]>
Commit | Line | Data |
---|---|---|
490639cd CP |
1 | ## <module name="userdomain" layer="system"> |
2 | ## <summary>Policy for user domains</summary> | |
b16c6b8c CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Base user domain template | |
7 | # | |
8 | # This is common to user and admin domain | |
9 | ||
10 | define(`base_user_domain',` | |
11 | ||
0c73cd25 CP |
12 | attribute $1_file_type; |
13 | ||
14 | type $1_t, userdomain; | |
15 | domain_make_domain($1_t) | |
16 | corecommands_make_shell_entrypoint($1_t) | |
17 | role $1_r types $1_t; | |
18 | allow system_r $1_r; | |
19 | ||
20 | # user pseudoterminal | |
21 | type $1_devpts_t; | |
0fd9dc55 | 22 | term_user_pty($1_t,$1_devpts_t) |
0c73cd25 CP |
23 | |
24 | # type for contents of home directory | |
25 | type $1_home_t, $1_file_type, home_type; | |
26 | files_make_file($1_home_t) | |
27 | ||
28 | # type of home directory | |
29 | type $1_home_dir_t, home_dir_type, home_type; | |
30 | files_make_file($1_home_t) | |
31 | ||
32 | type $1_tmp_t, $1_file_type; | |
33 | files_make_temporary_file($1_tmp_t) | |
34 | ||
35 | type $1_tmpfs_t; | |
36 | files_make_tmpfs_file($1_tmpfs_t) | |
37 | ||
38 | type $1_tty_device_t; | |
0fd9dc55 | 39 | term_tty($1_t,$1_tty_device_t) |
0c73cd25 CP |
40 | |
41 | ############################## | |
42 | # | |
43 | # Local policy | |
44 | # | |
45 | ||
46 | allow $1_t self:capability { setgid chown fowner }; | |
47 | dontaudit $1_t self:capability { sys_nice fsetid }; | |
48 | allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; | |
49 | allow $1_t self:process { ptrace setfscreate }; | |
50 | allow $1_t self:fd use; | |
cc41a97c CP |
51 | allow $1_t self:fifo_file rw_file_perms; |
52 | allow $1_t self:unix_dgram_socket create_socket_perms; | |
0fd9dc55 | 53 | allow $1_t self:unix_stream_socket create_stream_socket_perms; |
0c73cd25 CP |
54 | allow $1_t self:unix_dgram_socket sendto; |
55 | allow $1_t self:unix_stream_socket connectto; | |
cc41a97c CP |
56 | allow $1_t self:shm create_shm_perms; |
57 | allow $1_t self:sem create_sem_perms; | |
58 | allow $1_t self:msgq create_msgq_perms; | |
0c73cd25 CP |
59 | allow $1_t self:msg { send receive }; |
60 | dontaudit $1_t self:socket create; | |
61 | # Irrelevant until we have labeled networking. | |
62 | #allow $1_t self:udp_socket { sendto recvfrom }; | |
63 | ||
64 | # evolution and gnome-session try to create a netlink socket | |
65 | dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; | |
66 | dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; | |
67 | ||
68 | # execute files in the home directory | |
cc41a97c | 69 | allow $1_t $1_home_t:file { rx_file_perms execute_no_trans }; |
0c73cd25 CP |
70 | |
71 | # full control of the home directory | |
cc41a97c CP |
72 | allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto }; |
73 | allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto }; | |
74 | allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto }; | |
75 | allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto }; | |
76 | allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto }; | |
77 | allow $1_t $1_home_dir_t:dir create_dir_perms; | |
78 | type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t; | |
0c73cd25 | 79 | |
cc41a97c | 80 | allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans }; |
0c73cd25 CP |
81 | |
82 | # Bind to a Unix domain socket in /tmp. | |
83 | # cjp: this is combination is not checked and should be removed | |
84 | allow $1_t $1_tmp_t:unix_stream_socket name_bind; | |
85 | ||
cc41a97c CP |
86 | allow $1_t $1_tmpfs_t:dir rw_dir_perms; |
87 | allow $1_t $1_tmpfs_t:file create_file_perms; | |
88 | allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms; | |
89 | allow $1_t $1_tmpfs_t:sock_file create_file_perms; | |
90 | allow $1_t $1_tmpfs_t:fifo_file create_file_perms; | |
0fd9dc55 | 91 | fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } ) |
0c73cd25 | 92 | |
cc41a97c | 93 | allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; |
0c73cd25 CP |
94 | |
95 | allow $1_t unpriv_userdomain:fd use; | |
96 | ||
97 | # Instantiate derived domains for a number of programs. | |
98 | # These derived domains encode both information about the calling | |
99 | # user domain and the program, and allow us to maintain separation | |
