]>
Commit | Line | Data |
---|---|---|
490639cd | 1 | ## <summary>Policy for user domains</summary> |
b16c6b8c | 2 | |
8fd36732 CP |
3 | ####################################### |
4 | ## <summary> | |
bbcd3c97 | 5 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
6 | ## </summary> |
7 | ## <desc> | |
8 | ## <p> | |
bbcd3c97 | 9 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
10 | ## </p> |
11 | ## <p> | |
bbcd3c97 CP |
12 | ## This template creates a user domain, types, and |
13 | ## rules for the user's tty and pty. | |
8fd36732 CP |
14 | ## </p> |
15 | ## </desc> | |
16 | ## <param name="userdomain_prefix"> | |
885b83ec | 17 | ## <summary> |
8fd36732 CP |
18 | ## The prefix of the user domain (e.g., user |
19 | ## is the prefix for user_t). | |
885b83ec | 20 | ## </summary> |
8fd36732 | 21 | ## </param> |
bbcd3c97 | 22 | ## <rolebase/> |
b16c6b8c | 23 | # |
bbcd3c97 | 24 | template(`userdom_base_user_template',` |
c6a60bb2 CP |
25 | |
26 | gen_require(` | |
d6d16b97 | 27 | attribute userdomain; |
296273a7 | 28 | type user_devpts_t, user_tty_device_t; |
c6a60bb2 CP |
29 | class context contains; |
30 | ') | |
31 | ||
0c73cd25 | 32 | attribute $1_file_type; |
3eaa9939 | 33 | attribute $1_usertype; |
0c73cd25 | 34 | |
3eaa9939 | 35 | type $1_t, userdomain, $1_usertype; |
c9428d33 CP |
36 | domain_type($1_t) |
37 | corecmd_shell_entry_type($1_t) | |
d40c0ecf | 38 | corecmd_bin_entry_type($1_t) |
2e863f8a | 39 | domain_user_exemption_target($1_t) |
296273a7 | 40 | ubac_constrained($1_t) |
0c73cd25 CP |
41 | role $1_r types $1_t; |
42 | allow system_r $1_r; | |
43 | ||
296273a7 | 44 | term_user_pty($1_t, user_devpts_t) |
0c73cd25 | 45 | |
296273a7 | 46 | term_user_tty($1_t, user_tty_device_t) |
3eaa9939 DW |
47 | term_dontaudit_getattr_generic_ptys($1_t) |
48 | ||
49 | allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; | |
50 | allow $1_usertype $1_usertype:fd use; | |
51 | allow $1_usertype $1_t:key { create view read write search link setattr }; | |
52 | ||
53 | allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; | |
54 | allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; | |
55 | allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; | |
56 | allow $1_usertype $1_usertype:shm create_shm_perms; | |
57 | allow $1_usertype $1_usertype:sem create_sem_perms; | |
58 | allow $1_usertype $1_usertype:msgq create_msgq_perms; | |
59 | allow $1_usertype $1_usertype:msg { send receive }; | |
60 | allow $1_usertype $1_usertype:context contains; | |
61 | dontaudit $1_usertype $1_usertype:socket create; | |
62 | ||
63 | allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; | |
64 | term_create_pty($1_usertype, user_devpts_t) | |
296273a7 | 65 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 | 66 | dontaudit $1_usertype user_devpts_t:chr_file ioctl; |
0c73cd25 | 67 | |
3eaa9939 | 68 | allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; |
296273a7 | 69 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 DW |
70 | dontaudit $1_usertype user_tty_device_t:chr_file ioctl; |
71 | ||
72 | application_exec_all($1_usertype) | |
73 | ||
74 | kernel_read_kernel_sysctls($1_usertype) | |
75 | kernel_read_all_sysctls($1_usertype) | |
76 | kernel_dontaudit_list_unlabeled($1_usertype) | |
77 | kernel_dontaudit_getattr_unlabeled_files($1_usertype) | |
78 | kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) | |
79 | kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) | |
80 | kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) | |
81 | kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) | |
82 | kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) | |
83 | kernel_dontaudit_list_proc($1_usertype) | |
84 | ||
85 | dev_dontaudit_getattr_all_blk_files($1_usertype) | |
86 | dev_dontaudit_getattr_all_chr_files($1_usertype) | |
87 | dev_getattr_mtrr_dev($1_t) | |
847937da | 88 | |
2ec4c9d3 | 89 | # When the user domain runs ps, there will be a number of access |
ff8f0a63 | 90 | # denials when ps tries to search /proc. Do not audit these denials. |
3eaa9939 DW |
91 | domain_dontaudit_read_all_domains_state($1_usertype) |
92 | domain_dontaudit_getattr_all_domains($1_usertype) | |
93 | domain_dontaudit_getsession_all_domains($1_usertype) | |
94 | ||
95 | files_read_etc_files($1_usertype) | |
96 | files_list_mnt($1_usertype) | |
97 | files_read_mnt_files($1_usertype) | |
98 | files_read_etc_runtime_files($1_usertype) | |
99 | files_read_usr_files($1_usertype) | |
100 | files_read_usr_src_files($1_usertype) | |
bbcd3c97 CP |
101 | # Read directories and files with the readable_t type. |
102 | # This type is a general type for "world"-readable files. | |
3eaa9939 DW |
103 | files_list_world_readable($1_usertype) |
104 | files_read_world_readable_files($1_usertype) | |
105 | files_read_world_readable_symlinks($1_usertype) | |
106 | files_read_world_readable_pipes($1_usertype) | |
107 | files_read_world_readable_sockets($1_usertype) | |
a2868f6e | 108 | # old broswer_domain(): |
3eaa9939 DW |
109 | files_dontaudit_getattr_all_dirs($1_usertype) |
110 | files_dontaudit_list_non_security($1_usertype) | |
111 | files_dontaudit_getattr_all_files($1_usertype) | |
112 | files_dontaudit_getattr_non_security_symlinks($1_usertype) | |
113 | files_dontaudit_getattr_non_security_pipes($1_usertype) | |
114 | files_dontaudit_getattr_non_security_sockets($1_usertype) | |
115 | ||
116 | files_exec_usr_files($1_t) | |
117 | ||
118 | fs_list_cgroup_dirs($1_usertype) | |
119 | fs_dontaudit_rw_cgroup_files($1_usertype) | |
120 | ||
121 | storage_rw_fuse($1_usertype) | |
122 | ||
123 | auth_use_nsswitch($1_usertype) | |
0c73cd25 | 124 | |
3eaa9939 | 125 | init_stream_connect($1_usertype) |
9461b606 DW |
126 | # The library functions always try to open read-write first, |
127 | # then fall back to read-only if it fails. | |
128 | init_dontaudit_rw_utmp($1_usertype) | |
bbcd3c97 | 129 | |
3eaa9939 | 130 | libs_exec_ld_so($1_usertype) |
6b19be33 | 131 | |
bbcd3c97 | 132 | miscfiles_read_localization($1_t) |
83406219 | 133 | miscfiles_read_generic_certs($1_t) |
6b19be33 | 134 | |
cab9bc9c | 135 | miscfiles_read_all_certs($1_usertype) |
3eaa9939 DW |
136 | miscfiles_read_localization($1_usertype) |
137 | miscfiles_read_man_pages($1_usertype) | |
138 | miscfiles_read_public_files($1_usertype) | |
bbcd3c97 CP |
139 | |
140 | tunable_policy(`allow_execmem',` | |
141 | # Allow loading DSOs that require executable stack. | |
142 | allow $1_t self:process execmem; | |
143 | ') | |
144 | ||
145 | tunable_policy(`allow_execmem && allow_execstack',` | |
146 | # Allow making the stack executable via mprotect. | |
147 | allow $1_t self:process execstack; | |
148 | ') | |
3eaa9939 DW |
149 | |
150 | optional_policy(` | |
151 | fs_list_cgroup_dirs($1_usertype) | |
152 | ') | |
153 | ||
154 | optional_policy(` | |
155 | ssh_rw_stream_sockets($1_usertype) | |
156 | ssh_delete_tmp($1_t) | |
157 | ssh_signal($1_t) | |
158 | ') | |
bbcd3c97 CP |
159 | ') |
160 | ||
161 | ####################################### | |
162 | ## <summary> | |
296273a7 CP |
163 | ## Allow a home directory for which the |
164 | ## role has read-only access. | |
bbcd3c97 CP |
165 | ## </summary> |
166 | ## <desc> | |
167 | ## <p> | |
296273a7 CP |
168 | ## Allow a home directory for which the |
169 | ## role has read-only access. | |
bbcd3c97 CP |
170 | ## </p> |
171 | ## <p> | |
172 | ## This does not allow execute access. | |
173 | ## </p> | |
174 | ## </desc> | |
296273a7 | 175 | ## <param name="role"> |
bbcd3c97 | 176 | ## <summary> |
296273a7 CP |
177 | ## The user role |
178 | ## </summary> | |
179 | ## </param> | |
180 | ## <param name="userdomain"> | |
181 | ## <summary> | |
182 | ## The user domain | |
bbcd3c97 CP |
183 | ## </summary> |
184 | ## </param> | |
185 | ## <rolebase/> | |
186 | # | |
296273a7 | 187 | interface(`userdom_ro_home_role',` |
d6d16b97 | 188 | gen_require(` |
296273a7 | 189 | type user_home_t, user_home_dir_t; |
d6d16b97 CP |
190 | ') |
191 | ||
3eaa9939 DW |
192 | role $1 types { user_home_t user_home_dir_t }; |
193 | ||
bbcd3c97 CP |
194 | ############################## |
195 | # | |
196 | # Domain access to home dir | |
197 | # | |
198 | ||
296273a7 CP |
199 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
200 | ||
bbcd3c97 | 201 | # read-only home directory |
296273a7 CP |
202 | allow $2 user_home_dir_t:dir list_dir_perms; |
203 | allow $2 user_home_t:dir list_dir_perms; | |
204 | allow $2 user_home_t:file entrypoint; | |
205 | read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
206 | read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
207 | read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
208 | read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
209 | files_list_home($2) | |
bbcd3c97 | 210 | |
bbcd3c97 CP |
211 | ') |
212 | ||
213 | ####################################### | |
214 | ## <summary> | |
296273a7 CP |
215 | ## Allow a home directory for which the |
216 | ## role has full access. | |
bbcd3c97 CP |
217 | ## </summary> |
218 | ## <desc> | |
219 | ## <p> | |
296273a7 CP |
220 | ## Allow a home directory for which the |
221 | ## role has full access. | |
bbcd3c97 CP |
222 | ## </p> |
223 | ## <p> | |
224 | ## This does not allow execute access. | |
225 | ## </p> | |
226 | ## </desc> | |
296273a7 | 227 | ## <param name="role"> |
bbcd3c97 | 228 | ## <summary> |
296273a7 CP |
229 | ## The user role |
230 | ## </summary> | |
231 | ## </param> | |
232 | ## <param name="userdomain"> | |
233 | ## <summary> | |
234 | ## The user domain | |
bbcd3c97 CP |
235 | ## </summary> |
236 | ## </param> | |
237 | ## <rolebase/> | |
238 | # | |
296273a7 | 239 | interface(`userdom_manage_home_role',` |
d6d16b97 | 240 | gen_require(` |
296273a7 | 241 | type user_home_t, user_home_dir_t; |
3eaa9939 | 242 | attribute user_home_type; |
d6d16b97 CP |
243 | ') |
244 | ||
3eaa9939 DW |
245 | role $1 types { user_home_type user_home_dir_t }; |
246 | ||
bbcd3c97 CP |
247 | ############################## |
248 | # | |
249 | # Domain access to home dir | |
250 | # | |
251 | ||
296273a7 CP |
252 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
253 | ||
bbcd3c97 | 254 | # full control of the home directory |
3eaa9939 | 255 | allow $2 user_home_t:dir mounton; |
296273a7 | 256 | allow $2 user_home_t:file entrypoint; |
3eaa9939 DW |
257 | |
258 | allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; | |
259 | allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; | |
260 | manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
261 | manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
262 | manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
263 | manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
264 | manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
265 | relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
266 | relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
267 | relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
268 | relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
269 | relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
296273a7 CP |
270 | filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) |
271 | files_list_home($2) | |
bbcd3c97 | 272 | |
c0868a7a | 273 | # cjp: this should probably be removed: |
296273a7 | 274 | allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; |
c0868a7a | 275 | |
bbcd3c97 | 276 | tunable_policy(`use_nfs_home_dirs',` |
3eaa9939 DW |
277 | fs_mount_nfs($2) |
278 | fs_mounton_nfs($2) | |
296273a7 CP |
279 | fs_manage_nfs_dirs($2) |
280 | fs_manage_nfs_files($2) | |
281 | fs_manage_nfs_symlinks($2) | |
282 | fs_manage_nfs_named_sockets($2) | |
283 | fs_manage_nfs_named_pipes($2) | |
bbcd3c97 CP |
284 | ') |
285 | ||
286 | tunable_policy(`use_samba_home_dirs',` | |
3eaa9939 DW |
287 | fs_mount_cifs($2) |
288 | fs_mounton_cifs($2) | |
296273a7 CP |
289 | fs_manage_cifs_dirs($2) |
290 | fs_manage_cifs_files($2) | |
291 | fs_manage_cifs_symlinks($2) | |
292 | fs_manage_cifs_named_sockets($2) | |
293 | fs_manage_cifs_named_pipes($2) | |
bbcd3c97 CP |
294 | ') |
295 | ') | |
296 | ||
297 | ####################################### | |
298 | ## <summary> | |
296273a7 | 299 | ## Manage user temporary files |
bbcd3c97 | 300 | ## </summary> |
296273a7 | 301 | ## <param name="role"> |
bbcd3c97 | 302 | ## <summary> |
296273a7 | 303 | ## Role allowed access. |
bbcd3c97 CP |
304 | ## </summary> |
305 | ## </param> | |
296273a7 | 306 | ## <param name="domain"> |
bbcd3c97 | 307 | ## <summary> |
296273a7 | 308 | ## Domain allowed access. |
bbcd3c97 CP |
309 | ## </summary> |
310 | ## </param> | |
311 | ## <rolebase/> | |
312 | # | |
296273a7 | 313 | interface(`userdom_manage_tmp_role',` |
d6d16b97 | 314 | gen_require(` |
296273a7 | 315 | type user_tmp_t; |
d6d16b97 CP |
316 | ') |
317 | ||
3eaa9939 DW |
318 | role $1 types user_tmp_t; |
319 | ||
296273a7 | 320 | files_poly_member_tmp($2, user_tmp_t) |
bbcd3c97 | 321 | |
296273a7 CP |
322 | manage_dirs_pattern($2, user_tmp_t, user_tmp_t) |
323 | manage_files_pattern($2, user_tmp_t, user_tmp_t) | |
324 | manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) | |
325 | manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) | |
326 | manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) | |
327 | files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) | |
3eaa9939 DW |
328 | relabel_files_pattern($2, user_tmp_t, user_tmp_t) |
329 | ') | |
330 | ||
331 | ####################################### | |
332 | ## <summary> | |
333 | ## Dontaudit search of user bin dirs. | |
334 | ## </summary> | |
335 | ## <param name="domain"> | |
336 | ## <summary> | |
337 | ## Domain allowed access. | |
338 | ## </summary> | |
339 | ## </param> | |
340 | # | |
341 | interface(`userdom_dontaudit_search_user_bin_dirs',` | |
342 | gen_require(` | |
343 | type home_bin_t; | |
344 | ') | |
345 | ||
346 | dontaudit $1 home_bin_t:dir search_dir_perms; | |
347 | ') | |
348 | ||
349 | ####################################### | |
350 | ## <summary> | |
351 | ## Execute user bin files. | |
352 | ## </summary> | |
353 | ## <param name="domain"> | |
354 | ## <summary> | |
355 | ## Domain allowed access. | |
356 | ## </summary> | |
357 | ## </param> | |
358 | # | |
359 | interface(`userdom_exec_user_bin_files',` | |
360 | gen_require(` | |
361 | attribute user_home_type; | |
362 | type home_bin_t, user_home_dir_t; | |
363 | ') | |
364 | ||
365 | exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) | |
366 | files_search_home($1) | |
bbcd3c97 CP |
367 | ') |
368 | ||
369 | ####################################### | |
370 | ## <summary> | |
296273a7 | 371 | ## The execute access user temporary files. |
bbcd3c97 | 372 | ## </summary> |
296273a7 | 373 | ## <param name="domain"> |
bbcd3c97 | 374 | ## <summary> |
296273a7 | 375 | ## Domain allowed access. |
bbcd3c97 CP |
376 | ## </summary> |
377 | ## </param> | |
378 | ## <rolebase/> | |
379 | # | |
296273a7 CP |
380 | interface(`userdom_exec_user_tmp_files',` |
381 | gen_require(` | |
382 | type user_tmp_t; | |
383 | ') | |
384 | ||
385 | exec_files_pattern($1, user_tmp_t, user_tmp_t) | |
3eaa9939 | 386 | dontaudit $1 user_tmp_t:sock_file execute; |
296273a7 | 387 | files_search_tmp($1) |
bbcd3c97 CP |
388 | ') |
389 | ||
390 | ####################################### | |
391 | ## <summary> | |
296273a7 | 392 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
393 | ## that the user has full access. |
394 | ## </summary> | |
395 | ## <desc> | |
396 | ## <p> | |
296273a7 | 397 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
398 | ## that the user has full access. |
399 | ## </p> | |
400 | ## <p> | |
401 | ## This does not allow execute access. | |
402 | ## </p> | |
403 | ## </desc> | |
296273a7 | 404 | ## <param name="role"> |
bbcd3c97 | 405 | ## <summary> |
296273a7 | 406 | ## Role allowed access. |
bbcd3c97 CP |
407 | ## </summary> |
408 | ## </param> | |
296273a7 | 409 | ## <param name="domain"> |
bbcd3c97 | 410 | ## <summary> |
296273a7 | 411 | ## Domain allowed access. |
bbcd3c97 CP |
412 | ## </summary> |
413 | ## </param> | |
296273a7 | 414 | ## <rolecap/> |
bbcd3c97 | 415 | # |
296273a7 | 416 | interface(`userdom_manage_tmpfs_role',` |
bbcd3c97 | 417 | gen_require(` |
296273a7 | 418 | type user_tmpfs_t; |
bbcd3c97 | 419 | ') |
bbcd3c97 | 420 | |
3eaa9939 DW |
421 | role $1 types user_tmpfs_t; |
422 | ||
296273a7 CP |
423 | manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) |
424 | manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
425 | manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
426 | manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
427 | manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) | |
428 | fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) | |
bbcd3c97 CP |
429 | ') |
430 | ||
431 | ####################################### | |
432 | ## <summary> | |
3eaa9939 | 433 | ## The interface allowing the user basic |
bbcd3c97 CP |
434 | ## network permissions |
435 | ## </summary> | |
3eaa9939 | 436 | ## <param name="userdomain"> |
bbcd3c97 | 437 | ## <summary> |
3eaa9939 | 438 | ## The user domain |
bbcd3c97 CP |
439 | ## </summary> |
440 | ## </param> | |
441 | ## <rolebase/> | |
442 | # | |
3eaa9939 DW |
443 | interface(`userdom_basic_networking',` |
444 | ||
445 | allow $1 self:tcp_socket create_stream_socket_perms; | |
446 | allow $1 self:udp_socket create_socket_perms; | |
447 | ||
448 | corenet_all_recvfrom_unlabeled($1) | |
449 | corenet_all_recvfrom_netlabel($1) | |
450 | corenet_tcp_sendrecv_generic_if($1) | |
451 | corenet_udp_sendrecv_generic_if($1) | |
452 | corenet_tcp_sendrecv_generic_node($1) | |
453 | corenet_udp_sendrecv_generic_node($1) | |
454 | corenet_tcp_sendrecv_all_ports($1) | |
455 | corenet_udp_sendrecv_all_ports($1) | |
456 | corenet_tcp_connect_all_ports($1) | |
457 | corenet_sendrecv_all_client_packets($1) | |
dc1920b2 CP |
458 | |
459 | optional_policy(` | |
3eaa9939 DW |
460 | init_tcp_recvfrom_all_daemons($1) |
461 | init_udp_recvfrom_all_daemons($1) | |
dc1920b2 CP |
462 | ') |
463 | ||
0b6acad1 | 464 | optional_policy(` |
3eaa9939 | 465 | ipsec_match_default_spd($1) |
0b6acad1 | 466 | ') |
3eaa9939 | 467 | |
bbcd3c97 CP |
468 | ') |
469 | ||
470 | ####################################### | |
471 | ## <summary> | |
93c49bdb | 472 | ## The template for creating a user xwindows client. (Deprecated) |
bbcd3c97 CP |
473 | ## </summary> |
474 | ## <param name="userdomain_prefix"> | |
475 | ## <summary> | |
476 | ## The prefix of the user domain (e.g., user | |
477 | ## is the prefix for user_t). | |
478 | ## </summary> | |
479 | ## </param> | |
480 | ## <rolebase/> | |
481 | # | |
482 | template(`userdom_xwindows_client_template',` | |
93c49bdb | 483 | refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') |
bbcd3c97 | 484 | gen_require(` |
296273a7 | 485 | type $1_t, user_tmpfs_t; |
bbcd3c97 CP |
486 | ') |
487 | ||
847937da CP |
488 | dev_rw_xserver_misc($1_t) |
489 | dev_rw_power_management($1_t) | |
490 | dev_read_input($1_t) | |
491 | dev_read_misc($1_t) | |
492 | dev_write_misc($1_t) | |
493 | # open office is looking for the following | |
