]>
Commit | Line | Data |
---|---|---|
490639cd | 1 | ## <summary>Policy for user domains</summary> |
b16c6b8c | 2 | |
8fd36732 CP |
3 | ####################################### |
4 | ## <summary> | |
bbcd3c97 | 5 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
6 | ## </summary> |
7 | ## <desc> | |
8 | ## <p> | |
bbcd3c97 | 9 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
10 | ## </p> |
11 | ## <p> | |
bbcd3c97 CP |
12 | ## This template creates a user domain, types, and |
13 | ## rules for the user's tty and pty. | |
8fd36732 CP |
14 | ## </p> |
15 | ## </desc> | |
16 | ## <param name="userdomain_prefix"> | |
885b83ec | 17 | ## <summary> |
8fd36732 CP |
18 | ## The prefix of the user domain (e.g., user |
19 | ## is the prefix for user_t). | |
885b83ec | 20 | ## </summary> |
8fd36732 | 21 | ## </param> |
bbcd3c97 | 22 | ## <rolebase/> |
b16c6b8c | 23 | # |
bbcd3c97 | 24 | template(`userdom_base_user_template',` |
c6a60bb2 CP |
25 | |
26 | gen_require(` | |
d6d16b97 | 27 | attribute userdomain; |
296273a7 | 28 | type user_devpts_t, user_tty_device_t; |
c6a60bb2 CP |
29 | class context contains; |
30 | ') | |
31 | ||
0c73cd25 | 32 | attribute $1_file_type; |
3eaa9939 | 33 | attribute $1_usertype; |
0c73cd25 | 34 | |
3eaa9939 | 35 | type $1_t, userdomain, $1_usertype; |
c9428d33 CP |
36 | domain_type($1_t) |
37 | corecmd_shell_entry_type($1_t) | |
d40c0ecf | 38 | corecmd_bin_entry_type($1_t) |
2e863f8a | 39 | domain_user_exemption_target($1_t) |
296273a7 | 40 | ubac_constrained($1_t) |
0c73cd25 CP |
41 | role $1_r types $1_t; |
42 | allow system_r $1_r; | |
43 | ||
296273a7 | 44 | term_user_pty($1_t, user_devpts_t) |
0c73cd25 | 45 | |
296273a7 | 46 | term_user_tty($1_t, user_tty_device_t) |
3eaa9939 DW |
47 | term_dontaudit_getattr_generic_ptys($1_t) |
48 | ||
49 | allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; | |
50 | allow $1_usertype $1_usertype:fd use; | |
51 | allow $1_usertype $1_t:key { create view read write search link setattr }; | |
52 | ||
53 | allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; | |
54 | allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; | |
55 | allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; | |
56 | allow $1_usertype $1_usertype:shm create_shm_perms; | |
57 | allow $1_usertype $1_usertype:sem create_sem_perms; | |
58 | allow $1_usertype $1_usertype:msgq create_msgq_perms; | |
59 | allow $1_usertype $1_usertype:msg { send receive }; | |
60 | allow $1_usertype $1_usertype:context contains; | |
61 | dontaudit $1_usertype $1_usertype:socket create; | |
62 | ||
63 | allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; | |
64 | term_create_pty($1_usertype, user_devpts_t) | |
296273a7 | 65 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 | 66 | dontaudit $1_usertype user_devpts_t:chr_file ioctl; |
0c73cd25 | 67 | |
3eaa9939 | 68 | allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; |
296273a7 | 69 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 DW |
70 | dontaudit $1_usertype user_tty_device_t:chr_file ioctl; |
71 | ||
72 | application_exec_all($1_usertype) | |
73 | ||
74 | kernel_read_kernel_sysctls($1_usertype) | |
75 | kernel_read_all_sysctls($1_usertype) | |
76 | kernel_dontaudit_list_unlabeled($1_usertype) | |
77 | kernel_dontaudit_getattr_unlabeled_files($1_usertype) | |
78 | kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) | |
79 | kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) | |
80 | kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) | |
81 | kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) | |
82 | kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) | |
83 | kernel_dontaudit_list_proc($1_usertype) | |
84 | ||
85 | dev_dontaudit_getattr_all_blk_files($1_usertype) | |
86 | dev_dontaudit_getattr_all_chr_files($1_usertype) | |
87 | dev_getattr_mtrr_dev($1_t) | |
847937da | 88 | |
2ec4c9d3 | 89 | # When the user domain runs ps, there will be a number of access |
ff8f0a63 | 90 | # denials when ps tries to search /proc. Do not audit these denials. |
3eaa9939 DW |
91 | domain_dontaudit_read_all_domains_state($1_usertype) |
92 | domain_dontaudit_getattr_all_domains($1_usertype) | |
93 | domain_dontaudit_getsession_all_domains($1_usertype) | |
7bbb31df | 94 | dev_dontaudit_all_access_check($1_usertype) |
3eaa9939 DW |
95 | |
96 | files_read_etc_files($1_usertype) | |
97 | files_list_mnt($1_usertype) | |
98 | files_read_mnt_files($1_usertype) | |
7455c4b3 | 99 | files_dontaudit_access_check_mnt($1_usertype) |
3eaa9939 DW |
100 | files_read_etc_runtime_files($1_usertype) |
101 | files_read_usr_files($1_usertype) | |
102 | files_read_usr_src_files($1_usertype) | |
bbcd3c97 CP |
103 | # Read directories and files with the readable_t type. |
104 | # This type is a general type for "world"-readable files. | |
3eaa9939 DW |
105 | files_list_world_readable($1_usertype) |
106 | files_read_world_readable_files($1_usertype) | |
107 | files_read_world_readable_symlinks($1_usertype) | |
108 | files_read_world_readable_pipes($1_usertype) | |
109 | files_read_world_readable_sockets($1_usertype) | |
a2868f6e | 110 | # old broswer_domain(): |
3eaa9939 DW |
111 | files_dontaudit_getattr_all_dirs($1_usertype) |
112 | files_dontaudit_list_non_security($1_usertype) | |
113 | files_dontaudit_getattr_all_files($1_usertype) | |
114 | files_dontaudit_getattr_non_security_symlinks($1_usertype) | |
115 | files_dontaudit_getattr_non_security_pipes($1_usertype) | |
116 | files_dontaudit_getattr_non_security_sockets($1_usertype) | |
d255399f | 117 | files_dontaudit_setattr_etc_runtime_files($1_usertype) |
3eaa9939 DW |
118 | |
119 | files_exec_usr_files($1_t) | |
120 | ||
121 | fs_list_cgroup_dirs($1_usertype) | |
122 | fs_dontaudit_rw_cgroup_files($1_usertype) | |
123 | ||
124 | storage_rw_fuse($1_usertype) | |
125 | ||
126 | auth_use_nsswitch($1_usertype) | |
0c73cd25 | 127 | |
3eaa9939 | 128 | init_stream_connect($1_usertype) |
9461b606 DW |
129 | # The library functions always try to open read-write first, |
130 | # then fall back to read-only if it fails. | |
131 | init_dontaudit_rw_utmp($1_usertype) | |
bbcd3c97 | 132 | |
3eaa9939 | 133 | libs_exec_ld_so($1_usertype) |
6b19be33 | 134 | |
7e9cab9c DW |
135 | logging_send_audit_msgs($1_t) |
136 | ||
bbcd3c97 | 137 | miscfiles_read_localization($1_t) |
83406219 | 138 | miscfiles_read_generic_certs($1_t) |
6b19be33 | 139 | |
cab9bc9c | 140 | miscfiles_read_all_certs($1_usertype) |
3eaa9939 DW |
141 | miscfiles_read_localization($1_usertype) |
142 | miscfiles_read_man_pages($1_usertype) | |
143 | miscfiles_read_public_files($1_usertype) | |
bbcd3c97 CP |
144 | |
145 | tunable_policy(`allow_execmem',` | |
146 | # Allow loading DSOs that require executable stack. | |
147 | allow $1_t self:process execmem; | |
148 | ') | |
149 | ||
150 | tunable_policy(`allow_execmem && allow_execstack',` | |
151 | # Allow making the stack executable via mprotect. | |
152 | allow $1_t self:process execstack; | |
153 | ') | |
3eaa9939 | 154 | |
d0f23a26 DW |
155 | optional_policy(` |
156 | abrt_stream_connect($1_usertype) | |
157 | ') | |
158 | ||
3eaa9939 DW |
159 | optional_policy(` |
160 | fs_list_cgroup_dirs($1_usertype) | |
161 | ') | |
a8183914 | 162 | |
3eaa9939 DW |
163 | optional_policy(` |
164 | ssh_rw_stream_sockets($1_usertype) | |
165 | ssh_delete_tmp($1_t) | |
166 | ssh_signal($1_t) | |
167 | ') | |
bbcd3c97 CP |
168 | ') |
169 | ||
170 | ####################################### | |
171 | ## <summary> | |
296273a7 CP |
172 | ## Allow a home directory for which the |
173 | ## role has read-only access. | |
bbcd3c97 CP |
174 | ## </summary> |
175 | ## <desc> | |
176 | ## <p> | |
296273a7 CP |
177 | ## Allow a home directory for which the |
178 | ## role has read-only access. | |
bbcd3c97 CP |
179 | ## </p> |
180 | ## <p> | |
181 | ## This does not allow execute access. | |
182 | ## </p> | |
183 | ## </desc> | |
296273a7 | 184 | ## <param name="role"> |
bbcd3c97 | 185 | ## <summary> |
296273a7 CP |
186 | ## The user role |
187 | ## </summary> | |
188 | ## </param> | |
189 | ## <param name="userdomain"> | |
190 | ## <summary> | |
191 | ## The user domain | |
bbcd3c97 CP |
192 | ## </summary> |
193 | ## </param> | |
194 | ## <rolebase/> | |
195 | # | |
296273a7 | 196 | interface(`userdom_ro_home_role',` |
d6d16b97 | 197 | gen_require(` |
296273a7 | 198 | type user_home_t, user_home_dir_t; |
d6d16b97 CP |
199 | ') |
200 | ||
3eaa9939 DW |
201 | role $1 types { user_home_t user_home_dir_t }; |
202 | ||
bbcd3c97 CP |
203 | ############################## |
204 | # | |
205 | # Domain access to home dir | |
206 | # | |
207 | ||
296273a7 CP |
208 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
209 | ||
bbcd3c97 | 210 | # read-only home directory |
296273a7 CP |
211 | allow $2 user_home_dir_t:dir list_dir_perms; |
212 | allow $2 user_home_t:dir list_dir_perms; | |
213 | allow $2 user_home_t:file entrypoint; | |
214 | read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
215 | read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
216 | read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
217 | read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
218 | files_list_home($2) | |
bbcd3c97 | 219 | |
bbcd3c97 CP |
220 | ') |
221 | ||
222 | ####################################### | |
223 | ## <summary> | |
296273a7 CP |
224 | ## Allow a home directory for which the |
225 | ## role has full access. | |
bbcd3c97 CP |
226 | ## </summary> |
227 | ## <desc> | |
228 | ## <p> | |
296273a7 CP |
229 | ## Allow a home directory for which the |
230 | ## role has full access. | |
bbcd3c97 CP |
231 | ## </p> |
232 | ## <p> | |
233 | ## This does not allow execute access. | |
234 | ## </p> | |
235 | ## </desc> | |
296273a7 | 236 | ## <param name="role"> |
bbcd3c97 | 237 | ## <summary> |
296273a7 CP |
238 | ## The user role |
239 | ## </summary> | |
240 | ## </param> | |
241 | ## <param name="userdomain"> | |
242 | ## <summary> | |
243 | ## The user domain | |
bbcd3c97 CP |
244 | ## </summary> |
245 | ## </param> | |
246 | ## <rolebase/> | |
247 | # | |
296273a7 | 248 | interface(`userdom_manage_home_role',` |
d6d16b97 | 249 | gen_require(` |
296273a7 | 250 | type user_home_t, user_home_dir_t; |
3eaa9939 | 251 | attribute user_home_type; |
d6d16b97 CP |
252 | ') |
253 | ||
3eaa9939 DW |
254 | role $1 types { user_home_type user_home_dir_t }; |
255 | ||
bbcd3c97 CP |
256 | ############################## |
257 | # | |
258 | # Domain access to home dir | |
259 | # | |
260 | ||
296273a7 CP |
261 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
262 | ||
bbcd3c97 | 263 | # full control of the home directory |
3eaa9939 | 264 | allow $2 user_home_t:dir mounton; |
296273a7 | 265 | allow $2 user_home_t:file entrypoint; |
3eaa9939 DW |
266 | |
267 | allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; | |
268 | allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; | |
269 | manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
270 | manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
271 | manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
272 | manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
273 | manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
274 | relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
275 | relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
276 | relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
277 | relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
278 | relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
296273a7 CP |
279 | filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) |
280 | files_list_home($2) | |
bbcd3c97 | 281 | |
c0868a7a | 282 | # cjp: this should probably be removed: |
296273a7 | 283 | allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; |
c0868a7a | 284 | |
bbcd3c97 | 285 | tunable_policy(`use_nfs_home_dirs',` |
3eaa9939 DW |
286 | fs_mount_nfs($2) |
287 | fs_mounton_nfs($2) | |
296273a7 CP |
288 | fs_manage_nfs_dirs($2) |
289 | fs_manage_nfs_files($2) | |
290 | fs_manage_nfs_symlinks($2) | |
291 | fs_manage_nfs_named_sockets($2) | |
292 | fs_manage_nfs_named_pipes($2) | |
bbcd3c97 CP |
293 | ') |
294 | ||
295 | tunable_policy(`use_samba_home_dirs',` | |
3eaa9939 DW |
296 | fs_mount_cifs($2) |
297 | fs_mounton_cifs($2) | |
296273a7 CP |
298 | fs_manage_cifs_dirs($2) |
299 | fs_manage_cifs_files($2) | |
300 | fs_manage_cifs_symlinks($2) | |
301 | fs_manage_cifs_named_sockets($2) | |
302 | fs_manage_cifs_named_pipes($2) | |
bbcd3c97 CP |
303 | ') |
304 | ') | |
305 | ||
306 | ####################################### | |
307 | ## <summary> | |
296273a7 | 308 | ## Manage user temporary files |
bbcd3c97 | 309 | ## </summary> |
296273a7 | 310 | ## <param name="role"> |
bbcd3c97 | 311 | ## <summary> |
296273a7 | 312 | ## Role allowed access. |
bbcd3c97 CP |
313 | ## </summary> |
314 | ## </param> | |
296273a7 | 315 | ## <param name="domain"> |
bbcd3c97 | 316 | ## <summary> |
296273a7 | 317 | ## Domain allowed access. |
bbcd3c97 CP |
318 | ## </summary> |
319 | ## </param> | |
320 | ## <rolebase/> | |
321 | # | |
296273a7 | 322 | interface(`userdom_manage_tmp_role',` |
d6d16b97 | 323 | gen_require(` |
8c9f6ee9 | 324 | attribute user_tmp_type; |
296273a7 | 325 | type user_tmp_t; |
d6d16b97 CP |
326 | ') |
327 | ||
3eaa9939 DW |
328 | role $1 types user_tmp_t; |
329 | ||
296273a7 | 330 | files_poly_member_tmp($2, user_tmp_t) |
bbcd3c97 | 331 | |
8c9f6ee9 DG |
332 | manage_dirs_pattern($2, user_tmp_type, user_tmp_type) |
333 | manage_files_pattern($2, user_tmp_type, user_tmp_type) | |
334 | manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) | |
335 | manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) | |
336 | manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) | |
296273a7 | 337 | files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) |
8c9f6ee9 DG |
338 | relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) |
339 | relabel_files_pattern($2, user_tmp_type, user_tmp_type) | |
340 | relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) | |
341 | relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) | |
342 | relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) | |
3eaa9939 DW |
343 | ') |
344 | ||
345 | ####################################### | |
346 | ## <summary> | |
347 | ## Dontaudit search of user bin dirs. | |
348 | ## </summary> | |
349 | ## <param name="domain"> | |
350 | ## <summary> | |
24280f35 | 351 | ## Domain to not audit. |
3eaa9939 DW |
352 | ## </summary> |
353 | ## </param> | |
354 | # | |
355 | interface(`userdom_dontaudit_search_user_bin_dirs',` | |
356 | gen_require(` | |
357 | type home_bin_t; | |
358 | ') | |
359 | ||
360 | dontaudit $1 home_bin_t:dir search_dir_perms; | |
361 | ') | |
362 | ||
363 | ####################################### | |
364 | ## <summary> | |
365 | ## Execute user bin files. | |
366 | ## </summary> | |
367 | ## <param name="domain"> | |
368 | ## <summary> | |
369 | ## Domain allowed access. | |
370 | ## </summary> | |
371 | ## </param> | |
372 | # | |
373 | interface(`userdom_exec_user_bin_files',` | |
374 | gen_require(` | |
375 | attribute user_home_type; | |
376 | type home_bin_t, user_home_dir_t; | |
377 | ') | |
378 | ||
379 | exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) | |
380 | files_search_home($1) | |
bbcd3c97 CP |
381 | ') |
382 | ||
383 | ####################################### | |
384 | ## <summary> | |
296273a7 | 385 | ## The execute access user temporary files. |
bbcd3c97 | 386 | ## </summary> |
296273a7 | 387 | ## <param name="domain"> |
bbcd3c97 | 388 | ## <summary> |
296273a7 | 389 | ## Domain allowed access. |
bbcd3c97 CP |
390 | ## </summary> |
391 | ## </param> | |
392 | ## <rolebase/> | |
393 | # | |
296273a7 CP |
394 | interface(`userdom_exec_user_tmp_files',` |
395 | gen_require(` | |
396 | type user_tmp_t; | |
397 | ') | |
398 | ||
399 | exec_files_pattern($1, user_tmp_t, user_tmp_t) | |
3eaa9939 | 400 | dontaudit $1 user_tmp_t:sock_file execute; |
296273a7 | 401 | files_search_tmp($1) |
bbcd3c97 CP |
402 | ') |
403 | ||
404 | ####################################### | |
405 | ## <summary> | |
296273a7 | 406 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
407 | ## that the user has full access. |
408 | ## </summary> | |
409 | ## <desc> | |
410 | ## <p> | |
296273a7 | 411 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
412 | ## that the user has full access. |
413 | ## </p> | |
414 | ## <p> | |
415 | ## This does not allow execute access. | |
416 | ## </p> | |
417 | ## </desc> | |
296273a7 | 418 | ## <param name="role"> |
bbcd3c97 | 419 | ## <summary> |
296273a7 | 420 | ## Role allowed access. |
bbcd3c97 CP |
421 | ## </summary> |
422 | ## </param> | |
296273a7 | 423 | ## <param name="domain"> |
bbcd3c97 | 424 | ## <summary> |
296273a7 | 425 | ## Domain allowed access. |
bbcd3c97 CP |
426 | ## </summary> |
427 | ## </param> | |
296273a7 | 428 | ## <rolecap/> |
bbcd3c97 | 429 | # |
296273a7 | 430 | interface(`userdom_manage_tmpfs_role',` |
bbcd3c97 | 431 | gen_require(` |
faa4eacc | 432 | attribute user_tmpfs_type; |
296273a7 | 433 | type user_tmpfs_t; |
bbcd3c97 | 434 | ') |
bbcd3c97 | 435 | |
3eaa9939 DW |
436 | role $1 types user_tmpfs_t; |
437 | ||
8c9f6ee9 DG |
438 | manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) |
439 | manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
440 | manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
441 | manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
442 | manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
296273a7 | 443 | fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
8c9f6ee9 DG |
444 | relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) |
445 | relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
446 | relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
447 | relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
448 | relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
bbcd3c97 CP |
449 | ') |
450 | ||
451 | ####################################### | |
452 | ## <summary> | |
3eaa9939 | 453 | ## The interface allowing the user basic |
bbcd3c97 CP |
454 | ## network permissions |
455 | ## </summary> | |
3eaa9939 | 456 | ## <param name="userdomain"> |
bbcd3c97 | 457 | ## <summary> |
3eaa9939 | 458 | ## The user domain |
bbcd3c97 CP |
459 | ## </summary> |
460 | ## </param> | |
461 | ## <rolebase/> | |
462 | # | |
3eaa9939 DW |
463 | interface(`userdom_basic_networking',` |
464 | ||
465 | allow $1 self:tcp_socket create_stream_socket_perms; | |
466 | allow $1 self:udp_socket create_socket_perms; | |
467 | ||
468 | corenet_all_recvfrom_unlabeled($1) | |
469 | corenet_all_recvfrom_netlabel($1) | |
470 | corenet_tcp_sendrecv_generic_if($1) | |
471 | corenet_udp_sendrecv_generic_if($1) | |
472 | corenet_tcp_sendrecv_generic_node($1) | |
473 | corenet_udp_sendrecv_generic_node($1) | |
474 | corenet_tcp_sendrecv_all_ports($1) | |
475 | corenet_udp_sendrecv_all_ports($1) | |
476 | corenet_tcp_connect_all_ports($1) | |
477 | corenet_sendrecv_all_client_packets($1) | |
dc1920b2 CP |
478 | |
479 | optional_policy(` | |
3eaa9939 DW |
480 | init_tcp_recvfrom_all_daemons($1) |
481 | init_udp_recvfrom_all_daemons($1) | |
dc1920b2 CP |
482 | ') |
483 | ||
0b6acad1 | 484 | optional_policy(` |
3eaa9939 | 485 | ipsec_match_default_spd($1) |
0b6acad1 | 486 | ') |
3eaa9939 | 487 | |
bbcd3c97 CP |
488 | ') |
489 | ||
490 | ####################################### | |
491 | ## <summary> | |
93c49bdb | 492 | ## The template for creating a user xwindows client. (Deprecated) |
bbcd3c97 CP |
493 | ## </summary> |
494 | ## <param name="userdomain_prefix"> | |
495 | ## <summary> | |
496 | ## The prefix of the user domain (e.g., user | |
497 | ## is the prefix for user_t). | |
498 | ## </summary> | |
499 | ## </param> | |
500 | ## <rolebase/> | |
501 | # | |
502 | template(`userdom_xwindows_client_template',` | |
93c49bdb | 503 | refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') |
bbcd3c97 | 504 | gen_require(` |
296273a7 | 505 | type $1_t, user_tmpfs_t; |
bbcd3c97 CP |
506 | ') |
507 | ||
847937da CP |
508 | dev_rw_xserver_misc($1_t) |
509 | dev_rw_power_management($1_t) | |
510 | dev_read_input($1_t) | |
511 | dev_read_misc($1_t) | |
512 | dev_write_misc($1_t) | |
513 | # open office is looking for the following | |
514 | dev_getattr_agp_dev($1_t) | |
515 | dev_dontaudit_rw_dri($1_t) | |
516 | # GNOME checks for usb and other devices: | |
517 | dev_rw_usbfs($1_t) | |
3eaa9939 | 518 | dev_rw_generic_usb_dev($1_t) |
847937da | 519 | |
4279891d | 520 | xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) |
847937da CP |
521 | xserver_xsession_entry_type($1_t) |
522 | xserver_dontaudit_write_log($1_t) | |
523 | xserver_stream_connect_xdm($1_t) | |
524 | # certain apps want to read xdm.pid file | |
525 | xserver_read_xdm_pid($1_t) | |
526 | # gnome-session creates socket under /tmp/.ICE-unix/ | |
527 | xserver_create_xdm_tmp_sockets($1_t) | |
528 | # Needed for escd, remove if we get escd policy | |
529 | xserver_manage_xdm_tmp_files($1_t) | |
bbcd3c97 CP |
530 | ') |
531 | ||
532 | ####################################### | |
533 | ## <summary> | |
534 | ## The template for allowing the user to change passwords. | |
535 | ## </summary> | |
536 | ## <param name="userdomain_prefix"> | |
537 | ## <summary> | |
538 | ## The prefix of the user domain (e.g., user | |
539 | ## is the prefix for user_t). | |
540 | ## </summary> | |
541 | ## </param> | |
542 | ## <rolebase/> | |
543 | # | |
544 | template(`userdom_change_password_template',` | |
545 | gen_require(` | |
296273a7 | 546 | type $1_t; |
bbcd3c97 CP |
547 | role $1_r; |
548 | ') | |
549 | ||
550 | optional_policy(` | |
6c4f41ce CP |
551 | usermanage_run_chfn($1_t, $1_r) |
