[people/stevee/selinux-policy.git] / refpolicy / policy / modules / system / userdomain.if

## <summary>Policy for user domains</summary>

#######################################
## <summary>
##	The template containing rules common to unprivileged
##	users and administrative users.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	This generally should not be used, rather the
##	unpriv_user_template or admin_user_template should
##	be used.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
#
template(`base_user_template',`

	attribute $1_file_type;

	type $1_t, userdomain;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	# user pseudoterminal
	type $1_devpts_t;
	term_user_pty($1_t,$1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_type($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	files_type($1_home_t)

	type $1_tmp_t, $1_file_type;
	files_tmp_file($1_tmp_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_tty_device_t; 
	term_tty($1_t,$1_tty_device_t)

	##############################
	#
	# Local policy
	#

	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	# Irrelevant until we have labeled networking.
	#allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory
	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };

	# full control of the home directory
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir create_dir_perms;
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };

	# Bind to a Unix domain socket in /tmp.
	# cjp: this is combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	# user domains.
	per_userdomain_templates($1)

	kernel_read_kernel_sysctl($1_t)
	selinux_get_fs_mount($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)

	dev_rw_power_management($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)

	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	# allow port_t name binding for UDP because it is not very usable otherwise
	corenet_udp_bind_generic_port($1_t)

	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_search_auto_mountpoints($1_t)

	# for eject
	storage_getattr_fixed_disk($1_t)

	auth_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)
	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecmd_exec_bin($1_t)
	corecmd_exec_sbin($1_t)
	corecmd_exec_ls($1_t)

	domain_exec_all_entry_files($1_t)
	domain_use_wide_inherit_fd($1_t)

	files_exec_etc_files($1_t)
	files_read_usr_src_files($1_t)
	files_search_generic_locks($1_t)

	# Caused by su - init scripts
	init_dontaudit_use_script_pty($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_exec_ld_so($1_t)
	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_rw_man_cache($1_t)

	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	mta_rw_spool($1_t)

	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)
	')

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_t)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)
	')

	optional_policy(`nis.te',`
		nis_use_ypbind($1_t)
	')

	optional_policy(`usermanage.te',`
		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
	')

	ifdef(`TODO',`

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc.  Do not audit these denials.
	dontaudit $1_t domain:dir r_dir_perms;
	dontaudit $1_t domain:notdevfile_class_set r_file_perms;
	dontaudit $1_t domain:process { getattr getsession };
	#
	# Cups daemon running as user tries to write /etc/printcap
	#
	dontaudit $1_t usr_t:file setattr;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	#
	# Added to allow reading of cdrom
	#
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	tunable_policy(`read_default_t',`
		allow $1_t default_t:dir r_dir_perms;
		allow $1_t default_t:notdevfile_class_set r_file_perms;
	')

	#
	# Running ifconfig as a user generates the following
	#
	dontaudit $1_t sysctl_net_t:dir search;

	dontaudit $1_t default_context_t:dir search;

	r_dir_file($1_t, usercanread)

	tunable_policy(`allow_execmod',`
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1_t texrel_shlib_t:file execmod;
	')

	allow $1_t fs_type:dir getattr;

	# old "file_browse_domain":
	# Regular files/directories that are not security sensitive
	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
	dontaudit $1_t file_type - secure_file_type:dir { read search };
	# /dev
	dontaudit $1_t dev_fs:dir_file_class_set getattr;
	dontaudit $1_t dev_fs:dir { read search };
	# /proc
	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
	dontaudit $1_t proc_fs:dir { read search };

	can_exec($1_t, { removable_t noexattrfile } )

	tunable_policy(`user_rw_noexattrfile',`
		create_dir_file($1_t, noexattrfile)
		create_dir_file($1_t, removable_t)
		# Write floppies 
		storage_raw_read_removable_device($1_t)
		storage_raw_write_removable_device($1_t)
		# cjp: what does this have to do with removable devices?
		allow $1_t usbtty_device_t:chr_file write;
	',`
		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;
	')

	allow $1_t usbtty_device_t:chr_file read;

	can_exec($1_t, noexattrfile)

	# for running TeX programs
	r_dir_file($1_t, tetex_data_t)
	can_exec($1_t, tetex_data_t)

	can_resmgrd_connect($1_t)

	# Grant permissions to access the system DBus
	ifdef(`dbusd.te', `
		dbusd_client(system, $1)
		can_network_server_tcp($1_dbusd_t)
		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
	
		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_client($1, $1)
		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_domain($1)
		ifdef(`hald.te', `
			allow $1_t hald_t:dbus send_msg;
			allow hald_t $1_t:dbus send_msg;
		')
	')

