## <module name="userdomain">
## <summary>Policy for user domains</summary>

########################################
#
# Base user domain template
#
# This is the part shared by the user and admin domain templates.
# It is only meant to be expanded from those two templates.

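define(`base_user_domain',`
	# base_user_domain(prefix)
	#
	# Shared core of the user and admin domain templates below; it is
	# not meant to be expanded on its own.  For a prefix $1 it declares:
	#   $1_t            the process domain (attribute userdomain)
	#   $1_r            the role authorized for $1_t
	#   $1_devpts_t     pseudo terminals allocated to the user
	#   $1_tty_device_t physical terminals owned by the user
	#   $1_home_dir_t   the home directory itself
	#   $1_home_t       everything created under the home directory
	#   $1_tmp_t        files in /tmp
	#   $1_tmpfs_t      tmpfs backed objects
	#   $1_file_type    attribute collecting the home and tmp file types
	# and grants the access every user domain gets regardless of
	# privilege.  Whatever goes beyond that (privileged home writers,
	# admin capabilities) is added by the calling template.
	# The attributes userdomain, unpriv_userdomain, home_type and
	# home_dir_type are expected to be declared outside this template.

	attribute $1_file_type;

	type $1_t, userdomain;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	role $1_r types $1_t;
	# system_r may change to the user role (login programs need this)
	allow system_r $1_r;

	# user pseudoterminal
	type $1_devpts_t;
	term_user_pty($1_t,$1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_file_type($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	# Mark the home directory type itself as a file type (the previous
	# revision repeated $1_home_t here, so $1_home_dir_t never received
	# the file_type attribute).
	files_file_type($1_home_dir_t)

	type $1_tmp_t, $1_file_type;
	files_tmp_file($1_tmp_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_tty_device_t;
	term_tty($1_t,$1_tty_device_t)

	##############################
	#
	# Local policy
	#

	# Capabilities are deliberately minimal; note that net_raw is not
	# among them, so the raw socket rules further down are only
	# reachable if something else grants that capability.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	# Self process controls: everything except the listed ones, and
	# then ptrace and setfscreate are handed straight back on the next
	# line.  The effective exclusions are therefore setcurrent, setexec,
	# setrlimit, execmem (re-added below under a tunable) and
	# dyntransition.  setfscreate lets the domain choose the label of
	# files it creates, still bounded by the create rules it holds;
	# review whether both re-grants are still wanted.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	# Irrelevant until we have labeled networking.
	#allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory (no domain transition)
	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };

	# full control of the home directory; relabelfrom/relabelto are
	# both on $1_home_t, so files can only be relabeled within that type
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir create_dir_perms;
	# new objects directly under the home directory get the contents type
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	# executing from /tmp is allowed as well, again without transition
	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };

	# Bind to a Unix domain socket in /tmp.
	# cjp: this combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	# use file descriptors inherited from any unprivileged user domain
	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	# user domains.
	per_userdomain_templates($1)

	kernel_read_kernel_sysctl($1_t)
	selinux_get_fs_mount($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)
	# GNOME checks for usb and other devices:
	# (this is read-write access to usbfs, not just getattr)
	dev_rw_usbfs($1_t)

	# Network access is wide open at the type level: every interface,
	# node and port for tcp and udp, plus raw.  The only narrowing for
	# unprivileged users is on the bind side (generic udp port here,
	# tcp port behind the user_tcp_server tunable in the user template).
	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	# allow port_t name binding for UDP because it is not very usable otherwise
	corenet_udp_bind_generic_port($1_t)

	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)

	# for eject
	storage_getattr_fixed_disk($1_t)

	auth_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)
	# domain transitions to the pam helper and utempter, keeping the
	# user terminals usable from the new domain
	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecmd_exec_bin($1_t)
	corecmd_exec_sbin($1_t)
	corecmd_exec_ls($1_t)

	# domain entry files run in the user domain itself when executed
	# from here, not in the domain they are the entry point of
	domain_exec_all_entry_files($1_t)
	domain_use_wide_inherit_fd($1_t)

	files_exec_generic_etc_files($1_t)
	files_read_usr_src($1_t)

	# Caused by su - init scripts
	init_dontaudit_use_script_pty($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_exec_ld_so($1_t)
	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_rw_man_cache($1_t)

	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	# Unconditional read-write access to the mail spool for every user
	# domain; consider moving this behind a tunable where local mail
	# delivery is not in use.
	mta_rw_spool($1_t)

	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)
	')

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_t)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)
	')

	optional_policy(`usermanage.te',`
		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
	')

# Everything below is legacy rules that have not been converted to
# interfaces yet; the TODO symbol is never set, so none of it is built.
ifdef(`TODO',`

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	dontaudit $1_t domain:dir r_dir_perms;
	dontaudit $1_t domain:notdevfile_class_set r_file_perms;
	dontaudit $1_t domain:process { getattr getsession };
	#
	# Cups daemon running as user tries to write /etc/printcap
	#
	dontaudit $1_t usr_t:file setattr;

	# Access the power device.
	allow $1_t power_device_t:chr_file rw_file_perms;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	#
	# Added to allow reading of cdrom
	#
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	tunable_policy(`read_default_t',`
		allow $1_t default_t:dir r_dir_perms;
		allow $1_t default_t:notdevfile_class_set r_file_perms;
	')

	#
	# Running ifconfig as a user generates the following
	#
	dontaudit $1_t sysctl_net_t:dir search;

	dontaudit $1_t default_context_t:dir search;

	r_dir_file($1_t, usercanread)

	can_ypbind($1_t)

	tunable_policy(`allow_execmod',`
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1_t texrel_shlib_t:file execmod;
	')

	allow $1_t fs_type:dir getattr;

	# old "file_browse_domain":
	# Regular files/directories that are not security sensitive
	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
	dontaudit $1_t file_type - secure_file_type:dir { read search };
	# /dev
	dontaudit $1_t dev_fs:dir_file_class_set getattr;
	dontaudit $1_t dev_fs:dir { read search };
	# /proc
	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
	dontaudit $1_t proc_fs:dir { read search };

	allow $1_t autofs_t:dir { getattr search };

	can_exec($1_t, { removable_t noexattrfile } )

	tunable_policy(`user_rw_noexattrfile',`
		create_dir_file($1_t, noexattrfile)
		create_dir_file($1_t, removable_t)
		# Write floppies
		allow $1_t removable_device_t:blk_file rw_file_perms;
		allow $1_t usbtty_device_t:chr_file write;
	',`
		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;
	')

	allow $1_t usbtty_device_t:chr_file read;

	can_exec($1_t, noexattrfile)

	# for running TeX programs
	r_dir_file($1_t, tetex_data_t)
	can_exec($1_t, tetex_data_t)

	# Run programs developed by other users in the same domain.

	can_resmgrd_connect($1_t)

	can_ypbind($1_t)

	allow $1_t var_lock_t:dir search;

	# Grant permissions to access the system DBus
	ifdef(`dbusd.te', `
		dbusd_client(system, $1)
		can_network_server_tcp($1_dbusd_t)
		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;

		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_client($1, $1)
		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_domain($1)
		ifdef(`hald.te', `
			allow $1_t hald_t:dbus send_msg;
			allow hald_t $1_t:dbus send_msg;
		')
	')

	# Gnome panel binds to the following
	ifdef(`cups.te', `
		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
	')

	# Connect to inetd.
	ifdef(`inetd.te', `
		can_tcp_connect($1_t, inetd_t)
		can_udp_send($1_t, inetd_t)
		can_udp_send(inetd_t, $1_t)
	')

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	# Inherit and use sockets from inetd
	ifdef(`inetd.te', `
		allow $1_t inetd_t:fd use;
		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
	')

	ifdef(`xserver.te', `
		# for /tmp/.ICE-unix
		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
	')

	ifdef(`xdm.te', `
		# Connect to the X server run by the X Display Manager.
		can_unix_connect($1_t, xdm_t)
		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
		allow $1_t xdm_tmp_t:dir r_dir_perms;
		allow $1_t xdm_tmp_t:file r_file_perms;
		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
		allow $1_t xdm_xserver_tmp_t:dir search;
		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
		# certain apps want to read xdm.pid file
		r_dir_file($1_t, xdm_var_run_t)
		allow $1_t xdm_var_lib_t:file r_file_perms;
		allow xdm_t $1_home_dir_t:dir getattr;
		ifdef(`xauth.te', `
			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
		')

		# for shared memory
		allow xdm_xserver_t $1_tmpfs_t:file { read write };

	')

	ifdef(`rpcd.te', `
		create_dir_file($1_t, nfsd_rw_t)
	')

	ifdef(`cardmgr.te', `
		# to allow monitoring of pcmcia status
		allow $1_t cardmgr_var_run_t:file r_file_perms;
	')

	#
	# Allow graphical boot to check battery lifespan
	#
	ifdef(`apmd.te', `
		allow $1_t apmd_t:unix_stream_socket connectto;
		allow $1_t apmd_var_run_t:sock_file write;
	')

	ifdef(`automount.te', `
		allow $1_t autofs_t:dir { getattr search };
	')

	ifdef(`pamconsole.te', `
		allow $1_t pam_var_console_t:dir search;
	')

') dnl endif TODO

')dnl end base_user_domain macro
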
########################################
#
# User domain template (unprivileged login users)
#

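define(`user_domain_template', `
	# user_domain_template(prefix)
	#
	# Builds an unprivileged login user domain $1_t on top of the base
	# template: marks it unpriv_userdomain, adds its own pty, tmp and
	# home directory handling, and mostly read-only views of system
	# state.  Writing into the home directory from other domains is
	# limited to the privhome attribute; binding a TCP port and reading
	# the kernel ring buffer are behind tunables.

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_domain($1)

	typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
	domain_wide_inherit_fd($1_t)

	#typeattribute $1_devpts_t userpty_type, user_tty_type;
	#typeattribute $1_home_dir_t user_home_dir_type;
	#typeattribute $1_home_t user_home_type;

	#typeattribute $1_tmp_t, user_tmpfile;

	#typeattribute $1_tty_device_t user_tty_type;

	##############################
	#
	# Local policy
	#

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# privileged home directory writers: only domains carrying the
	# privhome attribute (the admin template adds it) may create
	# content in an unprivileged home, and what they create is
	# labeled with the home contents type
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	dev_read_sysfs($1_t)

	# cjp: why?
	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_generic_etc_files($1_t)
	files_list_home($1_t)
	files_read_usr_files($1_t)

	init_read_script_pid($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_write_script_pid($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fd($1_t)
	init_dontaudit_use_script_fd($1_t)

	miscfiles_read_man_pages($1_t)

	seutil_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	seutil_exec_checkpol($1_t)

	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)
	',`
		kernel_dontaudit_read_ring_buffer($1_t)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_port($1_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_module_conf($1_t)
	')

	optional_policy(`selinux.te',`
		# for when the network connection is killed
		seutil_dontaudit_newrole_signal($1_t)
	')

	# Need the following rule to allow users to run vpnc
	# NOTE(review): the name below does not follow the corenet_ prefix
	# used by every other network call in this file; confirm it is the
	# spelling the corenetwork module actually provides.
	optional_policy(`xserver.te', `
		corenetwork_bind_tcp_on_xserver_port($1_t)
	')

# Legacy rules not yet converted to interfaces; the TODO symbol is
# never set, so none of this is built.
ifdef(`TODO',`

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	can_kerberos($1_t)

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	ifdef(`xdm.te', `
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;
		#
		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
		#
		dontaudit xdm_t $1_home_t:file rw_file_perms;
	')

	ifdef(`ftpd.te', `
		tunable_policy(`ftp_home_dir',`
			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
		')
	')

	tunable_policy(`read_default_t',`
		# the previous revision used a bare $1 here, which is the
		# prefix and not a type; this now matches the same block in
		# the base template
		allow $1_t default_t:dir r_dir_perms;
		allow $1_t default_t:notdevfile_class_set r_file_perms;
	')

	can_exec($1_t, usr_t)

	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	allow $1_t readable_t:dir r_dir_perms;
	allow $1_t readable_t:notdevfile_class_set r_file_perms;

	# Stat lost+found.
	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	allow $1_t var_t:dir r_dir_perms;
	allow $1_t var_t:notdevfile_class_set r_file_perms;
	allow $1_t var_spool_t:dir r_dir_perms;
	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
	allow $1_t var_run_t:dir r_dir_perms;
	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	tunable_policy(`user_rw_usb',`
		rw_dir_create_file($1_t,usbdevfs_t)
	',`
		r_dir_file($1_t,usbdevfs_t)
	')

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
		# Some programs that are left in $1_t will try to connect
		# to syslogd, but we do not want to let them generate log messages.
		# Do not audit.
		dontaudit $1_t devlog_t:sock_file { read write };
		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
	')

	allow $1_t initrc_t:fifo_file write;

	ifdef(`user_can_mount', `
		#
		# Allow users to mount file systems like floppies and cdrom
		#
		mount_domain($1, $1_mount, `, fs_domain')
		r_dir_file($1_t, mnt_t)
		allow $1_mount_t device_t:lnk_file read;
		allow $1_mount_t removable_device_t:blk_file read;
		allow $1_mount_t iso9660_t:filesystem relabelfrom;
		allow $1_mount_t removable_t:filesystem { mount relabelto };
		allow $1_mount_t removable_t:dir mounton;
		ifdef(`xdm.te', `
			allow $1_mount_t xdm_t:fd use;
			allow $1_mount_t xdm_t:fifo_file { read write };
		')
	')

') dnl end TODO
')
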
########################################
#
# Admin domain template (root-equivalent administrative users)
#
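define(`admin_domain_template',`
	# admin_domain_template(prefix)
	#
	# Builds an administrative user domain $1_t on top of the base
	# template.  Treat a domain built here as root-equivalent: it holds
	# every capability except sys_module, can manage and relabel every
	# file type except shadow, can switch the enforcing mode and set
	# booleans, transitions into the insmod domain to load modules, and
	# passes the rootok passwd check.  Confinement of this domain is
	# about auditing and accident prevention, not containment.

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_domain($1)

	# privhome: may write into the home directories of unprivileged users
	typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
	domain_obj_id_change_exempt($1_t)
	# the admin domain is also reachable from the system role
	role system_r types $1_t;

	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
	#; dnl end of sysadm_t type declaration

	# admin terminals are what the userdom_use_sysadm_terms interface
	# hands out, so keep this set tight
	typeattribute $1_devpts_t admin_terminal;

	typeattribute $1_tty_device_t admin_terminal;

	##############################
	#
	# $1_t local policy
	#

	# Every capability except module loading, which goes through insmod below.
	allow $1_t self:capability ~sys_module;
	allow $1_t self:process { setexec setfscreate };

	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };

	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	# for the administrator to run TCP servers directly
	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:file create_file_perms;
	# lnk_file gets the link permission set, as in the user template
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctl($1_t)
	# Full control over the SELinux state: enforcing mode, booleans and
	# kernel parameters.  A compromise of this domain is a compromise
	# of the policy.
	selinux_set_enforce_mode($1_t)
	selinux_set_boolean($1_t)
	selinux_set_parameters($1_t)
	# Get security policy decisions:
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)

	corenet_tcp_bind_generic_port($1_t)

	dev_getattr_generic_blk_file($1_t)
	dev_getattr_generic_chr_file($1_t)
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_set_all_quotas($1_t)

	# raw block access to removable media, e.g. for dd onto a floppy
	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)

	term_use_console($1_t)
	term_use_unallocated_tty($1_t)
	term_use_all_user_ptys($1_t)
	term_use_all_user_ttys($1_t)

	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	# signal all domains:
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)

	files_exec_usr_files($1_t)

	init_use_initctl($1_t)

	logging_send_syslog_msg($1_t)

	modutils_domtrans_insmod($1_t)

	seutil_read_config($1_t)
	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_pol($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_binary_pol($1_t)

	optional_policy(`cron.te',`
		cron_admin_template($1)
	')

# Legacy rules not yet converted to interfaces; the TODO symbol is
# never set, so none of this is built.
ifdef(`TODO',`

	# Let admin stat the shadow file.
	allow $1_t shadow_t:file getattr;

	# for lsof
	allow $1_t mtrr_device_t:file getattr;

	allow $1_t serial_device:chr_file setattr;

	# allow setting up tunnels
	allow $1_t tun_tap_device_t:chr_file rw_file_perms;

	allow $1_t ptyfile:chr_file getattr;

	# Run programs from staff home directories.
	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
	can_exec($1_t, staff_home_t)

	# Run admin programs that require different permissions in their own domain.
	# These rules were moved into the appropriate program domain file.

	ifdef(`startx.te', `
		ifdef(`xserver.te', `
			# Create files in /tmp/.X11-unix with our X servers derived
			# tmp type rather than user_xserver_tmp_t.
			file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
		')
	')

	ifdef(`xdm.te', `
		ifdef(`xauth.te', `
			tunable_policy(`xdm_sysadm_login',`
				allow xdm_t $1_home_t:lnk_file read;
				allow xdm_t $1_home_t:dir search;
			')
			allow $1_t xdm_t:fifo_file rw_file_perms;
		')
	')

	#
	# A user who is authorized for sysadm_t may nonetheless have
	# a home directory labeled with user_home_t if the user is expected
	# to login in either user_t or sysadm_t. Hence, the derived domains
	# for programs need to be able to access user_home_t.
	#

	# Allow our gph domain to write to .xsession-errors.
	ifdef(`gnome-pty-helper.te', `
		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
		allow $1_gph_t user_home_type:file create_file_perms;
	')

	# for the administrator to run TCP servers directly
	allow $1_t kernel_t:tcp_socket recvfrom;

	# Connect data port to ftpd.
	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

	# Connect second port to rshd.
	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

	# Allow MAKEDEV to work
	allow $1_t device_t:dir rw_dir_perms;
	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
	allow $1_t device_t:lnk_file { create read };

	# for lsof
	allow $1_t domain:socket_class_set getattr;
	allow $1_t eventpollfs_t:file getattr;
') dnl endif TODO
')
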
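########################################
## <interface name="userdom_spec_domtrans_all_users">
##	<description>
##		Execute a shell in all user domains. This
##		is an explicit transition, requiring the
##		caller to use setexeccon().  Intended for
##		login-style programs only: the caller may
##		pick any user domain, including the admin ones.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_spec_domtrans_all_users',`
	gen_require(`$0'_depend)

	corecmd_shell_spec_domtrans($1,userdomain)
')

# The interface refers to the userdomain attribute, not to sysadm_t,
# so that is what the require block has to declare.
define(`userdom_spec_domtrans_all_users_depend',`
	attribute userdomain;
')
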
########################################
## <interface name="userdom_shell_domtrans_sysadm">
##	<description>
##		Automatically transition into the sysadm domain
##		when executing a shell.  Any process in the caller
##		domain that runs a shell ends up administrative,
##		so grant this to login-type programs only.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_shell_domtrans_sysadm',`
	gen_require(`$0'_depend)
	corecmd_domtrans_shell($1, sysadm_t)
')

define(`userdom_shell_domtrans_sysadm_depend',`
	type sysadm_t;
')

########################################
## <interface name="userdom_use_sysadm_terms">
##	<description>
##		Read and write the physical and pseudo terminals
##		of administrative users (everything carrying the
##		admin_terminal attribute), plus the directory
##		listing needed to find them.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_use_sysadm_terms',`
	gen_require(`$0'_depend)

	allow $1 admin_terminal:chr_file { read write getattr ioctl };
	term_list_ptys($1)
	dev_list_all_dev_nodes($1)
')

define(`userdom_use_sysadm_terms_depend',`
	class chr_file { read write getattr ioctl };

	attribute admin_terminal;
')

########################################
## <interface name="userdom_dontaudit_use_sysadm_terms">
##	<description>
##		Silence denials for reading or writing the
##		terminals of administrative users.  Access is
##		still denied; only the audit record is dropped.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_dontaudit_use_sysadm_terms',`
	gen_require(`$0'_depend)
	dontaudit $1 admin_terminal:chr_file { write read };
')

define(`userdom_dontaudit_use_sysadm_terms_depend',`
	class chr_file { write read };

	attribute admin_terminal;
')

########################################
## <interface name="userdom_search_all_users_home">
##	<description>
##		Search the home directories of all users and
##		the directories beneath them.  This is search
##		only: no listing and no file reads.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_search_all_users_home',`
	gen_require(`$0'_depend)

	files_list_home($1)
	allow $1 home_dir_type:dir search;
	allow $1 home_type:dir search;
')

define(`userdom_search_all_users_home_depend',`
	class dir search;

	attribute home_dir_type;
	attribute home_type;
')

########################################
## <interface name="userdom_read_all_user_data">
##	<description>
##		Read all files and list all directories in the
##		home directories of all users.  The home_type
##		attribute covers both the home directories and
##		their contents for every user, including admins,
##		so this exposes every piece of user data.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_read_all_user_data',`
	gen_require(`$0'_depend)

	allow $1 home_type:file r_file_perms;
	allow $1 home_type:dir r_dir_perms;
	files_list_home($1)
')

define(`userdom_read_all_user_data_depend',`
	class file r_file_perms;
	class dir r_dir_perms;

	attribute home_type;
')

########################################
## <interface name="userdom_use_all_user_fd">
##	<description>
##		Use file descriptors inherited from any user
##		domain, administrative ones included.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_use_all_user_fd',`
	gen_require(`$0'_depend)
	allow $1 userdomain:fd { use };
')

define(`userdom_use_all_user_fd_depend',`
	class fd use;

	attribute userdomain;
')

########################################
## <interface name="userdom_signal_all_users">
##	<description>
##		Send the generic signal permission to every
##		user domain.  This is signal only; kill, sigstop
##		and the like are not included.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_signal_all_users',`
	gen_require(`$0'_depend)
	allow $1 userdomain:process { signal };
')

define(`userdom_signal_all_users_depend',`
	class process signal;

	attribute userdomain;
')

########################################
## <interface name="userdom_use_unpriv_users_fd">
##	<description>
##		Use file descriptors inherited from unprivileged
##		user domains.  Administrative user domains are
##		not covered; see userdom_use_all_user_fd for that.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_use_unpriv_users_fd',`
	gen_require(`$0'_depend)
	allow $1 unpriv_userdomain:fd { use };
')

define(`userdom_use_unpriv_users_fd_depend',`
	class fd use;

	attribute unpriv_userdomain;
')

########################################
## <interface name="userdom_dontaudit_use_unpriv_user_fd">
##	<description>
##		Silence denials for using file descriptors
##		inherited from unprivileged user domains.
##		Access stays denied; only the audit record
##		is suppressed.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`userdom_dontaudit_use_unpriv_user_fd',`
	gen_require(`$0'_depend)
	dontaudit $1 unpriv_userdomain:fd { use };
')

define(`userdom_dontaudit_use_unpriv_user_fd_depend',`
	class fd use;

	attribute unpriv_userdomain;
')

## </module>