552 | usermanage_run_passwd($1_t, $1_r) | |
bbcd3c97 | 553 | ') |
bbcd3c97 CP |
554 | ') |
555 | ||
556 | ####################################### | |
557 | ## <summary> | |
558 | ## The template containing rules common to unprivileged | |
559 | ## users and administrative users. | |
560 | ## </summary> | |
561 | ## <desc> | |
562 | ## <p> | |
563 | ## This template creates a user domain, types, and | |
564 | ## rules for the user's tty, pty, tmp, and tmpfs files. | |
565 | ## </p> | |
566 | ## </desc> | |
567 | ## <param name="userdomain_prefix"> | |
568 | ## <summary> | |
569 | ## The prefix of the user domain (e.g., user | |
570 | ## is the prefix for user_t). | |
571 | ## </summary> | |
572 | ## </param> | |
573 | # | |
574 | template(`userdom_common_user_template',` | |
563e58e8 CP |
575 | gen_require(` |
576 | attribute unpriv_userdomain; | |
577 | ') | |
bbcd3c97 | 578 | |
3eaa9939 | 579 | userdom_basic_networking($1_usertype) |
bbcd3c97 | 580 | |
bbcd3c97 CP |
581 | ############################## |
582 | # | |
583 | # User domain Local policy | |
584 | # | |
585 | ||
bbcd3c97 CP |
586 | # evolution and gnome-session try to create a netlink socket |
587 | dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; | |
588 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
3eaa9939 DW |
589 | allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; |
590 | allow $1_t self:socket create_socket_perms; | |
bbcd3c97 | 591 | |
3eaa9939 | 592 | allow $1_usertype unpriv_userdomain:fd use; |
bbcd3c97 | 593 | |
3eaa9939 DW |
594 | kernel_read_system_state($1_usertype) |
595 | kernel_read_network_state($1_usertype) | |
5aff16e1 | 596 | kernel_read_software_raid_state($1_usertype) |
3eaa9939 | 597 | kernel_read_net_sysctls($1_usertype) |
bbcd3c97 | 598 | # Very permissive allowing every domain to see every type: |
3eaa9939 | 599 | kernel_get_sysvipc_info($1_usertype) |
bbcd3c97 | 600 | # Find CDROM devices: |
3eaa9939 DW |
601 | kernel_read_device_sysctls($1_usertype) |
602 | kernel_request_load_module($1_usertype) | |
296273a7 | 603 | |
3eaa9939 DW |
604 | corenet_udp_bind_generic_node($1_usertype) |
605 | corenet_udp_bind_generic_port($1_usertype) | |
bbcd3c97 | 606 | |
3eaa9939 DW |
607 | dev_read_rand($1_usertype) |
608 | dev_write_sound($1_usertype) | |
609 | dev_read_sound($1_usertype) | |
610 | dev_read_sound_mixer($1_usertype) | |
611 | dev_write_sound_mixer($1_usertype) | |
bbcd3c97 | 612 | |
3eaa9939 DW |
613 | files_exec_etc_files($1_usertype) |
614 | files_search_locks($1_usertype) | |
bbcd3c97 | 615 | # Check to see if cdrom is mounted |
3eaa9939 | 616 | files_search_mnt($1_usertype) |
bbcd3c97 | 617 | # cjp: perhaps should cut back on file reads: |
3eaa9939 DW |
618 | files_read_var_files($1_usertype) |
619 | files_read_var_symlinks($1_usertype) | |
620 | files_read_generic_spool($1_usertype) | |
621 | files_read_var_lib_files($1_usertype) | |
bbcd3c97 | 622 | # Stat lost+found. |
3eaa9939 DW |
623 | files_getattr_lost_found_dirs($1_usertype) |
624 | files_read_config_files($1_usertype) | |
625 | fs_read_noxattr_fs_files($1_usertype) | |
626 | fs_read_noxattr_fs_symlinks($1_usertype) | |
627 | fs_rw_cgroup_files($1_usertype) | |
bbcd3c97 | 628 | |
f3ef2629 DW |
629 | application_getattr_socket($1_usertype) |
630 | ||
3eaa9939 DW |
631 | logging_send_syslog_msg($1_usertype) |
632 | logging_send_audit_msgs($1_usertype) | |
633 | selinux_get_enforce_mode($1_usertype) | |
e2b9add5 | 634 | |
bbcd3c97 | 635 | # cjp: some of this probably can be removed |
3eaa9939 DW |
636 | selinux_get_fs_mount($1_usertype) |
637 | selinux_validate_context($1_usertype) | |
638 | selinux_compute_access_vector($1_usertype) | |
639 | selinux_compute_create_context($1_usertype) | |
640 | selinux_compute_relabel_context($1_usertype) | |
641 | selinux_compute_user_contexts($1_usertype) | |
bbcd3c97 CP |
642 | |
643 | # for eject | |
3eaa9939 | 644 | storage_getattr_fixed_disk_dev($1_usertype) |
bbcd3c97 | 645 | |
847937da | 646 | auth_use_nsswitch($1_t) |
bbcd3c97 | 647 | auth_read_login_records($1_t) |
bbcd3c97 | 648 | auth_search_pam_console_data($1_t) |
6c4f41ce CP |
649 | auth_run_pam($1_t, $1_r) |
650 | auth_run_utempter($1_t, $1_r) | |
bbcd3c97 | 651 | |
3eaa9939 | 652 | init_read_utmp($1_usertype) |
0c73cd25 | 653 | |
3eaa9939 DW |
654 | seutil_read_file_contexts($1_usertype) |
655 | seutil_read_default_contexts($1_usertype) | |
296273a7 | 656 | seutil_run_newrole($1_t,$1_r) |
6b19be33 | 657 | seutil_exec_checkpolicy($1_t) |
3eaa9939 | 658 | seutil_exec_setfiles($1_usertype) |
bbcd3c97 CP |
659 | # for when the network connection is killed |
660 | # this is needed when a login role can change | |
661 | # to this one. | |
662 | seutil_dontaudit_signal_newrole($1_t) | |
a1fcff33 | 663 | |
34c8fabe | 664 | tunable_policy(`user_direct_mouse',` |
3eaa9939 | 665 | dev_read_mouse($1_usertype) |
34c8fabe | 666 | ') |
0c73cd25 | 667 | |
34c8fabe | 668 | tunable_policy(`user_ttyfile_stat',` |
c3c753f7 | 669 | term_getattr_all_ttys($1_t) |
34c8fabe | 670 | ') |
0c73cd25 | 671 | |
6b19be33 | 672 | optional_policy(` |
3eaa9939 | 673 | alsa_read_rw_config($1_usertype) |
413aac13 | 674 | alsa_manage_home_files($1_t) |
413aac13 | 675 | alsa_relabel_home_files($1_t) |
6b19be33 CP |
676 | ') |
677 | ||
bb7170f6 | 678 | optional_policy(` |
ac9aa26d | 679 | # Allow graphical boot to check battery lifespan |
3eaa9939 | 680 | apm_stream_connect($1_usertype) |
ac9aa26d CP |
681 | ') |
682 | ||
bb7170f6 | 683 | optional_policy(` |
3eaa9939 | 684 | canna_stream_connect($1_usertype) |
3509484c CP |
685 | ') |
686 | ||
bb7170f6 | 687 | optional_policy(` |
3eaa9939 DW |
688 | chrome_role($1_r, $1_usertype) |
689 | ') | |
690 | ||
bfc1cfe9 MG |
691 | optional_policy(` |
692 | colord_read_lib_files($1_usertype) | |
693 | ') | |
694 | ||
3eaa9939 DW |
695 | optional_policy(` |
696 | dbus_system_bus_client($1_usertype) | |
697 | ||
698 | allow $1_usertype $1_usertype:dbus send_msg; | |
699 | ||
700 | optional_policy(` | |
701 | avahi_dbus_chat($1_usertype) | |
702 | ') | |
703 | ||
704 | optional_policy(` | |
705 | policykit_dbus_chat($1_usertype) | |
706 | ') | |
707 | ||
708 | optional_policy(` | |
709 | bluetooth_dbus_chat($1_usertype) | |
710 | ') | |
711 | ||
712 | optional_policy(` | |
713 | consolekit_dbus_chat($1_usertype) | |
714 | consolekit_read_log($1_usertype) | |
715 | ') | |
716 | ||
717 | optional_policy(` | |
718 | devicekit_dbus_chat($1_usertype) | |
719 | devicekit_dbus_chat_power($1_usertype) | |
720 | devicekit_dbus_chat_disk($1_usertype) | |
721 | ') | |
722 | ||
723 | optional_policy(` | |
724 | evolution_dbus_chat($1_usertype) | |
725 | evolution_alarm_dbus_chat($1_usertype) | |
726 | ') | |
d828b5ca | 727 | |
bbcd3c97 | 728 | optional_policy(` |
3eaa9939 | 729 | gnome_dbus_chat_gconfdefault($1_usertype) |
bbcd3c97 CP |
730 | ') |
731 | ||
6b19be33 | 732 | optional_policy(` |
3eaa9939 | 733 | hal_dbus_chat($1_usertype) |
6b19be33 CP |
734 | ') |
735 | ||
1acd60e5 MG |
736 | optional_policy(` |
737 | kde_dbus_chat_backlighthelper($1_usertype) | |
738 | ') | |
739 | ||
bb7170f6 | 740 | optional_policy(` |
3eaa9939 | 741 | modemmanager_dbus_chat($1_usertype) |
9fd4b818 CP |
742 | ') |
743 | ||
bb7170f6 | 744 | optional_policy(` |
3eaa9939 DW |
745 | networkmanager_dbus_chat($1_usertype) |
746 | networkmanager_read_lib_files($1_usertype) | |
ac9aa26d CP |
747 | ') |
748 | ||
bb7170f6 | 749 | optional_policy(` |
3eaa9939 | 750 | vpn_dbus_chat($1_usertype) |
d828b5ca | 751 | ') |
0c3d1705 CP |
752 | ') |
753 | ||
bb7170f6 | 754 | optional_policy(` |
3eaa9939 DW |
755 | git_session_role($1_r, $1_usertype) |
756 | ') | |
757 | ||
758 | optional_policy(` | |
759 | inetd_use_fds($1_usertype) | |
760 | inetd_rw_tcp_sockets($1_usertype) | |
b24f35d8 CP |
761 | ') |
762 | ||
bb7170f6 | 763 | optional_policy(` |
3eaa9939 DW |
764 | inn_read_config($1_usertype) |
765 | inn_read_news_lib($1_usertype) | |
766 | inn_read_news_spool($1_usertype) | |
9b06402e CP |
767 | ') |
768 | ||
cdd2b8d2 MG |
769 | optional_policy(` |
770 | lircd_stream_connect($1_usertype) | |
771 | ') | |
772 | ||
6b19be33 | 773 | optional_policy(` |
3eaa9939 | 774 | locate_read_lib_files($1_usertype) |
6b19be33 CP |
775 | ') |
776 | ||
bbcd3c97 CP |
777 | # for running depmod as part of the kernel packaging process |
778 | optional_policy(` | |
3eaa9939 DW |
779 | modutils_read_module_config($1_usertype) |
780 | ') | |
781 | ||
782 | optional_policy(` | |
783 | mta_rw_spool($1_usertype) | |
784 | mta_manage_queue($1_usertype) | |
780198a1 | 785 | mta_filetrans_home_content($1_usertype) |
bbcd3c97 CP |
786 | ') |
787 | ||
cc0c00d0 | 788 | optional_policy(` |
3eaa9939 | 789 | nsplugin_role($1_r, $1_usertype) |
cc0c00d0 CP |
790 | ') |
791 | ||
bb7170f6 | 792 | optional_policy(` |
bbcd3c97 CP |
793 | tunable_policy(`allow_user_mysql_connect',` |
794 | mysql_stream_connect($1_t) | |
42be7c21 CP |
795 | ') |
796 | ') | |
797 | ||
329138be DG |
798 | optional_policy(` |
799 | oident_manage_user_content($1_t) | |
800 | oident_relabel_user_content($1_t) | |
801 | ') | |
802 | ||
bb7170f6 | 803 | optional_policy(` |
2ec4c9d3 | 804 | # to allow monitoring of pcmcia status |
3eaa9939 | 805 | pcmcia_read_pid($1_usertype) |
2ec4c9d3 CP |
806 | ') |
807 | ||
6b19be33 | 808 | optional_policy(` |
3eaa9939 DW |
809 | pcscd_read_pub_files($1_usertype) |
810 | pcscd_stream_connect($1_usertype) | |
6b19be33 CP |
811 | ') |
812 | ||
cb10a2d5 CP |
813 | optional_policy(` |
814 | tunable_policy(`allow_user_postgresql_connect',` | |
3eaa9939 DW |
815 | postgresql_stream_connect($1_usertype) |
816 | postgresql_tcp_connect($1_usertype) | |
cb10a2d5 CP |
817 | ') |
818 | ') | |
819 | ||
b057be8d | 820 | optional_policy(` |
3eaa9939 | 821 | resmgr_stream_connect($1_usertype) |
b057be8d CP |
822 | ') |
823 | ||
bb7170f6 | 824 | optional_policy(` |
3eaa9939 DW |
825 | rpc_dontaudit_getattr_exports($1_usertype) |
826 | rpc_manage_nfs_rw_content($1_usertype) | |
f00434fa CP |
827 | ') |
828 | ||
bb7170f6 | 829 | optional_policy(` |
3eaa9939 | 830 | rpcbind_stream_connect($1_usertype) |
ac9aa26d CP |
831 | ') |
832 | ||
bb7170f6 | 833 | optional_policy(` |
3eaa9939 | 834 | samba_stream_connect_winbind($1_usertype) |
1d427acc CP |
835 | ') |
836 | ||
bb7170f6 | 837 | optional_policy(` |
3eaa9939 | 838 | sandbox_transition($1_usertype, $1_r) |
8cc49473 | 839 | ') |
3eaa9939 DW |
840 | |
841 | optional_policy(` | |
842 | seunshare_role_template($1, $1_r, $1_t) | |
6c4f41ce | 843 | usernetctl_run($1_t, $1_r) |
3eaa9939 DW |
844 | ') |
845 | ||
846 | optional_policy(` | |
847 | slrnpull_search_spool($1_usertype) | |
848 | ') | |
849 | ||
2ec4c9d3 | 850 | ') |
b16c6b8c | 851 | |
8fd36732 CP |
852 | ####################################### |
853 | ## <summary> | |
847937da | 854 | ## The template for creating a login user. |
8fd36732 CP |
855 | ## </summary> |
856 | ## <desc> | |
857 | ## <p> | |
858 | ## This template creates a user domain, types, and | |
859 | ## rules for the user's tty, pty, home directories, | |
860 | ## tmp, and tmpfs files. | |
861 | ## </p> | |
862 | ## </desc> | |
863 | ## <param name="userdomain_prefix"> | |
885b83ec | 864 | ## <summary> |
8fd36732 CP |
865 | ## The prefix of the user domain (e.g., user |
866 | ## is the prefix for user_t). | |
885b83ec | 867 | ## </summary> |
8fd36732 | 868 | ## </param> |
b16c6b8c | 869 | # |
847937da | 870 | template(`userdom_login_user_template', ` |
b1a90365 CP |
871 | gen_require(` |
872 | class context contains; | |
873 | ') | |
874 | ||
847937da | 875 | userdom_base_user_template($1) |
563e58e8 | 876 | |
3eaa9939 DW |
877 | userdom_manage_home_role($1_r, $1_usertype) |
878 | ||
879 | userdom_manage_tmp_role($1_r, $1_usertype) | |
880 | userdom_manage_tmpfs_role($1_r, $1_usertype) | |
847937da | 881 | |
3eaa9939 DW |
882 | ifelse(`$1',`unconfined',`',` |
883 | gen_tunable(allow_$1_exec_content, true) | |
847937da | 884 | |
3eaa9939 DW |
885 | tunable_policy(`allow_$1_exec_content',` |
886 | userdom_exec_user_tmp_files($1_usertype) | |
887 | userdom_exec_user_home_content_files($1_usertype) | |
888 | ') | |
889 | tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` | |
890 | fs_exec_nfs_files($1_usertype) | |
891 | ') | |
892 | ||
893 | tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` | |
894 | fs_exec_cifs_files($1_usertype) | |
895 | ') | |
896 | ') | |
847937da CP |
897 | |
898 | userdom_change_password_template($1) | |
563e58e8 | 899 | |
0c73cd25 CP |
900 | ############################## |
901 | # | |
847937da | 902 | # User domain Local policy |
0c73cd25 | 903 | # |
b16c6b8c | 904 | |
847937da CP |
905 | allow $1_t self:capability { setgid chown fowner }; |
906 | dontaudit $1_t self:capability { sys_nice fsetid }; | |
907 | ||
908 | allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; | |
909 | dontaudit $1_t self:process setrlimit; | |
910 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
911 | ||
912 | allow $1_t self:context contains; | |
913 | ||
3eaa9939 DW |
914 | kernel_dontaudit_read_system_state($1_usertype) |
915 | kernel_dontaudit_list_all_proc($1_usertype) | |
847937da | 916 | |
3eaa9939 DW |
917 | dev_read_sysfs($1_usertype) |
918 | dev_read_urand($1_usertype) | |
847937da | 919 | |
3eaa9939 | 920 | domain_use_interactive_fds($1_usertype) |
847937da | 921 | # Command completion can fire hundreds of denials |
3eaa9939 | 922 | domain_dontaudit_exec_all_entry_files($1_usertype) |
847937da | 923 | |
3eaa9939 DW |
924 | files_dontaudit_list_default($1_usertype) |
925 | files_dontaudit_read_default_files($1_usertype) | |
847937da | 926 | # Stat lost+found. |
3eaa9939 | 927 | files_getattr_lost_found_dirs($1_usertype) |
847937da | 928 | |
3eaa9939 DW |
929 | fs_get_all_fs_quotas($1_usertype) |
930 | fs_getattr_all_fs($1_usertype) | |
931 | fs_search_all($1_usertype) | |
932 | fs_list_inotifyfs($1_usertype) | |
933 | fs_rw_anon_inodefs_files($1_usertype) | |
847937da CP |
934 | |
935 | auth_dontaudit_write_login_records($1_t) | |
3eaa9939 | 936 | auth_rw_cache($1_t) |
847937da | 937 | |
847937da CP |
938 | application_exec_all($1_t) |
939 | ||
940 | # The library functions always try to open read-write first, | |
6c4f41ce | 941 | # then fall back to read-only if it fails. |
847937da CP |
942 | init_dontaudit_rw_utmp($1_t) |
943 | # Stop warnings about access to /dev/console | |
3eaa9939 DW |
944 | init_dontaudit_use_fds($1_usertype) |
945 | init_dontaudit_use_script_fds($1_usertype) | |
847937da | 946 | |
3eaa9939 | 947 | libs_exec_lib_files($1_usertype) |
847937da | 948 | |
3eaa9939 | 949 | logging_dontaudit_getattr_all_logs($1_usertype) |
847937da | 950 | |
847937da | 951 | # for running TeX programs |
3eaa9939 DW |
952 | miscfiles_read_tetex_data($1_usertype) |
953 | miscfiles_exec_tetex_data($1_usertype) | |
954 | ||
955 | seutil_read_config($1_usertype) | |
847937da | 956 | |
3eaa9939 DW |
957 | optional_policy(` |
958 | cups_read_config($1_usertype) | |
959 | cups_stream_connect($1_usertype) | |
960 | cups_stream_connect_ptal($1_usertype) | |
961 | ') | |
847937da CP |
962 | |
963 | optional_policy(` | |
3eaa9939 | 964 | kerberos_use($1_usertype) |
d141ac47 | 965 | kerberos_filetrans_home_content($1_usertype) |
847937da CP |
966 | ') |
967 | ||
968 | optional_policy(` | |
3eaa9939 | 969 | mta_dontaudit_read_spool_symlinks($1_usertype) |
847937da CP |
970 | ') |
971 | ||
972 | optional_policy(` | |
3eaa9939 | 973 | quota_dontaudit_getattr_db($1_usertype) |
847937da CP |
974 | ') |
975 | ||
976 | optional_policy(` | |
3eaa9939 DW |
977 | rpm_read_db($1_usertype) |
978 | rpm_dontaudit_manage_db($1_usertype) | |
979 | rpm_read_cache($1_usertype) | |
847937da CP |
980 | ') |
981 | ||
982 | optional_policy(` | |
3eaa9939 | 983 | oddjob_run_mkhomedir($1_t, $1_r) |
847937da CP |
984 | ') |
985 | ') | |
986 | ||
987 | ####################################### | |
988 | ## <summary> | |
989 | ## The template for creating a unprivileged login user. | |
990 | ## </summary> | |
991 | ## <desc> | |
992 | ## <p> | |
993 | ## This template creates a user domain, types, and | |
994 | ## rules for the user's tty, pty, home directories, | |
995 | ## tmp, and tmpfs files. | |
996 | ## </p> | |
997 | ## </desc> | |
998 | ## <param name="userdomain_prefix"> | |
999 | ## <summary> | |
1000 | ## The prefix of the user domain (e.g., user | |
1001 | ## is the prefix for user_t). | |
1002 | ## </summary> | |
1003 | ## </param> | |
1004 | # | |
1005 | template(`userdom_restricted_user_template',` | |
1006 | gen_require(` | |
1007 | attribute unpriv_userdomain; | |
847937da CP |
1008 | ') |
1009 | ||
1010 | userdom_login_user_template($1) | |
b16c6b8c | 1011 | |
0f707d52 | 1012 | typeattribute $1_t unpriv_userdomain; |
15722ec9 | 1013 | domain_interactive_fd($1_t) |
b16c6b8c | 1014 | |
3eaa9939 DW |
1015 | allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; |
1016 | dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; | |
1017 | ||
0c73cd25 CP |
1018 | ############################## |
1019 | # | |
1020 | # Local policy | |
1021 | # | |
1022 | ||
847937da | 1023 | optional_policy(` |
6c4f41ce | 1024 | loadkeys_run($1_t, $1_r) |
847937da CP |
1025 | ') |
1026 | ') | |
1027 | ||
1028 | ####################################### | |
1029 | ## <summary> | |
1030 | ## The template for creating a unprivileged xwindows login user. | |
1031 | ## </summary> | |
1032 | ## <desc> | |
1033 | ## <p> | |
1034 | ## The template for creating a unprivileged xwindows login user. | |
1035 | ## </p> | |
1036 | ## <p> | |
1037 | ## This template creates a user domain, types, and | |
1038 | ## rules for the user's tty, pty, home directories, | |
1039 | ## tmp, and tmpfs files. | |
1040 | ## </p> | |
1041 | ## </desc> | |
1042 | ## <param name="userdomain_prefix"> | |
1043 | ## <summary> | |
1044 | ## The prefix of the user domain (e.g., user | |
1045 | ## is the prefix for user_t). | |
1046 | ## </summary> | |
1047 | ## </param> | |
1048 | # | |
1049 | template(`userdom_restricted_xwindows_user_template',` | |
1050 | ||
1051 | userdom_restricted_user_template($1) | |
1052 | ||
847937da CP |
1053 | ############################## |
1054 | # | |
1055 | # Local policy | |
1056 | # | |
1057 | ||
296273a7 | 1058 | auth_role($1_r, $1_t) |
3eaa9939 | 1059 | auth_search_pam_console_data($1_usertype) |
b45aaab9 | 1060 | auth_dontaudit_read_login_records($1_usertype) |
847937da | 1061 | |
3eaa9939 DW |
1062 | dev_read_sound($1_usertype) |
1063 | dev_write_sound($1_usertype) | |
847937da | 1064 | # gnome keyring wants to read this. |
3eaa9939 DW |
1065 | dev_dontaudit_read_rand($1_usertype) |
1066 | # temporarily allow since openoffice requires this | |
1067 | dev_read_rand($1_usertype) | |
847937da | 1068 | |
3eaa9939 DW |
1069 | dev_read_video_dev($1_usertype) |
1070 | dev_write_video_dev($1_usertype) | |
1071 | dev_rw_wireless($1_usertype) | |
1072 | ||
773094ba DW |
1073 | libs_dontaudit_setattr_lib_files($1_usertype) |
1074 | ||
3eaa9939 DW |
1075 | tunable_policy(`user_rw_noexattrfile',` |
1076 | dev_rw_usbfs($1_t) | |
1077 | dev_rw_generic_usb_dev($1_usertype) | |
1078 | ||
1079 | fs_manage_noxattr_fs_files($1_usertype) | |
1080 | fs_manage_noxattr_fs_dirs($1_usertype) | |
1081 | fs_manage_dos_dirs($1_usertype) | |
1082 | fs_manage_dos_files($1_usertype) | |
1083 | storage_raw_read_removable_device($1_usertype) | |
1084 | storage_raw_write_removable_device($1_usertype) | |
1085 | ') | |
1086 | ||
1087 | logging_send_syslog_msg($1_usertype) | |
847937da CP |
1088 | logging_dontaudit_send_audit_msgs($1_t) |
1089 | ||
1090 | # Need to to this just so screensaver will work. Should be moved to screensaver domain | |
1091 | logging_send_audit_msgs($1_t) | |
1092 | selinux_get_enforce_mode($1_t) | |
3eaa9939 DW |
1093 | seutil_exec_restorecond($1_t) |
1094 | seutil_read_file_contexts($1_t) | |
1095 | seutil_read_default_contexts($1_t) | |
847937da | 1096 | |
93c49bdb CP |
1097 | xserver_restricted_role($1_r, $1_t) |
1098 | ||
847937da | 1099 | optional_policy(` |
3eaa9939 | 1100 | alsa_read_rw_config($1_usertype) |
847937da CP |
1101 | ') |
1102 | ||
a8183914 MG |
1103 | # cjp: needed by KDE apps |
1104 | # bug: #682499 | |
1105 | optional_policy(` | |
1106 | gnome_read_usr_config($1_usertype) | |
3a7aacc9 MG |
1107 | gnome_role_gkeyringd($1, $1_r, $1_t) |
1108 | # cjp: telepathy F15 bugs | |
ed6319f9 | 1109 | #telepathy_role($1_r, $1_t, $1) |
a8183914 MG |
1110 | ') |
1111 | ||
847937da | 1112 | optional_policy(` |
3eaa9939 DW |
1113 | dbus_role_template($1, $1_r, $1_usertype) |
1114 | dbus_system_bus_client($1_usertype) | |
1115 | allow $1_usertype $1_usertype:dbus send_msg; | |
1116 | ||
1117 | optional_policy(` | |
1118 | abrt_dbus_chat($1_usertype) | |
1119 | abrt_run_helper($1_usertype, $1_r) | |
1120 | ') | |
1121 | ||
1122 | optional_policy(` | |
b45aaab9 | 1123 | consolekit_dontaudit_read_log($1_usertype) |
3eaa9939 DW |
1124 | consolekit_dbus_chat($1_usertype) |
1125 | ') | |
1126 | ||
1127 | optional_policy(` | |
1128 | cups_dbus_chat($1_usertype) | |
1129 | cups_dbus_chat_config($1_usertype) | |
1130 | ') | |
847937da CP |
1131 | |
1132 | optional_policy(` | |
3eaa9939 DW |
1133 | devicekit_dbus_chat($1_usertype) |
1134 | devicekit_dbus_chat_disk($1_usertype) | |
1135 | devicekit_dbus_chat_power($1_usertype) | |
847937da CP |
1136 | ') |
1137 | ||
1138 | optional_policy(` | |
3eaa9939 | 1139 | fprintd_dbus_chat($1_t) |
847937da CP |
1140 | ') |
1141 | ') | |
1142 | ||
1143 | optional_policy(` | |
3eaa9939 DW |
1144 | openoffice_role_template($1, $1_r, $1_usertype) |
1145 | ') | |
1146 | ||
1147 | optional_policy(` | |
1148 | policykit_role($1_r, $1_usertype) | |
1149 | ') | |
1150 | ||
1151 | optional_policy(` | |
1152 | pulseaudio_role($1_r, $1_usertype) | |
9bf4902f DG |