100 | # between different instances of the program being run by different | |
101 | # user domains. | |
102 | per_userdomain_templates($1) | |
103 | ||
104 | kernel_read_kernel_sysctl($1_t) | |
105 | kernel_get_selinuxfs_mount_point($1_t) | |
106 | # Very permissive allowing every domain to see every type: | |
107 | kernel_get_sysvipc_info($1_t) | |
108 | # Find CDROM devices: | |
109 | kernel_read_device_sysctl($1_t) | |
110 | # GNOME checks for usb and other devices: | |
0fd9dc55 CP |
111 | kernel_rw_usb_hardware_config_option($1_t) |
112 | ||
113 | corenet_tcp_sendrecv_all_if($1_t) | |
114 | corenet_raw_sendrecv_all_if($1_t) | |
115 | corenet_udp_sendrecv_all_if($1_t) | |
116 | corenet_tcp_sendrecv_all_nodes($1_t) | |
117 | corenet_raw_sendrecv_all_nodes($1_t) | |
118 | corenet_udp_sendrecv_all_nodes($1_t) | |
119 | corenet_tcp_sendrecv_all_ports($1_t) | |
120 | corenet_udp_sendrecv_all_ports($1_t) | |
121 | corenet_tcp_bind_all_nodes($1_t) | |
122 | corenet_udp_bind_all_nodes($1_t) | |
0c73cd25 | 123 | # allow port_t name binding for UDP because it is not very usable otherwise |
0fd9dc55 | 124 | corenet_udp_bind_generic_port($1_t) |
0c73cd25 | 125 | |
f0c985ca KM |
126 | dev_read_input($1_t) |
127 | dev_read_misc($1_t) | |
128 | dev_write_misc($1_t) | |
129 | dev_write_snd_dev($1_t) | |
130 | dev_read_snd_dev($1_t) | |
131 | dev_read_snd_mixer_dev($1_t) | |
132 | dev_write_snd_mixer_dev($1_t) | |
133 | dev_read_rand($1_t) | |
134 | dev_read_urand($1_t) | |
0c73cd25 | 135 | # open office is looking for the following |
f0c985ca KM |
136 | dev_getattr_agp_dev($1_t) |
137 | dev_dontaudit_rw_dri_dev($1_t) | |
0c73cd25 | 138 | |
763c441e | 139 | fs_get_all_fs_quotas($1_t) |
0fd9dc55 | 140 | fs_getattr_all_fs($1_t) |
0c73cd25 CP |
141 | |
142 | # for eject | |
0fd9dc55 | 143 | storage_getattr_fixed_disk($1_t) |
0c73cd25 CP |
144 | |
145 | authlogin_read_login_records($1_t) | |
146 | authlogin_ignore_write_login_records($1_t) | |
147 | authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) | |
148 | authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) | |
149 | ||
150 | corecommands_execute_general_programs($1_t) | |
151 | corecommands_execute_system_programs($1_t) | |
152 | corecommands_execute_ls($1_t) | |
153 | ||
154 | domain_execute_all_entrypoint_programs($1_t) | |
155 | domain_use_widely_inheritable_file_descriptors($1_t) | |
156 | ||
157 | files_execute_system_config_script($1_t) | |
158 | files_read_system_source_code($1_t) | |
159 | ||
160 | # Caused by su - init scripts | |
161 | init_script_ignore_use_pseudoterminal($1_t) | |
162 | ||
163 | libraries_use_dynamic_loader($1_t) | |
164 | libraries_use_shared_libraries($1_t) | |
165 | libraries_execute_dynamic_loader($1_t) | |
166 | libraries_execute_library_scripts($1_t) | |
167 | ||
168 | logging_ignore_get_all_logs_attributes($1_t) | |
169 | ||
170 | miscfiles_read_localization($1_t) | |
171 | miscfiles_manage_man_page_cache($1_t) | |
172 | ||
173 | selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) | |
174 | ||
175 | mta_modify_mail_spool($1_t) | |
176 | ||
177 | if (allow_execmem) { | |
178 | # Allow loading DSOs that require executable stack. | |
179 | allow $1_t self:process execmem; | |
180 | } | |
181 | ||
182 | if (use_nfs_home_dirs) { | |
0fd9dc55 | 183 | fs_manage_nfs_dirs($1_t) |
763c441e | 184 | fs_manage_nfs_files($1_t) |
0fd9dc55 | 185 | fs_manage_nfs_symlinks($1_t) |
763c441e CP |
186 | fs_manage_nfs_named_sockets($1_t) |
187 | fs_manage_nfs_named_pipes($1_t) | |
188 | fs_execute_nfs_files($1_t) | |
0c73cd25 CP |
189 | } |
190 | ||
191 | if (use_samba_home_dirs) { | |
0fd9dc55 CP |
192 | fs_manage_cifs_dirs($1_t) |
193 | fs_manage_cifs_files($1_t) | |
194 | fs_manage_cifs_symlinks($1_t) | |
195 | fs_manage_cifs_named_sockets($1_t) | |
196 | fs_manage_cifs_named_pipes($1_t) | |
197 | fs_execute_cifs_files($1_t) | |
0c73cd25 CP |
198 | } |
199 | ||
200 | if (user_direct_mouse) { | |
f0c985ca | 201 | dev_read_mouse($1_t) |
0c73cd25 CP |
202 | } |
203 | ||
204 | if (user_ttyfile_stat) { | |
0fd9dc55 | 205 | term_getattr_all_user_ttys($1_t) |
0c73cd25 CP |
206 | } |
207 | ||
208 | optional_policy(`usermanage.te',` | |
209 | usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) | |
210 | usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) | |
211 | ') | |
212 | ||