494 | dev_getattr_agp_dev($1_t) | |
495 | dev_dontaudit_rw_dri($1_t) | |
496 | # GNOME checks for usb and other devices: | |
497 | dev_rw_usbfs($1_t) | |
3eaa9939 | 498 | dev_rw_generic_usb_dev($1_t) |
847937da | 499 | |
4279891d | 500 | xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) |
847937da CP |
501 | xserver_xsession_entry_type($1_t) |
502 | xserver_dontaudit_write_log($1_t) | |
503 | xserver_stream_connect_xdm($1_t) | |
504 | # certain apps want to read xdm.pid file | |
505 | xserver_read_xdm_pid($1_t) | |
506 | # gnome-session creates socket under /tmp/.ICE-unix/ | |
507 | xserver_create_xdm_tmp_sockets($1_t) | |
508 | # Needed for escd, remove if we get escd policy | |
509 | xserver_manage_xdm_tmp_files($1_t) | |
bbcd3c97 CP |
510 | ') |
511 | ||
512 | ####################################### | |
513 | ## <summary> | |
514 | ## The template for allowing the user to change passwords. | |
515 | ## </summary> | |
516 | ## <param name="userdomain_prefix"> | |
517 | ## <summary> | |
518 | ## The prefix of the user domain (e.g., user | |
519 | ## is the prefix for user_t). | |
520 | ## </summary> | |
521 | ## </param> | |
522 | ## <rolebase/> | |
523 | # | |
524 | template(`userdom_change_password_template',` | |
525 | gen_require(` | |
296273a7 | 526 | type $1_t; |
bbcd3c97 CP |
527 | role $1_r; |
528 | ') | |
529 | ||
530 | optional_policy(` | |
296273a7 CP |
531 | usermanage_run_chfn($1_t,$1_r) |
532 | usermanage_run_passwd($1_t,$1_r) | |
bbcd3c97 | 533 | ') |
bbcd3c97 CP |
534 | ') |
535 | ||
536 | ####################################### | |
537 | ## <summary> | |
538 | ## The template containing rules common to unprivileged | |
539 | ## users and administrative users. | |
540 | ## </summary> | |
541 | ## <desc> | |
542 | ## <p> | |
543 | ## This template creates a user domain, types, and | |
544 | ## rules for the user's tty, pty, tmp, and tmpfs files. | |
545 | ## </p> | |
546 | ## </desc> | |
547 | ## <param name="userdomain_prefix"> | |
548 | ## <summary> | |
549 | ## The prefix of the user domain (e.g., user | |
550 | ## is the prefix for user_t). | |
551 | ## </summary> | |
552 | ## </param> | |
553 | # | |
554 | template(`userdom_common_user_template',` | |
563e58e8 CP |
555 | gen_require(` |
556 | attribute unpriv_userdomain; | |
557 | ') | |
bbcd3c97 | 558 | |
3eaa9939 | 559 | userdom_basic_networking($1_usertype) |
bbcd3c97 | 560 | |
bbcd3c97 CP |
561 | ############################## |
562 | # | |
563 | # User domain Local policy | |
564 | # | |
565 | ||
bbcd3c97 CP |
566 | # evolution and gnome-session try to create a netlink socket |
567 | dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; | |
568 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
3eaa9939 DW |
569 | allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; |
570 | allow $1_t self:socket create_socket_perms; | |
bbcd3c97 | 571 | |
3eaa9939 | 572 | allow $1_usertype unpriv_userdomain:fd use; |
bbcd3c97 | 573 | |
3eaa9939 DW |
574 | kernel_read_system_state($1_usertype) |
575 | kernel_read_network_state($1_usertype) | |
576 | kernel_read_net_sysctls($1_usertype) | |
bbcd3c97 | 577 | # Very permissive allowing every domain to see every type: |
3eaa9939 | 578 | kernel_get_sysvipc_info($1_usertype) |
bbcd3c97 | 579 | # Find CDROM devices: |
3eaa9939 DW |
580 | kernel_read_device_sysctls($1_usertype) |
581 | kernel_request_load_module($1_usertype) | |
296273a7 | 582 | |
3eaa9939 DW |
583 | corenet_udp_bind_generic_node($1_usertype) |
584 | corenet_udp_bind_generic_port($1_usertype) | |
bbcd3c97 | 585 | |
3eaa9939 DW |
586 | dev_read_rand($1_usertype) |
587 | dev_write_sound($1_usertype) | |
588 | dev_read_sound($1_usertype) | |
589 | dev_read_sound_mixer($1_usertype) | |
590 | dev_write_sound_mixer($1_usertype) | |
bbcd3c97 | 591 | |
3eaa9939 DW |
592 | files_exec_etc_files($1_usertype) |
593 | files_search_locks($1_usertype) | |
bbcd3c97 | 594 | # Check to see if cdrom is mounted |
3eaa9939 | 595 | files_search_mnt($1_usertype) |
bbcd3c97 | 596 | # cjp: perhaps should cut back on file reads: |
3eaa9939 DW |
597 | files_read_var_files($1_usertype) |
598 | files_read_var_symlinks($1_usertype) | |
599 | files_read_generic_spool($1_usertype) | |
600 | files_read_var_lib_files($1_usertype) | |
bbcd3c97 | 601 | # Stat lost+found. |
3eaa9939 DW |
602 | files_getattr_lost_found_dirs($1_usertype) |
603 | files_read_config_files($1_usertype) | |
604 | fs_read_noxattr_fs_files($1_usertype) | |
605 | fs_read_noxattr_fs_symlinks($1_usertype) | |
606 | fs_rw_cgroup_files($1_usertype) | |
bbcd3c97 | 607 | |
3eaa9939 DW |
608 | logging_send_syslog_msg($1_usertype) |
609 | logging_send_audit_msgs($1_usertype) | |
610 | selinux_get_enforce_mode($1_usertype) | |
e2b9add5 | 611 | |
bbcd3c97 | 612 | # cjp: some of this probably can be removed |
3eaa9939 DW |
613 | selinux_get_fs_mount($1_usertype) |
614 | selinux_validate_context($1_usertype) | |
615 | selinux_compute_access_vector($1_usertype) | |
616 | selinux_compute_create_context($1_usertype) | |
617 | selinux_compute_relabel_context($1_usertype) | |
618 | selinux_compute_user_contexts($1_usertype) | |
bbcd3c97 CP |
619 | |
620 | # for eject | |
3eaa9939 | 621 | storage_getattr_fixed_disk_dev($1_usertype) |
bbcd3c97 | 622 | |
3eaa9939 | 623 | auth_read_login_records($1_usertype) |
296273a7 CP |
624 | auth_run_pam($1_t,$1_r) |
625 | auth_run_utempter($1_t,$1_r) | |
bbcd3c97 | 626 | |
3eaa9939 | 627 | init_read_utmp($1_usertype) |
0c73cd25 | 628 | |
3eaa9939 DW |
629 | seutil_read_file_contexts($1_usertype) |
630 | seutil_read_default_contexts($1_usertype) | |
296273a7 | 631 | seutil_run_newrole($1_t,$1_r) |
6b19be33 | 632 | seutil_exec_checkpolicy($1_t) |
3eaa9939 | 633 | seutil_exec_setfiles($1_usertype) |
bbcd3c97 CP |
634 | # for when the network connection is killed |
635 | # this is needed when a login role can change | |
636 | # to this one. | |
637 | seutil_dontaudit_signal_newrole($1_t) | |
a1fcff33 | 638 | |
34c8fabe | 639 | tunable_policy(`user_direct_mouse',` |
3eaa9939 | 640 | dev_read_mouse($1_usertype) |
34c8fabe | 641 | ') |
0c73cd25 | 642 | |
34c8fabe | 643 | tunable_policy(`user_ttyfile_stat',` |
c3c753f7 | 644 | term_getattr_all_ttys($1_t) |
34c8fabe | 645 | ') |
0c73cd25 | 646 | |
6b19be33 | 647 | optional_policy(` |
3eaa9939 | 648 | alsa_read_rw_config($1_usertype) |
413aac13 | 649 | alsa_manage_home_files($1_t) |
413aac13 | 650 | alsa_relabel_home_files($1_t) |
6b19be33 CP |
651 | ') |
652 | ||
bb7170f6 | 653 | optional_policy(` |
ac9aa26d | 654 | # Allow graphical boot to check battery lifespan |
3eaa9939 | 655 | apm_stream_connect($1_usertype) |
ac9aa26d CP |
656 | ') |
657 | ||
bb7170f6 | 658 | optional_policy(` |
3eaa9939 | 659 | canna_stream_connect($1_usertype) |
3509484c CP |
660 | ') |
661 | ||
bb7170f6 | 662 | optional_policy(` |
3eaa9939 DW |
663 | chrome_role($1_r, $1_usertype) |
664 | ') | |
665 | ||
666 | optional_policy(` | |
667 | dbus_system_bus_client($1_usertype) | |
668 | ||
669 | allow $1_usertype $1_usertype:dbus send_msg; | |
670 | ||
671 | optional_policy(` | |
672 | avahi_dbus_chat($1_usertype) | |
673 | ') | |
674 | ||
675 | optional_policy(` | |
676 | policykit_dbus_chat($1_usertype) | |
677 | ') | |
678 | ||
679 | optional_policy(` | |
680 | bluetooth_dbus_chat($1_usertype) | |
681 | ') | |
682 | ||
683 | optional_policy(` | |
684 | consolekit_dbus_chat($1_usertype) | |
685 | consolekit_read_log($1_usertype) | |
686 | ') | |
687 | ||
688 | optional_policy(` | |
689 | devicekit_dbus_chat($1_usertype) | |
690 | devicekit_dbus_chat_power($1_usertype) | |
691 | devicekit_dbus_chat_disk($1_usertype) | |
692 | ') | |
693 | ||
694 | optional_policy(` | |
695 | evolution_dbus_chat($1_usertype) | |
696 | evolution_alarm_dbus_chat($1_usertype) | |
697 | ') | |
d828b5ca | 698 | |
bbcd3c97 | 699 | optional_policy(` |
3eaa9939 | 700 | gnome_dbus_chat_gconfdefault($1_usertype) |
bbcd3c97 CP |
701 | ') |
702 | ||
6b19be33 | 703 | optional_policy(` |
3eaa9939 | 704 | hal_dbus_chat($1_usertype) |
6b19be33 CP |
705 | ') |
706 | ||
bb7170f6 | 707 | optional_policy(` |
3eaa9939 | 708 | modemmanager_dbus_chat($1_usertype) |
9fd4b818 CP |
709 | ') |
710 | ||
bb7170f6 | 711 | optional_policy(` |
3eaa9939 DW |
712 | networkmanager_dbus_chat($1_usertype) |
713 | networkmanager_read_lib_files($1_usertype) | |
ac9aa26d CP |
714 | ') |
715 | ||
bb7170f6 | 716 | optional_policy(` |
3eaa9939 | 717 | vpn_dbus_chat($1_usertype) |
d828b5ca | 718 | ') |
0c3d1705 CP |
719 | ') |
720 | ||
bb7170f6 | 721 | optional_policy(` |
3eaa9939 DW |
722 | git_session_role($1_r, $1_usertype) |
723 | ') | |
724 | ||
725 | optional_policy(` | |
726 | inetd_use_fds($1_usertype) | |
727 | inetd_rw_tcp_sockets($1_usertype) | |
b24f35d8 CP |
728 | ') |
729 | ||
bb7170f6 | 730 | optional_policy(` |
3eaa9939 DW |
731 | inn_read_config($1_usertype) |
732 | inn_read_news_lib($1_usertype) | |
733 | inn_read_news_spool($1_usertype) | |
9b06402e CP |
734 | ') |
735 | ||
6b19be33 | 736 | optional_policy(` |
3eaa9939 | 737 | locate_read_lib_files($1_usertype) |
6b19be33 CP |
738 | ') |
739 | ||
bbcd3c97 CP |
740 | # for running depmod as part of the kernel packaging process |
741 | optional_policy(` | |
3eaa9939 DW |
742 | modutils_read_module_config($1_usertype) |
743 | ') | |
744 | ||
745 | optional_policy(` | |
746 | mta_rw_spool($1_usertype) | |
747 | mta_manage_queue($1_usertype) | |
bbcd3c97 CP |
748 | ') |
749 | ||
cc0c00d0 | 750 | optional_policy(` |
3eaa9939 | 751 | nsplugin_role($1_r, $1_usertype) |
cc0c00d0 CP |
752 | ') |
753 | ||
bb7170f6 | 754 | optional_policy(` |
bbcd3c97 CP |
755 | tunable_policy(`allow_user_mysql_connect',` |
756 | mysql_stream_connect($1_t) | |
42be7c21 CP |
757 | ') |
758 | ') | |
759 | ||
329138be DG |
760 | optional_policy(` |
761 | oident_manage_user_content($1_t) | |
762 | oident_relabel_user_content($1_t) | |
763 | ') | |
764 | ||
bb7170f6 | 765 | optional_policy(` |
2ec4c9d3 | 766 | # to allow monitoring of pcmcia status |
3eaa9939 | 767 | pcmcia_read_pid($1_usertype) |
2ec4c9d3 CP |
768 | ') |
769 | ||
6b19be33 | 770 | optional_policy(` |
3eaa9939 DW |
771 | pcscd_read_pub_files($1_usertype) |
772 | pcscd_stream_connect($1_usertype) | |
6b19be33 CP |
773 | ') |
774 | ||
cb10a2d5 CP |
775 | optional_policy(` |
776 | tunable_policy(`allow_user_postgresql_connect',` | |
3eaa9939 DW |
777 | postgresql_stream_connect($1_usertype) |
778 | postgresql_tcp_connect($1_usertype) | |
cb10a2d5 CP |
779 | ') |
780 | ') | |
781 | ||
b057be8d | 782 | optional_policy(` |
3eaa9939 | 783 | resmgr_stream_connect($1_usertype) |
b057be8d CP |
784 | ') |
785 | ||
bb7170f6 | 786 | optional_policy(` |
3eaa9939 DW |
787 | rpc_dontaudit_getattr_exports($1_usertype) |
788 | rpc_manage_nfs_rw_content($1_usertype) | |
f00434fa CP |
789 | ') |
790 | ||
bb7170f6 | 791 | optional_policy(` |
3eaa9939 | 792 | rpcbind_stream_connect($1_usertype) |
ac9aa26d CP |
793 | ') |
794 | ||
bb7170f6 | 795 | optional_policy(` |
3eaa9939 | 796 | samba_stream_connect_winbind($1_usertype) |
1d427acc CP |
797 | ') |
798 | ||
bb7170f6 | 799 | optional_policy(` |
3eaa9939 | 800 | sandbox_transition($1_usertype, $1_r) |
8cc49473 | 801 | ') |
3eaa9939 DW |
802 | |
803 | optional_policy(` | |
804 | seunshare_role_template($1, $1_r, $1_t) | |
805 | ') | |
806 | ||
807 | optional_policy(` | |
808 | slrnpull_search_spool($1_usertype) | |
809 | ') | |
810 | ||
2ec4c9d3 | 811 | ') |
b16c6b8c | 812 | |
8fd36732 CP |
813 | ####################################### |
814 | ## <summary> | |
847937da | 815 | ## The template for creating a login user. |
8fd36732 CP |
816 | ## </summary> |
817 | ## <desc> | |
818 | ## <p> | |
819 | ## This template creates a user domain, types, and | |
820 | ## rules for the user's tty, pty, home directories, | |
821 | ## tmp, and tmpfs files. | |
822 | ## </p> | |
823 | ## </desc> | |
824 | ## <param name="userdomain_prefix"> | |
885b83ec | 825 | ## <summary> |
8fd36732 CP |
826 | ## The prefix of the user domain (e.g., user |
827 | ## is the prefix for user_t). | |
885b83ec | 828 | ## </summary> |
8fd36732 | 829 | ## </param> |
b16c6b8c | 830 | # |
847937da | 831 | template(`userdom_login_user_template', ` |
b1a90365 CP |
832 | gen_require(` |
833 | class context contains; | |
834 | ') | |
835 | ||
847937da | 836 | userdom_base_user_template($1) |
563e58e8 | 837 | |
3eaa9939 DW |
838 | userdom_manage_home_role($1_r, $1_usertype) |
839 | ||
840 | userdom_manage_tmp_role($1_r, $1_usertype) | |
841 | userdom_manage_tmpfs_role($1_r, $1_usertype) | |
847937da | 842 | |
3eaa9939 DW |
843 | ifelse(`$1',`unconfined',`',` |
844 | gen_tunable(allow_$1_exec_content, true) | |
847937da | 845 | |
3eaa9939 DW |
846 | tunable_policy(`allow_$1_exec_content',` |
847 | userdom_exec_user_tmp_files($1_usertype) | |
848 | userdom_exec_user_home_content_files($1_usertype) | |
849 | ') | |
850 | tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` | |
851 | fs_exec_nfs_files($1_usertype) | |
852 | ') | |
853 | ||
854 | tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` | |
855 | fs_exec_cifs_files($1_usertype) | |
856 | ') | |
857 | ') | |
847937da CP |
858 | |
859 | userdom_change_password_template($1) | |
563e58e8 | 860 | |
0c73cd25 CP |
861 | ############################## |
862 | # | |
847937da | 863 | # User domain Local policy |
0c73cd25 | 864 | # |
b16c6b8c | 865 | |
847937da CP |
866 | allow $1_t self:capability { setgid chown fowner }; |
867 | dontaudit $1_t self:capability { sys_nice fsetid }; | |
868 | ||
869 | allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; | |
870 | dontaudit $1_t self:process setrlimit; | |
871 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
872 | ||
873 | allow $1_t self:context contains; | |
874 | ||
3eaa9939 DW |
875 | kernel_dontaudit_read_system_state($1_usertype) |
876 | kernel_dontaudit_list_all_proc($1_usertype) | |
847937da | 877 | |
3eaa9939 DW |
878 | dev_read_sysfs($1_usertype) |
879 | dev_read_urand($1_usertype) | |
847937da | 880 | |
3eaa9939 | 881 | domain_use_interactive_fds($1_usertype) |
847937da | 882 | # Command completion can fire hundreds of denials |
3eaa9939 | 883 | domain_dontaudit_exec_all_entry_files($1_usertype) |
847937da | 884 | |
3eaa9939 DW |
885 | files_dontaudit_list_default($1_usertype) |
886 | files_dontaudit_read_default_files($1_usertype) | |
847937da | 887 | # Stat lost+found. |
3eaa9939 | 888 | files_getattr_lost_found_dirs($1_usertype) |
847937da | 889 | |
3eaa9939 DW |
890 | fs_get_all_fs_quotas($1_usertype) |
891 | fs_getattr_all_fs($1_usertype) | |
892 | fs_search_all($1_usertype) | |
893 | fs_list_inotifyfs($1_usertype) | |
894 | fs_rw_anon_inodefs_files($1_usertype) | |
847937da CP |
895 | |
896 | auth_dontaudit_write_login_records($1_t) | |
3eaa9939 | 897 | auth_rw_cache($1_t) |
847937da | 898 | |
847937da | 899 | # Stop warnings about access to /dev/console |
3eaa9939 DW |
900 | init_dontaudit_use_fds($1_usertype) |
901 | init_dontaudit_use_script_fds($1_usertype) | |
847937da | 902 | |
3eaa9939 | 903 | libs_exec_lib_files($1_usertype) |
847937da | 904 | |
3eaa9939 | 905 | logging_dontaudit_getattr_all_logs($1_usertype) |
847937da | 906 | |
847937da | 907 | # for running TeX programs |
3eaa9939 DW |
908 | miscfiles_read_tetex_data($1_usertype) |
909 | miscfiles_exec_tetex_data($1_usertype) | |
910 | ||
911 | seutil_read_config($1_usertype) | |
847937da | 912 | |
3eaa9939 DW |
913 | optional_policy(` |
914 | cups_read_config($1_usertype) | |
915 | cups_stream_connect($1_usertype) | |
916 | cups_stream_connect_ptal($1_usertype) | |
917 | ') | |
847937da CP |
918 | |
919 | optional_policy(` | |
3eaa9939 DW |
920 | kerberos_use($1_usertype) |
921 | kerberos_connect_524($1_usertype) | |
847937da CP |
922 | ') |
923 | ||
924 | optional_policy(` | |
3eaa9939 | 925 | mta_dontaudit_read_spool_symlinks($1_usertype) |
847937da CP |
926 | ') |
927 | ||
928 | optional_policy(` | |
3eaa9939 | 929 | quota_dontaudit_getattr_db($1_usertype) |
847937da CP |
930 | ') |
931 | ||
932 | optional_policy(` | |
3eaa9939 DW |
933 | rpm_read_db($1_usertype) |
934 | rpm_dontaudit_manage_db($1_usertype) | |
935 | rpm_read_cache($1_usertype) | |
847937da CP |
936 | ') |
937 | ||
938 | optional_policy(` | |
3eaa9939 | 939 | oddjob_run_mkhomedir($1_t, $1_r) |
847937da CP |
940 | ') |
941 | ') | |
942 | ||
943 | ####################################### | |
944 | ## <summary> | |
945 | ## The template for creating a unprivileged login user. | |
946 | ## </summary> | |
947 | ## <desc> | |
948 | ## <p> | |
949 | ## This template creates a user domain, types, and | |
950 | ## rules for the user's tty, pty, home directories, | |
951 | ## tmp, and tmpfs files. | |
952 | ## </p> | |
953 | ## </desc> | |
954 | ## <param name="userdomain_prefix"> | |
955 | ## <summary> | |
956 | ## The prefix of the user domain (e.g., user | |
957 | ## is the prefix for user_t). | |
958 | ## </summary> | |
959 | ## </param> | |
960 | # | |
961 | template(`userdom_restricted_user_template',` | |
962 | gen_require(` | |
963 | attribute unpriv_userdomain; | |
847937da CP |
964 | ') |
965 | ||
966 | userdom_login_user_template($1) | |
b16c6b8c | 967 | |
0f707d52 | 968 | typeattribute $1_t unpriv_userdomain; |
15722ec9 | 969 | domain_interactive_fd($1_t) |
b16c6b8c | 970 | |
3eaa9939 DW |
971 | allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; |
972 | dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; | |
973 | ||
0c73cd25 CP |
974 | ############################## |
975 | # | |
976 | # Local policy | |
977 | # | |
978 | ||
847937da | 979 | optional_policy(` |
296273a7 | 980 | loadkeys_run($1_t,$1_r) |
847937da CP |
981 | ') |
982 | ') | |
983 | ||
984 | ####################################### | |
985 | ## <summary> | |
986 | ## The template for creating a unprivileged xwindows login user. | |
987 | ## </summary> | |
988 | ## <desc> | |
989 | ## <p> | |
990 | ## The template for creating a unprivileged xwindows login user. | |
991 | ## </p> | |
992 | ## <p> | |
993 | ## This template creates a user domain, types, and | |
994 | ## rules for the user's tty, pty, home directories, | |
995 | ## tmp, and tmpfs files. | |
996 | ## </p> | |
997 | ## </desc> | |
998 | ## <param name="userdomain_prefix"> | |
999 | ## <summary> | |
1000 | ## The prefix of the user domain (e.g., user | |
1001 | ## is the prefix for user_t). | |
1002 | ## </summary> | |
1003 | ## </param> | |
1004 | # | |
1005 | template(`userdom_restricted_xwindows_user_template',` | |
1006 | ||
1007 | userdom_restricted_user_template($1) | |
1008 | ||
847937da CP |
1009 | ############################## |
1010 | # | |
1011 | # Local policy | |
1012 | # | |
1013 | ||
296273a7 | 1014 | auth_role($1_r, $1_t) |
3eaa9939 | 1015 | auth_search_pam_console_data($1_usertype) |
b45aaab9 | 1016 | auth_dontaudit_read_login_records($1_usertype) |
847937da | 1017 | |
3eaa9939 DW |
1018 | dev_read_sound($1_usertype) |
1019 | dev_write_sound($1_usertype) | |
847937da | 1020 | # gnome keyring wants to read this. |
3eaa9939 DW |
1021 | dev_dontaudit_read_rand($1_usertype) |
1022 | # temporarily allow since openoffice requires this | |
1023 | dev_read_rand($1_usertype) | |
