]>
Commit | Line | Data |
---|---|---|
490639cd | 1 | ## <summary>Policy for user domains</summary> |
b16c6b8c | 2 | |
8fd36732 CP |
3 | ####################################### |
4 | ## <summary> | |
bbcd3c97 | 5 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
6 | ## </summary> |
7 | ## <desc> | |
8 | ## <p> | |
bbcd3c97 | 9 | ## The template containing the most basic rules common to all users. |
8fd36732 CP |
10 | ## </p> |
11 | ## <p> | |
bbcd3c97 CP |
12 | ## This template creates a user domain, types, and |
13 | ## rules for the user's tty and pty. | |
8fd36732 CP |
14 | ## </p> |
15 | ## </desc> | |
16 | ## <param name="userdomain_prefix"> | |
885b83ec | 17 | ## <summary> |
8fd36732 CP |
18 | ## The prefix of the user domain (e.g., user |
19 | ## is the prefix for user_t). | |
885b83ec | 20 | ## </summary> |
8fd36732 | 21 | ## </param> |
bbcd3c97 | 22 | ## <rolebase/> |
b16c6b8c | 23 | # |
bbcd3c97 | 24 | template(`userdom_base_user_template',` |
c6a60bb2 CP |
25 | |
26 | gen_require(` | |
d6d16b97 | 27 | attribute userdomain; |
296273a7 | 28 | type user_devpts_t, user_tty_device_t; |
c6a60bb2 CP |
29 | class context contains; |
30 | ') | |
31 | ||
0c73cd25 | 32 | attribute $1_file_type; |
3eaa9939 | 33 | attribute $1_usertype; |
0c73cd25 | 34 | |
3eaa9939 | 35 | type $1_t, userdomain, $1_usertype; |
c9428d33 | 36 | domain_type($1_t) |
95662e80 | 37 | role $1_r; |
c9428d33 | 38 | corecmd_shell_entry_type($1_t) |
d40c0ecf | 39 | corecmd_bin_entry_type($1_t) |
2e863f8a | 40 | domain_user_exemption_target($1_t) |
296273a7 | 41 | ubac_constrained($1_t) |
0c73cd25 CP |
42 | role $1_r types $1_t; |
43 | allow system_r $1_r; | |
44 | ||
296273a7 | 45 | term_user_pty($1_t, user_devpts_t) |
0c73cd25 | 46 | |
296273a7 | 47 | term_user_tty($1_t, user_tty_device_t) |
3eaa9939 DW |
48 | term_dontaudit_getattr_generic_ptys($1_t) |
49 | ||
50 | allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; | |
51 | allow $1_usertype $1_usertype:fd use; | |
52 | allow $1_usertype $1_t:key { create view read write search link setattr }; | |
53 | ||
54 | allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; | |
55 | allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; | |
56 | allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; | |
57 | allow $1_usertype $1_usertype:shm create_shm_perms; | |
58 | allow $1_usertype $1_usertype:sem create_sem_perms; | |
59 | allow $1_usertype $1_usertype:msgq create_msgq_perms; | |
60 | allow $1_usertype $1_usertype:msg { send receive }; | |
61 | allow $1_usertype $1_usertype:context contains; | |
62 | dontaudit $1_usertype $1_usertype:socket create; | |
63 | ||
64 | allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; | |
65 | term_create_pty($1_usertype, user_devpts_t) | |
296273a7 | 66 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 | 67 | dontaudit $1_usertype user_devpts_t:chr_file ioctl; |
0c73cd25 | 68 | |
3eaa9939 | 69 | allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; |
296273a7 | 70 | # avoid annoying messages on terminal hangup on role change |
3eaa9939 DW |
71 | dontaudit $1_usertype user_tty_device_t:chr_file ioctl; |
72 | ||
73 | application_exec_all($1_usertype) | |
74 | ||
75 | kernel_read_kernel_sysctls($1_usertype) | |
76 | kernel_read_all_sysctls($1_usertype) | |
77 | kernel_dontaudit_list_unlabeled($1_usertype) | |
78 | kernel_dontaudit_getattr_unlabeled_files($1_usertype) | |
79 | kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) | |
80 | kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) | |
81 | kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) | |
82 | kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) | |
83 | kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) | |
84 | kernel_dontaudit_list_proc($1_usertype) | |
85 | ||
86 | dev_dontaudit_getattr_all_blk_files($1_usertype) | |
87 | dev_dontaudit_getattr_all_chr_files($1_usertype) | |
88 | dev_getattr_mtrr_dev($1_t) | |
847937da | 89 | |
2ec4c9d3 | 90 | # When the user domain runs ps, there will be a number of access |
ff8f0a63 | 91 | # denials when ps tries to search /proc. Do not audit these denials. |
3eaa9939 DW |
92 | domain_dontaudit_read_all_domains_state($1_usertype) |
93 | domain_dontaudit_getattr_all_domains($1_usertype) | |
94 | domain_dontaudit_getsession_all_domains($1_usertype) | |
7bbb31df | 95 | dev_dontaudit_all_access_check($1_usertype) |
3eaa9939 DW |
96 | |
97 | files_read_etc_files($1_usertype) | |
98 | files_list_mnt($1_usertype) | |
1415ddd2 | 99 | files_list_var($1_usertype) |
3eaa9939 | 100 | files_read_mnt_files($1_usertype) |
7455c4b3 | 101 | files_dontaudit_access_check_mnt($1_usertype) |
3eaa9939 DW |
102 | files_read_etc_runtime_files($1_usertype) |
103 | files_read_usr_files($1_usertype) | |
104 | files_read_usr_src_files($1_usertype) | |
bbcd3c97 CP |
105 | # Read directories and files with the readable_t type. |
106 | # This type is a general type for "world"-readable files. | |
3eaa9939 DW |
107 | files_list_world_readable($1_usertype) |
108 | files_read_world_readable_files($1_usertype) | |
109 | files_read_world_readable_symlinks($1_usertype) | |
110 | files_read_world_readable_pipes($1_usertype) | |
111 | files_read_world_readable_sockets($1_usertype) | |
a2868f6e | 112 | # old broswer_domain(): |
3eaa9939 DW |
113 | files_dontaudit_getattr_all_dirs($1_usertype) |
114 | files_dontaudit_list_non_security($1_usertype) | |
115 | files_dontaudit_getattr_all_files($1_usertype) | |
116 | files_dontaudit_getattr_non_security_symlinks($1_usertype) | |
117 | files_dontaudit_getattr_non_security_pipes($1_usertype) | |
118 | files_dontaudit_getattr_non_security_sockets($1_usertype) | |
d255399f | 119 | files_dontaudit_setattr_etc_runtime_files($1_usertype) |
3eaa9939 DW |
120 | |
121 | files_exec_usr_files($1_t) | |
122 | ||
123 | fs_list_cgroup_dirs($1_usertype) | |
124 | fs_dontaudit_rw_cgroup_files($1_usertype) | |
125 | ||
126 | storage_rw_fuse($1_usertype) | |
127 | ||
ae68f77d | 128 | auth_use_nsswitch($1_t) |
0c73cd25 | 129 | |
3eaa9939 | 130 | init_stream_connect($1_usertype) |
9461b606 DW |
131 | # The library functions always try to open read-write first, |
132 | # then fall back to read-only if it fails. | |
133 | init_dontaudit_rw_utmp($1_usertype) | |
bbcd3c97 | 134 | |
3eaa9939 | 135 | libs_exec_ld_so($1_usertype) |
6b19be33 | 136 | |
7e9cab9c DW |
137 | logging_send_audit_msgs($1_t) |
138 | ||
bbcd3c97 | 139 | miscfiles_read_localization($1_t) |
83406219 | 140 | miscfiles_read_generic_certs($1_t) |
6b19be33 | 141 | |
cab9bc9c | 142 | miscfiles_read_all_certs($1_usertype) |
3eaa9939 DW |
143 | miscfiles_read_localization($1_usertype) |
144 | miscfiles_read_man_pages($1_usertype) | |
145 | miscfiles_read_public_files($1_usertype) | |
bbcd3c97 | 146 | |
780fa294 DW |
147 | systemd_dbus_chat_logind($1_usertype) |
148 | ||
bbcd3c97 CP |
149 | tunable_policy(`allow_execmem',` |
150 | # Allow loading DSOs that require executable stack. | |
151 | allow $1_t self:process execmem; | |
152 | ') | |
153 | ||
154 | tunable_policy(`allow_execmem && allow_execstack',` | |
155 | # Allow making the stack executable via mprotect. | |
156 | allow $1_t self:process execstack; | |
157 | ') | |
3eaa9939 | 158 | |
d0f23a26 DW |
159 | optional_policy(` |
160 | abrt_stream_connect($1_usertype) | |
161 | ') | |
162 | ||
3eaa9939 DW |
163 | optional_policy(` |
164 | fs_list_cgroup_dirs($1_usertype) | |
165 | ') | |
a8183914 | 166 | |
3eaa9939 DW |
167 | optional_policy(` |
168 | ssh_rw_stream_sockets($1_usertype) | |
169 | ssh_delete_tmp($1_t) | |
170 | ssh_signal($1_t) | |
171 | ') | |
bbcd3c97 CP |
172 | ') |
173 | ||
174 | ####################################### | |
175 | ## <summary> | |
296273a7 CP |
176 | ## Allow a home directory for which the |
177 | ## role has read-only access. | |
bbcd3c97 CP |
178 | ## </summary> |
179 | ## <desc> | |
180 | ## <p> | |
296273a7 CP |
181 | ## Allow a home directory for which the |
182 | ## role has read-only access. | |
bbcd3c97 CP |
183 | ## </p> |
184 | ## <p> | |
185 | ## This does not allow execute access. | |
186 | ## </p> | |
187 | ## </desc> | |
296273a7 | 188 | ## <param name="role"> |
bbcd3c97 | 189 | ## <summary> |
296273a7 CP |
190 | ## The user role |
191 | ## </summary> | |
192 | ## </param> | |
193 | ## <param name="userdomain"> | |
194 | ## <summary> | |
195 | ## The user domain | |
bbcd3c97 CP |
196 | ## </summary> |
197 | ## </param> | |
198 | ## <rolebase/> | |
199 | # | |
296273a7 | 200 | interface(`userdom_ro_home_role',` |
d6d16b97 | 201 | gen_require(` |
296273a7 | 202 | type user_home_t, user_home_dir_t; |
d6d16b97 CP |
203 | ') |
204 | ||
3eaa9939 DW |
205 | role $1 types { user_home_t user_home_dir_t }; |
206 | ||
bbcd3c97 CP |
207 | ############################## |
208 | # | |
209 | # Domain access to home dir | |
210 | # | |
211 | ||
296273a7 CP |
212 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
213 | ||
bbcd3c97 | 214 | # read-only home directory |
296273a7 CP |
215 | allow $2 user_home_dir_t:dir list_dir_perms; |
216 | allow $2 user_home_t:dir list_dir_perms; | |
217 | allow $2 user_home_t:file entrypoint; | |
218 | read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
219 | read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
220 | read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
221 | read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) | |
222 | files_list_home($2) | |
bbcd3c97 | 223 | |
bbcd3c97 CP |
224 | ') |
225 | ||
226 | ####################################### | |
227 | ## <summary> | |
296273a7 CP |
228 | ## Allow a home directory for which the |
229 | ## role has full access. | |
bbcd3c97 CP |
230 | ## </summary> |
231 | ## <desc> | |
232 | ## <p> | |
296273a7 CP |
233 | ## Allow a home directory for which the |
234 | ## role has full access. | |
bbcd3c97 CP |
235 | ## </p> |
236 | ## <p> | |
237 | ## This does not allow execute access. | |
238 | ## </p> | |
239 | ## </desc> | |
296273a7 | 240 | ## <param name="role"> |
bbcd3c97 | 241 | ## <summary> |
296273a7 CP |
242 | ## The user role |
243 | ## </summary> | |
244 | ## </param> | |
245 | ## <param name="userdomain"> | |
246 | ## <summary> | |
247 | ## The user domain | |
bbcd3c97 CP |
248 | ## </summary> |
249 | ## </param> | |
250 | ## <rolebase/> | |
251 | # | |
296273a7 | 252 | interface(`userdom_manage_home_role',` |
d6d16b97 | 253 | gen_require(` |
296273a7 | 254 | type user_home_t, user_home_dir_t; |
3eaa9939 | 255 | attribute user_home_type; |
d6d16b97 CP |
256 | ') |
257 | ||
3eaa9939 DW |
258 | role $1 types { user_home_type user_home_dir_t }; |
259 | ||
bbcd3c97 CP |
260 | ############################## |
261 | # | |
262 | # Domain access to home dir | |
263 | # | |
264 | ||
296273a7 CP |
265 | type_member $2 user_home_dir_t:dir user_home_dir_t; |
266 | ||
bbcd3c97 | 267 | # full control of the home directory |
3eaa9939 | 268 | allow $2 user_home_t:dir mounton; |
296273a7 | 269 | allow $2 user_home_t:file entrypoint; |
3eaa9939 DW |
270 | |
271 | allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; | |
272 | allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; | |
273 | manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
274 | manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
275 | manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
276 | manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
277 | manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
278 | relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
279 | relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
280 | relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
281 | relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
282 | relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) | |
296273a7 CP |
283 | filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) |
284 | files_list_home($2) | |
bbcd3c97 | 285 | |
c0868a7a | 286 | # cjp: this should probably be removed: |
296273a7 | 287 | allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; |
c0868a7a | 288 | |
bbcd3c97 | 289 | tunable_policy(`use_nfs_home_dirs',` |
3eaa9939 DW |
290 | fs_mount_nfs($2) |
291 | fs_mounton_nfs($2) | |
296273a7 CP |
292 | fs_manage_nfs_dirs($2) |
293 | fs_manage_nfs_files($2) | |
294 | fs_manage_nfs_symlinks($2) | |
295 | fs_manage_nfs_named_sockets($2) | |
296 | fs_manage_nfs_named_pipes($2) | |
bbcd3c97 CP |
297 | ') |
298 | ||
299 | tunable_policy(`use_samba_home_dirs',` | |
3eaa9939 DW |
300 | fs_mount_cifs($2) |
301 | fs_mounton_cifs($2) | |
296273a7 CP |
302 | fs_manage_cifs_dirs($2) |
303 | fs_manage_cifs_files($2) | |
304 | fs_manage_cifs_symlinks($2) | |
305 | fs_manage_cifs_named_sockets($2) | |
306 | fs_manage_cifs_named_pipes($2) | |
bbcd3c97 CP |
307 | ') |
308 | ') | |
309 | ||
310 | ####################################### | |
311 | ## <summary> | |
296273a7 | 312 | ## Manage user temporary files |
bbcd3c97 | 313 | ## </summary> |
296273a7 | 314 | ## <param name="role"> |
bbcd3c97 | 315 | ## <summary> |
296273a7 | 316 | ## Role allowed access. |
bbcd3c97 CP |
317 | ## </summary> |
318 | ## </param> | |
296273a7 | 319 | ## <param name="domain"> |
bbcd3c97 | 320 | ## <summary> |
296273a7 | 321 | ## Domain allowed access. |
bbcd3c97 CP |
322 | ## </summary> |
323 | ## </param> | |
324 | ## <rolebase/> | |
325 | # | |
296273a7 | 326 | interface(`userdom_manage_tmp_role',` |
d6d16b97 | 327 | gen_require(` |
8c9f6ee9 | 328 | attribute user_tmp_type; |
296273a7 | 329 | type user_tmp_t; |
d6d16b97 CP |
330 | ') |
331 | ||
3eaa9939 DW |
332 | role $1 types user_tmp_t; |
333 | ||
296273a7 | 334 | files_poly_member_tmp($2, user_tmp_t) |
bbcd3c97 | 335 | |
8c9f6ee9 DG |
336 | manage_dirs_pattern($2, user_tmp_type, user_tmp_type) |
337 | manage_files_pattern($2, user_tmp_type, user_tmp_type) | |
338 | manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) | |
339 | manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) | |
340 | manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) | |
296273a7 | 341 | files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) |
8c9f6ee9 DG |
342 | relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) |
343 | relabel_files_pattern($2, user_tmp_type, user_tmp_type) | |
344 | relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) | |
345 | relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) | |
346 | relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) | |
3eaa9939 DW |
347 | ') |
348 | ||
349 | ####################################### | |
350 | ## <summary> | |
351 | ## Dontaudit search of user bin dirs. | |
352 | ## </summary> | |
353 | ## <param name="domain"> | |
354 | ## <summary> | |
24280f35 | 355 | ## Domain to not audit. |
3eaa9939 DW |
356 | ## </summary> |
357 | ## </param> | |
358 | # | |
359 | interface(`userdom_dontaudit_search_user_bin_dirs',` | |
360 | gen_require(` | |
361 | type home_bin_t; | |
362 | ') | |
363 | ||
364 | dontaudit $1 home_bin_t:dir search_dir_perms; | |
365 | ') | |
366 | ||
367 | ####################################### | |
368 | ## <summary> | |
369 | ## Execute user bin files. | |
370 | ## </summary> | |
371 | ## <param name="domain"> | |
372 | ## <summary> | |
373 | ## Domain allowed access. | |
374 | ## </summary> | |
375 | ## </param> | |
376 | # | |
377 | interface(`userdom_exec_user_bin_files',` | |
378 | gen_require(` | |
379 | attribute user_home_type; | |
380 | type home_bin_t, user_home_dir_t; | |
381 | ') | |
382 | ||
383 | exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) | |
384 | files_search_home($1) | |
bbcd3c97 CP |
385 | ') |
386 | ||
387 | ####################################### | |
388 | ## <summary> | |
296273a7 | 389 | ## The execute access user temporary files. |
bbcd3c97 | 390 | ## </summary> |
296273a7 | 391 | ## <param name="domain"> |
bbcd3c97 | 392 | ## <summary> |
296273a7 | 393 | ## Domain allowed access. |
bbcd3c97 CP |
394 | ## </summary> |
395 | ## </param> | |
396 | ## <rolebase/> | |
397 | # | |
296273a7 CP |
398 | interface(`userdom_exec_user_tmp_files',` |
399 | gen_require(` | |
400 | type user_tmp_t; | |
401 | ') | |
402 | ||
403 | exec_files_pattern($1, user_tmp_t, user_tmp_t) | |
3eaa9939 | 404 | dontaudit $1 user_tmp_t:sock_file execute; |
296273a7 | 405 | files_search_tmp($1) |
bbcd3c97 CP |
406 | ') |
407 | ||
408 | ####################################### | |
409 | ## <summary> | |
296273a7 | 410 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
411 | ## that the user has full access. |
412 | ## </summary> | |
413 | ## <desc> | |
414 | ## <p> | |
296273a7 | 415 | ## Role access for the user tmpfs type |
bbcd3c97 CP |
416 | ## that the user has full access. |
417 | ## </p> | |
418 | ## <p> | |
419 | ## This does not allow execute access. | |
420 | ## </p> | |
421 | ## </desc> | |
296273a7 | 422 | ## <param name="role"> |
bbcd3c97 | 423 | ## <summary> |
296273a7 | 424 | ## Role allowed access. |
bbcd3c97 CP |
425 | ## </summary> |
426 | ## </param> | |
296273a7 | 427 | ## <param name="domain"> |
bbcd3c97 | 428 | ## <summary> |
296273a7 | 429 | ## Domain allowed access. |
bbcd3c97 CP |
430 | ## </summary> |
431 | ## </param> | |
296273a7 | 432 | ## <rolecap/> |
bbcd3c97 | 433 | # |
296273a7 | 434 | interface(`userdom_manage_tmpfs_role',` |
bbcd3c97 | 435 | gen_require(` |
faa4eacc | 436 | attribute user_tmpfs_type; |
296273a7 | 437 | type user_tmpfs_t; |
bbcd3c97 | 438 | ') |
bbcd3c97 | 439 | |
3eaa9939 DW |
440 | role $1 types user_tmpfs_t; |
441 | ||
8c9f6ee9 DG |
442 | manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) |
443 | manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
444 | manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
445 | manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
446 | manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
296273a7 | 447 | fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
8c9f6ee9 DG |
448 | relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) |
449 | relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
450 | relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
451 | relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
452 | relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) | |
bbcd3c97 CP |
453 | ') |
454 | ||
455 | ####################################### | |
456 | ## <summary> | |
3eaa9939 | 457 | ## The interface allowing the user basic |
bbcd3c97 CP |
458 | ## network permissions |
459 | ## </summary> | |
3eaa9939 | 460 | ## <param name="userdomain"> |
bbcd3c97 | 461 | ## <summary> |
3eaa9939 | 462 | ## The user domain |
bbcd3c97 CP |
463 | ## </summary> |
464 | ## </param> | |
465 | ## <rolebase/> | |
466 | # | |
3eaa9939 DW |
467 | interface(`userdom_basic_networking',` |
468 | ||
469 | allow $1 self:tcp_socket create_stream_socket_perms; | |
470 | allow $1 self:udp_socket create_socket_perms; | |
471 | ||
472 | corenet_all_recvfrom_unlabeled($1) | |
473 | corenet_all_recvfrom_netlabel($1) | |
474 | corenet_tcp_sendrecv_generic_if($1) | |
475 | corenet_udp_sendrecv_generic_if($1) | |
476 | corenet_tcp_sendrecv_generic_node($1) | |
477 | corenet_udp_sendrecv_generic_node($1) | |
478 | corenet_tcp_sendrecv_all_ports($1) | |
479 | corenet_udp_sendrecv_all_ports($1) | |
480 | corenet_tcp_connect_all_ports($1) | |
481 | corenet_sendrecv_all_client_packets($1) | |
dc1920b2 CP |
482 | |
483 | optional_policy(` | |
3eaa9939 DW |
484 | init_tcp_recvfrom_all_daemons($1) |
485 | init_udp_recvfrom_all_daemons($1) | |
dc1920b2 CP |
486 | ') |
487 | ||
0b6acad1 | 488 | optional_policy(` |
3eaa9939 | 489 | ipsec_match_default_spd($1) |
0b6acad1 | 490 | ') |
3eaa9939 | 491 | |
bbcd3c97 CP |
492 | ') |
493 | ||
494 | ####################################### | |
495 | ## <summary> | |
93c49bdb | 496 | ## The template for creating a user xwindows client. (Deprecated) |
bbcd3c97 CP |
497 | ## </summary> |
498 | ## <param name="userdomain_prefix"> | |
499 | ## <summary> | |
500 | ## The prefix of the user domain (e.g., user | |
501 | ## is the prefix for user_t). | |
502 | ## </summary> | |
503 | ## </param> | |
504 | ## <rolebase/> | |
505 | # | |
506 | template(`userdom_xwindows_client_template',` | |
93c49bdb | 507 | refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') |
bbcd3c97 | 508 | gen_require(` |
296273a7 | 509 | type $1_t, user_tmpfs_t; |
bbcd3c97 CP |
510 | ') |
511 | ||
847937da CP |
512 | dev_rw_xserver_misc($1_t) |
513 | dev_rw_power_management($1_t) | |
514 | dev_read_input($1_t) | |
515 | dev_read_misc($1_t) | |
516 | dev_write_misc($1_t) | |
517 | # open office is looking for the following | |
518 | dev_getattr_agp_dev($1_t) | |
519 | dev_dontaudit_rw_dri($1_t) | |
520 | # GNOME checks for usb and other devices: | |
521 | dev_rw_usbfs($1_t) | |
3eaa9939 | 522 | dev_rw_generic_usb_dev($1_t) |
847937da | 523 | |
4279891d | 524 | xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) |
847937da CP |
525 | xserver_xsession_entry_type($1_t) |
526 | xserver_dontaudit_write_log($1_t) | |
527 | xserver_stream_connect_xdm($1_t) | |
528 | # certain apps want to read xdm.pid file | |
529 | xserver_read_xdm_pid($1_t) | |
530 | # gnome-session creates socket under /tmp/.ICE-unix/ | |
531 | xserver_create_xdm_tmp_sockets($1_t) | |
532 | # Needed for escd, remove if we get escd policy | |
533 | xserver_manage_xdm_tmp_files($1_t) | |
bbcd3c97 CP |
534 | ') |
535 | ||
536 | ####################################### | |
537 | ## <summary> | |
538 | ## The template for allowing the user to change passwords. | |
539 | ## </summary> | |
540 | ## <param name="userdomain_prefix"> | |
541 | ## <summary> | |
542 | ## The prefix of the user domain (e.g., user | |
543 | ## is the prefix for user_t). | |
544 | ## </summary> | |
545 | ## </param> | |
546 | ## <rolebase/> | |