213 | ifdef(`TODO',` | |
214 | ||
215 | # When the user domain runs ps, there will be a number of access | |
216 | # denials when ps tries to search /proc. Do not audit these denials. | |
217 | dontaudit $1_t domain:dir r_dir_perms; | |
218 | dontaudit $1_t domain:notdevfile_class_set r_file_perms; | |
219 | dontaudit $1_t domain:process { getattr getsession }; | |
220 | # | |
221 | # Cups daemon running as user tries to write /etc/printcap | |
222 | # | |
223 | dontaudit $1_t usr_t:file setattr; | |
224 | ||
225 | # Access the power device. | |
cc41a97c | 226 | allow $1_t power_device_t:chr_file rw_file_perms; |
0c73cd25 CP |
227 | |
228 | # Check to see if cdrom is mounted | |
229 | allow $1_t mnt_t:dir { getattr search }; | |
230 | ||
231 | # | |
232 | # Added to allow reading of cdrom | |
233 | # | |
234 | allow $1_t rpc_pipefs_t:dir getattr; | |
235 | allow $1_t nfsd_fs_t:dir getattr; | |
236 | allow $1_t binfmt_misc_fs_t:dir getattr; | |
237 | ||
238 | # /initrd is left mounted, various programs try to look at it | |
239 | dontaudit $1_t ramfs_t:dir getattr; | |
240 | ||
241 | if (read_default_t) { | |
242 | allow $1_t default_t:dir r_dir_perms; | |
243 | allow $1_t default_t:notdevfile_class_set r_file_perms; | |
244 | } | |
245 | ||
246 | # | |
247 | # Running ifconfig as a user generates the following | |
248 | # | |
249 | dontaudit $1_t sysctl_net_t:dir search; | |
250 | ||
251 | dontaudit $1_t default_context_t:dir search; | |
252 | ||
253 | r_dir_file($1_t, usercanread) | |
254 | ||
255 | can_ypbind($1_t) | |
256 | ||
257 | if (allow_execmod) { | |
258 | # Allow text relocations on system shared libraries, e.g. libGL. | |
259 | allow $1_t texrel_shlib_t:file execmod; | |
260 | } | |
261 | ||
262 | allow $1_t fs_type:dir getattr; | |
263 | ||
264 | # old "file_browse_domain": | |
265 | # Regular files/directories that are not security sensitive | |
266 | dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr; | |
267 | dontaudit $1_t file_type - secure_file_type:dir { read search }; | |
268 | # /dev | |
269 | dontaudit $1_t dev_fs:dir_file_class_set getattr; | |
270 | dontaudit $1_t dev_fs:dir { read search }; | |
271 | # /proc | |
272 | dontaudit $1_t sysctl_t:dir_file_class_set getattr; | |
273 | dontaudit $1_t proc_fs:dir { read search }; | |
274 | ||
cc41a97c | 275 | allow $1_t autofs_t:dir { getattr search }; |
0c73cd25 CP |
276 | |
277 | can_exec($1_t, { removable_t noexattrfile } ) | |
278 | if (user_rw_noexattrfile) { | |
279 | create_dir_file($1_t, noexattrfile) | |
280 | create_dir_file($1_t, removable_t) | |
281 | # Write floppies | |
282 | allow $1_t removable_device_t:blk_file rw_file_perms; | |
283 | allow $1_t usbtty_device_t:chr_file write; | |
284 | } else { | |
285 | r_dir_file($1_t, noexattrfile) | |
286 | r_dir_file($1_t, removable_t) | |
287 | allow $1_t removable_device_t:blk_file r_file_perms; | |
288 | } | |
289 | allow $1_t usbtty_device_t:chr_file read; | |
290 | ||
291 | can_exec($1_t, noexattrfile) | |
292 | ||
293 | # for running TeX programs | |
294 | r_dir_file($1_t, tetex_data_t) | |
295 | can_exec($1_t, tetex_data_t) | |
296 | ||
297 | # Run programs developed by other users in the same domain. | |
298 | ||
299 | can_resmgrd_connect($1_t) | |
300 | ||
301 | can_ypbind($1_t) | |
302 | ||
303 | allow $1_t var_lock_t:dir search; | |
304 | ||
305 | # Grant permissions to access the system DBus | |
306 | ifdef(`dbusd.te', ` | |
307 | dbusd_client(system, $1) | |
308 | can_network_server_tcp($1_dbusd_t) | |
309 | allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; | |
310 | ||
311 | allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; | |
312 | dbusd_client($1, $1) | |
313 | allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc }; | |
314 | dbusd_domain($1) | |
315 | ifdef(`hald.te', ` | |
316 | allow $1_t hald_t:dbus send_msg; | |
317 | allow hald_t $1_t:dbus send_msg; | |
318 | ') | |
319 | ') | |
320 | ||
321 | # Gnome pannel binds to the following | |
322 | ifdef(`cups.te', ` | |
cc41a97c | 323 | allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms; |
0c73cd25 CP |
324 | ') |
325 | ||
326 | # Connect to inetd. | |
327 | ifdef(`inetd.te', ` | |
328 | can_tcp_connect($1_t, inetd_t) | |
329 | can_udp_send($1_t, inetd_t) | |
330 | can_udp_send(inetd_t, $1_t) | |
331 | ') | |
332 | ||
333 | # Connect to portmap. | |