	# Gnome pannel binds to the following
	ifdef(`cups.te', `
		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
	')

	# Connect to inetd.
	ifdef(`inetd.te', `
		can_tcp_connect($1_t, inetd_t)
		can_udp_send($1_t, inetd_t)
		can_udp_send(inetd_t, $1_t)
	')

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	# Inherit and use sockets from inetd
	ifdef(`inetd.te', `
		allow $1_t inetd_t:fd use;
		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
	')

	ifdef(`xserver.te', `
		# for /tmp/.ICE-unix
		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
	')

	ifdef(`xdm.te', `
		# Connect to the X server run by the X Display Manager.
		can_unix_connect($1_t, xdm_t)
		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
		allow $1_t xdm_tmp_t:dir r_dir_perms;
		allow $1_t xdm_tmp_t:file r_file_perms;
		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
		allow $1_t xdm_xserver_tmp_t:dir search;
		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
		# certain apps want to read xdm.pid file
		r_dir_file($1_t, xdm_var_run_t)
		allow $1_t xdm_var_lib_t:file r_file_perms;
		allow xdm_t $1_home_dir_t:dir getattr;
		ifdef(`xauth.te', `
			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
		')

		# for shared memory
		allow xdm_xserver_t $1_tmpfs_t:file { read write };

	')

	ifdef(`rpcd.te', `
		create_dir_file($1_t, nfsd_rw_t)
	')

	ifdef(`cardmgr.te', `
		# to allow monitoring of pcmcia status
		allow $1_t cardmgr_var_run_t:file r_file_perms;
	')

	#
	# Allow graphical boot to check battery lifespan
	#
	ifdef(`apmd.te', `
		allow $1_t apmd_t:unix_stream_socket connectto;
		allow $1_t apmd_var_run_t:sock_file write;
	')

	ifdef(`pamconsole.te', `
		allow $1_t pam_var_console_t:dir search;
	')

	') dnl endif TODO

')dnl end base_user_domain macro

#######################################
## <summary>
##	The template for creating a unprivileged user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
#
template(`unpriv_user_template', `
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_template($1)

	typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
	domain_wide_inherit_fd($1_t)

	#typeattribute $1_devpts_t userpty_type, user_tty_type;
	#typeattribute $1_home_dir_t user_home_dir_type;
	#typeattribute $1_home_t user_home_type;

	typeattribute $1_tmp_t user_tmpfile;

	typeattribute $1_tty_device_t user_ttynode;
 
	##############################
	#
	# Local policy
	#

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# privileged home directory writers
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	dev_read_sysfs($1_t)

	# cjp: why?
	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_etc_files($1_t)
	files_list_home($1_t)
	files_read_usr_files($1_t)

	init_read_script_pid($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails. 
	init_dontaudit_write_script_pid($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fd($1_t)
	init_dontaudit_use_script_fd($1_t)

	miscfiles_read_man_pages($1_t)

	seutil_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	seutil_exec_checkpol($1_t)

	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)
	',`
		kernel_dontaudit_read_ring_buffer($1_t)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users)  disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_port($1_t)
	')

	optional_policy(`kerberos.te',`
		kerberos_use($1_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_module_conf($1_t)
	')

	optional_policy(`selinux.te',`
		# for when the network connection is killed
		seutil_dontaudit_signal_newrole($1_t)
	')

	# Need the following rule to allow users to run vpnc
	optional_policy(`xserver.te', `
		corenetwork_bind_tcp_on_xserver_port($1_t)
	')

	ifdef(`TODO',`

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	ifdef(`xdm.te', `
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;
		#
		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
		# 
		dontaudit xdm_t $1_home_t:file rw_file_perms;
	')

	ifdef(`ftpd.te', `
		tunable_policy(`ftp_home_dir',`
			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
		')
	')

	tunable_policy(`read_default_t',`
		allow $1 default_t:dir r_dir_perms;
		allow $1 default_t:notdevfile_class_set r_file_perms;
	')

	can_exec($1_t, usr_t)

	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	allow $1_t readable_t:dir r_dir_perms;
	allow $1_t readable_t:notdevfile_class_set r_file_perms;

	# Stat lost+found.
	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	allow $1_t var_t:dir r_dir_perms;
	allow $1_t var_t:notdevfile_class_set r_file_perms;
	allow $1_t var_spool_t:dir r_dir_perms;
	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
	allow $1_t var_run_t:dir r_dir_perms;
	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	tunable_policy(`user_rw_usb',`
		rw_dir_create_file($1_t,usbdevfs_t)
	',`
		r_dir_file($1_t,usbdevfs_t)
	')