547 | # | |
548 | template(`userdom_change_password_template',` | |
549 | gen_require(` | |
296273a7 | 550 | type $1_t; |
bbcd3c97 CP |
551 | role $1_r; |
552 | ') | |
553 | ||
554 | optional_policy(` | |
f4aae210 MG |
555 | usermanage_run_chfn($1_t,$1_r) |
556 | usermanage_run_passwd($1_t,$1_r) | |
bbcd3c97 | 557 | ') |
bbcd3c97 CP |
558 | ') |
559 | ||
560 | ####################################### | |
561 | ## <summary> | |
562 | ## The template containing rules common to unprivileged | |
563 | ## users and administrative users. | |
564 | ## </summary> | |
565 | ## <desc> | |
566 | ## <p> | |
567 | ## This template creates a user domain, types, and | |
568 | ## rules for the user's tty, pty, tmp, and tmpfs files. | |
569 | ## </p> | |
570 | ## </desc> | |
571 | ## <param name="userdomain_prefix"> | |
572 | ## <summary> | |
573 | ## The prefix of the user domain (e.g., user | |
574 | ## is the prefix for user_t). | |
575 | ## </summary> | |
576 | ## </param> | |
577 | # | |
578 | template(`userdom_common_user_template',` | |
563e58e8 CP |
579 | gen_require(` |
580 | attribute unpriv_userdomain; | |
581 | ') | |
bbcd3c97 | 582 | |
3eaa9939 | 583 | userdom_basic_networking($1_usertype) |
bbcd3c97 | 584 | |
bbcd3c97 CP |
585 | ############################## |
586 | # | |
587 | # User domain Local policy | |
588 | # | |
589 | ||
bbcd3c97 CP |
590 | # evolution and gnome-session try to create a netlink socket |
591 | dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; | |
592 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
3eaa9939 DW |
593 | allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; |
594 | allow $1_t self:socket create_socket_perms; | |
bbcd3c97 | 595 | |
3eaa9939 | 596 | allow $1_usertype unpriv_userdomain:fd use; |
bbcd3c97 | 597 | |
3eaa9939 DW |
598 | kernel_read_system_state($1_usertype) |
599 | kernel_read_network_state($1_usertype) | |
5aff16e1 | 600 | kernel_read_software_raid_state($1_usertype) |
3eaa9939 | 601 | kernel_read_net_sysctls($1_usertype) |
bbcd3c97 | 602 | # Very permissive allowing every domain to see every type: |
3eaa9939 | 603 | kernel_get_sysvipc_info($1_usertype) |
bbcd3c97 | 604 | # Find CDROM devices: |
3eaa9939 DW |
605 | kernel_read_device_sysctls($1_usertype) |
606 | kernel_request_load_module($1_usertype) | |
296273a7 | 607 | |
3eaa9939 DW |
608 | corenet_udp_bind_generic_node($1_usertype) |
609 | corenet_udp_bind_generic_port($1_usertype) | |
bbcd3c97 | 610 | |
3eaa9939 DW |
611 | dev_read_rand($1_usertype) |
612 | dev_write_sound($1_usertype) | |
613 | dev_read_sound($1_usertype) | |
614 | dev_read_sound_mixer($1_usertype) | |
615 | dev_write_sound_mixer($1_usertype) | |
bbcd3c97 | 616 | |
3eaa9939 DW |
617 | files_exec_etc_files($1_usertype) |
618 | files_search_locks($1_usertype) | |
bbcd3c97 | 619 | # Check to see if cdrom is mounted |
3eaa9939 | 620 | files_search_mnt($1_usertype) |
bbcd3c97 | 621 | # cjp: perhaps should cut back on file reads: |
3eaa9939 DW |
622 | files_read_var_files($1_usertype) |
623 | files_read_var_symlinks($1_usertype) | |
624 | files_read_generic_spool($1_usertype) | |
625 | files_read_var_lib_files($1_usertype) | |
bbcd3c97 | 626 | # Stat lost+found. |
3eaa9939 DW |
627 | files_getattr_lost_found_dirs($1_usertype) |
628 | files_read_config_files($1_usertype) | |
629 | fs_read_noxattr_fs_files($1_usertype) | |
630 | fs_read_noxattr_fs_symlinks($1_usertype) | |
631 | fs_rw_cgroup_files($1_usertype) | |
bbcd3c97 | 632 | |
f3ef2629 DW |
633 | application_getattr_socket($1_usertype) |
634 | ||
3eaa9939 DW |
635 | logging_send_syslog_msg($1_usertype) |
636 | logging_send_audit_msgs($1_usertype) | |
637 | selinux_get_enforce_mode($1_usertype) | |
e2b9add5 | 638 | |
bbcd3c97 | 639 | # cjp: some of this probably can be removed |
3eaa9939 DW |
640 | selinux_get_fs_mount($1_usertype) |
641 | selinux_validate_context($1_usertype) | |
642 | selinux_compute_access_vector($1_usertype) | |
643 | selinux_compute_create_context($1_usertype) | |
644 | selinux_compute_relabel_context($1_usertype) | |
645 | selinux_compute_user_contexts($1_usertype) | |
bbcd3c97 CP |
646 | |
647 | # for eject | |
3eaa9939 | 648 | storage_getattr_fixed_disk_dev($1_usertype) |
bbcd3c97 | 649 | |
f4aae210 MG |
650 | auth_read_login_records($1_usertype) |
651 | auth_run_pam($1_t,$1_r) | |
652 | auth_run_utempter($1_t,$1_r) | |
bbcd3c97 | 653 | |
3eaa9939 | 654 | init_read_utmp($1_usertype) |
0c73cd25 | 655 | |
3eaa9939 DW |
656 | seutil_read_file_contexts($1_usertype) |
657 | seutil_read_default_contexts($1_usertype) | |
296273a7 | 658 | seutil_run_newrole($1_t,$1_r) |
6b19be33 | 659 | seutil_exec_checkpolicy($1_t) |
3eaa9939 | 660 | seutil_exec_setfiles($1_usertype) |
bbcd3c97 CP |
661 | # for when the network connection is killed |
662 | # this is needed when a login role can change | |
663 | # to this one. | |
664 | seutil_dontaudit_signal_newrole($1_t) | |
a1fcff33 | 665 | |
34c8fabe | 666 | tunable_policy(`user_direct_mouse',` |
3eaa9939 | 667 | dev_read_mouse($1_usertype) |
34c8fabe | 668 | ') |
0c73cd25 | 669 | |
34c8fabe | 670 | tunable_policy(`user_ttyfile_stat',` |
c3c753f7 | 671 | term_getattr_all_ttys($1_t) |
34c8fabe | 672 | ') |
0c73cd25 | 673 | |
6b19be33 | 674 | optional_policy(` |
3eaa9939 | 675 | alsa_read_rw_config($1_usertype) |
413aac13 | 676 | alsa_manage_home_files($1_t) |
413aac13 | 677 | alsa_relabel_home_files($1_t) |
71de5bec | 678 | alsa_filetrans_named_content($1_t) |
6b19be33 CP |
679 | ') |
680 | ||
bb7170f6 | 681 | optional_policy(` |
ac9aa26d | 682 | # Allow graphical boot to check battery lifespan |
3eaa9939 | 683 | apm_stream_connect($1_usertype) |
ac9aa26d CP |
684 | ') |
685 | ||
bb7170f6 | 686 | optional_policy(` |
3eaa9939 | 687 | canna_stream_connect($1_usertype) |
3509484c CP |
688 | ') |
689 | ||
bb7170f6 | 690 | optional_policy(` |
3eaa9939 DW |
691 | chrome_role($1_r, $1_usertype) |
692 | ') | |
693 | ||
bfc1cfe9 MG |
694 | optional_policy(` |
695 | colord_read_lib_files($1_usertype) | |
696 | ') | |
697 | ||
3eaa9939 DW |
698 | optional_policy(` |
699 | dbus_system_bus_client($1_usertype) | |
700 | ||
701 | allow $1_usertype $1_usertype:dbus send_msg; | |
702 | ||
703 | optional_policy(` | |
704 | avahi_dbus_chat($1_usertype) | |
705 | ') | |
706 | ||
707 | optional_policy(` | |
708 | policykit_dbus_chat($1_usertype) | |
709 | ') | |
710 | ||
711 | optional_policy(` | |
712 | bluetooth_dbus_chat($1_usertype) | |
713 | ') | |
714 | ||
715 | optional_policy(` | |
716 | consolekit_dbus_chat($1_usertype) | |
717 | consolekit_read_log($1_usertype) | |
718 | ') | |
719 | ||
720 | optional_policy(` | |
721 | devicekit_dbus_chat($1_usertype) | |
722 | devicekit_dbus_chat_power($1_usertype) | |
723 | devicekit_dbus_chat_disk($1_usertype) | |
724 | ') | |
725 | ||
726 | optional_policy(` | |
727 | evolution_dbus_chat($1_usertype) | |
728 | evolution_alarm_dbus_chat($1_usertype) | |
729 | ') | |
d828b5ca | 730 | |
bbcd3c97 | 731 | optional_policy(` |
3eaa9939 | 732 | gnome_dbus_chat_gconfdefault($1_usertype) |
bbcd3c97 CP |
733 | ') |
734 | ||
6b19be33 | 735 | optional_policy(` |
3eaa9939 | 736 | hal_dbus_chat($1_usertype) |
6b19be33 CP |
737 | ') |
738 | ||
1acd60e5 MG |
739 | optional_policy(` |
740 | kde_dbus_chat_backlighthelper($1_usertype) | |
741 | ') | |
742 | ||
bb7170f6 | 743 | optional_policy(` |
3eaa9939 | 744 | modemmanager_dbus_chat($1_usertype) |
9fd4b818 CP |
745 | ') |
746 | ||
bb7170f6 | 747 | optional_policy(` |
3eaa9939 DW |
748 | networkmanager_dbus_chat($1_usertype) |
749 | networkmanager_read_lib_files($1_usertype) | |
ac9aa26d CP |
750 | ') |
751 | ||
bb7170f6 | 752 | optional_policy(` |
3eaa9939 | 753 | vpn_dbus_chat($1_usertype) |
d828b5ca | 754 | ') |
0c3d1705 CP |
755 | ') |
756 | ||
bb7170f6 | 757 | optional_policy(` |
3eaa9939 DW |
758 | git_session_role($1_r, $1_usertype) |
759 | ') | |
760 | ||
761 | optional_policy(` | |
762 | inetd_use_fds($1_usertype) | |
763 | inetd_rw_tcp_sockets($1_usertype) | |
b24f35d8 CP |
764 | ') |
765 | ||
bb7170f6 | 766 | optional_policy(` |
3eaa9939 DW |
767 | inn_read_config($1_usertype) |
768 | inn_read_news_lib($1_usertype) | |
769 | inn_read_news_spool($1_usertype) | |
9b06402e CP |
770 | ') |
771 | ||
cdd2b8d2 MG |
772 | optional_policy(` |
773 | lircd_stream_connect($1_usertype) | |
774 | ') | |
775 | ||
6b19be33 | 776 | optional_policy(` |
3eaa9939 | 777 | locate_read_lib_files($1_usertype) |
6b19be33 CP |
778 | ') |
779 | ||
bbcd3c97 CP |
780 | # for running depmod as part of the kernel packaging process |
781 | optional_policy(` | |
3eaa9939 DW |
782 | modutils_read_module_config($1_usertype) |
783 | ') | |
784 | ||
785 | optional_policy(` | |
786 | mta_rw_spool($1_usertype) | |
787 | mta_manage_queue($1_usertype) | |
780198a1 | 788 | mta_filetrans_home_content($1_usertype) |
bbcd3c97 CP |
789 | ') |
790 | ||
cc0c00d0 | 791 | optional_policy(` |
3eaa9939 | 792 | nsplugin_role($1_r, $1_usertype) |
cc0c00d0 CP |
793 | ') |
794 | ||
bb7170f6 | 795 | optional_policy(` |
bbcd3c97 CP |
796 | tunable_policy(`allow_user_mysql_connect',` |
797 | mysql_stream_connect($1_t) | |
42be7c21 CP |
798 | ') |
799 | ') | |
800 | ||
329138be DG |
801 | optional_policy(` |
802 | oident_manage_user_content($1_t) | |
803 | oident_relabel_user_content($1_t) | |
804 | ') | |
805 | ||
bb7170f6 | 806 | optional_policy(` |
2ec4c9d3 | 807 | # to allow monitoring of pcmcia status |
3eaa9939 | 808 | pcmcia_read_pid($1_usertype) |
2ec4c9d3 CP |
809 | ') |
810 | ||
6b19be33 | 811 | optional_policy(` |
3eaa9939 DW |
812 | pcscd_read_pub_files($1_usertype) |
813 | pcscd_stream_connect($1_usertype) | |
6b19be33 CP |
814 | ') |
815 | ||
cb10a2d5 CP |
816 | optional_policy(` |
817 | tunable_policy(`allow_user_postgresql_connect',` | |
3eaa9939 DW |
818 | postgresql_stream_connect($1_usertype) |
819 | postgresql_tcp_connect($1_usertype) | |
cb10a2d5 CP |
820 | ') |
821 | ') | |
822 | ||
b057be8d | 823 | optional_policy(` |
3eaa9939 | 824 | resmgr_stream_connect($1_usertype) |
b057be8d CP |
825 | ') |
826 | ||
bb7170f6 | 827 | optional_policy(` |
3eaa9939 DW |
828 | rpc_dontaudit_getattr_exports($1_usertype) |
829 | rpc_manage_nfs_rw_content($1_usertype) | |
f00434fa CP |
830 | ') |
831 | ||
bb7170f6 | 832 | optional_policy(` |
3eaa9939 | 833 | rpcbind_stream_connect($1_usertype) |
ac9aa26d CP |
834 | ') |
835 | ||
bb7170f6 | 836 | optional_policy(` |
3eaa9939 | 837 | samba_stream_connect_winbind($1_usertype) |
1d427acc CP |
838 | ') |
839 | ||
bb7170f6 | 840 | optional_policy(` |
3eaa9939 | 841 | sandbox_transition($1_usertype, $1_r) |
8cc49473 | 842 | ') |
3eaa9939 DW |
843 | |
844 | optional_policy(` | |
845 | seunshare_role_template($1, $1_r, $1_t) | |
846 | ') | |
847 | ||
848 | optional_policy(` | |
849 | slrnpull_search_spool($1_usertype) | |
850 | ') | |
851 | ||
2ec4c9d3 | 852 | ') |
b16c6b8c | 853 | |
8fd36732 CP |
854 | ####################################### |
855 | ## <summary> | |
847937da | 856 | ## The template for creating a login user. |
8fd36732 CP |
857 | ## </summary> |
858 | ## <desc> | |
859 | ## <p> | |
860 | ## This template creates a user domain, types, and | |
861 | ## rules for the user's tty, pty, home directories, | |
862 | ## tmp, and tmpfs files. | |
863 | ## </p> | |
864 | ## </desc> | |
865 | ## <param name="userdomain_prefix"> | |
885b83ec | 866 | ## <summary> |
8fd36732 CP |
867 | ## The prefix of the user domain (e.g., user |
868 | ## is the prefix for user_t). | |
885b83ec | 869 | ## </summary> |
8fd36732 | 870 | ## </param> |
b16c6b8c | 871 | # |
847937da | 872 | template(`userdom_login_user_template', ` |
b1a90365 CP |
873 | gen_require(` |
874 | class context contains; | |
875 | ') | |
876 | ||
847937da | 877 | userdom_base_user_template($1) |
563e58e8 | 878 | |
3eaa9939 DW |
879 | userdom_manage_home_role($1_r, $1_usertype) |
880 | ||
881 | userdom_manage_tmp_role($1_r, $1_usertype) | |
882 | userdom_manage_tmpfs_role($1_r, $1_usertype) | |
847937da | 883 | |
3eaa9939 DW |
884 | ifelse(`$1',`unconfined',`',` |
885 | gen_tunable(allow_$1_exec_content, true) | |
847937da | 886 | |
3eaa9939 DW |
887 | tunable_policy(`allow_$1_exec_content',` |
888 | userdom_exec_user_tmp_files($1_usertype) | |
889 | userdom_exec_user_home_content_files($1_usertype) | |
890 | ') | |
891 | tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` | |
892 | fs_exec_nfs_files($1_usertype) | |
893 | ') | |
894 | ||
895 | tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` | |
896 | fs_exec_cifs_files($1_usertype) | |
897 | ') | |
898 | ') | |
847937da CP |
899 | |
900 | userdom_change_password_template($1) | |
563e58e8 | 901 | |
0c73cd25 CP |
902 | ############################## |
903 | # | |
847937da | 904 | # User domain Local policy |
0c73cd25 | 905 | # |
b16c6b8c | 906 | |
847937da CP |
907 | allow $1_t self:capability { setgid chown fowner }; |
908 | dontaudit $1_t self:capability { sys_nice fsetid }; | |
909 | ||
910 | allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; | |
911 | dontaudit $1_t self:process setrlimit; | |
912 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
913 | ||
914 | allow $1_t self:context contains; | |
915 | ||
3eaa9939 DW |
916 | kernel_dontaudit_read_system_state($1_usertype) |
917 | kernel_dontaudit_list_all_proc($1_usertype) | |
847937da | 918 | |
3eaa9939 DW |
919 | dev_read_sysfs($1_usertype) |
920 | dev_read_urand($1_usertype) | |
847937da | 921 | |
3eaa9939 | 922 | domain_use_interactive_fds($1_usertype) |
847937da | 923 | # Command completion can fire hundreds of denials |
3eaa9939 | 924 | domain_dontaudit_exec_all_entry_files($1_usertype) |
847937da | 925 | |
3eaa9939 DW |
926 | files_dontaudit_list_default($1_usertype) |
927 | files_dontaudit_read_default_files($1_usertype) | |
847937da | 928 | # Stat lost+found. |
3eaa9939 | 929 | files_getattr_lost_found_dirs($1_usertype) |
847937da | 930 | |
3eaa9939 DW |
931 | fs_get_all_fs_quotas($1_usertype) |
932 | fs_getattr_all_fs($1_usertype) | |
933 | fs_search_all($1_usertype) | |
934 | fs_list_inotifyfs($1_usertype) | |
935 | fs_rw_anon_inodefs_files($1_usertype) | |
847937da CP |
936 | |
937 | auth_dontaudit_write_login_records($1_t) | |
3eaa9939 | 938 | auth_rw_cache($1_t) |
847937da | 939 | |
e933ac40 MG |
940 | application_exec_all($1_t) |
941 | # The library functions always try to open read-write first, | |
942 | # then fall back to read-only if it fails. | |
943 | init_dontaudit_rw_utmp($1_t) | |
944 | ||
847937da | 945 | # Stop warnings about access to /dev/console |
3eaa9939 DW |
946 | init_dontaudit_use_fds($1_usertype) |
947 | init_dontaudit_use_script_fds($1_usertype) | |
847937da | 948 | |
3eaa9939 | 949 | libs_exec_lib_files($1_usertype) |
847937da | 950 | |
3eaa9939 | 951 | logging_dontaudit_getattr_all_logs($1_usertype) |
847937da | 952 | |
847937da | 953 | # for running TeX programs |
3eaa9939 DW |
954 | miscfiles_read_tetex_data($1_usertype) |
955 | miscfiles_exec_tetex_data($1_usertype) | |
956 | ||
957 | seutil_read_config($1_usertype) | |
847937da | 958 | |
3eaa9939 DW |
959 | optional_policy(` |
960 | cups_read_config($1_usertype) | |
961 | cups_stream_connect($1_usertype) | |
962 | cups_stream_connect_ptal($1_usertype) | |
963 | ') | |
847937da CP |
964 | |
965 | optional_policy(` | |
3eaa9939 | 966 | kerberos_use($1_usertype) |
d141ac47 | 967 | kerberos_filetrans_home_content($1_usertype) |
847937da CP |
968 | ') |
969 | ||
970 | optional_policy(` | |
3eaa9939 | 971 | mta_dontaudit_read_spool_symlinks($1_usertype) |
847937da CP |
972 | ') |
973 | ||
974 | optional_policy(` | |
3eaa9939 | 975 | quota_dontaudit_getattr_db($1_usertype) |
847937da CP |
976 | ') |
977 | ||
978 | optional_policy(` | |
3eaa9939 DW |
979 | rpm_read_db($1_usertype) |
980 | rpm_dontaudit_manage_db($1_usertype) | |
981 | rpm_read_cache($1_usertype) | |
847937da CP |
982 | ') |
983 | ||
984 | optional_policy(` | |
3eaa9939 | 985 | oddjob_run_mkhomedir($1_t, $1_r) |
847937da CP |
986 | ') |
987 | ') | |
988 | ||
989 | ####################################### | |
990 | ## <summary> | |
991 | ## The template for creating a unprivileged login user. | |
992 | ## </summary> | |
993 | ## <desc> | |
994 | ## <p> | |
995 | ## This template creates a user domain, types, and | |
996 | ## rules for the user's tty, pty, home directories, | |
997 | ## tmp, and tmpfs files. | |
998 | ## </p> | |
999 | ## </desc> | |
1000 | ## <param name="userdomain_prefix"> | |
1001 | ## <summary> | |
1002 | ## The prefix of the user domain (e.g., user | |
1003 | ## is the prefix for user_t). | |
1004 | ## </summary> | |
1005 | ## </param> | |
1006 | # | |
1007 | template(`userdom_restricted_user_template',` | |
1008 | gen_require(` | |
1009 | attribute unpriv_userdomain; | |
847937da CP |
1010 | ') |
1011 | ||
1012 | userdom_login_user_template($1) | |
b16c6b8c | 1013 | |
0f707d52 | 1014 | typeattribute $1_t unpriv_userdomain; |
15722ec9 | 1015 | domain_interactive_fd($1_t) |
b16c6b8c | 1016 | |
3eaa9939 DW |
1017 | allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; |
1018 | dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; | |
1019 | ||
0c73cd25 CP |
1020 | ############################## |
1021 | # | |
1022 | # Local policy | |
1023 | # | |
1024 | ||
847937da | 1025 | optional_policy(` |
e933ac40 | 1026 | loadkeys_run($1_t, $1_r) |
847937da CP |
1027 | ') |
1028 | ') | |
1029 | ||
1030 | ####################################### | |
1031 | ## <summary> | |
1032 | ## The template for creating a unprivileged xwindows login user. | |
1033 | ## </summary> | |
1034 | ## <desc> | |
1035 | ## <p> | |
1036 | ## The template for creating a unprivileged xwindows login user. | |
1037 | ## </p> | |
1038 | ## <p> | |
1039 | ## This template creates a user domain, types, and | |
1040 | ## rules for the user's tty, pty, home directories, | |
1041 | ## tmp, and tmpfs files. | |
1042 | ## </p> | |
1043 | ## </desc> | |
1044 | ## <param name="userdomain_prefix"> | |
1045 | ## <summary> | |
1046 | ## The prefix of the user domain (e.g., user | |
1047 | ## is the prefix for user_t). | |
1048 | ## </summary> | |
1049 | ## </param> | |
1050 | # | |
1051 | template(`userdom_restricted_xwindows_user_template',` | |
1052 | ||
1053 | userdom_restricted_user_template($1) | |
1054 | ||
847937da CP |
1055 | ############################## |
1056 | # | |
1057 | # Local policy | |
1058 | # | |
1059 | ||
296273a7 | 1060 | auth_role($1_r, $1_t) |
3eaa9939 | 1061 | auth_search_pam_console_data($1_usertype) |
b45aaab9 | 1062 | auth_dontaudit_read_login_records($1_usertype) |
847937da | 1063 | |
3eaa9939 DW |
1064 | dev_read_sound($1_usertype) |
1065 | dev_write_sound($1_usertype) | |
847937da | 1066 | # gnome keyring wants to read this. |
3eaa9939 DW |
1067 | dev_dontaudit_read_rand($1_usertype) |
1068 | # temporarily allow since openoffice requires this | |
1069 | dev_read_rand($1_usertype) | |
847937da | 1070 | |
3eaa9939 DW |
1071 | dev_read_video_dev($1_usertype) |
1072 | dev_write_video_dev($1_usertype) | |
1073 | dev_rw_wireless($1_usertype) | |
1074 | ||
773094ba DW |
1075 | libs_dontaudit_setattr_lib_files($1_usertype) |
1076 | ||
3eaa9939 DW |
1077 | tunable_policy(`user_rw_noexattrfile',` |
1078 | dev_rw_usbfs($1_t) | |
1079 | dev_rw_generic_usb_dev($1_usertype) | |
1080 | ||
1081 | fs_manage_noxattr_fs_files($1_usertype) | |
1082 | fs_manage_noxattr_fs_dirs($1_usertype) | |
1083 | fs_manage_dos_dirs($1_usertype) | |
1084 | fs_manage_dos_files($1_usertype) | |
1085 | storage_raw_read_removable_device($1_usertype) | |
1086 | storage_raw_write_removable_device($1_usertype) | |
1087 | ') | |
1088 | ||
1089 | logging_send_syslog_msg($1_usertype) | |
847937da CP |
1090 | logging_dontaudit_send_audit_msgs($1_t) |
1091 | ||
1092 | # Need to to this just so screensaver will work. Should be moved to screensaver domain | |
1093 | logging_send_audit_msgs($1_t) | |
1094 | selinux_get_enforce_mode($1_t) | |
3eaa9939 DW |
1095 | seutil_exec_restorecond($1_t) |
1096 | seutil_read_file_contexts($1_t) | |
1097 | seutil_read_default_contexts($1_t) | |
847937da | 1098 | |
93c49bdb CP |
1099 | xserver_restricted_role($1_r, $1_t) |
1100 | ||
847937da | 1101 | optional_policy(` |
3eaa9939 | 1102 | alsa_read_rw_config($1_usertype) |
847937da CP |
1103 | ') |
1104 | ||
a8183914 MG |
1105 | # cjp: needed by KDE apps |
1106 | # bug: #682499 | |
1107 | optional_policy(` | |
1108 | gnome_read_usr_config($1_usertype) | |
ac7085d0 | 1109 | gnome_role_gkeyringd($1, $1_r, $1_usertype) |
3a7aacc9 | 1110 | # cjp: telepathy F15 bugs |
2aa4540b | 1111 | telepathy_role($1_r, $1_t, $1) |
a8183914 MG |
1112 | ') |
1113 | ||
847937da | 1114 | optional_policy(` |
3eaa9939 DW |
1115 | dbus_role_template($1, $1_r, $1_usertype) |
1116 | dbus_system_bus_client($1_usertype) | |
1117 | allow $1_usertype $1_usertype:dbus send_msg; | |
1118 | ||
1119 | optional_policy(` | |
1120 | abrt_dbus_chat($1_usertype) | |
1121 | abrt_run_helper($1_usertype, $1_r) | |
1122 | ') | |
1123 | ||
1124 | optional_policy(` | |
b45aaab9 | 1125 | consolekit_dontaudit_read_log($1_usertype) |
3eaa9939 DW |
1126 | consolekit_dbus_chat($1_usertype) |
1127 | ') | |
1128 | ||
1129 | optional_policy(` | |
1130 | cups_dbus_chat($1_usertype) | |
1131 | cups_dbus_chat_config($1_usertype) | |
1132 | ') | |
847937da CP |
1133 | |
1134 | optional_policy(` | |
3eaa9939 DW |
1135 | devicekit_dbus_chat($1_usertype) |
1136 | devicekit_dbus_chat_disk($1_usertype) | |
1137 | devicekit_dbus_chat_power($1_usertype) | |
847937da CP |
1138 | ') |
1139 | ||
1140 | optional_policy(` | |
3eaa9939 | 1141 | fprintd_dbus_chat($1_t) |
847937da CP |
1142 | ') |
1143 | ') | |
1144 | ||
1145 | optional_policy(` | |
3eaa9939 DW |
1146 | openoffice_role_template($1, $1_r, $1_usertype) |
1147 | ') | |
1148 | ||
1149 | optional_policy(` | |