1153 | pulseaudio_filetrans_admin_home_content($1_usertype) |
1154 | pulseaudio_filetrans_home_content($1_usertype) | |
3eaa9939 DW |
1155 | ') |
1156 | ||
1157 | optional_policy(` | |
1158 | rtkit_scheduled($1_usertype) | |
847937da CP |
1159 | ') |
1160 | ||
847937da CP |
1161 | optional_policy(` |
1162 | setroubleshoot_dontaudit_stream_connect($1_t) | |
3eaa9939 DW |
1163 | ') |
1164 | ||
1165 | optional_policy(` | |
1166 | udev_read_db($1_usertype) | |
1167 | ') | |
1168 | ||
1169 | optional_policy(` | |
1170 | wm_role_template($1, $1_r, $1_t) | |
847937da CP |
1171 | ') |
1172 | ') | |
1173 | ||
1174 | ####################################### | |
1175 | ## <summary> | |
1176 | ## The template for creating a unprivileged user roughly | |
1177 | ## equivalent to a regular linux user. | |
1178 | ## </summary> | |
1179 | ## <desc> | |
1180 | ## <p> | |
1181 | ## The template for creating a unprivileged user roughly | |
1182 | ## equivalent to a regular linux user. | |
1183 | ## </p> | |
1184 | ## <p> | |
1185 | ## This template creates a user domain, types, and | |
1186 | ## rules for the user's tty, pty, home directories, | |
1187 | ## tmp, and tmpfs files. | |
1188 | ## </p> | |
1189 | ## </desc> | |
1190 | ## <param name="userdomain_prefix"> | |
1191 | ## <summary> | |
1192 | ## The prefix of the user domain (e.g., user | |
1193 | ## is the prefix for user_t). | |
1194 | ## </summary> | |
1195 | ## </param> | |
1196 | # | |
1197 | template(`userdom_unpriv_user_template', ` | |
1198 | ||
1199 | ############################## | |
1200 | # | |
1201 | # Declarations | |
1202 | # | |
1203 | ||
1204 | # Inherit rules for ordinary users. | |
3eaa9939 | 1205 | userdom_restricted_xwindows_user_template($1) |
847937da CP |
1206 | userdom_common_user_template($1) |
1207 | ||
1208 | ############################## | |
1209 | # | |
1210 | # Local policy | |
1211 | # | |
0c73cd25 CP |
1212 | |
1213 | # port access is audited even if dac would not have allowed it, so dontaudit it here | |
3eaa9939 | 1214 | # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) |
bbcd3c97 CP |
1215 | # Need the following rule to allow users to run vpnc |
1216 | corenet_tcp_bind_xserver_port($1_t) | |
8b456c73 | 1217 | corenet_tcp_bind_generic_node($1_usertype) |
0c73cd25 | 1218 | |
3eaa9939 | 1219 | storage_rw_fuse($1_t) |
a1fcff33 | 1220 | |
2ec4c9d3 | 1221 | files_exec_usr_files($1_t) |
fb63d0b5 CP |
1222 | # cjp: why? |
1223 | files_read_kernel_symbol_table($1_t) | |
0c73cd25 | 1224 | |
ed6319f9 MG |
1225 | #ifndef(`enable_mls',` |
1226 | # fs_exec_noxattr($1_t) | |
0c73cd25 | 1227 | |
ed6319f9 MG |
1228 | # tunable_policy(`user_rw_noexattrfile',` |
1229 | # fs_manage_noxattr_fs_files($1_t) | |
1230 | # fs_manage_noxattr_fs_dirs($1_t) | |
6c4f41ce | 1231 | # Write floppies |
ed6319f9 MG |
1232 | # storage_raw_read_removable_device($1_t) |
1233 | # storage_raw_write_removable_device($1_t) | |
1234 | # ',` | |
1235 | # storage_raw_read_removable_device($1_t) | |
1236 | # ') | |
1237 | #') | |
a1fcff33 | 1238 | |
3eaa9939 | 1239 | miscfiles_read_hwdata($1_usertype) |
0c73cd25 CP |
1240 | |
1241 | # Allow users to run TCP servers (bind to ports and accept connection from | |
6073ea1e | 1242 | # the same domain and outside users) disabling this forces FTP passive mode |
0c73cd25 | 1243 | # and may change other protocols |
40068f3d DW |
1244 | |
1245 | tunable_policy(`user_share_music',` | |
7d5759fd | 1246 | corenet_tcp_bind_daap_port($1_usertype) |
40068f3d DW |
1247 | ') |
1248 | ||
34c8fabe | 1249 | tunable_policy(`user_tcp_server',` |
3eaa9939 DW |
1250 | corenet_tcp_bind_all_unreserved_ports($1_usertype) |
1251 | ') | |
1252 | ||
1253 | tunable_policy(`user_setrlimit',` | |
1254 | allow $1_usertype self:process setrlimit; | |
34c8fabe | 1255 | ') |
0c73cd25 | 1256 | |
bb7170f6 | 1257 | optional_policy(` |
3eaa9939 DW |
1258 | cdrecord_role($1_r, $1_t) |
1259 | ') | |
1260 | ||
1261 | optional_policy(` | |
1262 | cron_role($1_r, $1_t) | |
1263 | ') | |
1264 | ||
1265 | optional_policy(` | |
1266 | games_rw_data($1_usertype) | |
1267 | ') | |
1268 | ||
1269 | optional_policy(` | |
1270 | gpg_role($1_r, $1_usertype) | |
1271 | ') | |
1272 | ||
1273 | optional_policy(` | |
1274 | gnomeclock_dbus_chat($1_t) | |
1275 | ') | |
1276 | ||
1277 | optional_policy(` | |
1278 | gpm_stream_connect($1_usertype) | |
1279 | ') | |
1280 | ||
1281 | optional_policy(` | |
1282 | execmem_role_template($1, $1_r, $1_t) | |
1283 | ') | |
1284 | ||
1285 | optional_policy(` | |
1286 | java_role_template($1, $1_r, $1_t) | |
e3b5785f | 1287 | |
bb7170f6 | 1288 | optional_policy(` |
6c4f41ce CP |
1289 | netutils_run_ping_cond($1_t, $1_r) |
1290 | netutils_run_traceroute_cond($1_t, $1_r) | |
3eaa9939 DW |
1291 | ') |
1292 | ||
1293 | optional_policy(` | |
1294 | mono_role_template($1, $1_r, $1_t) | |
e3b5785f | 1295 | |
bb7170f6 | 1296 | optional_policy(` |
6c4f41ce | 1297 | ppp_run_cond($1_t, $1_r) |
3eaa9939 DW |
1298 | ') |
1299 | ||
1300 | optional_policy(` | |
1301 | mount_run_fusermount($1_t, $1_r) | |
5598732f | 1302 | mount_read_pid_files($1_t) |
3eaa9939 DW |
1303 | ') |
1304 | ||
1305 | optional_policy(` | |
1306 | wine_role_template($1, $1_r, $1_t) | |
1f91e1bf CP |
1307 | ') |
1308 | ||
bb7170f6 | 1309 | optional_policy(` |
3eaa9939 | 1310 | postfix_run_postdrop($1_t, $1_r) |
e08118a5 CP |
1311 | ') |
1312 | ||
3eaa9939 | 1313 | # Run pppd in pppd_t by default for user |
6b19be33 | 1314 | optional_policy(` |
3eaa9939 | 1315 | ppp_run_cond($1_t, $1_r) |
6b19be33 | 1316 | ') |
b16c6b8c | 1317 | ') |
4d8ddf9a | 1318 | |
8fd36732 CP |
1319 | ####################################### |
1320 | ## <summary> | |
1321 | ## The template for creating an administrative user. | |
1322 | ## </summary> | |
1323 | ## <desc> | |
1324 | ## <p> | |
1325 | ## This template creates a user domain, types, and | |
1326 | ## rules for the user's tty, pty, home directories, | |
1327 | ## tmp, and tmpfs files. | |
1328 | ## </p> | |
2ec4c9d3 | 1329 | ## <p> |
8fd36732 CP |
1330 | ## The privileges given to administrative users are: |
1331 | ## <ul> | |
1332 | ## <li>Raw disk access</li> | |
1333 | ## <li>Set all sysctls</li> | |
1334 | ## <li>All kernel ring buffer controls</li> | |
8fd36732 CP |
1335 | ## <li>Create, read, write, and delete all files but shadow</li> |
1336 | ## <li>Manage source and binary format SELinux policy</li> | |
1337 | ## <li>Run insmod</li> | |
1338 | ## </ul> | |
2ec4c9d3 CP |
1339 | ## </p> |
1340 | ## </desc> | |
8fd36732 | 1341 | ## <param name="userdomain_prefix"> |
885b83ec | 1342 | ## <summary> |
8fd36732 CP |
1343 | ## The prefix of the user domain (e.g., sysadm |
1344 | ## is the prefix for sysadm_t). | |
885b83ec | 1345 | ## </summary> |
8fd36732 | 1346 | ## </param> |
4d8ddf9a | 1347 | # |
bbcd3c97 | 1348 | template(`userdom_admin_user_template',` |
142e9f40 | 1349 | gen_require(` |
0be901ba | 1350 | attribute admindomain; |
3eaa9939 | 1351 | class passwd { passwd chfn chsh rootok crontab }; |
142e9f40 CP |
1352 | ') |
1353 | ||
0c73cd25 CP |
1354 | ############################## |
1355 | # | |
1356 | # Declarations | |
1357 | # | |
1358 | ||
1359 | # Inherit rules for ordinary users. | |
847937da | 1360 | userdom_login_user_template($1) |
bbcd3c97 | 1361 | userdom_common_user_template($1) |
0c73cd25 | 1362 | |
1815bad1 | 1363 | domain_obj_id_change_exemption($1_t) |
0c73cd25 CP |
1364 | role system_r types $1_t; |
1365 | ||
0be901ba | 1366 | typeattribute $1_t admindomain; |
bd75703c | 1367 | |
142e9f40 | 1368 | ifdef(`direct_sysadm_daemon',` |
1815bad1 | 1369 | domain_system_change_exemption($1_t) |
142e9f40 | 1370 | ') |
2a98379a | 1371 | |
0c73cd25 CP |
1372 | ############################## |
1373 | # | |
1374 | # $1_t local policy | |
1375 | # | |
1376 | ||
847937da | 1377 | allow $1_t self:capability ~{ sys_module audit_control audit_write }; |
4ba442da | 1378 | allow $1_t self:capability2 syslog; |
0c73cd25 | 1379 | allow $1_t self:process { setexec setfscreate }; |
bd75703c CP |
1380 | allow $1_t self:netlink_audit_socket nlmsg_readpriv; |
1381 | allow $1_t self:tun_socket create; | |
0c73cd25 CP |
1382 | # Set password information for other users. |
1383 | allow $1_t self:passwd { passwd chfn chsh }; | |
0c73cd25 CP |
1384 | # Skip authentication when pam_rootok is specified. |
1385 | allow $1_t self:passwd rootok; | |
1386 | ||
3eaa9939 DW |
1387 | # Manipulate other users crontab. |
1388 | allow $1_t self:passwd crontab; | |
1389 | ||
0c73cd25 | 1390 | kernel_read_software_raid_state($1_t) |
445522dc | 1391 | kernel_getattr_core_if($1_t) |
0fd9dc55 | 1392 | kernel_getattr_message_if($1_t) |
0c73cd25 CP |
1393 | kernel_change_ring_buffer_level($1_t) |
1394 | kernel_clear_ring_buffer($1_t) | |
1395 | kernel_read_ring_buffer($1_t) | |
1396 | kernel_get_sysvipc_info($1_t) | |
445522dc | 1397 | kernel_rw_all_sysctls($1_t) |
8fd36732 CP |
1398 | # signal unlabeled processes: |
1399 | kernel_kill_unlabeled($1_t) | |
1400 | kernel_signal_unlabeled($1_t) | |
1401 | kernel_sigstop_unlabeled($1_t) | |
1402 | kernel_signull_unlabeled($1_t) | |
1403 | kernel_sigchld_unlabeled($1_t) | |
3eaa9939 | 1404 | kernel_signal($1_t) |
2ec4c9d3 CP |
1405 | |
1406 | corenet_tcp_bind_generic_port($1_t) | |
1407 | # allow setting up tunnels | |
5b6ddb98 | 1408 | corenet_rw_tun_tap_dev($1_t) |
2ec4c9d3 | 1409 | |
207c4763 CP |
1410 | dev_getattr_generic_blk_files($1_t) |
1411 | dev_getattr_generic_chr_files($1_t) | |
bbcd3c97 CP |
1412 | # for lsof |
1413 | dev_getattr_mtrr_dev($1_t) | |
1414 | # Allow MAKEDEV to work | |
1415 | dev_create_all_blk_files($1_t) | |
1416 | dev_create_all_chr_files($1_t) | |
1417 | dev_delete_all_blk_files($1_t) | |
1418 | dev_delete_all_chr_files($1_t) | |
1419 | dev_rename_all_blk_files($1_t) | |
1420 | dev_rename_all_chr_files($1_t) | |
1421 | dev_create_generic_symlinks($1_t) | |
bba79b24 DW |
1422 | dev_rw_generic_usb_dev($1_t) |
1423 | dev_rw_usbfs($1_t) | |
0c73cd25 | 1424 | |
c9428d33 CP |
1425 | domain_setpriority_all_domains($1_t) |
1426 | domain_read_all_domains_state($1_t) | |
ccc59782 | 1427 | domain_getattr_all_domains($1_t) |
d79b5476 | 1428 | domain_getcap_all_domains($1_t) |
ccc59782 | 1429 | domain_dontaudit_ptrace_all_domains($1_t) |
0c73cd25 CP |
1430 | # signal all domains: |
1431 | domain_kill_all_domains($1_t) | |
1432 | domain_signal_all_domains($1_t) | |
1433 | domain_signull_all_domains($1_t) | |
1434 | domain_sigstop_all_domains($1_t) | |
1435 | domain_sigstop_all_domains($1_t) | |
1436 | domain_sigchld_all_domains($1_t) | |
2ec4c9d3 CP |
1437 | # for lsof |
1438 | domain_getattr_all_sockets($1_t) | |
3eaa9939 | 1439 | domain_dontaudit_getattr_all_sockets($1_t) |
0c73cd25 | 1440 | |
99505c1c | 1441 | files_exec_usr_src_files($1_t) |
0c73cd25 | 1442 | |
bbcd3c97 | 1443 | fs_getattr_all_fs($1_t) |
3eaa9939 DW |
1444 | fs_getattr_all_files($1_t) |
1445 | fs_list_all($1_t) | |
bbcd3c97 CP |
1446 | fs_set_all_quotas($1_t) |
1447 | fs_exec_noxattr($1_t) | |
1448 | ||
1449 | storage_raw_read_removable_device($1_t) | |
1450 | storage_raw_write_removable_device($1_t) | |
579a217f | 1451 | storage_dontaudit_read_fixed_disk($1_t) |
bbcd3c97 | 1452 | |
af2d8802 | 1453 | term_use_all_inherited_terms($1_t) |
9e6ca004 | 1454 | term_use_unallocated_ttys($1_t) |
bbcd3c97 CP |
1455 | |
1456 | auth_getattr_shadow($1_t) | |
1457 | # Manage almost all files | |
1458 | auth_manage_all_files_except_shadow($1_t) | |
1459 | # Relabel almost all files | |
1460 | auth_relabel_all_files_except_shadow($1_t) | |
1461 | ||
1462 | init_telinit($1_t) | |
0c73cd25 | 1463 | |
c9428d33 | 1464 | logging_send_syslog_msg($1_t) |
0c73cd25 | 1465 | |
2371d8d8 MG |
1466 | optional_policy(` |
1467 | modutils_domtrans_insmod($1_t) | |
1468 | modutils_domtrans_depmod($1_t) | |
1469 | ') | |
0c73cd25 | 1470 | |
0c73cd25 CP |
1471 | # The following rule is temporary until such time that a complete |
1472 | # policy management infrastructure is in place so that an administrator | |
1473 | # cannot directly manipulate policy files with arbitrary programs. | |
1815bad1 | 1474 | seutil_manage_src_policy($1_t) |
0c73cd25 CP |
1475 | # Violates the goal of limiting write access to checkpolicy. |
1476 | # But presently necessary for installing the file_contexts file. | |
1815bad1 | 1477 | seutil_manage_bin_policy($1_t) |
0c73cd25 | 1478 | |
296273a7 CP |
1479 | userdom_manage_user_home_content_dirs($1_t) |
1480 | userdom_manage_user_home_content_files($1_t) | |
1481 | userdom_manage_user_home_content_symlinks($1_t) | |
1482 | userdom_manage_user_home_content_pipes($1_t) | |
1483 | userdom_manage_user_home_content_sockets($1_t) | |
1484 | userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) | |
1485 | ||
bbcd3c97 CP |
1486 | tunable_policy(`user_rw_noexattrfile',` |
1487 | fs_manage_noxattr_fs_files($1_t) | |
1488 | fs_manage_noxattr_fs_dirs($1_t) | |
1489 | ',` | |
1490 | fs_read_noxattr_fs_files($1_t) | |
1491 | ') | |
1492 | ||
e8cb08ae CP |
1493 | optional_policy(` |
1494 | postgresql_unconfined($1_t) | |
1495 | ') | |
1496 | ||
6b19be33 CP |
1497 | optional_policy(` |
1498 | userhelper_exec($1_t) | |
1499 | ') | |
1500 | ') | |
1501 | ||
1502 | ######################################## | |
1503 | ## <summary> | |
1504 | ## Allow user to run as a secadm | |
1505 | ## </summary> | |
1506 | ## <desc> | |
1507 | ## <p> | |
1508 | ## Create objects in a user home directory | |
1509 | ## with an automatic type transition to | |
1510 | ## a specified private type. | |
1511 | ## </p> | |
1512 | ## <p> | |
1513 | ## This is a templated interface, and should only | |
1514 | ## be called from a per-userdomain template. | |
1515 | ## </p> | |
1516 | ## </desc> | |
6b19be33 CP |
1517 | ## <param name="domain"> |
1518 | ## <summary> | |
1519 | ## Domain allowed access. | |
1520 | ## </summary> | |
1521 | ## </param> | |
1522 | ## <param name="role"> | |
1523 | ## <summary> | |
1524 | ## The role of the object to create. | |
1525 | ## </summary> | |
1526 | ## </param> | |
6b19be33 CP |
1527 | # |
1528 | template(`userdom_security_admin_template',` | |
1529 | allow $1 self:capability { dac_read_search dac_override }; | |
1530 | ||
1531 | corecmd_exec_shell($1) | |
1532 | ||
1533 | domain_obj_id_change_exemption($1) | |
1534 | ||
1535 | dev_relabel_all_dev_nodes($1) | |
1536 | ||
1537 | files_create_boot_flag($1) | |
3eaa9939 DW |
1538 | files_create_default_dir($1) |
1539 | files_root_filetrans_default($1, dir) | |
6b19be33 CP |
1540 | |
1541 | # Necessary for managing /boot/efi | |
1542 | fs_manage_dos_files($1) | |
1543 | ||
1544 | mls_process_read_up($1) | |
f8233ab7 | 1545 | mls_file_read_all_levels($1) |
6b19be33 CP |
1546 | mls_file_upgrade($1) |
1547 | mls_file_downgrade($1) | |
1548 | ||
1549 | selinux_set_enforce_mode($1) | |
f0435b1a | 1550 | selinux_set_all_booleans($1) |
6b19be33 | 1551 | selinux_set_parameters($1) |
4ba442da | 1552 | selinux_read_policy($1) |
6b19be33 CP |
1553 | |
1554 | auth_relabel_all_files_except_shadow($1) | |
1555 | auth_relabel_shadow($1) | |
1556 | ||
1557 | init_exec($1) | |
1558 | ||
1559 | logging_send_syslog_msg($1) | |
1560 | logging_read_audit_log($1) | |
1561 | logging_read_generic_logs($1) | |
1562 | logging_read_audit_config($1) | |
1563 | ||
1564 | seutil_manage_bin_policy($1) | |
f362730d DW |
1565 | seutil_manage_default_contexts($1) |
1566 | seutil_manage_file_contexts($1) | |
1567 | seutil_manage_module_store($1) | |
1568 | seutil_manage_config($1) | |
e3b5785f | 1569 | |
296273a7 | 1570 | seutil_run_checkpolicy($1,$2) |
ed6319f9 MG |
1571 | seutil_run_loadpolicy($1, $2) |
1572 | seutil_run_semanage($1, $2) | |
1573 | seutil_run_setsebool($1, $2) | |
296273a7 | 1574 | seutil_run_setfiles($1, $2) |
6b19be33 CP |
1575 | |
1576 | optional_policy(` | |
6c4f41ce | 1577 | aide_run($1, $2) |
6b19be33 CP |
1578 | ') |
1579 | ||
1580 | optional_policy(` | |
1581 | consoletype_exec($1) | |
1582 | ') | |
1583 | ||
1584 | optional_policy(` | |
1585 | dmesg_exec($1) | |
1586 | ') | |
1587 | ||
6c4f41ce CP |
1588 | optional_policy(` |
1589 | ipsec_run_setkey($1, $2) | |
9e8f65c8 CP |
1590 | ') |
1591 | ||
6b19be33 | 1592 | optional_policy(` |
6c4f41ce | 1593 | netlabel_run_mgmt($1, $2) |
a1fcff33 | 1594 | ') |
ff449b62 CP |
1595 | |
1596 | optional_policy(` | |
1597 | samhain_run($1, $2) | |
1598 | ') | |
4d8ddf9a | 1599 | ') |
490639cd | 1600 | |
b1bf2f78 CP |
1601 | ######################################## |
1602 | ## <summary> | |
296273a7 CP |
1603 | ## Make the specified type usable in a |
1604 | ## user home directory. | |
b1bf2f78 | 1605 | ## </summary> |
296273a7 | 1606 | ## <param name="type"> |
b1bf2f78 | 1607 | ## <summary> |
296273a7 CP |
1608 | ## Type to be used as a file in the |
1609 | ## user home directory. | |
b1bf2f78 CP |
1610 | ## </summary> |
1611 | ## </param> | |
b1bf2f78 | 1612 | # |
296273a7 CP |
1613 | interface(`userdom_user_home_content',` |
1614 | gen_require(` | |
1615 | type user_home_t; | |
3eaa9939 | 1616 | attribute user_home_type; |
296273a7 CP |
1617 | ') |
1618 | ||
1619 | allow $1 user_home_t:filesystem associate; | |
1620 | files_type($1) | |
1621 | ubac_constrained($1) | |
3eaa9939 DW |
1622 | |
1623 | files_poly_member($1) | |
1624 | typeattribute $1 user_home_type; | |
b1bf2f78 CP |
1625 | ') |
1626 | ||
ca9e8850 DW |
1627 | ######################################## |
1628 | ## <summary> | |
1629 | ## Make the specified type usable in a | |
1630 | ## generic temporary directory. | |
1631 | ## </summary> | |
1632 | ## <param name="type"> | |
1633 | ## <summary> | |
1634 | ## Type to be used as a file in the | |
1635 | ## generic temporary directory. | |
1636 | ## </summary> | |
1637 | ## </param> | |
1638 | # | |
1639 | interface(`userdom_user_tmp_content',` | |
1640 | gen_require(` | |
1641 | attribute user_tmp_type; | |
1642 | ') | |
1643 | ||
1644 | typeattribute $1 user_tmp_type; | |
1645 | ||
1646 | files_tmp_file($1) | |
1647 | ubac_constrained($1) | |
1648 | ') | |
1649 | ||
04b8986d DG |
1650 | ######################################## |
1651 | ## <summary> | |
1652 | ## Make the specified type usable in a | |
1653 | ## generic tmpfs_t directory. | |
1654 | ## </summary> | |
1655 | ## <param name="type"> | |
1656 | ## <summary> | |
1657 | ## Type to be used as a file in the | |
1658 | ## generic temporary directory. | |
1659 | ## </summary> | |
1660 | ## </param> | |
1661 | # | |
1662 | interface(`userdom_user_tmpfs_content',` | |
1663 | gen_require(` | |
1664 | attribute user_tmpfs_type; | |
1665 | ') | |
1666 | ||
1667 | typeattribute $1 user_tmpfs_type; | |
1668 | ||
1669 | files_tmpfs_file($1) | |
1670 | ubac_constrained($1) | |
1671 | ') | |
1672 | ||
bd75703c CP |
1673 | ######################################## |
1674 | ## <summary> | |
1675 | ## Allow domain to attach to TUN devices created by administrative users. | |
1676 | ## </summary> | |
1677 | ## <param name="domain"> | |
1678 | ## <summary> | |
1679 | ## Domain allowed access. | |
1680 | ## </summary> | |
1681 | ## </param> | |
1682 | # | |
1683 | interface(`userdom_attach_admin_tun_iface',` | |
1684 | gen_require(` | |
0be901ba | 1685 | attribute admindomain; |
bd75703c CP |
1686 | ') |
1687 | ||
0be901ba | 1688 | allow $1 admindomain:tun_socket relabelfrom; |
bd75703c CP |
1689 | allow $1 self:tun_socket relabelto; |
1690 | ') | |
1691 | ||
b1bf2f78 CP |
1692 | ######################################## |
1693 | ## <summary> | |
296273a7 | 1694 | ## Set the attributes of a user pty. |
b1bf2f78 | 1695 | ## </summary> |
296273a7 | 1696 | ## <param name="domain"> |
b1bf2f78 | 1697 | ## <summary> |
296273a7 | 1698 | ## Domain allowed access. |
b1bf2f78 CP |
1699 | ## </summary> |
1700 | ## </param> | |
b1bf2f78 | 1701 | # |
296273a7 CP |
1702 | interface(`userdom_setattr_user_ptys',` |
1703 | gen_require(` | |
1704 | type user_devpts_t; | |
1705 | ') | |
1706 | ||
bf530f53 | 1707 | allow $1 user_devpts_t:chr_file setattr_chr_file_perms; |
b1bf2f78 CP |
1708 | ') |
1709 | ||
1710 | ######################################## | |
1711 | ## <summary> | |
296273a7 | 1712 | ## Create a user pty. |
b1bf2f78 | 1713 | ## </summary> |
296273a7 | 1714 | ## <param name="domain"> |
b1bf2f78 | 1715 | ## <summary> |
296273a7 | 1716 | ## Domain allowed access. |
b1bf2f78 CP |
1717 | ## </summary> |
1718 | ## </param> | |
b1bf2f78 | 1719 | # |
296273a7 CP |
1720 | interface(`userdom_create_user_pty',` |
1721 | gen_require(` | |
1722 | type user_devpts_t; | |
1723 | ') | |
1724 | ||
1725 | term_create_pty($1, user_devpts_t) | |
b1bf2f78 CP |
1726 | ') |
1727 | ||
1728 | ######################################## | |
1729 | ## <summary> | |
296273a7 | 1730 | ## Get the attributes of user home directories. |
b1bf2f78 | 1731 | ## </summary> |
296273a7 | 1732 | ## <param name="domain"> |
b1bf2f78 | 1733 | ## <summary> |
296273a7 | 1734 | ## Domain allowed access. |
b1bf2f78 CP |
1735 | ## </summary> |
1736 | ## </param> | |
b1bf2f78 | 1737 | # |
296273a7 CP |
1738 | interface(`userdom_getattr_user_home_dirs',` |
1739 | gen_require(` | |
1740 | type user_home_dir_t; | |
1741 | ') | |
1742 | ||
1743 | allow $1 user_home_dir_t:dir getattr_dir_perms; | |
1744 | files_search_home($1) | |
b1bf2f78 CP |
1745 | ') |
1746 | ||
1747 | ######################################## | |
1748 | ## <summary> | |
296273a7 | 1749 | ## Do not audit attempts to get the attributes of user home directories. |
b1bf2f78 | 1750 | ## </summary> |
296273a7 | 1751 | ## <param name="domain"> |
b1bf2f78 | 1752 | ## <summary> |
a0546c9d | 1753 | ## Domain to not audit. |
b1bf2f78 CP |
1754 | ## </summary> |
1755 | ## </param> | |
b1bf2f78 | 1756 | # |
296273a7 CP |
1757 | interface(`userdom_dontaudit_getattr_user_home_dirs',` |
1758 | gen_require(` | |
1759 | type user_home_dir_t; | |
1760 | ') | |
1761 | ||
1762 | dontaudit $1 user_home_dir_t:dir getattr_dir_perms; | |