334 | ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') | |
335 | ||
336 | # Inherit and use sockets from inetd | |
337 | ifdef(`inetd.te', ` | |
338 | allow $1_t inetd_t:fd use; | |
339 | allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; | |
340 | ') | |
341 | ||
342 | ifdef(`xserver.te', ` | |
343 | # for /tmp/.ICE-unix | |
344 | file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) | |
345 | allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; | |
346 | ') | |
347 | ||
348 | ifdef(`xdm.te', ` | |
349 | # Connect to the X server run by the X Display Manager. | |
350 | can_unix_connect($1_t, xdm_t) | |
351 | allow $1_t xdm_tmp_t:sock_file rw_file_perms; | |
352 | allow $1_t xdm_tmp_t:dir r_dir_perms; | |
cc41a97c | 353 | allow $1_t xdm_tmp_t:file r_file_perms; |
0c73cd25 CP |
354 | allow $1_t xdm_xserver_tmp_t:sock_file { read write }; |
355 | allow $1_t xdm_xserver_tmp_t:dir search; | |
356 | allow $1_t xdm_xserver_t:unix_stream_socket connectto; | |
357 | # certain apps want to read xdm.pid file | |
358 | r_dir_file($1_t, xdm_var_run_t) | |
cc41a97c | 359 | allow $1_t xdm_var_lib_t:file r_file_perms; |
0c73cd25 CP |
360 | allow xdm_t $1_home_dir_t:dir getattr; |
361 | ifdef(`xauth.te', ` | |
362 | file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) | |
363 | ') | |
364 | ||
365 | # for shared memory | |
366 | allow xdm_xserver_t $1_tmpfs_t:file { read write }; | |
367 | ||
368 | ') | |
369 | ||
370 | ifdef(`rpcd.te', ` | |
371 | create_dir_file($1_t, nfsd_rw_t) | |
372 | ') | |
373 | ||
374 | ifdef(`cardmgr.te', ` | |
375 | # to allow monitoring of pcmcia status | |
cc41a97c | 376 | allow $1_t cardmgr_var_run_t:file r_file_perms; |
0c73cd25 CP |
377 | ') |
378 | ||
379 | # | |
380 | # Allow graphical boot to check battery lifespan | |
381 | # | |
382 | ifdef(`apmd.te', ` | |
383 | allow $1_t apmd_t:unix_stream_socket connectto; | |
384 | allow $1_t apmd_var_run_t:sock_file write; | |
385 | ') | |
386 | ||
387 | ifdef(`automount.te', ` | |
cc41a97c | 388 | allow $1_t autofs_t:dir { getattr search }; |
0c73cd25 CP |
389 | ') |
390 | ||
391 | ifdef(`pamconsole.te', ` | |
392 | allow $1_t pam_var_console_t:dir search; | |
393 | ') | |
394 | ||
395 | ') dnl endif TODO | |
b16c6b8c CP |
396 | |
397 | ')dnl end base_user_domain macro | |
398 | ||
399 | ######################################## | |
400 | # | |
401 | # User domain template | |
402 | # | |
403 | ||
404 | define(`user_domain_template', ` | |
0c73cd25 CP |
405 | ############################## |
406 | # | |
407 | # Declarations | |
408 | # | |
b16c6b8c | 409 | |
0c73cd25 CP |
410 | # Inherit rules for ordinary users. |
411 | base_user_domain($1) | |
b16c6b8c | 412 | |
0c73cd25 CP |
413 | typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; |
414 | domain_make_file_descriptors_widely_inheritable($1_t) | |
b16c6b8c | 415 | |
0c73cd25 CP |
416 | #typeattribute $1_devpts_t userpty_type, user_tty_type; |
417 | #typeattribute $1_home_dir_t user_home_dir_type; | |
418 | #typeattribute $1_home_t user_home_type; | |
b16c6b8c | 419 | |
0c73cd25 | 420 | #typeattribute $1_tmp_t, user_tmpfile; |
b16c6b8c | 421 | |
0c73cd25 | 422 | #typeattribute $1_tty_device_t user_tty_type; |
b16c6b8c | 423 | |
0c73cd25 CP |
424 | ############################## |
425 | # | |
426 | # Local policy | |
427 | # | |
428 | ||
429 | allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; | |
0fd9dc55 | 430 | term_create_pty($1_t,$1_devpts_t) |
0c73cd25 CP |
431 | |
432 | # Rules used to associate a homedir as a mountpoint | |
433 | allow $1_home_t self:filesystem associate; | |
434 | allow $1_file_type $1_home_t:filesystem associate; | |
435 | ||
436 | # user temporary files | |
cc41a97c CP |
437 | allow $1_t $1_tmp_t:file create_file_perms; |
438 | allow $1_t $1_tmp_t:lnk_file create_lnk_perms; | |
439 | allow $1_t $1_tmp_t:dir create_dir_perms; | |
440 | allow $1_t $1_tmp_t:sock_file create_file_perms; | |
441 | allow $1_t $1_tmp_t:fifo_file create_file_perms; | |
442 | files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set }) | |
0c73cd25 CP |
443 | |
444 | # privileged home directory writers | |
cc41a97c CP |
445 | allow privhome $1_home_t:file create_file_perms; |
446 | allow privhome $1_home_t:lnk_file create_lnk_perms; | |
447 | allow privhome $1_home_t:dir create_dir_perms; | |