847937da | 1024 | |
3eaa9939 DW |
1025 | dev_read_video_dev($1_usertype) |
1026 | dev_write_video_dev($1_usertype) | |
1027 | dev_rw_wireless($1_usertype) | |
1028 | ||
1029 | tunable_policy(`user_rw_noexattrfile',` | |
1030 | dev_rw_usbfs($1_t) | |
1031 | dev_rw_generic_usb_dev($1_usertype) | |
1032 | ||
1033 | fs_manage_noxattr_fs_files($1_usertype) | |
1034 | fs_manage_noxattr_fs_dirs($1_usertype) | |
1035 | fs_manage_dos_dirs($1_usertype) | |
1036 | fs_manage_dos_files($1_usertype) | |
1037 | storage_raw_read_removable_device($1_usertype) | |
1038 | storage_raw_write_removable_device($1_usertype) | |
1039 | ') | |
1040 | ||
1041 | logging_send_syslog_msg($1_usertype) | |
847937da CP |
1042 | logging_dontaudit_send_audit_msgs($1_t) |
1043 | ||
1044 | # Need to to this just so screensaver will work. Should be moved to screensaver domain | |
1045 | logging_send_audit_msgs($1_t) | |
1046 | selinux_get_enforce_mode($1_t) | |
3eaa9939 DW |
1047 | seutil_exec_restorecond($1_t) |
1048 | seutil_read_file_contexts($1_t) | |
1049 | seutil_read_default_contexts($1_t) | |
847937da | 1050 | |
93c49bdb CP |
1051 | xserver_restricted_role($1_r, $1_t) |
1052 | ||
847937da | 1053 | optional_policy(` |
3eaa9939 | 1054 | alsa_read_rw_config($1_usertype) |
847937da CP |
1055 | ') |
1056 | ||
1057 | optional_policy(` | |
3eaa9939 DW |
1058 | dbus_role_template($1, $1_r, $1_usertype) |
1059 | dbus_system_bus_client($1_usertype) | |
1060 | allow $1_usertype $1_usertype:dbus send_msg; | |
1061 | ||
1062 | optional_policy(` | |
1063 | abrt_dbus_chat($1_usertype) | |
1064 | abrt_run_helper($1_usertype, $1_r) | |
1065 | ') | |
1066 | ||
1067 | optional_policy(` | |
b45aaab9 | 1068 | consolekit_dontaudit_read_log($1_usertype) |
3eaa9939 DW |
1069 | consolekit_dbus_chat($1_usertype) |
1070 | ') | |
1071 | ||
1072 | optional_policy(` | |
1073 | cups_dbus_chat($1_usertype) | |
1074 | cups_dbus_chat_config($1_usertype) | |
1075 | ') | |
847937da CP |
1076 | |
1077 | optional_policy(` | |
3eaa9939 DW |
1078 | devicekit_dbus_chat($1_usertype) |
1079 | devicekit_dbus_chat_disk($1_usertype) | |
1080 | devicekit_dbus_chat_power($1_usertype) | |
847937da CP |
1081 | ') |
1082 | ||
1083 | optional_policy(` | |
3eaa9939 | 1084 | fprintd_dbus_chat($1_t) |
847937da CP |
1085 | ') |
1086 | ') | |
1087 | ||
1088 | optional_policy(` | |
3eaa9939 DW |
1089 | openoffice_role_template($1, $1_r, $1_usertype) |
1090 | ') | |
1091 | ||
1092 | optional_policy(` | |
1093 | policykit_role($1_r, $1_usertype) | |
1094 | ') | |
1095 | ||
1096 | optional_policy(` | |
1097 | pulseaudio_role($1_r, $1_usertype) | |
1098 | ') | |
1099 | ||
1100 | optional_policy(` | |
1101 | rtkit_scheduled($1_usertype) | |
847937da CP |
1102 | ') |
1103 | ||
847937da CP |
1104 | optional_policy(` |
1105 | setroubleshoot_dontaudit_stream_connect($1_t) | |
3eaa9939 DW |
1106 | ') |
1107 | ||
1108 | optional_policy(` | |
1109 | udev_read_db($1_usertype) | |
1110 | ') | |
1111 | ||
1112 | optional_policy(` | |
1113 | wm_role_template($1, $1_r, $1_t) | |
847937da CP |
1114 | ') |
1115 | ') | |
1116 | ||
1117 | ####################################### | |
1118 | ## <summary> | |
1119 | ## The template for creating a unprivileged user roughly | |
1120 | ## equivalent to a regular linux user. | |
1121 | ## </summary> | |
1122 | ## <desc> | |
1123 | ## <p> | |
1124 | ## The template for creating a unprivileged user roughly | |
1125 | ## equivalent to a regular linux user. | |
1126 | ## </p> | |
1127 | ## <p> | |
1128 | ## This template creates a user domain, types, and | |
1129 | ## rules for the user's tty, pty, home directories, | |
1130 | ## tmp, and tmpfs files. | |
1131 | ## </p> | |
1132 | ## </desc> | |
1133 | ## <param name="userdomain_prefix"> | |
1134 | ## <summary> | |
1135 | ## The prefix of the user domain (e.g., user | |
1136 | ## is the prefix for user_t). | |
1137 | ## </summary> | |
1138 | ## </param> | |
1139 | # | |
1140 | template(`userdom_unpriv_user_template', ` | |
1141 | ||
1142 | ############################## | |
1143 | # | |
1144 | # Declarations | |
1145 | # | |
1146 | ||
1147 | # Inherit rules for ordinary users. | |
3eaa9939 | 1148 | userdom_restricted_xwindows_user_template($1) |
847937da CP |
1149 | userdom_common_user_template($1) |
1150 | ||
1151 | ############################## | |
1152 | # | |
1153 | # Local policy | |
1154 | # | |
0c73cd25 CP |
1155 | |
1156 | # port access is audited even if dac would not have allowed it, so dontaudit it here | |
3eaa9939 | 1157 | # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) |
bbcd3c97 CP |
1158 | # Need the following rule to allow users to run vpnc |
1159 | corenet_tcp_bind_xserver_port($1_t) | |
3eaa9939 | 1160 | corenet_tcp_bind_all_nodes($1_usertype) |
0c73cd25 | 1161 | |
3eaa9939 | 1162 | storage_rw_fuse($1_t) |
a1fcff33 | 1163 | |
3eaa9939 | 1164 | miscfiles_read_hwdata($1_usertype) |
0c73cd25 CP |
1165 | |
1166 | # Allow users to run TCP servers (bind to ports and accept connection from | |
6073ea1e | 1167 | # the same domain and outside users) disabling this forces FTP passive mode |
0c73cd25 | 1168 | # and may change other protocols |
34c8fabe | 1169 | tunable_policy(`user_tcp_server',` |
3eaa9939 DW |
1170 | corenet_tcp_bind_all_unreserved_ports($1_usertype) |
1171 | ') | |
1172 | ||
1173 | tunable_policy(`user_setrlimit',` | |
1174 | allow $1_usertype self:process setrlimit; | |
34c8fabe | 1175 | ') |
0c73cd25 | 1176 | |
bb7170f6 | 1177 | optional_policy(` |
3eaa9939 DW |
1178 | cdrecord_role($1_r, $1_t) |
1179 | ') | |
1180 | ||
1181 | optional_policy(` | |
1182 | cron_role($1_r, $1_t) | |
1183 | ') | |
1184 | ||
1185 | optional_policy(` | |
1186 | games_rw_data($1_usertype) | |
1187 | ') | |
1188 | ||
1189 | optional_policy(` | |
1190 | gpg_role($1_r, $1_usertype) | |
1191 | ') | |
1192 | ||
1193 | optional_policy(` | |
1194 | gnomeclock_dbus_chat($1_t) | |
1195 | ') | |
1196 | ||
1197 | optional_policy(` | |
1198 | gpm_stream_connect($1_usertype) | |
1199 | ') | |
1200 | ||
1201 | optional_policy(` | |
1202 | execmem_role_template($1, $1_r, $1_t) | |
1203 | ') | |
1204 | ||
1205 | optional_policy(` | |
1206 | java_role_template($1, $1_r, $1_t) | |
1207 | ') | |
1208 | ||
1209 | optional_policy(` | |
1210 | mono_role_template($1, $1_r, $1_t) | |
1211 | ') | |
1212 | ||
1213 | optional_policy(` | |
1214 | mount_run_fusermount($1_t, $1_r) | |
1215 | ') | |
1216 | ||
1217 | optional_policy(` | |
1218 | wine_role_template($1, $1_r, $1_t) | |
1f91e1bf CP |
1219 | ') |
1220 | ||
bb7170f6 | 1221 | optional_policy(` |
3eaa9939 | 1222 | postfix_run_postdrop($1_t, $1_r) |
e08118a5 CP |
1223 | ') |
1224 | ||
3eaa9939 | 1225 | # Run pppd in pppd_t by default for user |
6b19be33 | 1226 | optional_policy(` |
3eaa9939 | 1227 | ppp_run_cond($1_t, $1_r) |
6b19be33 | 1228 | ') |
b16c6b8c | 1229 | ') |
4d8ddf9a | 1230 | |
8fd36732 CP |
1231 | ####################################### |
1232 | ## <summary> | |
1233 | ## The template for creating an administrative user. | |
1234 | ## </summary> | |
1235 | ## <desc> | |
1236 | ## <p> | |
1237 | ## This template creates a user domain, types, and | |
1238 | ## rules for the user's tty, pty, home directories, | |
1239 | ## tmp, and tmpfs files. | |
1240 | ## </p> | |
2ec4c9d3 | 1241 | ## <p> |
8fd36732 CP |
1242 | ## The privileges given to administrative users are: |
1243 | ## <ul> | |
1244 | ## <li>Raw disk access</li> | |
1245 | ## <li>Set all sysctls</li> | |
1246 | ## <li>All kernel ring buffer controls</li> | |
8fd36732 CP |
1247 | ## <li>Create, read, write, and delete all files but shadow</li> |
1248 | ## <li>Manage source and binary format SELinux policy</li> | |
1249 | ## <li>Run insmod</li> | |
1250 | ## </ul> | |
2ec4c9d3 CP |
1251 | ## </p> |
1252 | ## </desc> | |
8fd36732 | 1253 | ## <param name="userdomain_prefix"> |
885b83ec | 1254 | ## <summary> |
8fd36732 CP |
1255 | ## The prefix of the user domain (e.g., sysadm |
1256 | ## is the prefix for sysadm_t). | |
885b83ec | 1257 | ## </summary> |
8fd36732 | 1258 | ## </param> |
4d8ddf9a | 1259 | # |
bbcd3c97 | 1260 | template(`userdom_admin_user_template',` |
142e9f40 | 1261 | gen_require(` |
0be901ba | 1262 | attribute admindomain; |
3eaa9939 | 1263 | class passwd { passwd chfn chsh rootok crontab }; |
142e9f40 CP |
1264 | ') |
1265 | ||
0c73cd25 CP |
1266 | ############################## |
1267 | # | |
1268 | # Declarations | |
1269 | # | |
1270 | ||
1271 | # Inherit rules for ordinary users. | |
847937da | 1272 | userdom_login_user_template($1) |
bbcd3c97 | 1273 | userdom_common_user_template($1) |
0c73cd25 | 1274 | |
1815bad1 | 1275 | domain_obj_id_change_exemption($1_t) |
0c73cd25 CP |
1276 | role system_r types $1_t; |
1277 | ||
0be901ba | 1278 | typeattribute $1_t admindomain; |
bd75703c | 1279 | |
142e9f40 | 1280 | ifdef(`direct_sysadm_daemon',` |
1815bad1 | 1281 | domain_system_change_exemption($1_t) |
142e9f40 | 1282 | ') |
2a98379a | 1283 | |
0c73cd25 CP |
1284 | ############################## |
1285 | # | |
1286 | # $1_t local policy | |
1287 | # | |
1288 | ||
847937da | 1289 | allow $1_t self:capability ~{ sys_module audit_control audit_write }; |
0c73cd25 | 1290 | allow $1_t self:process { setexec setfscreate }; |
bd75703c CP |
1291 | allow $1_t self:netlink_audit_socket nlmsg_readpriv; |
1292 | allow $1_t self:tun_socket create; | |
0c73cd25 CP |
1293 | # Set password information for other users. |
1294 | allow $1_t self:passwd { passwd chfn chsh }; | |
0c73cd25 CP |
1295 | # Skip authentication when pam_rootok is specified. |
1296 | allow $1_t self:passwd rootok; | |
1297 | ||
3eaa9939 DW |
1298 | # Manipulate other users crontab. |
1299 | allow $1_t self:passwd crontab; | |
1300 | ||
0c73cd25 | 1301 | kernel_read_software_raid_state($1_t) |
445522dc | 1302 | kernel_getattr_core_if($1_t) |
0fd9dc55 | 1303 | kernel_getattr_message_if($1_t) |
0c73cd25 CP |
1304 | kernel_change_ring_buffer_level($1_t) |
1305 | kernel_clear_ring_buffer($1_t) | |
1306 | kernel_read_ring_buffer($1_t) | |
1307 | kernel_get_sysvipc_info($1_t) | |
445522dc | 1308 | kernel_rw_all_sysctls($1_t) |
8fd36732 CP |
1309 | # signal unlabeled processes: |
1310 | kernel_kill_unlabeled($1_t) | |
1311 | kernel_signal_unlabeled($1_t) | |
1312 | kernel_sigstop_unlabeled($1_t) | |
1313 | kernel_signull_unlabeled($1_t) | |
1314 | kernel_sigchld_unlabeled($1_t) | |
3eaa9939 | 1315 | kernel_signal($1_t) |
2ec4c9d3 CP |
1316 | |
1317 | corenet_tcp_bind_generic_port($1_t) | |
1318 | # allow setting up tunnels | |
5b6ddb98 | 1319 | corenet_rw_tun_tap_dev($1_t) |
2ec4c9d3 | 1320 | |
207c4763 CP |
1321 | dev_getattr_generic_blk_files($1_t) |
1322 | dev_getattr_generic_chr_files($1_t) | |
bbcd3c97 CP |
1323 | # for lsof |
1324 | dev_getattr_mtrr_dev($1_t) | |
1325 | # Allow MAKEDEV to work | |
1326 | dev_create_all_blk_files($1_t) | |
1327 | dev_create_all_chr_files($1_t) | |
1328 | dev_delete_all_blk_files($1_t) | |
1329 | dev_delete_all_chr_files($1_t) | |
1330 | dev_rename_all_blk_files($1_t) | |
1331 | dev_rename_all_chr_files($1_t) | |
1332 | dev_create_generic_symlinks($1_t) | |
0c73cd25 | 1333 | |
c9428d33 CP |
1334 | domain_setpriority_all_domains($1_t) |
1335 | domain_read_all_domains_state($1_t) | |
ccc59782 CP |
1336 | domain_getattr_all_domains($1_t) |
1337 | domain_dontaudit_ptrace_all_domains($1_t) | |
0c73cd25 CP |
1338 | # signal all domains: |
1339 | domain_kill_all_domains($1_t) | |
1340 | domain_signal_all_domains($1_t) | |
1341 | domain_signull_all_domains($1_t) | |
1342 | domain_sigstop_all_domains($1_t) | |
1343 | domain_sigstop_all_domains($1_t) | |
1344 | domain_sigchld_all_domains($1_t) | |
2ec4c9d3 CP |
1345 | # for lsof |
1346 | domain_getattr_all_sockets($1_t) | |
3eaa9939 | 1347 | domain_dontaudit_getattr_all_sockets($1_t) |
0c73cd25 | 1348 | |
99505c1c | 1349 | files_exec_usr_src_files($1_t) |
0c73cd25 | 1350 | |
bbcd3c97 | 1351 | fs_getattr_all_fs($1_t) |
3eaa9939 DW |
1352 | fs_getattr_all_files($1_t) |
1353 | fs_list_all($1_t) | |
bbcd3c97 CP |
1354 | fs_set_all_quotas($1_t) |
1355 | fs_exec_noxattr($1_t) | |
1356 | ||
1357 | storage_raw_read_removable_device($1_t) | |
1358 | storage_raw_write_removable_device($1_t) | |
1359 | ||
1360 | term_use_all_terms($1_t) | |
1361 | ||
1362 | auth_getattr_shadow($1_t) | |
1363 | # Manage almost all files | |
1364 | auth_manage_all_files_except_shadow($1_t) | |
1365 | # Relabel almost all files | |
1366 | auth_relabel_all_files_except_shadow($1_t) | |
1367 | ||
1368 | init_telinit($1_t) | |
0c73cd25 | 1369 | |
c9428d33 | 1370 | logging_send_syslog_msg($1_t) |
0c73cd25 | 1371 | |
c9428d33 | 1372 | modutils_domtrans_insmod($1_t) |
3eaa9939 | 1373 | modutils_domtrans_depmod($1_t) |
0c73cd25 | 1374 | |
0c73cd25 CP |
1375 | # The following rule is temporary until such time that a complete |
1376 | # policy management infrastructure is in place so that an administrator | |
1377 | # cannot directly manipulate policy files with arbitrary programs. | |
1815bad1 | 1378 | seutil_manage_src_policy($1_t) |
0c73cd25 CP |
1379 | # Violates the goal of limiting write access to checkpolicy. |
1380 | # But presently necessary for installing the file_contexts file. | |
1815bad1 | 1381 | seutil_manage_bin_policy($1_t) |
0c73cd25 | 1382 | |
296273a7 CP |
1383 | userdom_manage_user_home_content_dirs($1_t) |
1384 | userdom_manage_user_home_content_files($1_t) | |
1385 | userdom_manage_user_home_content_symlinks($1_t) | |
1386 | userdom_manage_user_home_content_pipes($1_t) | |
1387 | userdom_manage_user_home_content_sockets($1_t) | |
1388 | userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) | |
1389 | ||
bbcd3c97 CP |
1390 | tunable_policy(`user_rw_noexattrfile',` |
1391 | fs_manage_noxattr_fs_files($1_t) | |
1392 | fs_manage_noxattr_fs_dirs($1_t) | |
1393 | ',` | |
1394 | fs_read_noxattr_fs_files($1_t) | |
1395 | ') | |
1396 | ||
e8cb08ae CP |
1397 | optional_policy(` |
1398 | postgresql_unconfined($1_t) | |
1399 | ') | |
1400 | ||
6b19be33 CP |
1401 | optional_policy(` |
1402 | userhelper_exec($1_t) | |
1403 | ') | |
1404 | ') | |
1405 | ||
1406 | ######################################## | |
1407 | ## <summary> | |
1408 | ## Allow user to run as a secadm | |
1409 | ## </summary> | |
1410 | ## <desc> | |
1411 | ## <p> | |
1412 | ## Create objects in a user home directory | |
1413 | ## with an automatic type transition to | |
1414 | ## a specified private type. | |
1415 | ## </p> | |
1416 | ## <p> | |
1417 | ## This is a templated interface, and should only | |
1418 | ## be called from a per-userdomain template. | |
1419 | ## </p> | |
1420 | ## </desc> | |
6b19be33 CP |
1421 | ## <param name="domain"> |
1422 | ## <summary> | |
1423 | ## Domain allowed access. | |
1424 | ## </summary> | |
1425 | ## </param> | |
1426 | ## <param name="role"> | |
1427 | ## <summary> | |
1428 | ## The role of the object to create. | |
1429 | ## </summary> | |
1430 | ## </param> | |
6b19be33 CP |
1431 | # |
1432 | template(`userdom_security_admin_template',` | |
1433 | allow $1 self:capability { dac_read_search dac_override }; | |
1434 | ||
1435 | corecmd_exec_shell($1) | |
1436 | ||
1437 | domain_obj_id_change_exemption($1) | |
1438 | ||
1439 | dev_relabel_all_dev_nodes($1) | |
1440 | ||
1441 | files_create_boot_flag($1) | |
3eaa9939 DW |
1442 | files_create_default_dir($1) |
1443 | files_root_filetrans_default($1, dir) | |
6b19be33 CP |
1444 | |
1445 | # Necessary for managing /boot/efi | |
1446 | fs_manage_dos_files($1) | |
1447 | ||
1448 | mls_process_read_up($1) | |
f8233ab7 | 1449 | mls_file_read_all_levels($1) |
6b19be33 CP |
1450 | mls_file_upgrade($1) |
1451 | mls_file_downgrade($1) | |
1452 | ||
1453 | selinux_set_enforce_mode($1) | |
f0435b1a | 1454 | selinux_set_all_booleans($1) |
6b19be33 CP |
1455 | selinux_set_parameters($1) |
1456 | ||
1457 | auth_relabel_all_files_except_shadow($1) | |
1458 | auth_relabel_shadow($1) | |
1459 | ||
1460 | init_exec($1) | |
1461 | ||
1462 | logging_send_syslog_msg($1) | |
1463 | logging_read_audit_log($1) | |
1464 | logging_read_generic_logs($1) | |
1465 | logging_read_audit_config($1) | |
1466 | ||
1467 | seutil_manage_bin_policy($1) | |
296273a7 CP |
1468 | seutil_run_checkpolicy($1,$2) |
1469 | seutil_run_loadpolicy($1,$2) | |
1470 | seutil_run_semanage($1,$2) | |
3eaa9939 | 1471 | seutil_run_setsebool($1,$2) |
296273a7 | 1472 | seutil_run_setfiles($1, $2) |
6b19be33 CP |
1473 | |
1474 | optional_policy(` | |
296273a7 | 1475 | aide_run($1,$2) |
6b19be33 CP |
1476 | ') |
1477 | ||
1478 | optional_policy(` | |
1479 | consoletype_exec($1) | |
1480 | ') | |
1481 | ||
1482 | optional_policy(` | |
1483 | dmesg_exec($1) | |
1484 | ') | |
1485 | ||
9e8f65c8 | 1486 | optional_policy(` |
296273a7 | 1487 | ipsec_run_setkey($1,$2) |
9e8f65c8 CP |
1488 | ') |
1489 | ||
6b19be33 | 1490 | optional_policy(` |
296273a7 | 1491 | netlabel_run_mgmt($1,$2) |
a1fcff33 | 1492 | ') |
4d8ddf9a | 1493 | ') |
490639cd | 1494 | |
b1bf2f78 CP |
1495 | ######################################## |
1496 | ## <summary> | |
296273a7 CP |
1497 | ## Make the specified type usable in a |
1498 | ## user home directory. | |
b1bf2f78 | 1499 | ## </summary> |
296273a7 | 1500 | ## <param name="type"> |
b1bf2f78 | 1501 | ## <summary> |
296273a7 CP |
1502 | ## Type to be used as a file in the |
1503 | ## user home directory. | |
b1bf2f78 CP |
1504 | ## </summary> |
1505 | ## </param> | |
b1bf2f78 | 1506 | # |
296273a7 CP |
1507 | interface(`userdom_user_home_content',` |
1508 | gen_require(` | |
1509 | type user_home_t; | |
3eaa9939 | 1510 | attribute user_home_type; |
296273a7 CP |
1511 | ') |
1512 | ||
1513 | allow $1 user_home_t:filesystem associate; | |
1514 | files_type($1) | |
1515 | ubac_constrained($1) | |
3eaa9939 DW |
1516 | |
1517 | files_poly_member($1) | |
1518 | typeattribute $1 user_home_type; | |
b1bf2f78 CP |
1519 | ') |
1520 | ||
bd75703c CP |
1521 | ######################################## |
1522 | ## <summary> | |
1523 | ## Allow domain to attach to TUN devices created by administrative users. | |
1524 | ## </summary> | |
1525 | ## <param name="domain"> | |
1526 | ## <summary> | |
1527 | ## Domain allowed access. | |
1528 | ## </summary> | |
1529 | ## </param> | |
1530 | # | |
1531 | interface(`userdom_attach_admin_tun_iface',` | |
1532 | gen_require(` | |
0be901ba | 1533 | attribute admindomain; |
bd75703c CP |
1534 | ') |
1535 | ||
0be901ba | 1536 | allow $1 admindomain:tun_socket relabelfrom; |
bd75703c CP |
1537 | allow $1 self:tun_socket relabelto; |
1538 | ') | |
1539 | ||
b1bf2f78 CP |
1540 | ######################################## |
1541 | ## <summary> | |
296273a7 | 1542 | ## Set the attributes of a user pty. |
b1bf2f78 | 1543 | ## </summary> |
296273a7 | 1544 | ## <param name="domain"> |
b1bf2f78 | 1545 | ## <summary> |
296273a7 | 1546 | ## Domain allowed access. |
b1bf2f78 CP |
1547 | ## </summary> |
1548 | ## </param> | |
b1bf2f78 | 1549 | # |
296273a7 CP |
1550 | interface(`userdom_setattr_user_ptys',` |
1551 | gen_require(` | |
1552 | type user_devpts_t; | |
1553 | ') | |
1554 | ||
bf530f53 | 1555 | allow $1 user_devpts_t:chr_file setattr_chr_file_perms; |
b1bf2f78 CP |
1556 | ') |
1557 | ||