b1bf2f78 CP |
1763 | ') |
1764 | ||
1765 | ######################################## | |
1766 | ## <summary> | |
296273a7 | 1767 | ## Search user home directories. |
b1bf2f78 | 1768 | ## </summary> |
296273a7 | 1769 | ## <param name="domain"> |
b1bf2f78 | 1770 | ## <summary> |
296273a7 | 1771 | ## Domain allowed access. |
b1bf2f78 CP |
1772 | ## </summary> |
1773 | ## </param> | |
b1bf2f78 | 1774 | # |
296273a7 CP |
1775 | interface(`userdom_search_user_home_dirs',` |
1776 | gen_require(` | |
1777 | type user_home_dir_t; | |
1778 | ') | |
1779 | ||
1780 | allow $1 user_home_dir_t:dir search_dir_perms; | |
3eaa9939 | 1781 | allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; |
296273a7 | 1782 | files_search_home($1) |
b1bf2f78 CP |
1783 | ') |
1784 | ||
1785 | ######################################## | |
1786 | ## <summary> | |
c46376e6 | 1787 | ## Do not audit attempts to search user home directories. |
b1bf2f78 | 1788 | ## </summary> |
c46376e6 CP |
1789 | ## <desc> |
1790 | ## <p> | |
1791 | ## Do not audit attempts to search user home directories. | |
1792 | ## This will supress SELinux denial messages when the specified | |
1793 | ## domain is denied the permission to search these directories. | |
1794 | ## </p> | |
1795 | ## </desc> | |
296273a7 | 1796 | ## <param name="domain"> |
b1bf2f78 | 1797 | ## <summary> |
c46376e6 | 1798 | ## Domain to not audit. |
b1bf2f78 CP |
1799 | ## </summary> |
1800 | ## </param> | |
c46376e6 | 1801 | ## <infoflow type="none"/> |
b1bf2f78 | 1802 | # |
296273a7 CP |
1803 | interface(`userdom_dontaudit_search_user_home_dirs',` |
1804 | gen_require(` | |
1805 | type user_home_dir_t; | |
1806 | ') | |
1807 | ||
1808 | dontaudit $1 user_home_dir_t:dir search_dir_perms; | |
b1bf2f78 CP |
1809 | ') |
1810 | ||
1811 | ######################################## | |
1812 | ## <summary> | |
ff8f0a63 | 1813 | ## List user home directories. |
b1bf2f78 | 1814 | ## </summary> |
296273a7 | 1815 | ## <param name="domain"> |
b1bf2f78 | 1816 | ## <summary> |
ff8f0a63 | 1817 | ## Domain allowed access. |
b1bf2f78 CP |
1818 | ## </summary> |
1819 | ## </param> | |
b1bf2f78 | 1820 | # |
296273a7 CP |
1821 | interface(`userdom_list_user_home_dirs',` |
1822 | gen_require(` | |
1823 | type user_home_dir_t; | |
1824 | ') | |
b1bf2f78 | 1825 | |
296273a7 CP |
1826 | allow $1 user_home_dir_t:dir list_dir_perms; |
1827 | files_search_home($1) | |
3eaa9939 DW |
1828 | |
1829 | tunable_policy(`use_nfs_home_dirs',` | |
1830 | fs_list_nfs($1) | |
1831 | ') | |
1832 | ||
1833 | tunable_policy(`use_samba_home_dirs',` | |
1834 | fs_list_cifs($1) | |
1835 | ') | |
de8af9dc CP |
1836 | ') |
1837 | ||
7c2f5a82 CP |
1838 | ######################################## |
1839 | ## <summary> | |
296273a7 | 1840 | ## Do not audit attempts to list user home subdirectories. |
7c2f5a82 CP |
1841 | ## </summary> |
1842 | ## <param name="domain"> | |
885b83ec | 1843 | ## <summary> |
a7ee7f81 | 1844 | ## Domain to not audit. |
885b83ec | 1845 | ## </summary> |
7c2f5a82 CP |
1846 | ## </param> |
1847 | # | |
296273a7 | 1848 | interface(`userdom_dontaudit_list_user_home_dirs',` |
7c2f5a82 | 1849 | gen_require(` |
296273a7 | 1850 | type user_home_dir_t; |
3eaa9939 | 1851 | type user_home_t; |
7c2f5a82 CP |
1852 | ') |
1853 | ||
296273a7 | 1854 | dontaudit $1 user_home_dir_t:dir list_dir_perms; |
3eaa9939 | 1855 | dontaudit $1 user_home_t:dir list_dir_perms; |
7c2f5a82 CP |
1856 | ') |
1857 | ||
1858 | ######################################## | |
1859 | ## <summary> | |
296273a7 | 1860 | ## Create user home directories. |
7c2f5a82 CP |
1861 | ## </summary> |
1862 | ## <param name="domain"> | |
885b83ec | 1863 | ## <summary> |
7c2f5a82 | 1864 | ## Domain allowed access. |
885b83ec | 1865 | ## </summary> |
7c2f5a82 CP |
1866 | ## </param> |
1867 | # | |
296273a7 CP |
1868 | interface(`userdom_create_user_home_dirs',` |
1869 | gen_require(` | |
1870 | type user_home_dir_t; | |
1871 | ') | |
1872 | ||
1873 | allow $1 user_home_dir_t:dir create_dir_perms; | |
7c2f5a82 CP |
1874 | ') |
1875 | ||
1876 | ######################################## | |
1877 | ## <summary> | |
296273a7 | 1878 | ## Create user home directories. |
7c2f5a82 CP |
1879 | ## </summary> |
1880 | ## <param name="domain"> | |
885b83ec | 1881 | ## <summary> |
7c2f5a82 | 1882 | ## Domain allowed access. |
885b83ec | 1883 | ## </summary> |
7c2f5a82 CP |
1884 | ## </param> |
1885 | # | |
296273a7 | 1886 | interface(`userdom_manage_user_home_dirs',` |
7c2f5a82 | 1887 | gen_require(` |
296273a7 | 1888 | type user_home_dir_t; |
7c2f5a82 CP |
1889 | ') |
1890 | ||
296273a7 | 1891 | allow $1 user_home_dir_t:dir manage_dir_perms; |
7c2f5a82 CP |
1892 | ') |
1893 | ||
d490eb6b | 1894 | ######################################## |
ab940a4c | 1895 | ## <summary> |
296273a7 | 1896 | ## Relabel to user home directories. |
ab940a4c | 1897 | ## </summary> |
414e4151 | 1898 | ## <param name="domain"> |
885b83ec | 1899 | ## <summary> |
725926c5 | 1900 | ## Domain allowed access. |
885b83ec | 1901 | ## </summary> |
414e4151 | 1902 | ## </param> |
d490eb6b | 1903 | # |
296273a7 CP |
1904 | interface(`userdom_relabelto_user_home_dirs',` |
1905 | gen_require(` | |
1906 | type user_home_dir_t; | |
1907 | ') | |
d490eb6b | 1908 | |
296273a7 | 1909 | allow $1 user_home_dir_t:dir relabelto; |
7c2f5a82 CP |
1910 | ') |
1911 | ||
3eaa9939 DW |
1912 | |
1913 | ######################################## | |
1914 | ## <summary> | |
1915 | ## Relabel to user home files. | |
1916 | ## </summary> | |
1917 | ## <param name="domain"> | |
1918 | ## <summary> | |
1919 | ## Domain allowed access. | |
1920 | ## </summary> | |
1921 | ## </param> | |
1922 | # | |
1923 | interface(`userdom_relabelto_user_home_files',` | |
1924 | gen_require(` | |
1925 | type user_home_t; | |
1926 | ') | |
1927 | ||
1928 | allow $1 user_home_t:file relabelto; | |
1929 | ') | |
1930 | ######################################## | |
1931 | ## <summary> | |
1932 | ## Relabel user home files. | |
1933 | ## </summary> | |
1934 | ## <param name="domain"> | |
1935 | ## <summary> | |
1936 | ## Domain allowed access. | |
1937 | ## </summary> | |
1938 | ## </param> | |
1939 | # | |
1940 | interface(`userdom_relabel_user_home_files',` | |
1941 | gen_require(` | |
1942 | type user_home_t; | |
1943 | ') | |
1944 | ||
83029ff3 | 1945 | allow $1 user_home_t:file relabel_file_perms; |
3eaa9939 DW |
1946 | ') |
1947 | ||
7c2f5a82 CP |
1948 | ######################################## |
1949 | ## <summary> | |
296273a7 CP |
1950 | ## Create directories in the home dir root with |
1951 | ## the user home directory type. | |
7c2f5a82 CP |
1952 | ## </summary> |
1953 | ## <param name="domain"> | |
885b83ec | 1954 | ## <summary> |
7c2f5a82 | 1955 | ## Domain allowed access. |
885b83ec | 1956 | ## </summary> |
7c2f5a82 CP |
1957 | ## </param> |
1958 | # | |
296273a7 CP |
1959 | interface(`userdom_home_filetrans_user_home_dir',` |
1960 | gen_require(` | |
1961 | type user_home_dir_t; | |
1962 | ') | |
7c2f5a82 | 1963 | |
296273a7 | 1964 | files_home_filetrans($1, user_home_dir_t, dir) |
7c2f5a82 CP |
1965 | ') |
1966 | ||
d42c7ede CP |
1967 | ######################################## |
1968 | ## <summary> | |
296273a7 CP |
1969 | ## Do a domain transition to the specified |
1970 | ## domain when executing a program in the | |
1971 | ## user home directory. | |
d42c7ede CP |
1972 | ## </summary> |
1973 | ## <desc> | |
1974 | ## <p> | |
296273a7 CP |
1975 | ## Do a domain transition to the specified |
1976 | ## domain when executing a program in the | |
1977 | ## user home directory. | |
d42c7ede CP |
1978 | ## </p> |
1979 | ## <p> | |
296273a7 CP |
1980 | ## No interprocess communication (signals, pipes, |
1981 | ## etc.) is provided by this interface since | |
1982 | ## the domains are not owned by this module. | |
d42c7ede CP |
1983 | ## </p> |
1984 | ## </desc> | |
296273a7 | 1985 | ## <param name="source_domain"> |
d42c7ede | 1986 | ## <summary> |
a0546c9d | 1987 | ## Domain allowed to transition. |
d42c7ede CP |
1988 | ## </summary> |
1989 | ## </param> | |
296273a7 | 1990 | ## <param name="target_domain"> |
d42c7ede | 1991 | ## <summary> |
296273a7 | 1992 | ## Domain to transition to. |
d42c7ede CP |
1993 | ## </summary> |
1994 | ## </param> | |
1995 | # | |
296273a7 CP |
1996 | interface(`userdom_user_home_domtrans',` |
1997 | gen_require(` | |
1998 | type user_home_dir_t, user_home_t; | |
1999 | ') | |
d42c7ede | 2000 | |
296273a7 CP |
2001 | domain_auto_trans($1, user_home_t, $2) |
2002 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2003 | files_search_home($1) | |
d42c7ede CP |
2004 | ') |
2005 | ||
ae9e2716 CP |
2006 | ######################################## |
2007 | ## <summary> | |
296273a7 | 2008 | ## Do not audit attempts to search user home content directories. |
ae9e2716 CP |
2009 | ## </summary> |
2010 | ## <param name="domain"> | |
885b83ec | 2011 | ## <summary> |
a7ee7f81 | 2012 | ## Domain to not audit. |
885b83ec | 2013 | ## </summary> |
ae9e2716 CP |
2014 | ## </param> |
2015 | # | |
296273a7 CP |
2016 | interface(`userdom_dontaudit_search_user_home_content',` |
2017 | gen_require(` | |
2018 | type user_home_t; | |
2019 | ') | |
ae9e2716 | 2020 | |
296273a7 | 2021 | dontaudit $1 user_home_t:dir search_dir_perms; |
3eaa9939 DW |
2022 | fs_dontaudit_list_nfs($1) |
2023 | fs_dontaudit_list_cifs($1) | |
ae9e2716 CP |
2024 | ') |
2025 | ||
2d743657 CP |
2026 | ######################################## |
2027 | ## <summary> | |
2028 | ## List contents of users home directory. | |
2029 | ## </summary> | |
2030 | ## <param name="domain"> | |
2031 | ## <summary> | |
2032 | ## Domain allowed access. | |
2033 | ## </summary> | |
2034 | ## </param> | |
2035 | # | |
2036 | interface(`userdom_list_user_home_content',` | |
2037 | gen_require(` | |
3eaa9939 DW |
2038 | type user_home_dir_t; |
2039 | attribute user_home_type; | |
2d743657 CP |
2040 | ') |
2041 | ||
3eaa9939 DW |
2042 | files_list_home($1) |
2043 | allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; | |
2d743657 CP |
2044 | ') |
2045 | ||
cdc86ee5 CP |
2046 | ######################################## |
2047 | ## <summary> | |
296273a7 CP |
2048 | ## Create, read, write, and delete directories |
2049 | ## in a user home subdirectory. | |
cdc86ee5 CP |
2050 | ## </summary> |
2051 | ## <param name="domain"> | |
2052 | ## <summary> | |
2053 | ## Domain allowed access. | |
2054 | ## </summary> | |
2055 | ## </param> | |
2056 | # | |
296273a7 CP |
2057 | interface(`userdom_manage_user_home_content_dirs',` |
2058 | gen_require(` | |
2059 | type user_home_dir_t, user_home_t; | |
2060 | ') | |
2061 | ||
2062 | manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) | |
2063 | files_search_home($1) | |
cdc86ee5 CP |
2064 | ') |
2065 | ||
4083191c CP |
2066 | ######################################## |
2067 | ## <summary> | |
2068 | ## Delete directories in a user home subdirectory. | |
2069 | ## </summary> | |
2070 | ## <param name="domain"> | |
2071 | ## <summary> | |
2072 | ## Domain allowed access. | |
2073 | ## </summary> | |
2074 | ## </param> | |
2075 | # | |
2076 | interface(`userdom_delete_user_home_content_dirs',` | |
2077 | gen_require(` | |
2078 | type user_home_t; | |
2079 | ') | |
2080 | ||
2081 | allow $1 user_home_t:dir delete_dir_perms; | |
2082 | ') | |
2083 | ||
a6687c87 DG |
2084 | ######################################## |
2085 | ## <summary> | |
2086 | ## Delete all directories in a user home subdirectory. | |
2087 | ## </summary> | |
2088 | ## <param name="domain"> | |
2089 | ## <summary> | |
2090 | ## Domain allowed access. | |
2091 | ## </summary> | |
2092 | ## </param> | |
2093 | # | |
2094 | interface(`userdom_delete_all_user_home_content_dirs',` | |
2095 | gen_require(` | |
2096 | attribute user_home_type; | |
2097 | ') | |
2098 | ||
2099 | allow $1 user_home_type:dir delete_dir_perms; | |
2100 | ') | |
2101 | ||
3eaa9939 DW |
2102 | ######################################## |
2103 | ## <summary> | |
2104 | ## Set the attributes of user home files. | |
2105 | ## </summary> | |
2106 | ## <param name="domain"> | |
2107 | ## <summary> | |
2108 | ## Domain allowed access. | |
2109 | ## </summary> | |
2110 | ## </param> | |
2111 | ## <rolecap/> | |
2112 | # | |
2113 | interface(`userdom_setattr_user_home_content_files',` | |
2114 | gen_require(` | |
2115 | type user_home_t; | |
2116 | ') | |
2117 | ||
2118 | allow $1 user_home_t:file setattr; | |
2119 | ') | |
2120 | ||
d6d16b97 CP |
2121 | ######################################## |
2122 | ## <summary> | |
296273a7 CP |
2123 | ## Do not audit attempts to set the |
2124 | ## attributes of user home files. | |
d6d16b97 CP |
2125 | ## </summary> |
2126 | ## <param name="domain"> | |
2127 | ## <summary> | |
a0546c9d | 2128 | ## Domain to not audit. |
d6d16b97 CP |
2129 | ## </summary> |
2130 | ## </param> | |
2131 | # | |
296273a7 CP |
2132 | interface(`userdom_dontaudit_setattr_user_home_content_files',` |
2133 | gen_require(` | |
2134 | type user_home_t; | |
2135 | ') | |
d6d16b97 | 2136 | |
bf530f53 | 2137 | dontaudit $1 user_home_t:file setattr_file_perms; |
b0d2243c CP |
2138 | ') |
2139 | ||
a6687c87 DG |
2140 | ######################################## |
2141 | ## <summary> | |
2142 | ## Set the attributes of all user home directories. | |
2143 | ## </summary> | |
2144 | ## <param name="domain"> | |
2145 | ## <summary> | |
2146 | ## Domain allowed access. | |
2147 | ## </summary> | |
2148 | ## </param> | |
2149 | ## <rolecap/> | |
2150 | # | |
2151 | interface(`userdom_setattr_all_user_home_content_dirs',` | |
2152 | gen_require(` | |
2153 | attribute user_home_type; | |
2154 | ') | |
2155 | ||
2156 | allow $1 user_home_type:dir setattr_dir_perms; | |
2157 | ') | |
2158 | ||
fd89e19f CP |
2159 | ######################################## |
2160 | ## <summary> | |
296273a7 | 2161 | ## Mmap user home files. |
fd89e19f CP |
2162 | ## </summary> |
2163 | ## <param name="domain"> | |
885b83ec | 2164 | ## <summary> |
725926c5 | 2165 | ## Domain allowed access. |
885b83ec | 2166 | ## </summary> |
fd89e19f CP |
2167 | ## </param> |
2168 | # | |
296273a7 CP |
2169 | interface(`userdom_mmap_user_home_content_files',` |
2170 | gen_require(` | |
2171 | type user_home_dir_t, user_home_t; | |
2172 | ') | |
fd89e19f | 2173 | |
296273a7 CP |
2174 | mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
2175 | files_search_home($1) | |
1f91e1bf CP |
2176 | ') |
2177 | ||
725926c5 CP |
2178 | ######################################## |
2179 | ## <summary> | |
296273a7 | 2180 | ## Read user home files. |
725926c5 CP |
2181 | ## </summary> |
2182 | ## <param name="domain"> | |
885b83ec | 2183 | ## <summary> |
725926c5 | 2184 | ## Domain allowed access. |
885b83ec | 2185 | ## </summary> |
725926c5 CP |
2186 | ## </param> |
2187 | # | |
296273a7 CP |
2188 | interface(`userdom_read_user_home_content_files',` |
2189 | gen_require(` | |
2190 | type user_home_dir_t, user_home_t; | |
2191 | ') | |
2192 | ||
3eaa9939 | 2193 | list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) |
296273a7 CP |
2194 | read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
2195 | files_search_home($1) | |
725926c5 CP |
2196 | ') |
2197 | ||
daa0e0b0 | 2198 | ######################################## |
ab940a4c | 2199 | ## <summary> |
3eaa9939 | 2200 | ## Do not audit attempts to getattr user home files. |
ab940a4c | 2201 | ## </summary> |
414e4151 | 2202 | ## <param name="domain"> |
885b83ec | 2203 | ## <summary> |
296273a7 | 2204 | ## Domain to not audit. |
885b83ec | 2205 | ## </summary> |
414e4151 | 2206 | ## </param> |
490639cd | 2207 | # |
3eaa9939 | 2208 | interface(`userdom_dontaudit_getattr_user_home_content',` |
296273a7 | 2209 | gen_require(` |
3eaa9939 | 2210 | attribute user_home_type; |
296273a7 CP |
2211 | ') |
2212 | ||
3eaa9939 DW |
2213 | dontaudit $1 user_home_type:dir getattr; |
2214 | dontaudit $1 user_home_type:file getattr; | |
2215 | ') | |
2216 | ||
2217 | ######################################## | |
2218 | ## <summary> | |
2219 | ## Do not audit attempts to read user home files. | |
2220 | ## </summary> | |
2221 | ## <param name="domain"> | |
2222 | ## <summary> | |
2223 | ## Domain to not audit. | |
2224 | ## </summary> | |
2225 | ## </param> | |
2226 | # | |
2227 | interface(`userdom_dontaudit_read_user_home_content_files',` | |
2228 | gen_require(` | |
2229 | attribute user_home_type; | |
2230 | type user_home_dir_t; | |
2231 | ') | |
2232 | ||
2233 | dontaudit $1 user_home_dir_t:dir list_dir_perms; | |
2234 | dontaudit $1 user_home_type:dir list_dir_perms; | |
2235 | dontaudit $1 user_home_type:file read_file_perms; | |
2236 | dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; | |
fd89e19f CP |
2237 | ') |
2238 | ||
50aca6d2 CP |
2239 | ######################################## |
2240 | ## <summary> | |
296273a7 | 2241 | ## Do not audit attempts to append user home files. |
50aca6d2 CP |
2242 | ## </summary> |
2243 | ## <param name="domain"> | |
885b83ec | 2244 | ## <summary> |
50aca6d2 | 2245 | ## Domain to not audit. |
885b83ec | 2246 | ## </summary> |
50aca6d2 CP |
2247 | ## </param> |
2248 | # | |
296273a7 CP |
2249 | interface(`userdom_dontaudit_append_user_home_content_files',` |
2250 | gen_require(` | |
2251 | type user_home_t; | |
2252 | ') | |
2253 | ||
bf530f53 | 2254 | dontaudit $1 user_home_t:file append_file_perms; |
50aca6d2 CP |
2255 | ') |
2256 | ||
fd89e19f CP |
2257 | ######################################## |
2258 | ## <summary> | |
296273a7 | 2259 | ## Do not audit attempts to write user home files. |
fd89e19f CP |
2260 | ## </summary> |
2261 | ## <param name="domain"> | |
885b83ec | 2262 | ## <summary> |
296273a7 | 2263 | ## Domain to not audit. |
885b83ec | 2264 | ## </summary> |
fd89e19f CP |
2265 | ## </param> |
2266 | # | |
296273a7 CP |
2267 | interface(`userdom_dontaudit_write_user_home_content_files',` |
2268 | gen_require(` | |
2269 | type user_home_t; | |
2270 | ') | |
2271 | ||
bf530f53 | 2272 | dontaudit $1 user_home_t:file write_file_perms; |
daa0e0b0 CP |
2273 | ') |
2274 | ||
4083191c CP |
2275 | ######################################## |
2276 | ## <summary> | |
2277 | ## Delete files in a user home subdirectory. | |
2278 | ## </summary> | |
2279 | ## <param name="domain"> | |
2280 | ## <summary> | |
2281 | ## Domain allowed access. | |
2282 | ## </summary> | |
2283 | ## </param> | |
2284 | # | |
2285 | interface(`userdom_delete_user_home_content_files',` | |
2286 | gen_require(` | |
2287 | type user_home_t; | |
2288 | ') | |
2289 | ||
2290 | allow $1 user_home_t:file delete_file_perms; | |
2291 | ') | |
2292 | ||
a6687c87 DG |
2293 | ######################################## |
2294 | ## <summary> | |
2295 | ## Delete all files in a user home subdirectory. | |
2296 | ## </summary> | |
2297 | ## <param name="domain"> | |
2298 | ## <summary> | |
2299 | ## Domain allowed access. | |
2300 | ## </summary> | |
2301 | ## </param> | |
2302 | # | |
2303 | interface(`userdom_delete_all_user_home_content_files',` | |
2304 | gen_require(` | |
2305 | attribute user_home_type; | |
2306 | ') | |
2307 | ||
2308 | allow $1 user_home_type:file delete_file_perms; | |
2309 | ') | |
2310 | ||
d4dca585 | 2311 | ######################################## |
ae841c05 DW |
2312 | ## <summary> |
2313 | ## Delete sock files in a user home subdirectory. | |
2314 | ## </summary> | |
2315 | ## <param name="domain"> | |
2316 | ## <summary> | |
2317 | ## Domain allowed access. | |
2318 | ## </summary> | |
2319 | ## </param> | |
2320 | # | |
2321 | interface(`userdom_delete_user_home_content_sock_files',` | |
2322 | gen_require(` | |
2323 | type user_home_t; | |
2324 | ') | |
2325 | ||
2326 | allow $1 user_home_t:sock_file delete_file_perms; | |
2327 | ') | |
2328 | ||
a6687c87 DG |
2329 | ######################################## |
2330 | ## <summary> | |
2331 | ## Delete all sock files in a user home subdirectory. | |
2332 | ## </summary> | |
2333 | ## <param name="domain"> | |
2334 | ## <summary> | |
2335 | ## Domain allowed access. | |
2336 | ## </summary> | |
2337 | ## </param> | |
2338 | # | |
2339 | interface(`userdom_delete_all_user_home_content_sock_files',` | |
2340 | gen_require(` | |
2341 | attribute user_home_type; | |
2342 | ') | |
2343 | ||
2344 | allow $1 user_home_type:sock_file delete_file_perms; | |
2345 | ') | |
2346 | ||
d4dca585 CP |
2347 | ######################################## |
2348 | ## <summary> | |
296273a7 | 2349 | ## Do not audit attempts to write user home files. |
d4dca585 CP |
2350 | ## </summary> |
2351 | ## <param name="domain"> | |
885b83ec | 2352 | ## <summary> |
d4dca585 | 2353 | ## Domain to not audit. |
885b83ec | 2354 | ## </summary> |
d4dca585 CP |
2355 | ## </param> |
2356 | # | |
296273a7 CP |
2357 | interface(`userdom_dontaudit_relabel_user_home_content_files',` |
2358 | gen_require(` | |
2359 | type user_home_t; | |
2360 | ') | |
2361 | ||
2362 | dontaudit $1 user_home_t:file relabel_file_perms; | |
d4dca585 CP |
2363 | ') |
2364 | ||
0404a390 | 2365 | ######################################## |
ab940a4c | 2366 | ## <summary> |
296273a7 | 2367 | ## Read user home subdirectory symbolic links. |
ab940a4c | 2368 | ## </summary> |
414e4151 | 2369 | ## <param name="domain"> |
885b83ec | 2370 | ## <summary> |
725926c5 | 2371 | ## Domain allowed access. |
885b83ec | 2372 | ## </summary> |
414e4151 | 2373 | ## </param> |
0404a390 | 2374 | # |
296273a7 CP |
2375 | interface(`userdom_read_user_home_content_symlinks',` |
2376 | gen_require(` | |
2377 | type user_home_dir_t, user_home_t; | |
2378 | ') | |
2379 | ||
3eaa9939 | 2380 | allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; |
daa0e0b0 CP |
2381 | ') |
2382 | ||
763c441e | 2383 | ######################################## |
ab940a4c | 2384 | ## <summary> |