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
		# Some programs that are left in $1_t will try to connect
		# to syslogd, but we do not want to let them generate log messages.
		# Do not audit.
		dontaudit $1_t devlog_t:sock_file { read write };
		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
	')

	allow $1_t initrc_t:fifo_file write;

	ifdef(`user_can_mount', `
		#
		#  Allow users to mount file systems like floppies and cdrom
		#
		mount_domain($1, $1_mount, `, fs_domain')
		r_dir_file($1_t, mnt_t)
		allow $1_mount_t device_t:lnk_file read;
		allow $1_mount_t removable_device_t:blk_file read;
		allow $1_mount_t iso9660_t:filesystem relabelfrom;
		allow $1_mount_t removable_t:filesystem { mount relabelto };
		allow $1_mount_t removable_t:dir mounton;
		ifdef(`xdm.te', `
			allow $1_mount_t xdm_t:fd use;
			allow $1_mount_t xdm_t:fifo_file { read write };
		')
	')

	') dnl end TODO
')

#######################################
## <summary>
##	The template for creating an administrative user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <secdesc>
##	The privileges given to administrative users are:
##	<ul>
##		<li>Raw disk access</li>
##		<li>Set all sysctls</li>
##		<li>All kernel ring buffer controls</li>
##		<li>Set SELinux enforcement mode (enforcing/permissive)</li>
##		<li>Set SELinux booleans</li>
##		<li>Relabel all files but shadow</li>
##		<li>Create, read, write, and delete all files but shadow</li>
##		<li>Manage source and binary format SELinux policy</li>
##		<li>Run insmod</li>
##	</ul>
## </secdesc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., sysadm
##	is the prefix for sysadm_t).
## </param>
#
template(`admin_user_template',`
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_template($1)

	typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
	domain_obj_id_change_exempt($1_t)
	role system_r types $1_t;

	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
	#; dnl end of sysadm_t type declaration

	typeattribute $1_devpts_t admin_terminal;

	typeattribute $1_tty_device_t admin_terminal;

	##############################
	#
	# $1_t local policy
	#

	allow $1_t self:capability ~sys_module;
	allow $1_t self:process { setexec setfscreate };

	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };

	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	# for the administrator to run TCP servers directly
	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctl($1_t)

	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)

	selinux_set_enforce_mode($1_t)
	selinux_set_boolean($1_t)
	selinux_set_parameters($1_t)
	# Get security policy decisions:
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)

	corenet_tcp_bind_generic_port($1_t)

	dev_getattr_generic_blk_file($1_t)
	dev_getattr_generic_chr_file($1_t)
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_set_all_quotas($1_t)

	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)

	term_use_console($1_t)
	term_use_unallocated_tty($1_t)
	term_use_all_user_ptys($1_t)
	term_use_all_user_ttys($1_t)

	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	# signal all domains:
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)

	files_exec_usr_files($1_t)

	init_use_initctl($1_t)

	logging_send_syslog_msg($1_t)

	modutils_domtrans_insmod($1_t)

	seutil_read_config($1_t)
	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_pol($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_binary_pol($1_t)

	optional_policy(`cron.te',`
		cron_admin_template($1)
	')

	ifdef(`TODO',`

	# Let admin stat the shadow file.
	allow $1_t shadow_t:file getattr;

	# for lsof
	allow $1_t mtrr_device_t:file getattr;

	allow $1_t serial_device:chr_file setattr;

	# allow setting up tunnels
	allow $1_t tun_tap_device_t:chr_file rw_file_perms;

	allow $1_t ptyfile:chr_file getattr;

	# Run programs from staff home directories.
	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
	can_exec($1_t, staff_home_t)

	# Run admin programs that require different permissions in their own domain.
	# These rules were moved into the appropriate program domain file.

	ifdef(`startx.te', `
		ifdef(`xserver.te', `
			# Create files in /tmp/.X11-unix with our X servers derived
			# tmp type rather than user_xserver_tmp_t.
			file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
		')
	')

	ifdef(`xdm.te', `
		ifdef(`xauth.te', `
			tunable_policy(`xdm_sysadm_login',`
				allow xdm_t $1_home_t:lnk_file read;
				allow xdm_t $1_home_t:dir search;
			')
			allow $1_t xdm_t:fifo_file rw_file_perms;
		')
	')

	#
	# A user who is authorized for sysadm_t may nonetheless have
	# a home directory labeled with user_home_t if the user is expected
	# to login in either user_t or sysadm_t.  Hence, the derived domains
	# for programs need to be able to access user_home_t.  
	# 

	# Allow our gph domain to write to .xsession-errors.
	ifdef(`gnome-pty-helper.te', `
		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
		allow $1_gph_t user_home_type:file create_file_perms;
	')