1558 | ######################################## | |
1559 | ## <summary> | |
296273a7 | 1560 | ## Create a user pty. |
b1bf2f78 | 1561 | ## </summary> |
296273a7 | 1562 | ## <param name="domain"> |
b1bf2f78 | 1563 | ## <summary> |
296273a7 | 1564 | ## Domain allowed access. |
b1bf2f78 CP |
1565 | ## </summary> |
1566 | ## </param> | |
b1bf2f78 | 1567 | # |
296273a7 CP |
1568 | interface(`userdom_create_user_pty',` |
1569 | gen_require(` | |
1570 | type user_devpts_t; | |
1571 | ') | |
1572 | ||
1573 | term_create_pty($1, user_devpts_t) | |
b1bf2f78 CP |
1574 | ') |
1575 | ||
1576 | ######################################## | |
1577 | ## <summary> | |
296273a7 | 1578 | ## Get the attributes of user home directories. |
b1bf2f78 | 1579 | ## </summary> |
296273a7 | 1580 | ## <param name="domain"> |
b1bf2f78 | 1581 | ## <summary> |
296273a7 | 1582 | ## Domain allowed access. |
b1bf2f78 CP |
1583 | ## </summary> |
1584 | ## </param> | |
b1bf2f78 | 1585 | # |
296273a7 CP |
1586 | interface(`userdom_getattr_user_home_dirs',` |
1587 | gen_require(` | |
1588 | type user_home_dir_t; | |
1589 | ') | |
1590 | ||
1591 | allow $1 user_home_dir_t:dir getattr_dir_perms; | |
1592 | files_search_home($1) | |
b1bf2f78 CP |
1593 | ') |
1594 | ||
1595 | ######################################## | |
1596 | ## <summary> | |
296273a7 | 1597 | ## Do not audit attempts to get the attributes of user home directories. |
b1bf2f78 | 1598 | ## </summary> |
296273a7 | 1599 | ## <param name="domain"> |
b1bf2f78 | 1600 | ## <summary> |
a0546c9d | 1601 | ## Domain to not audit. |
b1bf2f78 CP |
1602 | ## </summary> |
1603 | ## </param> | |
b1bf2f78 | 1604 | # |
296273a7 CP |
1605 | interface(`userdom_dontaudit_getattr_user_home_dirs',` |
1606 | gen_require(` | |
1607 | type user_home_dir_t; | |
1608 | ') | |
1609 | ||
1610 | dontaudit $1 user_home_dir_t:dir getattr_dir_perms; | |
b1bf2f78 CP |
1611 | ') |
1612 | ||
1613 | ######################################## | |
1614 | ## <summary> | |
296273a7 | 1615 | ## Search user home directories. |
b1bf2f78 | 1616 | ## </summary> |
296273a7 | 1617 | ## <param name="domain"> |
b1bf2f78 | 1618 | ## <summary> |
296273a7 | 1619 | ## Domain allowed access. |
b1bf2f78 CP |
1620 | ## </summary> |
1621 | ## </param> | |
b1bf2f78 | 1622 | # |
296273a7 CP |
1623 | interface(`userdom_search_user_home_dirs',` |
1624 | gen_require(` | |
1625 | type user_home_dir_t; | |
1626 | ') | |
1627 | ||
1628 | allow $1 user_home_dir_t:dir search_dir_perms; | |
3eaa9939 | 1629 | allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; |
296273a7 | 1630 | files_search_home($1) |
b1bf2f78 CP |
1631 | ') |
1632 | ||
1633 | ######################################## | |
1634 | ## <summary> | |
c46376e6 | 1635 | ## Do not audit attempts to search user home directories. |
b1bf2f78 | 1636 | ## </summary> |
c46376e6 CP |
1637 | ## <desc> |
1638 | ## <p> | |
1639 | ## Do not audit attempts to search user home directories. | |
1640 | ## This will supress SELinux denial messages when the specified | |
1641 | ## domain is denied the permission to search these directories. | |
1642 | ## </p> | |
1643 | ## </desc> | |
296273a7 | 1644 | ## <param name="domain"> |
b1bf2f78 | 1645 | ## <summary> |
c46376e6 | 1646 | ## Domain to not audit. |
b1bf2f78 CP |
1647 | ## </summary> |
1648 | ## </param> | |
c46376e6 | 1649 | ## <infoflow type="none"/> |
b1bf2f78 | 1650 | # |
296273a7 CP |
1651 | interface(`userdom_dontaudit_search_user_home_dirs',` |
1652 | gen_require(` | |
1653 | type user_home_dir_t; | |
1654 | ') | |
1655 | ||
1656 | dontaudit $1 user_home_dir_t:dir search_dir_perms; | |
b1bf2f78 CP |
1657 | ') |
1658 | ||
1659 | ######################################## | |
1660 | ## <summary> | |
ff8f0a63 | 1661 | ## List user home directories. |
b1bf2f78 | 1662 | ## </summary> |
296273a7 | 1663 | ## <param name="domain"> |
b1bf2f78 | 1664 | ## <summary> |
ff8f0a63 | 1665 | ## Domain allowed access. |
b1bf2f78 CP |
1666 | ## </summary> |
1667 | ## </param> | |
b1bf2f78 | 1668 | # |
296273a7 CP |
1669 | interface(`userdom_list_user_home_dirs',` |
1670 | gen_require(` | |
1671 | type user_home_dir_t; | |
1672 | ') | |
b1bf2f78 | 1673 | |
296273a7 CP |
1674 | allow $1 user_home_dir_t:dir list_dir_perms; |
1675 | files_search_home($1) | |
3eaa9939 DW |
1676 | |
1677 | tunable_policy(`use_nfs_home_dirs',` | |
1678 | fs_list_nfs($1) | |
1679 | ') | |
1680 | ||
1681 | tunable_policy(`use_samba_home_dirs',` | |
1682 | fs_list_cifs($1) | |
1683 | ') | |
de8af9dc CP |
1684 | ') |
1685 | ||
7c2f5a82 CP |
1686 | ######################################## |
1687 | ## <summary> | |
296273a7 | 1688 | ## Do not audit attempts to list user home subdirectories. |
7c2f5a82 CP |
1689 | ## </summary> |
1690 | ## <param name="domain"> | |
885b83ec | 1691 | ## <summary> |
a7ee7f81 | 1692 | ## Domain to not audit. |
885b83ec | 1693 | ## </summary> |
7c2f5a82 CP |
1694 | ## </param> |
1695 | # | |
296273a7 | 1696 | interface(`userdom_dontaudit_list_user_home_dirs',` |
7c2f5a82 | 1697 | gen_require(` |
296273a7 | 1698 | type user_home_dir_t; |
3eaa9939 | 1699 | type user_home_t; |
7c2f5a82 CP |
1700 | ') |
1701 | ||
296273a7 | 1702 | dontaudit $1 user_home_dir_t:dir list_dir_perms; |
3eaa9939 | 1703 | dontaudit $1 user_home_t:dir list_dir_perms; |
7c2f5a82 CP |
1704 | ') |
1705 | ||
1706 | ######################################## | |
1707 | ## <summary> | |
296273a7 | 1708 | ## Create user home directories. |
7c2f5a82 CP |
1709 | ## </summary> |
1710 | ## <param name="domain"> | |
885b83ec | 1711 | ## <summary> |
7c2f5a82 | 1712 | ## Domain allowed access. |
885b83ec | 1713 | ## </summary> |
7c2f5a82 CP |
1714 | ## </param> |
1715 | # | |
296273a7 CP |
1716 | interface(`userdom_create_user_home_dirs',` |
1717 | gen_require(` | |
1718 | type user_home_dir_t; | |
1719 | ') | |
1720 | ||
1721 | allow $1 user_home_dir_t:dir create_dir_perms; | |
7c2f5a82 CP |
1722 | ') |
1723 | ||
1724 | ######################################## | |
1725 | ## <summary> | |
296273a7 | 1726 | ## Create user home directories. |
7c2f5a82 CP |
1727 | ## </summary> |
1728 | ## <param name="domain"> | |
885b83ec | 1729 | ## <summary> |
7c2f5a82 | 1730 | ## Domain allowed access. |
885b83ec | 1731 | ## </summary> |
7c2f5a82 CP |
1732 | ## </param> |
1733 | # | |
296273a7 | 1734 | interface(`userdom_manage_user_home_dirs',` |
7c2f5a82 | 1735 | gen_require(` |
296273a7 | 1736 | type user_home_dir_t; |
7c2f5a82 CP |
1737 | ') |
1738 | ||
296273a7 | 1739 | allow $1 user_home_dir_t:dir manage_dir_perms; |
7c2f5a82 CP |
1740 | ') |
1741 | ||
d490eb6b | 1742 | ######################################## |
ab940a4c | 1743 | ## <summary> |
296273a7 | 1744 | ## Relabel to user home directories. |
ab940a4c | 1745 | ## </summary> |
414e4151 | 1746 | ## <param name="domain"> |
885b83ec | 1747 | ## <summary> |
725926c5 | 1748 | ## Domain allowed access. |
885b83ec | 1749 | ## </summary> |
414e4151 | 1750 | ## </param> |
d490eb6b | 1751 | # |
296273a7 CP |
1752 | interface(`userdom_relabelto_user_home_dirs',` |
1753 | gen_require(` | |
1754 | type user_home_dir_t; | |
1755 | ') | |
d490eb6b | 1756 | |
296273a7 | 1757 | allow $1 user_home_dir_t:dir relabelto; |
7c2f5a82 CP |
1758 | ') |
1759 | ||
3eaa9939 DW |
1760 | |
1761 | ######################################## | |
1762 | ## <summary> | |
1763 | ## Relabel to user home files. | |
1764 | ## </summary> | |
1765 | ## <param name="domain"> | |
1766 | ## <summary> | |
1767 | ## Domain allowed access. | |
1768 | ## </summary> | |
1769 | ## </param> | |
1770 | # | |
1771 | interface(`userdom_relabelto_user_home_files',` | |
1772 | gen_require(` | |
1773 | type user_home_t; | |
1774 | ') | |
1775 | ||
1776 | allow $1 user_home_t:file relabelto; | |
1777 | ') | |
1778 | ######################################## | |
1779 | ## <summary> | |
1780 | ## Relabel user home files. | |
1781 | ## </summary> | |
1782 | ## <param name="domain"> | |
1783 | ## <summary> | |
1784 | ## Domain allowed access. | |
1785 | ## </summary> | |
1786 | ## </param> | |
1787 | # | |
1788 | interface(`userdom_relabel_user_home_files',` | |
1789 | gen_require(` | |
1790 | type user_home_t; | |
1791 | ') | |
1792 | ||
83029ff3 | 1793 | allow $1 user_home_t:file relabel_file_perms; |
3eaa9939 DW |
1794 | ') |
1795 | ||
7c2f5a82 CP |
1796 | ######################################## |
1797 | ## <summary> | |
296273a7 CP |
1798 | ## Create directories in the home dir root with |
1799 | ## the user home directory type. | |
7c2f5a82 CP |
1800 | ## </summary> |
1801 | ## <param name="domain"> | |
885b83ec | 1802 | ## <summary> |
7c2f5a82 | 1803 | ## Domain allowed access. |
885b83ec | 1804 | ## </summary> |
7c2f5a82 CP |
1805 | ## </param> |
1806 | # | |
296273a7 CP |
1807 | interface(`userdom_home_filetrans_user_home_dir',` |
1808 | gen_require(` | |
1809 | type user_home_dir_t; | |
1810 | ') | |
7c2f5a82 | 1811 | |
296273a7 | 1812 | files_home_filetrans($1, user_home_dir_t, dir) |
7c2f5a82 CP |
1813 | ') |
1814 | ||
d42c7ede CP |
1815 | ######################################## |
1816 | ## <summary> | |
296273a7 CP |
1817 | ## Do a domain transition to the specified |
1818 | ## domain when executing a program in the | |
1819 | ## user home directory. | |
d42c7ede CP |
1820 | ## </summary> |
1821 | ## <desc> | |
1822 | ## <p> | |
296273a7 CP |
1823 | ## Do a domain transition to the specified |
1824 | ## domain when executing a program in the | |
1825 | ## user home directory. | |
d42c7ede CP |
1826 | ## </p> |
1827 | ## <p> | |
296273a7 CP |
1828 | ## No interprocess communication (signals, pipes, |
1829 | ## etc.) is provided by this interface since | |
1830 | ## the domains are not owned by this module. | |
d42c7ede CP |
1831 | ## </p> |
1832 | ## </desc> | |
296273a7 | 1833 | ## <param name="source_domain"> |
d42c7ede | 1834 | ## <summary> |
a0546c9d | 1835 | ## Domain allowed to transition. |
d42c7ede CP |
1836 | ## </summary> |
1837 | ## </param> | |
296273a7 | 1838 | ## <param name="target_domain"> |
d42c7ede | 1839 | ## <summary> |
296273a7 | 1840 | ## Domain to transition to. |
d42c7ede CP |
1841 | ## </summary> |
1842 | ## </param> | |
1843 | # | |
296273a7 CP |
1844 | interface(`userdom_user_home_domtrans',` |
1845 | gen_require(` | |
1846 | type user_home_dir_t, user_home_t; | |
1847 | ') | |
d42c7ede | 1848 | |
296273a7 CP |
1849 | domain_auto_trans($1, user_home_t, $2) |
1850 | allow $1 user_home_dir_t:dir search_dir_perms; | |
1851 | files_search_home($1) | |
d42c7ede CP |
1852 | ') |
1853 | ||
ae9e2716 CP |
1854 | ######################################## |
1855 | ## <summary> | |
296273a7 | 1856 | ## Do not audit attempts to search user home content directories. |
ae9e2716 CP |
1857 | ## </summary> |
1858 | ## <param name="domain"> | |
885b83ec | 1859 | ## <summary> |
a7ee7f81 | 1860 | ## Domain to not audit. |
885b83ec | 1861 | ## </summary> |
ae9e2716 CP |
1862 | ## </param> |
1863 | # | |
296273a7 CP |
1864 | interface(`userdom_dontaudit_search_user_home_content',` |
1865 | gen_require(` | |
1866 | type user_home_t; | |
1867 | ') | |
ae9e2716 | 1868 | |
296273a7 | 1869 | dontaudit $1 user_home_t:dir search_dir_perms; |
3eaa9939 DW |
1870 | fs_dontaudit_list_nfs($1) |
1871 | fs_dontaudit_list_cifs($1) | |
ae9e2716 CP |
1872 | ') |
1873 | ||
2d743657 CP |
1874 | ######################################## |
1875 | ## <summary> | |
1876 | ## List contents of users home directory. | |
1877 | ## </summary> | |
1878 | ## <param name="domain"> | |
1879 | ## <summary> | |
1880 | ## Domain allowed access. | |
1881 | ## </summary> | |
1882 | ## </param> | |
1883 | # | |
1884 | interface(`userdom_list_user_home_content',` | |
1885 | gen_require(` | |
3eaa9939 DW |
1886 | type user_home_dir_t; |
1887 | attribute user_home_type; | |
2d743657 CP |
1888 | ') |
1889 | ||
3eaa9939 DW |
1890 | files_list_home($1) |
1891 | allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; | |
2d743657 CP |
1892 | ') |
1893 | ||
cdc86ee5 CP |
1894 | ######################################## |
1895 | ## <summary> | |
296273a7 CP |
1896 | ## Create, read, write, and delete directories |
1897 | ## in a user home subdirectory. | |
cdc86ee5 CP |
1898 | ## </summary> |
1899 | ## <param name="domain"> | |
1900 | ## <summary> | |
1901 | ## Domain allowed access. | |
1902 | ## </summary> | |
1903 | ## </param> | |
1904 | # | |
296273a7 CP |
1905 | interface(`userdom_manage_user_home_content_dirs',` |
1906 | gen_require(` | |
1907 | type user_home_dir_t, user_home_t; | |
1908 | ') | |
1909 | ||
1910 | manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) | |
1911 | files_search_home($1) | |
cdc86ee5 CP |
1912 | ') |
1913 | ||
4083191c CP |
1914 | ######################################## |
1915 | ## <summary> | |
1916 | ## Delete directories in a user home subdirectory. | |
1917 | ## </summary> | |
1918 | ## <param name="domain"> | |
1919 | ## <summary> | |
1920 | ## Domain allowed access. | |
1921 | ## </summary> | |
1922 | ## </param> | |
1923 | # | |
1924 | interface(`userdom_delete_user_home_content_dirs',` | |
1925 | gen_require(` | |
1926 | type user_home_t; | |
1927 | ') | |
1928 | ||
1929 | allow $1 user_home_t:dir delete_dir_perms; | |
1930 | ') | |
1931 | ||
3eaa9939 DW |
1932 | ######################################## |
1933 | ## <summary> | |
1934 | ## Set the attributes of user home files. | |
1935 | ## </summary> | |
1936 | ## <param name="domain"> | |
1937 | ## <summary> | |
1938 | ## Domain allowed access. | |
1939 | ## </summary> | |
1940 | ## </param> | |
1941 | ## <rolecap/> | |
1942 | # | |
1943 | interface(`userdom_setattr_user_home_content_files',` | |
1944 | gen_require(` | |
1945 | type user_home_t; | |
1946 | ') | |
1947 | ||
1948 | allow $1 user_home_t:file setattr; | |
1949 | ') | |
1950 | ||
d6d16b97 CP |
1951 | ######################################## |
1952 | ## <summary> | |
296273a7 CP |
1953 | ## Do not audit attempts to set the |
1954 | ## attributes of user home files. | |
d6d16b97 CP |
1955 | ## </summary> |
1956 | ## <param name="domain"> | |
1957 | ## <summary> | |
a0546c9d | 1958 | ## Domain to not audit. |
d6d16b97 CP |
1959 | ## </summary> |
1960 | ## </param> | |
1961 | # | |
296273a7 CP |
1962 | interface(`userdom_dontaudit_setattr_user_home_content_files',` |
1963 | gen_require(` | |
1964 | type user_home_t; | |
1965 | ') | |
d6d16b97 | 1966 | |
bf530f53 | 1967 | dontaudit $1 user_home_t:file setattr_file_perms; |
b0d2243c CP |
1968 | ') |
1969 | ||
fd89e19f CP |
1970 | ######################################## |
1971 | ## <summary> | |
296273a7 | 1972 | ## Mmap user home files. |
fd89e19f CP |
1973 | ## </summary> |
1974 | ## <param name="domain"> | |
885b83ec | 1975 | ## <summary> |
725926c5 | 1976 | ## Domain allowed access. |
885b83ec | 1977 | ## </summary> |
fd89e19f CP |
1978 | ## </param> |
1979 | # | |
296273a7 CP |
1980 | interface(`userdom_mmap_user_home_content_files',` |
1981 | gen_require(` | |
1982 | type user_home_dir_t, user_home_t; | |
1983 | ') | |
fd89e19f | 1984 | |
296273a7 CP |
1985 | mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
1986 | files_search_home($1) | |
1f91e1bf CP |
1987 | ') |
1988 | ||
725926c5 CP |
1989 | ######################################## |
1990 | ## <summary> | |
296273a7 | 1991 | ## Read user home files. |
725926c5 CP |
1992 | ## </summary> |
1993 | ## <param name="domain"> | |
885b83ec | 1994 | ## <summary> |
725926c5 | 1995 | ## Domain allowed access. |
885b83ec | 1996 | ## </summary> |
725926c5 CP |
1997 | ## </param> |
1998 | # | |
296273a7 CP |
1999 | interface(`userdom_read_user_home_content_files',` |
2000 | gen_require(` | |
2001 | type user_home_dir_t, user_home_t; | |
2002 | ') | |
2003 | ||
3eaa9939 | 2004 | list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) |
296273a7 CP |
2005 | read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
2006 | files_search_home($1) | |
725926c5 CP |
2007 | ') |
2008 | ||
daa0e0b0 | 2009 | ######################################## |
ab940a4c | 2010 | ## <summary> |
3eaa9939 | 2011 | ## Do not audit attempts to getattr user home files. |
ab940a4c | 2012 | ## </summary> |
414e4151 | 2013 | ## <param name="domain"> |
885b83ec | 2014 | ## <summary> |
296273a7 | 2015 | ## Domain to not audit. |
885b83ec | 2016 | ## </summary> |
414e4151 | 2017 | ## </param> |
490639cd | 2018 | # |
3eaa9939 | 2019 | interface(`userdom_dontaudit_getattr_user_home_content',` |
296273a7 | 2020 | gen_require(` |
3eaa9939 | 2021 | attribute user_home_type; |
296273a7 CP |
2022 | ') |
2023 | ||
3eaa9939 DW |
2024 | dontaudit $1 user_home_type:dir getattr; |
2025 | dontaudit $1 user_home_type:file getattr; | |
2026 | ') | |
2027 | ||
2028 | ######################################## | |
2029 | ## <summary> | |
2030 | ## Do not audit attempts to read user home files. | |
2031 | ## </summary> | |
2032 | ## <param name="domain"> | |
2033 | ## <summary> | |
2034 | ## Domain to not audit. | |
2035 | ## </summary> | |
2036 | ## </param> | |
2037 | # | |
2038 | interface(`userdom_dontaudit_read_user_home_content_files',` | |
2039 | gen_require(` | |
2040 | attribute user_home_type; | |
2041 | type user_home_dir_t; | |
2042 | ') | |
2043 | ||
2044 | dontaudit $1 user_home_dir_t:dir list_dir_perms; | |
2045 | dontaudit $1 user_home_type:dir list_dir_perms; | |
2046 | dontaudit $1 user_home_type:file read_file_perms; | |
2047 | dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; | |
fd89e19f CP |
2048 | ') |
2049 | ||
50aca6d2 CP |
2050 | ######################################## |
2051 | ## <summary> | |
296273a7 | 2052 | ## Do not audit attempts to append user home files. |
50aca6d2 CP |
2053 | ## </summary> |
2054 | ## <param name="domain"> | |
885b83ec | 2055 | ## <summary> |
50aca6d2 | 2056 | ## Domain to not audit. |
885b83ec | 2057 | ## </summary> |
50aca6d2 CP |
2058 | ## </param> |
2059 | # | |
296273a7 CP |
2060 | interface(`userdom_dontaudit_append_user_home_content_files',` |
2061 | gen_require(` | |
2062 | type user_home_t; | |
2063 | ') | |
2064 | ||
bf530f53 | 2065 | dontaudit $1 user_home_t:file append_file_perms; |
50aca6d2 CP |
2066 | ') |
2067 | ||
fd89e19f CP |
2068 | ######################################## |
2069 | ## <summary> | |
296273a7 | 2070 | ## Do not audit attempts to write user home files. |
fd89e19f CP |
2071 | ## </summary> |
2072 | ## <param name="domain"> | |
885b83ec | 2073 | ## <summary> |
296273a7 | 2074 | ## Domain to not audit. |
885b83ec | 2075 | ## </summary> |
fd89e19f CP |
2076 | ## </param> |
2077 | # | |
296273a7 CP |
2078 | interface(`userdom_dontaudit_write_user_home_content_files',` |
2079 | gen_require(` | |
2080 | type user_home_t; | |
2081 | ') | |
2082 | ||
bf530f53 | 2083 | dontaudit $1 user_home_t:file write_file_perms; |
daa0e0b0 CP |
2084 | ') |
2085 | ||
4083191c CP |
2086 | ######################################## |
2087 | ## <summary> | |
2088 | ## Delete files in a user home subdirectory. | |
2089 | ## </summary> | |
2090 | ## <param name="domain"> | |
2091 | ## <summary> | |
2092 | ## Domain allowed access. | |
2093 | ## </summary> | |
2094 | ## </param> | |
2095 | # | |
2096 | interface(`userdom_delete_user_home_content_files',` | |