296273a7 | 2385 | ## Execute user home files. |
ab940a4c | 2386 | ## </summary> |
414e4151 | 2387 | ## <param name="domain"> |
885b83ec | 2388 | ## <summary> |
296273a7 | 2389 | ## Domain allowed access. |
885b83ec | 2390 | ## </summary> |
414e4151 | 2391 | ## </param> |
296273a7 | 2392 | ## <rolecap/> |
763c441e | 2393 | # |
296273a7 CP |
2394 | interface(`userdom_exec_user_home_content_files',` |
2395 | gen_require(` | |
3eaa9939 DW |
2396 | type user_home_dir_t; |
2397 | attribute user_home_type; | |
296273a7 CP |
2398 | ') |
2399 | ||
2400 | files_search_home($1) | |
3eaa9939 DW |
2401 | exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) |
2402 | dontaudit $1 user_home_type:sock_file execute; | |
296273a7 | 2403 | ') |
763c441e | 2404 | |
fd89e19f CP |
2405 | ######################################## |
2406 | ## <summary> | |
296273a7 | 2407 | ## Do not audit attempts to execute user home files. |
fd89e19f CP |
2408 | ## </summary> |
2409 | ## <param name="domain"> | |
885b83ec | 2410 | ## <summary> |
a0546c9d | 2411 | ## Domain to not audit. |
885b83ec | 2412 | ## </summary> |
fd89e19f CP |
2413 | ## </param> |
2414 | # | |
296273a7 CP |
2415 | interface(`userdom_dontaudit_exec_user_home_content_files',` |
2416 | gen_require(` | |
2417 | type user_home_t; | |
2418 | ') | |
2419 | ||
bf530f53 | 2420 | dontaudit $1 user_home_t:file exec_file_perms; |
fd89e19f CP |
2421 | ') |
2422 | ||
2423 | ######################################## | |
2424 | ## <summary> | |
296273a7 CP |
2425 | ## Create, read, write, and delete files |
2426 | ## in a user home subdirectory. | |
fd89e19f CP |
2427 | ## </summary> |
2428 | ## <param name="domain"> | |
885b83ec | 2429 | ## <summary> |
725926c5 | 2430 | ## Domain allowed access. |
885b83ec | 2431 | ## </summary> |
fd89e19f CP |
2432 | ## </param> |
2433 | # | |
296273a7 CP |
2434 | interface(`userdom_manage_user_home_content_files',` |
2435 | gen_require(` | |
2436 | type user_home_dir_t, user_home_t; | |
2437 | ') | |
2438 | ||
2439 | manage_files_pattern($1, user_home_t, user_home_t) | |
2440 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2441 | files_search_home($1) | |
fd89e19f CP |
2442 | ') |
2443 | ||
799a0b43 CP |
2444 | ######################################## |
2445 | ## <summary> | |
296273a7 CP |
2446 | ## Do not audit attempts to create, read, write, and delete directories |
2447 | ## in a user home subdirectory. | |
799a0b43 CP |
2448 | ## </summary> |
2449 | ## <param name="domain"> | |
885b83ec | 2450 | ## <summary> |
a0546c9d | 2451 | ## Domain to not audit. |
885b83ec | 2452 | ## </summary> |
799a0b43 CP |
2453 | ## </param> |
2454 | # | |
296273a7 CP |
2455 | interface(`userdom_dontaudit_manage_user_home_content_dirs',` |
2456 | gen_require(` | |
2457 | type user_home_dir_t, user_home_t; | |
2458 | ') | |
2459 | ||
2460 | dontaudit $1 user_home_t:dir manage_dir_perms; | |
799a0b43 CP |
2461 | ') |
2462 | ||
44fc06b0 CP |
2463 | ######################################## |
2464 | ## <summary> | |
296273a7 CP |
2465 | ## Create, read, write, and delete symbolic links |
2466 | ## in a user home subdirectory. | |
44fc06b0 CP |
2467 | ## </summary> |
2468 | ## <param name="domain"> | |
885b83ec | 2469 | ## <summary> |
296273a7 | 2470 | ## Domain allowed access. |
885b83ec | 2471 | ## </summary> |
44fc06b0 CP |
2472 | ## </param> |
2473 | # | |
296273a7 CP |
2474 | interface(`userdom_manage_user_home_content_symlinks',` |
2475 | gen_require(` | |
2476 | type user_home_dir_t, user_home_t; | |
2477 | ') | |
2478 | ||
2479 | manage_lnk_files_pattern($1, user_home_t, user_home_t) | |
2480 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2481 | files_search_home($1) | |
44fc06b0 CP |
2482 | ') |
2483 | ||
4083191c CP |
2484 | ######################################## |
2485 | ## <summary> | |
2486 | ## Delete symbolic links in a user home directory. | |
2487 | ## </summary> | |
2488 | ## <param name="domain"> | |
2489 | ## <summary> | |
2490 | ## Domain allowed access. | |
2491 | ## </summary> | |
2492 | ## </param> | |
2493 | # | |
2494 | interface(`userdom_delete_user_home_content_symlinks',` | |
2495 | gen_require(` | |
2496 | type user_home_t; | |
2497 | ') | |
2498 | ||
2499 | allow $1 user_home_t:lnk_file delete_lnk_file_perms; | |
2500 | ') | |
2501 | ||
a6687c87 DG |
2502 | ######################################## |
2503 | ## <summary> | |
2504 | ## Delete all symbolic links in a user home directory. | |
2505 | ## </summary> | |
2506 | ## <param name="domain"> | |
2507 | ## <summary> | |
2508 | ## Domain allowed access. | |
2509 | ## </summary> | |
2510 | ## </param> | |
2511 | # | |
2512 | interface(`userdom_delete_all_user_home_content_symlinks',` | |
2513 | gen_require(` | |
2514 | attribute user_home_type; | |
2515 | ') | |
2516 | ||
2517 | allow $1 user_home_type:lnk_file delete_lnk_file_perms; | |
2518 | ') | |
2519 | ||
ae9e2716 CP |
2520 | ######################################## |
2521 | ## <summary> | |
296273a7 CP |
2522 | ## Create, read, write, and delete named pipes |
2523 | ## in a user home subdirectory. | |
ae9e2716 CP |
2524 | ## </summary> |
2525 | ## <param name="domain"> | |
885b83ec | 2526 | ## <summary> |
296273a7 | 2527 | ## Domain allowed access. |
885b83ec | 2528 | ## </summary> |
ae9e2716 CP |
2529 | ## </param> |
2530 | # | |
296273a7 CP |
2531 | interface(`userdom_manage_user_home_content_pipes',` |
2532 | gen_require(` | |
2533 | type user_home_dir_t, user_home_t; | |
2534 | ') | |
2535 | ||
2536 | manage_fifo_files_pattern($1, user_home_t, user_home_t) | |
2537 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2538 | files_search_home($1) | |
ae9e2716 CP |
2539 | ') |
2540 | ||
2541 | ######################################## | |
2542 | ## <summary> | |
296273a7 CP |
2543 | ## Create, read, write, and delete named sockets |
2544 | ## in a user home subdirectory. | |
ae9e2716 CP |
2545 | ## </summary> |
2546 | ## <param name="domain"> | |
885b83ec | 2547 | ## <summary> |
296273a7 | 2548 | ## Domain allowed access. |
885b83ec | 2549 | ## </summary> |
ae9e2716 CP |
2550 | ## </param> |
2551 | # | |
296273a7 CP |
2552 | interface(`userdom_manage_user_home_content_sockets',` |
2553 | gen_require(` | |
2554 | type user_home_dir_t, user_home_t; | |
2555 | ') | |
2556 | ||
2557 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2558 | manage_sock_files_pattern($1, user_home_t, user_home_t) | |
2559 | files_search_home($1) | |
ae9e2716 CP |
2560 | ') |
2561 | ||
725926c5 CP |
2562 | ######################################## |
2563 | ## <summary> | |
296273a7 CP |
2564 | ## Create objects in a user home directory |
2565 | ## with an automatic type transition to | |
2566 | ## a specified private type. | |
725926c5 CP |
2567 | ## </summary> |
2568 | ## <param name="domain"> | |
885b83ec | 2569 | ## <summary> |
725926c5 | 2570 | ## Domain allowed access. |
885b83ec | 2571 | ## </summary> |
725926c5 | 2572 | ## </param> |
296273a7 | 2573 | ## <param name="private_type"> |
885b83ec | 2574 | ## <summary> |
296273a7 | 2575 | ## The type of the object to create. |
885b83ec | 2576 | ## </summary> |
b11a75a5 | 2577 | ## </param> |
296273a7 | 2578 | ## <param name="object_class"> |
885b83ec | 2579 | ## <summary> |
296273a7 | 2580 | ## The class of the object to be created. |
885b83ec | 2581 | ## </summary> |
e1c41428 CP |
2582 | ## </param> |
2583 | # | |
296273a7 CP |
2584 | interface(`userdom_user_home_dir_filetrans',` |
2585 | gen_require(` | |
2586 | type user_home_dir_t; | |
2587 | ') | |
2588 | ||
ae4832c7 | 2589 | filetrans_pattern($1, user_home_dir_t, $2, $3, $4) |
296273a7 | 2590 | files_search_home($1) |
e1c41428 CP |
2591 | ') |
2592 | ||
10b1f324 CP |
2593 | ######################################## |
2594 | ## <summary> | |
296273a7 CP |
2595 | ## Create objects in a user home directory |
2596 | ## with an automatic type transition to | |
2597 | ## a specified private type. | |
10b1f324 CP |
2598 | ## </summary> |
2599 | ## <param name="domain"> | |
885b83ec | 2600 | ## <summary> |
10b1f324 | 2601 | ## Domain allowed access. |
885b83ec | 2602 | ## </summary> |
10b1f324 | 2603 | ## </param> |
296273a7 | 2604 | ## <param name="private_type"> |
885b83ec | 2605 | ## <summary> |
296273a7 | 2606 | ## The type of the object to create. |
885b83ec | 2607 | ## </summary> |
ee9500ec CP |
2608 | ## </param> |
2609 | ## <param name="object_class"> | |
885b83ec | 2610 | ## <summary> |
10b1f324 | 2611 | ## The class of the object to be created. |
885b83ec | 2612 | ## </summary> |
10b1f324 CP |
2613 | ## </param> |
2614 | # | |
296273a7 CP |
2615 | interface(`userdom_user_home_content_filetrans',` |
2616 | gen_require(` | |
2617 | type user_home_dir_t, user_home_t; | |
2618 | ') | |
2619 | ||
2620 | filetrans_pattern($1, user_home_t, $2, $3) | |
2621 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2622 | files_search_home($1) | |
10b1f324 CP |
2623 | ') |
2624 | ||
2625 | ######################################## | |
2626 | ## <summary> | |
296273a7 CP |
2627 | ## Create objects in a user home directory |
2628 | ## with an automatic type transition to | |
2629 | ## the user home file type. | |
10b1f324 CP |
2630 | ## </summary> |
2631 | ## <param name="domain"> | |
885b83ec | 2632 | ## <summary> |
296273a7 CP |
2633 | ## Domain allowed access. |
2634 | ## </summary> | |
2635 | ## </param> | |
2636 | ## <param name="object_class"> | |
2637 | ## <summary> | |
2638 | ## The class of the object to be created. | |
885b83ec | 2639 | ## </summary> |
10b1f324 CP |
2640 | ## </param> |
2641 | # | |
296273a7 CP |
2642 | interface(`userdom_user_home_dir_filetrans_user_home_content',` |
2643 | gen_require(` | |
2644 | type user_home_dir_t, user_home_t; | |
2645 | ') | |
2646 | ||
2647 | filetrans_pattern($1, user_home_dir_t, user_home_t, $2) | |
2648 | files_search_home($1) | |
10b1f324 CP |
2649 | ') |
2650 | ||
fd89e19f CP |
2651 | ######################################## |
2652 | ## <summary> | |
ff8f0a63 | 2653 | ## Write to user temporary named sockets. |
fd89e19f CP |
2654 | ## </summary> |
2655 | ## <param name="domain"> | |
885b83ec | 2656 | ## <summary> |
ff8f0a63 | 2657 | ## Domain allowed access. |
885b83ec | 2658 | ## </summary> |
fd89e19f CP |
2659 | ## </param> |
2660 | # | |
296273a7 CP |
2661 | interface(`userdom_write_user_tmp_sockets',` |
2662 | gen_require(` | |
2663 | type user_tmp_t; | |
2664 | ') | |
2665 | ||
4cb24aed | 2666 | allow $1 user_tmp_t:sock_file write_sock_file_perms; |
296273a7 | 2667 | files_search_tmp($1) |
ed38ca9f | 2668 | ') |
fd89e19f | 2669 | |
ed38ca9f CP |
2670 | ######################################## |
2671 | ## <summary> | |
296273a7 | 2672 | ## List user temporary directories. |
ed38ca9f CP |
2673 | ## </summary> |
2674 | ## <param name="domain"> | |
2675 | ## <summary> | |
2676 | ## Domain allowed access. | |
2677 | ## </summary> | |
2678 | ## </param> | |
2679 | # | |
296273a7 CP |
2680 | interface(`userdom_list_user_tmp',` |
2681 | gen_require(` | |
2682 | type user_tmp_t; | |
2683 | ') | |
2684 | ||
2685 | allow $1 user_tmp_t:dir list_dir_perms; | |
2686 | files_search_tmp($1) | |
fd89e19f CP |
2687 | ') |
2688 | ||
1786478c CP |
2689 | ######################################## |
2690 | ## <summary> | |
296273a7 CP |
2691 | ## Do not audit attempts to list user |
2692 | ## temporary directories. | |
1786478c CP |
2693 | ## </summary> |
2694 | ## <param name="domain"> | |
2695 | ## <summary> | |
296273a7 | 2696 | ## Domain to not audit. |
1786478c CP |
2697 | ## </summary> |
2698 | ## </param> | |
2699 | # | |
296273a7 | 2700 | interface(`userdom_dontaudit_list_user_tmp',` |
1786478c | 2701 | gen_require(` |
296273a7 | 2702 | type user_tmp_t; |
1786478c CP |
2703 | ') |
2704 | ||
296273a7 | 2705 | dontaudit $1 user_tmp_t:dir list_dir_perms; |
1786478c CP |
2706 | ') |
2707 | ||
9778406f CP |
2708 | ######################################## |
2709 | ## <summary> | |
296273a7 CP |
2710 | ## Do not audit attempts to manage users |
2711 | ## temporary directories. | |
9778406f CP |
2712 | ## </summary> |
2713 | ## <param name="domain"> | |
885b83ec | 2714 | ## <summary> |
296273a7 | 2715 | ## Domain to not audit. |
885b83ec | 2716 | ## </summary> |
9778406f CP |
2717 | ## </param> |
2718 | # | |
296273a7 | 2719 | interface(`userdom_dontaudit_manage_user_tmp_dirs',` |
9778406f | 2720 | gen_require(` |
296273a7 | 2721 | type user_tmp_t; |
9778406f CP |
2722 | ') |
2723 | ||
296273a7 | 2724 | dontaudit $1 user_tmp_t:dir manage_dir_perms; |
9778406f CP |
2725 | ') |
2726 | ||
4bf4ed9e | 2727 | ######################################## |
ab940a4c | 2728 | ## <summary> |
296273a7 | 2729 | ## Read user temporary files. |
ab940a4c | 2730 | ## </summary> |
414e4151 | 2731 | ## <param name="domain"> |
885b83ec | 2732 | ## <summary> |
725926c5 | 2733 | ## Domain allowed access. |
885b83ec | 2734 | ## </summary> |
414e4151 | 2735 | ## </param> |
4bf4ed9e | 2736 | # |
296273a7 | 2737 | interface(`userdom_read_user_tmp_files',` |
0404a390 | 2738 | gen_require(` |
296273a7 | 2739 | type user_tmp_t; |
0404a390 | 2740 | ') |
0c73cd25 | 2741 | |
296273a7 CP |
2742 | read_files_pattern($1, user_tmp_t, user_tmp_t) |
2743 | allow $1 user_tmp_t:dir list_dir_perms; | |
2744 | files_search_tmp($1) | |
4bf4ed9e CP |
2745 | ') |
2746 | ||
ae9e2716 CP |
2747 | ######################################## |
2748 | ## <summary> | |
296273a7 CP |
2749 | ## Do not audit attempts to read users |
2750 | ## temporary files. | |
ae9e2716 CP |
2751 | ## </summary> |
2752 | ## <param name="domain"> | |
885b83ec | 2753 | ## <summary> |
ae9e2716 | 2754 | ## Domain to not audit. |
885b83ec | 2755 | ## </summary> |
ae9e2716 CP |
2756 | ## </param> |
2757 | # | |
296273a7 | 2758 | interface(`userdom_dontaudit_read_user_tmp_files',` |
ae9e2716 | 2759 | gen_require(` |
296273a7 | 2760 | type user_tmp_t; |
ae9e2716 CP |
2761 | ') |
2762 | ||
3eaa9939 | 2763 | dontaudit $1 user_tmp_t:file read_inherited_file_perms; |
ae9e2716 CP |
2764 | ') |
2765 | ||
daa0e0b0 | 2766 | ######################################## |
ab940a4c | 2767 | ## <summary> |
296273a7 CP |
2768 | ## Do not audit attempts to append users |
2769 | ## temporary files. | |
ab940a4c | 2770 | ## </summary> |
414e4151 | 2771 | ## <param name="domain"> |
885b83ec | 2772 | ## <summary> |
296273a7 | 2773 | ## Domain to not audit. |
885b83ec | 2774 | ## </summary> |
414e4151 | 2775 | ## </param> |
daa0e0b0 | 2776 | # |
296273a7 | 2777 | interface(`userdom_dontaudit_append_user_tmp_files',` |
0404a390 | 2778 | gen_require(` |
296273a7 | 2779 | type user_tmp_t; |
0404a390 | 2780 | ') |
0c73cd25 | 2781 | |
bf530f53 | 2782 | dontaudit $1 user_tmp_t:file append_file_perms; |
daa0e0b0 CP |
2783 | ') |
2784 | ||
fc6524d7 CP |
2785 | ######################################## |
2786 | ## <summary> | |
296273a7 | 2787 | ## Read and write user temporary files. |
fc6524d7 CP |
2788 | ## </summary> |
2789 | ## <param name="domain"> | |
885b83ec | 2790 | ## <summary> |
725926c5 | 2791 | ## Domain allowed access. |
885b83ec | 2792 | ## </summary> |
fc6524d7 CP |
2793 | ## </param> |
2794 | # | |
296273a7 | 2795 | interface(`userdom_rw_user_tmp_files',` |
fc6524d7 | 2796 | gen_require(` |
296273a7 | 2797 | type user_tmp_t; |
fc6524d7 CP |
2798 | ') |
2799 | ||
296273a7 CP |
2800 | allow $1 user_tmp_t:dir list_dir_perms; |
2801 | rw_files_pattern($1, user_tmp_t, user_tmp_t) | |
2802 | files_search_tmp($1) | |
fc6524d7 CP |
2803 | ') |
2804 | ||
2805 | ######################################## | |
2806 | ## <summary> | |
296273a7 CP |
2807 | ## Do not audit attempts to manage users |
2808 | ## temporary files. | |
fc6524d7 CP |
2809 | ## </summary> |
2810 | ## <param name="domain"> | |
885b83ec | 2811 | ## <summary> |
296273a7 | 2812 | ## Domain to not audit. |
885b83ec | 2813 | ## </summary> |
fc6524d7 CP |
2814 | ## </param> |
2815 | # | |
296273a7 | 2816 | interface(`userdom_dontaudit_manage_user_tmp_files',` |
fc6524d7 | 2817 | gen_require(` |
296273a7 | 2818 | type user_tmp_t; |
fc6524d7 CP |
2819 | ') |
2820 | ||
296273a7 | 2821 | dontaudit $1 user_tmp_t:file manage_file_perms; |
fc6524d7 CP |
2822 | ') |
2823 | ||
2824 | ######################################## | |
2825 | ## <summary> | |
296273a7 | 2826 | ## Read user temporary symbolic links. |
fc6524d7 CP |
2827 | ## </summary> |
2828 | ## <param name="domain"> | |
885b83ec | 2829 | ## <summary> |
725926c5 | 2830 | ## Domain allowed access. |
885b83ec | 2831 | ## </summary> |
fc6524d7 CP |
2832 | ## </param> |
2833 | # | |
296273a7 | 2834 | interface(`userdom_read_user_tmp_symlinks',` |
fc6524d7 | 2835 | gen_require(` |
296273a7 | 2836 | type user_tmp_t; |
fc6524d7 CP |
2837 | ') |
2838 | ||
296273a7 CP |
2839 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2840 | allow $1 user_tmp_t:dir list_dir_perms; | |
2841 | files_search_tmp($1) | |
fc6524d7 CP |
2842 | ') |
2843 | ||
784a3bbc CP |
2844 | ######################################## |
2845 | ## <summary> | |
296273a7 CP |
2846 | ## Create, read, write, and delete user |
2847 | ## temporary directories. | |
784a3bbc | 2848 | ## </summary> |
784a3bbc | 2849 | ## <param name="domain"> |
885b83ec | 2850 | ## <summary> |
725926c5 | 2851 | ## Domain allowed access. |
885b83ec | 2852 | ## </summary> |
784a3bbc CP |
2853 | ## </param> |
2854 | # | |
296273a7 | 2855 | interface(`userdom_manage_user_tmp_dirs',` |
784a3bbc | 2856 | gen_require(` |
296273a7 | 2857 | type user_tmp_t; |
784a3bbc CP |
2858 | ') |
2859 | ||
296273a7 CP |
2860 | manage_dirs_pattern($1, user_tmp_t, user_tmp_t) |
2861 | files_search_tmp($1) | |
784a3bbc CP |
2862 | ') |
2863 | ||
daa0e0b0 | 2864 | ######################################## |
ab940a4c | 2865 | ## <summary> |
296273a7 CP |
2866 | ## Create, read, write, and delete user |
2867 | ## temporary files. | |
ab940a4c CP |
2868 | ## </summary> |
2869 | ## <param name="domain"> | |
885b83ec | 2870 | ## <summary> |
725926c5 | 2871 | ## Domain allowed access. |
885b83ec | 2872 | ## </summary> |
ab940a4c CP |
2873 | ## </param> |
2874 | # | |
296273a7 | 2875 | interface(`userdom_manage_user_tmp_files',` |
ab940a4c | 2876 | gen_require(` |
296273a7 | 2877 | type user_tmp_t; |
ab940a4c CP |
2878 | ') |
2879 | ||
296273a7 CP |
2880 | manage_files_pattern($1, user_tmp_t, user_tmp_t) |
2881 | files_search_tmp($1) | |
ab940a4c CP |
2882 | ') |
2883 | ||
2884 | ######################################## | |
2885 | ## <summary> | |
296273a7 CP |
2886 | ## Create, read, write, and delete user |
2887 | ## temporary symbolic links. | |
ab940a4c | 2888 | ## </summary> |
414e4151 | 2889 | ## <param name="domain"> |
885b83ec | 2890 | ## <summary> |
725926c5 | 2891 | ## Domain allowed access. |
885b83ec | 2892 | ## </summary> |
414e4151 | 2893 | ## </param> |
490639cd | 2894 | # |
296273a7 | 2895 | interface(`userdom_manage_user_tmp_symlinks',` |
0404a390 | 2896 | gen_require(` |
296273a7 | 2897 | type user_tmp_t; |
0404a390 | 2898 | ') |
0c73cd25 | 2899 | |
296273a7 CP |
2900 | manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2901 | files_search_tmp($1) | |
490639cd CP |
2902 | ') |
2903 | ||
4bf4ed9e | 2904 | ######################################## |
ab940a4c | 2905 | ## <summary> |
296273a7 CP |
2906 | ## Create, read, write, and delete user |
2907 | ## temporary named pipes. | |
ab940a4c | 2908 | ## </summary> |
414e4151 | 2909 | ## <param name="domain"> |
885b83ec | 2910 | ## <summary> |
725926c5 | 2911 | ## Domain allowed access. |
885b83ec | 2912 | ## </summary> |
414e4151 | 2913 | ## </param> |
4bf4ed9e | 2914 | # |
296273a7 | 2915 | interface(`userdom_manage_user_tmp_pipes',` |
0404a390 | 2916 | gen_require(` |
296273a7 | 2917 | type user_tmp_t; |
0404a390 | 2918 | ') |
0c73cd25 | 2919 | |
296273a7 CP |
2920 | manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) |
2921 | files_search_tmp($1) | |
4bf4ed9e CP |
2922 | ') |
2923 | ||
0404a390 | 2924 | ######################################## |
ab940a4c | 2925 | ## <summary> |
296273a7 CP |
2926 | ## Create, read, write, and delete user |
2927 | ## temporary named sockets. | |
ab940a4c | 2928 | ## </summary> |
414e4151 | 2929 | ## <param name="domain"> |
885b83ec | 2930 | ## <summary> |
57a96cbd | 2931 | ## Domain allowed access. |
885b83ec | 2932 | ## </summary> |
414e4151 | 2933 | ## </param> |
0404a390 | 2934 | # |
296273a7 CP |
2935 | interface(`userdom_manage_user_tmp_sockets',` |
2936 | gen_require(` | |
2937 | type user_tmp_t; | |
2938 | ') | |
2939 | ||
2940 | manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) | |
2941 | files_search_tmp($1) | |
4bf4ed9e CP |
2942 | ') |
2943 | ||
4614e83f CP |
2944 | ######################################## |
2945 | ## <summary> | |
296273a7 CP |
2946 | ## Create objects in a user temporary directory |
2947 | ## with an automatic type transition to | |
2948 | ## a specified private type. | |
4614e83f CP |
2949 | ## </summary> |
2950 | ## <param name="domain"> | |
885b83ec | 2951 | ## <summary> |
4614e83f | 2952 | ## Domain allowed access. |
885b83ec | 2953 | ## </summary> |
4614e83f | 2954 | ## </param> |
296273a7 CP |
2955 | ## <param name="private_type"> |
2956 | ## <summary> | |
2957 | ## The type of the object to create. | |
2958 | ## </summary> | |
2959 | ## </param> | |
2960 | ## <param name="object_class"> | |
2961 | ## <summary> | |
2962 | ## The class of the object to be created. | |
2963 | ## </summary> | |
2964 | ## </param> | |
4614e83f | 2965 | # |
296273a7 CP |
2966 | interface(`userdom_user_tmp_filetrans',` |
2967 | gen_require(` | |
2968 | type user_tmp_t; | |
2969 | ') | |
2970 | ||
2971 | filetrans_pattern($1, user_tmp_t, $2, $3) | |
2972 | files_search_tmp($1) | |
4614e83f CP |
2973 | ') |
2974 | ||
daa0e0b0 | 2975 | ######################################## |
ab940a4c | 2976 | ## <summary> |
