 1761 | ## </summary> |
1762 | ## </param> |
1763 | # | |
interface(`userdom_dontaudit_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Both the home directory root and its content directories are
	# covered, so a recursive listing attempt stays quiet all the way down.
	dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms;
')
1773 | ||
1774 | ######################################## | |
1775 | ## <summary> | |
296273a7 | 1776 | ## Create user home directories. |
1777 | ## </summary> |
1778 | ## <param name="domain"> | |
885b83ec | 1779 | ## <summary> |
7c2f5a82 | 1780 | ## Domain allowed access. |
885b83ec | 1781 | ## </summary> |
1782 | ## </param> |
1783 | # | |
interface(`userdom_create_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Creation only: no parent search is granted here, so the caller
	# must already be able to reach the home root (e.g. via files_search_home).
	allow $1 user_home_dir_t:dir create_dir_perms;
')
1791 | ||
1792 | ######################################## | |
1793 | ## <summary> | |
296273a7 | 1794 | ## Create, read, write, and delete user home directories. |
1795 | ## </summary> |
1796 | ## <param name="domain"> | |
885b83ec | 1797 | ## <summary> |
7c2f5a82 | 1798 | ## Domain allowed access. |
885b83ec | 1799 | ## </summary> |
1800 | ## </param> |
1801 | # | |
interface(`userdom_manage_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Full directory management on the home root type itself; the
	# caller is expected to already hold search on the parent.
	allow $1 user_home_dir_t:dir manage_dir_perms;
')
1809 | ||
d490eb6b | 1810 | ######################################## |
ab940a4c | 1811 | ## <summary> |
296273a7 | 1812 | ## Relabel to user home directories. |
ab940a4c | 1813 | ## </summary> |
414e4151 | 1814 | ## <param name="domain"> |
885b83ec | 1815 | ## <summary> |
725926c5 | 1816 | ## Domain allowed access. |
885b83ec | 1817 | ## </summary> |
414e4151 | 1818 | ## </param> |
d490eb6b | 1819 | # |
interface(`userdom_relabelto_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# One-directional: $1 may give a directory the user_home_dir_t
	# label, but relabelfrom on it is not part of this interface.
	allow $1 user_home_dir_t:dir relabelto;
')
1827 | ||
1828 | |
1829 | ######################################## | |
1830 | ## <summary> | |
1831 | ## Relabel to user home files. | |
1832 | ## </summary> | |
1833 | ## <param name="domain"> | |
1834 | ## <summary> | |
1835 | ## Domain allowed access. | |
1836 | ## </summary> | |
1837 | ## </param> | |
1838 | # | |
interface(`userdom_relabelto_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# Only the target side of a relabel; pair with a relabelfrom on
	# the source type elsewhere if a full relabel is intended.
	allow $1 user_home_t:file relabelto;
')
1846 | ######################################## | |
1847 | ## <summary> | |
1848 | ## Relabel user home files. | |
1849 | ## </summary> | |
1850 | ## <param name="domain"> | |
1851 | ## <summary> | |
1852 | ## Domain allowed access. | |
1853 | ## </summary> | |
1854 | ## </param> | |
1855 | # | |
interface(`userdom_relabel_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# relabel_file_perms covers both directions, so $1 can move files
	# into and out of the user_home_t label.
	allow $1 user_home_t:file relabel_file_perms;
')
1863 | ||
1864 | ######################################## |
1865 | ## <summary> | |
1866 | ## Create directories in the home dir root with |
1867 | ## the user home directory type. | |
1868 | ## </summary> |
1869 | ## <param name="domain"> | |
885b83ec | 1870 | ## <summary> |
7c2f5a82 | 1871 | ## Domain allowed access. |
885b83ec | 1872 | ## </summary> |
1873 | ## </param> |
1874 | # | |
interface(`userdom_home_filetrans_user_home_dir',`
	gen_require(`
		type user_home_dir_t;
	')

	# Directories $1 creates in the home root are labeled
	# user_home_dir_t; the transition is restricted to the dir class.
	files_home_filetrans($1, user_home_dir_t, dir)
')
1882 | ||
1883 | ######################################## |
1884 | ## <summary> | |
1885 | ## Do a domain transition to the specified |
1886 | ## domain when executing a program in the | |
1887 | ## user home directory. | |
1888 | ## </summary> |
1889 | ## <desc> | |
1890 | ## <p> | |
1891 | ## Do a domain transition to the specified |
1892 | ## domain when executing a program in the | |
1893 | ## user home directory. | |
1894 | ## </p> |
1895 | ## <p> | |
1896 | ## No interprocess communication (signals, pipes, |
1897 | ## etc.) is provided by this interface since | |
1898 | ## the domains are not owned by this module. | |
1899 | ## </p> |
1900 | ## </desc> | |
296273a7 | 1901 | ## <param name="source_domain"> |
d42c7ede | 1902 | ## <summary> |
a0546c9d | 1903 | ## Domain allowed to transition. |
1904 | ## </summary> |
1905 | ## </param> | |
296273a7 | 1906 | ## <param name="target_domain"> |
d42c7ede | 1907 | ## <summary> |
296273a7 | 1908 | ## Domain to transition to. |
1909 | ## </summary> |
1910 | ## </param> | |
1911 | # | |
interface(`userdom_user_home_domtrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Reach the home directory first ...
	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	# ... then every user_home_t file executed by $1 runs in $2.
	# The transition is automatic, so $2 is entered without the
	# caller opting in per exec.
	domain_auto_trans($1, user_home_t, $2)
')
1921 | ||
1922 | ######################################## |
1923 | ## <summary> | |
296273a7 | 1924 | ## Do not audit attempts to search user home content directories. |
1925 | ## </summary> |
1926 | ## <param name="domain"> | |
885b83ec | 1927 | ## <summary> |
a7ee7f81 | 1928 | ## Domain to not audit. |
885b83ec | 1929 | ## </summary> |
1930 | ## </param> |
1931 | # | |
interface(`userdom_dontaudit_search_user_home_content',`
	gen_require(`
		type user_home_t;
	')

	# Keep remote home content quiet as well, since the same probe
	# from $1 shows up as an NFS/CIFS listing denial there.
	fs_dontaudit_list_nfs($1)
	fs_dontaudit_list_cifs($1)
	dontaudit $1 user_home_t:dir search_dir_perms;
')
1941 | ||
1942 | ######################################## |
1943 | ## <summary> | |
1944 | ## List contents of user home directories. |
1945 | ## </summary> | |
1946 | ## <param name="domain"> | |
1947 | ## <summary> | |
1948 | ## Domain allowed access. | |
1949 | ## </summary> | |
1950 | ## </param> | |
1951 | # | |
interface(`userdom_list_user_home_content',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	# Listing covers the home root and every type carrying
	# user_home_type, so it is wider than the user_home_t-only interfaces.
	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
	files_list_home($1)
')
1961 | ||
1962 | ######################################## |
1963 | ## <summary> | |
1964 | ## Create, read, write, and delete directories |
1965 | ## in a user home subdirectory. | |
1966 | ## </summary> |
1967 | ## <param name="domain"> | |
1968 | ## <summary> | |
1969 | ## Domain allowed access. | |
1970 | ## </summary> | |
1971 | ## </param> | |
1972 | # | |
interface(`userdom_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# The home root is included as a container so that user_home_t
	# directories directly under it can be created and removed too.
	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
')
1981 | ||
1982 | ######################################## |
1983 | ## <summary> | |
1984 | ## Delete directories in a user home subdirectory. | |
1985 | ## </summary> | |
1986 | ## <param name="domain"> | |
1987 | ## <summary> | |
1988 | ## Domain allowed access. | |
1989 | ## </summary> | |
1990 | ## </param> | |
1991 | # | |
interface(`userdom_delete_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Deletion only; no search on the home root or its parent is
	# granted, so callers need that from another interface.
	allow $1 user_home_t:dir delete_dir_perms;
')
1999 | ||
2000 | ######################################## |
2001 | ## <summary> | |
2002 | ## Set the attributes of user home files. | |
2003 | ## </summary> | |
2004 | ## <param name="domain"> | |
2005 | ## <summary> | |
2006 | ## Domain allowed access. | |
2007 | ## </summary> | |
2008 | ## </param> | |
2009 | ## <rolecap/> | |
2010 | # | |
interface(`userdom_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Attribute changes only (ownership, mode, timestamps); no read or
	# write of the file contents is granted here.
	allow $1 user_home_t:file setattr;
')
2018 | ||
2019 | ######################################## |
2020 | ## <summary> | |
2021 | ## Do not audit attempts to set the |
2022 | ## attributes of user home files. | |
2023 | ## </summary> |
2024 | ## <param name="domain"> | |
2025 | ## <summary> | |
a0546c9d | 2026 | ## Domain to not audit. |
2027 | ## </summary> |
2028 | ## </param> | |
2029 | # | |
interface(`userdom_dontaudit_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silences the denial for attribute changes on user home files;
	# the access itself stays denied.
	dontaudit $1 user_home_t:file setattr_file_perms;
')
2037 | ||
2038 | ######################################## |
2039 | ## <summary> | |
296273a7 | 2040 | ## Mmap user home files. |
2041 | ## </summary> |
2042 | ## <param name="domain"> | |
885b83ec | 2043 | ## <summary> |
725926c5 | 2044 | ## Domain allowed access. |
885b83ec | 2045 | ## </summary> |
2046 | ## </param> |
2047 | # | |
interface(`userdom_mmap_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Files may sit directly in the home root or in a user_home_t
	# subdirectory, hence both container types.
	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
')
2056 | ||
2057 | ######################################## |
2058 | ## <summary> | |
296273a7 | 2059 | ## Read user home files. |
2060 | ## </summary> |
2061 | ## <param name="domain"> | |
885b83ec | 2062 | ## <summary> |
725926c5 | 2063 | ## Domain allowed access. |
885b83ec | 2064 | ## </summary> |
2065 | ## </param> |
2066 | # | |
interface(`userdom_read_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Reading a file also needs the directories along the way to be
	# listable, so both the home root and content dirs are listed.
	list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
')
2076 | ||
daa0e0b0 | 2077 | ######################################## |
ab940a4c | 2078 | ## <summary> |
3eaa9939 | 2079 | ## Do not audit attempts to getattr user home files. |
ab940a4c | 2080 | ## </summary> |
414e4151 | 2081 | ## <param name="domain"> |
885b83ec | 2082 | ## <summary> |
296273a7 | 2083 | ## Domain to not audit. |
885b83ec | 2084 | ## </summary> |
414e4151 | 2085 | ## </param> |
490639cd | 2086 | # |
interface(`userdom_dontaudit_getattr_user_home_content',`
	gen_require(`
		attribute user_home_type;
	')

	# Stat attempts on either directories or files under any
	# user_home_type label are kept out of the audit log.
	dontaudit $1 user_home_type:{ dir file } getattr;
')
2095 | ||
2096 | ######################################## | |
2097 | ## <summary> | |
2098 | ## Do not audit attempts to read user home files. | |
2099 | ## </summary> | |
2100 | ## <param name="domain"> | |
2101 | ## <summary> | |
2102 | ## Domain to not audit. | |
2103 | ## </summary> | |
2104 | ## </param> | |
2105 | # | |
interface(`userdom_dontaudit_read_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
		type user_home_dir_t;
	')

	# A read attempt generates a listing denial on the path as well as
	# the file/symlink read itself; all of those are silenced here.
	dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
	dontaudit $1 user_home_type:file read_file_perms;
	dontaudit $1 user_home_type:dir list_dir_perms;
	dontaudit $1 user_home_dir_t:dir list_dir_perms;
')
2117 | ||
2118 | ######################################## |
2119 | ## <summary> | |
296273a7 | 2120 | ## Do not audit attempts to append user home files. |
2121 | ## </summary> |
2122 | ## <param name="domain"> | |
885b83ec | 2123 | ## <summary> |
50aca6d2 | 2124 | ## Domain to not audit. |
885b83ec | 2125 | ## </summary> |
2126 | ## </param> |
2127 | # | |
interface(`userdom_dontaudit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Append-only denials stay quiet; general writes are a separate
	# interface and are not covered.
	dontaudit $1 user_home_t:file append_file_perms;
')
2135 | ||
2136 | ######################################## |
2137 | ## <summary> | |
296273a7 | 2138 | ## Do not audit attempts to write user home files. |
2139 | ## </summary> |
2140 | ## <param name="domain"> | |
885b83ec | 2141 | ## <summary> |
296273a7 | 2142 | ## Domain to not audit. |
885b83ec | 2143 | ## </summary> |
2144 | ## </param> |
2145 | # | |
interface(`userdom_dontaudit_write_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Keep write denials on user home files out of the log without
	# granting the write.
	dontaudit $1 user_home_t:file write_file_perms;
')
2153 | ||
2154 | ######################################## |
2155 | ## <summary> | |
2156 | ## Delete files in a user home subdirectory. | |
2157 | ## </summary> | |
2158 | ## <param name="domain"> | |
2159 | ## <summary> | |
2160 | ## Domain allowed access. | |
2161 | ## </summary> | |
2162 | ## </param> | |
2163 | # | |
interface(`userdom_delete_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Unlink only; reaching the file's directory must be granted elsewhere.
	allow $1 user_home_t:file delete_file_perms;
')
2171 | ||
d4dca585 | 2172 | ######################################## |
2173 | ## <summary> |
2174 | ## Delete sock files in a user home subdirectory. | |
2175 | ## </summary> | |
2176 | ## <param name="domain"> | |
2177 | ## <summary> | |
2178 | ## Domain allowed access. | |
2179 | ## </summary> | |
2180 | ## </param> | |
2181 | # | |
interface(`userdom_delete_user_home_content_sock_files',`
	gen_require(`
		type user_home_t;
	')

	# Removing stale unix sockets from a user home; no connect or
	# write on the socket is granted.
	allow $1 user_home_t:sock_file delete_file_perms;
')
2189 | ||
2190 | ######################################## |
2191 | ## <summary> | |
296273a7 | 2192 | ## Do not audit attempts to relabel user home files. |
2193 | ## </summary> |
2194 | ## <param name="domain"> | |
885b83ec | 2195 | ## <summary> |
d4dca585 | 2196 | ## Domain to not audit. |
885b83ec | 2197 | ## </summary> |
2198 | ## </param> |
2199 | # | |
interface(`userdom_dontaudit_relabel_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Both relabelfrom and relabelto denials on user home files are
	# suppressed; the relabel itself remains denied.
	dontaudit $1 user_home_t:file relabel_file_perms;
')
2207 | ||
0404a390 | 2208 | ######################################## |
ab940a4c | 2209 | ## <summary> |
296273a7 | 2210 | ## Read user home subdirectory symbolic links. |
ab940a4c | 2211 | ## </summary> |
414e4151 | 2212 | ## <param name="domain"> |
885b83ec | 2213 | ## <summary> |
725926c5 | 2214 | ## Domain allowed access. |
885b83ec | 2215 | ## </summary> |
414e4151 | 2216 | ## </param> |
0404a390 | 2217 | # |
interface(`userdom_read_user_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Symlinks may be in the home root or in content directories; no
	# directory search is granted here, only the link read itself.
	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
	allow $1 user_home_t:lnk_file read_lnk_file_perms;
')
2225 | ||
763c441e | 2226 | ######################################## |
ab940a4c | 2227 | ## <summary> |
296273a7 | 2228 | ## Execute user home files. |
ab940a4c | 2229 | ## </summary> |
414e4151 | 2230 | ## <param name="domain"> |
885b83ec | 2231 | ## <summary> |
296273a7 | 2232 | ## Domain allowed access. |
885b83ec | 2233 | ## </summary> |
414e4151 | 2234 | ## </param> |
296273a7 | 2235 | ## <rolecap/> |
763c441e | 2236 | # |
interface(`userdom_exec_user_home_content_files',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	files_search_home($1)
	# Execution stays in the caller's domain; no domain transition is
	# set up by this interface. Every type with user_home_type is
	# executable, not just user_home_t.
	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	# Sockets in a user home are never executable; keep that denial quiet.
	dontaudit $1 user_home_type:sock_file execute;
')
763c441e | 2247 | |
2248 | ######################################## |
2249 | ## <summary> | |
296273a7 | 2250 | ## Do not audit attempts to execute user home files. |
2251 | ## </summary> |
2252 | ## <param name="domain"> | |
885b83ec | 2253 | ## <summary> |
a0546c9d | 2254 | ## Domain to not audit. |
885b83ec | 2255 | ## </summary> |
2256 | ## </param> |
2257 | # | |
interface(`userdom_dontaudit_exec_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Execution of user_home_t files is still denied; only the audit
	# record is dropped.
	dontaudit $1 user_home_t:file exec_file_perms;
')
2265 | ||
2266 | ######################################## | |
2267 | ## <summary> | |
2268 | ## Create, read, write, and delete files |
2269 | ## in a user home subdirectory. | |
2270 | ## </summary> |
2271 | ## <param name="domain"> | |
885b83ec | 2272 | ## <summary> |
725926c5 | 2273 | ## Domain allowed access. |
885b83ec | 2274 | ## </summary> |
2275 | ## </param> |
2276 | # | |
interface(`userdom_manage_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# The home root is only searched here; write access is confined to
	# user_home_t directories and the user_home_t files inside them.
	allow $1 user_home_dir_t:dir search_dir_perms;
	manage_files_pattern($1, user_home_t, user_home_t)
')
2286 | ||
2287 | ######################################## |
2288 | ## <summary> | |
2289 | ## Do not audit attempts to create, read, write, and delete directories |
2290 | ## in a user home subdirectory. | |
2291 | ## </summary> |
2292 | ## <param name="domain"> | |
885b83ec | 2293 | ## <summary> |
a0546c9d | 2294 | ## Domain to not audit. |
885b83ec | 2295 | ## </summary> |
2296 | ## </param> |
2297 | # | |
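interface(`userdom_dontaudit_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Only user_home_t is referenced by the rule below, so only it is
	# required; the home root type is not part of this interface.
	dontaudit $1 user_home_t:dir manage_dir_perms;
')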
2305 | ||
2306 | ######################################## |
2307 | ## <summary> | |
2308 | ## Create, read, write, and delete symbolic links |
2309 | ## in a user home subdirectory. | |
2310 | ## </summary> |
2311 | ## <param name="domain"> | |
885b83ec | 2312 | ## <summary> |
296273a7 | 2313 | ## Domain allowed access. |
885b83ec | 2314 | ## </summary> |
2315 | ## </param> |
2316 | # | |
interface(`userdom_manage_user_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Search on the home root to reach content directories; symlink
	# management itself is limited to user_home_t directories.
	allow $1 user_home_dir_t:dir search_dir_perms;
	manage_lnk_files_pattern($1, user_home_t, user_home_t)
')
2326 | ||
2327 | ######################################## |
2328 | ## <summary> | |
2329 | ## Delete symbolic links in a user home subdirectory. |
2330 | ## </summary> | |
2331 | ## <param name="domain"> | |
2332 | ## <summary> | |
2333 | ## Domain allowed access. | |
2334 | ## </summary> | |
2335 | ## </param> | |
2336 | # | |
interface(`userdom_delete_user_home_content_symlinks',`
	gen_require(`
		type user_home_t;
	')

	# Unlink of the symlink only; the directory containing it must be
	# reachable through another interface.
	allow $1 user_home_t:lnk_file delete_lnk_file_perms;
')
2344 | ||
2345 | ######################################## |
2346 | ## <summary> | |
2347 | ## Create, read, write, and delete named pipes |
2348 | ## in a user home subdirectory. | |
2349 | ## </summary> |
2350 | ## <param name="domain"> | |
885b83ec | 2351 | ## <summary> |
296273a7 | 2352 | ## Domain allowed access. |
885b83ec | 2353 | ## </summary> |
2354 | ## </param> |
2355 | # | |
interface(`userdom_manage_user_home_content_pipes',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	# Named pipes are managed only inside user_home_t directories.
	manage_fifo_files_pattern($1, user_home_t, user_home_t)
')
2365 | ||
2366 | ######################################## | |
2367 | ## <summary> | |
2368 | ## Create, read, write, and delete named sockets |
2369 | ## in a user home subdirectory. | |
2370 | ## </summary> |
2371 | ## <param name="domain"> | |
885b83ec | 2372 | ## <summary> |
296273a7 | 2373 | ## Domain allowed access. |
885b83ec | 2374 | ## </summary> |
2375 | ## </param> |
2376 | # | |
interface(`userdom_manage_user_home_content_sockets',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Unix socket files are managed inside user_home_t directories;
	# the home root is only searched to get there.
	manage_sock_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
')
2386 | ||
2387 | ######################################## |
2388 | ## <summary> | |
2389 | ## Create objects in a user home directory |
2390 | ## with an automatic type transition to | |
2391 | ## a specified private type. | |
2392 | ## </summary> |
2393 | ## <param name="domain"> | |
885b83ec | 2394 | ## <summary> |
725926c5 | 2395 | ## Domain allowed access. |
885b83ec | 2396 | ## </summary> |
725926c5 | 2397 | ## </param> |
296273a7 | 2398 | ## <param name="private_type"> |
885b83ec | 2399 | ## <summary> |
296273a7 | 2400 | ## The type of the object to create. |
885b83ec | 2401 | ## </summary> |
b11a75a5 | 2402 | ## </param> |
296273a7 | 2403 | ## <param name="object_class"> |
885b83ec | 2404 | ## <summary> |
296273a7 | 2405 | ## The class of the object to be created. |
885b83ec | 2406 | ## </summary> |
2407 | ## </param> |
2408 | # | |
interface(`userdom_user_home_dir_filetrans',`
	gen_require(`
		type user_home_dir_t;
	')

	files_search_home($1)
	# $2 is the private type, $3 the object class, and $4 an optional
	# object name for a named transition; $4 is forwarded as given,
	# so omitting it yields an unnamed transition.
	filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
')
2417 | ||
2418 | ######################################## |
2419 | ## <summary> | |
2420 | ## Create objects in a user home subdirectory |
2421 | ## with an automatic type transition to | |
2422 | ## a specified private type. | |
2423 | ## </summary> |
2424 | ## <param name="domain"> | |
885b83ec | 2425 | ## <summary> |
10b1f324 | 2426 | ## Domain allowed access. |
885b83ec | 2427 | ## </summary> |
10b1f324 | 2428 | ## </param> |
296273a7 | 2429 | ## <param name="private_type"> |
885b83ec | 2430 | ## <summary> |
296273a7 | 2431 | ## The type of the object to create. |
885b83ec | 2432 | ## </summary> |
2433 | ## </param> |
2434 | ## <param name="object_class"> | |
885b83ec | 2435 | ## <summary> |
10b1f324 | 2436 | ## The class of the object to be created. |
885b83ec | 2437 | ## </summary> |
2438 | ## </param> |
2439 | # | |
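interface(`userdom_user_home_content_filetrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# $2 is the private type and $3 the object class. $4 is an optional
	# object name for a named transition, forwarded the same way
	# userdom_user_home_dir_filetrans forwards its name argument;
	# existing callers that pass three arguments get the unnamed
	# transition they had before.
	filetrans_pattern($1, user_home_t, $2, $3, $4)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')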
2449 | ||
2450 | ######################################## | |
2451 | ## <summary> | |
2452 | ## Create objects in a user home directory |
2453 | ## with an automatic type transition to | |
2454 | ## the user home file type. | |
2455 | ## </summary> |
2456 | ## <param name="domain"> | |
885b83ec | 2457 | ## <summary> |
2458 | ## Domain allowed access. |
2459 | ## </summary> | |
2460 | ## </param> | |
2461 | ## <param name="object_class"> | |
2462 | ## <summary> | |
2463 | ## The class of the object to be created. | |
885b83ec | 2464 | ## </summary> |
2465 | ## </param> |
2466 | # | |
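interface(`userdom_user_home_dir_filetrans_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Objects of class $2 created by $1 in the home root get
	# user_home_t. $3 is an optional object name for a named
	# transition, forwarded like userdom_user_home_dir_filetrans does;
	# two-argument callers keep the unnamed transition.
	filetrans_pattern($1, user_home_dir_t, user_home_t, $2, $3)
	files_search_home($1)
')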
2475 | ||
2476 | ######################################## |
2477 | ## <summary> | |
ff8f0a63 | 2478 | ## Write to user temporary named sockets. |
2479 | ## </summary> |
2480 | ## <param name="domain"> | |
885b83ec | 2481 | ## <summary> |
ff8f0a63 | 2482 | ## Domain allowed access. |
885b83ec | 2483 | ## </summary> |
2484 | ## </param> |
2485 | # | |
interface(`userdom_write_user_tmp_sockets',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	# Write (connect-side) access to user sockets under /tmp; the
	# directory is searched but not listed.
	allow $1 user_tmp_t:sock_file write_sock_file_perms;
')
fd89e19f | 2494 | |
2495 | ######################################## |
2496 | ## <summary> | |
296273a7 | 2497 | ## List user temporary directories. |
2498 | ## </summary> |
2499 | ## <param name="domain"> | |
2500 | ## <summary> | |
2501 | ## Domain allowed access. | |
2502 | ## </summary> | |
2503 | ## </param> | |
2504 | # | |
interface(`userdom_list_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	# Directory listing only; file contents are not readable through this.
	allow $1 user_tmp_t:dir list_dir_perms;
')
2513 | ||
2514 | ######################################## |
2515 | ## <summary> | |
2516 | ## Do not audit attempts to list user |
2517 | ## temporary directories. | |
2518 | ## </summary> |
2519 | ## <param name="domain"> | |
2520 | ## <summary> | |
296273a7 | 2521 | ## Domain to not audit. |
2522 | ## </summary> |
2523 | ## </param> | |
2524 | # | |
interface(`userdom_dontaudit_list_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppress listing denials on user temp directories; nothing is allowed.
	dontaudit $1 user_tmp_t:dir list_dir_perms;
')
2532 | ||
2533 | ######################################## |
2534 | ## <summary> | |
2535 | ## Do not audit attempts to manage user |
2536 | ## temporary directories. | |
2537 | ## </summary> |
2538 | ## <param name="domain"> | |
885b83ec | 2539 | ## <summary> |
296273a7 | 2540 | ## Domain to not audit. |
885b83ec | 2541 | ## </summary> |
2542 | ## </param> |
2543 | # | |
interface(`userdom_dontaudit_manage_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	# Create/rename/delete denials on user temp directories are dropped
	# from the audit log; the operations themselves stay denied.
	dontaudit $1 user_tmp_t:dir manage_dir_perms;
')
2551 | ||
4bf4ed9e | 2552 | ######################################## |
ab940a4c | 2553 | ## <summary> |
296273a7 | 2554 | ## Read user temporary files. |
ab940a4c | 2555 | ## </summary> |
414e4151 | 2556 | ## <param name="domain"> |
885b83ec | 2557 | ## <summary> |
725926c5 | 2558 | ## Domain allowed access. |
885b83ec | 2559 | ## </summary> |
414e4151 | 2560 | ## </param> |
4bf4ed9e | 2561 | # |
interface(`userdom_read_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	allow $1 user_tmp_t:dir list_dir_perms;
	# Read-only on user temp files; user_tmp_t is both the directory
	# and the file type here.
	read_files_pattern($1, user_tmp_t, user_tmp_t)
')
2571 | ||
2572 | ######################################## |
2573 | ## <summary> | |
2574 | ## Do not audit attempts to read user |
2575 | ## temporary files. | |
2576 | ## </summary> |
2577 | ## <param name="domain"> | |
885b83ec | 2578 | ## <summary> |
ae9e2716 | 2579 | ## Domain to not audit. |
885b83ec | 2580 | ## </summary> |
2581 | ## </param> |
2582 | # | |
interface(`userdom_dontaudit_read_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Covers reads on inherited descriptors only (read_inherited_file_perms),
	# i.e. the case where the file was handed to $1 already open.
	dontaudit $1 user_tmp_t:file read_inherited_file_perms;
')
2590 | ||
daa0e0b0 | 2591 | ######################################## |
ab940a4c | 2592 | ## <summary> |
2593 | ## Do not audit attempts to append user |
2594 | ## temporary files. | |
ab940a4c | 2595 | ## </summary> |
414e4151 | 2596 | ## <param name="domain"> |
885b83ec | 2597 | ## <summary> |
296273a7 | 2598 | ## Domain to not audit. |
885b83ec | 2599 | ## </summary> |
414e4151 | 2600 | ## </param> |
daa0e0b0 | 2601 | # |
296273a7 | 2602 | interface(`userdom_dontaudit_append_user_tmp_files',`
0404a390 | 2603 | gen_require(`
296273a7 | 2604 | type user_tmp_t;
0404a390 | 2605 | ')
0c73cd25 | 2606 | 
# Suppresses denial records for append attempts only; this grants no
# access. Use userdom_rw_user_tmp_files where the access is wanted.
bf530f53 | 2607 | dontaudit $1 user_tmp_t:file append_file_perms;
daa0e0b0 CP |
2608 | ')
2609 | ||
fc6524d7 CP |
2610 | ######################################## |
2611 | ## <summary> | |
296273a7 | 2612 | ## Read and write user temporary files. |
fc6524d7 CP |
2613 | ## </summary> |
2614 | ## <param name="domain"> | |
885b83ec | 2615 | ## <summary> |
725926c5 | 2616 | ## Domain allowed access. |
885b83ec | 2617 | ## </summary> |
fc6524d7 CP |
2618 | ## </param> |
2619 | # | |
296273a7 | 2620 | interface(`userdom_rw_user_tmp_files',`
fc6524d7 | 2621 | gen_require(`
296273a7 | 2622 | type user_tmp_t;
fc6524d7 CP |
2623 | ')
2624 | ||
# Read and write existing files only: rw_files_pattern carries no create,
# unlink or rename permission, so the caller cannot add or remove entries
# (see userdom_manage_user_tmp_files for that).
296273a7 CP |
2625 | allow $1 user_tmp_t:dir list_dir_perms;
2626 | rw_files_pattern($1, user_tmp_t, user_tmp_t) | |
2627 | files_search_tmp($1) | |
fc6524d7 CP |
2628 | ')
2629 | ||
2630 | ######################################## | |
2631 | ## <summary> | |
296273a7 CP |
2632 | ## Do not audit attempts to manage users'
2633 | ## temporary files. | |
fc6524d7 CP |
2634 | ## </summary> |
2635 | ## <param name="domain"> | |
885b83ec | 2636 | ## <summary> |
296273a7 | 2637 | ## Domain to not audit. |
885b83ec | 2638 | ## </summary> |
fc6524d7 CP |
2639 | ## </param> |
2640 | # | |
296273a7 | 2641 | interface(`userdom_dontaudit_manage_user_tmp_files',`
fc6524d7 | 2642 | gen_require(`
296273a7 | 2643 | type user_tmp_t;
fc6524d7 CP |
2644 | ')
2645 | ||
# Covers the file class only; denials on user_tmp_t directories are still
# audited unless userdom_dontaudit_manage_user_tmp_dirs is used as well.
# No access is granted here.
296273a7 | 2646 | dontaudit $1 user_tmp_t:file manage_file_perms;
fc6524d7 CP |
2647 | ')
2648 | ||
2649 | ######################################## | |
2650 | ## <summary> | |
296273a7 | 2651 | ## Read user temporary symbolic links. |
fc6524d7 CP |
2652 | ## </summary> |
2653 | ## <param name="domain"> | |
885b83ec | 2654 | ## <summary> |
725926c5 | 2655 | ## Domain allowed access. |
885b83ec | 2656 | ## </summary> |
fc6524d7 CP |
2657 | ## </param> |
2658 | # | |
296273a7 | 2659 | interface(`userdom_read_user_tmp_symlinks',`
fc6524d7 | 2660 | gen_require(`
296273a7 | 2661 | type user_tmp_t;
fc6524d7 CP |
2662 | ')
2663 | ||
# Grants read of the symlink itself (lnk_file class). Access to whatever
# the link points to is governed by the rules for the target type.
296273a7 CP |
2664 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2665 | allow $1 user_tmp_t:dir list_dir_perms; | |
2666 | files_search_tmp($1) | |
fc6524d7 CP |
2667 | ')
2668 | ||
784a3bbc CP |
2669 | ######################################## |
2670 | ## <summary> | |
296273a7 CP |
2671 | ## Create, read, write, and delete user |
2672 | ## temporary directories. | |
784a3bbc | 2673 | ## </summary> |
784a3bbc | 2674 | ## <param name="domain"> |
885b83ec | 2675 | ## <summary> |
725926c5 | 2676 | ## Domain allowed access. |
885b83ec | 2677 | ## </summary> |
784a3bbc CP |
2678 | ## </param> |
2679 | # | |
296273a7 | 2680 | interface(`userdom_manage_user_tmp_dirs',`
784a3bbc | 2681 | gen_require(`
296273a7 | 2682 | type user_tmp_t;
784a3bbc CP |
2683 | ')
2684 | ||
# Full directory management under user_tmp_t (create, rename, remove).
# No type transition is declared here, so objects the caller creates
# inherit the label of the parent directory unless
# userdom_user_tmp_filetrans is also applied.
296273a7 CP |
2685 | manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
2686 | files_search_tmp($1) | |
784a3bbc CP |
2687 | ')
2688 | ||
daa0e0b0 | 2689 | ######################################## |
ab940a4c | 2690 | ## <summary> |
296273a7 CP |
2691 | ## Create, read, write, and delete user |
2692 | ## temporary files. | |
ab940a4c CP |
2693 | ## </summary> |
2694 | ## <param name="domain"> | |
885b83ec | 2695 | ## <summary> |
725926c5 | 2696 | ## Domain allowed access. |
885b83ec | 2697 | ## </summary> |
ab940a4c CP |
2698 | ## </param> |
2699 | # | |
296273a7 | 2700 | interface(`userdom_manage_user_tmp_files',`
ab940a4c | 2701 | gen_require(`
296273a7 | 2702 | type user_tmp_t;
ab940a4c CP |
2703 | ')
2704 | ||
# Create, read, write, rename and unlink user_tmp_t files; this also
# grants the directory write access needed to add and remove entries.
296273a7 CP |
2705 | manage_files_pattern($1, user_tmp_t, user_tmp_t)
2706 | files_search_tmp($1) | |
ab940a4c CP |
2707 | ')
2708 | ||
2709 | ######################################## | |
2710 | ## <summary> | |
296273a7 CP |
2711 | ## Create, read, write, and delete user |
2712 | ## temporary symbolic links. | |
ab940a4c | 2713 | ## </summary> |
414e4151 | 2714 | ## <param name="domain"> |
885b83ec | 2715 | ## <summary> |
725926c5 | 2716 | ## Domain allowed access. |
885b83ec | 2717 | ## </summary> |
414e4151 | 2718 | ## </param> |
490639cd | 2719 | # |
296273a7 | 2720 | interface(`userdom_manage_user_tmp_symlinks',`
0404a390 | 2721 | gen_require(`
296273a7 | 2722 | type user_tmp_t;
0404a390 | 2723 | ')
0c73cd25 | 2724 | 
# Full management of user_tmp_t symlinks, including the directory write
# access needed to create and remove them.
296273a7 CP |
2725 | manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2726 | files_search_tmp($1) | |
490639cd CP |
2727 | ')
2728 | ||
4bf4ed9e | 2729 | ######################################## |
ab940a4c | 2730 | ## <summary> |
296273a7 CP |
2731 | ## Create, read, write, and delete user |
2732 | ## temporary named pipes. | |
ab940a4c | 2733 | ## </summary> |
414e4151 | 2734 | ## <param name="domain"> |
885b83ec | 2735 | ## <summary> |
725926c5 | 2736 | ## Domain allowed access. |
885b83ec | 2737 | ## </summary> |
414e4151 | 2738 | ## </param> |
4bf4ed9e | 2739 | # |
296273a7 | 2740 | interface(`userdom_manage_user_tmp_pipes',`
0404a390 | 2741 | gen_require(`
296273a7 | 2742 | type user_tmp_t;
0404a390 | 2743 | ')
0c73cd25 | 2744 | 
# Full management of user_tmp_t named pipes (fifo_file class) plus the
# directory write access needed to create and remove them.
296273a7 CP |
2745 | manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
2746 | files_search_tmp($1) | |
4bf4ed9e CP |
2747 | ')
2748 | ||
0404a390 | 2749 | ######################################## |
ab940a4c | 2750 | ## <summary> |
296273a7 CP |
2751 | ## Create, read, write, and delete user |
2752 | ## temporary named sockets. | |
ab940a4c | 2753 | ## </summary> |
414e4151 | 2754 | ## <param name="domain"> |
885b83ec | 2755 | ## <summary> |
57a96cbd | 2756 | ## Domain allowed access. |
885b83ec | 2757 | ## </summary> |
414e4151 | 2758 | ## </param> |
0404a390 | 2759 | # |
296273a7 CP |
2760 | interface(`userdom_manage_user_tmp_sockets',`
2761 | gen_require(` | |
2762 | type user_tmp_t; | |
2763 | ') | |
2764 | ||
# Full management of user_tmp_t named sockets (sock_file class) plus the
# directory write access needed to create and remove them.
2765 | manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) | |
2766 | files_search_tmp($1) | |
4bf4ed9e CP |
2767 | ')
2768 | ||
4614e83f CP |
2769 | ######################################## |
2770 | ## <summary> | |
296273a7 CP |
2771 | ## Create objects in a user temporary directory |
2772 | ## with an automatic type transition to | |
2773 | ## a specified private type. | |
4614e83f CP |
2774 | ## </summary> |
2775 | ## <param name="domain"> | |
885b83ec | 2776 | ## <summary> |
4614e83f | 2777 | ## Domain allowed access. |
885b83ec | 2778 | ## </summary> |
4614e83f | 2779 | ## </param> |
296273a7 CP |
2780 | ## <param name="private_type"> |
2781 | ## <summary> | |
2782 | ## The type of the object to create. | |
2783 | ## </summary> | |
2784 | ## </param> | |
2785 | ## <param name="object_class"> | |
2786 | ## <summary> | |
2787 | ## The class of the object to be created. | |
2788 | ## </summary> | |
2789 | ## </param> | |
4614e83f | 2790 | # |
296273a7 CP |
2791 | interface(`userdom_user_tmp_filetrans',`
2792 | gen_require(` | |
2793 | type user_tmp_t; | |
2794 | ') | |
2795 | ||
# filetrans_pattern adds the type_transition for the given object class
# in user_tmp_t directories together with the directory write access it
# needs; permissions on the private type itself are expected to be
# granted by the caller elsewhere.
2796 | filetrans_pattern($1, user_tmp_t, $2, $3) | |
2797 | files_search_tmp($1) | |
4614e83f CP |
2798 | ')
2799 | ||
daa0e0b0 | 2800 | ######################################## |
ab940a4c | 2801 | ## <summary> |
296273a7 CP |
2802 | ## Create objects in the temporary directory |
2803 | ## with an automatic type transition to | |
2804 | ## the user temporary type. | |
57a96cbd CP |
2805 | ## </summary> |
2806 | ## <param name="domain"> | |
885b83ec | 2807 | ## <summary> |
57a96cbd | 2808 | ## Domain allowed access. |
885b83ec | 2809 | ## </summary> |
57a96cbd | 2810 | ## </param> |
1c1ac67f | 2811 | ## <param name="object_class"> |
885b83ec | 2812 | ## <summary> |
57a96cbd | 2813 | ## The class of the object to be created. |
885b83ec | 2814 | ## </summary> |
57a96cbd CP |
2815 | ## </param> |
2816 | # | |
296273a7 CP |
2817 | interface(`userdom_tmp_filetrans_user_tmp',`
2818 | gen_require(` | |
2819 | type user_tmp_t; | |
2820 | ') | |
2821 | ||
# Objects of the given class that the caller creates directly under /tmp
# are labelled user_tmp_t. No access to user_tmp_t objects is granted
# here; pair with the userdom_*_user_tmp_* interfaces as needed.
2822 | files_tmp_filetrans($1, user_tmp_t, $2) | |
57a96cbd CP |
2823 | ')
2824 | ||
a9e9678f CP |
2825 | ######################################## |
2826 | ## <summary> | |
2827 | ## Read user tmpfs files. | |
2828 | ## </summary> | |
2829 | ## <param name="domain"> | |
2830 | ## <summary> | |
2831 | ## Domain allowed access. | |
2832 | ## </summary> | |
2833 | ## </param> | |
2834 | # | |
2835 | interface(`userdom_read_user_tmpfs_files',` | |
2836 | gen_require(` | |
2837 | type user_tmpfs_t; | |
2838 | ') | |
2839 | ||
# Read-only access to user_tmpfs_t files and symlinks; fs_search_tmpfs
# provides the search step on the tmpfs filesystem itself.
2840 | read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3eaa9939 | 2841 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
a9e9678f CP |
2842 | allow $1 user_tmpfs_t:dir list_dir_perms;
2843 | fs_search_tmpfs($1) | |
2844 | ') | |
2845 | ||
d4dca585 CP |
2846 | ######################################## |
2847 | ## <summary> | |
3eaa9939 | 2848 | ## Read/Write user tmpfs files. |
d4dca585 CP |
2849 | ## </summary> |
2850 | ## <param name="domain"> | |
885b83ec | 2851 | ## <summary> |
d4dca585 | 2852 | ## Domain allowed access. |
885b83ec | 2853 | ## </summary> |
d4dca585 CP |
2854 | ## </param> |
2855 | # | |
296273a7 CP |
2856 | interface(`userdom_rw_user_tmpfs_files',`
2857 | gen_require(` | |
2858 | type user_tmpfs_t; | |
2859 | ') | |
2860 | ||
# Read/write of existing user_tmpfs_t files (no create or unlink) and
# read of symlinks; fs_search_tmpfs provides the search step on the
# tmpfs filesystem itself.
2861 | rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
2862 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
2863 | allow $1 user_tmpfs_t:dir list_dir_perms; | |
2864 | fs_search_tmpfs($1) | |
d4dca585 CP |
2865 | ')
2866 | ||
d9845ae9 CP |
2867 | ######################################## |
2868 | ## <summary> | |
296273a7 | 2869 | ## Get the attributes of a user domain tty. |
d9845ae9 CP |
2870 | ## </summary> |
2871 | ## <param name="domain"> | |
2872 | ## <summary> | |
2873 | ## Domain allowed access. | |
2874 | ## </summary> | |
2875 | ## </param> | |
2876 | # | |
296273a7 CP |
2877 | interface(`userdom_getattr_user_ttys',`
2878 | gen_require(` | |
2879 | type user_tty_device_t; | |
2880 | ') | |
2881 | ||
# Attribute read (stat) on the user tty device only; no read, write or
# ioctl on the terminal is granted.
bf530f53 | 2882 | allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
d9845ae9 CP |
2883 | ')
2884 | ||
57a96cbd CP |
2885 | ######################################## |
2886 | ## <summary> | |
296273a7 | 2887 | ## Do not audit attempts to get the attributes of a user domain tty. |
57a96cbd CP |
2888 | ## </summary> |
2889 | ## <param name="domain"> | |
885b83ec | 2890 | ## <summary> |
a0546c9d | 2891 | ## Domain to not audit. |
885b83ec | 2892 | ## </summary> |
57a96cbd CP |
2893 | ## </param> |
2894 | # | |
296273a7 CP |
2895 | interface(`userdom_dontaudit_getattr_user_ttys',`
2896 | gen_require(` | |
2897 | type user_tty_device_t; | |
2898 | ') | |
2899 | ||
# Suppresses denial records for stat attempts on the user tty device;
# grants nothing.
bf530f53 | 2900 | dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
57a96cbd CP |
2901 | ')
2902 | ||
d6d16b97 CP |
2903 | ######################################## |
2904 | ## <summary> | |
296273a7 | 2905 | ## Set the attributes of a user domain tty. |
d6d16b97 CP |
2906 | ## </summary> |
2907 | ## <param name="domain"> | |
2908 | ## <summary> | |
2909 | ## Domain allowed access. | |
2910 | ## </summary> | |
2911 | ## </param> | |
2912 | # | |
296273a7 CP |
2913 | interface(`userdom_setattr_user_ttys',`
2914 | gen_require(` | |
2915 | type user_tty_device_t; | |
2916 | ') | |
2917 | ||
# Attribute change (setattr) on the user tty device only; no read or
# write of the terminal is granted.
bf530f53 | 2918 | allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
d6d16b97 CP |
2919 | ')
2920 | ||
165b42d2 CP |
2921 | ######################################## |
2922 | ## <summary> | |
296273a7 | 2923 | ## Do not audit attempts to set the attributes of a user domain tty. |
165b42d2 CP |
2924 | ## </summary> |
2925 | ## <param name="domain"> | |
2926 | ## <summary> | |
a0546c9d | 2927 | ## Domain to not audit. |
165b42d2 CP |
2928 | ## </summary> |
2929 | ## </param> | |
2930 | # | |
296273a7 CP |
2931 | interface(`userdom_dontaudit_setattr_user_ttys',`
2932 | gen_require(` | |
2933 | type user_tty_device_t; | |
2934 | ') | |
2935 | ||
# Suppresses denial records for setattr attempts on the user tty device;
# grants nothing.
bf530f53 | 2936 | dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
165b42d2 CP |
2937 | ')
2938 | ||
d6d16b97 CP |
2939 | ######################################## |
2940 | ## <summary> | |
296273a7 | 2941 | ## Read and write a user domain tty. |
d6d16b97 CP |
2942 | ## </summary> |
2943 | ## <param name="domain"> | |
2944 | ## <summary> | |
2945 | ## Domain allowed access. | |
2946 | ## </summary> | |
2947 | ## </param> | |
2948 | # | |
296273a7 CP |
2949 | interface(`userdom_use_user_ttys',`
2950 | gen_require(` | |
2951 | type user_tty_device_t; | |
2952 | ') | |
2953 | ||
# rw_term_perms is the full terminal set, so the domain may open the user
# tty device itself rather than only use a descriptor handed down from
# its parent (compare userdom_use_inherited_user_ttys).
2954 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
d6d16b97 CP |
2955 | ')
2956 | ||
af2d8802 MG |
2957 | ######################################## |
2958 | ## <summary> | |
2959 | ## Read and write an inherited user domain tty. | |
2960 | ## </summary> | |
2961 | ## <param name="domain"> | |
2962 | ## <summary> | |
2963 | ## Domain allowed access. | |
2964 | ## </summary> | |
2965 | ## </param> | |
2966 | # | |
2967 | interface(`userdom_use_inherited_user_ttys',` | |
2968 | gen_require(` | |
2969 | type user_tty_device_t; | |
2970 | ') | |
2971 | ||
# Intended for a descriptor handed down from the parent process: the
# inherited permission set lets the domain read and write the terminal
# without granting it the ability to open the device on its own.
2972 | allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; | |
2973 | ') | |
2974 | ||
57a96cbd CP |
2975 | ######################################## |
2976 | ## <summary> | |
296273a7 | 2977 | ## Read and write a user domain pty. |
57a96cbd CP |
2978 | ## </summary> |
2979 | ## <param name="domain"> | |
885b83ec | 2980 | ## <summary> |
57a96cbd | 2981 | ## Domain allowed access. |
885b83ec | 2982 | ## </summary> |
57a96cbd CP |
2983 | ## </param> |
2984 | # | |
296273a7 CP |
2985 | interface(`userdom_use_user_ptys',`
2986 | gen_require(` | |
2987 | type user_devpts_t; | |
2988 | ') | |
2989 | ||
# rw_term_perms is the full terminal set, so the domain may open the user
# pty itself rather than only use a descriptor handed down from its
# parent (compare userdom_use_inherited_user_ptys).
2990 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
2991 | ')
2992 | ||
d6d16b97 CP |
2993 | ######################################## |
2994 | ## <summary> | |
af2d8802 MG |
2995 | ## Read and write an inherited user domain pty.
2996 | ## </summary> | |
2997 | ## <param name="domain"> | |
2998 | ## <summary> | |
2999 | ## Domain allowed access. | |
3000 | ## </summary> | |
3001 | ## </param> | |
3002 | # | |
3003 | interface(`userdom_use_inherited_user_ptys',` | |
3004 | gen_require(` | |
3005 | type user_devpts_t; | |
3006 | ') | |
3007 | ||
# Intended for a descriptor handed down from the parent process: the
# inherited permission set lets the domain read and write the pty
# without granting it the ability to open the device on its own.
3008 | allow $1 user_devpts_t:chr_file rw_inherited_term_perms; | |
3009 | ') | |
3010 | ||
57a96cbd | 3011 | ######################################## |
af2d8802 MG |
3012 | ## <summary> |
3013 | ## Read and write inherited user TTYs and PTYs. | |
d6d16b97 | 3014 | ## </summary> |
c46376e6 CP |
3015 | ## <desc> |
3016 | ## <p> | |
af2d8802 | 3017 | ## Allow the specified domain to read and write inherited user |
c46376e6 CP |
3018 | ## TTYs and PTYs. This will allow the domain to |
3019 | ## interact with the user via the terminal. Typically | |
3020 | ## all interactive applications will require this | |
3021 | ## access. | |
3022 | ## </p> | |
c46376e6 | 3023 | ## </desc> |
d6d16b97 CP |
3024 | ## <param name="domain"> |
3025 | ## <summary> | |
3026 | ## Domain allowed access. | |
3027 | ## </summary> | |
3028 | ## </param> | |
c46376e6 | 3029 | ## <infoflow type="both" weight="10"/> |
d6d16b97 | 3030 | # |
af2d8802 | 3031 | interface(`userdom_use_inherited_user_terminals',`
296273a7 CP |
3032 | gen_require(`
3033 | type user_tty_device_t, user_devpts_t; | |
3034 | ') | |
3035 | ||
# Both terminal device types with the inherited permission set; this is
# what an interactive program started from a user session needs to talk
# to the terminal it was given, without being able to open terminals of
# its own.
af2d8802 MG |
3036 | allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3037 | allow $1 user_devpts_t:chr_file rw_inherited_term_perms; | |
3038 | ') | |
3039 | ||
35afb663 MG |
3040 | ######################################## | |
3041 | ## <summary> | |
3042 | ## Read and write | |
3043 | ## a user domain tty and pty. | |
3044 | ## </summary> | |
3045 | ## <param name="domain"> | |
3046 | ## <summary> | |
3047 | ## Domain allowed access. | |
3048 | ## </summary> | |
3049 | ## </param> | |
3050 | # | |
3051 | interface(`userdom_use_user_terminals',` | |
3052 | gen_require(` | |
3053 | type user_tty_device_t, user_devpts_t; | |
3054 | ') | |
3055 | ||
# Unlike userdom_use_inherited_user_terminals this uses rw_term_perms,
# so the domain can open the user tty and pty devices itself rather than
# only use a descriptor it inherited.
3056 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
3057 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
d6d16b97 CP |
3058 | ')
3059 | ||
57a96cbd CP |
3060 | ######################################## |
3061 | ## <summary> | |
296273a7 CP |
3062 | ## Do not audit attempts to read and write |
3063 | ## a user domain tty and pty. | |
57a96cbd CP |
3064 | ## </summary> |
3065 | ## <param name="domain"> | |
885b83ec | 3066 | ## <summary> |
a0546c9d | 3067 | ## Domain to not audit. |
885b83ec | 3068 | ## </summary> |
57a96cbd CP |
3069 | ## </param> |
3070 | # | |
296273a7 CP |
3071 | interface(`userdom_dontaudit_use_user_terminals',`
3072 | gen_require(` | |
3073 | type user_tty_device_t, user_devpts_t; | |
3074 | ') | |
3075 | ||
# Suppresses denial records for read/write attempts on both user terminal
# device types; grants nothing.
3076 | dontaudit $1 user_tty_device_t:chr_file rw_term_perms; | |
3077 | dontaudit $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
3078 | ')
3079 | ||
3080 | ######################################## | |
3081 | ## <summary> | |
296273a7 CP |
3082 | ## Execute a shell in all user domains. This |
3083 | ## is an explicit transition, requiring the | |
3084 | ## caller to use setexeccon(). | |
57a96cbd CP |
3085 | ## </summary> |
3086 | ## <param name="domain"> | |
885b83ec | 3087 | ## <summary> |
a0546c9d | 3088 | ## Domain allowed to transition. |
885b83ec | 3089 | ## </summary> |
57a96cbd CP |
3090 | ## </param> |
3091 | # | |
296273a7 CP |
3092 | interface(`userdom_spec_domtrans_all_users',`
3093 | gen_require(` | |
3094 | attribute userdomain; | |
3095 | ') | |
3096 | ||
# A "spec" transition: no type_transition rule is added, the caller must
# request the new context with setexeccon(). The three allow rules let
# the resulting user domain inherit the descriptors of the caller, use
# its pipe and send SIGCHLD back to it.
3f67f722 | 3097 | corecmd_shell_spec_domtrans($1, userdomain)
296273a7 CP |
3098 | allow userdomain $1:fd use;
3099 | allow userdomain $1:fifo_file rw_file_perms; | |
3100 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
3101 | ')
3102 | ||
3103 | ######################################## | |
3104 | ## <summary> | |
296273a7 CP |
3105 | ## Execute an Xserver session in all user domains. This
3106 | ## is an explicit transition, requiring the | |
3107 | ## caller to use setexeccon(). | |
57a96cbd CP |
3108 | ## </summary> |
3109 | ## <param name="domain"> | |
885b83ec | 3110 | ## <summary> |
a0546c9d | 3111 | ## Domain allowed to transition. |
885b83ec | 3112 | ## </summary> |
57a96cbd CP |
3113 | ## </param> |
3114 | # | |
296273a7 CP |
3115 | interface(`userdom_xsession_spec_domtrans_all_users',`
3116 | gen_require(` | |
3117 | attribute userdomain; | |
3118 | ') | |
3119 | ||
# Explicit (setexeccon) transition into any user domain through the
# xsession entrypoint; no automatic type_transition is added. The allow
# rules let the new user domain inherit the descriptors of the caller,
# use its pipe and send SIGCHLD back to it.
3f67f722 | 3120 | xserver_xsession_spec_domtrans($1, userdomain)
296273a7 CP |
3121 | allow userdomain $1:fd use;
3122 | allow userdomain $1:fifo_file rw_file_perms; | |
3123 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
3124 | ')
3125 | ||
e08118a5 CP |
3126 | ######################################## |
3127 | ## <summary> | |
296273a7 CP |
3128 | ## Execute a shell in all unprivileged user domains. This |
3129 | ## is an explicit transition, requiring the | |
3130 | ## caller to use setexeccon(). | |
e08118a5 CP |
3131 | ## </summary> |
3132 | ## <param name="domain"> | |
885b83ec | 3133 | ## <summary> |
a0546c9d | 3134 | ## Domain allowed to transition. |
885b83ec | 3135 | ## </summary> |
e08118a5 CP |
3136 | ## </param> |
3137 | # | |
296273a7 | 3138 | interface(`userdom_spec_domtrans_unpriv_users',`
e08118a5 | 3139 | gen_require(`
296273a7 | 3140 | attribute unpriv_userdomain;
e08118a5 CP |
3141 | ')
3142 | ||
# Same shape as userdom_spec_domtrans_all_users but restricted to the
# unpriv_userdomain attribute: the caller must set the target context
# with setexeccon(), and the new domain may inherit the descriptors of
# the caller, use its pipe and send SIGCHLD back.
3f67f722 | 3143 | corecmd_shell_spec_domtrans($1, unpriv_userdomain)
296273a7 CP |
3144 | allow unpriv_userdomain $1:fd use;
3145 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3146 | allow unpriv_userdomain $1:process sigchld; | |
e08118a5 CP |
3147 | ')
3148 | ||
d4dca585 CP |
3149 | ######################################## |
3150 | ## <summary> | |
296273a7 CP |
3151 | ## Execute an Xserver session in all unprivileged user domains. This |
3152 | ## is an explicit transition, requiring the | |
3153 | ## caller to use setexeccon(). | |
d4dca585 CP |
3154 | ## </summary> |
3155 | ## <param name="domain"> | |
885b83ec | 3156 | ## <summary> |
a0546c9d | 3157 | ## Domain allowed to transition. |
885b83ec | 3158 | ## </summary> |
d4dca585 CP |
3159 | ## </param> |
3160 | # | |
296273a7 | 3161 | interface(`userdom_xsession_spec_domtrans_unpriv_users',`
d4dca585 | 3162 | gen_require(`
296273a7 | 3163 | attribute unpriv_userdomain;
d4dca585 CP |
3164 | ')
3165 | ||
# Explicit (setexeccon) transition into an unprivileged user domain via
# the xsession entrypoint; no automatic type_transition is added. The
# allow rules let the new domain inherit the descriptors of the caller,
# use its pipe and send SIGCHLD back.
3f67f722 | 3166 | xserver_xsession_spec_domtrans($1, unpriv_userdomain)
296273a7 CP |
3167 | allow unpriv_userdomain $1:fd use;
3168 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3169 | allow unpriv_userdomain $1:process sigchld; | |
d4dca585 CP |
3170 | ')
3171 | ||
6f8cda96 CP |
3172 | ######################################## |
3173 | ## <summary> | |
296273a7 | 3174 | ## Manage unpriviledged user SysV sempaphores. |
6f8cda96 CP |
3175 | ## </summary> |
3176 | ## <param name="domain"> | |
3177 | ## <summary> | |
3178 | ## Domain allowed access. | |
3179 | ## </summary> | |
3180 | ## </param> | |
3181 | # | |
296273a7 | 3182 | interface(`userdom_manage_unpriv_user_semaphores',`
6f8cda96 | 3183 | gen_require(`
296273a7 | 3184 | attribute unpriv_userdomain;
6f8cda96 CP |
3185 | ')
3186 | ||
# The target is the unpriv_userdomain attribute, so this grants semaphore
# management over the SysV semaphores of every unprivileged user at once,
# not those of a single user.
296273a7 | 3187 | allow $1 unpriv_userdomain:sem create_sem_perms;
6f8cda96 CP |
3188 | ')
3189 | ||
3190 | ######################################## | |
3191 | ## <summary> | |
296273a7 CP |
3192 | ## Manage unprivileged user SysV shared
3193 | ## memory segments. | |
6f8cda96 CP |
3194 | ## </summary> |
3195 | ## <param name="domain"> | |
3196 | ## <summary> | |
3197 | ## Domain allowed access. | |
3198 | ## </summary> | |
3199 | ## </param> | |
3200 | # | |
296273a7 | 3201 | interface(`userdom_manage_unpriv_user_shared_mem',`
6f8cda96 | 3202 | gen_require(`
296273a7 | 3203 | attribute unpriv_userdomain;
6f8cda96 CP |
3204 | ')
3205 | ||
# The target is the unpriv_userdomain attribute, so this grants shared
# memory management over the SysV segments of every unprivileged user at
# once, not those of a single user.
296273a7 | 3206 | allow $1 unpriv_userdomain:shm create_shm_perms;
6f8cda96 CP |
3207 | ')
3208 | ||
43989f82 CP |
3209 | ######################################## |
3210 | ## <summary> | |
296273a7 CP |
3211 | ## Execute bin_t in the unprivileged user domains. This |
3212 | ## is an explicit transition, requiring the | |
3213 | ## caller to use setexeccon(). | |
43989f82 CP |
3214 | ## </summary> |
3215 | ## <param name="domain"> | |
885b83ec | 3216 | ## <summary> |
a0546c9d | 3217 | ## Domain allowed to transition. |
885b83ec | 3218 | ## </summary> |
43989f82 CP |
3219 | ## </param> |
3220 | # | |
296273a7 | 3221 | interface(`userdom_bin_spec_domtrans_unpriv_users',`
43989f82 | 3222 | gen_require(`
296273a7 | 3223 | attribute unpriv_userdomain;
43989f82 CP |
3224 | ')
3225 | ||
# Explicit (setexeccon) transition into an unprivileged user domain via
# bin_t executables; no automatic type_transition is added. The allow
# rules let the new domain inherit the descriptors of the caller, use
# its pipe and send SIGCHLD back.
3f67f722 | 3226 | corecmd_bin_spec_domtrans($1, unpriv_userdomain)
296273a7 CP |
3227 | allow unpriv_userdomain $1:fd use;
3228 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3229 | allow unpriv_userdomain $1:process sigchld; | |
725926c5 CP |
3230 | ')
3231 | ||
6820a398 CP |
3232 | ######################################## |
3233 | ## <summary> | |
296273a7 CP |
3234 | ## Execute all entrypoint files in unprivileged user |
3235 | ## domains. This is an explicit transition, requiring the | |
3236 | ## caller to use setexeccon(). | |
6820a398 CP |
3237 | ## </summary> |
3238 | ## <param name="domain"> | |
885b83ec | 3239 | ## <summary> |
6820a398 | 3240 | ## Domain allowed access. |
885b83ec | 3241 | ## </summary> |
6820a398 CP |
3242 | ## </param> |
3243 | # | |
296273a7 | 3244 | interface(`userdom_entry_spec_domtrans_unpriv_users',`
350b6ab7 | 3245 | gen_require(`
296273a7 | 3246 | attribute unpriv_userdomain;
6820a398 | 3247 | ')
350b6ab7 | 3248 | 
# Same shape as userdom_spec_domtrans_unpriv_users but for every
# entrypoint file of the unprivileged user domains. Note this interface
# uses the class-specific rw_fifo_file_perms where the sibling spec
# domtrans interfaces use rw_file_perms on fifo_file.
3f67f722 | 3249 | domain_entry_file_spec_domtrans($1, unpriv_userdomain)
296273a7 | 3250 | allow unpriv_userdomain $1:fd use;
3eaa9939 | 3251 | allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
296273a7 | 3252 | allow unpriv_userdomain $1:process sigchld;
6820a398 CP |
3253 | ')
3254 | ||
1504ff3e CP |
3255 | ######################################## |
3256 | ## <summary> | |
296273a7 | 3257 | ## Search users home directories. |
1504ff3e CP |
3258 | ## </summary> |
3259 | ## <param name="domain"> | |
885b83ec | 3260 | ## <summary> |
296273a7 | 3261 | ## Domain allowed access. |
885b83ec | 3262 | ## </summary> |
1504ff3e CP |
3263 | ## </param> |
3264 | # | |
296273a7 | 3265 | interface(`userdom_search_user_home_content',`
350b6ab7 | 3266 | gen_require(`
3eaa9939 DW |
3267 | type user_home_dir_t;
3268 | attribute user_home_type; | |
1504ff3e | 3269 | ')
350b6ab7 | 3270 | 
# Traversal only: search_dir_perms allows path lookup through home
# directories and their content but not listing them (no read on the
# dir class). Symlinks may be read so lookups through them resolve.
296273a7 | 3271 | files_list_home($1)
3eaa9939 DW |
3272 | allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
3273 | allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; | |
1504ff3e CP |
3274 | ')
3275 | ||
f6abfdb8 CP |
3276 | ######################################## |
3277 | ## <summary> | |
296273a7 | 3278 | ## Send general signals to unprivileged user domains. |
f6abfdb8 CP |
3279 | ## </summary> |
3280 | ## <param name="domain"> | |
885b83ec | 3281 | ## <summary> |
f6abfdb8 | 3282 | ## Domain allowed access. |
885b83ec | 3283 | ## </summary> |
f6abfdb8 CP |
3284 | ## </param> |
3285 | # | |
296273a7 | 3286 | interface(`userdom_signal_unpriv_users',`
f6abfdb8 | 3287 | gen_require(`
296273a7 | 3288 | attribute unpriv_userdomain;
f6abfdb8 CP |
3289 | ')
3290 | ||
# Only the generic signal permission: sigkill, sigstop and sigchld are
# separate permissions in the process class and are not granted here.
296273a7 | 3291 | allow $1 unpriv_userdomain:process signal;
f6abfdb8 CP |
3292 | ')
3293 | ||
3294 | ######################################## | |
3295 | ## <summary> | |
296273a7 | 3296 | ## Inherit the file descriptors from unprivileged user domains. |
f6abfdb8 CP |
3297 | ## </summary> |
3298 | ## <param name="domain"> | |
885b83ec | 3299 | ## <summary> |
f6abfdb8 | 3300 | ## Domain allowed access. |
885b83ec | 3301 | ## </summary> |
f6abfdb8 CP |
3302 | ## </param> |
3303 | # | |
296273a7 | 3304 | interface(`userdom_use_unpriv_users_fds',`
f6abfdb8 | 3305 | gen_require(`
296273a7 | 3306 | attribute unpriv_userdomain;
f6abfdb8 CP |
3307 | ')
3308 | ||
# fd use only: the domain may keep using descriptors opened by an
# unprivileged user domain; what it may do with them is still governed
# by the rules for the object behind each descriptor.
296273a7 | 3309 | allow $1 unpriv_userdomain:fd use;
f6abfdb8 CP |
3310 | ')
3311 | ||
725926c5 CP |
3312 | ######################################## |
3313 | ## <summary> | |
c46376e6 CP |
3314 | ## Do not audit attempts to inherit the file descriptors |
3315 | ## from unprivileged user domains. | |
725926c5 | 3316 | ## </summary> |
c46376e6 CP |
3317 | ## <desc> |
3318 | ## <p> | |
3319 | ## Do not audit attempts to inherit the file descriptors | |
3320 | ## from unprivileged user domains. This will suppress | |
3321 | ## SELinux denial messages when the specified domain is denied | |
3322 | ## the permission to inherit these file descriptors. | |
3323 | ## </p> | |
3324 | ## </desc> | |
725926c5 | 3325 | ## <param name="domain"> |
885b83ec | 3326 | ## <summary> |
c46376e6 | 3327 | ## Domain to not audit. |
885b83ec | 3328 | ## </summary> |
725926c5 | 3329 | ## </param> |
c46376e6 | 3330 | ## <infoflow type="none"/> |
725926c5 | 3331 | # |
296273a7 | 3332 | interface(`userdom_dontaudit_use_unpriv_user_fds',`
350b6ab7 | 3333 | gen_require(`
296273a7 | 3334 | attribute unpriv_userdomain;
725926c5 | 3335 | ')
350b6ab7 | 3336 | 
# Suppresses the denial record for fd use on descriptors leaked from
# unprivileged user domains; grants nothing.
296273a7 | 3337 | dontaudit $1 unpriv_userdomain:fd use;
43989f82 CP |
3338 | ')
3339 | ||
3340 | ######################################## | |
3341 | ## <summary> | |
296273a7 | 3342 | ## Do not audit attempts to use user ptys. |
43989f82 CP |
3343 | ## </summary> |
3344 | ## <param name="domain"> | |
885b83ec | 3345 | ## <summary> |
296273a7 | 3346 | ## Domain to not audit. |
885b83ec | 3347 | ## </summary> |
43989f82 CP |
3348 | ## </param> |
3349 | # | |
296273a7 | 3350 | interface(`userdom_dontaudit_use_user_ptys',`
350b6ab7 | 3351 | gen_require(`
296273a7 | 3352 | type user_devpts_t;
725926c5 | 3353 | ')
350b6ab7 | 3354 | 
# rw_inherited_file_perms does not include open, so only use of an
# already-open pty descriptor is silenced; an attempt to open a user pty
# is still audited. The sibling userdom_dontaudit_use_user_ttys uses
# rw_file_perms (which includes open) instead, so the two do not mirror
# each other. Grants nothing.
f5b49a5e | 3355 | dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
43989f82 CP |
3356 | ')
3357 | ||
3358 | ######################################## | |
3359 | ## <summary> | |
296273a7 | 3360 | ## Relabel files to unprivileged user pty types. |
43989f82 CP |
3361 | ## </summary> |
3362 | ## <param name="domain"> | |
885b83ec | 3363 | ## <summary> |
43989f82 | 3364 | ## Domain allowed access. |
885b83ec | 3365 | ## </summary> |
43989f82 CP |
3366 | ## </param> |
3367 | # | |
296273a7 | 3368 | interface(`userdom_relabelto_user_ptys',`
350b6ab7 | 3369 | gen_require(`
296273a7 | 3370 | type user_devpts_t;
725926c5 | 3371 | ')
350b6ab7 | 3372 | 
# relabelto only; relabelfrom on the current label of the pty is a
# separate permission that must come from the rules for that type.
296273a7 | 3373 | allow $1 user_devpts_t:chr_file relabelto;
43989f82 CP |
3374 | ')
3375 | ||
57a96cbd CP |
3376 | ######################################## |
3377 | ## <summary> | |
296273a7 CP |
3378 | ## Do not audit attempts to relabel files from |
3379 | ## user pty types. | |
ab940a4c | 3380 | ## </summary> |
414e4151 | 3381 | ## <param name="domain"> |
885b83ec | 3382 | ## <summary> |
a0546c9d | 3383 | ## Domain to not audit. |
885b83ec | 3384 | ## </summary> |
414e4151 | 3385 | ## </param> |
daa0e0b0 | 3386 | # |
296273a7 | 3387 | interface(`userdom_dontaudit_relabelfrom_user_ptys',`
0404a390 | 3388 | gen_require(`
296273a7 | 3389 | type user_devpts_t;
0404a390 | 3390 | ')
0c73cd25 | 3391 | 
# Suppresses denial records for relabelfrom on user ptys; grants nothing.
296273a7 | 3392 | dontaudit $1 user_devpts_t:chr_file relabelfrom;
daa0e0b0 CP |
3393 | ')
3394 | ||
693d4aed CP |
3395 | ######################################## |
3396 | ## <summary> | |
296273a7 | 3397 | ## Write all users files in /tmp |
693d4aed CP |
3398 | ## </summary> |
3399 | ## <param name="domain"> | |
3400 | ## <summary> | |
3401 | ## Domain allowed access. | |
3402 | ## </summary> | |
3403 | ## </param> | |
3404 | # | |
296273a7 | 3405 | interface(`userdom_write_user_tmp_files',`
350b6ab7 | 3406 | gen_require(`
296273a7 | 3407 | type user_tmp_t;
693d4aed | 3408 | ')
350b6ab7 | 3409 | 
# write_files_pattern grants write (no read) on user_tmp_t files plus
# search on the user_tmp_t directory. Unlike the other user_tmp_t
# interfaces in this file it does not call files_search_tmp, so the
# caller needs the search step through /tmp from elsewhere.
3eaa9939 DW |
3410 | write_files_pattern($1, user_tmp_t, user_tmp_t)
3411 | ') | |
3412 | ||
3413 | ######################################## | |
3414 | ## <summary> | |
3415 | ## Do not audit attempts to write users' | |
3416 | ## temporary files. | |
3417 | ## </summary> | |
3418 | ## <param name="domain"> | |
3419 | ## <summary> | |
3420 | ## Domain to not audit. | |
3421 | ## </summary> | |
3422 | ## </param> | |
3423 | # | |
3424 | interface(`userdom_dontaudit_write_user_tmp_files',` | |
3425 | gen_require(` | |
3426 | type user_tmp_t; | |
3427 | ') | |
3428 | ||
# Only the bare write permission is silenced (not open or append);
# grants nothing.
3429 | dontaudit $1 user_tmp_t:file write; | |
3430 | ') | |
3431 | ||
3432 | ######################################## | |
3433 | ## <summary> | |
3434 | ## Do not audit attempts to read/write users' | |
3435 | ## temporary fifo files. | |
3436 | ## </summary> | |
3437 | ## <param name="domain"> | |
3438 | ## <summary> | |
3439 | ## Domain to not audit. | |
3440 | ## </summary> | |
3441 | ## </param> | |
3442 | # | |
3443 | interface(`userdom_dontaudit_rw_user_tmp_pipes',` | |
3444 | gen_require(` | |
3445 | type user_tmp_t; | |
3446 | ') | |
3447 | ||
# Inherited fifo permission set: silences read/write on an already-open
# pipe only; denials for opening a user_tmp_t pipe remain audited.
# Grants nothing.
3448 | dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; | |
693d4aed CP |
3449 | ')
3450 | ||
ebdc3b79 CP |
3451 | ######################################## |
3452 | ## <summary> | |
296273a7 | 3453 | ## Do not audit attempts to use user ttys. |
ebdc3b79 CP |
3454 | ## </summary> |
3455 | ## <param name="domain"> | |
885b83ec | 3456 | ## <summary> |
a0546c9d | 3457 | ## Domain to not audit. |
885b83ec | 3458 | ## </summary> |
ebdc3b79 CP |
3459 | ## </param> |
3460 | # | |
296273a7 | 3461 | interface(`userdom_dontaudit_use_user_ttys',` |
350b6ab7 | 3462 | gen_require(` |
296273a7 | 3463 | type user_tty_device_t; |
9cc2ccc4 | 3464 | ') |
350b6ab7 | 3465 | |
# Hides denials for reading/writing user ttys (typically a program that
# inherited a user's terminal); the access itself remains denied.
296273a7 | 3466 | dontaudit $1 user_tty_device_t:chr_file rw_file_perms; |
ebdc3b79 | 3467 | ') |
c98340cf | 3468 | |
2629c659 CP |
3469 | ######################################## |
3470 | ## <summary> | |
3471 | ## Read the process state of all user domains. | |
3472 | ## </summary> | |
3473 | ## <param name="domain"> | |
885b83ec | 3474 | ## <summary> |
2629c659 | 3475 | ## Domain allowed access. |
885b83ec | 3476 | ## </summary> |
2629c659 CP |
3477 | ## </param> |
3478 | # | |
1815bad1 | 3479 | interface(`userdom_read_all_users_state',` |
2629c659 CP |
3480 | gen_require(` |
3481 | attribute userdomain; | |
3482 | ') | |
3483 | ||
# userdomain is the attribute carried by every user domain, so $1 gets read
# access to the process state of all users' processes (their /proc entries),
# not of one user. kernel_search_proc supplies the /proc directory traversal.
3f67f722 | 3484 | read_files_pattern($1, userdomain, userdomain) |
3eaa9939 | 3485 | read_lnk_files_pattern($1,userdomain,userdomain) |
2629c659 CP |
3486 | kernel_search_proc($1) |
3487 | ') | |
3488 | ||
3489 | ######################################## | |
3490 | ## <summary> | |
3491 | ## Get the attributes of all user domains. | |
3492 | ## </summary> | |
3493 | ## <param name="domain"> | |
885b83ec | 3494 | ## <summary> |
2629c659 | 3495 | ## Domain allowed access. |
885b83ec | 3496 | ## </summary> |
2629c659 CP |
3497 | ## </param> |
3498 | # | |
15722ec9 | 3499 | interface(`userdom_getattr_all_users',` |
2629c659 CP |
3500 | gen_require(` |
3501 | attribute userdomain; | |
3502 | ') | |
3503 | ||
# process getattr only (e.g. querying another process' security context);
# no signalling and no access to process state files.
3504 | allow $1 userdomain:process getattr; | |
3505 | ') | |
3506 | ||
57a96cbd CP |
3507 | ######################################## |
3508 | ## <summary> | |
3509 | ## Inherit the file descriptors from all user domains. | |
3510 | ## </summary> | |
3511 | ## <param name="domain"> | |
885b83ec | 3512 | ## <summary> |
725926c5 | 3513 | ## Domain allowed access. |
885b83ec | 3514 | ## </summary> |
57a96cbd CP |
3515 | ## </param> |
3516 | # | |
15722ec9 | 3517 | interface(`userdom_use_all_users_fds',` |
57a96cbd CP |
3518 | gen_require(` |
3519 | attribute userdomain; | |
57a96cbd CP |
3520 | ') |
3521 | ||
# fd use lets $1 keep using descriptors inherited from (or passed by) any user
# domain; access to the object behind each descriptor is checked separately.
3522 | allow $1 userdomain:fd use; | |
3523 | ') | |
3524 | ||
3525 | ######################################## | |
eb3cb682 CP |
3526 | ## <summary> |
3527 | ## Do not audit attempts to inherit the file | |
3528 | ## descriptors from any user domains. | |
3529 | ## </summary> | |
3530 | ## <param name="domain"> | |
885b83ec | 3531 | ## <summary> |
eb3cb682 | 3532 | ## Domain to not audit. |
885b83ec | 3533 | ## </summary> |
eb3cb682 CP |
3534 | ## </param> |
3535 | # | |
15722ec9 | 3536 | interface(`userdom_dontaudit_use_all_users_fds',` |
eb3cb682 CP |
3537 | gen_require(` |
3538 | attribute userdomain; | |
eb3cb682 CP |
3539 | ') |
3540 | ||
# Suppresses the denial when $1 is handed a user domain's descriptor it is not
# allowed to use (common for daemons started from a user session); nothing is
# granted.
3541 | dontaudit $1 userdomain:fd use; | |
3542 | ') | |
3543 | ||
3544 | ######################################## | |
57a96cbd CP |
3545 | ## <summary> |
3546 | ## Send general signals to all user domains. | |
3547 | ## </summary> | |
3548 | ## <param name="domain"> | |
885b83ec | 3549 | ## <summary> |
725926c5 | 3550 | ## Domain allowed access. |
885b83ec | 3551 | ## </summary> |
57a96cbd CP |
3552 | ## </param> |
3553 | # | |
3554 | interface(`userdom_signal_all_users',` | |
3555 | gen_require(` | |
3556 | attribute userdomain; | |
57a96cbd CP |
3557 | ') |
3558 | ||
# signal is the generic-signal permission; SIGKILL and SIGCHLD have their own
# permissions and their own interfaces in this file (userdom_kill_all_users,
# userdom_sigchld_all_users).
3559 | allow $1 userdomain:process signal; | |
3560 | ') | |
3561 | ||
4f115e10 DW |
3562 | ######################################## |
3563 | ## <summary> | |
3564 | ## Send kill signals to all user domains. | |
3565 | ## </summary> | |
3566 | ## <param name="domain"> | |
3567 | ## <summary> | |
3568 | ## Domain allowed access. | |
3569 | ## </summary> | |
3570 | ## </param> | |
3571 | # | |
3572 | interface(`userdom_kill_all_users',` | |
3573 | gen_require(` | |
3574 | attribute userdomain; | |
3575 | ') | |
3576 | ||
# sigkill over every user domain: $1 can terminate any user's processes.
# This is a powerful rule; review each caller that pulls it in.
3577 | allow $1 userdomain:process sigkill; | |
3578 | ') | |
3579 | ||
246839f3 CP |
3580 | ######################################## |
3581 | ## <summary> | |
3582 | ## Send a SIGCHLD signal to all user domains. | |
3583 | ## </summary> | |
3584 | ## <param name="domain"> | |
885b83ec | 3585 | ## <summary> |
246839f3 | 3586 | ## Domain allowed access. |
885b83ec | 3587 | ## </summary> |
246839f3 CP |
3588 | ## </param> |
3589 | # | |
9fd4b818 | 3590 | interface(`userdom_sigchld_all_users',` |
246839f3 CP |
3591 | gen_require(` |
3592 | attribute userdomain; | |
246839f3 CP |
3593 | ') |
3594 | ||
# sigchld is what a child needs to notify its parent on exit; needed when a
# process in a user domain spawns $1.
a1fcff33 | 3595 | allow $1 userdomain:process sigchld; |
246839f3 CP |
3596 | ') |
3597 | ||
fe3a1eb8 CP |
3598 | ######################################## |
3599 | ## <summary> | |
3600 | ## Create keys for all user domains. | |
3601 | ## </summary> | |
3602 | ## <param name="domain"> | |
3603 | ## <summary> | |
3604 | ## Domain allowed access. | |
3605 | ## </summary> | |
3606 | ## </param> | |
3607 | # | |
3608 | interface(`userdom_create_all_users_keys',` | |
350b6ab7 CP |
3609 | gen_require(` |
3610 | attribute userdomain; | |
fe3a1eb8 | 3611 | ') |
350b6ab7 CP |
3612 | |
# key create only, on kernel keyring keys owned by any user domain; reading,
# writing and linking keys is the (much broader) userdom_manage_all_users_keys.
3613 | allow $1 userdomain:key create; | |
fe3a1eb8 CP |
3614 | ') |
3615 | ||
9fd4b818 CP |
3616 | ######################################## |
3617 | ## <summary> | |
3618 | ## Send a dbus message to all user domains. | |
3619 | ## </summary> | |
3620 | ## <param name="domain"> | |
885b83ec | 3621 | ## <summary> |
9fd4b818 | 3622 | ## Domain allowed access. |
885b83ec | 3623 | ## </summary> |
9fd4b818 CP |
3624 | ## </param> |
3625 | # | |
3626 | interface(`userdom_dbus_send_all_users',` | |
3627 | gen_require(` | |
3628 | attribute userdomain; | |
3629 | class dbus send_msg; | |
3630 | ') | |
3631 | ||
# One-way: $1 may send D-Bus messages to any user domain. Replies require the
# reverse send_msg rule on the receiving side.
3632 | allow $1 userdomain:dbus send_msg; | |
3633 | ') | |
3eaa9939 DW |
3634 | |
3635 | ######################################## | |
3636 | ## <summary> | |
3637 | ## Allow resource limits to be inherited (rlimitinh) across a transition into a user domain. | |
3638 | ## </summary> | |
3639 | ## <param name="domain"> | |
3640 | ## <summary> | |
3641 | ## Domain allowed access. | |
3642 | ## </summary> | |
3643 | ## </param> | |
3644 | # | |
3645 | interface(`userdom_set_rlimitnh',` | |
3646 | gen_require(` | |
3647 | attribute userdomain; | |
3648 | ') | |
3649 | ||
# NOTE(review): the interface name misspells the permission (rlimitinh); it
# cannot be renamed without breaking existing callers. rlimitinh is checked at
# exec time when a process of $1 transitions into a user domain and, if
# allowed, lets the new process keep the resource limits $1 had set instead of
# having them reset — confirm against the kernel hook before relying on this.
3650 | allow $1 userdomain:process rlimitinh; | |
3651 | ') | |
3652 | ||
3653 | ######################################## | |
3654 | ## <summary> | |
3655 | ## Make a type an unprivileged user domain type (adds it to the $1_usertype, unpriv_userdomain and userdomain attributes). | |
3656 | ## </summary> | |
3657 | ## <param name="domain"> | |
3658 | ## <summary> | |
3659 | ## Domain allowed access. | |
3660 | ## </summary> | |
3661 | ## </param> | |
3662 | ## <param name="userdomain_prefix"> | |
3663 | ## <summary> | |
3664 | ## The prefix of the user domain (e.g., user | |
3665 | ## is the prefix for user_t). | |
3666 | ## </summary> | |
3667 | ## </param> | |
3668 | ## <param name="domain"> | |
3669 | ## <summary> | |
3670 | ## Domain allowed access. | |
3671 | ## </summary> | |
3672 | ## </param> | |
3673 | # | |
3674 | template(`userdom_unpriv_usertype',` | |
3675 | gen_require(` | |
3676 | attribute unpriv_userdomain, userdomain; | |
3677 | attribute $1_usertype; | |
3678 | ') | |
# $1 is the user domain prefix, $2 the type being turned into an unprivileged
# user type. NOTE(review): the doc block above lists the "domain" parameter
# twice and ahead of "userdomain_prefix", which does not match this order.
3679 | typeattribute $2 $1_usertype; | |
3680 | typeattribute $2 unpriv_userdomain; | |
3681 | typeattribute $2 userdomain; | |
3682 | ||
# Makes $2 subject to the UBAC (user-based access control) constraints, like
# the base user domain created by userdom_base_user_template.
3683 | ubac_constrained($2) | |
3684 | ') | |
3685 | ||
3686 | ######################################## | |
3687 | ## <summary> | |
3688 | ## Connect to users over a unix stream socket. | |
3689 | ## </summary> | |
3690 | ## <param name="domain"> | |
3691 | ## <summary> | |
3692 | ## Domain allowed access. | |
3693 | ## </summary> | |
3694 | ## </param> | |
3695 | # | |
3696 | interface(`userdom_stream_connect',` | |
3697 | gen_require(` | |
3698 | type user_tmp_t; | |
3699 | attribute userdomain; | |
3700 | ') | |
3701 | ||
# $1 may connect to unix stream sockets of any user domain whose socket file
# is labelled user_tmp_t: write on the socket file plus connectto on the
# userdomain socket. Only sockets placed in user tmp are reachable this way.
3702 | stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) | |
3703 | ') | |
3704 | ||
3705 | ######################################## | |
3706 | ## <summary> | |
3707 | ## Ptrace user domains. | |
3708 | ## </summary> | |
3709 | ## <param name="domain"> | |
3710 | ## <summary> | |
3711 | ## Domain allowed access. | |
3712 | ## </summary> | |
3713 | ## </param> | |
3714 | # | |
3715 | interface(`userdom_ptrace_all_users',` | |
3716 | gen_require(` | |
3717 | attribute userdomain; | |
3718 | ') | |
3719 | ||
# ptrace over every user domain lets $1 read and modify the memory and
# registers of any user process, and therefore anything those processes hold
# in memory. One of the most sensitive rules in this file: restrict callers to
# debugging/administrative domains and check whether a dontaudit would do.
3720 | allow $1 userdomain:process ptrace; | |
3721 | ') | |
3722 | ||
3723 | ######################################## | |
3724 | ## <summary> | |
3725 | ## Do not audit attempts to search /root. | |
3726 | ## </summary> | |
3727 | ## <param name="domain"> | |
3728 | ## <summary> | |
24280f35 | 3729 | ## Domain to not audit. |
3eaa9939 DW |
3730 | ## </summary> |
3731 | ## </param> | |
3732 | # | |
3733 | interface(`userdom_dontaudit_search_admin_dir',` | |
3734 | gen_require(` | |
3735 | type admin_home_t; | |
3736 | ') | |
3737 | ||
# admin_home_t labels /root; this only silences the denial produced by path
# lookups through it (search_dir_perms), it grants nothing.
3738 | dontaudit $1 admin_home_t:dir search_dir_perms; | |
3739 | ') | |
3740 | ||
3741 | ######################################## | |
3742 | ## <summary> | |
3743 | ## Do not audit attempts to list /root. | |
3744 | ## </summary> | |
3745 | ## <param name="domain"> | |
3746 | ## <summary> | |
24280f35 | 3747 | ## Domain to not audit. |
3eaa9939 DW |
3748 | ## </summary> |
3749 | ## </param> | |
3750 | # | |
3751 | interface(`userdom_dontaudit_list_admin_dir',` | |
3752 | gen_require(` | |
3753 | type admin_home_t; | |
3754 | ') | |
3755 | ||
# Silences denials for reading the entries of /root (admin_home_t); listing
# remains denied.
3756 | dontaudit $1 admin_home_t:dir list_dir_perms; | |
3757 | ') | |
3758 | ||
3759 | ######################################## | |
3760 | ## <summary> | |
3761 | ## Allow a domain to list /root. | |
3762 | ## </summary> | |
3763 | ## <param name="domain"> | |
3764 | ## <summary> | |
3765 | ## Domain allowed access. | |
3766 | ## </summary> | |
3767 | ## </param> | |
3768 | # | |
3769 | interface(`userdom_list_admin_dir',` | |
3770 | gen_require(` | |
3771 | type admin_home_t; | |
3772 | ') | |
3773 | ||
# list_dir_perms: $1 can read the directory entries of /root (admin_home_t);
# the files inside are not readable through this rule.
3774 | allow $1 admin_home_t:dir list_dir_perms; | |
3775 | ') | |
3776 | ||
3777 | ######################################## | |
3778 | ## <summary> | |
3779 | ## Allow a domain to search /root. | |
3780 | ## </summary> | |
3781 | ## <param name="domain"> | |
3782 | ## <summary> | |
3783 | ## Domain allowed access. | |
3784 | ## </summary> | |
3785 | ## </param> | |
3786 | # | |
3787 | interface(`userdom_search_admin_dir',` | |
3788 | gen_require(` | |
3789 | type admin_home_t; | |
3790 | ') | |
3791 | ||
# search_dir_perms only permits path traversal through /root, not listing it;
# see userdom_list_admin_dir for the listing variant.
3792 | allow $1 admin_home_t:dir search_dir_perms; | |
3793 | ') | |
3794 | ||
3795 | ######################################## | |
3796 | ## <summary> | |
3797 | ## Read and write unprivileged user SysV semaphores. | |
3798 | ## </summary> | |
3799 | ## <param name="domain"> | |
3800 | ## <summary> | |
3801 | ## Domain allowed access. | |
3802 | ## </summary> | |
3803 | ## </param> | |
3804 | # | |
3805 | interface(`userdom_rw_semaphores',` | |
3806 | gen_require(` | |
3807 | attribute unpriv_userdomain; | |
3808 | ') | |
3809 | ||
# SysV semaphores owned by unprivileged user domains only (unpriv_userdomain);
# rw_sem_perms covers read/write use, not creating or destroying them.
3810 | allow $1 unpriv_userdomain:sem rw_sem_perms; | |
3811 | ') | |
3812 | ||
3813 | ######################################## | |
3814 | ## <summary> | |
3815 | ## Send a message to unpriv users over a unix domain | |
3816 | ## datagram socket. | |
3817 | ## </summary> | |
3818 | ## <param name="domain"> | |
3819 | ## <summary> | |
3820 | ## Domain allowed access. | |
3821 | ## </summary> | |
3822 | ## </param> | |
3823 | # | |
3824 | interface(`userdom_dgram_send',` | |
3825 | gen_require(` | |
3826 | attribute unpriv_userdomain; | |
3827 | ') | |
3828 | ||
# sendto only: $1 can deliver datagrams to unix datagram sockets of
# unprivileged user domains; nothing is granted in the other direction.
3829 | allow $1 unpriv_userdomain:unix_dgram_socket sendto; | |
3830 | ') | |
3831 | ||
3832 | ###################################### | |
3833 | ## <summary> | |
3834 | ## Send a message to users over a unix domain | |
3835 | ## datagram socket. | |
3836 | ## </summary> | |
3837 | ## <param name="domain"> | |
3838 | ## <summary> | |
3839 | ## Domain allowed access. | |
3840 | ## </summary> | |
3841 | ## </param> | |
3842 | # | |
3843 | interface(`userdom_users_dgram_send',` | |
3844 | gen_require(` | |
3845 | attribute userdomain; | |
3846 | ') | |
3847 | ||
# Same as userdom_dgram_send but against every user domain (userdomain),
# privileged ones included.
3848 | allow $1 userdomain:unix_dgram_socket sendto; | |
3849 | ') | |
3850 | ||
3851 | ####################################### | |
3852 | ## <summary> | |
3853 | ## Allow execmod on files in user home directories. | |
3854 | ## </summary> | |
3855 | ## <param name="domain"> | |
3856 | ## <summary> | |
3857 | ## Domain allowed access. | |
3858 | ## </summary> | |
3859 | ## </param> | |
3860 | ## <rolebase/> | |
3861 | # | |
3862 | interface(`userdom_execmod_user_home_files',` | |
3863 | gen_require(` | |
3864 | type user_home_type; | |
3865 | ') | |
3866 | ||
# execmod lets $1 make a modified private mapping of any user home content
# file (user_home_type) executable (text relocations, runtime patching).
# Together with write access to the same files this turns user-writable data
# into executable code, so grant it only where such relocations are
# unavoidable and prefer fixing the offending library.
3867 | allow $1 user_home_type:file execmod; | |
3868 | ') | |
3869 | ||
3870 | ######################################## | |
3871 | ## <summary> | |
3872 | ## Read admin home files. | |
3873 | ## </summary> | |
3874 | ## <param name="domain"> | |
3875 | ## <summary> | |
3876 | ## Domain allowed access. | |
3877 | ## </summary> | |
3878 | ## </param> | |
3879 | ## <rolecap/> | |
3880 | # | |
3881 | interface(`userdom_read_admin_home_files',` | |
3882 | gen_require(` | |
3883 | type admin_home_t; | |
3884 | ') | |
3885 | ||
# Read access to everything labelled admin_home_t, i.e. root's private files
# under /root. Tagged <rolecap/> above, so it is exposed as a role capability.
3886 | read_files_pattern($1, admin_home_t, admin_home_t) | |
3887 | ') | |
3888 | ||
3889 | ######################################## | |
3890 | ## <summary> | |
3891 | ## Execute admin home files. | |
3892 | ## </summary> | |
3893 | ## <param name="domain"> | |
3894 | ## <summary> | |
3895 | ## Domain allowed access. | |
3896 | ## </summary> | |
3897 | ## </param> | |
3898 | ## <rolecap/> | |
3899 | # | |
3900 | interface(`userdom_exec_admin_home_files',` | |
3901 | gen_require(` | |
3902 | type admin_home_t; | |
3903 | ') | |
3904 | ||
# exec_files_pattern: $1 executes files under /root in its own domain; no
# domain transition is defined here, so the program runs with $1's rights.
3905 | exec_files_pattern($1, admin_home_t, admin_home_t) | |
3906 | ') | |
3907 | ||
3908 | ######################################## | |
3909 | ## <summary> | |
3910 | ## Append files inherited | |
3911 | ## in the /root directory. | |
3912 | ## </summary> | |
3913 | ## <param name="domain"> | |
3914 | ## <summary> | |
3915 | ## Domain allowed access. | |
3916 | ## </summary> | |
3917 | ## </param> | |
3918 | # | |
3919 | interface(`userdom_inherit_append_admin_home_files',` | |
3920 | gen_require(` | |
3921 | type admin_home_t; | |
3922 | ') | |
3923 | ||
# getattr and append without open: only usable on descriptors to /root files
# that were already open when $1 inherited them; $1 cannot open such files.
3924 | allow $1 admin_home_t:file { getattr append }; | |
3925 | ') | |
3926 | ||
3927 | ||
3928 | ####################################### | |
3929 | ## <summary> | |
3930 | ## Manage all files and directories in user home directories. | |
3931 | ## </summary> | |
3932 | ## <param name="userdomain"> | |
3933 | ## <summary> | |
3934 | ## The user domain | |
3935 | ## </summary> | |
3936 | ## </param> | |
3937 | ## <rolebase/> | |
3938 | # | |
3939 | interface(`userdom_manage_user_home_content',` | |
3940 | gen_require(` | |
3941 | type user_home_dir_t, user_home_t; | |
3942 | attribute user_home_type; | |
3943 | ') | |
3944 | ||
# NOTE(review): $1 is the domain being granted access, while the doc block
# above names the parameter "userdomain" / "The user domain" — the
# description does not match how $1 is used here.
# user_home_type is the attribute of every user home content type, so this is
# full create/read/write/delete over all users' home directories. The
# <rolebase/> tag marks it as part of the base user role.
3945 | files_list_home($1) | |
3946 | manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3947 | manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3948 | manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3949 | manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3950 | manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
# Objects created directly in a home directory default to the generic
# user_home_t label.
3951 | filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) | |
3952 | ||
3953 | ') | |
3954 | ||
3955 | ||
3956 | ######################################## | |
3957 | ## <summary> | |
3958 | ## Create objects in a user home directory | |
3959 | ## with an automatic type transition to | |
3960 | ## the user home file type. | |
3961 | ## </summary> | |
3962 | ## <param name="domain"> | |
3963 | ## <summary> | |
3964 | ## Domain allowed access. | |
3965 | ## </summary> | |
3966 | ## </param> | |
3967 | ## <param name="object_class"> | |
3968 | ## <summary> | |
3969 | ## The class of the object to be created. | |
3970 | ## </summary> | |
3971 | ## </param> | |
3972 | # | |
3973 | interface(`userdom_user_home_dir_filetrans_pattern',` | |
3974 | gen_require(` | |
3975 | type user_home_dir_t, user_home_t; | |
3976 | ') | |
3977 | ||
# type_transition only: the allow rules needed to actually create a $2 in a
# user home directory and to create user_home_t objects are not granted here;
# callers must add them separately.
3978 | type_transition $1 user_home_dir_t:$2 user_home_t; | |
3979 | ') | |
3980 | ||
3981 | ######################################## | |
3982 | ## <summary> | |
3983 | ## Create objects in the /root directory | |
3984 | ## with an automatic type transition to | |
3985 | ## a specified private type. | |
3986 | ## </summary> | |
3987 | ## <param name="domain"> | |
3988 | ## <summary> | |
3989 | ## Domain allowed access. | |
3990 | ## </summary> | |
3991 | ## </param> | |
3992 | ## <param name="private_type"> | |
3993 | ## <summary> | |
3994 | ## The type of the object to create. | |
3995 | ## </summary> | |
3996 | ## </param> | |
3997 | ## <param name="object_class"> | |
3998 | ## <summary> | |
3999 | ## The class of the object to be created. | |
4000 | ## </summary> | |
4001 | ## </param> | |
4002 | # | |
4003 | interface(`userdom_admin_home_dir_filetrans',` | |
4004 | gen_require(` | |
4005 | type admin_home_t; | |
4006 | ') | |
4007 | ||
# NOTE(review): $4 is passed through to filetrans_pattern as the optional
# object name for a name-based transition, but the doc block above documents
# only three parameters; the fourth (object name) parameter should be added.
ae4832c7 | 4008 | filetrans_pattern($1, admin_home_t, $2, $3, $4) |
3eaa9939 DW |
4009 | ') |
4010 | ||
4011 | ######################################## | |
4012 | ## <summary> | |
4013 | ## Send signull to unprivileged user domains. | |
4014 | ## </summary> | |
4015 | ## <param name="domain"> | |
4016 | ## <summary> | |
4017 | ## Domain allowed access. | |
4018 | ## </summary> | |
4019 | ## </param> | |
4020 | # | |
4021 | interface(`userdom_signull_unpriv_users',` | |
4022 | gen_require(` | |
4023 | attribute unpriv_userdomain; | |
4024 | ') | |
4025 | ||
# signull is the existence check (signal 0) against unprivileged user
# processes; it does not allow delivering a real signal.
4026 | allow $1 unpriv_userdomain:process signull; | |
4027 | ') | |
4028 | ||
4029 | ######################################## | |
4030 | ## <summary> | |
4031 | ## Write all users' files in /tmp. | |
4032 | ## </summary> | |
4033 | ## <param name="domain"> | |
4034 | ## <summary> | |
4035 | ## Domain allowed access. | |
4036 | ## </summary> | |
4037 | ## </param> | |
4038 | # | |
4039 | interface(`userdom_write_user_tmp_dirs',` | |
4040 | gen_require(` | |
4041 | type user_tmp_t; | |
4042 | ') | |
4043 | ||
# NOTE(review): the body is identical to userdom_write_user_tmp_files — it
# grants write on user tmp *files*, not on directories, so the name is
# misleading. Kept for existing callers; new code should use the _files
# interface.
4044 | write_files_pattern($1, user_tmp_t, user_tmp_t) | |
4045 | ') | |
4046 | ||
4047 | ######################################## | |
4048 | ## <summary> | |
4049 | ## Manage keys for all user domains. | |
4050 | ## </summary> | |
4051 | ## <param name="domain"> | |
4052 | ## <summary> | |
4053 | ## Domain allowed access. | |
4054 | ## </summary> | |
4055 | ## </param> | |
4056 | # | |
4057 | interface(`userdom_manage_all_users_keys',` | |
4058 | gen_require(` | |
4059 | attribute userdomain; | |
4060 | ') | |
4061 | ||
# The full manage_key_perms set (read, write, link, search, setattr, ... not
# just create) over the kernel keyring keys of every user domain. Far broader
# than userdom_create_all_users_keys; keep to trusted system domains.
4062 | allow $1 userdomain:key manage_key_perms; | |
4063 | ') | |
4064 | ||
4065 | ||
4066 | ######################################## | |
4067 | ## <summary> | |
4068 | ## Do not audit attempts to read and write | |
4069 | ## userdomain unix stream sockets. | |
4070 | ## </summary> | |
4071 | ## <param name="domain"> | |
4072 | ## <summary> | |
4073 | ## Domain to not audit. | |
4074 | ## </summary> | |
4075 | ## </param> | |
4076 | # | |
4077 | interface(`userdom_dontaudit_rw_stream',` | |
4078 | gen_require(` | |
4079 | attribute userdomain; | |
4080 | ') | |
4081 | ||
# Suppresses read/write denials on unix stream sockets of any user domain
# (e.g. a socket inherited across a transition); grants nothing.
4082 | dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; | |
4083 | ') | |
4084 | ||
3d3d47e4 DW |
4085 | ######################################## |
4086 | ## <summary> | |
4087 | ## Do not audit attempts to read and write | |
4088 | ## userdomain unix datagram sockets. | |
4089 | ## </summary> | |
4090 | ## <param name="domain"> | |
4091 | ## <summary> | |
4092 | ## Domain to not audit. | |
4093 | ## </summary> | |
4094 | ## </param> | |
4095 | # | |
4096 | interface(`userdom_dontaudit_rw_dgram_socket',` | |
4097 | gen_require(` | |
4098 | attribute userdomain; | |
4099 | ') | |
4100 | ||
# Only read and write are silenced (not the full rw_socket_perms used by the
# stream variant); no access is granted.
6a074ab5 | 4101 | dontaudit $1 userdomain:unix_dgram_socket { read write }; |
3d3d47e4 DW |
4102 | ') |
4103 | ||
3eaa9939 DW |
4104 | ######################################## |
4105 | ## <summary> | |
4106 | ## Append files | |
4107 | ## in a user home subdirectory. | |
4108 | ## </summary> | |
4109 | ## <param name="domain"> | |
4110 | ## <summary> | |
4111 | ## Domain allowed access. | |
4112 | ## </summary> | |
4113 | ## </param> | |
4114 | # | |
4115 | interface(`userdom_append_user_home_content_files',` | |
4116 | gen_require(` | |
4117 | type user_home_dir_t, user_home_t; | |
4118 | ') | |
4119 | ||
# Append-only access to generic user home files (user_home_t), plus the
# directory searches needed to reach them; no read access is granted.
4120 | append_files_pattern($1, user_home_t, user_home_t) | |
4121 | allow $1 user_home_dir_t:dir search_dir_perms; | |
4122 | files_search_home($1) | |
4123 | ') | |
4124 | ||
4125 | ######################################## | |
4126 | ## <summary> | |
4127 | ## Read files inherited | |
4128 | ## in a user home subdirectory. | |
4129 | ## </summary> | |
4130 | ## <param name="domain"> | |
4131 | ## <summary> | |
4132 | ## Domain allowed access. | |
4133 | ## </summary> | |
4134 | ## </param> | |
4135 | # | |
4136 | interface(`userdom_read_inherited_user_home_content_files',` | |
4137 | gen_require(` | |
4138 | attribute user_home_type; | |
4139 | ') | |
4140 | ||
# getattr and read without open: usable only on descriptors to user home
# content that $1 inherited; $1 cannot open home files on its own.
4141 | allow $1 user_home_type:file { getattr read }; | |
4142 | ') | |
4143 | ||
4144 | ######################################## | |
4145 | ## <summary> | |
4146 | ## Append files inherited | |
4147 | ## in a user home subdirectory. | |
4148 | ## </summary> | |
4149 | ## <param name="domain"> | |
4150 | ## <summary> | |
4151 | ## Domain allowed access. | |
4152 | ## </summary> | |
4153 | ## </param> | |
4154 | # | |
4155 | interface(`userdom_inherit_append_user_home_content_files',` | |
4156 | gen_require(` | |
4157 | type user_home_t; | |
4158 | ') | |
4159 | ||
# getattr and append without open: for already-open descriptors to generic
# user home files only; compare userdom_append_user_home_content_files, which
# also grants open and the directory search.
4160 | allow $1 user_home_t:file { getattr append }; | |
4161 | ') | |
4162 | ||
4163 | ######################################## | |
4164 | ## <summary> | |
4165 | ## Append files inherited | |
4166 | ## in user temporary files. | |
4167 | ## </summary> | |
4168 | ## <param name="domain"> | |
4169 | ## <summary> | |
4170 | ## Domain allowed access. | |
4171 | ## </summary> | |
4172 | ## </param> | |
4173 | # | |
4174 | interface(`userdom_inherit_append_user_tmp_files',` | |
4175 | gen_require(` | |
4176 | type user_tmp_t; | |
4177 | ') | |
4178 | ||
# getattr and append without open: only on inherited descriptors to user tmp
# files.
4179 | allow $1 user_tmp_t:file { getattr append }; | |
4180 | ') | |
4181 | ||
4182 | ###################################### | |
4183 | ## <summary> | |
4184 | ## Read audio files in users' home directories. | |
4185 | ## </summary> | |
4186 | ## <param name="domain"> | |
4187 | ## <summary> | |
4188 | ## Domain allowed access. | |
4189 | ## </summary> | |
4190 | ## </param> | |
4191 | ## <rolecap/> | |
4192 | # | |
4193 | interface(`userdom_read_home_audio_files',` | |
4194 | gen_require(` | |
4195 | type audio_home_t; | |
4196 | ') | |
4197 | ||
# Read-only access to audio_home_t content; the home directory search is
# needed to reach it. Tagged <rolecap/> above.
4198 | userdom_search_user_home_dirs($1) | |
4199 | allow $1 audio_home_t:dir list_dir_perms; | |
4200 | read_files_pattern($1, audio_home_t, audio_home_t) | |
4201 | read_lnk_files_pattern($1, audio_home_t, audio_home_t) | |
4202 | ') | |
4203 | ||
ca9e8850 DW |
4204 | ######################################## |
4205 | ## <summary> | |
4206 | ## Do not audit attempts to write all user home content files. | |
4207 | ## </summary> | |
4208 | ## <param name="domain"> | |
4209 | ## <summary> | |
4210 | ## Domain to not audit. | |
4211 | ## </summary> | |
4212 | ## </param> | |
4213 | # | |
4214 | interface(`userdom_dontaudit_write_all_user_home_content_files',` | |
4215 | gen_require(` | |
4216 | attribute user_home_type; | |
4217 | ') | |
4218 | ||
# Silences write denials against every user home content type; a broad
# dontaudit, so genuine misbehaviour of $1 in home directories becomes
# invisible in the audit log. Nothing is granted.
4219 | dontaudit $1 user_home_type:file write_file_perms; | |
4220 | ') | |
4221 | ||
4222 | ######################################## | |
4223 | ## <summary> | |
4224 | ## Do not audit attempts to write all user tmp content files. | |
4225 | ## </summary> | |
4226 | ## <param name="domain"> | |
4227 | ## <summary> | |
4228 | ## Domain to not audit. | |
4229 | ## </summary> | |
4230 | ## </param> | |
4231 | # | |
4232 | interface(`userdom_dontaudit_write_all_user_tmp_content_files',` | |
4233 | gen_require(` | |
4234 | attribute user_tmp_type; | |
4235 | ') | |
4236 | ||
# Silences write denials against every user tmp type (user_tmp_type), not
# just user_tmp_t; nothing is granted.
4237 | dontaudit $1 user_tmp_type:file write_file_perms; | |
4238 | ') | |
4239 | ||
4240 | ######################################## | |
4241 | ## <summary> | |
4242 | ## Manage all user temporary content. | |
4243 | ## </summary> | |
4244 | ## <param name="domain"> | |
4245 | ## <summary> | |
4246 | ## Domain allowed access. | |
4247 | ## </summary> | |
4248 | ## </param> | |
4249 | # | |
4250 | interface(`userdom_manage_all_user_tmp_content',` | |
4251 | gen_require(` | |
4252 | attribute user_tmp_type; | |
4253 | ') | |
4254 | ||
# user_tmp_type is the attribute of every user's private tmp type, so this is
# full create/read/write/delete over all users' /tmp content.
4255 | manage_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4256 | manage_files_pattern($1, user_tmp_type, user_tmp_type) | |
4257 | manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4258 | manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4259 | manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4260 | files_search_tmp($1) | |
4261 | ') | |
4262 | ||
4263 | ######################################## | |
4264 | ## <summary> | |
4265 | ## List all user temporary content. | |
4266 | ## </summary> | |
4267 | ## <param name="domain"> | |
4268 | ## <summary> | |
4269 | ## Domain allowed access. | |
4270 | ## </summary> | |
4271 | ## </param> | |
4272 | # | |
4273 | interface(`userdom_list_all_user_tmp_content',` | |
4274 | gen_require(` | |
4275 | attribute user_tmp_type; | |
4276 | ') | |
4277 | ||
# Directory listing plus getattr on the objects inside; file contents are not
# readable. lnk_file read is included so symlinks can be resolved.
4278 | list_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4279 | getattr_files_pattern($1, user_tmp_type, user_tmp_type) | |
4280 | read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4281 | getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4282 | getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
# Both /tmp and /var/tmp must be traversable to reach user tmp content.
4283 | files_search_var($1) | |
4284 | files_search_tmp($1) | |
4285 | ') | |
4286 | ||
4287 | ######################################## | |
4288 | ## <summary> | |
4289 | ## Manage all user tmpfs content. | |
4290 | ## </summary> | |
4291 | ## <param name="domain"> | |
4292 | ## <summary> | |
4293 | ## Domain allowed access. | |
4294 | ## </summary> | |
4295 | ## </param> | |
4296 | # | |
4297 | interface(`userdom_manage_all_user_tmpfs_content',` | |
4298 | gen_require(` | |
4299 | attribute user_tmpfs_type; | |
4300 | ') | |
4301 | ||
# Full create/read/write/delete over every user's tmpfs content
# (user_tmpfs_type, e.g. shared memory segments); fs_search_tmpfs gives the
# traversal of the tmpfs mount itself.
4302 | manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4303 | manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4304 | manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4305 | manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4306 | manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4307 | fs_search_tmpfs($1) | |
4308 | ') | |
4309 | ||
4310 | ######################################## | |
4311 | ## <summary> | |
4312 | ## Delete all user temporary content. | |
4313 | ## </summary> | |
4314 | ## <param name="domain"> | |
4315 | ## <summary> | |
4316 | ## Domain allowed access. | |
4317 | ## </summary> | |
4318 | ## </param> | |
4319 | # | |
4320 | interface(`userdom_delete_all_user_tmp_content',` | |
4321 | gen_require(` | |
4322 | attribute user_tmp_type; | |
4323 | ') | |
4324 | ||
# Delete-only access to every user's tmp content (no read or write);
# files_delete_tmp_dir_entry supplies the right to remove entries from /tmp
# itself (cleanup daemons are the typical caller).
4325 | delete_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4326 | delete_files_pattern($1, user_tmp_type, user_tmp_type) | |
4327 | delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4328 | delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4329 | delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4330 | # /var/tmp | |
4331 | files_search_var($1) | |
4332 | files_delete_tmp_dir_entry($1) | |
4333 | ') | |
4334 | ||
3eaa9939 DW |
4335 | ######################################## |
4336 | ## <summary> | |
4337 | ## Read system SSL certificates in users' home directories. | |
4338 | ## </summary> | |
4339 | ## <param name="domain"> | |
4340 | ## <summary> | |
4341 | ## Domain allowed access. | |
4342 | ## </summary> | |
4343 | ## </param> | |
3eaa9939 DW |
4344 | # |
4345 | interface(`userdom_read_home_certs',` | |
4346 | gen_require(` | |
4347 | type home_cert_t; | |
4348 | ') | |
4349 | ||
# Read-only access to home_cert_t content. If that location also holds
# private key material, this exposes it to $1 — grant to domains that must
# validate or present certificates, not broadly.
4982766c | 4350 | userdom_search_user_home_content($1) |
3eaa9939 DW |
4351 | allow $1 home_cert_t:dir list_dir_perms; |
4352 | read_files_pattern($1, home_cert_t, home_cert_t) | |
4353 | read_lnk_files_pattern($1, home_cert_t, home_cert_t) | |
4354 | ') | |
4355 | ||
f06e4c22 MG |
4356 | ####################################### |
4357 | ## <summary> | |
4358 | ## Do not audit attempts to write system SSL certificates in users' home directories. | |
4359 | ## </summary> | |
4360 | ## <param name="domain"> | |
4361 | ## <summary> | |
24280f35 | 4362 | ## Domain to not audit. |
f06e4c22 MG |
4363 | ## </summary> |
4364 | ## </param> | |
4365 | # | |
4366 | interface(`userdom_dontaudit_write_home_certs',` | |
4367 | gen_require(` | |
4368 | type home_cert_t; | |
4369 | ') | |
4370 | ||
# Silences write denials on certificate files; writes remain denied, so
# tampering with home_cert_t content by $1 is blocked but no longer logged.
4371 | dontaudit $1 home_cert_t:file write; | |
4372 | ') | |
4373 | ||
3eaa9939 DW |
4374 | ######################################## |
4375 | ## <summary> | |
4376 | ## Do not audit attempts to get the attributes of /root files. | |
4377 | ## </summary> | |
4378 | ## <param name="domain"> | |
4379 | ## <summary> | |
24280f35 | 4380 | ## Domain to not audit. |
3eaa9939 DW |
4381 | ## </summary> |
4382 | ## </param> | |
4383 | # | |
4384 | interface(`userdom_dontaudit_getattr_admin_home_files',` | |
4385 | gen_require(` | |
4386 | type admin_home_t; | |
4387 | ') | |
4388 | ||
# Silences getattr (stat) denials on files under /root; nothing is granted.
4389 | dontaudit $1 admin_home_t:file getattr; | |
4390 | ') | |
4391 | ||
4392 | ######################################## | |
4393 | ## <summary> | |
4394 | ## Do not audit attempts to read /root symbolic links. | |
4395 | ## </summary> | |
4396 | ## <param name="domain"> | |
4397 | ## <summary> | |
24280f35 | 4398 | ## Domain to not audit. |
3eaa9939 DW |
4399 | ## </summary> |
4400 | ## </param> | |
4401 | # | |
4402 | interface(`userdom_dontaudit_read_admin_home_lnk_files',` | |
4403 | gen_require(` | |
4404 | type admin_home_t; | |
4405 | ') | |
4406 | ||
# Silences denials for following symlinks under /root; nothing is granted.
4407 | dontaudit $1 admin_home_t:lnk_file read; | |
4408 | ') | |
4409 | ||
4410 | ######################################## | |
4411 | ## <summary> | |
4412 | ## Do not audit attempts to read /root files. | |
4413 | ## </summary> | |
4414 | ## <param name="domain"> | |
4415 | ## <summary> | |
24280f35 | 4416 | ## Domain to not audit. |
3eaa9939 DW |
4417 | ## </summary> |
4418 | ## </param> | |
4419 | # | |
4420 | interface(`userdom_dontaudit_read_admin_home_files',` | |
4421 | gen_require(` | |
4422 | type admin_home_t; | |
4423 | ') | |
4424 | ||
# Silences read denials on root's private files; reads remain denied. Use
# sparingly: it hides attempts by $1 to read /root content from the audit log.
4425 | dontaudit $1 admin_home_t:file read_file_perms; | |
4426 | ') | |
4427 | ||
4428 | ######################################## | |
4429 | ## <summary> | |
4430 | ## Create, read, write, and delete user | |
4431 | ## temporary chr files. | |
4432 | ## </summary> | |
4433 | ## <param name="domain"> | |
4434 | ## <summary> | |
4435 | ## Domain allowed access. | |
4436 | ## </summary> | |
4437 | ## </param> | |
4438 | # | |
4439 | interface(`userdom_manage_user_tmp_chr_files',` | |
4440 | gen_require(` | |
4441 | type user_tmp_t; | |
4442 | ') | |
4443 | ||
# Lets $1 create and manage character device nodes labelled user_tmp_t under
# /tmp. Creating device nodes is rarely a legitimate user-tmp activity, so
# review every caller of this interface.
4444 | manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) | |
4445 | files_search_tmp($1) | |
4446 | ') | |
4447 | ||
4448 | ######################################## | |
4449 | ## <summary> | |
4450 | ## Create, read, write, and delete user | |
4451 | ## temporary blk files. | |
4452 | ## </summary> | |
4453 | ## <param name="domain"> | |
4454 | ## <summary> | |
4455 | ## Domain allowed access. | |
4456 | ## </summary> | |
4457 | ## </param> | |
4458 | # | |
4459 | interface(`userdom_manage_user_tmp_blk_files',` | |
4460 | gen_require(` | |
4461 | type user_tmp_t; | |
4462 | ') | |
4463 | ||
# Block-device counterpart of userdom_manage_user_tmp_chr_files; the same
# caution applies — device nodes in user tmp need a clear justification.
4464 | manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4465 | files_search_tmp($1) | |
4466 | ') | |
4467 | ||
########################################
## <summary>
##	Do not audit attempts to set attributes on
##	user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
4475 | ## </summary> |
4476 | ## </param> | |
4477 | # | |
interface(`userdom_dontaudit_setattr_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the audit record only; nothing is granted. Only the dir
	# class is covered, setattr attempts on user_tmp_t files stay audited.
	dontaudit $1 user_tmp_t:dir setattr;
')
4485 | ||
########################################
## <summary>
##	Write inherited user temporary files in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_inherited_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Grants write only: no open permission and, unlike the
	# manage_user_tmp_* interfaces above, no files_search_tmp(). The
	# domain is therefore expected to write through a descriptor it
	# already holds (inherited), not to open user_tmp_t files itself.
	allow $1 user_tmp_t:file write;
')
4503 | ||
########################################
## <summary>
##	Delete user temporary files in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Only permissions on the file object itself (delete_file_perms) are
	# granted. No files_search_tmp() and no permissions on user_tmp_t
	# directories are included, unlike the manage_user_tmp_* interfaces
	# above. NOTE(review): unlinking also needs remove_name on the parent
	# directory, so callers must obtain the directory side elsewhere.
	allow $1 user_tmp_t:file delete_file_perms;
')
4521 | ||
########################################
## <summary>
##	Delete user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	# Only permissions on the file object itself (delete_file_perms) are
	# granted; no permissions on user_tmpfs_t directories are included.
	# NOTE(review): unlinking also needs remove_name on the parent
	# directory, so callers must obtain the directory side elsewhere.
	allow $1 user_tmpfs_t:file delete_file_perms;
')
4539 | ||
########################################
## <summary>
##	Read/Write unprivileged user SysV shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_unpriv_user_shared_mem',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# unpriv_userdomain is an attribute, so this covers the SysV shm
	# segments of every unprivileged user domain at once rather than one
	# specific type. Only the shm class is affected; semaphores and
	# message queues are not included.
	allow $1 unpriv_userdomain:shm rw_shm_perms;
')
4558 | ||
########################################
## <summary>
##	Do not audit attempts to search user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the audit record only; nothing is granted. Only the
	# search permission set on the dir class is covered, so listing
	# (read) denials on user_tmp_t directories are still audited.
	dontaudit $1 user_tmp_t:dir search_dir_perms;
')
4577 | ||
########################################
## <summary>
##	Execute a file in a user home directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a user home directory
##	in the specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	The entrypoint file type is user_home_t, which is
##	normally writable by the user, so the target domain
##	should be one whose privileges are acceptable for
##	code the user is able to modify.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_home',`
	gen_require(`
		type user_home_t;
	')

	# Symlinks labeled user_home_t may be followed on the way to the file.
	read_lnk_files_pattern($1, user_home_t, user_home_t)
	# Permits the transition (roughly: execute on user_home_t files,
	# process transition to $2, entrypoint for $2 via user_home_t).
	# Unlike userdom_domtrans_user_tmp() below, no directory search is
	# granted here; the caller must already be able to reach the home
	# directory.
	domain_transition_pattern($1, user_home_t, $2)
	# Make the transition happen automatically on exec rather than only
	# being permitted.
	type_transition $1 user_home_t:process $2;
')
4614 | ||
########################################
## <summary>
##	Execute a file in a user tmp directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a user tmp directory
##	in the specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	The entrypoint file type is user_tmp_t, content that
##	users create under /tmp, so the target domain should
##	be one whose privileges are acceptable for code the
##	user is able to modify.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Needed to reach user_tmp_t entries below the /tmp directory.
	files_search_tmp($1)
	# Symlinks labeled user_tmp_t may be followed on the way to the file.
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	# Permits the transition (roughly: execute on user_tmp_t files,
	# process transition to $2, entrypoint for $2 via user_tmp_t).
	domain_transition_pattern($1, user_tmp_t, $2)
	# Make the transition happen automatically on exec rather than only
	# being permitted.
	type_transition $1 user_tmp_t:process $2;
')
4652 | |
########################################
## <summary>
##	Do not audit attempts to read all user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Suppresses the audit record only; nothing is granted. user_home_type
	# is an attribute, so this applies to every type carrying it, not just
	# user_home_t. Only the file class is covered.
	dontaudit $1 user_home_type:file read_file_perms;
')
4670 | ||
########################################
## <summary>
##	Do not audit attempts to read all user tmp content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Suppresses the audit record only; nothing is granted. user_tmp_type
	# is an attribute, so this applies to every type carrying it, not just
	# user_tmp_t. Only the file class is covered.
	dontaudit $1 user_tmp_type:file read_file_perms;
')
4688 |