2097 | gen_require(` | |
2098 | type user_home_t; | |
2099 | ') | |
2100 | ||
2101 | allow $1 user_home_t:file delete_file_perms; | |
2102 | ') | |
2103 | ||
d4dca585 CP |
2104 | ######################################## |
2105 | ## <summary> | |
296273a7 | 2106 | ## Do not audit attempts to write user home files. |
d4dca585 CP |
2107 | ## </summary> |
2108 | ## <param name="domain"> | |
885b83ec | 2109 | ## <summary> |
d4dca585 | 2110 | ## Domain to not audit. |
885b83ec | 2111 | ## </summary> |
d4dca585 CP |
2112 | ## </param> |
2113 | # | |
296273a7 CP |
2114 | interface(`userdom_dontaudit_relabel_user_home_content_files',` |
2115 | gen_require(` | |
2116 | type user_home_t; | |
2117 | ') | |
2118 | ||
2119 | dontaudit $1 user_home_t:file relabel_file_perms; | |
d4dca585 CP |
2120 | ') |
2121 | ||
0404a390 | 2122 | ######################################## |
ab940a4c | 2123 | ## <summary> |
296273a7 | 2124 | ## Read user home subdirectory symbolic links. |
ab940a4c | 2125 | ## </summary> |
414e4151 | 2126 | ## <param name="domain"> |
885b83ec | 2127 | ## <summary> |
725926c5 | 2128 | ## Domain allowed access. |
885b83ec | 2129 | ## </summary> |
414e4151 | 2130 | ## </param> |
0404a390 | 2131 | # |
296273a7 CP |
2132 | interface(`userdom_read_user_home_content_symlinks',` |
2133 | gen_require(` | |
2134 | type user_home_dir_t, user_home_t; | |
2135 | ') | |
2136 | ||
3eaa9939 | 2137 | allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; |
daa0e0b0 CP |
2138 | ') |
2139 | ||
763c441e | 2140 | ######################################## |
ab940a4c | 2141 | ## <summary> |
296273a7 | 2142 | ## Execute user home files. |
ab940a4c | 2143 | ## </summary> |
414e4151 | 2144 | ## <param name="domain"> |
885b83ec | 2145 | ## <summary> |
296273a7 | 2146 | ## Domain allowed access. |
885b83ec | 2147 | ## </summary> |
414e4151 | 2148 | ## </param> |
296273a7 | 2149 | ## <rolecap/> |
763c441e | 2150 | # |
296273a7 CP |
2151 | interface(`userdom_exec_user_home_content_files',` |
2152 | gen_require(` | |
3eaa9939 DW |
2153 | type user_home_dir_t; |
2154 | attribute user_home_type; | |
296273a7 CP |
2155 | ') |
2156 | ||
2157 | files_search_home($1) | |
3eaa9939 DW |
2158 | exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) |
2159 | dontaudit $1 user_home_type:sock_file execute; | |
296273a7 | 2160 | ') |
763c441e | 2161 | |
fd89e19f CP |
2162 | ######################################## |
2163 | ## <summary> | |
296273a7 | 2164 | ## Do not audit attempts to execute user home files. |
fd89e19f CP |
2165 | ## </summary> |
2166 | ## <param name="domain"> | |
885b83ec | 2167 | ## <summary> |
a0546c9d | 2168 | ## Domain to not audit. |
885b83ec | 2169 | ## </summary> |
fd89e19f CP |
2170 | ## </param> |
2171 | # | |
296273a7 CP |
2172 | interface(`userdom_dontaudit_exec_user_home_content_files',` |
2173 | gen_require(` | |
2174 | type user_home_t; | |
2175 | ') | |
2176 | ||
bf530f53 | 2177 | dontaudit $1 user_home_t:file exec_file_perms; |
fd89e19f CP |
2178 | ') |
2179 | ||
2180 | ######################################## | |
2181 | ## <summary> | |
296273a7 CP |
2182 | ## Create, read, write, and delete files |
2183 | ## in a user home subdirectory. | |
fd89e19f CP |
2184 | ## </summary> |
2185 | ## <param name="domain"> | |
885b83ec | 2186 | ## <summary> |
725926c5 | 2187 | ## Domain allowed access. |
885b83ec | 2188 | ## </summary> |
fd89e19f CP |
2189 | ## </param> |
2190 | # | |
296273a7 CP |
2191 | interface(`userdom_manage_user_home_content_files',` |
2192 | gen_require(` | |
2193 | type user_home_dir_t, user_home_t; | |
2194 | ') | |
2195 | ||
2196 | manage_files_pattern($1, user_home_t, user_home_t) | |
2197 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2198 | files_search_home($1) | |
fd89e19f CP |
2199 | ') |
2200 | ||
799a0b43 CP |
2201 | ######################################## |
2202 | ## <summary> | |
296273a7 CP |
2203 | ## Do not audit attempts to create, read, write, and delete directories |
2204 | ## in a user home subdirectory. | |
799a0b43 CP |
2205 | ## </summary> |
2206 | ## <param name="domain"> | |
885b83ec | 2207 | ## <summary> |
a0546c9d | 2208 | ## Domain to not audit. |
885b83ec | 2209 | ## </summary> |
799a0b43 CP |
2210 | ## </param> |
2211 | # | |
296273a7 CP |
2212 | interface(`userdom_dontaudit_manage_user_home_content_dirs',` |
2213 | gen_require(` | |
2214 | type user_home_dir_t, user_home_t; | |
2215 | ') | |
2216 | ||
2217 | dontaudit $1 user_home_t:dir manage_dir_perms; | |
799a0b43 CP |
2218 | ') |
2219 | ||
44fc06b0 CP |
2220 | ######################################## |
2221 | ## <summary> | |
296273a7 CP |
2222 | ## Create, read, write, and delete symbolic links |
2223 | ## in a user home subdirectory. | |
44fc06b0 CP |
2224 | ## </summary> |
2225 | ## <param name="domain"> | |
885b83ec | 2226 | ## <summary> |
296273a7 | 2227 | ## Domain allowed access. |
885b83ec | 2228 | ## </summary> |
44fc06b0 CP |
2229 | ## </param> |
2230 | # | |
296273a7 CP |
2231 | interface(`userdom_manage_user_home_content_symlinks',` |
2232 | gen_require(` | |
2233 | type user_home_dir_t, user_home_t; | |
2234 | ') | |
2235 | ||
2236 | manage_lnk_files_pattern($1, user_home_t, user_home_t) | |
2237 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2238 | files_search_home($1) | |
44fc06b0 CP |
2239 | ') |
2240 | ||
4083191c CP |
2241 | ######################################## |
2242 | ## <summary> | |
2243 | ## Delete symbolic links in a user home directory. | |
2244 | ## </summary> | |
2245 | ## <param name="domain"> | |
2246 | ## <summary> | |
2247 | ## Domain allowed access. | |
2248 | ## </summary> | |
2249 | ## </param> | |
2250 | # | |
2251 | interface(`userdom_delete_user_home_content_symlinks',` | |
2252 | gen_require(` | |
2253 | type user_home_t; | |
2254 | ') | |
2255 | ||
2256 | allow $1 user_home_t:lnk_file delete_lnk_file_perms; | |
2257 | ') | |
2258 | ||
ae9e2716 CP |
2259 | ######################################## |
2260 | ## <summary> | |
296273a7 CP |
2261 | ## Create, read, write, and delete named pipes |
2262 | ## in a user home subdirectory. | |
ae9e2716 CP |
2263 | ## </summary> |
2264 | ## <param name="domain"> | |
885b83ec | 2265 | ## <summary> |
296273a7 | 2266 | ## Domain allowed access. |
885b83ec | 2267 | ## </summary> |
ae9e2716 CP |
2268 | ## </param> |
2269 | # | |
296273a7 CP |
2270 | interface(`userdom_manage_user_home_content_pipes',` |
2271 | gen_require(` | |
2272 | type user_home_dir_t, user_home_t; | |
2273 | ') | |
2274 | ||
2275 | manage_fifo_files_pattern($1, user_home_t, user_home_t) | |
2276 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2277 | files_search_home($1) | |
ae9e2716 CP |
2278 | ') |
2279 | ||
2280 | ######################################## | |
2281 | ## <summary> | |
296273a7 CP |
2282 | ## Create, read, write, and delete named sockets |
2283 | ## in a user home subdirectory. | |
ae9e2716 CP |
2284 | ## </summary> |
2285 | ## <param name="domain"> | |
885b83ec | 2286 | ## <summary> |
296273a7 | 2287 | ## Domain allowed access. |
885b83ec | 2288 | ## </summary> |
ae9e2716 CP |
2289 | ## </param> |
2290 | # | |
296273a7 CP |
2291 | interface(`userdom_manage_user_home_content_sockets',` |
2292 | gen_require(` | |
2293 | type user_home_dir_t, user_home_t; | |
2294 | ') | |
2295 | ||
2296 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2297 | manage_sock_files_pattern($1, user_home_t, user_home_t) | |
2298 | files_search_home($1) | |
ae9e2716 CP |
2299 | ') |
2300 | ||
725926c5 CP |
2301 | ######################################## |
2302 | ## <summary> | |
296273a7 CP |
2303 | ## Create objects in a user home directory |
2304 | ## with an automatic type transition to | |
2305 | ## a specified private type. | |
725926c5 CP |
2306 | ## </summary> |
2307 | ## <param name="domain"> | |
885b83ec | 2308 | ## <summary> |
725926c5 | 2309 | ## Domain allowed access. |
885b83ec | 2310 | ## </summary> |
725926c5 | 2311 | ## </param> |
296273a7 | 2312 | ## <param name="private_type"> |
885b83ec | 2313 | ## <summary> |
296273a7 | 2314 | ## The type of the object to create. |
885b83ec | 2315 | ## </summary> |
b11a75a5 | 2316 | ## </param> |
296273a7 | 2317 | ## <param name="object_class"> |
885b83ec | 2318 | ## <summary> |
296273a7 | 2319 | ## The class of the object to be created. |
885b83ec | 2320 | ## </summary> |
e1c41428 CP |
2321 | ## </param> |
2322 | # | |
296273a7 CP |
2323 | interface(`userdom_user_home_dir_filetrans',` |
2324 | gen_require(` | |
2325 | type user_home_dir_t; | |
2326 | ') | |
2327 | ||
2328 | filetrans_pattern($1, user_home_dir_t, $2, $3) | |
2329 | files_search_home($1) | |
e1c41428 CP |
2330 | ') |
2331 | ||
10b1f324 CP |
2332 | ######################################## |
2333 | ## <summary> | |
296273a7 CP |
2334 | ## Create objects in a user home directory |
2335 | ## with an automatic type transition to | |
2336 | ## a specified private type. | |
10b1f324 CP |
2337 | ## </summary> |
2338 | ## <param name="domain"> | |
885b83ec | 2339 | ## <summary> |
10b1f324 | 2340 | ## Domain allowed access. |
885b83ec | 2341 | ## </summary> |
10b1f324 | 2342 | ## </param> |
296273a7 | 2343 | ## <param name="private_type"> |
885b83ec | 2344 | ## <summary> |
296273a7 | 2345 | ## The type of the object to create. |
885b83ec | 2346 | ## </summary> |
ee9500ec CP |
2347 | ## </param> |
2348 | ## <param name="object_class"> | |
885b83ec | 2349 | ## <summary> |
10b1f324 | 2350 | ## The class of the object to be created. |
885b83ec | 2351 | ## </summary> |
10b1f324 CP |
2352 | ## </param> |
2353 | # | |
296273a7 CP |
2354 | interface(`userdom_user_home_content_filetrans',` |
2355 | gen_require(` | |
2356 | type user_home_dir_t, user_home_t; | |
2357 | ') | |
2358 | ||
2359 | filetrans_pattern($1, user_home_t, $2, $3) | |
2360 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2361 | files_search_home($1) | |
10b1f324 CP |
2362 | ') |
2363 | ||
2364 | ######################################## | |
2365 | ## <summary> | |
296273a7 CP |
2366 | ## Create objects in a user home directory |
2367 | ## with an automatic type transition to | |
2368 | ## the user home file type. | |
10b1f324 CP |
2369 | ## </summary> |
2370 | ## <param name="domain"> | |
885b83ec | 2371 | ## <summary> |
296273a7 CP |
2372 | ## Domain allowed access. |
2373 | ## </summary> | |
2374 | ## </param> | |
2375 | ## <param name="object_class"> | |
2376 | ## <summary> | |
2377 | ## The class of the object to be created. | |
885b83ec | 2378 | ## </summary> |
10b1f324 CP |
2379 | ## </param> |
2380 | # | |
296273a7 CP |
2381 | interface(`userdom_user_home_dir_filetrans_user_home_content',` |
2382 | gen_require(` | |
2383 | type user_home_dir_t, user_home_t; | |
2384 | ') | |
2385 | ||
2386 | filetrans_pattern($1, user_home_dir_t, user_home_t, $2) | |
2387 | files_search_home($1) | |
10b1f324 CP |
2388 | ') |
2389 | ||
fd89e19f CP |
2390 | ######################################## |
2391 | ## <summary> | |
ff8f0a63 | 2392 | ## Write to user temporary named sockets. |
fd89e19f CP |
2393 | ## </summary> |
2394 | ## <param name="domain"> | |
885b83ec | 2395 | ## <summary> |
ff8f0a63 | 2396 | ## Domain allowed access. |
885b83ec | 2397 | ## </summary> |
fd89e19f CP |
2398 | ## </param> |
2399 | # | |
296273a7 CP |
2400 | interface(`userdom_write_user_tmp_sockets',` |
2401 | gen_require(` | |
2402 | type user_tmp_t; | |
2403 | ') | |
2404 | ||
4cb24aed | 2405 | allow $1 user_tmp_t:sock_file write_sock_file_perms; |
296273a7 | 2406 | files_search_tmp($1) |
ed38ca9f | 2407 | ') |
fd89e19f | 2408 | |
ed38ca9f CP |
2409 | ######################################## |
2410 | ## <summary> | |
296273a7 | 2411 | ## List user temporary directories. |
ed38ca9f CP |
2412 | ## </summary> |
2413 | ## <param name="domain"> | |
2414 | ## <summary> | |
2415 | ## Domain allowed access. | |
2416 | ## </summary> | |
2417 | ## </param> | |
2418 | # | |
296273a7 CP |
2419 | interface(`userdom_list_user_tmp',` |
2420 | gen_require(` | |
2421 | type user_tmp_t; | |
2422 | ') | |
2423 | ||
2424 | allow $1 user_tmp_t:dir list_dir_perms; | |
2425 | files_search_tmp($1) | |
fd89e19f CP |
2426 | ') |
2427 | ||
1786478c CP |
2428 | ######################################## |
2429 | ## <summary> | |
296273a7 CP |
2430 | ## Do not audit attempts to list user |
2431 | ## temporary directories. | |
1786478c CP |
2432 | ## </summary> |
2433 | ## <param name="domain"> | |
2434 | ## <summary> | |
296273a7 | 2435 | ## Domain to not audit. |
1786478c CP |
2436 | ## </summary> |
2437 | ## </param> | |
2438 | # | |
296273a7 | 2439 | interface(`userdom_dontaudit_list_user_tmp',` |
1786478c | 2440 | gen_require(` |
296273a7 | 2441 | type user_tmp_t; |
1786478c CP |
2442 | ') |
2443 | ||
296273a7 | 2444 | dontaudit $1 user_tmp_t:dir list_dir_perms; |
1786478c CP |
2445 | ') |
2446 | ||
9778406f CP |
2447 | ######################################## |
2448 | ## <summary> | |
296273a7 CP |
2449 | ## Do not audit attempts to manage users |
2450 | ## temporary directories. | |
9778406f CP |
2451 | ## </summary> |
2452 | ## <param name="domain"> | |
885b83ec | 2453 | ## <summary> |
296273a7 | 2454 | ## Domain to not audit. |
885b83ec | 2455 | ## </summary> |
9778406f CP |
2456 | ## </param> |
2457 | # | |
296273a7 | 2458 | interface(`userdom_dontaudit_manage_user_tmp_dirs',` |
9778406f | 2459 | gen_require(` |
296273a7 | 2460 | type user_tmp_t; |
9778406f CP |
2461 | ') |
2462 | ||
296273a7 | 2463 | dontaudit $1 user_tmp_t:dir manage_dir_perms; |
9778406f CP |
2464 | ') |
2465 | ||
4bf4ed9e | 2466 | ######################################## |
ab940a4c | 2467 | ## <summary> |
296273a7 | 2468 | ## Read user temporary files. |
ab940a4c | 2469 | ## </summary> |
414e4151 | 2470 | ## <param name="domain"> |
885b83ec | 2471 | ## <summary> |
725926c5 | 2472 | ## Domain allowed access. |
885b83ec | 2473 | ## </summary> |
414e4151 | 2474 | ## </param> |
4bf4ed9e | 2475 | # |
296273a7 | 2476 | interface(`userdom_read_user_tmp_files',` |
0404a390 | 2477 | gen_require(` |
296273a7 | 2478 | type user_tmp_t; |
0404a390 | 2479 | ') |
0c73cd25 | 2480 | |
296273a7 CP |
2481 | read_files_pattern($1, user_tmp_t, user_tmp_t) |
2482 | allow $1 user_tmp_t:dir list_dir_perms; | |
2483 | files_search_tmp($1) | |
4bf4ed9e CP |
2484 | ') |
2485 | ||
ae9e2716 CP |
2486 | ######################################## |
2487 | ## <summary> | |
296273a7 CP |
2488 | ## Do not audit attempts to read users |
2489 | ## temporary files. | |
ae9e2716 CP |
2490 | ## </summary> |
2491 | ## <param name="domain"> | |
885b83ec | 2492 | ## <summary> |
ae9e2716 | 2493 | ## Domain to not audit. |
885b83ec | 2494 | ## </summary> |
ae9e2716 CP |
2495 | ## </param> |
2496 | # | |
296273a7 | 2497 | interface(`userdom_dontaudit_read_user_tmp_files',` |
ae9e2716 | 2498 | gen_require(` |
296273a7 | 2499 | type user_tmp_t; |
ae9e2716 CP |
2500 | ') |
2501 | ||
3eaa9939 | 2502 | dontaudit $1 user_tmp_t:file read_inherited_file_perms; |
ae9e2716 CP |
2503 | ') |
2504 | ||
daa0e0b0 | 2505 | ######################################## |
ab940a4c | 2506 | ## <summary> |
296273a7 CP |
2507 | ## Do not audit attempts to append users |
2508 | ## temporary files. | |
ab940a4c | 2509 | ## </summary> |
414e4151 | 2510 | ## <param name="domain"> |
885b83ec | 2511 | ## <summary> |
296273a7 | 2512 | ## Domain to not audit. |
885b83ec | 2513 | ## </summary> |
414e4151 | 2514 | ## </param> |
daa0e0b0 | 2515 | # |
296273a7 | 2516 | interface(`userdom_dontaudit_append_user_tmp_files',` |
0404a390 | 2517 | gen_require(` |
296273a7 | 2518 | type user_tmp_t; |
0404a390 | 2519 | ') |
0c73cd25 | 2520 | |
bf530f53 | 2521 | dontaudit $1 user_tmp_t:file append_file_perms; |
daa0e0b0 CP |
2522 | ') |
2523 | ||
fc6524d7 CP |
2524 | ######################################## |
2525 | ## <summary> | |
296273a7 | 2526 | ## Read and write user temporary files. |
fc6524d7 CP |
2527 | ## </summary> |
2528 | ## <param name="domain"> | |
885b83ec | 2529 | ## <summary> |
725926c5 | 2530 | ## Domain allowed access. |
885b83ec | 2531 | ## </summary> |
fc6524d7 CP |
2532 | ## </param> |
2533 | # | |
296273a7 | 2534 | interface(`userdom_rw_user_tmp_files',` |
fc6524d7 | 2535 | gen_require(` |
296273a7 | 2536 | type user_tmp_t; |
fc6524d7 CP |
2537 | ') |
2538 | ||
296273a7 CP |
2539 | allow $1 user_tmp_t:dir list_dir_perms; |
2540 | rw_files_pattern($1, user_tmp_t, user_tmp_t) | |
2541 | files_search_tmp($1) | |
fc6524d7 CP |
2542 | ') |
2543 | ||
2544 | ######################################## | |
2545 | ## <summary> | |
296273a7 CP |
2546 | ## Do not audit attempts to manage users |
2547 | ## temporary files. | |
fc6524d7 CP |
2548 | ## </summary> |
2549 | ## <param name="domain"> | |
885b83ec | 2550 | ## <summary> |
296273a7 | 2551 | ## Domain to not audit. |
885b83ec | 2552 | ## </summary> |
fc6524d7 CP |
2553 | ## </param> |
2554 | # | |
296273a7 | 2555 | interface(`userdom_dontaudit_manage_user_tmp_files',` |
fc6524d7 | 2556 | gen_require(` |
296273a7 | 2557 | type user_tmp_t; |
fc6524d7 CP |
2558 | ') |
2559 | ||
296273a7 | 2560 | dontaudit $1 user_tmp_t:file manage_file_perms; |
fc6524d7 CP |
2561 | ') |
2562 | ||
2563 | ######################################## | |
2564 | ## <summary> | |
296273a7 | 2565 | ## Read user temporary symbolic links. |
fc6524d7 CP |
2566 | ## </summary> |
2567 | ## <param name="domain"> | |
885b83ec | 2568 | ## <summary> |
725926c5 | 2569 | ## Domain allowed access. |
885b83ec | 2570 | ## </summary> |
fc6524d7 CP |
2571 | ## </param> |
2572 | # | |
296273a7 | 2573 | interface(`userdom_read_user_tmp_symlinks',` |
fc6524d7 | 2574 | gen_require(` |
296273a7 | 2575 | type user_tmp_t; |
fc6524d7 CP |
2576 | ') |
2577 | ||
296273a7 CP |
2578 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2579 | allow $1 user_tmp_t:dir list_dir_perms; | |
2580 | files_search_tmp($1) | |
fc6524d7 CP |
2581 | ') |
2582 | ||
784a3bbc CP |
2583 | ######################################## |
2584 | ## <summary> | |
296273a7 CP |
2585 | ## Create, read, write, and delete user |
2586 | ## temporary directories. | |
784a3bbc | 2587 | ## </summary> |
784a3bbc | 2588 | ## <param name="domain"> |
885b83ec | 2589 | ## <summary> |
725926c5 | 2590 | ## Domain allowed access. |
885b83ec | 2591 | ## </summary> |
784a3bbc CP |
2592 | ## </param> |
2593 | # | |
296273a7 | 2594 | interface(`userdom_manage_user_tmp_dirs',` |
784a3bbc | 2595 | gen_require(` |
296273a7 | 2596 | type user_tmp_t; |
784a3bbc CP |
2597 | ') |
2598 | ||
296273a7 CP |
2599 | manage_dirs_pattern($1, user_tmp_t, user_tmp_t) |
2600 | files_search_tmp($1) | |
784a3bbc CP |
2601 | ') |
2602 | ||
daa0e0b0 | 2603 | ######################################## |
ab940a4c | 2604 | ## <summary> |
296273a7 CP |
2605 | ## Create, read, write, and delete user |
2606 | ## temporary files. | |
ab940a4c CP |
2607 | ## </summary> |
2608 | ## <param name="domain"> | |
885b83ec | 2609 | ## <summary> |
725926c5 | 2610 | ## Domain allowed access. |
885b83ec | 2611 | ## </summary> |
ab940a4c CP |
2612 | ## </param> |
2613 | # | |
296273a7 | 2614 | interface(`userdom_manage_user_tmp_files',` |
ab940a4c | 2615 | gen_require(` |
296273a7 | 2616 | type user_tmp_t; |