296273a7 CP |
2977 | ## Create objects in the temporary directory |
2978 | ## with an automatic type transition to | |
2979 | ## the user temporary type. | |
57a96cbd CP |
2980 | ## </summary> |
2981 | ## <param name="domain"> | |
885b83ec | 2982 | ## <summary> |
57a96cbd | 2983 | ## Domain allowed access. |
885b83ec | 2984 | ## </summary> |
57a96cbd | 2985 | ## </param> |
1c1ac67f | 2986 | ## <param name="object_class"> |
885b83ec | 2987 | ## <summary> |
57a96cbd | 2988 | ## The class of the object to be created. |
885b83ec | 2989 | ## </summary> |
57a96cbd CP |
2990 | ## </param> |
2991 | # | |
296273a7 CP |
2992 | interface(`userdom_tmp_filetrans_user_tmp',` |
2993 | gen_require(` | |
2994 | type user_tmp_t; | |
2995 | ') | |
2996 | ||
2997 | files_tmp_filetrans($1, user_tmp_t, $2) | |
57a96cbd CP |
2998 | ') |
2999 | ||
a9e9678f CP |
3000 | ######################################## |
3001 | ## <summary> | |
3002 | ## Read user tmpfs files. | |
3003 | ## </summary> | |
3004 | ## <param name="domain"> | |
3005 | ## <summary> | |
3006 | ## Domain allowed access. | |
3007 | ## </summary> | |
3008 | ## </param> | |
3009 | # | |
3010 | interface(`userdom_read_user_tmpfs_files',` | |
3011 | gen_require(` | |
3012 | type user_tmpfs_t; | |
3013 | ') | |
3014 | ||
3015 | read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3eaa9939 | 3016 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) |
a9e9678f CP |
3017 | allow $1 user_tmpfs_t:dir list_dir_perms; |
3018 | fs_search_tmpfs($1) | |
3019 | ') | |
3020 | ||
d4dca585 CP |
3021 | ######################################## |
3022 | ## <summary> | |
3eaa9939 | 3023 | ## Read/Write user tmpfs files. |
d4dca585 CP |
3024 | ## </summary> |
3025 | ## <param name="domain"> | |
885b83ec | 3026 | ## <summary> |
d4dca585 | 3027 | ## Domain allowed access. |
885b83ec | 3028 | ## </summary> |
d4dca585 CP |
3029 | ## </param> |
3030 | # | |
296273a7 CP |
3031 | interface(`userdom_rw_user_tmpfs_files',` |
3032 | gen_require(` | |
3033 | type user_tmpfs_t; | |
3034 | ') | |
3035 | ||
3036 | rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3037 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3038 | allow $1 user_tmpfs_t:dir list_dir_perms; | |
3039 | fs_search_tmpfs($1) | |
d4dca585 CP |
3040 | ') |
3041 | ||
d9845ae9 CP |
3042 | ######################################## |
3043 | ## <summary> | |
296273a7 | 3044 | ## Get the attributes of a user domain tty. |
d9845ae9 CP |
3045 | ## </summary> |
3046 | ## <param name="domain"> | |
3047 | ## <summary> | |
3048 | ## Domain allowed access. | |
3049 | ## </summary> | |
3050 | ## </param> | |
3051 | # | |
296273a7 CP |
3052 | interface(`userdom_getattr_user_ttys',` |
3053 | gen_require(` | |
3054 | type user_tty_device_t; | |
3055 | ') | |
3056 | ||
bf530f53 | 3057 | allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
d9845ae9 CP |
3058 | ') |
3059 | ||
57a96cbd CP |
3060 | ######################################## |
3061 | ## <summary> | |
296273a7 | 3062 | ## Do not audit attempts to get the attributes of a user domain tty. |
57a96cbd CP |
3063 | ## </summary> |
3064 | ## <param name="domain"> | |
885b83ec | 3065 | ## <summary> |
a0546c9d | 3066 | ## Domain to not audit. |
885b83ec | 3067 | ## </summary> |
57a96cbd CP |
3068 | ## </param> |
3069 | # | |
296273a7 CP |
3070 | interface(`userdom_dontaudit_getattr_user_ttys',` |
3071 | gen_require(` | |
3072 | type user_tty_device_t; | |
3073 | ') | |
3074 | ||
bf530f53 | 3075 | dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
57a96cbd CP |
3076 | ') |
3077 | ||
d6d16b97 CP |
3078 | ######################################## |
3079 | ## <summary> | |
296273a7 | 3080 | ## Set the attributes of a user domain tty. |
d6d16b97 CP |
3081 | ## </summary> |
3082 | ## <param name="domain"> | |
3083 | ## <summary> | |
3084 | ## Domain allowed access. | |
3085 | ## </summary> | |
3086 | ## </param> | |
3087 | # | |
296273a7 CP |
3088 | interface(`userdom_setattr_user_ttys',` |
3089 | gen_require(` | |
3090 | type user_tty_device_t; | |
3091 | ') | |
3092 | ||
bf530f53 | 3093 | allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
d6d16b97 CP |
3094 | ') |
3095 | ||
165b42d2 CP |
3096 | ######################################## |
3097 | ## <summary> | |
296273a7 | 3098 | ## Do not audit attempts to set the attributes of a user domain tty. |
165b42d2 CP |
3099 | ## </summary> |
3100 | ## <param name="domain"> | |
3101 | ## <summary> | |
a0546c9d | 3102 | ## Domain to not audit. |
165b42d2 CP |
3103 | ## </summary> |
3104 | ## </param> | |
3105 | # | |
296273a7 CP |
3106 | interface(`userdom_dontaudit_setattr_user_ttys',` |
3107 | gen_require(` | |
3108 | type user_tty_device_t; | |
3109 | ') | |
3110 | ||
bf530f53 | 3111 | dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
165b42d2 CP |
3112 | ') |
3113 | ||
d6d16b97 CP |
3114 | ######################################## |
3115 | ## <summary> | |
296273a7 | 3116 | ## Read and write a user domain tty. |
d6d16b97 CP |
3117 | ## </summary> |
3118 | ## <param name="domain"> | |
3119 | ## <summary> | |
3120 | ## Domain allowed access. | |
3121 | ## </summary> | |
3122 | ## </param> | |
3123 | # | |
296273a7 CP |
3124 | interface(`userdom_use_user_ttys',` |
3125 | gen_require(` | |
3126 | type user_tty_device_t; | |
3127 | ') | |
3128 | ||
3129 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
d6d16b97 CP |
3130 | ') |
3131 | ||
af2d8802 MG |
3132 | ######################################## |
3133 | ## <summary> | |
3134 | ## Read and write a inherited user domain tty. | |
3135 | ## </summary> | |
3136 | ## <param name="domain"> | |
3137 | ## <summary> | |
3138 | ## Domain allowed access. | |
3139 | ## </summary> | |
3140 | ## </param> | |
3141 | # | |
3142 | interface(`userdom_use_inherited_user_ttys',` | |
3143 | gen_require(` | |
3144 | type user_tty_device_t; | |
3145 | ') | |
3146 | ||
3147 | allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; | |
3148 | ') | |
3149 | ||
57a96cbd CP |
3150 | ######################################## |
3151 | ## <summary> | |
296273a7 | 3152 | ## Read and write a user domain pty. |
57a96cbd CP |
3153 | ## </summary> |
3154 | ## <param name="domain"> | |
885b83ec | 3155 | ## <summary> |
57a96cbd | 3156 | ## Domain allowed access. |
885b83ec | 3157 | ## </summary> |
57a96cbd CP |
3158 | ## </param> |
3159 | # | |
296273a7 CP |
3160 | interface(`userdom_use_user_ptys',` |
3161 | gen_require(` | |
3162 | type user_devpts_t; | |
3163 | ') | |
3164 | ||
3165 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
3166 | ') |
3167 | ||
d6d16b97 CP |
3168 | ######################################## |
3169 | ## <summary> | |
af2d8802 MG |
3170 | ## Read and write a inherited user domain pty. |
3171 | ## </summary> | |
3172 | ## <param name="domain"> | |
3173 | ## <summary> | |
3174 | ## Domain allowed access. | |
3175 | ## </summary> | |
3176 | ## </param> | |
3177 | # | |
3178 | interface(`userdom_use_inherited_user_ptys',` | |
3179 | gen_require(` | |
3180 | type user_devpts_t; | |
3181 | ') | |
3182 | ||
3183 | allow $1 user_devpts_t:chr_file rw_inherited_term_perms; | |
3184 | ') | |
3185 | ||
57a96cbd | 3186 | ######################################## |
af2d8802 MG |
3187 | ## <summary> |
3188 | ## Read and write a inherited user TTYs and PTYs. | |
d6d16b97 | 3189 | ## </summary> |
c46376e6 CP |
3190 | ## <desc> |
3191 | ## <p> | |
af2d8802 | 3192 | ## Allow the specified domain to read and write inherited user |
c46376e6 CP |
3193 | ## TTYs and PTYs. This will allow the domain to |
3194 | ## interact with the user via the terminal. Typically | |
3195 | ## all interactive applications will require this | |
3196 | ## access. | |
3197 | ## </p> | |
c46376e6 | 3198 | ## </desc> |
d6d16b97 CP |
3199 | ## <param name="domain"> |
3200 | ## <summary> | |
3201 | ## Domain allowed access. | |
3202 | ## </summary> | |
3203 | ## </param> | |
c46376e6 | 3204 | ## <infoflow type="both" weight="10"/> |
d6d16b97 | 3205 | # |
af2d8802 | 3206 | interface(`userdom_use_inherited_user_terminals',` |
296273a7 CP |
3207 | gen_require(` |
3208 | type user_tty_device_t, user_devpts_t; | |
3209 | ') | |
3210 | ||
af2d8802 MG |
3211 | allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; |
3212 | allow $1 user_devpts_t:chr_file rw_inherited_term_perms; | |
3213 | ') | |
3214 | ||
35afb663 MG |
3215 | ####################################### |
3216 | ## <summary> | |
3217 | ## Allow attempts to read and write | |
3218 | ## a user domain tty and pty. | |
3219 | ## </summary> | |
3220 | ## <param name="domain"> | |
3221 | ## <summary> | |
3222 | ## Domain to not audit. | |
3223 | ## </summary> | |
3224 | ## </param> | |
3225 | # | |
3226 | interface(`userdom_use_user_terminals',` | |
3227 | gen_require(` | |
3228 | type user_tty_device_t, user_devpts_t; | |
3229 | ') | |
3230 | ||
3231 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
3232 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
d6d16b97 CP |
3233 | ') |
3234 | ||
57a96cbd CP |
3235 | ######################################## |
3236 | ## <summary> | |
296273a7 CP |
3237 | ## Do not audit attempts to read and write |
3238 | ## a user domain tty and pty. | |
57a96cbd CP |
3239 | ## </summary> |
3240 | ## <param name="domain"> | |
885b83ec | 3241 | ## <summary> |
a0546c9d | 3242 | ## Domain to not audit. |
885b83ec | 3243 | ## </summary> |
57a96cbd CP |
3244 | ## </param> |
3245 | # | |
296273a7 CP |
3246 | interface(`userdom_dontaudit_use_user_terminals',` |
3247 | gen_require(` | |
3248 | type user_tty_device_t, user_devpts_t; | |
3249 | ') | |
3250 | ||
3251 | dontaudit $1 user_tty_device_t:chr_file rw_term_perms; | |
3252 | dontaudit $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
3253 | ') |
3254 | ||
8fc060c2 DG |
3255 | |
3256 | ######################################## | |
3257 | ## <summary> | |
3258 | ## Get attributes of user domain tty and pty. | |
3259 | ## </summary> | |
3260 | ## <param name="domain"> | |
3261 | ## <summary> | |
3262 | ## Domain allowed access. | |
3263 | ## </summary> | |
3264 | ## </param> | |
3265 | # | |
3266 | interface(`userdom_getattr_user_terminals',` | |
3267 | gen_require(` | |
3268 | type user_tty_device_t, user_devpts_t; | |
3269 | ') | |
3270 | ||
3271 | allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; | |
3272 | ') | |
3273 | ||
57a96cbd CP |
3274 | ######################################## |
3275 | ## <summary> | |
296273a7 CP |
3276 | ## Execute a shell in all user domains. This |
3277 | ## is an explicit transition, requiring the | |
3278 | ## caller to use setexeccon(). | |
57a96cbd CP |
3279 | ## </summary> |
3280 | ## <param name="domain"> | |
885b83ec | 3281 | ## <summary> |
a0546c9d | 3282 | ## Domain allowed to transition. |
885b83ec | 3283 | ## </summary> |
57a96cbd CP |
3284 | ## </param> |
3285 | # | |
296273a7 CP |
3286 | interface(`userdom_spec_domtrans_all_users',` |
3287 | gen_require(` | |
3288 | attribute userdomain; | |
3289 | ') | |
3290 | ||
3f67f722 | 3291 | corecmd_shell_spec_domtrans($1, userdomain) |
296273a7 CP |
3292 | allow userdomain $1:fd use; |
3293 | allow userdomain $1:fifo_file rw_file_perms; | |
3294 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
3295 | ') |
3296 | ||
3297 | ######################################## | |
3298 | ## <summary> | |
296273a7 CP |
3299 | ## Execute an Xserver session in all unprivileged user domains. This |
3300 | ## is an explicit transition, requiring the | |
3301 | ## caller to use setexeccon(). | |
57a96cbd CP |
3302 | ## </summary> |
3303 | ## <param name="domain"> | |
885b83ec | 3304 | ## <summary> |
a0546c9d | 3305 | ## Domain allowed to transition. |
885b83ec | 3306 | ## </summary> |
57a96cbd CP |
3307 | ## </param> |
3308 | # | |
296273a7 CP |
3309 | interface(`userdom_xsession_spec_domtrans_all_users',` |
3310 | gen_require(` | |
3311 | attribute userdomain; | |
3312 | ') | |
3313 | ||
3f67f722 | 3314 | xserver_xsession_spec_domtrans($1, userdomain) |
296273a7 CP |
3315 | allow userdomain $1:fd use; |
3316 | allow userdomain $1:fifo_file rw_file_perms; | |
3317 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
3318 | ') |
3319 | ||
e08118a5 CP |
3320 | ######################################## |
3321 | ## <summary> | |
296273a7 CP |
3322 | ## Execute a shell in all unprivileged user domains. This |
3323 | ## is an explicit transition, requiring the | |
3324 | ## caller to use setexeccon(). | |
e08118a5 CP |
3325 | ## </summary> |
3326 | ## <param name="domain"> | |
885b83ec | 3327 | ## <summary> |
a0546c9d | 3328 | ## Domain allowed to transition. |
885b83ec | 3329 | ## </summary> |
e08118a5 CP |
3330 | ## </param> |
3331 | # | |
296273a7 | 3332 | interface(`userdom_spec_domtrans_unpriv_users',` |
e08118a5 | 3333 | gen_require(` |
296273a7 | 3334 | attribute unpriv_userdomain; |
e08118a5 CP |
3335 | ') |
3336 | ||
3f67f722 | 3337 | corecmd_shell_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3338 | allow unpriv_userdomain $1:fd use; |
3339 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3340 | allow unpriv_userdomain $1:process sigchld; | |
e08118a5 CP |
3341 | ') |
3342 | ||
d4dca585 CP |
3343 | ######################################## |
3344 | ## <summary> | |
296273a7 CP |
3345 | ## Execute an Xserver session in all unprivileged user domains. This |
3346 | ## is an explicit transition, requiring the | |
3347 | ## caller to use setexeccon(). | |
d4dca585 CP |
3348 | ## </summary> |
3349 | ## <param name="domain"> | |
885b83ec | 3350 | ## <summary> |
a0546c9d | 3351 | ## Domain allowed to transition. |
885b83ec | 3352 | ## </summary> |
d4dca585 CP |
3353 | ## </param> |
3354 | # | |
296273a7 | 3355 | interface(`userdom_xsession_spec_domtrans_unpriv_users',` |
d4dca585 | 3356 | gen_require(` |
296273a7 | 3357 | attribute unpriv_userdomain; |
d4dca585 CP |
3358 | ') |
3359 | ||
3f67f722 | 3360 | xserver_xsession_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3361 | allow unpriv_userdomain $1:fd use; |
3362 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3363 | allow unpriv_userdomain $1:process sigchld; | |
d4dca585 CP |
3364 | ') |
3365 | ||
ec5d81e1 CP |
3366 | ####################################### |
3367 | ## <summary> | |
3368 | ## Read and write unpriviledged user SysV sempaphores. | |
3369 | ## </summary> | |
3370 | ## <param name="domain"> | |
3371 | ## <summary> | |
3372 | ## Domain allowed access. | |
3373 | ## </summary> | |
3374 | ## </param> | |
3375 | # | |
3376 | interface(`userdom_rw_unpriv_user_semaphores',` | |
3377 | gen_require(` | |
3378 | attribute unpriv_userdomain; | |
3379 | ') | |
3380 | ||
3381 | allow $1 unpriv_userdomain:sem rw_sem_perms; | |
3382 | ') | |
3383 | ||
6f8cda96 CP |
3384 | ######################################## |
3385 | ## <summary> | |
296273a7 | 3386 | ## Manage unpriviledged user SysV sempaphores. |
6f8cda96 CP |
3387 | ## </summary> |
3388 | ## <param name="domain"> | |
3389 | ## <summary> | |
3390 | ## Domain allowed access. | |
3391 | ## </summary> | |
3392 | ## </param> | |
3393 | # | |
296273a7 | 3394 | interface(`userdom_manage_unpriv_user_semaphores',` |
6f8cda96 | 3395 | gen_require(` |
296273a7 | 3396 | attribute unpriv_userdomain; |
6f8cda96 CP |
3397 | ') |
3398 | ||
296273a7 | 3399 | allow $1 unpriv_userdomain:sem create_sem_perms; |
6f8cda96 CP |
3400 | ') |
3401 | ||
ec5d81e1 CP |
3402 | ####################################### |
3403 | ## <summary> | |
3404 | ## Read and write unpriviledged user SysV shared | |
3405 | ## memory segments. | |
3406 | ## </summary> | |
3407 | ## <param name="domain"> | |
3408 | ## <summary> | |
3409 | ## Domain allowed access. | |
3410 | ## </summary> | |
3411 | ## </param> | |
3412 | # | |
3413 | interface(`userdom_rw_unpriv_user_shared_mem',` | |
3414 | gen_require(` | |
3415 | attribute unpriv_userdomain; | |
3416 | ') | |
3417 | ||
3418 | allow $1 unpriv_userdomain:shm rw_shm_perms; | |
3419 | ') | |
3420 | ||
6f8cda96 CP |
3421 | ######################################## |
3422 | ## <summary> | |
296273a7 CP |
3423 | ## Manage unpriviledged user SysV shared |
3424 | ## memory segments. | |
6f8cda96 CP |
3425 | ## </summary> |
3426 | ## <param name="domain"> | |
3427 | ## <summary> | |
3428 | ## Domain allowed access. | |
3429 | ## </summary> | |
3430 | ## </param> | |
3431 | # | |
296273a7 | 3432 | interface(`userdom_manage_unpriv_user_shared_mem',` |
6f8cda96 | 3433 | gen_require(` |
296273a7 | 3434 | attribute unpriv_userdomain; |
6f8cda96 CP |
3435 | ') |
3436 | ||
296273a7 | 3437 | allow $1 unpriv_userdomain:shm create_shm_perms; |
6f8cda96 CP |
3438 | ') |
3439 | ||
43989f82 CP |
3440 | ######################################## |
3441 | ## <summary> | |
296273a7 CP |
3442 | ## Execute bin_t in the unprivileged user domains. This |
3443 | ## is an explicit transition, requiring the | |
3444 | ## caller to use setexeccon(). | |
43989f82 CP |
3445 | ## </summary> |
3446 | ## <param name="domain"> | |
885b83ec | 3447 | ## <summary> |
a0546c9d | 3448 | ## Domain allowed to transition. |
885b83ec | 3449 | ## </summary> |
43989f82 CP |
3450 | ## </param> |
3451 | # | |
296273a7 | 3452 | interface(`userdom_bin_spec_domtrans_unpriv_users',` |
43989f82 | 3453 | gen_require(` |
296273a7 | 3454 | attribute unpriv_userdomain; |
43989f82 CP |
3455 | ') |
3456 | ||
3f67f722 | 3457 | corecmd_bin_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3458 | allow unpriv_userdomain $1:fd use; |
3459 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3460 | allow unpriv_userdomain $1:process sigchld; | |
725926c5 CP |
3461 | ') |
3462 | ||
6820a398 CP |
3463 | ######################################## |
3464 | ## <summary> | |
296273a7 CP |
3465 | ## Execute all entrypoint files in unprivileged user |
3466 | ## domains. This is an explicit transition, requiring the | |
3467 | ## caller to use setexeccon(). | |
6820a398 CP |
3468 | ## </summary> |
3469 | ## <param name="domain"> | |
885b83ec | 3470 | ## <summary> |
6820a398 | 3471 | ## Domain allowed access. |
885b83ec | 3472 | ## </summary> |
6820a398 CP |
3473 | ## </param> |
3474 | # | |
296273a7 | 3475 | interface(`userdom_entry_spec_domtrans_unpriv_users',` |
350b6ab7 | 3476 | gen_require(` |
296273a7 | 3477 | attribute unpriv_userdomain; |
6820a398 | 3478 | ') |
350b6ab7 | 3479 | |
3f67f722 | 3480 | domain_entry_file_spec_domtrans($1, unpriv_userdomain) |
296273a7 | 3481 | allow unpriv_userdomain $1:fd use; |
3eaa9939 | 3482 | allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; |
296273a7 | 3483 | allow unpriv_userdomain $1:process sigchld; |
6820a398 CP |
3484 | ') |
3485 | ||
1504ff3e CP |
3486 | ######################################## |
3487 | ## <summary> | |
296273a7 | 3488 | ## Search users home directories. |
1504ff3e CP |
3489 | ## </summary> |
3490 | ## <param name="domain"> | |
885b83ec | 3491 | ## <summary> |
296273a7 | 3492 | ## Domain allowed access. |
885b83ec | 3493 | ## </summary> |
1504ff3e CP |
3494 | ## </param> |
3495 | # | |
296273a7 | 3496 | interface(`userdom_search_user_home_content',` |
350b6ab7 | 3497 | gen_require(` |
3eaa9939 DW |
3498 | type user_home_dir_t; |
3499 | attribute user_home_type; | |
1504ff3e | 3500 | ') |
350b6ab7 | 3501 | |
296273a7 | 3502 | files_list_home($1) |
3eaa9939 DW |
3503 | allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; |
3504 | allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; | |
1504ff3e CP |
3505 | ') |
3506 | ||
b598c442 CP |
3507 | ######################################## |
3508 | ## <summary> | |
3509 | ## Send signull to unprivileged user domains. | |
3510 | ## </summary> | |
3511 | ## <param name="domain"> | |
3512 | ## <summary> | |
3513 | ## Domain allowed access. | |
3514 | ## </summary> | |
3515 | ## </param> | |
3516 | # | |
3517 | interface(`userdom_signull_unpriv_users',` | |
3518 | gen_require(` | |
3519 | attribute unpriv_userdomain; | |
3520 | ') | |
3521 | ||
3522 | allow $1 unpriv_userdomain:process signull; | |
3523 | ') | |
3524 | ||
f6abfdb8 CP |
3525 | ######################################## |
3526 | ## <summary> | |
296273a7 | 3527 | ## Send general signals to unprivileged user domains. |
f6abfdb8 CP |
3528 | ## </summary> |
3529 | ## <param name="domain"> | |
885b83ec | 3530 | ## <summary> |
f6abfdb8 | 3531 | ## Domain allowed access. |
885b83ec | 3532 | ## </summary> |
f6abfdb8 CP |
3533 | ## </param> |
3534 | # | |
296273a7 | 3535 | interface(`userdom_signal_unpriv_users',` |
f6abfdb8 | 3536 | gen_require(` |
296273a7 | 3537 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3538 | ') |
3539 | ||
296273a7 | 3540 | allow $1 unpriv_userdomain:process signal; |
f6abfdb8 CP |
3541 | ') |
3542 | ||
3543 | ######################################## | |
3544 | ## <summary> | |
296273a7 | 3545 | ## Inherit the file descriptors from unprivileged user domains. |
f6abfdb8 CP |
3546 | ## </summary> |
3547 | ## <param name="domain"> | |
885b83ec | 3548 | ## <summary> |
f6abfdb8 | 3549 | ## Domain allowed access. |
885b83ec | 3550 | ## </summary> |
f6abfdb8 CP |
3551 | ## </param> |
3552 | # | |
296273a7 | 3553 | interface(`userdom_use_unpriv_users_fds',` |
f6abfdb8 | 3554 | gen_require(` |
296273a7 | 3555 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3556 | ') |
3557 | ||
296273a7 | 3558 | allow $1 unpriv_userdomain:fd use; |
f6abfdb8 CP |
3559 | ') |
3560 | ||
725926c5 CP |
3561 | ######################################## |
3562 | ## <summary> | |
c46376e6 CP |
3563 | ## Do not audit attempts to inherit the file descriptors |
3564 | ## from unprivileged user domains. | |
725926c5 | 3565 | ## </summary> |
c46376e6 CP |
3566 | ## <desc> |
3567 | ## <p> | |
3568 | ## Do not audit attempts to inherit the file descriptors | |
3569 | ## from unprivileged user domains. This will supress | |