448 | allow privhome $1_home_t:sock_file create_file_perms; | |
449 | allow privhome $1_home_t:fifo_file create_file_perms; | |
450 | type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t; | |
0c73cd25 CP |
451 | |
452 | kernel_read_system_state($1_t) | |
453 | kernel_read_network_state($1_t) | |
454 | kernel_read_hardware_state($1_t) | |
455 | ||
456 | # cjp: why? | |
457 | bootloader_read_kernel_symbol_table($1_t) | |
458 | ||
459 | # port access is audited even if dac would not have allowed it, so dontaudit it here | |
0fd9dc55 | 460 | corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) |
0c73cd25 CP |
461 | |
462 | files_read_general_system_config($1_t) | |
463 | files_list_home_directories($1_t) | |
464 | files_read_general_application_resources($1_t) | |
465 | ||
466 | init_script_read_runtime_data($1_t) | |
467 | # The library functions always try to open read-write first, | |
468 | # then fall back to read-only if it fails. | |
469 | init_script_ignore_write_runtime_data($1_t) | |
470 | # Stop warnings about access to /dev/console | |
471 | init_ignore_use_file_descriptors($1_t) | |
472 | init_script_ignore_use_file_descriptors($1_t) | |
473 | ||
474 | miscfiles_read_man_pages($1_t) | |
475 | ||
476 | selinux_read_config($1_t) | |
477 | # Allow users to execute checkpolicy without a domain transition | |
478 | # so it can be used without privilege to write real binary policy file | |
479 | selinux_checkpolicy_execute($1_t) | |
480 | ||
481 | if (user_dmesg) { | |
482 | kernel_read_ring_buffer($1_t) | |
483 | } else { | |
0fd9dc55 | 484 | kernel_dontaudit_read_ring_buffer($1_t) |
0c73cd25 CP |
485 | } |
486 | ||
487 | # Allow users to run TCP servers (bind to ports and accept connection from | |
488 | # the same domain and outside users) disabling this forces FTP passive mode | |
489 | # and may change other protocols | |
490 | if (user_tcp_server) { | |
0fd9dc55 | 491 | corenet_tcp_bind_generic_port($1_t) |
0c73cd25 CP |
492 | } |
493 | ||
494 | # for running depmod as part of the kernel packaging process | |
495 | optional_policy(`modutils.te',` | |
496 | modutils_read_kernel_module_loading_config($1_t) | |
497 | ') | |
498 | ||
499 | optional_policy(`selinux.te',` | |
500 | # for when the network connection is killed | |
501 | selinux_newrole_ignore_signal($1_t) | |
502 | ') | |
503 | ||
504 | # Need the following rule to allow users to run vpnc | |
505 | optional_policy(`xserver.te', ` | |
506 | corenetwork_bind_tcp_on_xserver_port($1_t) | |
507 | ') | |
508 | ||
509 | ifdef(`TODO',` | |
510 | ||
511 | dontaudit $1_t boot_t:lnk_file read; | |
512 | dontaudit $1_t boot_t:file read; | |
513 | ||
514 | can_kerberos($1_t) | |
515 | ||
516 | # do not audit read on disk devices | |
517 | dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read; | |
518 | ||
519 | ifdef(`xdm.te', ` | |
520 | allow xdm_t $1_home_t:lnk_file read; | |
521 | allow xdm_t $1_home_t:dir search; | |
522 | # | |
523 | # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp | |
524 | # | |
525 | dontaudit xdm_t $1_home_t:file rw_file_perms; | |
526 | ') | |
527 | ||
528 | ifdef(`ftpd.te', ` | |
529 | if (ftp_home_dir) { | |
530 | file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) | |
531 | } | |
532 | ') | |
533 | ||
534 | if (read_default_t) { | |
535 | allow $1 default_t:dir r_dir_perms; | |
536 | allow $1 default_t:notdevfile_class_set r_file_perms; | |
537 | } | |
538 | ||
539 | can_exec($1_t, usr_t) | |
540 | ||
541 | # Read directories and files with the readable_t type. | |
542 | # This type is a general type for "world"-readable files. | |
543 | allow $1_t readable_t:dir r_dir_perms; | |
544 | allow $1_t readable_t:notdevfile_class_set r_file_perms; | |
545 | ||
546 | # Stat lost+found. | |
547 | allow $1_t lost_found_t:dir getattr; | |
548 | ||
549 | # Read /var, /var/spool, /var/run. | |
550 | allow $1_t var_t:dir r_dir_perms; | |
551 | allow $1_t var_t:notdevfile_class_set r_file_perms; | |
552 | allow $1_t var_spool_t:dir r_dir_perms; | |
553 | allow $1_t var_spool_t:notdevfile_class_set r_file_perms; | |
554 | allow $1_t var_run_t:dir r_dir_perms; | |
555 | allow $1_t var_run_t:{ file lnk_file } r_file_perms; | |
556 | allow $1_t var_lib_t:dir r_dir_perms; | |
557 | allow $1_t var_lib_t:file { getattr read }; | |
558 | ||