ab940a4c CP |
2617 | ') |
2618 | ||
296273a7 CP |
2619 | manage_files_pattern($1, user_tmp_t, user_tmp_t) |
2620 | files_search_tmp($1) | |
ab940a4c CP |
2621 | ') |
2622 | ||
2623 | ######################################## | |
2624 | ## <summary> | |
296273a7 CP |
2625 | ## Create, read, write, and delete user |
2626 | ## temporary symbolic links. | |
ab940a4c | 2627 | ## </summary> |
414e4151 | 2628 | ## <param name="domain"> |
885b83ec | 2629 | ## <summary> |
725926c5 | 2630 | ## Domain allowed access. |
885b83ec | 2631 | ## </summary> |
414e4151 | 2632 | ## </param> |
490639cd | 2633 | # |
296273a7 | 2634 | interface(`userdom_manage_user_tmp_symlinks',` |
0404a390 | 2635 | gen_require(` |
296273a7 | 2636 | type user_tmp_t; |
0404a390 | 2637 | ') |
0c73cd25 | 2638 | |
296273a7 CP |
2639 | manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2640 | files_search_tmp($1) | |
490639cd CP |
2641 | ') |
2642 | ||
4bf4ed9e | 2643 | ######################################## |
ab940a4c | 2644 | ## <summary> |
296273a7 CP |
2645 | ## Create, read, write, and delete user |
2646 | ## temporary named pipes. | |
ab940a4c | 2647 | ## </summary> |
414e4151 | 2648 | ## <param name="domain"> |
885b83ec | 2649 | ## <summary> |
725926c5 | 2650 | ## Domain allowed access. |
885b83ec | 2651 | ## </summary> |
414e4151 | 2652 | ## </param> |
4bf4ed9e | 2653 | # |
296273a7 | 2654 | interface(`userdom_manage_user_tmp_pipes',` |
0404a390 | 2655 | gen_require(` |
296273a7 | 2656 | type user_tmp_t; |
0404a390 | 2657 | ') |
0c73cd25 | 2658 | |
296273a7 CP |
2659 | manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) |
2660 | files_search_tmp($1) | |
4bf4ed9e CP |
2661 | ') |
2662 | ||
0404a390 | 2663 | ######################################## |
ab940a4c | 2664 | ## <summary> |
296273a7 CP |
2665 | ## Create, read, write, and delete user |
2666 | ## temporary named sockets. | |
ab940a4c | 2667 | ## </summary> |
414e4151 | 2668 | ## <param name="domain"> |
885b83ec | 2669 | ## <summary> |
57a96cbd | 2670 | ## Domain allowed access. |
885b83ec | 2671 | ## </summary> |
414e4151 | 2672 | ## </param> |
0404a390 | 2673 | # |
296273a7 CP |
2674 | interface(`userdom_manage_user_tmp_sockets',` |
2675 | gen_require(` | |
2676 | type user_tmp_t; | |
2677 | ') | |
2678 | ||
2679 | manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) | |
2680 | files_search_tmp($1) | |
4bf4ed9e CP |
2681 | ') |
2682 | ||
4614e83f CP |
2683 | ######################################## |
2684 | ## <summary> | |
296273a7 CP |
2685 | ## Create objects in a user temporary directory |
2686 | ## with an automatic type transition to | |
2687 | ## a specified private type. | |
4614e83f CP |
2688 | ## </summary> |
2689 | ## <param name="domain"> | |
885b83ec | 2690 | ## <summary> |
4614e83f | 2691 | ## Domain allowed access. |
885b83ec | 2692 | ## </summary> |
4614e83f | 2693 | ## </param> |
296273a7 CP |
2694 | ## <param name="private_type"> |
2695 | ## <summary> | |
2696 | ## The type of the object to create. | |
2697 | ## </summary> | |
2698 | ## </param> | |
2699 | ## <param name="object_class"> | |
2700 | ## <summary> | |
2701 | ## The class of the object to be created. | |
2702 | ## </summary> | |
2703 | ## </param> | |
4614e83f | 2704 | # |
296273a7 CP |
2705 | interface(`userdom_user_tmp_filetrans',` |
2706 | gen_require(` | |
2707 | type user_tmp_t; | |
2708 | ') | |
2709 | ||
2710 | filetrans_pattern($1, user_tmp_t, $2, $3) | |
2711 | files_search_tmp($1) | |
4614e83f CP |
2712 | ') |
2713 | ||
daa0e0b0 | 2714 | ######################################## |
ab940a4c | 2715 | ## <summary> |
296273a7 CP |
2716 | ## Create objects in the temporary directory |
2717 | ## with an automatic type transition to | |
2718 | ## the user temporary type. | |
57a96cbd CP |
2719 | ## </summary> |
2720 | ## <param name="domain"> | |
885b83ec | 2721 | ## <summary> |
57a96cbd | 2722 | ## Domain allowed access. |
885b83ec | 2723 | ## </summary> |
57a96cbd | 2724 | ## </param> |
1c1ac67f | 2725 | ## <param name="object_class"> |
885b83ec | 2726 | ## <summary> |
57a96cbd | 2727 | ## The class of the object to be created. |
885b83ec | 2728 | ## </summary> |
57a96cbd CP |
2729 | ## </param> |
2730 | # | |
296273a7 CP |
2731 | interface(`userdom_tmp_filetrans_user_tmp',` |
2732 | gen_require(` | |
2733 | type user_tmp_t; | |
2734 | ') | |
2735 | ||
2736 | files_tmp_filetrans($1, user_tmp_t, $2) | |
57a96cbd CP |
2737 | ') |
2738 | ||
a9e9678f CP |
2739 | ######################################## |
2740 | ## <summary> | |
2741 | ## Read user tmpfs files. | |
2742 | ## </summary> | |
2743 | ## <param name="domain"> | |
2744 | ## <summary> | |
2745 | ## Domain allowed access. | |
2746 | ## </summary> | |
2747 | ## </param> | |
2748 | # | |
2749 | interface(`userdom_read_user_tmpfs_files',` | |
2750 | gen_require(` | |
2751 | type user_tmpfs_t; | |
2752 | ') | |
2753 | ||
2754 | read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3eaa9939 | 2755 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) |
a9e9678f CP |
2756 | allow $1 user_tmpfs_t:dir list_dir_perms; |
2757 | fs_search_tmpfs($1) | |
2758 | ') | |
2759 | ||
d4dca585 CP |
2760 | ######################################## |
2761 | ## <summary> | |
3eaa9939 | 2762 | ## Read/Write user tmpfs files. |
d4dca585 CP |
2763 | ## </summary> |
2764 | ## <param name="domain"> | |
885b83ec | 2765 | ## <summary> |
d4dca585 | 2766 | ## Domain allowed access. |
885b83ec | 2767 | ## </summary> |
d4dca585 CP |
2768 | ## </param> |
2769 | # | |
296273a7 CP |
2770 | interface(`userdom_rw_user_tmpfs_files',` |
2771 | gen_require(` | |
2772 | type user_tmpfs_t; | |
2773 | ') | |
2774 | ||
2775 | rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
2776 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
2777 | allow $1 user_tmpfs_t:dir list_dir_perms; | |
2778 | fs_search_tmpfs($1) | |
d4dca585 CP |
2779 | ') |
2780 | ||
d9845ae9 CP |
2781 | ######################################## |
2782 | ## <summary> | |
296273a7 | 2783 | ## Get the attributes of a user domain tty. |
d9845ae9 CP |
2784 | ## </summary> |
2785 | ## <param name="domain"> | |
2786 | ## <summary> | |
2787 | ## Domain allowed access. | |
2788 | ## </summary> | |
2789 | ## </param> | |
2790 | # | |
296273a7 CP |
2791 | interface(`userdom_getattr_user_ttys',` |
2792 | gen_require(` | |
2793 | type user_tty_device_t; | |
2794 | ') | |
2795 | ||
bf530f53 | 2796 | allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
d9845ae9 CP |
2797 | ') |
2798 | ||
57a96cbd CP |
2799 | ######################################## |
2800 | ## <summary> | |
296273a7 | 2801 | ## Do not audit attempts to get the attributes of a user domain tty. |
57a96cbd CP |
2802 | ## </summary> |
2803 | ## <param name="domain"> | |
885b83ec | 2804 | ## <summary> |
a0546c9d | 2805 | ## Domain to not audit. |
885b83ec | 2806 | ## </summary> |
57a96cbd CP |
2807 | ## </param> |
2808 | # | |
296273a7 CP |
2809 | interface(`userdom_dontaudit_getattr_user_ttys',` |
2810 | gen_require(` | |
2811 | type user_tty_device_t; | |
2812 | ') | |
2813 | ||
bf530f53 | 2814 | dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
57a96cbd CP |
2815 | ') |
2816 | ||
d6d16b97 CP |
2817 | ######################################## |
2818 | ## <summary> | |
296273a7 | 2819 | ## Set the attributes of a user domain tty. |
d6d16b97 CP |
2820 | ## </summary> |
2821 | ## <param name="domain"> | |
2822 | ## <summary> | |
2823 | ## Domain allowed access. | |
2824 | ## </summary> | |
2825 | ## </param> | |
2826 | # | |
296273a7 CP |
2827 | interface(`userdom_setattr_user_ttys',` |
2828 | gen_require(` | |
2829 | type user_tty_device_t; | |
2830 | ') | |
2831 | ||
bf530f53 | 2832 | allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
d6d16b97 CP |
2833 | ') |
2834 | ||
165b42d2 CP |
2835 | ######################################## |
2836 | ## <summary> | |
296273a7 | 2837 | ## Do not audit attempts to set the attributes of a user domain tty. |
165b42d2 CP |
2838 | ## </summary> |
2839 | ## <param name="domain"> | |
2840 | ## <summary> | |
a0546c9d | 2841 | ## Domain to not audit. |
165b42d2 CP |
2842 | ## </summary> |
2843 | ## </param> | |
2844 | # | |
296273a7 CP |
2845 | interface(`userdom_dontaudit_setattr_user_ttys',` |
2846 | gen_require(` | |
2847 | type user_tty_device_t; | |
2848 | ') | |
2849 | ||
bf530f53 | 2850 | dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
165b42d2 CP |
2851 | ') |
2852 | ||
d6d16b97 CP |
2853 | ######################################## |
2854 | ## <summary> | |
296273a7 | 2855 | ## Read and write a user domain tty. |
d6d16b97 CP |
2856 | ## </summary> |
2857 | ## <param name="domain"> | |
2858 | ## <summary> | |
2859 | ## Domain allowed access. | |
2860 | ## </summary> | |
2861 | ## </param> | |
2862 | # | |
296273a7 CP |
2863 | interface(`userdom_use_user_ttys',` |
2864 | gen_require(` | |
2865 | type user_tty_device_t; | |
2866 | ') | |
2867 | ||
2868 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
d6d16b97 CP |
2869 | ') |
2870 | ||
57a96cbd CP |
2871 | ######################################## |
2872 | ## <summary> | |
296273a7 | 2873 | ## Read and write a user domain pty. |
57a96cbd CP |
2874 | ## </summary> |
2875 | ## <param name="domain"> | |
885b83ec | 2876 | ## <summary> |
57a96cbd | 2877 | ## Domain allowed access. |
885b83ec | 2878 | ## </summary> |
57a96cbd CP |
2879 | ## </param> |
2880 | # | |
296273a7 CP |
2881 | interface(`userdom_use_user_ptys',` |
2882 | gen_require(` | |
2883 | type user_devpts_t; | |
2884 | ') | |
2885 | ||
2886 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
2887 | ') |
2888 | ||
d6d16b97 CP |
2889 | ######################################## |
2890 | ## <summary> | |
c46376e6 | 2891 | ## Read and write a user TTYs and PTYs. |
d6d16b97 | 2892 | ## </summary> |
c46376e6 CP |
2893 | ## <desc> |
2894 | ## <p> | |
2895 | ## Allow the specified domain to read and write user | |
2896 | ## TTYs and PTYs. This will allow the domain to | |
2897 | ## interact with the user via the terminal. Typically | |
2898 | ## all interactive applications will require this | |
2899 | ## access. | |
2900 | ## </p> | |
2901 | ## <p> | |
2902 | ## However, this also allows the applications to spy | |
2903 | ## on user sessions or inject information into the | |
2904 | ## user session. Thus, this access should likely | |
2905 | ## not be allowed for non-interactive domains. | |
2906 | ## </p> | |
2907 | ## </desc> | |
d6d16b97 CP |
2908 | ## <param name="domain"> |
2909 | ## <summary> | |
2910 | ## Domain allowed access. | |
2911 | ## </summary> | |
2912 | ## </param> | |
c46376e6 | 2913 | ## <infoflow type="both" weight="10"/> |
d6d16b97 | 2914 | # |
296273a7 CP |
2915 | interface(`userdom_use_user_terminals',` |
2916 | gen_require(` | |
2917 | type user_tty_device_t, user_devpts_t; | |
2918 | ') | |
2919 | ||
2920 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
2921 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
2922 | term_list_ptys($1) | |
d6d16b97 CP |
2923 | ') |
2924 | ||
57a96cbd CP |
2925 | ######################################## |
2926 | ## <summary> | |
296273a7 CP |
2927 | ## Do not audit attempts to read and write |
2928 | ## a user domain tty and pty. | |
57a96cbd CP |
2929 | ## </summary> |
2930 | ## <param name="domain"> | |
885b83ec | 2931 | ## <summary> |
a0546c9d | 2932 | ## Domain to not audit. |
885b83ec | 2933 | ## </summary> |
57a96cbd CP |
2934 | ## </param> |
2935 | # | |
296273a7 CP |
2936 | interface(`userdom_dontaudit_use_user_terminals',` |
2937 | gen_require(` | |
2938 | type user_tty_device_t, user_devpts_t; | |
2939 | ') | |
2940 | ||
2941 | dontaudit $1 user_tty_device_t:chr_file rw_term_perms; | |
2942 | dontaudit $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
2943 | ') |
2944 | ||
2945 | ######################################## | |
2946 | ## <summary> | |
296273a7 CP |
2947 | ## Execute a shell in all user domains. This |
2948 | ## is an explicit transition, requiring the | |
2949 | ## caller to use setexeccon(). | |
57a96cbd CP |
2950 | ## </summary> |
2951 | ## <param name="domain"> | |
885b83ec | 2952 | ## <summary> |
a0546c9d | 2953 | ## Domain allowed to transition. |
885b83ec | 2954 | ## </summary> |
57a96cbd CP |
2955 | ## </param> |
2956 | # | |
296273a7 CP |
2957 | interface(`userdom_spec_domtrans_all_users',` |
2958 | gen_require(` | |
2959 | attribute userdomain; | |
2960 | ') | |
2961 | ||
3f67f722 | 2962 | corecmd_shell_spec_domtrans($1, userdomain) |
296273a7 CP |
2963 | allow userdomain $1:fd use; |
2964 | allow userdomain $1:fifo_file rw_file_perms; | |
2965 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
2966 | ') |
2967 | ||
2968 | ######################################## | |
2969 | ## <summary> | |
296273a7 CP |
2970 | ## Execute an Xserver session in all unprivileged user domains. This |
2971 | ## is an explicit transition, requiring the | |
2972 | ## caller to use setexeccon(). | |
57a96cbd CP |
2973 | ## </summary> |
2974 | ## <param name="domain"> | |
885b83ec | 2975 | ## <summary> |
a0546c9d | 2976 | ## Domain allowed to transition. |
885b83ec | 2977 | ## </summary> |
57a96cbd CP |
2978 | ## </param> |
2979 | # | |
296273a7 CP |
2980 | interface(`userdom_xsession_spec_domtrans_all_users',` |
2981 | gen_require(` | |
2982 | attribute userdomain; | |
2983 | ') | |
2984 | ||
3f67f722 | 2985 | xserver_xsession_spec_domtrans($1, userdomain) |
296273a7 CP |
2986 | allow userdomain $1:fd use; |
2987 | allow userdomain $1:fifo_file rw_file_perms; | |
2988 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
2989 | ') |
2990 | ||
e08118a5 CP |
2991 | ######################################## |
2992 | ## <summary> | |
296273a7 CP |
2993 | ## Execute a shell in all unprivileged user domains. This |
2994 | ## is an explicit transition, requiring the | |
2995 | ## caller to use setexeccon(). | |
e08118a5 CP |
2996 | ## </summary> |
2997 | ## <param name="domain"> | |
885b83ec | 2998 | ## <summary> |
a0546c9d | 2999 | ## Domain allowed to transition. |
885b83ec | 3000 | ## </summary> |
e08118a5 CP |
3001 | ## </param> |
3002 | # | |
296273a7 | 3003 | interface(`userdom_spec_domtrans_unpriv_users',` |
e08118a5 | 3004 | gen_require(` |
296273a7 | 3005 | attribute unpriv_userdomain; |
e08118a5 CP |
3006 | ') |
3007 | ||
3f67f722 | 3008 | corecmd_shell_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3009 | allow unpriv_userdomain $1:fd use; |
3010 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3011 | allow unpriv_userdomain $1:process sigchld; | |
e08118a5 CP |
3012 | ') |
3013 | ||
d4dca585 CP |
3014 | ######################################## |
3015 | ## <summary> | |
296273a7 CP |
3016 | ## Execute an Xserver session in all unprivileged user domains. This |
3017 | ## is an explicit transition, requiring the | |
3018 | ## caller to use setexeccon(). | |
d4dca585 CP |
3019 | ## </summary> |
3020 | ## <param name="domain"> | |
885b83ec | 3021 | ## <summary> |
a0546c9d | 3022 | ## Domain allowed to transition. |
885b83ec | 3023 | ## </summary> |
d4dca585 CP |
3024 | ## </param> |
3025 | # | |
296273a7 | 3026 | interface(`userdom_xsession_spec_domtrans_unpriv_users',` |
d4dca585 | 3027 | gen_require(` |
296273a7 | 3028 | attribute unpriv_userdomain; |
d4dca585 CP |
3029 | ') |
3030 | ||
3f67f722 | 3031 | xserver_xsession_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3032 | allow unpriv_userdomain $1:fd use; |
3033 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3034 | allow unpriv_userdomain $1:process sigchld; | |
d4dca585 CP |
3035 | ') |
3036 | ||
6f8cda96 CP |
3037 | ######################################## |
3038 | ## <summary> | |
296273a7 | 3039 | ## Manage unpriviledged user SysV sempaphores. |
6f8cda96 CP |
3040 | ## </summary> |
3041 | ## <param name="domain"> | |
3042 | ## <summary> | |
3043 | ## Domain allowed access. | |
3044 | ## </summary> | |
3045 | ## </param> | |
3046 | # | |
296273a7 | 3047 | interface(`userdom_manage_unpriv_user_semaphores',` |
6f8cda96 | 3048 | gen_require(` |
296273a7 | 3049 | attribute unpriv_userdomain; |
6f8cda96 CP |
3050 | ') |
3051 | ||
296273a7 | 3052 | allow $1 unpriv_userdomain:sem create_sem_perms; |
6f8cda96 CP |
3053 | ') |
3054 | ||
3055 | ######################################## | |
3056 | ## <summary> | |
296273a7 CP |
3057 | ## Manage unpriviledged user SysV shared |
3058 | ## memory segments. | |
6f8cda96 CP |
3059 | ## </summary> |
3060 | ## <param name="domain"> | |
3061 | ## <summary> | |
3062 | ## Domain allowed access. | |
3063 | ## </summary> | |
3064 | ## </param> | |
3065 | # | |
296273a7 | 3066 | interface(`userdom_manage_unpriv_user_shared_mem',` |
6f8cda96 | 3067 | gen_require(` |
296273a7 | 3068 | attribute unpriv_userdomain; |
6f8cda96 CP |
3069 | ') |
3070 | ||
296273a7 | 3071 | allow $1 unpriv_userdomain:shm create_shm_perms; |
6f8cda96 CP |
3072 | ') |
3073 | ||
43989f82 CP |
3074 | ######################################## |
3075 | ## <summary> | |
296273a7 CP |
3076 | ## Execute bin_t in the unprivileged user domains. This |
3077 | ## is an explicit transition, requiring the | |
3078 | ## caller to use setexeccon(). | |
43989f82 CP |
3079 | ## </summary> |
3080 | ## <param name="domain"> | |
885b83ec | 3081 | ## <summary> |
a0546c9d | 3082 | ## Domain allowed to transition. |
885b83ec | 3083 | ## </summary> |
43989f82 CP |
3084 | ## </param> |
3085 | # | |
296273a7 | 3086 | interface(`userdom_bin_spec_domtrans_unpriv_users',` |
43989f82 | 3087 | gen_require(` |
296273a7 | 3088 | attribute unpriv_userdomain; |
43989f82 CP |
3089 | ') |
3090 | ||
3f67f722 | 3091 | corecmd_bin_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3092 | allow unpriv_userdomain $1:fd use; |
3093 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3094 | allow unpriv_userdomain $1:process sigchld; | |
725926c5 CP |
3095 | ') |
3096 | ||
6820a398 CP |
3097 | ######################################## |
3098 | ## <summary> | |
296273a7 CP |
3099 | ## Execute all entrypoint files in unprivileged user |
3100 | ## domains. This is an explicit transition, requiring the | |
3101 | ## caller to use setexeccon(). | |
6820a398 CP |
3102 | ## </summary> |
3103 | ## <param name="domain"> | |
885b83ec | 3104 | ## <summary> |
6820a398 | 3105 | ## Domain allowed access. |
885b83ec | 3106 | ## </summary> |
6820a398 CP |
3107 | ## </param> |
3108 | # | |
296273a7 | 3109 | interface(`userdom_entry_spec_domtrans_unpriv_users',` |
350b6ab7 | 3110 | gen_require(` |
296273a7 | 3111 | attribute unpriv_userdomain; |
6820a398 | 3112 | ') |
350b6ab7 | 3113 | |
3f67f722 | 3114 | domain_entry_file_spec_domtrans($1, unpriv_userdomain) |
296273a7 | 3115 | allow unpriv_userdomain $1:fd use; |
3eaa9939 | 3116 | allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; |
296273a7 | 3117 | allow unpriv_userdomain $1:process sigchld; |
6820a398 CP |
3118 | ') |
3119 | ||
1504ff3e CP |
3120 | ######################################## |
3121 | ## <summary> | |
296273a7 | 3122 | ## Search users home directories. |
1504ff3e CP |
3123 | ## </summary> |
3124 | ## <param name="domain"> | |
885b83ec | 3125 | ## <summary> |