1150 | policykit_role($1_r, $1_usertype) | |
1151 | ') | |
1152 | ||
1153 | optional_policy(` | |
1154 | pulseaudio_role($1_r, $1_usertype) | |
9bf4902f DG |
1155 | pulseaudio_filetrans_admin_home_content($1_usertype) |
1156 | pulseaudio_filetrans_home_content($1_usertype) | |
3eaa9939 DW |
1157 | ') |
1158 | ||
1159 | optional_policy(` | |
1160 | rtkit_scheduled($1_usertype) | |
847937da CP |
1161 | ') |
1162 | ||
847937da CP |
1163 | optional_policy(` |
1164 | setroubleshoot_dontaudit_stream_connect($1_t) | |
3eaa9939 DW |
1165 | ') |
1166 | ||
1167 | optional_policy(` | |
1168 | udev_read_db($1_usertype) | |
1169 | ') | |
1170 | ||
1171 | optional_policy(` | |
1172 | wm_role_template($1, $1_r, $1_t) | |
847937da CP |
1173 | ') |
1174 | ') | |
1175 | ||
1176 | ####################################### | |
1177 | ## <summary> | |
1178 | ## The template for creating a unprivileged user roughly | |
1179 | ## equivalent to a regular linux user. | |
1180 | ## </summary> | |
1181 | ## <desc> | |
1182 | ## <p> | |
1183 | ## The template for creating a unprivileged user roughly | |
1184 | ## equivalent to a regular linux user. | |
1185 | ## </p> | |
1186 | ## <p> | |
1187 | ## This template creates a user domain, types, and | |
1188 | ## rules for the user's tty, pty, home directories, | |
1189 | ## tmp, and tmpfs files. | |
1190 | ## </p> | |
1191 | ## </desc> | |
1192 | ## <param name="userdomain_prefix"> | |
1193 | ## <summary> | |
1194 | ## The prefix of the user domain (e.g., user | |
1195 | ## is the prefix for user_t). | |
1196 | ## </summary> | |
1197 | ## </param> | |
1198 | # | |
1199 | template(`userdom_unpriv_user_template', ` | |
1200 | ||
1201 | ############################## | |
1202 | # | |
1203 | # Declarations | |
1204 | # | |
1205 | ||
1206 | # Inherit rules for ordinary users. | |
3eaa9939 | 1207 | userdom_restricted_xwindows_user_template($1) |
847937da CP |
1208 | userdom_common_user_template($1) |
1209 | ||
1210 | ############################## | |
1211 | # | |
1212 | # Local policy | |
1213 | # | |
0c73cd25 CP |
1214 | |
1215 | # port access is audited even if dac would not have allowed it, so dontaudit it here | |
3eaa9939 | 1216 | # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) |
bbcd3c97 CP |
1217 | # Need the following rule to allow users to run vpnc |
1218 | corenet_tcp_bind_xserver_port($1_t) | |
8b456c73 | 1219 | corenet_tcp_bind_generic_node($1_usertype) |
0c73cd25 | 1220 | |
3eaa9939 | 1221 | storage_rw_fuse($1_t) |
a1fcff33 | 1222 | |
e933ac40 MG |
1223 | files_exec_usr_files($1_t) |
1224 | # cjp: why? | |
1225 | files_read_kernel_symbol_table($1_t) | |
1226 | ||
1227 | ifndef(`enable_mls',` | |
1228 | fs_exec_noxattr($1_t) | |
1229 | ||
1230 | tunable_policy(`user_rw_noexattrfile',` | |
1231 | fs_manage_noxattr_fs_files($1_t) | |
1232 | fs_manage_noxattr_fs_dirs($1_t) | |
1233 | # Write floppies | |
1234 | storage_raw_read_removable_device($1_t) | |
1235 | storage_raw_write_removable_device($1_t) | |
1236 | ',` | |
1237 | storage_raw_read_removable_device($1_t) | |
1238 | ') | |
1239 | ') | |
1240 | ||
3eaa9939 | 1241 | miscfiles_read_hwdata($1_usertype) |
0c73cd25 CP |
1242 | |
1243 | # Allow users to run TCP servers (bind to ports and accept connection from | |
6073ea1e | 1244 | # the same domain and outside users) disabling this forces FTP passive mode |
0c73cd25 | 1245 | # and may change other protocols |
40068f3d DW |
1246 | |
1247 | tunable_policy(`user_share_music',` | |
7d5759fd | 1248 | corenet_tcp_bind_daap_port($1_usertype) |
40068f3d DW |
1249 | ') |
1250 | ||
34c8fabe | 1251 | tunable_policy(`user_tcp_server',` |
3eaa9939 DW |
1252 | corenet_tcp_bind_all_unreserved_ports($1_usertype) |
1253 | ') | |
1254 | ||
1255 | tunable_policy(`user_setrlimit',` | |
1256 | allow $1_usertype self:process setrlimit; | |
34c8fabe | 1257 | ') |
0c73cd25 | 1258 | |
bb7170f6 | 1259 | optional_policy(` |
3eaa9939 DW |
1260 | cdrecord_role($1_r, $1_t) |
1261 | ') | |
1262 | ||
1263 | optional_policy(` | |
1264 | cron_role($1_r, $1_t) | |
1265 | ') | |
1266 | ||
1267 | optional_policy(` | |
1268 | games_rw_data($1_usertype) | |
1269 | ') | |
1270 | ||
1271 | optional_policy(` | |
1272 | gpg_role($1_r, $1_usertype) | |
1273 | ') | |
1274 | ||
1275 | optional_policy(` | |
1276 | gnomeclock_dbus_chat($1_t) | |
1277 | ') | |
1278 | ||
1279 | optional_policy(` | |
1280 | gpm_stream_connect($1_usertype) | |
1281 | ') | |
1282 | ||
1283 | optional_policy(` | |
1284 | execmem_role_template($1, $1_r, $1_t) | |
1285 | ') | |
1286 | ||
1287 | optional_policy(` | |
1288 | java_role_template($1, $1_r, $1_t) | |
1289 | ') | |
1290 | ||
1291 | optional_policy(` | |
1292 | mono_role_template($1, $1_r, $1_t) | |
1293 | ') | |
1294 | ||
1295 | optional_policy(` | |
1296 | mount_run_fusermount($1_t, $1_r) | |
5598732f | 1297 | mount_read_pid_files($1_t) |
3eaa9939 DW |
1298 | ') |
1299 | ||
1300 | optional_policy(` | |
1301 | wine_role_template($1, $1_r, $1_t) | |
1f91e1bf CP |
1302 | ') |
1303 | ||
bb7170f6 | 1304 | optional_policy(` |
3eaa9939 | 1305 | postfix_run_postdrop($1_t, $1_r) |
cbedaf1d | 1306 | postfix_search_spool($1_t) |
e08118a5 CP |
1307 | ') |
1308 | ||
3eaa9939 | 1309 | # Run pppd in pppd_t by default for user |
6b19be33 | 1310 | optional_policy(` |
3eaa9939 | 1311 | ppp_run_cond($1_t, $1_r) |
6b19be33 | 1312 | ') |
31aa991d MG |
1313 | |
1314 | optional_policy(` | |
1315 | vdagent_getattr_log($1_t) | |
1316 | vdagent_getattr_exec($1_t) | |
1317 | vdagent_stream_connect($1_t) | |
1318 | ') | |
b16c6b8c | 1319 | ') |
4d8ddf9a | 1320 | |
8fd36732 CP |
1321 | ####################################### |
1322 | ## <summary> | |
1323 | ## The template for creating an administrative user. | |
1324 | ## </summary> | |
1325 | ## <desc> | |
1326 | ## <p> | |
1327 | ## This template creates a user domain, types, and | |
1328 | ## rules for the user's tty, pty, home directories, | |
1329 | ## tmp, and tmpfs files. | |
1330 | ## </p> | |
2ec4c9d3 | 1331 | ## <p> |
8fd36732 CP |
1332 | ## The privileges given to administrative users are: |
1333 | ## <ul> | |
1334 | ## <li>Raw disk access</li> | |
1335 | ## <li>Set all sysctls</li> | |
1336 | ## <li>All kernel ring buffer controls</li> | |
8fd36732 CP |
1337 | ## <li>Create, read, write, and delete all files but shadow</li> |
1338 | ## <li>Manage source and binary format SELinux policy</li> | |
1339 | ## <li>Run insmod</li> | |
1340 | ## </ul> | |
2ec4c9d3 CP |
1341 | ## </p> |
1342 | ## </desc> | |
8fd36732 | 1343 | ## <param name="userdomain_prefix"> |
885b83ec | 1344 | ## <summary> |
8fd36732 CP |
1345 | ## The prefix of the user domain (e.g., sysadm |
1346 | ## is the prefix for sysadm_t). | |
885b83ec | 1347 | ## </summary> |
8fd36732 | 1348 | ## </param> |
4d8ddf9a | 1349 | # |
bbcd3c97 | 1350 | template(`userdom_admin_user_template',` |
142e9f40 | 1351 | gen_require(` |
0be901ba | 1352 | attribute admindomain; |
3eaa9939 | 1353 | class passwd { passwd chfn chsh rootok crontab }; |
142e9f40 CP |
1354 | ') |
1355 | ||
0c73cd25 CP |
1356 | ############################## |
1357 | # | |
1358 | # Declarations | |
1359 | # | |
1360 | ||
1361 | # Inherit rules for ordinary users. | |
847937da | 1362 | userdom_login_user_template($1) |
bbcd3c97 | 1363 | userdom_common_user_template($1) |
0c73cd25 | 1364 | |
1815bad1 | 1365 | domain_obj_id_change_exemption($1_t) |
0c73cd25 CP |
1366 | role system_r types $1_t; |
1367 | ||
0be901ba | 1368 | typeattribute $1_t admindomain; |
bd75703c | 1369 | |
142e9f40 | 1370 | ifdef(`direct_sysadm_daemon',` |
1815bad1 | 1371 | domain_system_change_exemption($1_t) |
142e9f40 | 1372 | ') |
2a98379a | 1373 | |
0c73cd25 CP |
1374 | ############################## |
1375 | # | |
1376 | # $1_t local policy | |
1377 | # | |
1378 | ||
847937da | 1379 | allow $1_t self:capability ~{ sys_module audit_control audit_write }; |
4ba442da | 1380 | allow $1_t self:capability2 syslog; |
0c73cd25 | 1381 | allow $1_t self:process { setexec setfscreate }; |
bd75703c CP |
1382 | allow $1_t self:netlink_audit_socket nlmsg_readpriv; |
1383 | allow $1_t self:tun_socket create; | |
0c73cd25 CP |
1384 | # Set password information for other users. |
1385 | allow $1_t self:passwd { passwd chfn chsh }; | |
0c73cd25 CP |
1386 | # Skip authentication when pam_rootok is specified. |
1387 | allow $1_t self:passwd rootok; | |
1388 | ||
3eaa9939 DW |
1389 | # Manipulate other users crontab. |
1390 | allow $1_t self:passwd crontab; | |
1391 | ||
0c73cd25 | 1392 | kernel_read_software_raid_state($1_t) |
445522dc | 1393 | kernel_getattr_core_if($1_t) |
0fd9dc55 | 1394 | kernel_getattr_message_if($1_t) |
0c73cd25 CP |
1395 | kernel_change_ring_buffer_level($1_t) |
1396 | kernel_clear_ring_buffer($1_t) | |
1397 | kernel_read_ring_buffer($1_t) | |
1398 | kernel_get_sysvipc_info($1_t) | |
445522dc | 1399 | kernel_rw_all_sysctls($1_t) |
8fd36732 CP |
1400 | # signal unlabeled processes: |
1401 | kernel_kill_unlabeled($1_t) | |
1402 | kernel_signal_unlabeled($1_t) | |
1403 | kernel_sigstop_unlabeled($1_t) | |
1404 | kernel_signull_unlabeled($1_t) | |
1405 | kernel_sigchld_unlabeled($1_t) | |
3eaa9939 | 1406 | kernel_signal($1_t) |
2ec4c9d3 CP |
1407 | |
1408 | corenet_tcp_bind_generic_port($1_t) | |
1409 | # allow setting up tunnels | |
5b6ddb98 | 1410 | corenet_rw_tun_tap_dev($1_t) |
2ec4c9d3 | 1411 | |
207c4763 CP |
1412 | dev_getattr_generic_blk_files($1_t) |
1413 | dev_getattr_generic_chr_files($1_t) | |
bbcd3c97 CP |
1414 | # for lsof |
1415 | dev_getattr_mtrr_dev($1_t) | |
1416 | # Allow MAKEDEV to work | |
1417 | dev_create_all_blk_files($1_t) | |
1418 | dev_create_all_chr_files($1_t) | |
1419 | dev_delete_all_blk_files($1_t) | |
1420 | dev_delete_all_chr_files($1_t) | |
1421 | dev_rename_all_blk_files($1_t) | |
1422 | dev_rename_all_chr_files($1_t) | |
1423 | dev_create_generic_symlinks($1_t) | |
bba79b24 DW |
1424 | dev_rw_generic_usb_dev($1_t) |
1425 | dev_rw_usbfs($1_t) | |
0c73cd25 | 1426 | |
c9428d33 CP |
1427 | domain_setpriority_all_domains($1_t) |
1428 | domain_read_all_domains_state($1_t) | |
ccc59782 | 1429 | domain_getattr_all_domains($1_t) |
d79b5476 | 1430 | domain_getcap_all_domains($1_t) |
ccc59782 | 1431 | domain_dontaudit_ptrace_all_domains($1_t) |
0c73cd25 CP |
1432 | # signal all domains: |
1433 | domain_kill_all_domains($1_t) | |
1434 | domain_signal_all_domains($1_t) | |
1435 | domain_signull_all_domains($1_t) | |
1436 | domain_sigstop_all_domains($1_t) | |
1437 | domain_sigstop_all_domains($1_t) | |
1438 | domain_sigchld_all_domains($1_t) | |
2ec4c9d3 CP |
1439 | # for lsof |
1440 | domain_getattr_all_sockets($1_t) | |
3eaa9939 | 1441 | domain_dontaudit_getattr_all_sockets($1_t) |
0c73cd25 | 1442 | |
99505c1c | 1443 | files_exec_usr_src_files($1_t) |
0c73cd25 | 1444 | |
bbcd3c97 | 1445 | fs_getattr_all_fs($1_t) |
3eaa9939 DW |
1446 | fs_getattr_all_files($1_t) |
1447 | fs_list_all($1_t) | |
bbcd3c97 CP |
1448 | fs_set_all_quotas($1_t) |
1449 | fs_exec_noxattr($1_t) | |
1450 | ||
1451 | storage_raw_read_removable_device($1_t) | |
1452 | storage_raw_write_removable_device($1_t) | |
579a217f | 1453 | storage_dontaudit_read_fixed_disk($1_t) |
bbcd3c97 | 1454 | |
af2d8802 | 1455 | term_use_all_inherited_terms($1_t) |
9e6ca004 | 1456 | term_use_unallocated_ttys($1_t) |
bbcd3c97 CP |
1457 | |
1458 | auth_getattr_shadow($1_t) | |
1459 | # Manage almost all files | |
1e7ee442 | 1460 | files_manage_non_security_dirs($1_t) |
df34481f | 1461 | files_manage_non_security_files($1_t) |
bbcd3c97 | 1462 | # Relabel almost all files |
df34481f | 1463 | files_relabel_non_security_files($1_t) |
bbcd3c97 CP |
1464 | |
1465 | init_telinit($1_t) | |
0c73cd25 | 1466 | |
c9428d33 | 1467 | logging_send_syslog_msg($1_t) |
0c73cd25 | 1468 | |
2371d8d8 MG |
1469 | optional_policy(` |
1470 | modutils_domtrans_insmod($1_t) | |
1471 | modutils_domtrans_depmod($1_t) | |
1472 | ') | |
0c73cd25 | 1473 | |
0c73cd25 CP |
1474 | # The following rule is temporary until such time that a complete |
1475 | # policy management infrastructure is in place so that an administrator | |
1476 | # cannot directly manipulate policy files with arbitrary programs. | |
1815bad1 | 1477 | seutil_manage_src_policy($1_t) |
0c73cd25 CP |
1478 | # Violates the goal of limiting write access to checkpolicy. |
1479 | # But presently necessary for installing the file_contexts file. | |
1815bad1 | 1480 | seutil_manage_bin_policy($1_t) |
0c73cd25 | 1481 | |
eedf23b8 DW |
1482 | systemd_config_all_services($1_t) |
1483 | ||
296273a7 CP |
1484 | userdom_manage_user_home_content_dirs($1_t) |
1485 | userdom_manage_user_home_content_files($1_t) | |
1486 | userdom_manage_user_home_content_symlinks($1_t) | |
1487 | userdom_manage_user_home_content_pipes($1_t) | |
1488 | userdom_manage_user_home_content_sockets($1_t) | |
1489 | userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) | |
1490 | ||
bbcd3c97 CP |
1491 | tunable_policy(`user_rw_noexattrfile',` |
1492 | fs_manage_noxattr_fs_files($1_t) | |
1493 | fs_manage_noxattr_fs_dirs($1_t) | |
1494 | ',` | |
1495 | fs_read_noxattr_fs_files($1_t) | |
1496 | ') | |
1497 | ||
e8cb08ae CP |
1498 | optional_policy(` |
1499 | postgresql_unconfined($1_t) | |
1500 | ') | |
1501 | ||
6b19be33 CP |
1502 | optional_policy(` |
1503 | userhelper_exec($1_t) | |
1504 | ') | |
1505 | ') | |
1506 | ||
1507 | ######################################## | |
1508 | ## <summary> | |
1509 | ## Allow user to run as a secadm | |
1510 | ## </summary> | |
1511 | ## <desc> | |
1512 | ## <p> | |
1513 | ## Create objects in a user home directory | |
1514 | ## with an automatic type transition to | |
1515 | ## a specified private type. | |
1516 | ## </p> | |
1517 | ## <p> | |
1518 | ## This is a templated interface, and should only | |
1519 | ## be called from a per-userdomain template. | |
1520 | ## </p> | |
1521 | ## </desc> | |
6b19be33 CP |
1522 | ## <param name="domain"> |
1523 | ## <summary> | |
1524 | ## Domain allowed access. | |
1525 | ## </summary> | |
1526 | ## </param> | |
1527 | ## <param name="role"> | |
1528 | ## <summary> | |
1529 | ## The role of the object to create. | |
1530 | ## </summary> | |
1531 | ## </param> | |
6b19be33 CP |
1532 | # |
1533 | template(`userdom_security_admin_template',` | |
1534 | allow $1 self:capability { dac_read_search dac_override }; | |
1535 | ||
1536 | corecmd_exec_shell($1) | |
1537 | ||
1538 | domain_obj_id_change_exemption($1) | |
1539 | ||
1540 | dev_relabel_all_dev_nodes($1) | |
1541 | ||
1542 | files_create_boot_flag($1) | |
3eaa9939 DW |
1543 | files_create_default_dir($1) |
1544 | files_root_filetrans_default($1, dir) | |
6b19be33 CP |
1545 | |
1546 | # Necessary for managing /boot/efi | |
1547 | fs_manage_dos_files($1) | |
1548 | ||
1549 | mls_process_read_up($1) | |
f8233ab7 | 1550 | mls_file_read_all_levels($1) |
6b19be33 CP |
1551 | mls_file_upgrade($1) |
1552 | mls_file_downgrade($1) | |
1553 | ||
1554 | selinux_set_enforce_mode($1) | |
f0435b1a | 1555 | selinux_set_all_booleans($1) |
6b19be33 | 1556 | selinux_set_parameters($1) |
4ba442da | 1557 | selinux_read_policy($1) |
6b19be33 | 1558 | |
df34481f | 1559 | files_relabel_all_files($1) |
6b19be33 CP |
1560 | auth_relabel_shadow($1) |
1561 | ||
1562 | init_exec($1) | |
1563 | ||
1564 | logging_send_syslog_msg($1) | |
1565 | logging_read_audit_log($1) | |
1566 | logging_read_generic_logs($1) | |
1567 | logging_read_audit_config($1) | |
1568 | ||
1569 | seutil_manage_bin_policy($1) | |
f362730d DW |
1570 | seutil_manage_default_contexts($1) |
1571 | seutil_manage_file_contexts($1) | |
1572 | seutil_manage_module_store($1) | |
1573 | seutil_manage_config($1) | |
296273a7 | 1574 | seutil_run_checkpolicy($1,$2) |
f4aae210 MG |
1575 | seutil_run_loadpolicy($1,$2) |
1576 | seutil_run_semanage($1,$2) | |
1577 | seutil_run_setsebool($1,$2) | |
296273a7 | 1578 | seutil_run_setfiles($1, $2) |
6b19be33 | 1579 | |
f4aae210 MG |
1580 | seutil_manage_bin_policy($1) |
1581 | seutil_manage_default_contexts($1) | |
1582 | seutil_manage_file_contexts($1) | |
1583 | seutil_manage_module_store($1) | |
1584 | seutil_manage_config($1) | |
1585 | ||
6b19be33 | 1586 | optional_policy(` |
f4aae210 | 1587 | aide_run($1,$2) |
6b19be33 CP |
1588 | ') |
1589 | ||
1590 | optional_policy(` | |
1591 | consoletype_exec($1) | |
1592 | ') | |
1593 | ||
1594 | optional_policy(` | |
1595 | dmesg_exec($1) | |
1596 | ') | |
1597 | ||
f4aae210 MG |
1598 | optional_policy(` |
1599 | ipsec_run_setkey($1,$2) | |
9e8f65c8 CP |
1600 | ') |
1601 | ||
6b19be33 | 1602 | optional_policy(` |
f4aae210 | 1603 | netlabel_run_mgmt($1,$2) |
a1fcff33 | 1604 | ') |
ff449b62 CP |
1605 | |
1606 | optional_policy(` | |
1607 | samhain_run($1, $2) | |
1608 | ') | |
4d8ddf9a | 1609 | ') |
490639cd | 1610 | |
b1bf2f78 CP |
1611 | ######################################## |
1612 | ## <summary> | |
296273a7 CP |
1613 | ## Make the specified type usable in a |
1614 | ## user home directory. | |
b1bf2f78 | 1615 | ## </summary> |
296273a7 | 1616 | ## <param name="type"> |
b1bf2f78 | 1617 | ## <summary> |
296273a7 CP |
1618 | ## Type to be used as a file in the |
1619 | ## user home directory. | |
b1bf2f78 CP |
1620 | ## </summary> |
1621 | ## </param> | |
b1bf2f78 | 1622 | # |
296273a7 CP |
1623 | interface(`userdom_user_home_content',` |
1624 | gen_require(` | |
1625 | type user_home_t; | |
3eaa9939 | 1626 | attribute user_home_type; |
296273a7 CP |
1627 | ') |
1628 | ||
1629 | allow $1 user_home_t:filesystem associate; | |
1630 | files_type($1) | |
1631 | ubac_constrained($1) | |
3eaa9939 DW |
1632 | |
1633 | files_poly_member($1) | |
1634 | typeattribute $1 user_home_type; | |
b1bf2f78 CP |
1635 | ') |
1636 | ||
ca9e8850 DW |
1637 | ######################################## |
1638 | ## <summary> | |
1639 | ## Make the specified type usable in a | |
1640 | ## generic temporary directory. | |
1641 | ## </summary> | |
1642 | ## <param name="type"> | |
1643 | ## <summary> | |
1644 | ## Type to be used as a file in the | |
1645 | ## generic temporary directory. | |
1646 | ## </summary> | |
1647 | ## </param> | |
1648 | # | |
1649 | interface(`userdom_user_tmp_content',` | |
1650 | gen_require(` | |
1651 | attribute user_tmp_type; | |
1652 | ') | |
1653 | ||
1654 | typeattribute $1 user_tmp_type; | |
1655 | ||
1656 | files_tmp_file($1) | |
1657 | ubac_constrained($1) | |
1658 | ') | |
1659 | ||
04b8986d DG |
1660 | ######################################## |
1661 | ## <summary> | |
1662 | ## Make the specified type usable in a | |
1663 | ## generic tmpfs_t directory. | |
1664 | ## </summary> | |
1665 | ## <param name="type"> | |
1666 | ## <summary> | |
1667 | ## Type to be used as a file in the | |
1668 | ## generic temporary directory. | |
1669 | ## </summary> | |
1670 | ## </param> | |
1671 | # | |
1672 | interface(`userdom_user_tmpfs_content',` | |
1673 | gen_require(` | |
1674 | attribute user_tmpfs_type; | |
1675 | ') | |
1676 | ||
1677 | typeattribute $1 user_tmpfs_type; | |
1678 | ||
1679 | files_tmpfs_file($1) | |
1680 | ubac_constrained($1) | |
1681 | ') | |
1682 | ||
bd75703c CP |
1683 | ######################################## |
1684 | ## <summary> | |
1685 | ## Allow domain to attach to TUN devices created by administrative users. | |
1686 | ## </summary> | |
1687 | ## <param name="domain"> | |
1688 | ## <summary> | |
1689 | ## Domain allowed access. | |
1690 | ## </summary> | |
1691 | ## </param> | |
1692 | # | |
1693 | interface(`userdom_attach_admin_tun_iface',` | |
1694 | gen_require(` | |
0be901ba | 1695 | attribute admindomain; |
bd75703c CP |
1696 | ') |
1697 | ||
0be901ba | 1698 | allow $1 admindomain:tun_socket relabelfrom; |
bd75703c CP |
1699 | allow $1 self:tun_socket relabelto; |
1700 | ') | |
1701 | ||
b1bf2f78 CP |
1702 | ######################################## |
1703 | ## <summary> | |
296273a7 | 1704 | ## Set the attributes of a user pty. |
b1bf2f78 | 1705 | ## </summary> |
296273a7 | 1706 | ## <param name="domain"> |
b1bf2f78 | 1707 | ## <summary> |
296273a7 | 1708 | ## Domain allowed access. |
b1bf2f78 CP |
1709 | ## </summary> |
1710 | ## </param> | |
b1bf2f78 | 1711 | # |
296273a7 CP |
1712 | interface(`userdom_setattr_user_ptys',` |
1713 | gen_require(` | |
1714 | type user_devpts_t; | |
1715 | ') | |
1716 | ||
bf530f53 | 1717 | allow $1 user_devpts_t:chr_file setattr_chr_file_perms; |
b1bf2f78 CP |
1718 | ') |
1719 | ||
1720 | ######################################## | |
1721 | ## <summary> | |
296273a7 | 1722 | ## Create a user pty. |
b1bf2f78 | 1723 | ## </summary> |
296273a7 | 1724 | ## <param name="domain"> |
b1bf2f78 | 1725 | ## <summary> |
296273a7 | 1726 | ## Domain allowed access. |
b1bf2f78 CP |
1727 | ## </summary> |
1728 | ## </param> | |
b1bf2f78 | 1729 | # |
296273a7 CP |
1730 | interface(`userdom_create_user_pty',` |
1731 | gen_require(` | |
1732 | type user_devpts_t; | |
1733 | ') | |
1734 | ||
1735 | term_create_pty($1, user_devpts_t) | |
b1bf2f78 CP |
1736 | ') |
1737 | ||
1738 | ######################################## | |
1739 | ## <summary> | |
296273a7 | 1740 | ## Get the attributes of user home directories. |
b1bf2f78 | 1741 | ## </summary> |
296273a7 | 1742 | ## <param name="domain"> |
b1bf2f78 | 1743 | ## <summary> |
296273a7 | 1744 | ## Domain allowed access. |
b1bf2f78 CP |
1745 | ## </summary> |
1746 | ## </param> | |
b1bf2f78 | 1747 | # |
296273a7 CP |
1748 | interface(`userdom_getattr_user_home_dirs',` |
1749 | gen_require(` | |
1750 | type user_home_dir_t; | |
1751 | ') | |
1752 | ||
1753 | allow $1 user_home_dir_t:dir getattr_dir_perms; | |
1754 | files_search_home($1) | |
b1bf2f78 CP |
1755 | ') |
1756 | ||
1757 | ######################################## | |
1758 | ## <summary> | |
296273a7 | 1759 | ## Do not audit attempts to get the attributes of user home directories. |
b1bf2f78 | 1760 | ## </summary> |
296273a7 | 1761 | ## <param name="domain"> |