559 | # Allow users to rw usb devices | |
560 | if (user_rw_usb) { | |
561 | rw_dir_create_file($1_t,usbdevfs_t) | |
562 | } else { | |
563 | r_dir_file($1_t,usbdevfs_t) | |
564 | } | |
565 | ||
566 | # Do not audit write denials to /etc/ld.so.cache. | |
567 | dontaudit $1_t ld_so_cache_t:file write; | |
568 | ||
569 | dontaudit $1_t sysadm_home_t:file { read append }; | |
570 | ||
571 | ifdef(`syslogd.te', ` | |
572 | # Some programs that are left in $1_t will try to connect | |
573 | # to syslogd, but we do not want to let them generate log messages. | |
574 | # Do not audit. | |
575 | dontaudit $1_t devlog_t:sock_file { read write }; | |
576 | dontaudit $1_t syslogd_t:unix_dgram_socket sendto; | |
577 | ') | |
578 | ||
579 | allow $1_t initrc_t:fifo_file write; | |
580 | ||
581 | ifdef(`user_can_mount', ` | |
582 | # | |
583 | # Allow users to mount file systems like floppies and cdrom | |
584 | # | |
585 | mount_domain($1, $1_mount, `, fs_domain') | |
586 | r_dir_file($1_t, mnt_t) | |
587 | allow $1_mount_t device_t:lnk_file read; | |
588 | allow $1_mount_t removable_device_t:blk_file read; | |
589 | allow $1_mount_t iso9660_t:filesystem relabelfrom; | |
590 | allow $1_mount_t removable_t:filesystem { mount relabelto }; | |
591 | allow $1_mount_t removable_t:dir mounton; | |
592 | ifdef(`xdm.te', ` | |
593 | allow $1_mount_t xdm_t:fd use; | |
594 | allow $1_mount_t xdm_t:fifo_file { read write }; | |
595 | ') | |
596 | ') | |
597 | ||
598 | ') dnl end TODO | |
b16c6b8c | 599 | ') |
4d8ddf9a CP |
600 | |
601 | ######################################## | |
602 | # | |
603 | # Admin domain template | |
604 | # | |
605 | define(`admin_domain_template',` | |
0c73cd25 CP |
606 | ############################## |
607 | # | |
608 | # Declarations | |
609 | # | |
610 | ||
611 | # Inherit rules for ordinary users. | |
612 | base_user_domain($1) | |
613 | ||
614 | typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; | |
615 | kernel_make_object_identity_change_constraint_exception($1_t) | |
616 | role system_r types $1_t; | |
617 | ||
618 | #ifdef(`direct_sysadm_daemon', `, priv_system_role') | |
619 | #; dnl end of sysadm_t type declaration | |
620 | ||
621 | typeattribute $1_devpts_t admin_terminal; | |
622 | ||
623 | typeattribute $1_tty_device_t admin_terminal; | |
624 | ||
625 | ############################## | |
626 | # | |
627 | # $1_t local policy | |
628 | # | |
629 | ||
630 | allow $1_t self:capability ~sys_module; | |
631 | allow $1_t self:process { setexec setfscreate }; | |
632 | ||
633 | # Set password information for other users. | |
634 | allow $1_t self:passwd { passwd chfn chsh }; | |
635 | ||
636 | # Skip authentication when pam_rootok is specified. | |
637 | allow $1_t self:passwd rootok; | |
638 | ||
639 | # Manipulate other users crontab. | |
640 | allow $1_t self:passwd crontab; | |
641 | ||
642 | # for the administrator to run TCP servers directly | |
643 | allow $1_t self:tcp_socket { acceptfrom connectto recvfrom }; | |
644 | ||
645 | allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; | |
0fd9dc55 | 646 | term_create_pty($1_t,$1_devpts_t) |
0c73cd25 | 647 | |
cc41a97c CP |
648 | allow $1_t $1_tmp_t:dir create_dir_perms; |
649 | allow $1_t $1_tmp_t:file create_file_perms; | |
650 | allow $1_t $1_tmp_t:lnk_file create_file_perms; | |
651 | allow $1_t $1_tmp_t:fifo_file create_file_perms; | |
652 | allow $1_t $1_tmp_t:sock_file create_file_perms; | |
653 | files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set }) | |
0c73cd25 CP |
654 | |
655 | kernel_read_system_state($1_t) | |
656 | kernel_read_network_state($1_t) | |
657 | kernel_read_software_raid_state($1_t) | |
0fd9dc55 CP |
658 | kernel_getattr_core($1_t) |
659 | kernel_getattr_message_if($1_t) | |
0c73cd25 CP |
660 | kernel_change_ring_buffer_level($1_t) |
661 | kernel_clear_ring_buffer($1_t) | |
662 | kernel_read_ring_buffer($1_t) | |
663 | kernel_get_sysvipc_info($1_t) | |
0fd9dc55 CP |
664 | kernel_rw_all_sysctl($1_t) |
665 | kernel_set_enforcement_mode($1_t) | |
666 | kernel_set_boolean($1_t) | |
667 | kernel_set_security_parameters($1_t) | |
0c73cd25 CP |
668 | # Get security policy decisions: |
669 | kernel_get_selinuxfs_mount_point($1_t) | |
0fd9dc55 CP |
670 | kernel_validate_context($1_t) |
671 | kernel_compute_access_vector($1_t) | |
672 | kernel_compute_create_context($1_t) | |