296273a7 | 3126 | ## Domain allowed access. |
885b83ec | 3127 | ## </summary> |
1504ff3e CP |
3128 | ## </param> |
3129 | # | |
296273a7 | 3130 | interface(`userdom_search_user_home_content',` |
350b6ab7 | 3131 | gen_require(` |
3eaa9939 DW |
3132 | type user_home_dir_t; |
3133 | attribute user_home_type; | |
1504ff3e | 3134 | ') |
350b6ab7 | 3135 | |
296273a7 | 3136 | files_list_home($1) |
3eaa9939 DW |
3137 | allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; |
3138 | allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; | |
1504ff3e CP |
3139 | ') |
3140 | ||
f6abfdb8 CP |
3141 | ######################################## |
3142 | ## <summary> | |
296273a7 | 3143 | ## Send general signals to unprivileged user domains. |
f6abfdb8 CP |
3144 | ## </summary> |
3145 | ## <param name="domain"> | |
885b83ec | 3146 | ## <summary> |
f6abfdb8 | 3147 | ## Domain allowed access. |
885b83ec | 3148 | ## </summary> |
f6abfdb8 CP |
3149 | ## </param> |
3150 | # | |
296273a7 | 3151 | interface(`userdom_signal_unpriv_users',` |
f6abfdb8 | 3152 | gen_require(` |
296273a7 | 3153 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3154 | ') |
3155 | ||
296273a7 | 3156 | allow $1 unpriv_userdomain:process signal; |
f6abfdb8 CP |
3157 | ') |
3158 | ||
3159 | ######################################## | |
3160 | ## <summary> | |
296273a7 | 3161 | ## Inherit the file descriptors from unprivileged user domains. |
f6abfdb8 CP |
3162 | ## </summary> |
3163 | ## <param name="domain"> | |
885b83ec | 3164 | ## <summary> |
f6abfdb8 | 3165 | ## Domain allowed access. |
885b83ec | 3166 | ## </summary> |
f6abfdb8 CP |
3167 | ## </param> |
3168 | # | |
296273a7 | 3169 | interface(`userdom_use_unpriv_users_fds',` |
f6abfdb8 | 3170 | gen_require(` |
296273a7 | 3171 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3172 | ') |
3173 | ||
296273a7 | 3174 | allow $1 unpriv_userdomain:fd use; |
f6abfdb8 CP |
3175 | ') |
3176 | ||
725926c5 CP |
3177 | ######################################## |
3178 | ## <summary> | |
c46376e6 CP |
3179 | ## Do not audit attempts to inherit the file descriptors |
3180 | ## from unprivileged user domains. | |
725926c5 | 3181 | ## </summary> |
c46376e6 CP |
3182 | ## <desc> |
3183 | ## <p> | |
3184 | ## Do not audit attempts to inherit the file descriptors | |
3185 | ## from unprivileged user domains. This will supress | |
3186 | ## SELinux denial messages when the specified domain is denied | |
3187 | ## the permission to inherit these file descriptors. | |
3188 | ## </p> | |
3189 | ## </desc> | |
725926c5 | 3190 | ## <param name="domain"> |
885b83ec | 3191 | ## <summary> |
c46376e6 | 3192 | ## Domain to not audit. |
885b83ec | 3193 | ## </summary> |
725926c5 | 3194 | ## </param> |
c46376e6 | 3195 | ## <infoflow type="none"/> |
725926c5 | 3196 | # |
296273a7 | 3197 | interface(`userdom_dontaudit_use_unpriv_user_fds',` |
350b6ab7 | 3198 | gen_require(` |
296273a7 | 3199 | attribute unpriv_userdomain; |
725926c5 | 3200 | ') |
350b6ab7 | 3201 | |
296273a7 | 3202 | dontaudit $1 unpriv_userdomain:fd use; |
43989f82 CP |
3203 | ') |
3204 | ||
3205 | ######################################## | |
3206 | ## <summary> | |
296273a7 | 3207 | ## Do not audit attempts to use user ptys. |
43989f82 CP |
3208 | ## </summary> |
3209 | ## <param name="domain"> | |
885b83ec | 3210 | ## <summary> |
296273a7 | 3211 | ## Domain to not audit. |
885b83ec | 3212 | ## </summary> |
43989f82 CP |
3213 | ## </param> |
3214 | # | |
296273a7 | 3215 | interface(`userdom_dontaudit_use_user_ptys',` |
350b6ab7 | 3216 | gen_require(` |
296273a7 | 3217 | type user_devpts_t; |
725926c5 | 3218 | ') |
350b6ab7 | 3219 | |
f5b49a5e | 3220 | dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; |
43989f82 CP |
3221 | ') |
3222 | ||
3223 | ######################################## | |
3224 | ## <summary> | |
296273a7 | 3225 | ## Relabel files to unprivileged user pty types. |
43989f82 CP |
3226 | ## </summary> |
3227 | ## <param name="domain"> | |
885b83ec | 3228 | ## <summary> |
43989f82 | 3229 | ## Domain allowed access. |
885b83ec | 3230 | ## </summary> |
43989f82 CP |
3231 | ## </param> |
3232 | # | |
296273a7 | 3233 | interface(`userdom_relabelto_user_ptys',` |
350b6ab7 | 3234 | gen_require(` |
296273a7 | 3235 | type user_devpts_t; |
725926c5 | 3236 | ') |
350b6ab7 | 3237 | |
296273a7 | 3238 | allow $1 user_devpts_t:chr_file relabelto; |
43989f82 CP |
3239 | ') |
3240 | ||
57a96cbd CP |
3241 | ######################################## |
3242 | ## <summary> | |
296273a7 CP |
3243 | ## Do not audit attempts to relabel files from |
3244 | ## user pty types. | |
ab940a4c | 3245 | ## </summary> |
414e4151 | 3246 | ## <param name="domain"> |
885b83ec | 3247 | ## <summary> |
a0546c9d | 3248 | ## Domain to not audit. |
885b83ec | 3249 | ## </summary> |
414e4151 | 3250 | ## </param> |
daa0e0b0 | 3251 | # |
296273a7 | 3252 | interface(`userdom_dontaudit_relabelfrom_user_ptys',` |
0404a390 | 3253 | gen_require(` |
296273a7 | 3254 | type user_devpts_t; |
0404a390 | 3255 | ') |
0c73cd25 | 3256 | |
296273a7 | 3257 | dontaudit $1 user_devpts_t:chr_file relabelfrom; |
daa0e0b0 CP |
3258 | ') |
3259 | ||
693d4aed CP |
3260 | ######################################## |
3261 | ## <summary> | |
296273a7 | 3262 | ## Write all users files in /tmp |
693d4aed CP |
3263 | ## </summary> |
3264 | ## <param name="domain"> | |
3265 | ## <summary> | |
3266 | ## Domain allowed access. | |
3267 | ## </summary> | |
3268 | ## </param> | |
3269 | # | |
296273a7 | 3270 | interface(`userdom_write_user_tmp_files',` |
350b6ab7 | 3271 | gen_require(` |
296273a7 | 3272 | type user_tmp_t; |
693d4aed | 3273 | ') |
350b6ab7 | 3274 | |
3eaa9939 DW |
3275 | write_files_pattern($1, user_tmp_t, user_tmp_t) |
3276 | ') | |
3277 | ||
3278 | ######################################## | |
3279 | ## <summary> | |
3280 | ## Do not audit attempts to write users | |
3281 | ## temporary files. | |
3282 | ## </summary> | |
3283 | ## <param name="domain"> | |
3284 | ## <summary> | |
3285 | ## Domain to not audit. | |
3286 | ## </summary> | |
3287 | ## </param> | |
3288 | # | |
3289 | interface(`userdom_dontaudit_write_user_tmp_files',` | |
3290 | gen_require(` | |
3291 | type user_tmp_t; | |
3292 | ') | |
3293 | ||
3294 | dontaudit $1 user_tmp_t:file write; | |
3295 | ') | |
3296 | ||
3297 | ######################################## | |
3298 | ## <summary> | |
3299 | ## Do not audit attempts to read/write users | |
3300 | ## temporary fifo files. | |
3301 | ## </summary> | |
3302 | ## <param name="domain"> | |
3303 | ## <summary> | |
3304 | ## Domain to not audit. | |
3305 | ## </summary> | |
3306 | ## </param> | |
3307 | # | |
3308 | interface(`userdom_dontaudit_rw_user_tmp_pipes',` | |
3309 | gen_require(` | |
3310 | type user_tmp_t; | |
3311 | ') | |
3312 | ||
3313 | dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; | |
693d4aed CP |
3314 | ') |
3315 | ||
ebdc3b79 CP |
3316 | ######################################## |
3317 | ## <summary> | |
296273a7 | 3318 | ## Do not audit attempts to use user ttys. |
ebdc3b79 CP |
3319 | ## </summary> |
3320 | ## <param name="domain"> | |
885b83ec | 3321 | ## <summary> |
a0546c9d | 3322 | ## Domain to not audit. |
885b83ec | 3323 | ## </summary> |
ebdc3b79 CP |
3324 | ## </param> |
3325 | # | |
296273a7 | 3326 | interface(`userdom_dontaudit_use_user_ttys',` |
350b6ab7 | 3327 | gen_require(` |
296273a7 | 3328 | type user_tty_device_t; |
9cc2ccc4 | 3329 | ') |
350b6ab7 | 3330 | |
296273a7 | 3331 | dontaudit $1 user_tty_device_t:chr_file rw_file_perms; |
ebdc3b79 | 3332 | ') |
c98340cf | 3333 | |
2629c659 CP |
3334 | ######################################## |
3335 | ## <summary> | |
3336 | ## Read the process state of all user domains. | |
3337 | ## </summary> | |
3338 | ## <param name="domain"> | |
885b83ec | 3339 | ## <summary> |
2629c659 | 3340 | ## Domain allowed access. |
885b83ec | 3341 | ## </summary> |
2629c659 CP |
3342 | ## </param> |
3343 | # | |
1815bad1 | 3344 | interface(`userdom_read_all_users_state',` |
2629c659 CP |
3345 | gen_require(` |
3346 | attribute userdomain; | |
3347 | ') | |
3348 | ||
3f67f722 | 3349 | read_files_pattern($1, userdomain, userdomain) |
3eaa9939 | 3350 | read_lnk_files_pattern($1,userdomain,userdomain) |
2629c659 CP |
3351 | kernel_search_proc($1) |
3352 | ') | |
3353 | ||
3354 | ######################################## | |
3355 | ## <summary> | |
3356 | ## Get the attributes of all user domains. | |
3357 | ## </summary> | |
3358 | ## <param name="domain"> | |
885b83ec | 3359 | ## <summary> |
2629c659 | 3360 | ## Domain allowed access. |
885b83ec | 3361 | ## </summary> |
2629c659 CP |
3362 | ## </param> |
3363 | # | |
15722ec9 | 3364 | interface(`userdom_getattr_all_users',` |
2629c659 CP |
3365 | gen_require(` |
3366 | attribute userdomain; | |
3367 | ') | |
3368 | ||
3369 | allow $1 userdomain:process getattr; | |
3370 | ') | |
3371 | ||
57a96cbd CP |
3372 | ######################################## |
3373 | ## <summary> | |
3374 | ## Inherit the file descriptors from all user domains | |
3375 | ## </summary> | |
3376 | ## <param name="domain"> | |
885b83ec | 3377 | ## <summary> |
725926c5 | 3378 | ## Domain allowed access. |
885b83ec | 3379 | ## </summary> |
57a96cbd CP |
3380 | ## </param> |
3381 | # | |
15722ec9 | 3382 | interface(`userdom_use_all_users_fds',` |
57a96cbd CP |
3383 | gen_require(` |
3384 | attribute userdomain; | |
57a96cbd CP |
3385 | ') |
3386 | ||
3387 | allow $1 userdomain:fd use; | |
3388 | ') | |
3389 | ||
3390 | ######################################## | |
eb3cb682 CP |
3391 | ## <summary> |
3392 | ## Do not audit attempts to inherit the file | |
3393 | ## descriptors from any user domains. | |
3394 | ## </summary> | |
3395 | ## <param name="domain"> | |
885b83ec | 3396 | ## <summary> |
eb3cb682 | 3397 | ## Domain to not audit. |
885b83ec | 3398 | ## </summary> |
eb3cb682 CP |
3399 | ## </param> |
3400 | # | |
15722ec9 | 3401 | interface(`userdom_dontaudit_use_all_users_fds',` |
eb3cb682 CP |
3402 | gen_require(` |
3403 | attribute userdomain; | |
eb3cb682 CP |
3404 | ') |
3405 | ||
3406 | dontaudit $1 userdomain:fd use; | |
3407 | ') | |
3408 | ||
3409 | ######################################## | |
57a96cbd CP |
3410 | ## <summary> |
3411 | ## Send general signals to all user domains. | |
3412 | ## </summary> | |
3413 | ## <param name="domain"> | |
885b83ec | 3414 | ## <summary> |
725926c5 | 3415 | ## Domain allowed access. |
885b83ec | 3416 | ## </summary> |
57a96cbd CP |
3417 | ## </param> |
3418 | # | |
3419 | interface(`userdom_signal_all_users',` | |
3420 | gen_require(` | |
3421 | attribute userdomain; | |
57a96cbd CP |
3422 | ') |
3423 | ||
3424 | allow $1 userdomain:process signal; | |
3425 | ') | |
3426 | ||
246839f3 CP |
3427 | ######################################## |
3428 | ## <summary> | |
3429 | ## Send a SIGCHLD signal to all user domains. | |
3430 | ## </summary> | |
3431 | ## <param name="domain"> | |
885b83ec | 3432 | ## <summary> |
246839f3 | 3433 | ## Domain allowed access. |
885b83ec | 3434 | ## </summary> |
246839f3 CP |
3435 | ## </param> |
3436 | # | |
9fd4b818 | 3437 | interface(`userdom_sigchld_all_users',` |
246839f3 CP |
3438 | gen_require(` |
3439 | attribute userdomain; | |
246839f3 CP |
3440 | ') |
3441 | ||
a1fcff33 | 3442 | allow $1 userdomain:process sigchld; |
246839f3 CP |
3443 | ') |
3444 | ||
fe3a1eb8 CP |
3445 | ######################################## |
3446 | ## <summary> | |
3447 | ## Create keys for all user domains. | |
3448 | ## </summary> | |
3449 | ## <param name="domain"> | |
3450 | ## <summary> | |
3451 | ## Domain allowed access. | |
3452 | ## </summary> | |
3453 | ## </param> | |
3454 | # | |
3455 | interface(`userdom_create_all_users_keys',` | |
350b6ab7 CP |
3456 | gen_require(` |
3457 | attribute userdomain; | |
fe3a1eb8 | 3458 | ') |
350b6ab7 CP |
3459 | |
3460 | allow $1 userdomain:key create; | |
fe3a1eb8 CP |
3461 | ') |
3462 | ||
9fd4b818 CP |
3463 | ######################################## |
3464 | ## <summary> | |
3465 | ## Send a dbus message to all user domains. | |
3466 | ## </summary> | |
3467 | ## <param name="domain"> | |
885b83ec | 3468 | ## <summary> |
9fd4b818 | 3469 | ## Domain allowed access. |
885b83ec | 3470 | ## </summary> |
9fd4b818 CP |
3471 | ## </param> |
3472 | # | |
3473 | interface(`userdom_dbus_send_all_users',` | |
3474 | gen_require(` | |
3475 | attribute userdomain; | |
3476 | class dbus send_msg; | |
3477 | ') | |
3478 | ||
3479 | allow $1 userdomain:dbus send_msg; | |
3480 | ') | |
3eaa9939 DW |
3481 | |
3482 | ######################################## | |
3483 | ## <summary> | |
3484 | ## Allow apps to set rlimits on userdomain | |
3485 | ## </summary> | |
3486 | ## <param name="domain"> | |
3487 | ## <summary> | |
3488 | ## Domain allowed access. | |
3489 | ## </summary> | |
3490 | ## </param> | |
3491 | # | |
3492 | interface(`userdom_set_rlimitnh',` | |
3493 | gen_require(` | |
3494 | attribute userdomain; | |
3495 | ') | |
3496 | ||
3497 | allow $1 userdomain:process rlimitinh; | |
3498 | ') | |
3499 | ||
3500 | ######################################## | |
3501 | ## <summary> | |
3502 | ## Define this type as a Allow apps to set rlimits on userdomain | |
3503 | ## </summary> | |
3504 | ## <param name="domain"> | |
3505 | ## <summary> | |
3506 | ## Domain allowed access. | |
3507 | ## </summary> | |
3508 | ## </param> | |
3509 | ## <param name="userdomain_prefix"> | |
3510 | ## <summary> | |
3511 | ## The prefix of the user domain (e.g., user | |
3512 | ## is the prefix for user_t). | |
3513 | ## </summary> | |
3514 | ## </param> | |
3515 | ## <param name="domain"> | |
3516 | ## <summary> | |
3517 | ## Domain allowed access. | |
3518 | ## </summary> | |
3519 | ## </param> | |
3520 | # | |
3521 | template(`userdom_unpriv_usertype',` | |
3522 | gen_require(` | |
3523 | attribute unpriv_userdomain, userdomain; | |
3524 | attribute $1_usertype; | |
3525 | ') | |
3526 | typeattribute $2 $1_usertype; | |
3527 | typeattribute $2 unpriv_userdomain; | |
3528 | typeattribute $2 userdomain; | |
3529 | ||
3530 | ubac_constrained($2) | |
3531 | ') | |
3532 | ||
3533 | ######################################## | |
3534 | ## <summary> | |
3535 | ## Connect to users over an unix stream socket. | |
3536 | ## </summary> | |
3537 | ## <param name="domain"> | |
3538 | ## <summary> | |
3539 | ## Domain allowed access. | |
3540 | ## </summary> | |
3541 | ## </param> | |
3542 | # | |
3543 | interface(`userdom_stream_connect',` | |
3544 | gen_require(` | |
3545 | type user_tmp_t; | |
3546 | attribute userdomain; | |
3547 | ') | |
3548 | ||
3549 | stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) | |
3550 | ') | |
3551 | ||
3552 | ######################################## | |
3553 | ## <summary> | |
3554 | ## Ptrace user domains. | |
3555 | ## </summary> | |
3556 | ## <param name="domain"> | |
3557 | ## <summary> | |
3558 | ## Domain allowed access. | |
3559 | ## </summary> | |
3560 | ## </param> | |
3561 | # | |
3562 | interface(`userdom_ptrace_all_users',` | |
3563 | gen_require(` | |
3564 | attribute userdomain; | |
3565 | ') | |
3566 | ||
3567 | allow $1 userdomain:process ptrace; | |
3568 | ') | |
3569 | ||
3570 | ######################################## | |
3571 | ## <summary> | |
3572 | ## dontaudit Search /root | |
3573 | ## </summary> | |
3574 | ## <param name="domain"> | |
3575 | ## <summary> | |
3576 | ## Domain allowed access. | |
3577 | ## </summary> | |
3578 | ## </param> | |
3579 | # | |
3580 | interface(`userdom_dontaudit_search_admin_dir',` | |
3581 | gen_require(` | |
3582 | type admin_home_t; | |
3583 | ') | |
3584 | ||
3585 | dontaudit $1 admin_home_t:dir search_dir_perms; | |
3586 | ') | |
3587 | ||
3588 | ######################################## | |
3589 | ## <summary> | |
3590 | ## dontaudit list /root | |
3591 | ## </summary> | |
3592 | ## <param name="domain"> | |
3593 | ## <summary> | |
3594 | ## Domain allowed access. | |
3595 | ## </summary> | |
3596 | ## </param> | |
3597 | # | |
3598 | interface(`userdom_dontaudit_list_admin_dir',` | |
3599 | gen_require(` | |
3600 | type admin_home_t; | |
3601 | ') | |
3602 | ||
3603 | dontaudit $1 admin_home_t:dir list_dir_perms; | |
3604 | ') | |
3605 | ||
3606 | ######################################## | |
3607 | ## <summary> | |
3608 | ## Allow domain to list /root | |
3609 | ## </summary> | |
3610 | ## <param name="domain"> | |
3611 | ## <summary> | |
3612 | ## Domain allowed access. | |
3613 | ## </summary> | |
3614 | ## </param> | |
3615 | # | |
3616 | interface(`userdom_list_admin_dir',` | |
3617 | gen_require(` | |
3618 | type admin_home_t; | |
3619 | ') | |
3620 | ||
3621 | allow $1 admin_home_t:dir list_dir_perms; | |
3622 | ') | |
3623 | ||
3624 | ######################################## | |
3625 | ## <summary> | |
3626 | ## Allow Search /root | |
3627 | ## </summary> | |
3628 | ## <param name="domain"> | |
3629 | ## <summary> | |
3630 | ## Domain allowed access. | |
3631 | ## </summary> | |
3632 | ## </param> | |
3633 | # | |
3634 | interface(`userdom_search_admin_dir',` | |
3635 | gen_require(` | |
3636 | type admin_home_t; | |
3637 | ') | |
3638 | ||
3639 | allow $1 admin_home_t:dir search_dir_perms; | |
3640 | ') | |
3641 | ||
3642 | ######################################## | |
3643 | ## <summary> | |
3644 | ## RW unpriviledged user SysV sempaphores. | |
3645 | ## </summary> | |
3646 | ## <param name="domain"> | |
3647 | ## <summary> | |
3648 | ## Domain allowed access. | |
3649 | ## </summary> | |
3650 | ## </param> | |
3651 | # | |
3652 | interface(`userdom_rw_semaphores',` | |
3653 | gen_require(` | |
3654 | attribute unpriv_userdomain; | |
3655 | ') | |
3656 | ||
3657 | allow $1 unpriv_userdomain:sem rw_sem_perms; | |
3658 | ') | |
3659 | ||
3660 | ######################################## | |
3661 | ## <summary> | |
3662 | ## Send a message to unpriv users over a unix domain | |
3663 | ## datagram socket. | |
3664 | ## </summary> | |
3665 | ## <param name="domain"> | |
3666 | ## <summary> | |
3667 | ## Domain allowed access. | |
3668 | ## </summary> | |
3669 | ## </param> | |
3670 | # | |
3671 | interface(`userdom_dgram_send',` | |
3672 | gen_require(` | |
3673 | attribute unpriv_userdomain; | |
3674 | ') | |
3675 | ||
3676 | allow $1 unpriv_userdomain:unix_dgram_socket sendto; | |
3677 | ') | |
3678 | ||
3679 | ###################################### | |
3680 | ## <summary> | |
3681 | ## Send a message to users over a unix domain | |
3682 | ## datagram socket. | |
3683 | ## </summary> | |
3684 | ## <param name="domain"> | |
3685 | ## <summary> | |
3686 | ## Domain allowed access. | |
3687 | ## </summary> | |
3688 | ## </param> | |
3689 | # | |
3690 | interface(`userdom_users_dgram_send',` | |
3691 | gen_require(` | |
3692 | attribute userdomain; | |
3693 | ') | |
3694 | ||
3695 | allow $1 userdomain:unix_dgram_socket sendto; | |
3696 | ') | |
3697 | ||
3698 | ####################################### | |
3699 | ## <summary> | |
3700 | ## Allow execmod on files in homedirectory | |
3701 | ## </summary> | |
3702 | ## <param name="domain"> | |
3703 | ## <summary> | |
3704 | ## Domain allowed access. | |
3705 | ## </summary> | |