b1bf2f78 | 1762 | ## <summary> |
a0546c9d | 1763 | ## Domain to not audit. |
b1bf2f78 CP |
1764 | ## </summary> |
1765 | ## </param> | |
b1bf2f78 | 1766 | # |
296273a7 CP |
1767 | interface(`userdom_dontaudit_getattr_user_home_dirs',` |
1768 | gen_require(` | |
1769 | type user_home_dir_t; | |
1770 | ') | |
1771 | ||
1772 | dontaudit $1 user_home_dir_t:dir getattr_dir_perms; | |
b1bf2f78 CP |
1773 | ') |
1774 | ||
1775 | ######################################## | |
1776 | ## <summary> | |
296273a7 | 1777 | ## Search user home directories. |
b1bf2f78 | 1778 | ## </summary> |
296273a7 | 1779 | ## <param name="domain"> |
b1bf2f78 | 1780 | ## <summary> |
296273a7 | 1781 | ## Domain allowed access. |
b1bf2f78 CP |
1782 | ## </summary> |
1783 | ## </param> | |
b1bf2f78 | 1784 | # |
296273a7 CP |
1785 | interface(`userdom_search_user_home_dirs',` |
1786 | gen_require(` | |
1787 | type user_home_dir_t; | |
1788 | ') | |
1789 | ||
1790 | allow $1 user_home_dir_t:dir search_dir_perms; | |
3eaa9939 | 1791 | allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; |
296273a7 | 1792 | files_search_home($1) |
b1bf2f78 CP |
1793 | ') |
1794 | ||
1795 | ######################################## | |
1796 | ## <summary> | |
c46376e6 | 1797 | ## Do not audit attempts to search user home directories. |
b1bf2f78 | 1798 | ## </summary> |
c46376e6 CP |
1799 | ## <desc> |
1800 | ## <p> | |
1801 | ## Do not audit attempts to search user home directories. | |
1802 | ## This will supress SELinux denial messages when the specified | |
1803 | ## domain is denied the permission to search these directories. | |
1804 | ## </p> | |
1805 | ## </desc> | |
296273a7 | 1806 | ## <param name="domain"> |
b1bf2f78 | 1807 | ## <summary> |
c46376e6 | 1808 | ## Domain to not audit. |
b1bf2f78 CP |
1809 | ## </summary> |
1810 | ## </param> | |
c46376e6 | 1811 | ## <infoflow type="none"/> |
b1bf2f78 | 1812 | # |
296273a7 CP |
1813 | interface(`userdom_dontaudit_search_user_home_dirs',` |
1814 | gen_require(` | |
1815 | type user_home_dir_t; | |
1816 | ') | |
1817 | ||
1818 | dontaudit $1 user_home_dir_t:dir search_dir_perms; | |
b1bf2f78 CP |
1819 | ') |
1820 | ||
1821 | ######################################## | |
1822 | ## <summary> | |
ff8f0a63 | 1823 | ## List user home directories. |
b1bf2f78 | 1824 | ## </summary> |
296273a7 | 1825 | ## <param name="domain"> |
b1bf2f78 | 1826 | ## <summary> |
ff8f0a63 | 1827 | ## Domain allowed access. |
b1bf2f78 CP |
1828 | ## </summary> |
1829 | ## </param> | |
b1bf2f78 | 1830 | # |
296273a7 CP |
1831 | interface(`userdom_list_user_home_dirs',` |
1832 | gen_require(` | |
1833 | type user_home_dir_t; | |
1834 | ') | |
b1bf2f78 | 1835 | |
296273a7 CP |
1836 | allow $1 user_home_dir_t:dir list_dir_perms; |
1837 | files_search_home($1) | |
3eaa9939 DW |
1838 | |
1839 | tunable_policy(`use_nfs_home_dirs',` | |
1840 | fs_list_nfs($1) | |
1841 | ') | |
1842 | ||
1843 | tunable_policy(`use_samba_home_dirs',` | |
1844 | fs_list_cifs($1) | |
1845 | ') | |
de8af9dc CP |
1846 | ') |
1847 | ||
7c2f5a82 CP |
1848 | ######################################## |
1849 | ## <summary> | |
296273a7 | 1850 | ## Do not audit attempts to list user home subdirectories. |
7c2f5a82 CP |
1851 | ## </summary> |
1852 | ## <param name="domain"> | |
885b83ec | 1853 | ## <summary> |
a7ee7f81 | 1854 | ## Domain to not audit. |
885b83ec | 1855 | ## </summary> |
7c2f5a82 CP |
1856 | ## </param> |
1857 | # | |
296273a7 | 1858 | interface(`userdom_dontaudit_list_user_home_dirs',` |
7c2f5a82 | 1859 | gen_require(` |
296273a7 | 1860 | type user_home_dir_t; |
3eaa9939 | 1861 | type user_home_t; |
7c2f5a82 CP |
1862 | ') |
1863 | ||
296273a7 | 1864 | dontaudit $1 user_home_dir_t:dir list_dir_perms; |
3eaa9939 | 1865 | dontaudit $1 user_home_t:dir list_dir_perms; |
7c2f5a82 CP |
1866 | ') |
1867 | ||
1868 | ######################################## | |
1869 | ## <summary> | |
296273a7 | 1870 | ## Create user home directories. |
7c2f5a82 CP |
1871 | ## </summary> |
1872 | ## <param name="domain"> | |
885b83ec | 1873 | ## <summary> |
7c2f5a82 | 1874 | ## Domain allowed access. |
885b83ec | 1875 | ## </summary> |
7c2f5a82 CP |
1876 | ## </param> |
1877 | # | |
296273a7 CP |
1878 | interface(`userdom_create_user_home_dirs',` |
1879 | gen_require(` | |
1880 | type user_home_dir_t; | |
1881 | ') | |
1882 | ||
1883 | allow $1 user_home_dir_t:dir create_dir_perms; | |
7c2f5a82 CP |
1884 | ') |
1885 | ||
1886 | ######################################## | |
1887 | ## <summary> | |
296273a7 | 1888 | ## Create user home directories. |
7c2f5a82 CP |
1889 | ## </summary> |
1890 | ## <param name="domain"> | |
885b83ec | 1891 | ## <summary> |
7c2f5a82 | 1892 | ## Domain allowed access. |
885b83ec | 1893 | ## </summary> |
7c2f5a82 CP |
1894 | ## </param> |
1895 | # | |
296273a7 | 1896 | interface(`userdom_manage_user_home_dirs',` |
7c2f5a82 | 1897 | gen_require(` |
296273a7 | 1898 | type user_home_dir_t; |
7c2f5a82 CP |
1899 | ') |
1900 | ||
296273a7 | 1901 | allow $1 user_home_dir_t:dir manage_dir_perms; |
7c2f5a82 CP |
1902 | ') |
1903 | ||
d490eb6b | 1904 | ######################################## |
ab940a4c | 1905 | ## <summary> |
296273a7 | 1906 | ## Relabel to user home directories. |
ab940a4c | 1907 | ## </summary> |
414e4151 | 1908 | ## <param name="domain"> |
885b83ec | 1909 | ## <summary> |
725926c5 | 1910 | ## Domain allowed access. |
885b83ec | 1911 | ## </summary> |
414e4151 | 1912 | ## </param> |
d490eb6b | 1913 | # |
296273a7 CP |
1914 | interface(`userdom_relabelto_user_home_dirs',` |
1915 | gen_require(` | |
1916 | type user_home_dir_t; | |
1917 | ') | |
d490eb6b | 1918 | |
296273a7 | 1919 | allow $1 user_home_dir_t:dir relabelto; |
7c2f5a82 CP |
1920 | ') |
1921 | ||
3eaa9939 DW |
1922 | |
1923 | ######################################## | |
1924 | ## <summary> | |
1925 | ## Relabel to user home files. | |
1926 | ## </summary> | |
1927 | ## <param name="domain"> | |
1928 | ## <summary> | |
1929 | ## Domain allowed access. | |
1930 | ## </summary> | |
1931 | ## </param> | |
1932 | # | |
1933 | interface(`userdom_relabelto_user_home_files',` | |
1934 | gen_require(` | |
1935 | type user_home_t; | |
1936 | ') | |
1937 | ||
1938 | allow $1 user_home_t:file relabelto; | |
1939 | ') | |
1940 | ######################################## | |
1941 | ## <summary> | |
1942 | ## Relabel user home files. | |
1943 | ## </summary> | |
1944 | ## <param name="domain"> | |
1945 | ## <summary> | |
1946 | ## Domain allowed access. | |
1947 | ## </summary> | |
1948 | ## </param> | |
1949 | # | |
1950 | interface(`userdom_relabel_user_home_files',` | |
1951 | gen_require(` | |
1952 | type user_home_t; | |
1953 | ') | |
1954 | ||
83029ff3 | 1955 | allow $1 user_home_t:file relabel_file_perms; |
3eaa9939 DW |
1956 | ') |
1957 | ||
7c2f5a82 CP |
1958 | ######################################## |
1959 | ## <summary> | |
296273a7 CP |
1960 | ## Create directories in the home dir root with |
1961 | ## the user home directory type. | |
7c2f5a82 CP |
1962 | ## </summary> |
1963 | ## <param name="domain"> | |
885b83ec | 1964 | ## <summary> |
7c2f5a82 | 1965 | ## Domain allowed access. |
885b83ec | 1966 | ## </summary> |
7c2f5a82 CP |
1967 | ## </param> |
1968 | # | |
296273a7 CP |
1969 | interface(`userdom_home_filetrans_user_home_dir',` |
1970 | gen_require(` | |
1971 | type user_home_dir_t; | |
1972 | ') | |
7c2f5a82 | 1973 | |
296273a7 | 1974 | files_home_filetrans($1, user_home_dir_t, dir) |
7c2f5a82 CP |
1975 | ') |
1976 | ||
d42c7ede CP |
1977 | ######################################## |
1978 | ## <summary> | |
296273a7 CP |
1979 | ## Do a domain transition to the specified |
1980 | ## domain when executing a program in the | |
1981 | ## user home directory. | |
d42c7ede CP |
1982 | ## </summary> |
1983 | ## <desc> | |
1984 | ## <p> | |
296273a7 CP |
1985 | ## Do a domain transition to the specified |
1986 | ## domain when executing a program in the | |
1987 | ## user home directory. | |
d42c7ede CP |
1988 | ## </p> |
1989 | ## <p> | |
296273a7 CP |
1990 | ## No interprocess communication (signals, pipes, |
1991 | ## etc.) is provided by this interface since | |
1992 | ## the domains are not owned by this module. | |
d42c7ede CP |
1993 | ## </p> |
1994 | ## </desc> | |
296273a7 | 1995 | ## <param name="source_domain"> |
d42c7ede | 1996 | ## <summary> |
a0546c9d | 1997 | ## Domain allowed to transition. |
d42c7ede CP |
1998 | ## </summary> |
1999 | ## </param> | |
296273a7 | 2000 | ## <param name="target_domain"> |
d42c7ede | 2001 | ## <summary> |
296273a7 | 2002 | ## Domain to transition to. |
d42c7ede CP |
2003 | ## </summary> |
2004 | ## </param> | |
2005 | # | |
296273a7 CP |
2006 | interface(`userdom_user_home_domtrans',` |
2007 | gen_require(` | |
2008 | type user_home_dir_t, user_home_t; | |
2009 | ') | |
d42c7ede | 2010 | |
296273a7 CP |
2011 | domain_auto_trans($1, user_home_t, $2) |
2012 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2013 | files_search_home($1) | |
d42c7ede CP |
2014 | ') |
2015 | ||
ae9e2716 CP |
2016 | ######################################## |
2017 | ## <summary> | |
296273a7 | 2018 | ## Do not audit attempts to search user home content directories. |
ae9e2716 CP |
2019 | ## </summary> |
2020 | ## <param name="domain"> | |
885b83ec | 2021 | ## <summary> |
a7ee7f81 | 2022 | ## Domain to not audit. |
885b83ec | 2023 | ## </summary> |
ae9e2716 CP |
2024 | ## </param> |
2025 | # | |
296273a7 CP |
2026 | interface(`userdom_dontaudit_search_user_home_content',` |
2027 | gen_require(` | |
2028 | type user_home_t; | |
2029 | ') | |
ae9e2716 | 2030 | |
296273a7 | 2031 | dontaudit $1 user_home_t:dir search_dir_perms; |
3eaa9939 DW |
2032 | fs_dontaudit_list_nfs($1) |
2033 | fs_dontaudit_list_cifs($1) | |
ae9e2716 CP |
2034 | ') |
2035 | ||
2d743657 CP |
2036 | ######################################## |
2037 | ## <summary> | |
2038 | ## List contents of users home directory. | |
2039 | ## </summary> | |
2040 | ## <param name="domain"> | |
2041 | ## <summary> | |
2042 | ## Domain allowed access. | |
2043 | ## </summary> | |
2044 | ## </param> | |
2045 | # | |
2046 | interface(`userdom_list_user_home_content',` | |
2047 | gen_require(` | |
3eaa9939 DW |
2048 | type user_home_dir_t; |
2049 | attribute user_home_type; | |
2d743657 CP |
2050 | ') |
2051 | ||
3eaa9939 DW |
2052 | files_list_home($1) |
2053 | allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; | |
2d743657 CP |
2054 | ') |
2055 | ||
cdc86ee5 CP |
2056 | ######################################## |
2057 | ## <summary> | |
296273a7 CP |
2058 | ## Create, read, write, and delete directories |
2059 | ## in a user home subdirectory. | |
cdc86ee5 CP |
2060 | ## </summary> |
2061 | ## <param name="domain"> | |
2062 | ## <summary> | |
2063 | ## Domain allowed access. | |
2064 | ## </summary> | |
2065 | ## </param> | |
2066 | # | |
296273a7 CP |
2067 | interface(`userdom_manage_user_home_content_dirs',` |
2068 | gen_require(` | |
2069 | type user_home_dir_t, user_home_t; | |
2070 | ') | |
2071 | ||
2072 | manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) | |
2073 | files_search_home($1) | |
cdc86ee5 CP |
2074 | ') |
2075 | ||
4083191c CP |
2076 | ######################################## |
2077 | ## <summary> | |
2078 | ## Delete directories in a user home subdirectory. | |
2079 | ## </summary> | |
2080 | ## <param name="domain"> | |
2081 | ## <summary> | |
2082 | ## Domain allowed access. | |
2083 | ## </summary> | |
2084 | ## </param> | |
2085 | # | |
2086 | interface(`userdom_delete_user_home_content_dirs',` | |
2087 | gen_require(` | |
2088 | type user_home_t; | |
2089 | ') | |
2090 | ||
2091 | allow $1 user_home_t:dir delete_dir_perms; | |
2092 | ') | |
2093 | ||
a6687c87 DG |
2094 | ######################################## |
2095 | ## <summary> | |
2096 | ## Delete all directories in a user home subdirectory. | |
2097 | ## </summary> | |
2098 | ## <param name="domain"> | |
2099 | ## <summary> | |
2100 | ## Domain allowed access. | |
2101 | ## </summary> | |
2102 | ## </param> | |
2103 | # | |
2104 | interface(`userdom_delete_all_user_home_content_dirs',` | |
2105 | gen_require(` | |
2106 | attribute user_home_type; | |
2107 | ') | |
2108 | ||
2109 | allow $1 user_home_type:dir delete_dir_perms; | |
2110 | ') | |
2111 | ||
3eaa9939 DW |
2112 | ######################################## |
2113 | ## <summary> | |
2114 | ## Set the attributes of user home files. | |
2115 | ## </summary> | |
2116 | ## <param name="domain"> | |
2117 | ## <summary> | |
2118 | ## Domain allowed access. | |
2119 | ## </summary> | |
2120 | ## </param> | |
2121 | ## <rolecap/> | |
2122 | # | |
2123 | interface(`userdom_setattr_user_home_content_files',` | |
2124 | gen_require(` | |
2125 | type user_home_t; | |
2126 | ') | |
2127 | ||
2128 | allow $1 user_home_t:file setattr; | |
2129 | ') | |
2130 | ||
d6d16b97 CP |
2131 | ######################################## |
2132 | ## <summary> | |
296273a7 CP |
2133 | ## Do not audit attempts to set the |
2134 | ## attributes of user home files. | |
d6d16b97 CP |
2135 | ## </summary> |
2136 | ## <param name="domain"> | |
2137 | ## <summary> | |
a0546c9d | 2138 | ## Domain to not audit. |
d6d16b97 CP |
2139 | ## </summary> |
2140 | ## </param> | |
2141 | # | |
296273a7 CP |
2142 | interface(`userdom_dontaudit_setattr_user_home_content_files',` |
2143 | gen_require(` | |
2144 | type user_home_t; | |
2145 | ') | |
d6d16b97 | 2146 | |
bf530f53 | 2147 | dontaudit $1 user_home_t:file setattr_file_perms; |
b0d2243c CP |
2148 | ') |
2149 | ||
a6687c87 DG |
2150 | ######################################## |
2151 | ## <summary> | |
2152 | ## Set the attributes of all user home directories. | |
2153 | ## </summary> | |
2154 | ## <param name="domain"> | |
2155 | ## <summary> | |
2156 | ## Domain allowed access. | |
2157 | ## </summary> | |
2158 | ## </param> | |
2159 | ## <rolecap/> | |
2160 | # | |
2161 | interface(`userdom_setattr_all_user_home_content_dirs',` | |
2162 | gen_require(` | |
2163 | attribute user_home_type; | |
2164 | ') | |
2165 | ||
2166 | allow $1 user_home_type:dir setattr_dir_perms; | |
2167 | ') | |
2168 | ||
fd89e19f CP |
2169 | ######################################## |
2170 | ## <summary> | |
296273a7 | 2171 | ## Mmap user home files. |
fd89e19f CP |
2172 | ## </summary> |
2173 | ## <param name="domain"> | |
885b83ec | 2174 | ## <summary> |
725926c5 | 2175 | ## Domain allowed access. |
885b83ec | 2176 | ## </summary> |
fd89e19f CP |
2177 | ## </param> |
2178 | # | |
296273a7 CP |
2179 | interface(`userdom_mmap_user_home_content_files',` |
2180 | gen_require(` | |
2181 | type user_home_dir_t, user_home_t; | |
2182 | ') | |
fd89e19f | 2183 | |
296273a7 CP |
2184 | mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
2185 | files_search_home($1) | |
1f91e1bf CP |
2186 | ') |
2187 | ||
725926c5 CP |
2188 | ######################################## |
2189 | ## <summary> | |
296273a7 | 2190 | ## Read user home files. |
725926c5 CP |
2191 | ## </summary> |
2192 | ## <param name="domain"> | |
885b83ec | 2193 | ## <summary> |
725926c5 | 2194 | ## Domain allowed access. |
885b83ec | 2195 | ## </summary> |
725926c5 CP |
2196 | ## </param> |
2197 | # | |
296273a7 CP |
2198 | interface(`userdom_read_user_home_content_files',` |
2199 | gen_require(` | |
2200 | type user_home_dir_t, user_home_t; | |
2201 | ') | |
2202 | ||
3eaa9939 | 2203 | list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) |
296273a7 CP |
2204 | read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) |
2205 | files_search_home($1) | |
725926c5 CP |
2206 | ') |
2207 | ||
daa0e0b0 | 2208 | ######################################## |
ab940a4c | 2209 | ## <summary> |
3eaa9939 | 2210 | ## Do not audit attempts to getattr user home files. |
ab940a4c | 2211 | ## </summary> |
414e4151 | 2212 | ## <param name="domain"> |
885b83ec | 2213 | ## <summary> |
296273a7 | 2214 | ## Domain to not audit. |
885b83ec | 2215 | ## </summary> |
414e4151 | 2216 | ## </param> |
490639cd | 2217 | # |
3eaa9939 | 2218 | interface(`userdom_dontaudit_getattr_user_home_content',` |
296273a7 | 2219 | gen_require(` |
3eaa9939 | 2220 | attribute user_home_type; |
296273a7 CP |
2221 | ') |
2222 | ||
3eaa9939 DW |
2223 | dontaudit $1 user_home_type:dir getattr; |
2224 | dontaudit $1 user_home_type:file getattr; | |
2225 | ') | |
2226 | ||
2227 | ######################################## | |
2228 | ## <summary> | |
2229 | ## Do not audit attempts to read user home files. | |
2230 | ## </summary> | |
2231 | ## <param name="domain"> | |
2232 | ## <summary> | |
2233 | ## Domain to not audit. | |
2234 | ## </summary> | |
2235 | ## </param> | |
2236 | # | |
2237 | interface(`userdom_dontaudit_read_user_home_content_files',` | |
2238 | gen_require(` | |
2239 | attribute user_home_type; | |
2240 | type user_home_dir_t; | |
2241 | ') | |
2242 | ||
2243 | dontaudit $1 user_home_dir_t:dir list_dir_perms; | |
2244 | dontaudit $1 user_home_type:dir list_dir_perms; | |
2245 | dontaudit $1 user_home_type:file read_file_perms; | |
2246 | dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; | |
fd89e19f CP |
2247 | ') |
2248 | ||
50aca6d2 CP |
2249 | ######################################## |
2250 | ## <summary> | |
296273a7 | 2251 | ## Do not audit attempts to append user home files. |
50aca6d2 CP |
2252 | ## </summary> |
2253 | ## <param name="domain"> | |
885b83ec | 2254 | ## <summary> |
50aca6d2 | 2255 | ## Domain to not audit. |
885b83ec | 2256 | ## </summary> |
50aca6d2 CP |
2257 | ## </param> |
2258 | # | |
296273a7 CP |
2259 | interface(`userdom_dontaudit_append_user_home_content_files',` |
2260 | gen_require(` | |
2261 | type user_home_t; | |
2262 | ') | |
2263 | ||
bf530f53 | 2264 | dontaudit $1 user_home_t:file append_file_perms; |
50aca6d2 CP |
2265 | ') |
2266 | ||
fd89e19f CP |
2267 | ######################################## |
2268 | ## <summary> | |
296273a7 | 2269 | ## Do not audit attempts to write user home files. |
fd89e19f CP |
2270 | ## </summary> |
2271 | ## <param name="domain"> | |
885b83ec | 2272 | ## <summary> |
296273a7 | 2273 | ## Domain to not audit. |
885b83ec | 2274 | ## </summary> |
fd89e19f CP |
2275 | ## </param> |
2276 | # | |
296273a7 CP |
2277 | interface(`userdom_dontaudit_write_user_home_content_files',` |
2278 | gen_require(` | |
2279 | type user_home_t; | |
2280 | ') | |
2281 | ||
bf530f53 | 2282 | dontaudit $1 user_home_t:file write_file_perms; |
daa0e0b0 CP |
2283 | ') |
2284 | ||
4083191c CP |
2285 | ######################################## |
2286 | ## <summary> | |
2287 | ## Delete files in a user home subdirectory. | |
2288 | ## </summary> | |
2289 | ## <param name="domain"> | |
2290 | ## <summary> | |
2291 | ## Domain allowed access. | |
2292 | ## </summary> | |
2293 | ## </param> | |
2294 | # | |
2295 | interface(`userdom_delete_user_home_content_files',` | |
2296 | gen_require(` | |
2297 | type user_home_t; | |
2298 | ') | |
2299 | ||
2300 | allow $1 user_home_t:file delete_file_perms; | |
2301 | ') | |
2302 | ||
a6687c87 DG |
2303 | ######################################## |
2304 | ## <summary> | |
2305 | ## Delete all files in a user home subdirectory. | |
2306 | ## </summary> | |
2307 | ## <param name="domain"> | |
2308 | ## <summary> | |
2309 | ## Domain allowed access. | |
2310 | ## </summary> | |
2311 | ## </param> | |
2312 | # | |
2313 | interface(`userdom_delete_all_user_home_content_files',` | |
2314 | gen_require(` | |
2315 | attribute user_home_type; | |
2316 | ') | |
2317 | ||
2318 | allow $1 user_home_type:file delete_file_perms; | |
2319 | ') | |
2320 | ||
d4dca585 | 2321 | ######################################## |
ae841c05 DW |
2322 | ## <summary> |
2323 | ## Delete sock files in a user home subdirectory. | |
2324 | ## </summary> | |
2325 | ## <param name="domain"> | |
2326 | ## <summary> | |
2327 | ## Domain allowed access. | |
2328 | ## </summary> | |
2329 | ## </param> | |
2330 | # | |
2331 | interface(`userdom_delete_user_home_content_sock_files',` | |
2332 | gen_require(` | |
2333 | type user_home_t; | |
2334 | ') | |
2335 | ||
2336 | allow $1 user_home_t:sock_file delete_file_perms; | |
2337 | ') | |
2338 | ||
a6687c87 DG |
2339 | ######################################## |
2340 | ## <summary> | |
2341 | ## Delete all sock files in a user home subdirectory. | |
2342 | ## </summary> | |
2343 | ## <param name="domain"> | |
2344 | ## <summary> | |
2345 | ## Domain allowed access. | |
2346 | ## </summary> | |
2347 | ## </param> | |
2348 | # | |
2349 | interface(`userdom_delete_all_user_home_content_sock_files',` | |
2350 | gen_require(` | |
2351 | attribute user_home_type; | |
2352 | ') | |
2353 | ||
2354 | allow $1 user_home_type:sock_file delete_file_perms; | |
2355 | ') | |
2356 | ||
d4dca585 CP |
2357 | ######################################## |
2358 | ## <summary> | |
296273a7 | 2359 | ## Do not audit attempts to write user home files. |
d4dca585 CP |
2360 | ## </summary> |
2361 | ## <param name="domain"> | |
885b83ec | 2362 | ## <summary> |
d4dca585 | 2363 | ## Domain to not audit. |
885b83ec | 2364 | ## </summary> |
d4dca585 CP |
2365 | ## </param> |
2366 | # | |
296273a7 CP |
2367 | interface(`userdom_dontaudit_relabel_user_home_content_files',` |
2368 | gen_require(` | |
2369 | type user_home_t; | |
2370 | ') | |
2371 | ||
2372 | dontaudit $1 user_home_t:file relabel_file_perms; | |
d4dca585 CP |
2373 | ') |
2374 | ||
0404a390 | 2375 | ######################################## |
ab940a4c | 2376 | ## <summary> |
296273a7 | 2377 | ## Read user home subdirectory symbolic links. |
ab940a4c | 2378 | ## </summary> |
414e4151 | 2379 | ## <param name="domain"> |
885b83ec | 2380 | ## <summary> |
725926c5 | 2381 | ## Domain allowed access. |
885b83ec | 2382 | ## </summary> |
414e4151 | 2383 | ## </param> |