673 | kernel_compute_relabel_context($1_t) | |
674 | kernel_compute_reachable_user_contexts($1_t) | |
0c73cd25 | 675 | # signal unlabeled processes: |
0fd9dc55 CP |
676 | kernel_kill_unlabeled($1_t) |
677 | kernel_signal_unlabeled($1_t) | |
678 | kernel_sigstop_unlabeled($1_t) | |
679 | kernel_signull_unlabeled($1_t) | |
680 | kernel_sigchld_unlabeled($1_t) | |
0c73cd25 | 681 | |
0fd9dc55 | 682 | corenet_tcp_bind_generic_port($1_t) |
0c73cd25 | 683 | |
f0c985ca KM |
684 | dev_getattr_generic_blk_file($1_t) |
685 | dev_getattr_generic_chr_file($1_t) | |
686 | dev_getattr_all_blk_files($1_t) | |
687 | dev_getattr_all_chr_files($1_t) | |
0c73cd25 | 688 | |
0fd9dc55 CP |
689 | fs_getattr_all_fs($1_t) |
690 | fs_set_all_quotas($1_t) | |
0c73cd25 CP |
691 | |
692 | storage_raw_read_removable_device($1_t) | |
693 | storage_raw_write_removable_device($1_t) | |
694 | ||
0fd9dc55 CP |
695 | term_use_console($1_t) |
696 | term_use_unallocated_tty($1_t) | |
697 | term_use_all_user_ptys($1_t) | |
698 | term_use_all_user_ttys($1_t) | |
0c73cd25 CP |
699 | |
700 | # Manage almost all files | |
701 | authlogin_manage_all_files_except_shadow($1_t) | |
702 | # Relabel almost all files | |
703 | authlogin_relabel_all_files_except_shadow($1_t) | |
704 | ||
705 | domain_set_all_domains_priorities($1_t) | |
706 | domain_read_all_domains_process_state($1_t) | |
707 | # signal all domains: | |
708 | domain_kill_all_domains($1_t) | |
709 | domain_signal_all_domains($1_t) | |
710 | domain_signull_all_domains($1_t) | |
711 | domain_sigstop_all_domains($1_t) | |
712 | domain_sigstop_all_domains($1_t) | |
713 | domain_sigchld_all_domains($1_t) | |
714 | ||
715 | files_execute_system_source_code_scripts($1_t) | |
716 | ||
717 | init_use_control_channel($1_t) | |
718 | ||
719 | logging_send_system_log_message($1_t) | |
720 | ||
721 | modutils_insmod_transition($1_t) | |
722 | ||
723 | selinux_read_config($1_t) | |
724 | # The following rule is temporary until such time that a complete | |
725 | # policy management infrastructure is in place so that an administrator | |
726 | # cannot directly manipulate policy files with arbitrary programs. | |
727 | selinux_manage_source_policy($1_t) | |
728 | # Violates the goal of limiting write access to checkpolicy. | |
729 | # But presently necessary for installing the file_contexts file. | |
730 | selinux_manage_binary_policy($1_t) | |
731 | ||
732 | optional_policy(`cron.te',` | |
733 | cron_admin_template($1) | |
734 | ') | |
735 | ||
736 | ifdef(`TODO',` | |
737 | ||
738 | # Let admin stat the shadow file. | |
739 | allow $1_t shadow_t:file getattr; | |
740 | ||
741 | # for lsof | |
742 | allow $1_t mtrr_device_t:file getattr; | |
743 | ||
744 | allow $1_t serial_device:chr_file setattr; | |
745 | ||
746 | # allow setting up tunnels | |
747 | allow $1_t tun_tap_device_t:chr_file rw_file_perms; | |
748 | ||
749 | allow $1_t ptyfile:chr_file getattr; | |
750 | ||
751 | # Run programs from staff home directories. | |
752 | # Not ideal, but typical if users want to login as both sysadm_t or staff_t. | |
753 | can_exec($1_t, staff_home_t) | |
754 | ||
755 | # Run admin programs that require different permissions in their own domain. | |
756 | # These rules were moved into the appropriate program domain file. | |
757 | ||
758 | ifdef(`startx.te', ` | |
759 | ifdef(`xserver.te', ` | |
760 | # Create files in /tmp/.X11-unix with our X servers derived | |
761 | # tmp type rather than user_xserver_tmp_t. | |
762 | file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) | |
763 | ') | |
764 | ') | |
765 | ||
766 | ifdef(`xdm.te', ` | |
767 | ifdef(`xauth.te', ` | |
768 | if (xdm_sysadm_login) { | |
769 | allow xdm_t $1_home_t:lnk_file read; | |
770 | allow xdm_t $1_home_t:dir search; | |
771 | } | |
772 | allow $1_t xdm_t:fifo_file rw_file_perms; | |
773 | ') | |
774 | ') | |
775 | ||
776 | # | |
777 | # A user who is authorized for sysadm_t may nonetheless have | |
778 | # a home directory labeled with user_home_t if the user is expected | |
779 | # to login in either user_t or sysadm_t. Hence, the derived domains | |
780 | # for programs need to be able to access user_home_t. | |
781 | # | |
4d8ddf9a | 782 | |
0c73cd25 CP |
783 | # Allow our gph domain to write to .xsession-errors. |
784 | ifdef(`gnome-pty-helper.te', ` | |