3706 | ## </param> | |
3707 | ## <rolebase/> | |
3708 | # | |
3709 | interface(`userdom_execmod_user_home_files',` | |
3710 | gen_require(` | |
3711 | type user_home_type; | |
3712 | ') | |
3713 | ||
3714 | allow $1 user_home_type:file execmod; | |
3715 | ') | |
3716 | ||
3717 | ######################################## | |
3718 | ## <summary> | |
3719 | ## Read admin home files. | |
3720 | ## </summary> | |
3721 | ## <param name="domain"> | |
3722 | ## <summary> | |
3723 | ## Domain allowed access. | |
3724 | ## </summary> | |
3725 | ## </param> | |
3726 | ## <rolecap/> | |
3727 | # | |
3728 | interface(`userdom_read_admin_home_files',` | |
3729 | gen_require(` | |
3730 | type admin_home_t; | |
3731 | ') | |
3732 | ||
3733 | read_files_pattern($1, admin_home_t, admin_home_t) | |
3734 | ') | |
3735 | ||
3736 | ######################################## | |
3737 | ## <summary> | |
3738 | ## Execute admin home files. | |
3739 | ## </summary> | |
3740 | ## <param name="domain"> | |
3741 | ## <summary> | |
3742 | ## Domain allowed access. | |
3743 | ## </summary> | |
3744 | ## </param> | |
3745 | ## <rolecap/> | |
3746 | # | |
3747 | interface(`userdom_exec_admin_home_files',` | |
3748 | gen_require(` | |
3749 | type admin_home_t; | |
3750 | ') | |
3751 | ||
3752 | exec_files_pattern($1, admin_home_t, admin_home_t) | |
3753 | ') | |
3754 | ||
3755 | ######################################## | |
3756 | ## <summary> | |
3757 | ## Append files inherited | |
3758 | ## in the /root directory. | |
3759 | ## </summary> | |
3760 | ## <param name="domain"> | |
3761 | ## <summary> | |
3762 | ## Domain allowed access. | |
3763 | ## </summary> | |
3764 | ## </param> | |
3765 | # | |
3766 | interface(`userdom_inherit_append_admin_home_files',` | |
3767 | gen_require(` | |
3768 | type admin_home_t; | |
3769 | ') | |
3770 | ||
3771 | allow $1 admin_home_t:file { getattr append }; | |
3772 | ') | |
3773 | ||
3774 | ||
3775 | ####################################### | |
3776 | ## <summary> | |
3777 | ## Manage all files/directories in the homedir | |
3778 | ## </summary> | |
3779 | ## <param name="userdomain"> | |
3780 | ## <summary> | |
3781 | ## The user domain | |
3782 | ## </summary> | |
3783 | ## </param> | |
3784 | ## <rolebase/> | |
3785 | # | |
3786 | interface(`userdom_manage_user_home_content',` | |
3787 | gen_require(` | |
3788 | type user_home_dir_t, user_home_t; | |
3789 | attribute user_home_type; | |
3790 | ') | |
3791 | ||
3792 | files_list_home($1) | |
3793 | manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3794 | manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3795 | manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3796 | manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3797 | manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
3798 | filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) | |
3799 | ||
3800 | ') | |
3801 | ||
3802 | ||
3803 | ######################################## | |
3804 | ## <summary> | |
3805 | ## Create objects in a user home directory | |
3806 | ## with an automatic type transition to | |
3807 | ## the user home file type. | |
3808 | ## </summary> | |
3809 | ## <param name="domain"> | |
3810 | ## <summary> | |
3811 | ## Domain allowed access. | |
3812 | ## </summary> | |
3813 | ## </param> | |
3814 | ## <param name="object_class"> | |
3815 | ## <summary> | |
3816 | ## The class of the object to be created. | |
3817 | ## </summary> | |
3818 | ## </param> | |
3819 | # | |
3820 | interface(`userdom_user_home_dir_filetrans_pattern',` | |
3821 | gen_require(` | |
3822 | type user_home_dir_t, user_home_t; | |
3823 | ') | |
3824 | ||
3825 | type_transition $1 user_home_dir_t:$2 user_home_t; | |
3826 | ') | |
3827 | ||
3828 | ######################################## | |
3829 | ## <summary> | |
3830 | ## Create objects in the /root directory | |
3831 | ## with an automatic type transition to | |
3832 | ## a specified private type. | |
3833 | ## </summary> | |
3834 | ## <param name="domain"> | |
3835 | ## <summary> | |
3836 | ## Domain allowed access. | |
3837 | ## </summary> | |
3838 | ## </param> | |
3839 | ## <param name="private_type"> | |
3840 | ## <summary> | |
3841 | ## The type of the object to create. | |
3842 | ## </summary> | |
3843 | ## </param> | |
3844 | ## <param name="object_class"> | |
3845 | ## <summary> | |
3846 | ## The class of the object to be created. | |
3847 | ## </summary> | |
3848 | ## </param> | |
3849 | # | |
3850 | interface(`userdom_admin_home_dir_filetrans',` | |
3851 | gen_require(` | |
3852 | type admin_home_t; | |
3853 | ') | |
3854 | ||
3855 | filetrans_pattern($1, admin_home_t, $2, $3) | |
3856 | ') | |
3857 | ||
3858 | ######################################## | |
3859 | ## <summary> | |
3860 | ## Send signull to unprivileged user domains. | |
3861 | ## </summary> | |
3862 | ## <param name="domain"> | |
3863 | ## <summary> | |
3864 | ## Domain allowed access. | |
3865 | ## </summary> | |
3866 | ## </param> | |
3867 | # | |
3868 | interface(`userdom_signull_unpriv_users',` | |
3869 | gen_require(` | |
3870 | attribute unpriv_userdomain; | |
3871 | ') | |
3872 | ||
3873 | allow $1 unpriv_userdomain:process signull; | |
3874 | ') | |
3875 | ||
3876 | ######################################## | |
3877 | ## <summary> | |
3878 | ## Write all users files in /tmp | |
3879 | ## </summary> | |
3880 | ## <param name="domain"> | |
3881 | ## <summary> | |
3882 | ## Domain allowed access. | |
3883 | ## </summary> | |
3884 | ## </param> | |
3885 | # | |
3886 | interface(`userdom_write_user_tmp_dirs',` | |
3887 | gen_require(` | |
3888 | type user_tmp_t; | |
3889 | ') | |
3890 | ||
3891 | write_files_pattern($1, user_tmp_t, user_tmp_t) | |
3892 | ') | |
3893 | ||
3894 | ######################################## | |
3895 | ## <summary> | |
3896 | ## Manage keys for all user domains. | |
3897 | ## </summary> | |
3898 | ## <param name="domain"> | |
3899 | ## <summary> | |
3900 | ## Domain allowed access. | |
3901 | ## </summary> | |
3902 | ## </param> | |
3903 | # | |
3904 | interface(`userdom_manage_all_users_keys',` | |
3905 | gen_require(` | |
3906 | attribute userdomain; | |
3907 | ') | |
3908 | ||
3909 | allow $1 userdomain:key manage_key_perms; | |
3910 | ') | |
3911 | ||
3912 | ||
3913 | ######################################## | |
3914 | ## <summary> | |
3915 | ## Do not audit attempts to read and write | |
3916 | ## unserdomain stream. | |
3917 | ## </summary> | |
3918 | ## <param name="domain"> | |
3919 | ## <summary> | |
3920 | ## Domain to not audit. | |
3921 | ## </summary> | |
3922 | ## </param> | |
3923 | # | |
3924 | interface(`userdom_dontaudit_rw_stream',` | |
3925 | gen_require(` | |
3926 | attribute userdomain; | |
3927 | ') | |
3928 | ||
3929 | dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; | |
3930 | ') | |
3931 | ||
3932 | ######################################## | |
3933 | ## <summary> | |
3934 | ## Append files | |
3935 | ## in a user home subdirectory. | |
3936 | ## </summary> | |
3937 | ## <param name="domain"> | |
3938 | ## <summary> | |
3939 | ## Domain allowed access. | |
3940 | ## </summary> | |
3941 | ## </param> | |
3942 | # | |
3943 | interface(`userdom_append_user_home_content_files',` | |
3944 | gen_require(` | |
3945 | type user_home_dir_t, user_home_t; | |
3946 | ') | |
3947 | ||
3948 | append_files_pattern($1, user_home_t, user_home_t) | |
3949 | allow $1 user_home_dir_t:dir search_dir_perms; | |
3950 | files_search_home($1) | |
3951 | ') | |
3952 | ||
3953 | ######################################## | |
3954 | ## <summary> | |
3955 | ## Read files inherited | |
3956 | ## in a user home subdirectory. | |
3957 | ## </summary> | |
3958 | ## <param name="domain"> | |
3959 | ## <summary> | |
3960 | ## Domain allowed access. | |
3961 | ## </summary> | |
3962 | ## </param> | |
3963 | # | |
3964 | interface(`userdom_read_inherited_user_home_content_files',` | |
3965 | gen_require(` | |
3966 | attribute user_home_type; | |
3967 | ') | |
3968 | ||
3969 | allow $1 user_home_type:file { getattr read }; | |
3970 | ') | |
3971 | ||
3972 | ######################################## | |
3973 | ## <summary> | |
3974 | ## Append files inherited | |
3975 | ## in a user home subdirectory. | |
3976 | ## </summary> | |
3977 | ## <param name="domain"> | |
3978 | ## <summary> | |
3979 | ## Domain allowed access. | |
3980 | ## </summary> | |
3981 | ## </param> | |
3982 | # | |
3983 | interface(`userdom_inherit_append_user_home_content_files',` | |
3984 | gen_require(` | |
3985 | type user_home_t; | |
3986 | ') | |
3987 | ||
3988 | allow $1 user_home_t:file { getattr append }; | |
3989 | ') | |
3990 | ||
3991 | ######################################## | |
3992 | ## <summary> | |
3993 | ## Append files inherited | |
3994 | ## in a user tmp files. | |
3995 | ## </summary> | |
3996 | ## <param name="domain"> | |
3997 | ## <summary> | |
3998 | ## Domain allowed access. | |
3999 | ## </summary> | |
4000 | ## </param> | |
4001 | # | |
4002 | interface(`userdom_inherit_append_user_tmp_files',` | |
4003 | gen_require(` | |
4004 | type user_tmp_t; | |
4005 | ') | |
4006 | ||
4007 | allow $1 user_tmp_t:file { getattr append }; | |
4008 | ') | |
4009 | ||
4010 | ###################################### | |
4011 | ## <summary> | |
4012 | ## Read audio files in the users homedir. | |
4013 | ## </summary> | |
4014 | ## <param name="domain"> | |
4015 | ## <summary> | |
4016 | ## Domain allowed access. | |
4017 | ## </summary> | |
4018 | ## </param> | |
4019 | ## <rolecap/> | |
4020 | # | |
4021 | interface(`userdom_read_home_audio_files',` | |
4022 | gen_require(` | |
4023 | type audio_home_t; | |
4024 | ') | |
4025 | ||
4026 | userdom_search_user_home_dirs($1) | |
4027 | allow $1 audio_home_t:dir list_dir_perms; | |
4028 | read_files_pattern($1, audio_home_t, audio_home_t) | |
4029 | read_lnk_files_pattern($1, audio_home_t, audio_home_t) | |
4030 | ') | |
4031 | ||
4032 | ######################################## | |
4033 | ## <summary> | |
4034 | ## Read system SSL certificates in the users homedir. | |
4035 | ## </summary> | |
4036 | ## <param name="domain"> | |
4037 | ## <summary> | |
4038 | ## Domain allowed access. | |
4039 | ## </summary> | |
4040 | ## </param> | |
4041 | ## <rolecap/> | |
4042 | # | |
4043 | interface(`userdom_read_home_certs',` | |
4044 | gen_require(` | |
4045 | type home_cert_t; | |
4046 | ') | |
4047 | ||
4048 | userdom_search_user_home_dirs($1) | |
4049 | allow $1 home_cert_t:dir list_dir_perms; | |
4050 | read_files_pattern($1, home_cert_t, home_cert_t) | |
4051 | read_lnk_files_pattern($1, home_cert_t, home_cert_t) | |
4052 | ') | |
4053 | ||
4054 | ######################################## | |
4055 | ## <summary> | |
4056 | ## dontaudit Search getatrr /root files | |
4057 | ## </summary> | |
4058 | ## <param name="domain"> | |
4059 | ## <summary> | |
4060 | ## Domain allowed access. | |
4061 | ## </summary> | |
4062 | ## </param> | |
4063 | # | |
4064 | interface(`userdom_dontaudit_getattr_admin_home_files',` | |
4065 | gen_require(` | |
4066 | type admin_home_t; | |
4067 | ') | |
4068 | ||
4069 | dontaudit $1 admin_home_t:file getattr; | |
4070 | ') | |
4071 | ||
4072 | ######################################## | |
4073 | ## <summary> | |
4074 | ## dontaudit read /root lnk files | |
4075 | ## </summary> | |
4076 | ## <param name="domain"> | |
4077 | ## <summary> | |
4078 | ## Domain allowed access. | |
4079 | ## </summary> | |
4080 | ## </param> | |
4081 | # | |
4082 | interface(`userdom_dontaudit_read_admin_home_lnk_files',` | |
4083 | gen_require(` | |
4084 | type admin_home_t; | |
4085 | ') | |
4086 | ||
4087 | dontaudit $1 admin_home_t:lnk_file read; | |
4088 | ') | |
4089 | ||
4090 | ######################################## | |
4091 | ## <summary> | |
4092 | ## dontaudit read /root files | |
4093 | ## </summary> | |
4094 | ## <param name="domain"> | |
4095 | ## <summary> | |
4096 | ## Domain allowed access. | |
4097 | ## </summary> | |
4098 | ## </param> | |
4099 | # | |
4100 | interface(`userdom_dontaudit_read_admin_home_files',` | |
4101 | gen_require(` | |
4102 | type admin_home_t; | |
4103 | ') | |
4104 | ||
4105 | dontaudit $1 admin_home_t:file read_file_perms; | |
4106 | ') | |
4107 | ||
4108 | ######################################## | |
4109 | ## <summary> | |
4110 | ## Create, read, write, and delete user | |
4111 | ## temporary chr files. | |
4112 | ## </summary> | |
4113 | ## <param name="domain"> | |
4114 | ## <summary> | |
4115 | ## Domain allowed access. | |
4116 | ## </summary> | |
4117 | ## </param> | |
4118 | # | |
4119 | interface(`userdom_manage_user_tmp_chr_files',` | |
4120 | gen_require(` | |
4121 | type user_tmp_t; | |
4122 | ') | |
4123 | ||
4124 | manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) | |
4125 | files_search_tmp($1) | |
4126 | ') | |
4127 | ||
4128 | ######################################## | |
4129 | ## <summary> | |
4130 | ## Create, read, write, and delete user | |
4131 | ## temporary blk files. | |
4132 | ## </summary> | |
4133 | ## <param name="domain"> | |
4134 | ## <summary> | |
4135 | ## Domain allowed access. | |
4136 | ## </summary> | |
4137 | ## </param> | |
4138 | # | |
4139 | interface(`userdom_manage_user_tmp_blk_files',` | |
4140 | gen_require(` | |
4141 | type user_tmp_t; | |
4142 | ') | |
4143 | ||
4144 | manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4145 | files_search_tmp($1) | |
4146 | ') | |
4147 | ||
4148 | ######################################## | |
4149 | ## <summary> | |
4150 | ## Dontaudit attempt to set attributes on user temporary directories. | |
4151 | ## </summary> | |
4152 | ## <param name="domain"> | |
4153 | ## <summary> | |
4154 | ## Domain allowed access. | |
4155 | ## </summary> | |
4156 | ## </param> | |
4157 | # | |
4158 | interface(`userdom_dontaudit_setattr_user_tmp',` | |
4159 | gen_require(` | |
4160 | type user_tmp_t; | |
4161 | ') | |
4162 | ||
4163 | dontaudit $1 user_tmp_t:dir setattr; | |
4164 | ') | |
4165 | ||
4166 | ######################################## | |
4167 | ## <summary> | |
4168 | ## Write all inherited users files in /tmp | |
4169 | ## </summary> | |
4170 | ## <param name="domain"> | |
4171 | ## <summary> | |
4172 | ## Domain allowed access. | |
4173 | ## </summary> | |
4174 | ## </param> | |
4175 | # | |
4176 | interface(`userdom_write_inherited_user_tmp_files',` | |
4177 | gen_require(` | |
4178 | type user_tmp_t; | |
4179 | ') | |
4180 | ||
4181 | allow $1 user_tmp_t:file write; | |
4182 | ') | |
4183 | ||
4184 | ######################################## | |
4185 | ## <summary> | |
4186 | ## Delete all users files in /tmp | |
4187 | ## </summary> | |
4188 | ## <param name="domain"> | |
4189 | ## <summary> | |
4190 | ## Domain allowed access. | |
4191 | ## </summary> | |
4192 | ## </param> | |
4193 | # | |
4194 | interface(`userdom_delete_user_tmp_files',` | |
4195 | gen_require(` | |
4196 | type user_tmp_t; | |
4197 | ') | |
4198 | ||
4199 | allow $1 user_tmp_t:file delete_file_perms; | |
4200 | ') | |
4201 | ||
4202 | ######################################## | |
4203 | ## <summary> | |
4204 | ## Delete user tmpfs files. | |
4205 | ## </summary> | |
4206 | ## <param name="domain"> | |
4207 | ## <summary> | |
4208 | ## Domain allowed access. | |
4209 | ## </summary> | |
4210 | ## </param> | |
4211 | # | |
4212 | interface(`userdom_delete_user_tmpfs_files',` | |
4213 | gen_require(` | |
4214 | type user_tmpfs_t; | |
4215 | ') | |
4216 | ||
4217 | allow $1 user_tmpfs_t:file delete_file_perms; | |
4218 | ') | |
4219 | ||
4220 | ######################################## | |
4221 | ## <summary> | |
4222 | ## Read/Write unpriviledged user SysV shared | |
4223 | ## memory segments. | |
4224 | ## </summary> | |
4225 | ## <param name="domain"> | |
4226 | ## <summary> | |
4227 | ## Domain allowed access. | |
4228 | ## </summary> | |
4229 | ## </param> | |
4230 | # | |
4231 | interface(`userdom_rw_unpriv_user_shared_mem',` | |
4232 | gen_require(` | |
4233 | attribute unpriv_userdomain; | |
4234 | ') | |
4235 | ||
4236 | allow $1 unpriv_userdomain:shm rw_shm_perms; | |
4237 | ') | |
4238 | ||
4239 | ######################################## | |
4240 | ## <summary> | |
4241 | ## Do not audit attempts to search user | |
4242 | ## temporary directories. | |
4243 | ## </summary> | |
4244 | ## <param name="domain"> | |
4245 | ## <summary> | |
4246 | ## Domain to not audit. | |
4247 | ## </summary> | |
4248 | ## </param> | |
4249 | # | |
4250 | interface(`userdom_dontaudit_search_user_tmp',` | |
4251 | gen_require(` | |
4252 | type user_tmp_t; | |
4253 | ') | |
4254 | ||
4255 | dontaudit $1 user_tmp_t:dir search_dir_perms; | |
4256 | ') | |
4257 | ||
4258 | ######################################## | |
4259 | ## <summary> | |
4260 | ## Execute a file in a user home directory | |
4261 | ## in the specified domain. | |
4262 | ## </summary> | |
4263 | ## <desc> | |
4264 | ## <p> | |
4265 | ## Execute a file in a user home directory | |
4266 | ## in the specified domain. | |
4267 | ## </p> | |
4268 | ## <p> | |
4269 | ## No interprocess communication (signals, pipes, | |
4270 | ## etc.) is provided by this interface since | |
4271 | ## the domains are not owned by this module. | |
4272 | ## </p> | |
4273 | ## </desc> | |
4274 | ## <param name="domain"> | |
4275 | ## <summary> | |
4276 | ## Domain allowed access. | |
4277 | ## </summary> | |
4278 | ## </param> | |
4279 | ## <param name="target_domain"> | |
4280 | ## <summary> | |
4281 | ## The type of the new process. | |
4282 | ## </summary> | |
4283 | ## </param> | |
4284 | # | |
4285 | interface(`userdom_domtrans_user_home',` | |
4286 | gen_require(` | |
4287 | type user_home_t; | |
4288 | ') | |
4289 | ||
4290 | read_lnk_files_pattern($1, user_home_t, user_home_t) | |
4291 | domain_transition_pattern($1, user_home_t, $2) | |
4292 | type_transition $1 user_home_t:process $2; | |
4293 | ') | |
4294 | ||
4295 | ######################################## | |
4296 | ## <summary> | |
4297 | ## Execute a file in a user tmp directory | |
4298 | ## in the specified domain. | |
4299 | ## </summary> | |
4300 | ## <desc> | |
4301 | ## <p> | |
4302 | ## Execute a file in a user tmp directory | |
4303 | ## in the specified domain. | |
4304 | ## </p> | |
4305 | ## <p> | |
4306 | ## No interprocess communication (signals, pipes, | |
4307 | ## etc.) is provided by this interface since | |
4308 | ## the domains are not owned by this module. | |
4309 | ## </p> | |
4310 | ## </desc> | |
4311 | ## <param name="domain"> | |
4312 | ## <summary> | |
4313 | ## Domain allowed access. | |
4314 | ## </summary> | |
4315 | ## </param> | |
4316 | ## <param name="target_domain"> | |
4317 | ## <summary> | |
4318 | ## The type of the new process. | |
4319 | ## </summary> | |
4320 | ## </param> | |
4321 | # | |
4322 | interface(`userdom_domtrans_user_tmp',` | |
4323 | gen_require(` | |
4324 | type user_tmp_t; | |
4325 | ') | |
4326 | ||
4327 | files_search_tmp($1) | |
4328 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4329 | domain_transition_pattern($1, user_tmp_t, $2) | |
4330 | type_transition $1 user_tmp_t:process $2; | |
4331 | ') |