0404a390 | 2384 | # |
296273a7 CP |
2385 | interface(`userdom_read_user_home_content_symlinks',` |
2386 | gen_require(` | |
2387 | type user_home_dir_t, user_home_t; | |
2388 | ') | |
2389 | ||
3eaa9939 | 2390 | allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; |
daa0e0b0 CP |
2391 | ') |
2392 | ||
763c441e | 2393 | ######################################## |
ab940a4c | 2394 | ## <summary> |
296273a7 | 2395 | ## Execute user home files. |
ab940a4c | 2396 | ## </summary> |
414e4151 | 2397 | ## <param name="domain"> |
885b83ec | 2398 | ## <summary> |
296273a7 | 2399 | ## Domain allowed access. |
885b83ec | 2400 | ## </summary> |
414e4151 | 2401 | ## </param> |
296273a7 | 2402 | ## <rolecap/> |
763c441e | 2403 | # |
296273a7 CP |
2404 | interface(`userdom_exec_user_home_content_files',` |
2405 | gen_require(` | |
3eaa9939 DW |
2406 | type user_home_dir_t; |
2407 | attribute user_home_type; | |
296273a7 CP |
2408 | ') |
2409 | ||
2410 | files_search_home($1) | |
3eaa9939 DW |
2411 | exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) |
2412 | dontaudit $1 user_home_type:sock_file execute; | |
296273a7 | 2413 | ') |
763c441e | 2414 | |
fd89e19f CP |
2415 | ######################################## |
2416 | ## <summary> | |
296273a7 | 2417 | ## Do not audit attempts to execute user home files. |
fd89e19f CP |
2418 | ## </summary> |
2419 | ## <param name="domain"> | |
885b83ec | 2420 | ## <summary> |
a0546c9d | 2421 | ## Domain to not audit. |
885b83ec | 2422 | ## </summary> |
fd89e19f CP |
2423 | ## </param> |
2424 | # | |
296273a7 CP |
2425 | interface(`userdom_dontaudit_exec_user_home_content_files',` |
2426 | gen_require(` | |
2427 | type user_home_t; | |
2428 | ') | |
2429 | ||
bf530f53 | 2430 | dontaudit $1 user_home_t:file exec_file_perms; |
fd89e19f CP |
2431 | ') |
2432 | ||
2433 | ######################################## | |
2434 | ## <summary> | |
296273a7 CP |
2435 | ## Create, read, write, and delete files |
2436 | ## in a user home subdirectory. | |
fd89e19f CP |
2437 | ## </summary> |
2438 | ## <param name="domain"> | |
885b83ec | 2439 | ## <summary> |
725926c5 | 2440 | ## Domain allowed access. |
885b83ec | 2441 | ## </summary> |
fd89e19f CP |
2442 | ## </param> |
2443 | # | |
296273a7 CP |
2444 | interface(`userdom_manage_user_home_content_files',` |
2445 | gen_require(` | |
2446 | type user_home_dir_t, user_home_t; | |
2447 | ') | |
2448 | ||
2449 | manage_files_pattern($1, user_home_t, user_home_t) | |
2450 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2451 | files_search_home($1) | |
fd89e19f CP |
2452 | ') |
2453 | ||
799a0b43 CP |
2454 | ######################################## |
2455 | ## <summary> | |
296273a7 CP |
2456 | ## Do not audit attempts to create, read, write, and delete directories |
2457 | ## in a user home subdirectory. | |
799a0b43 CP |
2458 | ## </summary> |
2459 | ## <param name="domain"> | |
885b83ec | 2460 | ## <summary> |
a0546c9d | 2461 | ## Domain to not audit. |
885b83ec | 2462 | ## </summary> |
799a0b43 CP |
2463 | ## </param> |
2464 | # | |
296273a7 CP |
2465 | interface(`userdom_dontaudit_manage_user_home_content_dirs',` |
2466 | gen_require(` | |
2467 | type user_home_dir_t, user_home_t; | |
2468 | ') | |
2469 | ||
2470 | dontaudit $1 user_home_t:dir manage_dir_perms; | |
799a0b43 CP |
2471 | ') |
2472 | ||
44fc06b0 CP |
2473 | ######################################## |
2474 | ## <summary> | |
296273a7 CP |
2475 | ## Create, read, write, and delete symbolic links |
2476 | ## in a user home subdirectory. | |
44fc06b0 CP |
2477 | ## </summary> |
2478 | ## <param name="domain"> | |
885b83ec | 2479 | ## <summary> |
296273a7 | 2480 | ## Domain allowed access. |
885b83ec | 2481 | ## </summary> |
44fc06b0 CP |
2482 | ## </param> |
2483 | # | |
296273a7 CP |
2484 | interface(`userdom_manage_user_home_content_symlinks',` |
2485 | gen_require(` | |
2486 | type user_home_dir_t, user_home_t; | |
2487 | ') | |
2488 | ||
2489 | manage_lnk_files_pattern($1, user_home_t, user_home_t) | |
2490 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2491 | files_search_home($1) | |
44fc06b0 CP |
2492 | ') |
2493 | ||
4083191c CP |
2494 | ######################################## |
2495 | ## <summary> | |
2496 | ## Delete symbolic links in a user home directory. | |
2497 | ## </summary> | |
2498 | ## <param name="domain"> | |
2499 | ## <summary> | |
2500 | ## Domain allowed access. | |
2501 | ## </summary> | |
2502 | ## </param> | |
2503 | # | |
2504 | interface(`userdom_delete_user_home_content_symlinks',` | |
2505 | gen_require(` | |
2506 | type user_home_t; | |
2507 | ') | |
2508 | ||
2509 | allow $1 user_home_t:lnk_file delete_lnk_file_perms; | |
2510 | ') | |
2511 | ||
a6687c87 DG |
2512 | ######################################## |
2513 | ## <summary> | |
2514 | ## Delete all symbolic links in a user home directory. | |
2515 | ## </summary> | |
2516 | ## <param name="domain"> | |
2517 | ## <summary> | |
2518 | ## Domain allowed access. | |
2519 | ## </summary> | |
2520 | ## </param> | |
2521 | # | |
2522 | interface(`userdom_delete_all_user_home_content_symlinks',` | |
2523 | gen_require(` | |
2524 | attribute user_home_type; | |
2525 | ') | |
2526 | ||
2527 | allow $1 user_home_type:lnk_file delete_lnk_file_perms; | |
2528 | ') | |
2529 | ||
ae9e2716 CP |
2530 | ######################################## |
2531 | ## <summary> | |
296273a7 CP |
2532 | ## Create, read, write, and delete named pipes |
2533 | ## in a user home subdirectory. | |
ae9e2716 CP |
2534 | ## </summary> |
2535 | ## <param name="domain"> | |
885b83ec | 2536 | ## <summary> |
296273a7 | 2537 | ## Domain allowed access. |
885b83ec | 2538 | ## </summary> |
ae9e2716 CP |
2539 | ## </param> |
2540 | # | |
296273a7 CP |
2541 | interface(`userdom_manage_user_home_content_pipes',` |
2542 | gen_require(` | |
2543 | type user_home_dir_t, user_home_t; | |
2544 | ') | |
2545 | ||
2546 | manage_fifo_files_pattern($1, user_home_t, user_home_t) | |
2547 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2548 | files_search_home($1) | |
ae9e2716 CP |
2549 | ') |
2550 | ||
2551 | ######################################## | |
2552 | ## <summary> | |
296273a7 CP |
2553 | ## Create, read, write, and delete named sockets |
2554 | ## in a user home subdirectory. | |
ae9e2716 CP |
2555 | ## </summary> |
2556 | ## <param name="domain"> | |
885b83ec | 2557 | ## <summary> |
296273a7 | 2558 | ## Domain allowed access. |
885b83ec | 2559 | ## </summary> |
ae9e2716 CP |
2560 | ## </param> |
2561 | # | |
296273a7 CP |
2562 | interface(`userdom_manage_user_home_content_sockets',` |
2563 | gen_require(` | |
2564 | type user_home_dir_t, user_home_t; | |
2565 | ') | |
2566 | ||
2567 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2568 | manage_sock_files_pattern($1, user_home_t, user_home_t) | |
2569 | files_search_home($1) | |
ae9e2716 CP |
2570 | ') |
2571 | ||
725926c5 CP |
2572 | ######################################## |
2573 | ## <summary> | |
296273a7 CP |
2574 | ## Create objects in a user home directory |
2575 | ## with an automatic type transition to | |
2576 | ## a specified private type. | |
725926c5 CP |
2577 | ## </summary> |
2578 | ## <param name="domain"> | |
885b83ec | 2579 | ## <summary> |
725926c5 | 2580 | ## Domain allowed access. |
885b83ec | 2581 | ## </summary> |
725926c5 | 2582 | ## </param> |
296273a7 | 2583 | ## <param name="private_type"> |
885b83ec | 2584 | ## <summary> |
296273a7 | 2585 | ## The type of the object to create. |
885b83ec | 2586 | ## </summary> |
b11a75a5 | 2587 | ## </param> |
296273a7 | 2588 | ## <param name="object_class"> |
885b83ec | 2589 | ## <summary> |
296273a7 | 2590 | ## The class of the object to be created. |
885b83ec | 2591 | ## </summary> |
e1c41428 CP |
2592 | ## </param> |
2593 | # | |
296273a7 CP |
2594 | interface(`userdom_user_home_dir_filetrans',` |
2595 | gen_require(` | |
2596 | type user_home_dir_t; | |
2597 | ') | |
2598 | ||
ae4832c7 | 2599 | filetrans_pattern($1, user_home_dir_t, $2, $3, $4) |
296273a7 | 2600 | files_search_home($1) |
e1c41428 CP |
2601 | ') |
2602 | ||
10b1f324 CP |
2603 | ######################################## |
2604 | ## <summary> | |
296273a7 CP |
2605 | ## Create objects in a user home directory |
2606 | ## with an automatic type transition to | |
2607 | ## a specified private type. | |
10b1f324 CP |
2608 | ## </summary> |
2609 | ## <param name="domain"> | |
885b83ec | 2610 | ## <summary> |
10b1f324 | 2611 | ## Domain allowed access. |
885b83ec | 2612 | ## </summary> |
10b1f324 | 2613 | ## </param> |
296273a7 | 2614 | ## <param name="private_type"> |
885b83ec | 2615 | ## <summary> |
296273a7 | 2616 | ## The type of the object to create. |
885b83ec | 2617 | ## </summary> |
ee9500ec CP |
2618 | ## </param> |
2619 | ## <param name="object_class"> | |
885b83ec | 2620 | ## <summary> |
10b1f324 | 2621 | ## The class of the object to be created. |
885b83ec | 2622 | ## </summary> |
10b1f324 CP |
2623 | ## </param> |
2624 | # | |
296273a7 CP |
2625 | interface(`userdom_user_home_content_filetrans',` |
2626 | gen_require(` | |
2627 | type user_home_dir_t, user_home_t; | |
2628 | ') | |
2629 | ||
2630 | filetrans_pattern($1, user_home_t, $2, $3) | |
2631 | allow $1 user_home_dir_t:dir search_dir_perms; | |
2632 | files_search_home($1) | |
10b1f324 CP |
2633 | ') |
2634 | ||
2635 | ######################################## | |
2636 | ## <summary> | |
296273a7 CP |
2637 | ## Create objects in a user home directory |
2638 | ## with an automatic type transition to | |
2639 | ## the user home file type. | |
10b1f324 CP |
2640 | ## </summary> |
2641 | ## <param name="domain"> | |
885b83ec | 2642 | ## <summary> |
296273a7 CP |
2643 | ## Domain allowed access. |
2644 | ## </summary> | |
2645 | ## </param> | |
2646 | ## <param name="object_class"> | |
2647 | ## <summary> | |
2648 | ## The class of the object to be created. | |
885b83ec | 2649 | ## </summary> |
10b1f324 CP |
2650 | ## </param> |
2651 | # | |
296273a7 CP |
2652 | interface(`userdom_user_home_dir_filetrans_user_home_content',` |
2653 | gen_require(` | |
2654 | type user_home_dir_t, user_home_t; | |
2655 | ') | |
2656 | ||
2657 | filetrans_pattern($1, user_home_dir_t, user_home_t, $2) | |
2658 | files_search_home($1) | |
10b1f324 CP |
2659 | ') |
2660 | ||
fd89e19f CP |
2661 | ######################################## |
2662 | ## <summary> | |
ff8f0a63 | 2663 | ## Write to user temporary named sockets. |
fd89e19f CP |
2664 | ## </summary> |
2665 | ## <param name="domain"> | |
885b83ec | 2666 | ## <summary> |
ff8f0a63 | 2667 | ## Domain allowed access. |
885b83ec | 2668 | ## </summary> |
fd89e19f CP |
2669 | ## </param> |
2670 | # | |
296273a7 CP |
2671 | interface(`userdom_write_user_tmp_sockets',` |
2672 | gen_require(` | |
2673 | type user_tmp_t; | |
2674 | ') | |
2675 | ||
4cb24aed | 2676 | allow $1 user_tmp_t:sock_file write_sock_file_perms; |
296273a7 | 2677 | files_search_tmp($1) |
ed38ca9f | 2678 | ') |
fd89e19f | 2679 | |
ed38ca9f CP |
2680 | ######################################## |
2681 | ## <summary> | |
296273a7 | 2682 | ## List user temporary directories. |
ed38ca9f CP |
2683 | ## </summary> |
2684 | ## <param name="domain"> | |
2685 | ## <summary> | |
2686 | ## Domain allowed access. | |
2687 | ## </summary> | |
2688 | ## </param> | |
2689 | # | |
296273a7 CP |
2690 | interface(`userdom_list_user_tmp',` |
2691 | gen_require(` | |
2692 | type user_tmp_t; | |
2693 | ') | |
2694 | ||
2695 | allow $1 user_tmp_t:dir list_dir_perms; | |
2696 | files_search_tmp($1) | |
fd89e19f CP |
2697 | ') |
2698 | ||
1786478c CP |
2699 | ######################################## |
2700 | ## <summary> | |
296273a7 CP |
2701 | ## Do not audit attempts to list user |
2702 | ## temporary directories. | |
1786478c CP |
2703 | ## </summary> |
2704 | ## <param name="domain"> | |
2705 | ## <summary> | |
296273a7 | 2706 | ## Domain to not audit. |
1786478c CP |
2707 | ## </summary> |
2708 | ## </param> | |
2709 | # | |
296273a7 | 2710 | interface(`userdom_dontaudit_list_user_tmp',` |
1786478c | 2711 | gen_require(` |
296273a7 | 2712 | type user_tmp_t; |
1786478c CP |
2713 | ') |
2714 | ||
296273a7 | 2715 | dontaudit $1 user_tmp_t:dir list_dir_perms; |
1786478c CP |
2716 | ') |
2717 | ||
9778406f CP |
2718 | ######################################## |
2719 | ## <summary> | |
296273a7 CP |
2720 | ## Do not audit attempts to manage users |
2721 | ## temporary directories. | |
9778406f CP |
2722 | ## </summary> |
2723 | ## <param name="domain"> | |
885b83ec | 2724 | ## <summary> |
296273a7 | 2725 | ## Domain to not audit. |
885b83ec | 2726 | ## </summary> |
9778406f CP |
2727 | ## </param> |
2728 | # | |
296273a7 | 2729 | interface(`userdom_dontaudit_manage_user_tmp_dirs',` |
9778406f | 2730 | gen_require(` |
296273a7 | 2731 | type user_tmp_t; |
9778406f CP |
2732 | ') |
2733 | ||
296273a7 | 2734 | dontaudit $1 user_tmp_t:dir manage_dir_perms; |
9778406f CP |
2735 | ') |
2736 | ||
4bf4ed9e | 2737 | ######################################## |
ab940a4c | 2738 | ## <summary> |
296273a7 | 2739 | ## Read user temporary files. |
ab940a4c | 2740 | ## </summary> |
414e4151 | 2741 | ## <param name="domain"> |
885b83ec | 2742 | ## <summary> |
725926c5 | 2743 | ## Domain allowed access. |
885b83ec | 2744 | ## </summary> |
414e4151 | 2745 | ## </param> |
4bf4ed9e | 2746 | # |
296273a7 | 2747 | interface(`userdom_read_user_tmp_files',` |
0404a390 | 2748 | gen_require(` |
296273a7 | 2749 | type user_tmp_t; |
0404a390 | 2750 | ') |
0c73cd25 | 2751 | |
296273a7 CP |
2752 | read_files_pattern($1, user_tmp_t, user_tmp_t) |
2753 | allow $1 user_tmp_t:dir list_dir_perms; | |
2754 | files_search_tmp($1) | |
4bf4ed9e CP |
2755 | ') |
2756 | ||
ae9e2716 CP |
2757 | ######################################## |
2758 | ## <summary> | |
296273a7 CP |
2759 | ## Do not audit attempts to read users |
2760 | ## temporary files. | |
ae9e2716 CP |
2761 | ## </summary> |
2762 | ## <param name="domain"> | |
885b83ec | 2763 | ## <summary> |
ae9e2716 | 2764 | ## Domain to not audit. |
885b83ec | 2765 | ## </summary> |
ae9e2716 CP |
2766 | ## </param> |
2767 | # | |
296273a7 | 2768 | interface(`userdom_dontaudit_read_user_tmp_files',` |
ae9e2716 | 2769 | gen_require(` |
296273a7 | 2770 | type user_tmp_t; |
ae9e2716 CP |
2771 | ') |
2772 | ||
3eaa9939 | 2773 | dontaudit $1 user_tmp_t:file read_inherited_file_perms; |
ae9e2716 CP |
2774 | ') |
2775 | ||
daa0e0b0 | 2776 | ######################################## |
ab940a4c | 2777 | ## <summary> |
296273a7 CP |
2778 | ## Do not audit attempts to append users |
2779 | ## temporary files. | |
ab940a4c | 2780 | ## </summary> |
414e4151 | 2781 | ## <param name="domain"> |
885b83ec | 2782 | ## <summary> |
296273a7 | 2783 | ## Domain to not audit. |
885b83ec | 2784 | ## </summary> |
414e4151 | 2785 | ## </param> |
daa0e0b0 | 2786 | # |
296273a7 | 2787 | interface(`userdom_dontaudit_append_user_tmp_files',` |
0404a390 | 2788 | gen_require(` |
296273a7 | 2789 | type user_tmp_t; |
0404a390 | 2790 | ') |
0c73cd25 | 2791 | |
bf530f53 | 2792 | dontaudit $1 user_tmp_t:file append_file_perms; |
daa0e0b0 CP |
2793 | ') |
2794 | ||
fc6524d7 CP |
2795 | ######################################## |
2796 | ## <summary> | |
296273a7 | 2797 | ## Read and write user temporary files. |
fc6524d7 CP |
2798 | ## </summary> |
2799 | ## <param name="domain"> | |
885b83ec | 2800 | ## <summary> |
725926c5 | 2801 | ## Domain allowed access. |
885b83ec | 2802 | ## </summary> |
fc6524d7 CP |
2803 | ## </param> |
2804 | # | |
296273a7 | 2805 | interface(`userdom_rw_user_tmp_files',` |
fc6524d7 | 2806 | gen_require(` |
296273a7 | 2807 | type user_tmp_t; |
fc6524d7 CP |
2808 | ') |
2809 | ||
296273a7 CP |
2810 | allow $1 user_tmp_t:dir list_dir_perms; |
2811 | rw_files_pattern($1, user_tmp_t, user_tmp_t) | |
2812 | files_search_tmp($1) | |
fc6524d7 CP |
2813 | ') |
2814 | ||
2815 | ######################################## | |
2816 | ## <summary> | |
296273a7 CP |
2817 | ## Do not audit attempts to manage users |
2818 | ## temporary files. | |
fc6524d7 CP |
2819 | ## </summary> |
2820 | ## <param name="domain"> | |
885b83ec | 2821 | ## <summary> |
296273a7 | 2822 | ## Domain to not audit. |
885b83ec | 2823 | ## </summary> |
fc6524d7 CP |
2824 | ## </param> |
2825 | # | |
296273a7 | 2826 | interface(`userdom_dontaudit_manage_user_tmp_files',` |
fc6524d7 | 2827 | gen_require(` |
296273a7 | 2828 | type user_tmp_t; |
fc6524d7 CP |
2829 | ') |
2830 | ||
296273a7 | 2831 | dontaudit $1 user_tmp_t:file manage_file_perms; |
fc6524d7 CP |
2832 | ') |
2833 | ||
2834 | ######################################## | |
2835 | ## <summary> | |
296273a7 | 2836 | ## Read user temporary symbolic links. |
fc6524d7 CP |
2837 | ## </summary> |
2838 | ## <param name="domain"> | |
885b83ec | 2839 | ## <summary> |
725926c5 | 2840 | ## Domain allowed access. |
885b83ec | 2841 | ## </summary> |
fc6524d7 CP |
2842 | ## </param> |
2843 | # | |
296273a7 | 2844 | interface(`userdom_read_user_tmp_symlinks',` |
fc6524d7 | 2845 | gen_require(` |
296273a7 | 2846 | type user_tmp_t; |
fc6524d7 CP |
2847 | ') |
2848 | ||
296273a7 CP |
2849 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2850 | allow $1 user_tmp_t:dir list_dir_perms; | |
2851 | files_search_tmp($1) | |
fc6524d7 CP |
2852 | ') |
2853 | ||
784a3bbc CP |
2854 | ######################################## |
2855 | ## <summary> | |
296273a7 CP |
2856 | ## Create, read, write, and delete user |
2857 | ## temporary directories. | |
784a3bbc | 2858 | ## </summary> |
784a3bbc | 2859 | ## <param name="domain"> |
885b83ec | 2860 | ## <summary> |
725926c5 | 2861 | ## Domain allowed access. |
885b83ec | 2862 | ## </summary> |
784a3bbc CP |
2863 | ## </param> |
2864 | # | |
296273a7 | 2865 | interface(`userdom_manage_user_tmp_dirs',` |
784a3bbc | 2866 | gen_require(` |
296273a7 | 2867 | type user_tmp_t; |
784a3bbc CP |
2868 | ') |
2869 | ||
296273a7 CP |
2870 | manage_dirs_pattern($1, user_tmp_t, user_tmp_t) |
2871 | files_search_tmp($1) | |
784a3bbc CP |
2872 | ') |
2873 | ||
daa0e0b0 | 2874 | ######################################## |
ab940a4c | 2875 | ## <summary> |
296273a7 CP |
2876 | ## Create, read, write, and delete user |
2877 | ## temporary files. | |
ab940a4c CP |
2878 | ## </summary> |
2879 | ## <param name="domain"> | |
885b83ec | 2880 | ## <summary> |
725926c5 | 2881 | ## Domain allowed access. |
885b83ec | 2882 | ## </summary> |
ab940a4c CP |
2883 | ## </param> |
2884 | # | |
296273a7 | 2885 | interface(`userdom_manage_user_tmp_files',` |
ab940a4c | 2886 | gen_require(` |
296273a7 | 2887 | type user_tmp_t; |
ab940a4c CP |
2888 | ') |
2889 | ||
296273a7 CP |
2890 | manage_files_pattern($1, user_tmp_t, user_tmp_t) |
2891 | files_search_tmp($1) | |
ab940a4c CP |
2892 | ') |
2893 | ||
2894 | ######################################## | |
2895 | ## <summary> | |
296273a7 CP |
2896 | ## Create, read, write, and delete user |
2897 | ## temporary symbolic links. | |
ab940a4c | 2898 | ## </summary> |
414e4151 | 2899 | ## <param name="domain"> |
885b83ec | 2900 | ## <summary> |
725926c5 | 2901 | ## Domain allowed access. |
885b83ec | 2902 | ## </summary> |
414e4151 | 2903 | ## </param> |
490639cd | 2904 | # |
296273a7 | 2905 | interface(`userdom_manage_user_tmp_symlinks',` |
0404a390 | 2906 | gen_require(` |
296273a7 | 2907 | type user_tmp_t; |
0404a390 | 2908 | ') |
0c73cd25 | 2909 | |
296273a7 CP |
2910 | manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) |
2911 | files_search_tmp($1) | |
490639cd CP |
2912 | ') |
2913 | ||
4bf4ed9e | 2914 | ######################################## |
ab940a4c | 2915 | ## <summary> |
296273a7 CP |
2916 | ## Create, read, write, and delete user |
2917 | ## temporary named pipes. | |
ab940a4c | 2918 | ## </summary> |
414e4151 | 2919 | ## <param name="domain"> |
885b83ec | 2920 | ## <summary> |
725926c5 | 2921 | ## Domain allowed access. |
885b83ec | 2922 | ## </summary> |
414e4151 | 2923 | ## </param> |
4bf4ed9e | 2924 | # |
296273a7 | 2925 | interface(`userdom_manage_user_tmp_pipes',` |
0404a390 | 2926 | gen_require(` |
296273a7 | 2927 | type user_tmp_t; |
0404a390 | 2928 | ') |
0c73cd25 | 2929 | |
296273a7 CP |
2930 | manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) |
2931 | files_search_tmp($1) | |
4bf4ed9e CP |
2932 | ') |
2933 | ||
0404a390 | 2934 | ######################################## |
ab940a4c | 2935 | ## <summary> |
296273a7 CP |
2936 | ## Create, read, write, and delete user |
2937 | ## temporary named sockets. | |
ab940a4c | 2938 | ## </summary> |
414e4151 | 2939 | ## <param name="domain"> |
885b83ec | 2940 | ## <summary> |
57a96cbd | 2941 | ## Domain allowed access. |
885b83ec | 2942 | ## </summary> |
414e4151 | 2943 | ## </param> |
0404a390 | 2944 | # |
296273a7 CP |
2945 | interface(`userdom_manage_user_tmp_sockets',` |
2946 | gen_require(` | |
2947 | type user_tmp_t; | |
2948 | ') | |
2949 | ||
2950 | manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) | |
2951 | files_search_tmp($1) | |
4bf4ed9e CP |
2952 | ') |
2953 | ||
4614e83f CP |
2954 | ######################################## |
2955 | ## <summary> | |
296273a7 CP |
2956 | ## Create objects in a user temporary directory |
2957 | ## with an automatic type transition to | |
2958 | ## a specified private type. | |
4614e83f CP |
2959 | ## </summary> |
2960 | ## <param name="domain"> | |
885b83ec | 2961 | ## <summary> |
4614e83f | 2962 | ## Domain allowed access. |
885b83ec | 2963 | ## </summary> |
4614e83f | 2964 | ## </param> |
296273a7 CP |
2965 | ## <param name="private_type"> |
2966 | ## <summary> | |
2967 | ## The type of the object to create. | |
2968 | ## </summary> | |
2969 | ## </param> | |
2970 | ## <param name="object_class"> | |
2971 | ## <summary> | |
2972 | ## The class of the object to be created. | |
2973 | ## </summary> | |