	# for the administrator to run TCP servers directly
	allow $1_t kernel_t:tcp_socket recvfrom;

	# Connect data port to ftpd.
	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

	# Connect second port to rshd.
	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

	# Allow MAKEDEV to work
	allow $1_t device_t:dir rw_dir_perms;
	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
	allow $1_t device_t:lnk_file { create read };

	# for lsof
	allow $1_t domain:socket_class_set getattr;
	allow $1_t eventpollfs_t:file getattr;
	') dnl endif TODO
')

########################################
## <summary>
##	Execute a shell in all user domains.  This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	corecmd_shell_spec_domtrans($1,userdomain)
')

########################################
## <summary>
##	Execute a shell in all unprivileged user domains.  This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
')

########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_shell_domtrans_sysadm',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		unconfined_domtrans_shell($1)
	',`
		gen_require(`
			type sysadm_t;
		')

		corecmd_domtrans_shell($1,sysadm_t)
	')
')

########################################
## <summary>
##	Read files in the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_staff_home_files',`
	gen_require(`
		type staff_home_dir_t, staff_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	files_search_home($1)
	allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
	allow $1 staff_home_t:{ file lnk_file } r_file_perms;
')

########################################
## <summary>
##	Read and write sysadm ttys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		term_use_unallocated_tty($1)
	',`
		gen_require(`
			type sysadm_tty_device_t;
			class chr_file rw_term_perms;
		')

		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
	')
')

########################################
## <summary>
##	Read and write sysadm ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_pty',`
	ifdef(`targeted_policy',`
		term_use_generic_pty($1)
	',`
		gen_require(`
			type sysadm_devpts_t;
			class chr_file rw_term_perms;
		')

		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
	')
')

########################################
## <summary>
##	Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_terms',`
	userdom_use_sysadm_tty($1)
	userdom_use_sysadm_pty($1)
')

########################################
## <summary>
##	Do not audit attempts to use admin ttys and ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
	ifdef(`targeted_policy',`
		term_dontaudit_use_generic_pty($1)
	',`
		gen_require(`
			attribute admin_terminal;
			class chr_file { read write };
		')

		dontaudit $1 admin_terminal:chr_file { read write };
	')
')

########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_fd',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		unconfined_use_fd($1)
	',`
		gen_require(`
			type sysadm_t;
			class fd use;
		')

		allow $1 sysadm_t:fd use;
	')
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_rw_sysadm_pipe',`
	ifdef(`targeted_policy',`
		#cjp: need to doublecheck this one
		unconfined_rw_pipe($1)
	',`
		gen_require(`
			type sysadm_t;
			class fifo_file rw_file_perms;
		')

		allow $1 sysadm_t:fifo_file rw_file_perms;
	')
')

########################################
## <summary>
##	Read files in the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_sysadm_home_files',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	files_search_home($1)
	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
')

########################################
## <summary>
##	Search all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_all_users_home',`
	gen_require(`
		attribute home_dir_type, home_type;
		class dir search;
	')

	files_list_home($1)
	allow $1 { home_dir_type home_type }:dir search;
')

########################################
## <summary>
##	Read all files in all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_all_user_files',`
	gen_require(`
		attribute home_type;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	files_list_home($1)
	allow $1 home_type:dir r_dir_perms;
	allow $1 home_type:file r_file_perms;
')

########################################
## <summary>
##	Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
	gen_require(`
		attribute user_tmpfile;
		class file { getattr write append };
	')

	allow $1 user_tmpfile:file { getattr write append };
')

########################################
## <summary>
##	Inherit the file descriptors from all user domains
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
	gen_require(`
		attribute userdomain;
		class fd use;
	')

	allow $1 userdomain:fd use;
')

########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
		class process signal;
	')

	allow $1 userdomain:process signal;
')

########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
		class process signal;
	')

	allow $1 unpriv_userdomain:process signal;
')

########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_unpriv_users_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	allow $1 unpriv_userdomain:fd use;
')

########################################
## <summary>
##	Do not audit attempts to inherit the
##	file descriptors from all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	dontaudit $1 unpriv_userdomain:fd use;
')

########################################
## <summary>
##	Do not audit attempts to use unprivileged
##	user ttys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
	gen_require(`
		attribute user_ttynode;
		class chr_file rw_file_perms;
	')

	dontaudit $1 user_ttynode:chr_file rw_file_perms;
')

########################################
## <summary>
##	Unconfined access to user domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`userdom_unconfined',`
	gen_require(`
		type user_home_dir_t;
		class dir create_dir_perms;
	')

	allow $1 user_home_dir_t:dir create_dir_perms;
	files_create_home_dirs($1,user_home_dir_t)
')