1## <module name="userdomain" layer="system">
2## <summary>Policy for user domains</summary>
3
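########################################
#
# Base user domain template
#
# This is common to user and admin domain. It declares the process
# domain, the role, and the private file types of one user, and grants
# the rules every user domain needs regardless of privilege level.
#
# Parameters:
#   $1 - user domain prefix (for example user, staff or sysadm)
#
# Declares:
#   attribute $1_file_type   - file types private to this user
#   type $1_t                - the user process domain (in userdomain)
#   role $1_r                - the role that may run $1_t
#   type $1_devpts_t         - pseudo terminals owned by the user
#   type $1_home_t           - contents of the home directory
#   type $1_home_dir_t       - the home directory itself
#   type $1_tmp_t            - private files under /tmp
#   type $1_tmpfs_t          - private tmpfs files
#   type $1_tty_device_t     - physical terminals owned by the user
#
# user_domain_template and admin_domain_template build on this and add
# the rules that differ between unprivileged and administrative users.

define(`base_user_domain',`

	attribute $1_file_type;

	type $1_t, userdomain;
	domain_make_domain($1_t)
	corecommands_make_shell_entrypoint($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	# user pseudoterminal
	type $1_devpts_t;
	term_user_pty($1_t,$1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_make_file($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	# This previously repeated files_make_file($1_home_t) from the block
	# above, leaving the home directory type itself without the generic
	# file attribute; the directory type is the one that has to be marked.
	files_make_file($1_home_dir_t)

	type $1_tmp_t, $1_file_type;
	files_make_temporary_file($1_tmp_t)

	type $1_tmpfs_t;
	files_make_tmpfs_file($1_tmpfs_t)

	type $1_tty_device_t;
	term_tty($1_t,$1_tty_device_t)

	##############################
	#
	# Local policy
	#

	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	# NOTE(review): the next rule grants back ptrace and setfscreate that the
	# rule above excludes, so the net self:process set only withholds
	# setcurrent, setexec, setrlimit, execmem and dyntransition. Confirm that
	# self ptrace and setfscreate are wanted for every user domain, including
	# the unprivileged ones built by user_domain_template.
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	# Irrelevant until we have labeled networking.
	#allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory
	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };

	# full control of the home directory
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir create_dir_perms;
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	# files the user drops in /tmp may also be executed without a transition
	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };

	# Bind to a Unix domain socket in /tmp.
	# cjp: this combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	# user domains.
	per_userdomain_templates($1)

	kernel_read_kernel_sysctl($1_t)
	kernel_get_selinuxfs_mount_point($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)
	# GNOME checks for usb and other devices:
	kernel_rw_usb_hardware_config_option($1_t)

	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	# allow port_t name binding for UDP because it is not very usable otherwise
	corenet_udp_bind_generic_port($1_t)

	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)

	# for eject
	storage_getattr_fixed_disk($1_t)

	authlogin_read_login_records($1_t)
	authlogin_ignore_write_login_records($1_t)
	authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecommands_execute_general_programs($1_t)
	corecommands_execute_system_programs($1_t)
	corecommands_execute_ls($1_t)

	domain_execute_all_entrypoint_programs($1_t)
	domain_use_widely_inheritable_file_descriptors($1_t)

	files_execute_system_config_script($1_t)
	files_read_system_source_code($1_t)

	# Caused by su - init scripts
	init_script_ignore_use_pseudoterminal($1_t)

	libraries_use_dynamic_loader($1_t)
	libraries_use_shared_libraries($1_t)
	libraries_execute_dynamic_loader($1_t)
	libraries_execute_library_scripts($1_t)

	logging_ignore_get_all_logs_attributes($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_manage_man_page_cache($1_t)

	selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	mta_modify_mail_spool($1_t)

	if (allow_execmem) {
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	}

	if (use_nfs_home_dirs) {
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)
	}

	if (use_samba_home_dirs) {
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)
	}

	if (user_direct_mouse) {
		dev_read_mouse($1_t)
	}

	if (user_ttyfile_stat) {
		term_getattr_all_user_ttys($1_t)
	}

	optional_policy(`usermanage.te',`
		usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
	')

	# Everything below is legacy policy kept for reference; it is not
	# compiled unless TODO is defined.
	ifdef(`TODO',`

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	dontaudit $1_t domain:dir r_dir_perms;
	dontaudit $1_t domain:notdevfile_class_set r_file_perms;
	dontaudit $1_t domain:process { getattr getsession };
	#
	# Cups daemon running as user tries to write /etc/printcap
	#
	dontaudit $1_t usr_t:file setattr;

	# Access the power device.
	allow $1_t power_device_t:chr_file rw_file_perms;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	#
	# Added to allow reading of cdrom
	#
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	if (read_default_t) {
		allow $1_t default_t:dir r_dir_perms;
		allow $1_t default_t:notdevfile_class_set r_file_perms;
	}

	#
	# Running ifconfig as a user generates the following
	#
	dontaudit $1_t sysctl_net_t:dir search;

	dontaudit $1_t default_context_t:dir search;

	r_dir_file($1_t, usercanread)

	can_ypbind($1_t)

	if (allow_execmod) {
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1_t texrel_shlib_t:file execmod;
	}

	allow $1_t fs_type:dir getattr;

	# old "file_browse_domain":
	# Regular files/directories that are not security sensitive
	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
	dontaudit $1_t file_type - secure_file_type:dir { read search };
	# /dev
	dontaudit $1_t dev_fs:dir_file_class_set getattr;
	dontaudit $1_t dev_fs:dir { read search };
	# /proc
	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
	dontaudit $1_t proc_fs:dir { read search };

	allow $1_t autofs_t:dir { getattr search };

	can_exec($1_t, { removable_t noexattrfile } )
	if (user_rw_noexattrfile) {
		create_dir_file($1_t, noexattrfile)
		create_dir_file($1_t, removable_t)
		# Write floppies
		allow $1_t removable_device_t:blk_file rw_file_perms;
		allow $1_t usbtty_device_t:chr_file write;
	} else {
		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;
	}
	allow $1_t usbtty_device_t:chr_file read;

	can_exec($1_t, noexattrfile)

	# for running TeX programs
	r_dir_file($1_t, tetex_data_t)
	can_exec($1_t, tetex_data_t)

	# Run programs developed by other users in the same domain.

	can_resmgrd_connect($1_t)

	can_ypbind($1_t)

	allow $1_t var_lock_t:dir search;

	# Grant permissions to access the system DBus
	ifdef(`dbusd.te', `
		dbusd_client(system, $1)
		can_network_server_tcp($1_dbusd_t)
		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;

		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_client($1, $1)
		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_domain($1)
		ifdef(`hald.te', `
			allow $1_t hald_t:dbus send_msg;
			allow hald_t $1_t:dbus send_msg;
		')
	')

	# Gnome pannel binds to the following
	ifdef(`cups.te', `
		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
	')

	# Connect to inetd.
	ifdef(`inetd.te', `
		can_tcp_connect($1_t, inetd_t)
		can_udp_send($1_t, inetd_t)
		can_udp_send(inetd_t, $1_t)
	')

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	# Inherit and use sockets from inetd
	ifdef(`inetd.te', `
		allow $1_t inetd_t:fd use;
		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
	')

	ifdef(`xserver.te', `
		# for /tmp/.ICE-unix
		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
	')

	ifdef(`xdm.te', `
		# Connect to the X server run by the X Display Manager.
		can_unix_connect($1_t, xdm_t)
		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
		allow $1_t xdm_tmp_t:dir r_dir_perms;
		allow $1_t xdm_tmp_t:file r_file_perms;
		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
		allow $1_t xdm_xserver_tmp_t:dir search;
		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
		# certain apps want to read xdm.pid file
		r_dir_file($1_t, xdm_var_run_t)
		allow $1_t xdm_var_lib_t:file r_file_perms;
		allow xdm_t $1_home_dir_t:dir getattr;
		ifdef(`xauth.te', `
			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
		')

		# for shared memory
		allow xdm_xserver_t $1_tmpfs_t:file { read write };

	')

	ifdef(`rpcd.te', `
		create_dir_file($1_t, nfsd_rw_t)
	')

	ifdef(`cardmgr.te', `
		# to allow monitoring of pcmcia status
		allow $1_t cardmgr_var_run_t:file r_file_perms;
	')

	#
	# Allow graphical boot to check battery lifespan
	#
	ifdef(`apmd.te', `
		allow $1_t apmd_t:unix_stream_socket connectto;
		allow $1_t apmd_var_run_t:sock_file write;
	')

	ifdef(`automount.te', `
		allow $1_t autofs_t:dir { getattr search };
	')

	ifdef(`pamconsole.te', `
		allow $1_t pam_var_console_t:dir search;
	')

	') dnl endif TODO

')dnl end base_user_domain macro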
398
########################################
#
# User domain template
#
# Builds an unprivileged user domain on top of base_user_domain. The
# resulting $1_t is added to the unpriv_userdomain attribute, gets its
# own pty and /tmp rules, read access to general system state and
# configuration, and a few tunable extras (user_dmesg, user_tcp_server).
# Privileged home directory writers (privhome) may create files under
# the home directory declared for this user.
#
# Parameters:
#   $1 - user domain prefix; $1_t, $1_r and the $1_* types are declared
#        by base_user_domain.

define(`user_domain_template', `
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_domain($1)

	typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
	domain_make_file_descriptors_widely_inheritable($1_t)

	#typeattribute $1_devpts_t userpty_type, user_tty_type;
	#typeattribute $1_home_dir_t user_home_dir_type;
	#typeattribute $1_home_t user_home_type;

	#typeattribute $1_tmp_t, user_tmpfile;

	#typeattribute $1_tty_device_t user_tty_type;

	##############################
	#
	# Local policy
	#

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# privileged home directory writers
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_hardware_state($1_t)

	# cjp: why?
	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_general_system_config($1_t)
	files_list_home_directories($1_t)
	files_read_general_application_resources($1_t)

	init_script_read_runtime_data($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_script_ignore_write_runtime_data($1_t)
	# Stop warnings about access to /dev/console
	init_ignore_use_file_descriptors($1_t)
	init_script_ignore_use_file_descriptors($1_t)

	miscfiles_read_man_pages($1_t)

	selinux_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	selinux_checkpolicy_execute($1_t)

	if (user_dmesg) {
		kernel_read_ring_buffer($1_t)
	} else {
		kernel_dontaudit_read_ring_buffer($1_t)
	}

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	if (user_tcp_server) {
		corenet_tcp_bind_generic_port($1_t)
	}

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_kernel_module_loading_config($1_t)
	')

	optional_policy(`selinux.te',`
		# for when the network connection is killed
		selinux_newrole_ignore_signal($1_t)
	')

	# Need the following rule to allow users to run vpnc
	# NOTE(review): every other network call in this file uses the corenet_
	# prefix; confirm the corenetwork_ spelling below resolves to a defined
	# interface rather than expanding to nothing.
	optional_policy(`xserver.te', `
		corenetwork_bind_tcp_on_xserver_port($1_t)
	')

	# Everything below is legacy policy kept for reference; it is not
	# compiled unless TODO is defined.
	ifdef(`TODO',`

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	can_kerberos($1_t)

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	ifdef(`xdm.te', `
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;
		#
		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
		#
		dontaudit xdm_t $1_home_t:file rw_file_perms;
	')

	ifdef(`ftpd.te', `
		if (ftp_home_dir) {
			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
		}
	')

	# NOTE(review): the two rules below name the bare prefix as the source
	# where every other rule in this template names the _t domain. Dead while
	# guarded by TODO, but fix before reviving this block.
	if (read_default_t) {
		allow $1 default_t:dir r_dir_perms;
		allow $1 default_t:notdevfile_class_set r_file_perms;
	}

	can_exec($1_t, usr_t)

	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	allow $1_t readable_t:dir r_dir_perms;
	allow $1_t readable_t:notdevfile_class_set r_file_perms;

	# Stat lost+found.
	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	allow $1_t var_t:dir r_dir_perms;
	allow $1_t var_t:notdevfile_class_set r_file_perms;
	allow $1_t var_spool_t:dir r_dir_perms;
	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
	allow $1_t var_run_t:dir r_dir_perms;
	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	if (user_rw_usb) {
		rw_dir_create_file($1_t,usbdevfs_t)
	} else {
		r_dir_file($1_t,usbdevfs_t)
	}

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
		# Some programs that are left in $1_t will try to connect
		# to syslogd, but we do not want to let them generate log messages.
		# Do not audit.
		dontaudit $1_t devlog_t:sock_file { read write };
		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
	')

	allow $1_t initrc_t:fifo_file write;

	ifdef(`user_can_mount', `
		#
		# Allow users to mount file systems like floppies and cdrom
		#
		mount_domain($1, $1_mount, `, fs_domain')
		r_dir_file($1_t, mnt_t)
		allow $1_mount_t device_t:lnk_file read;
		allow $1_mount_t removable_device_t:blk_file read;
		allow $1_mount_t iso9660_t:filesystem relabelfrom;
		allow $1_mount_t removable_t:filesystem { mount relabelto };
		allow $1_mount_t removable_t:dir mounton;
		ifdef(`xdm.te', `
			allow $1_mount_t xdm_t:fd use;
			allow $1_mount_t xdm_t:fifo_file { read write };
		')
	')

	') dnl end TODO
')
600
########################################
#
# Admin domain template
#
# Builds an administrative user domain on top of base_user_domain.
# Unlike user_domain_template, the resulting $1_t is added to privhome,
# is authorized for system_r, holds every capability except sys_module,
# may set its own exec and fscreate contexts, manages and relabels all
# files except shadow, signals all domains, and can change enforcement
# mode, booleans and the installed policy. Any prefix passed here is
# root equivalent.
#
# Parameters:
#   $1 - admin domain prefix (for example sysadm); $1_t, $1_r and the
#        $1_* types are declared by base_user_domain.

define(`admin_domain_template',`
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_domain($1)

	typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
	kernel_make_object_identity_change_constraint_exception($1_t)
	role system_r types $1_t;

	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
	#; dnl end of sysadm_t type declaration

	# both terminal types become admin terminals, see userdomain_use_admin_terminals
	typeattribute $1_devpts_t admin_terminal;

	typeattribute $1_tty_device_t admin_terminal;

	##############################
	#
	# $1_t local policy
	#

	# every capability except sys_module; module loading is expected to go
	# through the insmod transition granted further down instead
	allow $1_t self:capability ~sys_module;
	allow $1_t self:process { setexec setfscreate };

	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };

	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	# for the administrator to run TCP servers directly
	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:file create_file_perms;
	# NOTE(review): user_domain_template grants create_lnk_perms on lnk_file
	# here; confirm create_file_perms is intended for the admin variant.
	allow $1_t $1_tmp_t:lnk_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctl($1_t)
	# policy administration: enforcement toggle, booleans and security parameters
	kernel_set_enforcement_mode($1_t)
	kernel_set_boolean($1_t)
	kernel_set_security_parameters($1_t)
	# Get security policy decisions:
	kernel_get_selinuxfs_mount_point($1_t)
	kernel_validate_context($1_t)
	kernel_compute_access_vector($1_t)
	kernel_compute_create_context($1_t)
	kernel_compute_relabel_context($1_t)
	kernel_compute_reachable_user_contexts($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)

	corenet_tcp_bind_generic_port($1_t)

	dev_getattr_generic_blk_file($1_t)
	dev_getattr_generic_chr_file($1_t)
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_set_all_quotas($1_t)

	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)

	term_use_console($1_t)
	term_use_unallocated_tty($1_t)
	term_use_all_user_ptys($1_t)
	term_use_all_user_ttys($1_t)

	# Manage almost all files
	authlogin_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	authlogin_relabel_all_files_except_shadow($1_t)

	domain_set_all_domains_priorities($1_t)
	domain_read_all_domains_process_state($1_t)
	# signal all domains:
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	# NOTE(review): duplicate of the line above; harmless but should be dropped
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)

	files_execute_system_source_code_scripts($1_t)

	init_use_control_channel($1_t)

	logging_send_system_log_message($1_t)

	modutils_insmod_transition($1_t)

	selinux_read_config($1_t)
	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	selinux_manage_source_policy($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	selinux_manage_binary_policy($1_t)

	optional_policy(`cron.te',`
		cron_admin_template($1)
	')

	# Everything below is legacy policy kept for reference; it is not
	# compiled unless TODO is defined.
	ifdef(`TODO',`

	# Let admin stat the shadow file.
	allow $1_t shadow_t:file getattr;

	# for lsof
	allow $1_t mtrr_device_t:file getattr;

	allow $1_t serial_device:chr_file setattr;

	# allow setting up tunnels
	allow $1_t tun_tap_device_t:chr_file rw_file_perms;

	allow $1_t ptyfile:chr_file getattr;

	# Run programs from staff home directories.
	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
	can_exec($1_t, staff_home_t)

	# Run admin programs that require different permissions in their own domain.
	# These rules were moved into the appropriate program domain file.

	ifdef(`startx.te', `
		ifdef(`xserver.te', `
			# Create files in /tmp/.X11-unix with our X servers derived
			# tmp type rather than user_xserver_tmp_t.
			file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
		')
	')

	ifdef(`xdm.te', `
		ifdef(`xauth.te', `
			if (xdm_sysadm_login) {
				allow xdm_t $1_home_t:lnk_file read;
				allow xdm_t $1_home_t:dir search;
			}
			allow $1_t xdm_t:fifo_file rw_file_perms;
		')
	')

	#
	# A user who is authorized for sysadm_t may nonetheless have
	# a home directory labeled with user_home_t if the user is expected
	# to login in either user_t or sysadm_t. Hence, the derived domains
	# for programs need to be able to access user_home_t.
	#

	# Allow our gph domain to write to .xsession-errors.
	ifdef(`gnome-pty-helper.te', `
		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
		allow $1_gph_t user_home_type:file create_file_perms;
	')

	# for the administrator to run TCP servers directly
	allow $1_t kernel_t:tcp_socket recvfrom;

	# Connect data port to ftpd.
	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

	# Connect second port to rshd.
	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

	# Allow MAKEDEV to work
	allow $1_t device_t:dir rw_dir_perms;
	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
	allow $1_t device_t:lnk_file { create read };

	# for lsof
	allow $1_t domain:socket_class_set getattr;
	allow $1_t eventpollfs_t:file getattr;
	') dnl endif TODO
')
490639cd 808
########################################
## <interface name="userdomain_all_users_explicit_transition">
## <description>
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon(). The target is
## the userdomain attribute, i.e. every domain
## declared through base_user_domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_all_users_explicit_transition',`
	requires_block_template(`$0'_depend)
	# no automatic type_transition: the caller picks the destination domain
	corecommands_shell_explicit_transition($1,userdomain)
')
825
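# Requirements for userdomain_all_users_explicit_transition. The
# interface transitions to the userdomain attribute, so that is what the
# caller must have in scope; the earlier sysadm_t requirement was a
# copy of the sysadm shell transition dependencies and did not match
# the rule it is meant to support.
define(`userdomain_all_users_explicit_transition_depend',`
	attribute userdomain;
')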
829
########################################
## <interface name="userdomain_sysadm_shell_transition">
## <description>
## Execute a shell in the sysadm domain.
## Unlike the explicit variant above, this
## adds an automatic domain transition.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_sysadm_shell_transition',`
	requires_block_template(`$0'_depend)

	corecommands_shell_transition($1,sysadm_t)
')
845
# Requirements for userdomain_sysadm_shell_transition: the destination
# domain of the transition.
define(`userdomain_sysadm_shell_transition_depend',`
	type sysadm_t;
')
849
########################################
## <interface name="userdomain_use_admin_terminals">
## <description>
## Read and write administrative users
## physical and pseudo terminals, i.e. every
## terminal type carrying the admin_terminal
## attribute set by admin_domain_template.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_use_admin_terminals',`
	requires_block_template(`$0'_depend)

	# the device nodes must be reachable before they can be opened
	dev_list_all_dev_nodes($1)
	term_list_ptys($1)
	allow $1 admin_terminal:chr_file { getattr read write ioctl };
')
868
# Requirements for userdomain_use_admin_terminals.
define(`userdomain_use_admin_terminals_depend',`
	attribute admin_terminal;

	class chr_file { getattr read write ioctl };
')
874
########################################
## <interface name="userdomain_dontaudit_use_admin_terminals">
## <description>
## Do not audit attempts to use admin ttys and ptys.
## Only read and write are silenced; getattr and
## ioctl denials are still logged.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_dontaudit_use_admin_terminals',`
	requires_block_template(`$0'_depend)

	dontaudit $1 admin_terminal:chr_file { read write };
')
890
# Requirements for userdomain_dontaudit_use_admin_terminals.
define(`userdomain_dontaudit_use_admin_terminals_depend',`
	attribute admin_terminal;

	class chr_file { read write };
')
896
########################################
## <interface name="userdomain_search_all_users_home_dirs">
## <description>
## Search all users home directories. Grants
## dir search on both the home directory types
## and the home content types, plus listing of
## the parent directory of all homes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_search_all_users_home_dirs',`
	requires_block_template(`$0'_depend)

	files_list_home_directories($1)
	allow $1 { home_dir_type home_type }:dir search;
')
913
# Requirements for userdomain_search_all_users_home_dirs.
define(`userdomain_search_all_users_home_dirs_depend',`
	attribute home_dir_type, home_type;

	class dir search;
')
919
########################################
## <interface name="userdomain_read_all_users_data">
## <description>
## Read all files in all users home directories.
## Covers directories and regular files of the
## home content types; symbolic links are not
## included.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_read_all_users_data',`
	requires_block_template(`$0'_depend)

	files_list_home_directories($1)
	allow $1 home_type:dir r_dir_perms;
	allow $1 home_type:file r_file_perms;
')
937
# Requirements for userdomain_read_all_users_data.
define(`userdomain_read_all_users_data_depend',`
	attribute home_type;

	class dir r_dir_perms;
	class file r_file_perms;
')
944
########################################
## <interface name="userdomain_use_all_users_file_descriptors">
## <description>
## Inherit the file descriptors from all user domains,
## administrative ones included. For the unprivileged
## subset only, see
## userdomain_use_all_unprivileged_users_file_descriptors.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_use_all_users_file_descriptors',`
	requires_block_template(`$0'_depend)

	allow $1 userdomain:fd use;
')
960
# Requirements for userdomain_use_all_users_file_descriptors.
define(`userdomain_use_all_users_file_descriptors_depend',`
	attribute userdomain;

	class fd use;
')
966
########################################
## <interface name="userdomain_signal_all_userdomains">
## <description>
## Send general signals to all user domains.
## Only the signal permission is granted, not
## kill, sigstop, signull or sigchld.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_signal_all_userdomains',`
	requires_block_template(`$0'_depend)

	allow $1 userdomain:process signal;
')
982
# Requirements for userdomain_signal_all_userdomains.
define(`userdomain_signal_all_userdomains_depend',`
	attribute userdomain;

	class process signal;
')
988
########################################
## <interface name="userdomain_use_all_unprivileged_users_file_descriptors">
## <description>
## Inherit the file descriptors from all unprivileged
## user domains (the unpriv_userdomain attribute, set
## by user_domain_template). Administrative domains
## are not covered.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_use_all_unprivileged_users_file_descriptors',`
	requires_block_template(`$0'_depend)

	allow $1 unpriv_userdomain:fd use;
')
1004
# Requirements for userdomain_use_all_unprivileged_users_file_descriptors.
define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
	attribute unpriv_userdomain;

	class fd use;
')
1010
########################################
## <interface name="userdomain_ignore_use_all_unprivileged_users_file_descriptors">
## <description>
## Do not audit attempts to inherit the
## file descriptors from all unprivileged
## user domains (the unpriv_userdomain
## attribute set by user_domain_template).
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
	requires_block_template(`$0'_depend)

	dontaudit $1 unpriv_userdomain:fd use;
')
1027
# Requirements for userdomain_ignore_use_all_unprivileged_users_file_descriptors.
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
	attribute unpriv_userdomain;

	class fd use;
')
1033
490639cd 1034## </module>