2974 | ## </param> | |
4614e83f | 2975 | # |
296273a7 CP |
2976 | interface(`userdom_user_tmp_filetrans',` |
2977 | gen_require(` | |
2978 | type user_tmp_t; | |
2979 | ') | |
2980 | ||
06264551 | 2981 | filetrans_pattern($1, user_tmp_t, $2, $3, $4) |
296273a7 | 2982 | files_search_tmp($1) |
4614e83f CP |
2983 | ') |
2984 | ||
daa0e0b0 | 2985 | ######################################## |
ab940a4c | 2986 | ## <summary> |
296273a7 CP |
2987 | ## Create objects in the temporary directory |
2988 | ## with an automatic type transition to | |
2989 | ## the user temporary type. | |
57a96cbd CP |
2990 | ## </summary> |
2991 | ## <param name="domain"> | |
885b83ec | 2992 | ## <summary> |
57a96cbd | 2993 | ## Domain allowed access. |
885b83ec | 2994 | ## </summary> |
57a96cbd | 2995 | ## </param> |
1c1ac67f | 2996 | ## <param name="object_class"> |
885b83ec | 2997 | ## <summary> |
57a96cbd | 2998 | ## The class of the object to be created. |
885b83ec | 2999 | ## </summary> |
57a96cbd CP |
3000 | ## </param> |
3001 | # | |
296273a7 CP |
3002 | interface(`userdom_tmp_filetrans_user_tmp',` |
3003 | gen_require(` | |
3004 | type user_tmp_t; | |
3005 | ') | |
3006 | ||
3007 | files_tmp_filetrans($1, user_tmp_t, $2) | |
57a96cbd CP |
3008 | ') |
3009 | ||
a9e9678f CP |
3010 | ######################################## |
3011 | ## <summary> | |
3012 | ## Read user tmpfs files. | |
3013 | ## </summary> | |
3014 | ## <param name="domain"> | |
3015 | ## <summary> | |
3016 | ## Domain allowed access. | |
3017 | ## </summary> | |
3018 | ## </param> | |
3019 | # | |
3020 | interface(`userdom_read_user_tmpfs_files',` | |
3021 | gen_require(` | |
3022 | type user_tmpfs_t; | |
3023 | ') | |
3024 | ||
3025 | read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3eaa9939 | 3026 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) |
a9e9678f CP |
3027 | allow $1 user_tmpfs_t:dir list_dir_perms; |
3028 | fs_search_tmpfs($1) | |
3029 | ') | |
3030 | ||
d4dca585 CP |
3031 | ######################################## |
3032 | ## <summary> | |
3eaa9939 | 3033 | ## Read/Write user tmpfs files. |
d4dca585 CP |
3034 | ## </summary> |
3035 | ## <param name="domain"> | |
885b83ec | 3036 | ## <summary> |
d4dca585 | 3037 | ## Domain allowed access. |
885b83ec | 3038 | ## </summary> |
d4dca585 CP |
3039 | ## </param> |
3040 | # | |
296273a7 CP |
3041 | interface(`userdom_rw_user_tmpfs_files',` |
3042 | gen_require(` | |
3043 | type user_tmpfs_t; | |
3044 | ') | |
3045 | ||
3046 | rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3047 | read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) | |
3048 | allow $1 user_tmpfs_t:dir list_dir_perms; | |
3049 | fs_search_tmpfs($1) | |
d4dca585 CP |
3050 | ') |
3051 | ||
d9845ae9 CP |
3052 | ######################################## |
3053 | ## <summary> | |
296273a7 | 3054 | ## Get the attributes of a user domain tty. |
d9845ae9 CP |
3055 | ## </summary> |
3056 | ## <param name="domain"> | |
3057 | ## <summary> | |
3058 | ## Domain allowed access. | |
3059 | ## </summary> | |
3060 | ## </param> | |
3061 | # | |
296273a7 CP |
3062 | interface(`userdom_getattr_user_ttys',` |
3063 | gen_require(` | |
3064 | type user_tty_device_t; | |
3065 | ') | |
3066 | ||
bf530f53 | 3067 | allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
d9845ae9 CP |
3068 | ') |
3069 | ||
57a96cbd CP |
3070 | ######################################## |
3071 | ## <summary> | |
296273a7 | 3072 | ## Do not audit attempts to get the attributes of a user domain tty. |
57a96cbd CP |
3073 | ## </summary> |
3074 | ## <param name="domain"> | |
885b83ec | 3075 | ## <summary> |
a0546c9d | 3076 | ## Domain to not audit. |
885b83ec | 3077 | ## </summary> |
57a96cbd CP |
3078 | ## </param> |
3079 | # | |
296273a7 CP |
3080 | interface(`userdom_dontaudit_getattr_user_ttys',` |
3081 | gen_require(` | |
3082 | type user_tty_device_t; | |
3083 | ') | |
3084 | ||
bf530f53 | 3085 | dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; |
57a96cbd CP |
3086 | ') |
3087 | ||
d6d16b97 CP |
3088 | ######################################## |
3089 | ## <summary> | |
296273a7 | 3090 | ## Set the attributes of a user domain tty. |
d6d16b97 CP |
3091 | ## </summary> |
3092 | ## <param name="domain"> | |
3093 | ## <summary> | |
3094 | ## Domain allowed access. | |
3095 | ## </summary> | |
3096 | ## </param> | |
3097 | # | |
296273a7 CP |
3098 | interface(`userdom_setattr_user_ttys',` |
3099 | gen_require(` | |
3100 | type user_tty_device_t; | |
3101 | ') | |
3102 | ||
bf530f53 | 3103 | allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
d6d16b97 CP |
3104 | ') |
3105 | ||
165b42d2 CP |
3106 | ######################################## |
3107 | ## <summary> | |
296273a7 | 3108 | ## Do not audit attempts to set the attributes of a user domain tty. |
165b42d2 CP |
3109 | ## </summary> |
3110 | ## <param name="domain"> | |
3111 | ## <summary> | |
a0546c9d | 3112 | ## Domain to not audit. |
165b42d2 CP |
3113 | ## </summary> |
3114 | ## </param> | |
3115 | # | |
296273a7 CP |
3116 | interface(`userdom_dontaudit_setattr_user_ttys',` |
3117 | gen_require(` | |
3118 | type user_tty_device_t; | |
3119 | ') | |
3120 | ||
bf530f53 | 3121 | dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; |
165b42d2 CP |
3122 | ') |
3123 | ||
d6d16b97 CP |
3124 | ######################################## |
3125 | ## <summary> | |
296273a7 | 3126 | ## Read and write a user domain tty. |
d6d16b97 CP |
3127 | ## </summary> |
3128 | ## <param name="domain"> | |
3129 | ## <summary> | |
3130 | ## Domain allowed access. | |
3131 | ## </summary> | |
3132 | ## </param> | |
3133 | # | |
296273a7 CP |
3134 | interface(`userdom_use_user_ttys',` |
3135 | gen_require(` | |
3136 | type user_tty_device_t; | |
3137 | ') | |
3138 | ||
3139 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
d6d16b97 CP |
3140 | ') |
3141 | ||
af2d8802 MG |
3142 | ######################################## |
3143 | ## <summary> | |
3144 | ## Read and write a inherited user domain tty. | |
3145 | ## </summary> | |
3146 | ## <param name="domain"> | |
3147 | ## <summary> | |
3148 | ## Domain allowed access. | |
3149 | ## </summary> | |
3150 | ## </param> | |
3151 | # | |
3152 | interface(`userdom_use_inherited_user_ttys',` | |
3153 | gen_require(` | |
3154 | type user_tty_device_t; | |
3155 | ') | |
3156 | ||
3157 | allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; | |
3158 | ') | |
3159 | ||
57a96cbd CP |
3160 | ######################################## |
3161 | ## <summary> | |
296273a7 | 3162 | ## Read and write a user domain pty. |
57a96cbd CP |
3163 | ## </summary> |
3164 | ## <param name="domain"> | |
885b83ec | 3165 | ## <summary> |
57a96cbd | 3166 | ## Domain allowed access. |
885b83ec | 3167 | ## </summary> |
57a96cbd CP |
3168 | ## </param> |
3169 | # | |
296273a7 CP |
3170 | interface(`userdom_use_user_ptys',` |
3171 | gen_require(` | |
3172 | type user_devpts_t; | |
3173 | ') | |
3174 | ||
3175 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
3176 | ') |
3177 | ||
d6d16b97 CP |
3178 | ######################################## |
3179 | ## <summary> | |
af2d8802 MG |
3180 | ## Read and write a inherited user domain pty. |
3181 | ## </summary> | |
3182 | ## <param name="domain"> | |
3183 | ## <summary> | |
3184 | ## Domain allowed access. | |
3185 | ## </summary> | |
3186 | ## </param> | |
3187 | # | |
3188 | interface(`userdom_use_inherited_user_ptys',` | |
3189 | gen_require(` | |
3190 | type user_devpts_t; | |
3191 | ') | |
3192 | ||
3193 | allow $1 user_devpts_t:chr_file rw_inherited_term_perms; | |
3194 | ') | |
3195 | ||
57a96cbd | 3196 | ######################################## |
af2d8802 MG |
3197 | ## <summary> |
3198 | ## Read and write a inherited user TTYs and PTYs. | |
d6d16b97 | 3199 | ## </summary> |
c46376e6 CP |
3200 | ## <desc> |
3201 | ## <p> | |
af2d8802 | 3202 | ## Allow the specified domain to read and write inherited user |
c46376e6 CP |
3203 | ## TTYs and PTYs. This will allow the domain to |
3204 | ## interact with the user via the terminal. Typically | |
3205 | ## all interactive applications will require this | |
3206 | ## access. | |
3207 | ## </p> | |
c46376e6 | 3208 | ## </desc> |
d6d16b97 CP |
3209 | ## <param name="domain"> |
3210 | ## <summary> | |
3211 | ## Domain allowed access. | |
3212 | ## </summary> | |
3213 | ## </param> | |
c46376e6 | 3214 | ## <infoflow type="both" weight="10"/> |
d6d16b97 | 3215 | # |
af2d8802 | 3216 | interface(`userdom_use_inherited_user_terminals',` |
296273a7 CP |
3217 | gen_require(` |
3218 | type user_tty_device_t, user_devpts_t; | |
3219 | ') | |
3220 | ||
af2d8802 MG |
3221 | allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; |
3222 | allow $1 user_devpts_t:chr_file rw_inherited_term_perms; | |
3223 | ') | |
3224 | ||
35afb663 MG |
3225 | ####################################### |
3226 | ## <summary> | |
3227 | ## Allow attempts to read and write | |
3228 | ## a user domain tty and pty. | |
3229 | ## </summary> | |
3230 | ## <param name="domain"> | |
3231 | ## <summary> | |
3232 | ## Domain to not audit. | |
3233 | ## </summary> | |
3234 | ## </param> | |
3235 | # | |
3236 | interface(`userdom_use_user_terminals',` | |
3237 | gen_require(` | |
3238 | type user_tty_device_t, user_devpts_t; | |
3239 | ') | |
3240 | ||
3241 | allow $1 user_tty_device_t:chr_file rw_term_perms; | |
3242 | allow $1 user_devpts_t:chr_file rw_term_perms; | |
d6d16b97 CP |
3243 | ') |
3244 | ||
57a96cbd CP |
3245 | ######################################## |
3246 | ## <summary> | |
296273a7 CP |
3247 | ## Do not audit attempts to read and write |
3248 | ## a user domain tty and pty. | |
57a96cbd CP |
3249 | ## </summary> |
3250 | ## <param name="domain"> | |
885b83ec | 3251 | ## <summary> |
a0546c9d | 3252 | ## Domain to not audit. |
885b83ec | 3253 | ## </summary> |
57a96cbd CP |
3254 | ## </param> |
3255 | # | |
296273a7 CP |
3256 | interface(`userdom_dontaudit_use_user_terminals',` |
3257 | gen_require(` | |
3258 | type user_tty_device_t, user_devpts_t; | |
3259 | ') | |
3260 | ||
3261 | dontaudit $1 user_tty_device_t:chr_file rw_term_perms; | |
3262 | dontaudit $1 user_devpts_t:chr_file rw_term_perms; | |
57a96cbd CP |
3263 | ') |
3264 | ||
8fc060c2 DG |
3265 | |
3266 | ######################################## | |
3267 | ## <summary> | |
3268 | ## Get attributes of user domain tty and pty. | |
3269 | ## </summary> | |
3270 | ## <param name="domain"> | |
3271 | ## <summary> | |
3272 | ## Domain allowed access. | |
3273 | ## </summary> | |
3274 | ## </param> | |
3275 | # | |
3276 | interface(`userdom_getattr_user_terminals',` | |
3277 | gen_require(` | |
3278 | type user_tty_device_t, user_devpts_t; | |
3279 | ') | |
3280 | ||
3281 | allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; | |
3282 | ') | |
3283 | ||
57a96cbd CP |
3284 | ######################################## |
3285 | ## <summary> | |
296273a7 CP |
3286 | ## Execute a shell in all user domains. This |
3287 | ## is an explicit transition, requiring the | |
3288 | ## caller to use setexeccon(). | |
57a96cbd CP |
3289 | ## </summary> |
3290 | ## <param name="domain"> | |
885b83ec | 3291 | ## <summary> |
a0546c9d | 3292 | ## Domain allowed to transition. |
885b83ec | 3293 | ## </summary> |
57a96cbd CP |
3294 | ## </param> |
3295 | # | |
296273a7 CP |
3296 | interface(`userdom_spec_domtrans_all_users',` |
3297 | gen_require(` | |
3298 | attribute userdomain; | |
3299 | ') | |
3300 | ||
3f67f722 | 3301 | corecmd_shell_spec_domtrans($1, userdomain) |
296273a7 CP |
3302 | allow userdomain $1:fd use; |
3303 | allow userdomain $1:fifo_file rw_file_perms; | |
3304 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
3305 | ') |
3306 | ||
3307 | ######################################## | |
3308 | ## <summary> | |
296273a7 CP |
3309 | ## Execute an Xserver session in all unprivileged user domains. This |
3310 | ## is an explicit transition, requiring the | |
3311 | ## caller to use setexeccon(). | |
57a96cbd CP |
3312 | ## </summary> |
3313 | ## <param name="domain"> | |
885b83ec | 3314 | ## <summary> |
a0546c9d | 3315 | ## Domain allowed to transition. |
885b83ec | 3316 | ## </summary> |
57a96cbd CP |
3317 | ## </param> |
3318 | # | |
296273a7 CP |
3319 | interface(`userdom_xsession_spec_domtrans_all_users',` |
3320 | gen_require(` | |
3321 | attribute userdomain; | |
3322 | ') | |
3323 | ||
3f67f722 | 3324 | xserver_xsession_spec_domtrans($1, userdomain) |
296273a7 CP |
3325 | allow userdomain $1:fd use; |
3326 | allow userdomain $1:fifo_file rw_file_perms; | |
3327 | allow userdomain $1:process sigchld; | |
57a96cbd CP |
3328 | ') |
3329 | ||
e08118a5 CP |
3330 | ######################################## |
3331 | ## <summary> | |
296273a7 CP |
3332 | ## Execute a shell in all unprivileged user domains. This |
3333 | ## is an explicit transition, requiring the | |
3334 | ## caller to use setexeccon(). | |
e08118a5 CP |
3335 | ## </summary> |
3336 | ## <param name="domain"> | |
885b83ec | 3337 | ## <summary> |
a0546c9d | 3338 | ## Domain allowed to transition. |
885b83ec | 3339 | ## </summary> |
e08118a5 CP |
3340 | ## </param> |
3341 | # | |
296273a7 | 3342 | interface(`userdom_spec_domtrans_unpriv_users',` |
e08118a5 | 3343 | gen_require(` |
296273a7 | 3344 | attribute unpriv_userdomain; |
e08118a5 CP |
3345 | ') |
3346 | ||
3f67f722 | 3347 | corecmd_shell_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3348 | allow unpriv_userdomain $1:fd use; |
3349 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3350 | allow unpriv_userdomain $1:process sigchld; | |
e08118a5 CP |
3351 | ') |
3352 | ||
ba04e2e9 MG |
3353 | ##################################### |
3354 | ## <summary> | |
3355 | ## Allow domain dyntrans to unpriv userdomain. | |
3356 | ## </summary> | |
3357 | ## <param name="domain"> | |
3358 | ## <summary> | |
3359 | ## Domain allowed access. | |
3360 | ## </summary> | |
3361 | ## </param> | |
3362 | # | |
3363 | interface(`userdom_dyntransition_unpriv_users',` | |
3364 | gen_require(` | |
3365 | attribute unpriv_userdomain; | |
3366 | ') | |
3367 | ||
3368 | allow $1 unpriv_userdomain:process dyntransition; | |
3369 | ') | |
3370 | ||
d4dca585 CP |
3371 | ######################################## |
3372 | ## <summary> | |
296273a7 CP |
3373 | ## Execute an Xserver session in all unprivileged user domains. This |
3374 | ## is an explicit transition, requiring the | |
3375 | ## caller to use setexeccon(). | |
d4dca585 CP |
3376 | ## </summary> |
3377 | ## <param name="domain"> | |
885b83ec | 3378 | ## <summary> |
a0546c9d | 3379 | ## Domain allowed to transition. |
885b83ec | 3380 | ## </summary> |
d4dca585 CP |
3381 | ## </param> |
3382 | # | |
296273a7 | 3383 | interface(`userdom_xsession_spec_domtrans_unpriv_users',` |
d4dca585 | 3384 | gen_require(` |
296273a7 | 3385 | attribute unpriv_userdomain; |
d4dca585 CP |
3386 | ') |
3387 | ||
3f67f722 | 3388 | xserver_xsession_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3389 | allow unpriv_userdomain $1:fd use; |
3390 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3391 | allow unpriv_userdomain $1:process sigchld; | |
d4dca585 CP |
3392 | ') |
3393 | ||
6f8cda96 CP |
3394 | ######################################## |
3395 | ## <summary> | |
296273a7 | 3396 | ## Manage unpriviledged user SysV sempaphores. |
6f8cda96 CP |
3397 | ## </summary> |
3398 | ## <param name="domain"> | |
3399 | ## <summary> | |
3400 | ## Domain allowed access. | |
3401 | ## </summary> | |
3402 | ## </param> | |
3403 | # | |
296273a7 | 3404 | interface(`userdom_manage_unpriv_user_semaphores',` |
6f8cda96 | 3405 | gen_require(` |
296273a7 | 3406 | attribute unpriv_userdomain; |
6f8cda96 CP |
3407 | ') |
3408 | ||
296273a7 | 3409 | allow $1 unpriv_userdomain:sem create_sem_perms; |
6f8cda96 CP |
3410 | ') |
3411 | ||
3412 | ######################################## | |
3413 | ## <summary> | |
296273a7 CP |
3414 | ## Manage unpriviledged user SysV shared |
3415 | ## memory segments. | |
6f8cda96 CP |
3416 | ## </summary> |
3417 | ## <param name="domain"> | |
3418 | ## <summary> | |
3419 | ## Domain allowed access. | |
3420 | ## </summary> | |
3421 | ## </param> | |
3422 | # | |
296273a7 | 3423 | interface(`userdom_manage_unpriv_user_shared_mem',` |
6f8cda96 | 3424 | gen_require(` |
296273a7 | 3425 | attribute unpriv_userdomain; |
6f8cda96 CP |
3426 | ') |
3427 | ||
296273a7 | 3428 | allow $1 unpriv_userdomain:shm create_shm_perms; |
6f8cda96 CP |
3429 | ') |
3430 | ||
43989f82 CP |
3431 | ######################################## |
3432 | ## <summary> | |
296273a7 CP |
3433 | ## Execute bin_t in the unprivileged user domains. This |
3434 | ## is an explicit transition, requiring the | |
3435 | ## caller to use setexeccon(). | |
43989f82 CP |
3436 | ## </summary> |
3437 | ## <param name="domain"> | |
885b83ec | 3438 | ## <summary> |
a0546c9d | 3439 | ## Domain allowed to transition. |
885b83ec | 3440 | ## </summary> |
43989f82 CP |
3441 | ## </param> |
3442 | # | |
296273a7 | 3443 | interface(`userdom_bin_spec_domtrans_unpriv_users',` |
43989f82 | 3444 | gen_require(` |
296273a7 | 3445 | attribute unpriv_userdomain; |
43989f82 CP |
3446 | ') |
3447 | ||
3f67f722 | 3448 | corecmd_bin_spec_domtrans($1, unpriv_userdomain) |
296273a7 CP |
3449 | allow unpriv_userdomain $1:fd use; |
3450 | allow unpriv_userdomain $1:fifo_file rw_file_perms; | |
3451 | allow unpriv_userdomain $1:process sigchld; | |
725926c5 CP |
3452 | ') |
3453 | ||
6820a398 CP |
3454 | ######################################## |
3455 | ## <summary> | |
296273a7 CP |
3456 | ## Execute all entrypoint files in unprivileged user |
3457 | ## domains. This is an explicit transition, requiring the | |
3458 | ## caller to use setexeccon(). | |
6820a398 CP |
3459 | ## </summary> |
3460 | ## <param name="domain"> | |
885b83ec | 3461 | ## <summary> |
6820a398 | 3462 | ## Domain allowed access. |
885b83ec | 3463 | ## </summary> |
6820a398 CP |
3464 | ## </param> |
3465 | # | |
296273a7 | 3466 | interface(`userdom_entry_spec_domtrans_unpriv_users',` |
350b6ab7 | 3467 | gen_require(` |
296273a7 | 3468 | attribute unpriv_userdomain; |
6820a398 | 3469 | ') |
350b6ab7 | 3470 | |
3f67f722 | 3471 | domain_entry_file_spec_domtrans($1, unpriv_userdomain) |
296273a7 | 3472 | allow unpriv_userdomain $1:fd use; |
3eaa9939 | 3473 | allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; |
296273a7 | 3474 | allow unpriv_userdomain $1:process sigchld; |
6820a398 CP |
3475 | ') |
3476 | ||
1504ff3e CP |
3477 | ######################################## |
3478 | ## <summary> | |
296273a7 | 3479 | ## Search users home directories. |
1504ff3e CP |
3480 | ## </summary> |
3481 | ## <param name="domain"> | |
885b83ec | 3482 | ## <summary> |
296273a7 | 3483 | ## Domain allowed access. |
885b83ec | 3484 | ## </summary> |
1504ff3e CP |
3485 | ## </param> |
3486 | # | |
296273a7 | 3487 | interface(`userdom_search_user_home_content',` |
350b6ab7 | 3488 | gen_require(` |
3eaa9939 DW |
3489 | type user_home_dir_t; |
3490 | attribute user_home_type; | |
1504ff3e | 3491 | ') |
350b6ab7 | 3492 | |
296273a7 | 3493 | files_list_home($1) |
3eaa9939 DW |
3494 | allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; |
3495 | allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; | |
1504ff3e CP |
3496 | ') |
3497 | ||
f6abfdb8 CP |
3498 | ######################################## |
3499 | ## <summary> | |
296273a7 | 3500 | ## Send general signals to unprivileged user domains. |
f6abfdb8 CP |
3501 | ## </summary> |
3502 | ## <param name="domain"> | |
885b83ec | 3503 | ## <summary> |
f6abfdb8 | 3504 | ## Domain allowed access. |
885b83ec | 3505 | ## </summary> |
f6abfdb8 CP |
3506 | ## </param> |
3507 | # | |
296273a7 | 3508 | interface(`userdom_signal_unpriv_users',` |
f6abfdb8 | 3509 | gen_require(` |
296273a7 | 3510 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3511 | ') |
3512 | ||
296273a7 | 3513 | allow $1 unpriv_userdomain:process signal; |
f6abfdb8 CP |
3514 | ') |
3515 | ||
3516 | ######################################## | |
3517 | ## <summary> | |
296273a7 | 3518 | ## Inherit the file descriptors from unprivileged user domains. |
f6abfdb8 CP |
3519 | ## </summary> |
3520 | ## <param name="domain"> | |
885b83ec | 3521 | ## <summary> |
f6abfdb8 | 3522 | ## Domain allowed access. |
885b83ec | 3523 | ## </summary> |
f6abfdb8 CP |
3524 | ## </param> |
3525 | # | |
296273a7 | 3526 | interface(`userdom_use_unpriv_users_fds',` |
f6abfdb8 | 3527 | gen_require(` |
296273a7 | 3528 | attribute unpriv_userdomain; |
f6abfdb8 CP |
3529 | ') |
3530 | ||
296273a7 | 3531 | allow $1 unpriv_userdomain:fd use; |
f6abfdb8 CP |
3532 | ') |
3533 | ||
725926c5 CP |
3534 | ######################################## |
3535 | ## <summary> | |
c46376e6 CP |
3536 | ## Do not audit attempts to inherit the file descriptors |
3537 | ## from unprivileged user domains. | |
725926c5 | 3538 | ## </summary> |
c46376e6 CP |
3539 | ## <desc> |
3540 | ## <p> | |
3541 | ## Do not audit attempts to inherit the file descriptors | |
3542 | ## from unprivileged user domains. This will supress | |
3543 | ## SELinux denial messages when the specified domain is denied | |
3544 | ## the permission to inherit these file descriptors. | |
3545 | ## </p> | |
3546 | ## </desc> | |
725926c5 | 3547 | ## <param name="domain"> |
885b83ec | 3548 | ## <summary> |
c46376e6 | 3549 | ## Domain to not audit. |
885b83ec | 3550 | ## </summary> |
725926c5 | 3551 | ## </param> |
c46376e6 | 3552 | ## <infoflow type="none"/> |
725926c5 | 3553 | # |
296273a7 | 3554 | interface(`userdom_dontaudit_use_unpriv_user_fds',` |
350b6ab7 | 3555 | gen_require(` |
296273a7 | 3556 | attribute unpriv_userdomain; |
725926c5 | 3557 | ') |
350b6ab7 | 3558 | |
296273a7 | 3559 | dontaudit $1 unpriv_userdomain:fd use; |
43989f82 CP |