3570 | ## SELinux denial messages when the specified domain is denied | |
3571 | ## the permission to inherit these file descriptors. | |
3572 | ## </p> | |
3573 | ## </desc> | |
725926c5 | 3574 | ## <param name="domain"> |
885b83ec | 3575 | ## <summary> |
c46376e6 | 3576 | ## Domain to not audit. |
885b83ec | 3577 | ## </summary> |
725926c5 | 3578 | ## </param> |
c46376e6 | 3579 | ## <infoflow type="none"/> |
725926c5 | 3580 | # |
296273a7 | 3581 | interface(`userdom_dontaudit_use_unpriv_user_fds',` |
350b6ab7 | 3582 | gen_require(` |
296273a7 | 3583 | attribute unpriv_userdomain; |
725926c5 | 3584 | ') |
350b6ab7 | 3585 | |
296273a7 | 3586 | dontaudit $1 unpriv_userdomain:fd use; |
43989f82 CP |
3587 | ') |
3588 | ||
3589 | ######################################## | |
3590 | ## <summary> | |
296273a7 | 3591 | ## Do not audit attempts to use user ptys. |
43989f82 CP |
3592 | ## </summary> |
3593 | ## <param name="domain"> | |
885b83ec | 3594 | ## <summary> |
296273a7 | 3595 | ## Domain to not audit. |
885b83ec | 3596 | ## </summary> |
43989f82 CP |
3597 | ## </param> |
3598 | # | |
296273a7 | 3599 | interface(`userdom_dontaudit_use_user_ptys',` |
350b6ab7 | 3600 | gen_require(` |
296273a7 | 3601 | type user_devpts_t; |
725926c5 | 3602 | ') |
350b6ab7 | 3603 | |
f5b49a5e | 3604 | dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; |
43989f82 CP |
3605 | ') |
3606 | ||
3607 | ######################################## | |
3608 | ## <summary> | |
296273a7 | 3609 | ## Relabel files to unprivileged user pty types. |
43989f82 CP |
3610 | ## </summary> |
3611 | ## <param name="domain"> | |
885b83ec | 3612 | ## <summary> |
43989f82 | 3613 | ## Domain allowed access. |
885b83ec | 3614 | ## </summary> |
43989f82 CP |
3615 | ## </param> |
3616 | # | |
296273a7 | 3617 | interface(`userdom_relabelto_user_ptys',` |
350b6ab7 | 3618 | gen_require(` |
296273a7 | 3619 | type user_devpts_t; |
725926c5 | 3620 | ') |
350b6ab7 | 3621 | |
296273a7 | 3622 | allow $1 user_devpts_t:chr_file relabelto; |
43989f82 CP |
3623 | ') |
3624 | ||
57a96cbd CP |
3625 | ######################################## |
3626 | ## <summary> | |
296273a7 CP |
3627 | ## Do not audit attempts to relabel files from |
3628 | ## user pty types. | |
ab940a4c | 3629 | ## </summary> |
414e4151 | 3630 | ## <param name="domain"> |
885b83ec | 3631 | ## <summary> |
a0546c9d | 3632 | ## Domain to not audit. |
885b83ec | 3633 | ## </summary> |
414e4151 | 3634 | ## </param> |
daa0e0b0 | 3635 | # |
296273a7 | 3636 | interface(`userdom_dontaudit_relabelfrom_user_ptys',` |
0404a390 | 3637 | gen_require(` |
296273a7 | 3638 | type user_devpts_t; |
0404a390 | 3639 | ') |
0c73cd25 | 3640 | |
296273a7 | 3641 | dontaudit $1 user_devpts_t:chr_file relabelfrom; |
daa0e0b0 CP |
3642 | ') |
3643 | ||
693d4aed CP |
3644 | ######################################## |
3645 | ## <summary> | |
296273a7 | 3646 | ## Write all users files in /tmp |
693d4aed CP |
3647 | ## </summary> |
3648 | ## <param name="domain"> | |
3649 | ## <summary> | |
3650 | ## Domain allowed access. | |
3651 | ## </summary> | |
3652 | ## </param> | |
3653 | # | |
296273a7 | 3654 | interface(`userdom_write_user_tmp_files',` |
350b6ab7 | 3655 | gen_require(` |
296273a7 | 3656 | type user_tmp_t; |
693d4aed | 3657 | ') |
350b6ab7 | 3658 | |
3eaa9939 DW |
3659 | write_files_pattern($1, user_tmp_t, user_tmp_t) |
3660 | ') | |
3661 | ||
3662 | ######################################## | |
3663 | ## <summary> | |
3664 | ## Do not audit attempts to write users | |
3665 | ## temporary files. | |
3666 | ## </summary> | |
3667 | ## <param name="domain"> | |
3668 | ## <summary> | |
3669 | ## Domain to not audit. | |
3670 | ## </summary> | |
3671 | ## </param> | |
3672 | # | |
3673 | interface(`userdom_dontaudit_write_user_tmp_files',` | |
3674 | gen_require(` | |
3675 | type user_tmp_t; | |
3676 | ') | |
3677 | ||
3678 | dontaudit $1 user_tmp_t:file write; | |
3679 | ') | |
3680 | ||
3681 | ######################################## | |
3682 | ## <summary> | |
3683 | ## Do not audit attempts to read/write users | |
3684 | ## temporary fifo files. | |
3685 | ## </summary> | |
3686 | ## <param name="domain"> | |
3687 | ## <summary> | |
3688 | ## Domain to not audit. | |
3689 | ## </summary> | |
3690 | ## </param> | |
3691 | # | |
3692 | interface(`userdom_dontaudit_rw_user_tmp_pipes',` | |
3693 | gen_require(` | |
3694 | type user_tmp_t; | |
3695 | ') | |
3696 | ||
3697 | dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; | |
693d4aed CP |
3698 | ') |
3699 | ||
ebdc3b79 CP |
3700 | ######################################## |
3701 | ## <summary> | |
296273a7 | 3702 | ## Do not audit attempts to use user ttys. |
ebdc3b79 CP |
3703 | ## </summary> |
3704 | ## <param name="domain"> | |
885b83ec | 3705 | ## <summary> |
a0546c9d | 3706 | ## Domain to not audit. |
885b83ec | 3707 | ## </summary> |
ebdc3b79 CP |
3708 | ## </param> |
3709 | # | |
296273a7 | 3710 | interface(`userdom_dontaudit_use_user_ttys',` |
350b6ab7 | 3711 | gen_require(` |
296273a7 | 3712 | type user_tty_device_t; |
9cc2ccc4 | 3713 | ') |
350b6ab7 | 3714 | |
296273a7 | 3715 | dontaudit $1 user_tty_device_t:chr_file rw_file_perms; |
ebdc3b79 | 3716 | ') |
c98340cf | 3717 | |
2629c659 CP |
3718 | ######################################## |
3719 | ## <summary> | |
3720 | ## Read the process state of all user domains. | |
3721 | ## </summary> | |
3722 | ## <param name="domain"> | |
885b83ec | 3723 | ## <summary> |
2629c659 | 3724 | ## Domain allowed access. |
885b83ec | 3725 | ## </summary> |
2629c659 CP |
3726 | ## </param> |
3727 | # | |
1815bad1 | 3728 | interface(`userdom_read_all_users_state',` |
2629c659 CP |
3729 | gen_require(` |
3730 | attribute userdomain; | |
3731 | ') | |
3732 | ||
3f67f722 | 3733 | read_files_pattern($1, userdomain, userdomain) |
3eaa9939 | 3734 | read_lnk_files_pattern($1,userdomain,userdomain) |
2629c659 CP |
3735 | kernel_search_proc($1) |
3736 | ') | |
3737 | ||
3738 | ######################################## | |
3739 | ## <summary> | |
3740 | ## Get the attributes of all user domains. | |
3741 | ## </summary> | |
3742 | ## <param name="domain"> | |
885b83ec | 3743 | ## <summary> |
2629c659 | 3744 | ## Domain allowed access. |
885b83ec | 3745 | ## </summary> |
2629c659 CP |
3746 | ## </param> |
3747 | # | |
15722ec9 | 3748 | interface(`userdom_getattr_all_users',` |
2629c659 CP |
3749 | gen_require(` |
3750 | attribute userdomain; | |
3751 | ') | |
3752 | ||
3753 | allow $1 userdomain:process getattr; | |
3754 | ') | |
3755 | ||
57a96cbd CP |
3756 | ######################################## |
3757 | ## <summary> | |
3758 | ## Inherit the file descriptors from all user domains | |
3759 | ## </summary> | |
3760 | ## <param name="domain"> | |
885b83ec | 3761 | ## <summary> |
725926c5 | 3762 | ## Domain allowed access. |
885b83ec | 3763 | ## </summary> |
57a96cbd CP |
3764 | ## </param> |
3765 | # | |
15722ec9 | 3766 | interface(`userdom_use_all_users_fds',` |
57a96cbd CP |
3767 | gen_require(` |
3768 | attribute userdomain; | |
57a96cbd CP |
3769 | ') |
3770 | ||
3771 | allow $1 userdomain:fd use; | |
3772 | ') | |
3773 | ||
3774 | ######################################## | |
eb3cb682 CP |
3775 | ## <summary> |
3776 | ## Do not audit attempts to inherit the file | |
3777 | ## descriptors from any user domains. | |
3778 | ## </summary> | |
3779 | ## <param name="domain"> | |
885b83ec | 3780 | ## <summary> |
eb3cb682 | 3781 | ## Domain to not audit. |
885b83ec | 3782 | ## </summary> |
eb3cb682 CP |
3783 | ## </param> |
3784 | # | |
15722ec9 | 3785 | interface(`userdom_dontaudit_use_all_users_fds',` |
eb3cb682 CP |
3786 | gen_require(` |
3787 | attribute userdomain; | |
eb3cb682 CP |
3788 | ') |
3789 | ||
3790 | dontaudit $1 userdomain:fd use; | |
3791 | ') | |
3792 | ||
3793 | ######################################## | |
57a96cbd CP |
3794 | ## <summary> |
3795 | ## Send general signals to all user domains. | |
3796 | ## </summary> | |
3797 | ## <param name="domain"> | |
885b83ec | 3798 | ## <summary> |
725926c5 | 3799 | ## Domain allowed access. |
885b83ec | 3800 | ## </summary> |
57a96cbd CP |
3801 | ## </param> |
3802 | # | |
3803 | interface(`userdom_signal_all_users',` | |
3804 | gen_require(` | |
3805 | attribute userdomain; | |
57a96cbd CP |
3806 | ') |
3807 | ||
3808 | allow $1 userdomain:process signal; | |
3809 | ') | |
3810 | ||
4f115e10 DW |
3811 | ######################################## |
3812 | ## <summary> | |
3813 | ## Send kill signals to all user domains. | |
3814 | ## </summary> | |
3815 | ## <param name="domain"> | |
3816 | ## <summary> | |
3817 | ## Domain allowed access. | |
3818 | ## </summary> | |
3819 | ## </param> | |
3820 | # | |
3821 | interface(`userdom_kill_all_users',` | |
3822 | gen_require(` | |
3823 | attribute userdomain; | |
3824 | ') | |
3825 | ||
3826 | allow $1 userdomain:process sigkill; | |
3827 | ') | |
3828 | ||
246839f3 CP |
3829 | ######################################## |
3830 | ## <summary> | |
3831 | ## Send a SIGCHLD signal to all user domains. | |
3832 | ## </summary> | |
3833 | ## <param name="domain"> | |
885b83ec | 3834 | ## <summary> |
246839f3 | 3835 | ## Domain allowed access. |
885b83ec | 3836 | ## </summary> |
246839f3 CP |
3837 | ## </param> |
3838 | # | |
9fd4b818 | 3839 | interface(`userdom_sigchld_all_users',` |
246839f3 CP |
3840 | gen_require(` |
3841 | attribute userdomain; | |
246839f3 CP |
3842 | ') |
3843 | ||
a1fcff33 | 3844 | allow $1 userdomain:process sigchld; |
246839f3 CP |
3845 | ') |
3846 | ||
fe3a1eb8 CP |
3847 | ######################################## |
3848 | ## <summary> | |
3849 | ## Create keys for all user domains. | |
3850 | ## </summary> | |
3851 | ## <param name="domain"> | |
3852 | ## <summary> | |
3853 | ## Domain allowed access. | |
3854 | ## </summary> | |
3855 | ## </param> | |
3856 | # | |
3857 | interface(`userdom_create_all_users_keys',` | |
350b6ab7 CP |
3858 | gen_require(` |
3859 | attribute userdomain; | |
fe3a1eb8 | 3860 | ') |
350b6ab7 CP |
3861 | |
3862 | allow $1 userdomain:key create; | |
fe3a1eb8 CP |
3863 | ') |
3864 | ||
9fd4b818 CP |
3865 | ######################################## |
3866 | ## <summary> | |
3867 | ## Send a dbus message to all user domains. | |
3868 | ## </summary> | |
3869 | ## <param name="domain"> | |
885b83ec | 3870 | ## <summary> |
9fd4b818 | 3871 | ## Domain allowed access. |
885b83ec | 3872 | ## </summary> |
9fd4b818 CP |
3873 | ## </param> |
3874 | # | |
3875 | interface(`userdom_dbus_send_all_users',` | |
3876 | gen_require(` | |
3877 | attribute userdomain; | |
3878 | class dbus send_msg; | |
3879 | ') | |
3880 | ||
3881 | allow $1 userdomain:dbus send_msg; | |
3882 | ') | |
3eaa9939 DW |
3883 | |
3884 | ######################################## | |
3885 | ## <summary> | |
3886 | ## Allow apps to set rlimits on userdomain | |
3887 | ## </summary> | |
3888 | ## <param name="domain"> | |
3889 | ## <summary> | |
3890 | ## Domain allowed access. | |
3891 | ## </summary> | |
3892 | ## </param> | |
3893 | # | |
3894 | interface(`userdom_set_rlimitnh',` | |
3895 | gen_require(` | |
3896 | attribute userdomain; | |
3897 | ') | |
3898 | ||
3899 | allow $1 userdomain:process rlimitinh; | |
3900 | ') | |
3901 | ||
3902 | ######################################## | |
3903 | ## <summary> | |
3904 | ## Define this type as a Allow apps to set rlimits on userdomain | |
3905 | ## </summary> | |
3906 | ## <param name="domain"> | |
3907 | ## <summary> | |
3908 | ## Domain allowed access. | |
3909 | ## </summary> | |
3910 | ## </param> | |
3911 | ## <param name="userdomain_prefix"> | |
3912 | ## <summary> | |
3913 | ## The prefix of the user domain (e.g., user | |
3914 | ## is the prefix for user_t). | |
3915 | ## </summary> | |
3916 | ## </param> | |
3917 | ## <param name="domain"> | |
3918 | ## <summary> | |
3919 | ## Domain allowed access. | |
3920 | ## </summary> | |
3921 | ## </param> | |
3922 | # | |
3923 | template(`userdom_unpriv_usertype',` | |
3924 | gen_require(` | |
3925 | attribute unpriv_userdomain, userdomain; | |
3926 | attribute $1_usertype; | |
3927 | ') | |
3928 | typeattribute $2 $1_usertype; | |
3929 | typeattribute $2 unpriv_userdomain; | |
3930 | typeattribute $2 userdomain; | |
3931 | ||
3932 | ubac_constrained($2) | |
3933 | ') | |
3934 | ||
3935 | ######################################## | |
3936 | ## <summary> | |
3937 | ## Connect to users over an unix stream socket. | |
3938 | ## </summary> | |
3939 | ## <param name="domain"> | |
3940 | ## <summary> | |
3941 | ## Domain allowed access. | |
3942 | ## </summary> | |
3943 | ## </param> | |
3944 | # | |
3945 | interface(`userdom_stream_connect',` | |
3946 | gen_require(` | |
3947 | type user_tmp_t; | |
3948 | attribute userdomain; | |
3949 | ') | |
3950 | ||
3951 | stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) | |
3952 | ') | |
3953 | ||
3954 | ######################################## | |
3955 | ## <summary> | |
3956 | ## Ptrace user domains. | |
3957 | ## </summary> | |
3958 | ## <param name="domain"> | |
3959 | ## <summary> | |
3960 | ## Domain allowed access. | |
3961 | ## </summary> | |
3962 | ## </param> | |
3963 | # | |
3964 | interface(`userdom_ptrace_all_users',` | |
3965 | gen_require(` | |
3966 | attribute userdomain; | |
3967 | ') | |
3968 | ||
3969 | allow $1 userdomain:process ptrace; | |
3970 | ') | |
3971 | ||
3972 | ######################################## | |
3973 | ## <summary> | |
3974 | ## dontaudit Search /root | |
3975 | ## </summary> | |
3976 | ## <param name="domain"> | |
3977 | ## <summary> | |
24280f35 | 3978 | ## Domain to not audit. |
3eaa9939 DW |
3979 | ## </summary> |
3980 | ## </param> | |
3981 | # | |
3982 | interface(`userdom_dontaudit_search_admin_dir',` | |
3983 | gen_require(` | |
3984 | type admin_home_t; | |
3985 | ') | |
3986 | ||
3987 | dontaudit $1 admin_home_t:dir search_dir_perms; | |
3988 | ') | |
3989 | ||
3990 | ######################################## | |
3991 | ## <summary> | |
3992 | ## dontaudit list /root | |
3993 | ## </summary> | |
3994 | ## <param name="domain"> | |
3995 | ## <summary> | |
24280f35 | 3996 | ## Domain to not audit. |
3eaa9939 DW |
3997 | ## </summary> |
3998 | ## </param> | |
3999 | # | |
4000 | interface(`userdom_dontaudit_list_admin_dir',` | |
4001 | gen_require(` | |
4002 | type admin_home_t; | |
4003 | ') | |
4004 | ||
4005 | dontaudit $1 admin_home_t:dir list_dir_perms; | |
4006 | ') | |
4007 | ||
4008 | ######################################## | |
4009 | ## <summary> | |
4010 | ## Allow domain to list /root | |
4011 | ## </summary> | |
4012 | ## <param name="domain"> | |
4013 | ## <summary> | |
4014 | ## Domain allowed access. | |
4015 | ## </summary> | |
4016 | ## </param> | |
4017 | # | |
4018 | interface(`userdom_list_admin_dir',` | |
4019 | gen_require(` | |
4020 | type admin_home_t; | |
4021 | ') | |
4022 | ||
4023 | allow $1 admin_home_t:dir list_dir_perms; | |
4024 | ') | |
4025 | ||
4026 | ######################################## | |
4027 | ## <summary> | |
4028 | ## Allow Search /root | |
4029 | ## </summary> | |
4030 | ## <param name="domain"> | |
4031 | ## <summary> | |
4032 | ## Domain allowed access. | |
4033 | ## </summary> | |
4034 | ## </param> | |
4035 | # | |
4036 | interface(`userdom_search_admin_dir',` | |
4037 | gen_require(` | |
4038 | type admin_home_t; | |
4039 | ') | |
4040 | ||
4041 | allow $1 admin_home_t:dir search_dir_perms; | |
4042 | ') | |
4043 | ||
4044 | ######################################## | |
4045 | ## <summary> | |
4046 | ## RW unpriviledged user SysV sempaphores. | |
4047 | ## </summary> | |
4048 | ## <param name="domain"> | |
4049 | ## <summary> | |
4050 | ## Domain allowed access. | |
4051 | ## </summary> | |
4052 | ## </param> | |
4053 | # | |
4054 | interface(`userdom_rw_semaphores',` | |
4055 | gen_require(` | |
4056 | attribute unpriv_userdomain; | |
4057 | ') | |
4058 | ||
4059 | allow $1 unpriv_userdomain:sem rw_sem_perms; | |
4060 | ') | |
4061 | ||
4062 | ######################################## | |
4063 | ## <summary> | |
4064 | ## Send a message to unpriv users over a unix domain | |
4065 | ## datagram socket. | |
4066 | ## </summary> | |
4067 | ## <param name="domain"> | |
4068 | ## <summary> | |
4069 | ## Domain allowed access. | |
4070 | ## </summary> | |
4071 | ## </param> | |
4072 | # | |
4073 | interface(`userdom_dgram_send',` | |
4074 | gen_require(` | |
4075 | attribute unpriv_userdomain; | |
4076 | ') | |
4077 | ||
4078 | allow $1 unpriv_userdomain:unix_dgram_socket sendto; | |
4079 | ') | |
4080 | ||
4081 | ###################################### | |
4082 | ## <summary> | |
4083 | ## Send a message to users over a unix domain | |
4084 | ## datagram socket. | |
4085 | ## </summary> | |
4086 | ## <param name="domain"> | |
4087 | ## <summary> | |
4088 | ## Domain allowed access. | |
4089 | ## </summary> | |
4090 | ## </param> | |
4091 | # | |
4092 | interface(`userdom_users_dgram_send',` | |
4093 | gen_require(` | |
4094 | attribute userdomain; | |
4095 | ') | |
4096 | ||
4097 | allow $1 userdomain:unix_dgram_socket sendto; | |
4098 | ') | |
4099 | ||
4100 | ####################################### | |
4101 | ## <summary> | |
4102 | ## Allow execmod on files in homedirectory | |
4103 | ## </summary> | |
4104 | ## <param name="domain"> | |
4105 | ## <summary> | |
4106 | ## Domain allowed access. | |
4107 | ## </summary> | |
4108 | ## </param> | |
4109 | ## <rolebase/> | |
4110 | # | |
4111 | interface(`userdom_execmod_user_home_files',` | |
4112 | gen_require(` | |
4113 | type user_home_type; | |
4114 | ') | |
4115 | ||
4116 | allow $1 user_home_type:file execmod; | |
4117 | ') | |
4118 | ||
4119 | ######################################## | |
4120 | ## <summary> | |
4121 | ## Read admin home files. | |
4122 | ## </summary> | |
4123 | ## <param name="domain"> | |
4124 | ## <summary> | |
4125 | ## Domain allowed access. | |
4126 | ## </summary> | |
4127 | ## </param> | |
4128 | ## <rolecap/> | |
4129 | # | |
4130 | interface(`userdom_read_admin_home_files',` | |
4131 | gen_require(` | |
4132 | type admin_home_t; | |
4133 | ') | |
4134 | ||
4135 | read_files_pattern($1, admin_home_t, admin_home_t) | |
4136 | ') | |
4137 | ||
4138 | ######################################## | |
4139 | ## <summary> | |
4140 | ## Execute admin home files. | |
4141 | ## </summary> | |
4142 | ## <param name="domain"> | |
4143 | ## <summary> | |
4144 | ## Domain allowed access. | |
4145 | ## </summary> | |
4146 | ## </param> | |
4147 | ## <rolecap/> | |
4148 | # | |
4149 | interface(`userdom_exec_admin_home_files',` | |
4150 | gen_require(` | |
4151 | type admin_home_t; | |
4152 | ') | |
4153 | ||
4154 | exec_files_pattern($1, admin_home_t, admin_home_t) | |
4155 | ') | |
4156 | ||
4157 | ######################################## | |
4158 | ## <summary> | |
4159 | ## Append files inherited | |
4160 | ## in the /root directory. | |
4161 | ## </summary> | |
4162 | ## <param name="domain"> | |
4163 | ## <summary> | |
4164 | ## Domain allowed access. | |
4165 | ## </summary> | |
4166 | ## </param> | |
4167 | # | |
4168 | interface(`userdom_inherit_append_admin_home_files',` | |
4169 | gen_require(` | |
4170 | type admin_home_t; | |
4171 | ') | |
4172 | ||
4173 | allow $1 admin_home_t:file { getattr append }; | |
4174 | ') | |
4175 | ||
4176 | ||
4177 | ####################################### | |
4178 | ## <summary> | |
4179 | ## Manage all files/directories in the homedir | |
4180 | ## </summary> | |
4181 | ## <param name="userdomain"> | |
4182 | ## <summary> | |
4183 | ## The user domain | |
4184 | ## </summary> | |
4185 | ## </param> | |
4186 | ## <rolebase/> | |
4187 | # | |
4188 | interface(`userdom_manage_user_home_content',` | |
4189 | gen_require(` | |
4190 | type user_home_dir_t, user_home_t; | |
4191 | attribute user_home_type; | |
4192 | ') | |
4193 | ||
4194 | files_list_home($1) | |
4195 | manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4196 | manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4197 | manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4198 | manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4199 | manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4200 | filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) | |
4201 | ||
4202 | ') | |
4203 | ||
4204 | ||
4205 | ######################################## | |
4206 | ## <summary> | |
4207 | ## Create objects in a user home directory | |
4208 | ## with an automatic type transition to | |
4209 | ## the user home file type. | |
4210 | ## </summary> | |
4211 | ## <param name="domain"> | |
4212 | ## <summary> | |
4213 | ## Domain allowed access. | |
4214 | ## </summary> | |
4215 | ## </param> | |
4216 | ## <param name="object_class"> | |
4217 | ## <summary> | |
4218 | ## The class of the object to be created. | |
4219 | ## </summary> | |
4220 | ## </param> | |
4221 | # | |
4222 | interface(`userdom_user_home_dir_filetrans_pattern',` | |
4223 | gen_require(` | |
4224 | type user_home_dir_t, user_home_t; | |
4225 | ') | |
4226 | ||
4227 | type_transition $1 user_home_dir_t:$2 user_home_t; | |
4228 | ') | |
4229 | ||
4230 | ######################################## | |
4231 | ## <summary> | |
4232 | ## Create objects in the /root directory | |
4233 | ## with an automatic type transition to | |
4234 | ## a specified private type. | |
4235 | ## </summary> | |
4236 | ## <param name="domain"> | |
4237 | ## <summary> | |
4238 | ## Domain allowed access. | |
4239 | ## </summary> | |
4240 | ## </param> | |
4241 | ## <param name="private_type"> | |
4242 | ## <summary> | |
4243 | ## The type of the object to create. | |
4244 | ## </summary> | |
4245 | ## </param> | |
4246 | ## <param name="object_class"> | |
4247 | ## <summary> | |
4248 | ## The class of the object to be created. | |
4249 | ## </summary> | |
4250 | ## </param> | |