3560 | ') |
3561 | ||
3562 | ######################################## | |
3563 | ## <summary> | |
296273a7 | 3564 | ## Do not audit attempts to use user ptys. |
43989f82 CP |
3565 | ## </summary> |
3566 | ## <param name="domain"> | |
885b83ec | 3567 | ## <summary> |
296273a7 | 3568 | ## Domain to not audit. |
885b83ec | 3569 | ## </summary> |
43989f82 CP |
3570 | ## </param> |
3571 | # | |
296273a7 | 3572 | interface(`userdom_dontaudit_use_user_ptys',` |
350b6ab7 | 3573 | gen_require(` |
296273a7 | 3574 | type user_devpts_t; |
725926c5 | 3575 | ') |
350b6ab7 | 3576 | |
f5b49a5e | 3577 | dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; |
43989f82 CP |
3578 | ') |
3579 | ||
3580 | ######################################## | |
3581 | ## <summary> | |
296273a7 | 3582 | ## Relabel files to unprivileged user pty types. |
43989f82 CP |
3583 | ## </summary> |
3584 | ## <param name="domain"> | |
885b83ec | 3585 | ## <summary> |
43989f82 | 3586 | ## Domain allowed access. |
885b83ec | 3587 | ## </summary> |
43989f82 CP |
3588 | ## </param> |
3589 | # | |
296273a7 | 3590 | interface(`userdom_relabelto_user_ptys',` |
350b6ab7 | 3591 | gen_require(` |
296273a7 | 3592 | type user_devpts_t; |
725926c5 | 3593 | ') |
350b6ab7 | 3594 | |
296273a7 | 3595 | allow $1 user_devpts_t:chr_file relabelto; |
43989f82 CP |
3596 | ') |
3597 | ||
57a96cbd CP |
3598 | ######################################## |
3599 | ## <summary> | |
296273a7 CP |
3600 | ## Do not audit attempts to relabel files from |
3601 | ## user pty types. | |
ab940a4c | 3602 | ## </summary> |
414e4151 | 3603 | ## <param name="domain"> |
885b83ec | 3604 | ## <summary> |
a0546c9d | 3605 | ## Domain to not audit. |
885b83ec | 3606 | ## </summary> |
414e4151 | 3607 | ## </param> |
daa0e0b0 | 3608 | # |
296273a7 | 3609 | interface(`userdom_dontaudit_relabelfrom_user_ptys',` |
0404a390 | 3610 | gen_require(` |
296273a7 | 3611 | type user_devpts_t; |
0404a390 | 3612 | ') |
0c73cd25 | 3613 | |
296273a7 | 3614 | dontaudit $1 user_devpts_t:chr_file relabelfrom; |
daa0e0b0 CP |
3615 | ') |
3616 | ||
693d4aed CP |
3617 | ######################################## |
3618 | ## <summary> | |
296273a7 | 3619 | ## Write all users files in /tmp |
693d4aed CP |
3620 | ## </summary> |
3621 | ## <param name="domain"> | |
3622 | ## <summary> | |
3623 | ## Domain allowed access. | |
3624 | ## </summary> | |
3625 | ## </param> | |
3626 | # | |
296273a7 | 3627 | interface(`userdom_write_user_tmp_files',` |
350b6ab7 | 3628 | gen_require(` |
296273a7 | 3629 | type user_tmp_t; |
693d4aed | 3630 | ') |
350b6ab7 | 3631 | |
3eaa9939 DW |
3632 | write_files_pattern($1, user_tmp_t, user_tmp_t) |
3633 | ') | |
3634 | ||
3635 | ######################################## | |
3636 | ## <summary> | |
3637 | ## Do not audit attempts to write users | |
3638 | ## temporary files. | |
3639 | ## </summary> | |
3640 | ## <param name="domain"> | |
3641 | ## <summary> | |
3642 | ## Domain to not audit. | |
3643 | ## </summary> | |
3644 | ## </param> | |
3645 | # | |
3646 | interface(`userdom_dontaudit_write_user_tmp_files',` | |
3647 | gen_require(` | |
3648 | type user_tmp_t; | |
3649 | ') | |
3650 | ||
3651 | dontaudit $1 user_tmp_t:file write; | |
3652 | ') | |
3653 | ||
3654 | ######################################## | |
3655 | ## <summary> | |
3656 | ## Do not audit attempts to read/write users | |
3657 | ## temporary fifo files. | |
3658 | ## </summary> | |
3659 | ## <param name="domain"> | |
3660 | ## <summary> | |
3661 | ## Domain to not audit. | |
3662 | ## </summary> | |
3663 | ## </param> | |
3664 | # | |
3665 | interface(`userdom_dontaudit_rw_user_tmp_pipes',` | |
3666 | gen_require(` | |
3667 | type user_tmp_t; | |
3668 | ') | |
3669 | ||
3670 | dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; | |
693d4aed CP |
3671 | ') |
3672 | ||
ebdc3b79 CP |
3673 | ######################################## |
3674 | ## <summary> | |
296273a7 | 3675 | ## Do not audit attempts to use user ttys. |
ebdc3b79 CP |
3676 | ## </summary> |
3677 | ## <param name="domain"> | |
885b83ec | 3678 | ## <summary> |
a0546c9d | 3679 | ## Domain to not audit. |
885b83ec | 3680 | ## </summary> |
ebdc3b79 CP |
3681 | ## </param> |
3682 | # | |
296273a7 | 3683 | interface(`userdom_dontaudit_use_user_ttys',` |
350b6ab7 | 3684 | gen_require(` |
296273a7 | 3685 | type user_tty_device_t; |
9cc2ccc4 | 3686 | ') |
350b6ab7 | 3687 | |
296273a7 | 3688 | dontaudit $1 user_tty_device_t:chr_file rw_file_perms; |
ebdc3b79 | 3689 | ') |
c98340cf | 3690 | |
2629c659 CP |
3691 | ######################################## |
3692 | ## <summary> | |
3693 | ## Read the process state of all user domains. | |
3694 | ## </summary> | |
3695 | ## <param name="domain"> | |
885b83ec | 3696 | ## <summary> |
2629c659 | 3697 | ## Domain allowed access. |
885b83ec | 3698 | ## </summary> |
2629c659 CP |
3699 | ## </param> |
3700 | # | |
1815bad1 | 3701 | interface(`userdom_read_all_users_state',` |
2629c659 CP |
3702 | gen_require(` |
3703 | attribute userdomain; | |
3704 | ') | |
3705 | ||
3f67f722 | 3706 | read_files_pattern($1, userdomain, userdomain) |
3eaa9939 | 3707 | read_lnk_files_pattern($1,userdomain,userdomain) |
2629c659 CP |
3708 | kernel_search_proc($1) |
3709 | ') | |
3710 | ||
3711 | ######################################## | |
3712 | ## <summary> | |
3713 | ## Get the attributes of all user domains. | |
3714 | ## </summary> | |
3715 | ## <param name="domain"> | |
885b83ec | 3716 | ## <summary> |
2629c659 | 3717 | ## Domain allowed access. |
885b83ec | 3718 | ## </summary> |
2629c659 CP |
3719 | ## </param> |
3720 | # | |
15722ec9 | 3721 | interface(`userdom_getattr_all_users',` |
2629c659 CP |
3722 | gen_require(` |
3723 | attribute userdomain; | |
3724 | ') | |
3725 | ||
3726 | allow $1 userdomain:process getattr; | |
3727 | ') | |
3728 | ||
57a96cbd CP |
3729 | ######################################## |
3730 | ## <summary> | |
3731 | ## Inherit the file descriptors from all user domains | |
3732 | ## </summary> | |
3733 | ## <param name="domain"> | |
885b83ec | 3734 | ## <summary> |
725926c5 | 3735 | ## Domain allowed access. |
885b83ec | 3736 | ## </summary> |
57a96cbd CP |
3737 | ## </param> |
3738 | # | |
15722ec9 | 3739 | interface(`userdom_use_all_users_fds',` |
57a96cbd CP |
3740 | gen_require(` |
3741 | attribute userdomain; | |
57a96cbd CP |
3742 | ') |
3743 | ||
3744 | allow $1 userdomain:fd use; | |
3745 | ') | |
3746 | ||
3747 | ######################################## | |
eb3cb682 CP |
3748 | ## <summary> |
3749 | ## Do not audit attempts to inherit the file | |
3750 | ## descriptors from any user domains. | |
3751 | ## </summary> | |
3752 | ## <param name="domain"> | |
885b83ec | 3753 | ## <summary> |
eb3cb682 | 3754 | ## Domain to not audit. |
885b83ec | 3755 | ## </summary> |
eb3cb682 CP |
3756 | ## </param> |
3757 | # | |
15722ec9 | 3758 | interface(`userdom_dontaudit_use_all_users_fds',` |
eb3cb682 CP |
3759 | gen_require(` |
3760 | attribute userdomain; | |
eb3cb682 CP |
3761 | ') |
3762 | ||
3763 | dontaudit $1 userdomain:fd use; | |
3764 | ') | |
3765 | ||
3766 | ######################################## | |
57a96cbd CP |
3767 | ## <summary> |
3768 | ## Send general signals to all user domains. | |
3769 | ## </summary> | |
3770 | ## <param name="domain"> | |
885b83ec | 3771 | ## <summary> |
725926c5 | 3772 | ## Domain allowed access. |
885b83ec | 3773 | ## </summary> |
57a96cbd CP |
3774 | ## </param> |
3775 | # | |
3776 | interface(`userdom_signal_all_users',` | |
3777 | gen_require(` | |
3778 | attribute userdomain; | |
57a96cbd CP |
3779 | ') |
3780 | ||
3781 | allow $1 userdomain:process signal; | |
3782 | ') | |
3783 | ||
4f115e10 DW |
3784 | ######################################## |
3785 | ## <summary> | |
3786 | ## Send kill signals to all user domains. | |
3787 | ## </summary> | |
3788 | ## <param name="domain"> | |
3789 | ## <summary> | |
3790 | ## Domain allowed access. | |
3791 | ## </summary> | |
3792 | ## </param> | |
3793 | # | |
3794 | interface(`userdom_kill_all_users',` | |
3795 | gen_require(` | |
3796 | attribute userdomain; | |
3797 | ') | |
3798 | ||
3799 | allow $1 userdomain:process sigkill; | |
3800 | ') | |
3801 | ||
246839f3 CP |
3802 | ######################################## |
3803 | ## <summary> | |
3804 | ## Send a SIGCHLD signal to all user domains. | |
3805 | ## </summary> | |
3806 | ## <param name="domain"> | |
885b83ec | 3807 | ## <summary> |
246839f3 | 3808 | ## Domain allowed access. |
885b83ec | 3809 | ## </summary> |
246839f3 CP |
3810 | ## </param> |
3811 | # | |
9fd4b818 | 3812 | interface(`userdom_sigchld_all_users',` |
246839f3 CP |
3813 | gen_require(` |
3814 | attribute userdomain; | |
246839f3 CP |
3815 | ') |
3816 | ||
a1fcff33 | 3817 | allow $1 userdomain:process sigchld; |
246839f3 CP |
3818 | ') |
3819 | ||
fe3a1eb8 CP |
3820 | ######################################## |
3821 | ## <summary> | |
3822 | ## Create keys for all user domains. | |
3823 | ## </summary> | |
3824 | ## <param name="domain"> | |
3825 | ## <summary> | |
3826 | ## Domain allowed access. | |
3827 | ## </summary> | |
3828 | ## </param> | |
3829 | # | |
3830 | interface(`userdom_create_all_users_keys',` | |
350b6ab7 CP |
3831 | gen_require(` |
3832 | attribute userdomain; | |
fe3a1eb8 | 3833 | ') |
350b6ab7 CP |
3834 | |
3835 | allow $1 userdomain:key create; | |
fe3a1eb8 CP |
3836 | ') |
3837 | ||
9fd4b818 CP |
3838 | ######################################## |
3839 | ## <summary> | |
3840 | ## Send a dbus message to all user domains. | |
3841 | ## </summary> | |
3842 | ## <param name="domain"> | |
885b83ec | 3843 | ## <summary> |
9fd4b818 | 3844 | ## Domain allowed access. |
885b83ec | 3845 | ## </summary> |
9fd4b818 CP |
3846 | ## </param> |
3847 | # | |
3848 | interface(`userdom_dbus_send_all_users',` | |
3849 | gen_require(` | |
3850 | attribute userdomain; | |
3851 | class dbus send_msg; | |
3852 | ') | |
3853 | ||
3854 | allow $1 userdomain:dbus send_msg; | |
3855 | ') | |
3eaa9939 DW |
3856 | |
3857 | ######################################## | |
3858 | ## <summary> | |
3859 | ## Allow apps to set rlimits on userdomain | |
3860 | ## </summary> | |
3861 | ## <param name="domain"> | |
3862 | ## <summary> | |
3863 | ## Domain allowed access. | |
3864 | ## </summary> | |
3865 | ## </param> | |
3866 | # | |
3867 | interface(`userdom_set_rlimitnh',` | |
3868 | gen_require(` | |
3869 | attribute userdomain; | |
3870 | ') | |
3871 | ||
3872 | allow $1 userdomain:process rlimitinh; | |
3873 | ') | |
3874 | ||
3875 | ######################################## | |
3876 | ## <summary> | |
3877 | ## Define this type as a Allow apps to set rlimits on userdomain | |
3878 | ## </summary> | |
3879 | ## <param name="domain"> | |
3880 | ## <summary> | |
3881 | ## Domain allowed access. | |
3882 | ## </summary> | |
3883 | ## </param> | |
3884 | ## <param name="userdomain_prefix"> | |
3885 | ## <summary> | |
3886 | ## The prefix of the user domain (e.g., user | |
3887 | ## is the prefix for user_t). | |
3888 | ## </summary> | |
3889 | ## </param> | |
3890 | ## <param name="domain"> | |
3891 | ## <summary> | |
3892 | ## Domain allowed access. | |
3893 | ## </summary> | |
3894 | ## </param> | |
3895 | # | |
3896 | template(`userdom_unpriv_usertype',` | |
3897 | gen_require(` | |
3898 | attribute unpriv_userdomain, userdomain; | |
3899 | attribute $1_usertype; | |
3900 | ') | |
3901 | typeattribute $2 $1_usertype; | |
3902 | typeattribute $2 unpriv_userdomain; | |
3903 | typeattribute $2 userdomain; | |
ae68f77d DW |
3904 | |
3905 | auth_use_nsswitch($2) | |
3eaa9939 DW |
3906 | ubac_constrained($2) |
3907 | ') | |
3908 | ||
3909 | ######################################## | |
3910 | ## <summary> | |
3911 | ## Connect to users over an unix stream socket. | |
3912 | ## </summary> | |
3913 | ## <param name="domain"> | |
3914 | ## <summary> | |
3915 | ## Domain allowed access. | |
3916 | ## </summary> | |
3917 | ## </param> | |
3918 | # | |
3919 | interface(`userdom_stream_connect',` | |
3920 | gen_require(` | |
3921 | type user_tmp_t; | |
3922 | attribute userdomain; | |
3923 | ') | |
3924 | ||
3925 | stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) | |
3926 | ') | |
3927 | ||
3928 | ######################################## | |
3929 | ## <summary> | |
3930 | ## Ptrace user domains. | |
3931 | ## </summary> | |
3932 | ## <param name="domain"> | |
3933 | ## <summary> | |
3934 | ## Domain allowed access. | |
3935 | ## </summary> | |
3936 | ## </param> | |
3937 | # | |
3938 | interface(`userdom_ptrace_all_users',` | |
3939 | gen_require(` | |
3940 | attribute userdomain; | |
3941 | ') | |
3942 | ||
3943 | allow $1 userdomain:process ptrace; | |
3944 | ') | |
3945 | ||
3946 | ######################################## | |
3947 | ## <summary> | |
3948 | ## dontaudit Search /root | |
3949 | ## </summary> | |
3950 | ## <param name="domain"> | |
3951 | ## <summary> | |
24280f35 | 3952 | ## Domain to not audit. |
3eaa9939 DW |
3953 | ## </summary> |
3954 | ## </param> | |
3955 | # | |
3956 | interface(`userdom_dontaudit_search_admin_dir',` | |
3957 | gen_require(` | |
3958 | type admin_home_t; | |
3959 | ') | |
3960 | ||
3961 | dontaudit $1 admin_home_t:dir search_dir_perms; | |
3962 | ') | |
3963 | ||
3964 | ######################################## | |
3965 | ## <summary> | |
3966 | ## dontaudit list /root | |
3967 | ## </summary> | |
3968 | ## <param name="domain"> | |
3969 | ## <summary> | |
24280f35 | 3970 | ## Domain to not audit. |
3eaa9939 DW |
3971 | ## </summary> |
3972 | ## </param> | |
3973 | # | |
3974 | interface(`userdom_dontaudit_list_admin_dir',` | |
3975 | gen_require(` | |
3976 | type admin_home_t; | |
3977 | ') | |
3978 | ||
3979 | dontaudit $1 admin_home_t:dir list_dir_perms; | |
3980 | ') | |
3981 | ||
3982 | ######################################## | |
3983 | ## <summary> | |
3984 | ## Allow domain to list /root | |
3985 | ## </summary> | |
3986 | ## <param name="domain"> | |
3987 | ## <summary> | |
3988 | ## Domain allowed access. | |
3989 | ## </summary> | |
3990 | ## </param> | |
3991 | # | |
3992 | interface(`userdom_list_admin_dir',` | |
3993 | gen_require(` | |
3994 | type admin_home_t; | |
3995 | ') | |
3996 | ||
3997 | allow $1 admin_home_t:dir list_dir_perms; | |
3998 | ') | |
3999 | ||
4000 | ######################################## | |
4001 | ## <summary> | |
4002 | ## Allow Search /root | |
4003 | ## </summary> | |
4004 | ## <param name="domain"> | |
4005 | ## <summary> | |
4006 | ## Domain allowed access. | |
4007 | ## </summary> | |
4008 | ## </param> | |
4009 | # | |
4010 | interface(`userdom_search_admin_dir',` | |
4011 | gen_require(` | |
4012 | type admin_home_t; | |
4013 | ') | |
4014 | ||
4015 | allow $1 admin_home_t:dir search_dir_perms; | |
4016 | ') | |
4017 | ||
4018 | ######################################## | |
4019 | ## <summary> | |
4020 | ## RW unpriviledged user SysV sempaphores. | |
4021 | ## </summary> | |
4022 | ## <param name="domain"> | |
4023 | ## <summary> | |
4024 | ## Domain allowed access. | |
4025 | ## </summary> | |
4026 | ## </param> | |
4027 | # | |
4028 | interface(`userdom_rw_semaphores',` | |
4029 | gen_require(` | |
4030 | attribute unpriv_userdomain; | |
4031 | ') | |
4032 | ||
4033 | allow $1 unpriv_userdomain:sem rw_sem_perms; | |
4034 | ') | |
4035 | ||
4036 | ######################################## | |
4037 | ## <summary> | |
4038 | ## Send a message to unpriv users over a unix domain | |
4039 | ## datagram socket. | |
4040 | ## </summary> | |
4041 | ## <param name="domain"> | |
4042 | ## <summary> | |
4043 | ## Domain allowed access. | |
4044 | ## </summary> | |
4045 | ## </param> | |
4046 | # | |
4047 | interface(`userdom_dgram_send',` | |
4048 | gen_require(` | |
4049 | attribute unpriv_userdomain; | |
4050 | ') | |
4051 | ||
4052 | allow $1 unpriv_userdomain:unix_dgram_socket sendto; | |
4053 | ') | |
4054 | ||
4055 | ###################################### | |
4056 | ## <summary> | |
4057 | ## Send a message to users over a unix domain | |
4058 | ## datagram socket. | |
4059 | ## </summary> | |
4060 | ## <param name="domain"> | |
4061 | ## <summary> | |
4062 | ## Domain allowed access. | |
4063 | ## </summary> | |
4064 | ## </param> | |
4065 | # | |
4066 | interface(`userdom_users_dgram_send',` | |
4067 | gen_require(` | |
4068 | attribute userdomain; | |
4069 | ') | |
4070 | ||
4071 | allow $1 userdomain:unix_dgram_socket sendto; | |
4072 | ') | |
4073 | ||
4074 | ####################################### | |
4075 | ## <summary> | |
4076 | ## Allow execmod on files in homedirectory | |
4077 | ## </summary> | |
4078 | ## <param name="domain"> | |
4079 | ## <summary> | |
4080 | ## Domain allowed access. | |
4081 | ## </summary> | |
4082 | ## </param> | |
4083 | ## <rolebase/> | |
4084 | # | |
4085 | interface(`userdom_execmod_user_home_files',` | |
4086 | gen_require(` | |
4087 | type user_home_type; | |
4088 | ') | |
4089 | ||
4090 | allow $1 user_home_type:file execmod; | |
4091 | ') | |
4092 | ||
4093 | ######################################## | |
4094 | ## <summary> | |
4095 | ## Read admin home files. | |
4096 | ## </summary> | |
4097 | ## <param name="domain"> | |
4098 | ## <summary> | |
4099 | ## Domain allowed access. | |
4100 | ## </summary> | |
4101 | ## </param> | |
4102 | ## <rolecap/> | |
4103 | # | |
4104 | interface(`userdom_read_admin_home_files',` | |
4105 | gen_require(` | |
4106 | type admin_home_t; | |
4107 | ') | |
4108 | ||
4109 | read_files_pattern($1, admin_home_t, admin_home_t) | |
4110 | ') | |
4111 | ||
4112 | ######################################## | |
4113 | ## <summary> | |
4114 | ## Execute admin home files. | |
4115 | ## </summary> | |
4116 | ## <param name="domain"> | |
4117 | ## <summary> | |
4118 | ## Domain allowed access. | |
4119 | ## </summary> | |
4120 | ## </param> | |
4121 | ## <rolecap/> | |
4122 | # | |
4123 | interface(`userdom_exec_admin_home_files',` | |
4124 | gen_require(` | |
4125 | type admin_home_t; | |
4126 | ') | |
4127 | ||
4128 | exec_files_pattern($1, admin_home_t, admin_home_t) | |
4129 | ') | |
4130 | ||
4131 | ######################################## | |
4132 | ## <summary> | |
4133 | ## Append files inherited | |
4134 | ## in the /root directory. | |
4135 | ## </summary> | |
4136 | ## <param name="domain"> | |
4137 | ## <summary> | |
4138 | ## Domain allowed access. | |
4139 | ## </summary> | |
4140 | ## </param> | |
4141 | # | |
4142 | interface(`userdom_inherit_append_admin_home_files',` | |
4143 | gen_require(` | |
4144 | type admin_home_t; | |
4145 | ') | |
4146 | ||
4147 | allow $1 admin_home_t:file { getattr append }; | |
4148 | ') | |
4149 | ||
4150 | ||
4151 | ####################################### | |
4152 | ## <summary> | |
4153 | ## Manage all files/directories in the homedir | |
4154 | ## </summary> | |
4155 | ## <param name="userdomain"> | |
4156 | ## <summary> | |
4157 | ## The user domain | |
4158 | ## </summary> | |
4159 | ## </param> | |
4160 | ## <rolebase/> | |
4161 | # | |
4162 | interface(`userdom_manage_user_home_content',` | |
4163 | gen_require(` | |
4164 | type user_home_dir_t, user_home_t; | |
4165 | attribute user_home_type; | |
4166 | ') | |
4167 | ||
4168 | files_list_home($1) | |
4169 | manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4170 | manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4171 | manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4172 | manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4173 | manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) | |
4174 | filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) | |
4175 | ||
4176 | ') | |
4177 | ||
4178 | ||
4179 | ######################################## | |
4180 | ## <summary> | |
4181 | ## Create objects in a user home directory | |
4182 | ## with an automatic type transition to | |
4183 | ## the user home file type. | |
4184 | ## </summary> | |
4185 | ## <param name="domain"> | |
4186 | ## <summary> | |
4187 | ## Domain allowed access. | |
4188 | ## </summary> | |
4189 | ## </param> | |
4190 | ## <param name="object_class"> | |
4191 | ## <summary> | |
4192 | ## The class of the object to be created. | |
4193 | ## </summary> | |
4194 | ## </param> | |
4195 | # | |
4196 | interface(`userdom_user_home_dir_filetrans_pattern',` | |
4197 | gen_require(` | |
4198 | type user_home_dir_t, user_home_t; | |
4199 | ') | |
4200 | ||
4201 | type_transition $1 user_home_dir_t:$2 user_home_t; | |
4202 | ') | |
4203 | ||
4204 | ######################################## | |
4205 | ## <summary> | |
4206 | ## Create objects in the /root directory | |
4207 | ## with an automatic type transition to | |
4208 | ## a specified private type. | |
4209 | ## </summary> | |
4210 | ## <param name="domain"> | |
4211 | ## <summary> | |
4212 | ## Domain allowed access. | |
4213 | ## </summary> | |
4214 | ## </param> | |
4215 | ## <param name="private_type"> | |
4216 | ## <summary> | |
4217 | ## The type of the object to create. | |
4218 | ## </summary> | |
4219 | ## </param> | |
4220 | ## <param name="object_class"> | |
4221 | ## <summary> | |
4222 | ## The class of the object to be created. | |
4223 | ## </summary> | |
4224 | ## </param> | |
4225 | # | |
4226 | interface(`userdom_admin_home_dir_filetrans',` | |
4227 | gen_require(` | |
4228 | type admin_home_t; | |
4229 | ') | |
4230 | ||
ae4832c7 | 4231 | filetrans_pattern($1, admin_home_t, $2, $3, $4) |
3eaa9939 DW |
4232 | ') |
4233 | ||
4234 | ######################################## | |
4235 | ## <summary> | |
4236 | ## Send signull to unprivileged user domains. | |
4237 | ## </summary> | |
4238 | ## <param name="domain"> | |
4239 | ## <summary> | |
4240 | ## Domain allowed access. | |
4241 | ## </summary> | |
4242 | ## </param> | |
4243 | # | |
4244 | interface(`userdom_signull_unpriv_users',` | |
4245 | gen_require(` | |
4246 | attribute unpriv_userdomain; | |
4247 | ') | |
4248 | ||
4249 | allow $1 unpriv_userdomain:process signull; | |
4250 | ') | |
4251 | ||
4252 | ######################################## | |
4253 | ## <summary> | |
4254 | ## Write all users files in /tmp | |
4255 | ## </summary> | |
4256 | ## <param name="domain"> | |
4257 | ## <summary> | |
4258 | ## Domain allowed access. | |
4259 | ## </summary> | |
4260 | ## </param> | |
4261 | # | |
4262 | interface(`userdom_write_user_tmp_dirs',` | |
4263 | gen_require(` | |
4264 | type user_tmp_t; | |
4265 | ') | |
4266 | ||
4267 | write_files_pattern($1, user_tmp_t, user_tmp_t) | |
4268 | ') | |
4269 | ||
4270 | ######################################## | |
4271 | ## <summary> | |
4272 | ## Manage keys for all user domains. | |
4273 | ## </summary> | |
4274 | ## <param name="domain"> | |
4275 | ## <summary> | |
4276 | ## Domain allowed access. | |
4277 | ## </summary> | |
4278 | ## </param> | |
4279 | # | |
4280 | interface(`userdom_manage_all_users_keys',` | |
4281 | gen_require(` | |
4282 | attribute userdomain; | |
4283 | ') | |
4284 | ||
4285 | allow $1 userdomain:key manage_key_perms; | |
4286 | ') | |
4287 | ||
4288 | ||
4289 | ######################################## | |
4290 | ## <summary> | |
4291 | ## Do not audit attempts to read and write | |
4292 | ## unserdomain stream. | |
4293 | ## </summary> | |
4294 | ## <param name="domain"> | |
4295 | ## <summary> | |
4296 | ## Domain to not audit. | |
4297 | ## </summary> | |
4298 | ## </param> | |
4299 | # | |
4300 | interface(`userdom_dontaudit_rw_stream',` | |
4301 | gen_require(` | |
4302 | attribute userdomain; | |
4303 | ') | |
4304 | ||
4305 | dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; | |
4306 | ') | |
4307 | ||
3d3d47e4 DW |
4308 | ######################################## |
4309 | ## <summary> | |
4310 | ## Do not audit attempts to read and write | |
4311 | ## unserdomain datagram socket. | |
4312 | ## </summary> | |
4313 | ## <param name="domain"> | |
4314 | ## <summary> | |
4315 | ## Domain to not audit. | |
4316 | ## </summary> | |
4317 | ## </param> | |
4318 | # | |
4319 | interface(`userdom_dontaudit_rw_dgram_socket',` | |
4320 | gen_require(` | |
4321 | attribute userdomain; | |
4322 | ') | |
4323 | ||
6a074ab5 | 4324 | dontaudit $1 userdomain:unix_dgram_socket { read write }; |
3d3d47e4 DW |
4325 | ') |
4326 | ||
3eaa9939 DW |
4327 | ######################################## |
4328 | ## <summary> | |
4329 | ## Append files | |
4330 | ## in a user home subdirectory. | |
4331 | ## </summary> | |
4332 | ## <param name="domain"> | |
4333 | ## <summary> | |
4334 | ## Domain allowed access. | |
4335 | ## </summary> | |
4336 | ## </param> | |
4337 | # | |
4338 | interface(`userdom_append_user_home_content_files',` | |
4339 | gen_require(` | |
4340 | type user_home_dir_t, user_home_t; | |
4341 | ') | |
4342 | ||
4343 | append_files_pattern($1, user_home_t, user_home_t) | |
4344 | allow $1 user_home_dir_t:dir search_dir_perms; | |
4345 | files_search_home($1) | |
4346 | ') | |
4347 | ||
4348 | ######################################## | |
4349 | ## <summary> | |
4350 | ## Read files inherited | |
4351 | ## in a user home subdirectory. | |
4352 | ## </summary> | |
4353 | ## <param name="domain"> | |
4354 | ## <summary> | |
4355 | ## Domain allowed access. | |
4356 | ## </summary> | |
4357 | ## </param> | |
4358 | # | |
4359 | interface(`userdom_read_inherited_user_home_content_files',` | |
4360 | gen_require(` | |
4361 | attribute user_home_type; | |
4362 | ') | |
4363 | ||
4364 | allow $1 user_home_type:file { getattr read }; | |
4365 | ') | |
4366 | ||
4367 | ######################################## | |
4368 | ## <summary> | |
4369 | ## Append files inherited | |
4370 | ## in a user home subdirectory. | |
4371 | ## </summary> | |
4372 | ## <param name="domain"> | |
4373 | ## <summary> | |
4374 | ## Domain allowed access. | |
4375 | ## </summary> | |
4376 | ## </param> | |
4377 | # | |
4378 | interface(`userdom_inherit_append_user_home_content_files',` | |
4379 | gen_require(` | |
4380 | type user_home_t; | |
4381 | ') | |
4382 | ||
4383 | allow $1 user_home_t:file { getattr append }; | |
4384 | ') | |
4385 | ||
4386 | ######################################## | |
4387 | ## <summary> | |
4388 | ## Append files inherited | |
4389 | ## in a user tmp files. | |
4390 | ## </summary> | |
4391 | ## <param name="domain"> | |
4392 | ## <summary> | |
4393 | ## Domain allowed access. | |
4394 | ## </summary> | |
4395 | ## </param> | |
4396 | # | |
4397 | interface(`userdom_inherit_append_user_tmp_files',` | |
4398 | gen_require(` | |
4399 | type user_tmp_t; | |
4400 | ') | |
4401 | ||
4402 | allow $1 user_tmp_t:file { getattr append }; | |
4403 | ') | |
4404 | ||
4405 | ###################################### | |
4406 | ## <summary> | |
4407 | ## Read audio files in the users homedir. | |
4408 | ## </summary> | |
4409 | ## <param name="domain"> | |
4410 | ## <summary> | |
4411 | ## Domain allowed access. | |
4412 | ## </summary> | |
4413 | ## </param> | |
4414 | ## <rolecap/> | |
4415 | # | |
4416 | interface(`userdom_read_home_audio_files',` | |
4417 | gen_require(` | |
4418 | type audio_home_t; | |
4419 | ') | |
4420 | ||
4421 | userdom_search_user_home_dirs($1) | |
4422 | allow $1 audio_home_t:dir list_dir_perms; | |
4423 | read_files_pattern($1, audio_home_t, audio_home_t) | |
4424 | read_lnk_files_pattern($1, audio_home_t, audio_home_t) | |
4425 | ') | |
4426 | ||
ca9e8850 DW |
4427 | ######################################## |
4428 | ## <summary> | |
4429 | ## Do not audit attempts to write all user home content files. | |
4430 | ## </summary> | |
4431 | ## <param name="domain"> | |
4432 | ## <summary> | |
4433 | ## Domain to not audit. | |
4434 | ## </summary> | |
4435 | ## </param> | |
4436 | # | |
4437 | interface(`userdom_dontaudit_write_all_user_home_content_files',` | |
4438 | gen_require(` | |
4439 | attribute user_home_type; | |
4440 | ') | |
4441 | ||
4442 | dontaudit $1 user_home_type:file write_file_perms; | |
4443 | ') | |
4444 | ||
4445 | ######################################## | |
4446 | ## <summary> | |
4447 | ## Do not audit attempts to write all user tmp content files. | |
4448 | ## </summary> | |
4449 | ## <param name="domain"> | |
4450 | ## <summary> | |
4451 | ## Domain to not audit. | |
4452 | ## </summary> | |
4453 | ## </param> | |
4454 | # | |
4455 | interface(`userdom_dontaudit_write_all_user_tmp_content_files',` | |
4456 | gen_require(` | |
4457 | attribute user_tmp_type; | |
4458 | ') | |
4459 | ||
4460 | dontaudit $1 user_tmp_type:file write_file_perms; | |
4461 | ') | |
4462 | ||
4463 | ######################################## | |
4464 | ## <summary> | |
4465 | ## Manage all user temporary content. | |
4466 | ## </summary> | |
4467 | ## <param name="domain"> | |
4468 | ## <summary> | |
4469 | ## Domain allowed access. | |
4470 | ## </summary> | |
4471 | ## </param> | |
4472 | # | |
4473 | interface(`userdom_manage_all_user_tmp_content',` | |
4474 | gen_require(` | |
4475 | attribute user_tmp_type; | |
4476 | ') | |
4477 | ||
4478 | manage_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4479 | manage_files_pattern($1, user_tmp_type, user_tmp_type) | |
4480 | manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4481 | manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4482 | manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4483 | files_search_tmp($1) | |
4484 | ') | |
4485 | ||
4486 | ######################################## | |
4487 | ## <summary> | |
4488 | ## List all user temporary content. | |
4489 | ## </summary> | |
4490 | ## <param name="domain"> | |
4491 | ## <summary> | |
4492 | ## Domain allowed access. | |
4493 | ## </summary> | |
4494 | ## </param> | |
4495 | # | |
4496 | interface(`userdom_list_all_user_tmp_content',` | |
4497 | gen_require(` | |
4498 | attribute user_tmp_type; | |
4499 | ') | |
4500 | ||
4501 | list_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4502 | getattr_files_pattern($1, user_tmp_type, user_tmp_type) | |
4503 | read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4504 | getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4505 | getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4506 | files_search_var($1) | |
4507 | files_search_tmp($1) | |
4508 | ') | |
4509 | ||
4510 | ######################################## | |
4511 | ## <summary> | |
4512 | ## Manage all user tmpfs content. | |
4513 | ## </summary> | |
4514 | ## <param name="domain"> | |
4515 | ## <summary> | |
4516 | ## Domain allowed access. | |
4517 | ## </summary> | |
4518 | ## </param> | |
4519 | # | |
4520 | interface(`userdom_manage_all_user_tmpfs_content',` | |
4521 | gen_require(` | |
4522 | attribute user_tmpfs_type; | |
4523 | ') | |
4524 | ||
4525 | manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4526 | manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4527 | manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4528 | manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4529 | manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) | |
4530 | fs_search_tmpfs($1) | |
4531 | ') | |
4532 | ||
4533 | ######################################## | |
4534 | ## <summary> | |
4535 | ## Delete all user temporary content. | |
4536 | ## </summary> | |
4537 | ## <param name="domain"> | |
4538 | ## <summary> | |
4539 | ## Domain allowed access. | |
4540 | ## </summary> | |
4541 | ## </param> | |
4542 | # | |
4543 | interface(`userdom_delete_all_user_tmp_content',` | |
4544 | gen_require(` | |
4545 | attribute user_tmp_type; | |
4546 | ') | |
4547 | ||
4548 | delete_dirs_pattern($1, user_tmp_type, user_tmp_type) | |
4549 | delete_files_pattern($1, user_tmp_type, user_tmp_type) | |
4550 | delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) | |
4551 | delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) | |
4552 | delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) | |
4553 | # /var/tmp | |
4554 | files_search_var($1) | |
4555 | files_delete_tmp_dir_entry($1) | |
4556 | ') | |
4557 | ||
3eaa9939 DW |
4558 | ######################################## |
4559 | ## <summary> | |
4560 | ## Read system SSL certificates in the users homedir. | |
4561 | ## </summary> | |
4562 | ## <param name="domain"> | |
4563 | ## <summary> | |
4564 | ## Domain allowed access. | |
4565 | ## </summary> | |
4566 | ## </param> | |
3eaa9939 DW |
4567 | # |
4568 | interface(`userdom_read_home_certs',` | |
4569 | gen_require(` | |
4570 | type home_cert_t; | |
4571 | ') | |
4572 | ||
4982766c | 4573 | userdom_search_user_home_content($1) |
3eaa9939 DW |
4574 | allow $1 home_cert_t:dir list_dir_perms; |
4575 | read_files_pattern($1, home_cert_t, home_cert_t) | |
4576 | read_lnk_files_pattern($1, home_cert_t, home_cert_t) | |
4577 | ') | |
4578 | ||
f06e4c22 MG |
4579 | ####################################### |
4580 | ## <summary> | |
4581 | ## Dontaudit Write system SSL certificates in the users homedir. | |
4582 | ## </summary> | |
4583 | ## <param name="domain"> | |
4584 | ## <summary> | |
24280f35 | 4585 | ## Domain to not audit. |
f06e4c22 MG |
4586 | ## </summary> |
4587 | ## </param> | |
4588 | # | |
4589 | interface(`userdom_dontaudit_write_home_certs',` | |
4590 | gen_require(` | |
4591 | type home_cert_t; | |
4592 | ') | |
4593 | ||
4594 | dontaudit $1 home_cert_t:file write; | |
4595 | ') | |
4596 | ||
3eaa9939 DW |
4597 | ######################################## |
4598 | ## <summary> | |
4599 | ## dontaudit Search getatrr /root files | |
4600 | ## </summary> | |
4601 | ## <param name="domain"> | |
4602 | ## <summary> | |
24280f35 | 4603 | ## Domain to not audit. |
3eaa9939 DW |
4604 | ## </summary> |
4605 | ## </param> | |
4606 | # | |
4607 | interface(`userdom_dontaudit_getattr_admin_home_files',` | |
4608 | gen_require(` | |
4609 | type admin_home_t; | |
4610 | ') | |
4611 | ||
4612 | dontaudit $1 admin_home_t:file getattr; | |
4613 | ') | |
4614 | ||
4615 | ######################################## | |
4616 | ## <summary> | |
4617 | ## dontaudit read /root lnk files | |
4618 | ## </summary> | |
4619 | ## <param name="domain"> | |
4620 | ## <summary> | |
24280f35 | 4621 | ## Domain to not audit. |
3eaa9939 DW |
4622 | ## </summary> |
4623 | ## </param> | |
4624 | # | |
4625 | interface(`userdom_dontaudit_read_admin_home_lnk_files',` | |
4626 | gen_require(` | |
4627 | type admin_home_t; | |
4628 | ') | |
4629 | ||
4630 | dontaudit $1 admin_home_t:lnk_file read; | |
4631 | ') | |
4632 | ||
4633 | ######################################## | |
4634 | ## <summary> | |
4635 | ## dontaudit read /root files | |
4636 | ## </summary> | |
4637 | ## <param name="domain"> | |
4638 | ## <summary> | |
24280f35 | 4639 | ## Domain to not audit. |
3eaa9939 DW |
4640 | ## </summary> |
4641 | ## </param> | |
4642 | # | |
4643 | interface(`userdom_dontaudit_read_admin_home_files',` | |
4644 | gen_require(` | |
4645 | type admin_home_t; | |
4646 | ') | |
4647 | ||
4648 | dontaudit $1 admin_home_t:file read_file_perms; | |
4649 | ') | |
4650 | ||
4651 | ######################################## | |
4652 | ## <summary> | |
4653 | ## Create, read, write, and delete user | |
4654 | ## temporary chr files. | |
4655 | ## </summary> | |
4656 | ## <param name="domain"> | |
4657 | ## <summary> | |
4658 | ## Domain allowed access. | |
4659 | ## </summary> | |
4660 | ## </param> | |
4661 | # | |
4662 | interface(`userdom_manage_user_tmp_chr_files',` | |
4663 | gen_require(` | |
4664 | type user_tmp_t; | |
4665 | ') | |
4666 | ||
4667 | manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) | |
4668 | files_search_tmp($1) | |
4669 | ') | |
4670 | ||
4671 | ######################################## | |
4672 | ## <summary> | |
4673 | ## Create, read, write, and delete user | |
4674 | ## temporary blk files. | |
4675 | ## </summary> | |
4676 | ## <param name="domain"> | |
4677 | ## <summary> | |
4678 | ## Domain allowed access. | |
4679 | ## </summary> | |
4680 | ## </param> | |
4681 | # | |
4682 | interface(`userdom_manage_user_tmp_blk_files',` | |
4683 | gen_require(` | |
4684 | type user_tmp_t; | |
4685 | ') | |
4686 | ||
4687 | manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4688 | files_search_tmp($1) | |
4689 | ') | |
4690 | ||
4691 | ######################################## | |
4692 | ## <summary> | |
4693 | ## Dontaudit attempt to set attributes on user temporary directories. | |
4694 | ## </summary> | |
4695 | ## <param name="domain"> | |
4696 | ## <summary> | |
24280f35 | 4697 | ## Domain to not audit. |
3eaa9939 DW |
4698 | ## </summary> |
4699 | ## </param> | |
4700 | # | |
4701 | interface(`userdom_dontaudit_setattr_user_tmp',` | |
4702 | gen_require(` | |
4703 | type user_tmp_t; | |
4704 | ') | |
4705 | ||
4706 | dontaudit $1 user_tmp_t:dir setattr; | |
4707 | ') | |
4708 | ||
4709 | ######################################## | |
4710 | ## <summary> | |
4711 | ## Write all inherited users files in /tmp | |
4712 | ## </summary> | |
4713 | ## <param name="domain"> | |
4714 | ## <summary> | |
4715 | ## Domain allowed access. | |
4716 | ## </summary> | |
4717 | ## </param> | |
4718 | # | |
4719 | interface(`userdom_write_inherited_user_tmp_files',` | |
4720 | gen_require(` | |
4721 | type user_tmp_t; | |
4722 | ') | |
4723 | ||
4724 | allow $1 user_tmp_t:file write; | |
4725 | ') | |
4726 | ||
4727 | ######################################## | |
4728 | ## <summary> | |
4729 | ## Delete all users files in /tmp | |
4730 | ## </summary> | |
4731 | ## <param name="domain"> | |
4732 | ## <summary> | |
4733 | ## Domain allowed access. | |
4734 | ## </summary> | |
4735 | ## </param> | |
4736 | # | |
4737 | interface(`userdom_delete_user_tmp_files',` | |
4738 | gen_require(` | |
4739 | type user_tmp_t; | |
4740 | ') | |
4741 | ||
4742 | allow $1 user_tmp_t:file delete_file_perms; | |
4743 | ') | |
4744 | ||
4745 | ######################################## | |
4746 | ## <summary> | |
4747 | ## Delete user tmpfs files. | |
4748 | ## </summary> | |
4749 | ## <param name="domain"> | |
4750 | ## <summary> | |
4751 | ## Domain allowed access. | |
4752 | ## </summary> | |
4753 | ## </param> | |
4754 | # | |
4755 | interface(`userdom_delete_user_tmpfs_files',` | |
4756 | gen_require(` | |
4757 | type user_tmpfs_t; | |
4758 | ') | |
4759 | ||
4760 | allow $1 user_tmpfs_t:file delete_file_perms; | |
4761 | ') | |
4762 | ||
4763 | ######################################## | |
4764 | ## <summary> | |
4765 | ## Read/Write unpriviledged user SysV shared | |
4766 | ## memory segments. | |
4767 | ## </summary> | |
4768 | ## <param name="domain"> | |
4769 | ## <summary> | |
4770 | ## Domain allowed access. | |
4771 | ## </summary> | |
4772 | ## </param> | |
4773 | # | |
4774 | interface(`userdom_rw_unpriv_user_shared_mem',` | |
4775 | gen_require(` | |
4776 | attribute unpriv_userdomain; | |
4777 | ') | |
4778 | ||
4779 | allow $1 unpriv_userdomain:shm rw_shm_perms; | |
4780 | ') | |
4781 | ||
4782 | ######################################## | |
4783 | ## <summary> | |
4784 | ## Do not audit attempts to search user | |
4785 | ## temporary directories. | |
4786 | ## </summary> | |
4787 | ## <param name="domain"> | |
4788 | ## <summary> | |
4789 | ## Domain to not audit. | |
4790 | ## </summary> | |
4791 | ## </param> | |
4792 | # | |
4793 | interface(`userdom_dontaudit_search_user_tmp',` | |
4794 | gen_require(` | |
4795 | type user_tmp_t; | |
4796 | ') | |
4797 | ||
4798 | dontaudit $1 user_tmp_t:dir search_dir_perms; | |
4799 | ') | |
4800 | ||
4801 | ######################################## | |
4802 | ## <summary> | |
4803 | ## Execute a file in a user home directory | |
4804 | ## in the specified domain. | |
4805 | ## </summary> | |
4806 | ## <desc> | |
4807 | ## <p> | |
4808 | ## Execute a file in a user home directory | |
4809 | ## in the specified domain. | |
4810 | ## </p> | |
4811 | ## <p> | |
4812 | ## No interprocess communication (signals, pipes, | |
4813 | ## etc.) is provided by this interface since | |
4814 | ## the domains are not owned by this module. | |
4815 | ## </p> | |
4816 | ## </desc> | |
4817 | ## <param name="domain"> | |
4818 | ## <summary> | |
4819 | ## Domain allowed access. | |
4820 | ## </summary> | |
4821 | ## </param> | |
4822 | ## <param name="target_domain"> | |
4823 | ## <summary> | |
4824 | ## The type of the new process. | |
4825 | ## </summary> | |
4826 | ## </param> | |
4827 | # | |
4828 | interface(`userdom_domtrans_user_home',` | |
4829 | gen_require(` | |
4830 | type user_home_t; | |
4831 | ') | |
4832 | ||
4833 | read_lnk_files_pattern($1, user_home_t, user_home_t) | |
4834 | domain_transition_pattern($1, user_home_t, $2) | |
4835 | type_transition $1 user_home_t:process $2; | |
4836 | ') | |
4837 | ||
4838 | ######################################## | |
4839 | ## <summary> | |
4840 | ## Execute a file in a user tmp directory | |
4841 | ## in the specified domain. | |
4842 | ## </summary> | |
4843 | ## <desc> | |
4844 | ## <p> | |
4845 | ## Execute a file in a user tmp directory | |
4846 | ## in the specified domain. | |
4847 | ## </p> | |
4848 | ## <p> | |
4849 | ## No interprocess communication (signals, pipes, | |
4850 | ## etc.) is provided by this interface since | |
4851 | ## the domains are not owned by this module. | |
4852 | ## </p> | |
4853 | ## </desc> | |
4854 | ## <param name="domain"> | |
4855 | ## <summary> | |
4856 | ## Domain allowed access. | |
4857 | ## </summary> | |
4858 | ## </param> | |
4859 | ## <param name="target_domain"> | |
4860 | ## <summary> | |
4861 | ## The type of the new process. | |
4862 | ## </summary> | |
4863 | ## </param> | |
4864 | # | |
4865 | interface(`userdom_domtrans_user_tmp',` | |
4866 | gen_require(` | |
4867 | type user_tmp_t; | |
4868 | ') | |
4869 | ||
4870 | files_search_tmp($1) | |
4871 | read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) | |
4872 | domain_transition_pattern($1, user_tmp_t, $2) | |
4873 | type_transition $1 user_tmp_t:process $2; | |
4874 | ') | |
ca9e8850 DW |
4875 | |
4876 | ######################################## | |
4877 | ## <summary> | |
4878 | ## Do not audit attempts to read all user home content files. | |
4879 | ## </summary> | |
4880 | ## <param name="domain"> | |
4881 | ## <summary> | |
4882 | ## Domain to not audit. | |
4883 | ## </summary> | |
4884 | ## </param> | |
4885 | # | |
4886 | interface(`userdom_dontaudit_read_all_user_home_content_files',` | |
4887 | gen_require(` | |
4888 | attribute user_home_type; | |
4889 | ') | |
4890 | ||
4891 | dontaudit $1 user_home_type:file read_file_perms; | |
4892 | ') | |
4893 | ||
4894 | ######################################## | |
4895 | ## <summary> | |
4896 | ## Do not audit attempts to read all user tmp content files. | |
4897 | ## </summary> | |
4898 | ## <param name="domain"> | |
4899 | ## <summary> | |
4900 | ## Domain to not audit. | |
4901 | ## </summary> | |
4902 | ## </param> | |
4903 | # | |
4904 | interface(`userdom_dontaudit_read_all_user_tmp_content_files',` | |
4905 | gen_require(` | |
4906 | attribute user_tmp_type; | |
4907 | ') | |
4908 | ||
4909 | dontaudit $1 user_tmp_type:file read_file_perms; | |
4910 | ') | |
4911 | ||
2aa4540b MG |
4912 | ####################################### |
4913 | ## <summary> | |
4914 | ## Read and write unpriviledged user SysV sempaphores. | |
4915 | ## </summary> | |
4916 | ## <param name="domain"> | |
4917 | ## <summary> | |
4918 | ## Domain allowed access. | |
4919 | ## </summary> | |
4920 | ## </param> | |
4921 | # | |
4922 | interface(`userdom_rw_unpriv_user_semaphores',` | |
4923 | gen_require(` | |
4924 | attribute unpriv_userdomain; | |
4925 | ') | |
4926 | ||
4927 | allow $1 unpriv_userdomain:sem rw_sem_perms; | |
4928 | ') |