4251 | # | |
4252 | interface(`userdom_admin_home_dir_filetrans',` | |
4253 | gen_require(` | |
4254 | type admin_home_t; | |
4255 | ') | |
4256 | ||
ae4832c7 | 4257 | filetrans_pattern($1, admin_home_t, $2, $3, $4) |
3eaa9939 DW |
4258 | ') |
4259 | ||
4260 | ######################################## | |
4261 | ## <summary> | |
4262 | ## Send signull to unprivileged user domains. | |
4263 | ## </summary> | |
4264 | ## <param name="domain"> | |
4265 | ## <summary> | |
4266 | ## Domain allowed access. | |
4267 | ## </summary> | |
4268 | ## </param> | |
4269 | # | |
4270 | interface(`userdom_signull_unpriv_users',` | |
4271 | gen_require(` | |
4272 | attribute unpriv_userdomain; | |
4273 | ') | |
4274 | ||
4275 | allow $1 unpriv_userdomain:process signull; | |
4276 | ') | |
4277 | ||
4278 | ######################################## | |
4279 | ## <summary> | |
4280 | ## Write all users files in /tmp | |
4281 | ## </summary> | |
4282 | ## <param name="domain"> | |
4283 | ## <summary> | |
4284 | ## Domain allowed access. | |
4285 | ## </summary> | |
4286 | ## </param> | |
4287 | # | |
4288 | interface(`userdom_write_user_tmp_dirs',` | |
4289 | gen_require(` | |
4290 | type user_tmp_t; | |
4291 | ') | |
4292 | ||
4293 | write_files_pattern($1, user_tmp_t, user_tmp_t) | |
4294 | ') | |
4295 | ||
4296 | ######################################## | |
4297 | ## <summary> | |
4298 | ## Manage keys for all user domains. | |
4299 | ## </summary> | |
4300 | ## <param name="domain"> | |
4301 | ## <summary> | |
4302 | ## Domain allowed access. | |
4303 | ## </summary> | |
4304 | ## </param> | |
4305 | # | |
4306 | interface(`userdom_manage_all_users_keys',` | |
4307 | gen_require(` | |
4308 | attribute userdomain; | |
4309 | ') | |
4310 | ||
4311 | allow $1 userdomain:key manage_key_perms; | |
4312 | ') | |
4313 | ||
4314 | ||
4315 | ######################################## | |
4316 | ## <summary> | |
4317 | ## Do not audit attempts to read and write | |
4318 | ## unserdomain stream. | |
4319 | ## </summary> | |
4320 | ## <param name="domain"> | |
4321 | ## <summary> | |
4322 | ## Domain to not audit. | |
4323 | ## </summary> | |
4324 | ## </param> | |
4325 | # | |
4326 | interface(`userdom_dontaudit_rw_stream',` | |
4327 | gen_require(` | |
4328 | attribute userdomain; | |
4329 | ') | |
4330 | ||
4331 | dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; | |
4332 | ') | |
4333 | ||
3d3d47e4 DW |
4334 | ######################################## |
4335 | ## <summary> | |
4336 | ## Do not audit attempts to read and write | |
4337 | ## unserdomain datagram socket. | |
4338 | ## </summary> | |
4339 | ## <param name="domain"> | |
4340 | ## <summary> | |
4341 | ## Domain to not audit. | |
4342 | ## </summary> | |
4343 | ## </param> | |
4344 | # | |
4345 | interface(`userdom_dontaudit_rw_dgram_socket',` | |
4346 | gen_require(` | |
4347 | attribute userdomain; | |
4348 | ') | |
4349 | ||
6a074ab5 | 4350 | dontaudit $1 userdomain:unix_dgram_socket { read write }; |
3d3d47e4 DW |
4351 | ') |
4352 | ||
3eaa9939 DW |
4353 | ######################################## |
4354 | ## <summary> | |
4355 | ## Append files | |
4356 | ## in a user home subdirectory. | |
4357 | ## </summary> | |
4358 | ## <param name="domain"> | |
4359 | ## <summary> | |
4360 | ## Domain allowed access. | |
4361 | ## </summary> | |
4362 | ## </param> | |
4363 | # | |
4364 | interface(`userdom_append_user_home_content_files',` | |
4365 | gen_require(` | |
4366 | type user_home_dir_t, user_home_t; | |
4367 | ') | |
4368 | ||
4369 | append_files_pattern($1, user_home_t, user_home_t) | |
4370 | allow $1 user_home_dir_t:dir search_dir_perms; | |
4371 | files_search_home($1) | |
4372 | ') | |
4373 | ||
4374 | ######################################## | |
4375 | ## <summary> | |
4376 | ## Read files inherited | |
4377 | ## in a user home subdirectory. | |
4378 | ## </summary> | |
4379 | ## <param name="domain"> | |
4380 | ## <summary> | |
4381 | ## Domain allowed access. | |
4382 | ## </summary> | |
4383 | ## </param> | |
4384 | # | |
4385 | interface(`userdom_read_inherited_user_home_content_files',` | |
4386 | gen_require(` | |
4387 | attribute user_home_type; | |
4388 | ') | |
4389 | ||
4390 | allow $1 user_home_type:file { getattr read }; | |
4391 | ') | |
4392 | ||
4393 | ######################################## | |
4394 | ## <summary> | |
4395 | ## Append files inherited | |
4396 | ## in a user home subdirectory. | |
4397 | ## </summary> | |
4398 | ## <param name="domain"> | |
4399 | ## <summary> | |
4400 | ## Domain allowed access. | |
4401 | ## </summary> | |
4402 | ## </param> | |
4403 | # | |
4404 | interface(`userdom_inherit_append_user_home_content_files',` | |
4405 | gen_require(` | |
4406 | type user_home_t; | |
4407 | ') | |
4408 | ||
4409 | allow $1 user_home_t:file { getattr append }; | |
4410 | ') | |
4411 | ||
4412 | ######################################## | |
4413 | ## <summary> | |
4414 | ## Append files inherited | |
4415 | ## in a user tmp files. | |
4416 | ## </summary> | |
4417 | ## <param name="domain"> | |
4418 | ## <summary> | |
4419 | ## Domain allowed access. | |
4420 | ## </summary> | |
4421 | ## </param> | |
4422 | # | |
4423 | interface(`userdom_inherit_append_user_tmp_files',` | |
4424 | gen_require(` | |
4425 | type user_tmp_t; | |
4426 | ') | |
4427 | ||
4428 | allow $1 user_tmp_t:file { getattr append }; | |
4429 | ') | |
4430 | ||
4431 | ###################################### | |
4432 | ## <summary> | |
4433 | ## Read audio files in the users homedir. | |
4434 | ## </summary> | |
4435 | ## <param name="domain"> | |
4436 | ## <summary> | |
4437 | ## Domain allowed access. | |
4438 | ## </summary> | |
4439 | ## </param> | |
4440 | ## <rolecap/> | |
4441 | # | |
4442 | interface(`userdom_read_home_audio_files',` | |
4443 | gen_require(` | |
4444 | type audio_home_t; | |
4445 | ') | |
4446 | ||
4447 | userdom_search_user_home_dirs($1) | |
4448 | allow $1 audio_home_t:dir list_dir_perms; | |
4449 | read_files_pattern($1, audio_home_t, audio_home_t) | |
4450 | read_lnk_files_pattern($1, audio_home_t, audio_home_t) | |
4451 | ') | |
4452 | ||
ca9e8850 DW |
4453 | ######################################## |
4454 | ## <summary> | |
4455 | ## Do not audit attempts to write all user home content files. | |
4456 | ## </summary> | |
4457 | ## <param name="domain"> | |
4458 | ## <summary> | |
4459 | ## Domain to not audit. | |
4460 | ## </summary> | |
4461 | ## </param> | |
4462 | # | |
4463 | interface(`userdom_dontaudit_write_all_user_home_content_files',` | |
4464 | gen_require(` | |
4465 | attribute user_home_type; | |
4466 | ') | |
4467 | ||
4468 | dontaudit $1 user_home_type:file write_file_perms; | |
4469 | ') | |
4470 | ||
4471 | ######################################## | |
4472 | ## <summary> | |
4473 | ## Do not audit attempts to write all user tmp content files. | |
4474 | ## </summary> | |
4475 | ## <param name="domain"> | |
4476 | ## <summary> | |
4477 | ## Domain to not audit. | |
4478 | ## </summary> | |
4479 | ## </param> | |
4480 | # | |
4481 | interface(`userdom_dontaudit_write_all_user_tmp_content_files',` | |
4482 | gen_require(` | |
4483 | attribute user_tmp_type; | |
4484 | ') | |
4485 | ||
4486 | dontaudit $1 user_tmp_type:file write_file_perms; | |
4487 | ') | |
4488 | ||
4489 | ######################################## | |
4490 | ## <summary> | |
4491 | ## Manage all user temporary content. | |
4492 | ## </summary> | |
4493 | ## <param name="domain"> | |
4494 | ## <summary> | |
4495 | ## Domain allowed access. | |
4496 | ## </summary> | |
4497 | ## </param> | |
4498 | # | |
4499 | interface(`userdom_manage_all_user_tmp_content',` | |
4500 | gen_require(` | |
4501 | attribute user_tmp_type; | |
4502 | ') | |
4503 | ||
4504 | manage_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4505 | manage_files_pattern($1, user_tmp_type, user_tmp_type) | |
4506 | manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4507 | manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4508 | manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4509 | files_search_tmp($1) | |
4510 | ') | |
4511 | ||
4512 | ######################################## | |
4513 | ## <summary> | |
4514 | ## List all user temporary content. | |
4515 | ## </summary> | |
4516 | ## <param name="domain"> | |
4517 | ## <summary> | |
4518 | ## Domain allowed access. | |
4519 | ## </summary> | |
4520 | ## </param> | |
4521 | # | |
4522 | interface(`userdom_list_all_user_tmp_content',` | |
4523 | gen_require(` | |
4524 | attribute user_tmp_type; | |
4525 | ') | |
4526 | ||
4527 | list_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4528 | getattr_files_pattern($1, user_tmp_type, user_tmp_type) | |
4529 | read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4530 | getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4531 | getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4532 | files_search_var($1) | |
4533 | files_search_tmp($1) | |
4534 | ') | |
4535 | ||
4536 | ######################################## | |
4537 | ## <summary> | |
4538 | ## Manage all user tmpfs content. | |
4539 | ## </summary> | |
4540 | ## <param name="domain"> | |
4541 | ## <summary> | |
4542 | ## Domain allowed access. | |
4543 | ## </summary> | |
4544 | ## </param> | |
4545 | # | |
4546 | interface(`userdom_manage_all_user_tmpfs_content',` | |
4547 | gen_require(` | |
4548 | attribute user_tmpfs_type; | |
4549 | ') | |
4550 | ||
4551 | manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4552 | manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4553 | manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4554 | manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4555 | manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4556 | fs_search_tmpfs($1) | |
4557 | ') | |
4558 | ||
4559 | ######################################## | |
4560 | ## <summary> | |
4561 | ## Delete all user temporary content. | |
4562 | ## </summary> | |
4563 | ## <param name="domain"> | |
4564 | ## <summary> | |
4565 | ## Domain allowed access. | |
4566 | ## </summary> | |
4567 | ## </param> | |
4568 | # | |
4569 | interface(`userdom_delete_all_user_tmp_content',` | |
4570 | gen_require(` | |
4571 | attribute user_tmp_type; | |
4572 | ') | |
4573 | ||
4574 | delete_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4575 | delete_files_pattern($1, user_tmp_type, user_tmp_type) | |
4576 | delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4577 | delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4578 | delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4579 | # /var/tmp | |
4580 | files_search_var($1) | |
4581 | files_delete_tmp_dir_entry($1) | |
4582 | ') | |
4583 | ||
3eaa9939 DW |
4584 | ######################################## |
4585 | ## <summary> | |
4586 | ## Read system SSL certificates in the users homedir. | |
4587 | ## </summary> | |
4588 | ## <param name="domain"> | |
4589 | ## <summary> | |
4590 | ## Domain allowed access. | |
4591 | ## </summary> | |
4592 | ## </param> | |
3eaa9939 DW |
4593 | # |
4594 | interface(`userdom_read_home_certs',` | |
4595 | gen_require(` | |
4596 | type home_cert_t; | |
4597 | ') | |
4598 | ||
4982766c | 4599 | userdom_search_user_home_content($1) |
3eaa9939 DW |
4600 | allow $1 home_cert_t:dir list_dir_perms; |
4601 | read_files_pattern($1, home_cert_t, home_cert_t) | |
4602 | read_lnk_files_pattern($1, home_cert_t, home_cert_t) | |
4603 | ') | |
4604 | ||
f06e4c22 MG |
4605 | ####################################### |
4606 | ## <summary> | |
4607 | ## Dontaudit Write system SSL certificates in the users homedir. | |
4608 | ## </summary> | |
4609 | ## <param name="domain"> | |
4610 | ## <summary> | |
24280f35 | 4611 | ## Domain to not audit. |
f06e4c22 MG |
4612 | ## </summary> |
4613 | ## </param> | |
4614 | # | |
4615 | interface(`userdom_dontaudit_write_home_certs',` | |
4616 | gen_require(` | |
4617 | type home_cert_t; | |
4618 | ') | |
4619 | ||
4620 | dontaudit $1 home_cert_t:file write; | |
4621 | ') | |
4622 | ||
3eaa9939 DW |
4623 | ######################################## |
4624 | ## <summary> | |
4625 | ## dontaudit Search getatrr /root files | |
4626 | ## </summary> | |
4627 | ## <param name="domain"> | |
4628 | ## <summary> | |
24280f35 | 4629 | ## Domain to not audit. |
3eaa9939 DW |
4630 | ## </summary> |
4631 | ## </param> | |
4632 | # | |
4633 | interface(`userdom_dontaudit_getattr_admin_home_files',` | |
4634 | gen_require(` | |
4635 | type admin_home_t; | |
4636 | ') | |
4637 | ||
4638 | dontaudit $1 admin_home_t:file getattr; | |
4639 | ') | |
4640 | ||
4641 | ######################################## | |
4642 | ## <summary> | |
4643 | ## dontaudit read /root lnk files | |
4644 | ## </summary> | |
4645 | ## <param name="domain"> | |
4646 | ## <summary> | |
24280f35 | 4647 | ## Domain to not audit. |
3eaa9939 DW |
4648 | ## </summary> |
4649 | ## </param> | |
4650 | # | |
4651 | interface(`userdom_dontaudit_read_admin_home_lnk_files',` | |
4652 | gen_require(` | |
4653 | type admin_home_t; | |
4654 | ') | |
4655 | ||
4656 | dontaudit $1 admin_home_t:lnk_file read; | |
4657 | ') | |
4658 | ||
4659 | ######################################## | |
4660 | ## <summary> | |
4661 | ## dontaudit read /root files | |
4662 | ## </summary> | |
4663 | ## <param name="domain"> | |
4664 | ## <summary> | |
24280f35 | 4665 | ## Domain to not audit. |
3eaa9939 DW |
4666 | ## </summary> |
4667 | ## </param> | |
4668 | # | |
4669 | interface(`userdom_dontaudit_read_admin_home_files',` | |
4670 | gen_require(` | |
4671 | type admin_home_t; | |
4672 | ') | |
4673 | ||
4674 | dontaudit $1 admin_home_t:file read_file_perms; | |
4675 | ') | |
4676 | ||
4677 | ######################################## | |
4678 | ## <summary> | |
4679 | ## Create, read, write, and delete user | |
4680 | ## temporary chr files. | |
4681 | ## </summary> | |
4682 | ## <param name="domain"> | |
4683 | ## <summary> | |
4684 | ## Domain allowed access. | |
4685 | ## </summary> | |
4686 | ## </param> | |
4687 | # | |
4688 | interface(`userdom_manage_user_tmp_chr_files',` | |
4689 | gen_require(` | |
4690 | type user_tmp_t; | |
4691 | ') | |
4692 | ||
4693 | manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) | |
4694 | files_search_tmp($1) | |
4695 | ') | |
4696 | ||
4697 | ######################################## | |
4698 | ## <summary> | |
4699 | ## Create, read, write, and delete user | |
4700 | ## temporary blk files. | |
4701 | ## </summary> | |
4702 | ## <param name="domain"> | |
4703 | ## <summary> | |
4704 | ## Domain allowed access. | |
4705 | ## </summary> | |
4706 | ## </param> | |
4707 | # | |
4708 | interface(`userdom_manage_user_tmp_blk_files',` | |
4709 | gen_require(` | |
4710 | type user_tmp_t; | |
4711 | ') | |
4712 | ||
4713 | manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4714 | files_search_tmp($1) | |
4715 | ') | |
4716 | ||
4717 | ######################################## | |
4718 | ## <summary> | |
4719 | ## Dontaudit attempt to set attributes on user temporary directories. | |
4720 | ## </summary> | |
4721 | ## <param name="domain"> | |
4722 | ## <summary> | |
24280f35 | 4723 | ## Domain to not audit. |
3eaa9939 DW |
4724 | ## </summary> |
4725 | ## </param> | |
4726 | # | |
4727 | interface(`userdom_dontaudit_setattr_user_tmp',` | |
4728 | gen_require(` | |
4729 | type user_tmp_t; | |
4730 | ') | |
4731 | ||
4732 | dontaudit $1 user_tmp_t:dir setattr; | |
4733 | ') | |
4734 | ||
4735 | ######################################## | |
4736 | ## <summary> | |
4737 | ## Write all inherited users files in /tmp | |
4738 | ## </summary> | |
4739 | ## <param name="domain"> | |
4740 | ## <summary> | |
4741 | ## Domain allowed access. | |
4742 | ## </summary> | |
4743 | ## </param> | |
4744 | # | |
4745 | interface(`userdom_write_inherited_user_tmp_files',` | |
4746 | gen_require(` | |
4747 | type user_tmp_t; | |
4748 | ') | |
4749 | ||
4750 | allow $1 user_tmp_t:file write; | |
4751 | ') | |
4752 | ||
4753 | ######################################## | |
4754 | ## <summary> | |
4755 | ## Delete all users files in /tmp | |
4756 | ## </summary> | |
4757 | ## <param name="domain"> | |
4758 | ## <summary> | |
4759 | ## Domain allowed access. | |
4760 | ## </summary> | |
4761 | ## </param> | |
4762 | # | |
4763 | interface(`userdom_delete_user_tmp_files',` | |
4764 | gen_require(` | |
4765 | type user_tmp_t; | |
4766 | ') | |
4767 | ||
4768 | allow $1 user_tmp_t:file delete_file_perms; | |
4769 | ') | |
4770 | ||
4771 | ######################################## | |
4772 | ## <summary> | |
4773 | ## Delete user tmpfs files. | |
4774 | ## </summary> | |
4775 | ## <param name="domain"> | |
4776 | ## <summary> | |
4777 | ## Domain allowed access. | |
4778 | ## </summary> | |
4779 | ## </param> | |
4780 | # | |
4781 | interface(`userdom_delete_user_tmpfs_files',` | |
4782 | gen_require(` | |
4783 | type user_tmpfs_t; | |
4784 | ') | |
4785 | ||
4786 | allow $1 user_tmpfs_t:file delete_file_perms; | |
4787 | ') | |
4788 | ||
4789 | ######################################## | |
4790 | ## <summary> | |
4791 | ## Read/Write unpriviledged user SysV shared | |
4792 | ## memory segments. | |
4793 | ## </summary> | |
4794 | ## <param name="domain"> | |
4795 | ## <summary> | |
4796 | ## Domain allowed access. | |
4797 | ## </summary> | |
4798 | ## </param> | |
4799 | # | |
4800 | interface(`userdom_rw_unpriv_user_shared_mem',` | |
4801 | gen_require(` | |
4802 | attribute unpriv_userdomain; | |
4803 | ') | |
4804 | ||
4805 | allow $1 unpriv_userdomain:shm rw_shm_perms; | |
4806 | ') | |
4807 | ||
4808 | ######################################## | |
4809 | ## <summary> | |
4810 | ## Do not audit attempts to search user | |
4811 | ## temporary directories. | |
4812 | ## </summary> | |
4813 | ## <param name="domain"> | |
4814 | ## <summary> | |
4815 | ## Domain to not audit. | |
4816 | ## </summary> | |
4817 | ## </param> | |
4818 | # | |
4819 | interface(`userdom_dontaudit_search_user_tmp',` | |
4820 | gen_require(` | |
4821 | type user_tmp_t; | |
4822 | ') | |
4823 | ||
4824 | dontaudit $1 user_tmp_t:dir search_dir_perms; | |
4825 | ') | |
4826 | ||
4827 | ######################################## | |
4828 | ## <summary> | |
4829 | ## Execute a file in a user home directory | |
4830 | ## in the specified domain. | |
4831 | ## </summary> | |
4832 | ## <desc> | |
4833 | ## <p> | |
4834 | ## Execute a file in a user home directory | |
4835 | ## in the specified domain. | |
4836 | ## </p> | |
4837 | ## <p> | |
4838 | ## No interprocess communication (signals, pipes, | |
4839 | ## etc.) is provided by this interface since | |
4840 | ## the domains are not owned by this module. | |
4841 | ## </p> | |
4842 | ## </desc> | |
4843 | ## <param name="domain"> | |
4844 | ## <summary> | |
4845 | ## Domain allowed access. | |
4846 | ## </summary> | |
4847 | ## </param> | |
4848 | ## <param name="target_domain"> | |
4849 | ## <summary> | |
4850 | ## The type of the new process. | |
4851 | ## </summary> | |
4852 | ## </param> | |
4853 | # | |
4854 | interface(`userdom_domtrans_user_home',` | |
4855 | gen_require(` | |
4856 | type user_home_t; | |
4857 | ') | |
4858 | ||
4859 | read_lnk_files_pattern($1, user_home_t, user_home_t) | |
4860 | domain_transition_pattern($1, user_home_t, $2) | |
4861 | type_transition $1 user_home_t:process $2; | |
4862 | ') | |
4863 | ||
4864 | ######################################## | |
4865 | ## <summary> | |
4866 | ## Execute a file in a user tmp directory | |
4867 | ## in the specified domain. | |
4868 | ## </summary> | |
4869 | ## <desc> | |
4870 | ## <p> | |
4871 | ## Execute a file in a user tmp directory | |
4872 | ## in the specified domain. | |
4873 | ## </p> | |
4874 | ## <p> | |
4875 | ## No interprocess communication (signals, pipes, | |
4876 | ## etc.) is provided by this interface since | |
4877 | ## the domains are not owned by this module. | |
4878 | ## </p> | |
4879 | ## </desc> | |
4880 | ## <param name="domain"> | |
4881 | ## <summary> | |
4882 | ## Domain allowed access. | |
4883 | ## </summary> | |
4884 | ## </param> | |
4885 | ## <param name="target_domain"> | |
4886 | ## <summary> | |
4887 | ## The type of the new process. | |
4888 | ## </summary> | |
4889 | ## </param> | |
4890 | # | |
4891 | interface(`userdom_domtrans_user_tmp',` | |
4892 | gen_require(` | |
4893 | type user_tmp_t; | |
4894 | ') | |
4895 | ||
4896 | files_search_tmp($1) | |
4897 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4898 | domain_transition_pattern($1, user_tmp_t, $2) | |
4899 | type_transition $1 user_tmp_t:process $2; | |
4900 | ') | |
ca9e8850 DW |
4901 | |
4902 | ######################################## | |
4903 | ## <summary> | |
4904 | ## Do not audit attempts to read all user home content files. | |
4905 | ## </summary> | |
4906 | ## <param name="domain"> | |
4907 | ## <summary> | |
4908 | ## Domain to not audit. | |
4909 | ## </summary> | |
4910 | ## </param> | |
4911 | # | |
4912 | interface(`userdom_dontaudit_read_all_user_home_content_files',` | |
4913 | gen_require(` | |
4914 | attribute user_home_type; | |
4915 | ') | |
4916 | ||
4917 | dontaudit $1 user_home_type:file read_file_perms; | |
4918 | ') | |
4919 | ||
4920 | ######################################## | |
4921 | ## <summary> | |
4922 | ## Do not audit attempts to read all user tmp content files. | |
4923 | ## </summary> | |
4924 | ## <param name="domain"> | |
4925 | ## <summary> | |
4926 | ## Domain to not audit. | |
4927 | ## </summary> | |
4928 | ## </param> | |
4929 | # | |
4930 | interface(`userdom_dontaudit_read_all_user_tmp_content_files',` | |
4931 | gen_require(` | |
4932 | attribute user_tmp_type; | |
4933 | ') | |
4934 | ||
4935 | dontaudit $1 user_tmp_type:file read_file_perms; | |
4936 | ') | |
4937 |