785 | allow $1_gph_t user_home_dir_type:dir rw_dir_perms; | |
786 | allow $1_gph_t user_home_type:file create_file_perms; | |
787 | ') | |
4d8ddf9a | 788 | |
0c73cd25 CP |
789 | # for the administrator to run TCP servers directly |
790 | allow $1_t kernel_t:tcp_socket recvfrom; | |
4d8ddf9a | 791 | |
0c73cd25 CP |
792 | # Connect data port to ftpd. |
793 | ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') | |
4d8ddf9a | 794 | |
0c73cd25 CP |
795 | # Connect second port to rshd. |
796 | ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') | |
797 | ||
798 | # Allow MAKEDEV to work | |
799 | allow $1_t device_t:dir rw_dir_perms; | |
800 | allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; | |
801 | allow $1_t device_t:lnk_file { create read }; | |
4d8ddf9a | 802 | |
0c73cd25 CP |
803 | # for lsof |
804 | allow $1_t domain:socket_class_set getattr; | |
805 | allow $1_t eventpollfs_t:file getattr; | |
806 | ') dnl endif TODO | |
4d8ddf9a | 807 | ') |
490639cd | 808 | |
4bf4ed9e CP |
809 | ######################################## |
810 | ## <interface name="userdomain_all_users_explicit_transition"> | |
811 | ## <description> | |
812 | ## Execute a shell in all user domains. This | |
813 | ## is an explicit transition, requiring the | |
814 | ## caller to use setexeccon(). | |
815 | ## </description> | |
816 | ## <parameter name="domain"> | |
817 | ## The type of the process performing this action. | |
818 | ## </parameter> | |
4bf4ed9e CP |
819 | ## </interface> |
820 | # | |
821 | define(`userdomain_all_users_explicit_transition',` | |
0c73cd25 CP |
822 | requires_block_template(`$0'_depend) |
823 | corecommands_shell_explicit_transition($1,userdomain) | |
4bf4ed9e CP |
824 | ') |
825 | ||
826 | define(`userdomain_all_users_explicit_transition_depend',` | |
0c73cd25 | 827 | type sysadm_t; |
4bf4ed9e CP |
828 | ') |
829 | ||
d490eb6b CP |
830 | ######################################## |
831 | ## <interface name="userdomain_sysadm_shell_transition"> | |
832 | ## <description> | |
833 | ## Execute a shell in the sysadm domain. | |
834 | ## </description> | |
835 | ## <parameter name="domain"> | |
836 | ## The type of the process performing this action. | |
837 | ## </parameter> | |
d490eb6b CP |
838 | ## </interface> |
839 | # | |
840 | define(`userdomain_sysadm_shell_transition',` | |
0c73cd25 CP |
841 | requires_block_template(`$0'_depend) |
842 | ||
843 | corecommands_shell_transition($1,sysadm_t) | |
d490eb6b CP |
844 | ') |
845 | ||
846 | define(`userdomain_sysadm_shell_transition_depend',` | |
0c73cd25 | 847 | type sysadm_t; |
d490eb6b CP |
848 | ') |
849 | ||
daa0e0b0 CP |
850 | ######################################## |
851 | ## <interface name="userdomain_use_admin_terminals"> | |
852 | ## <description> | |
853 | ## Read and write administrative users | |
854 | ## physical and pseudo terminals. | |
855 | ## </description> | |
856 | ## <parameter name="domain"> | |
857 | ## The type of the process performing this action. | |
858 | ## </parameter> | |
daa0e0b0 | 859 | ## </interface> |
490639cd | 860 | # |
daa0e0b0 | 861 | define(`userdomain_use_admin_terminals',` |
0c73cd25 CP |
862 | requires_block_template(`$0'_depend) |
863 | ||
f0c985ca | 864 | dev_list_all_dev_nodes($1) |
0fd9dc55 | 865 | term_list_ptys($1) |
0c73cd25 | 866 | allow $1 admin_terminal:chr_file { getattr read write ioctl }; |
daa0e0b0 CP |
867 | ') |
868 | ||
869 | define(`userdomain_use_admin_terminals_depend',` | |
0c73cd25 CP |
870 | attribute admin_terminal; |
871 | ||
872 | class chr_file { getattr read write ioctl }; | |
daa0e0b0 CP |
873 | ') |
874 | ||
763c441e CP |
875 | ######################################## |
876 | ## <interface name="userdomain_dontaudit_use_admin_terminals"> | |
877 | ## <description> | |
878 | ## Do not audit attempts to use admin ttys and ptys. | |
879 | ## </description> | |
880 | ## <parameter name="domain"> | |
881 | ## The type of the process performing this action. | |
882 | ## </parameter> | |
763c441e CP |
883 | ## </interface> |
884 | # | |
885 | define(`userdomain_dontaudit_use_admin_terminals',` | |
886 | requires_block_template(`$0'_depend) | |
887 | ||
888 | dontaudit $1 admin_terminal:chr_file { read write }; | |
889 | ') | |
890 | ||
891 | define(`userdomain_dontaudit_use_admin_terminals_depend',` | |
892 | attribute admin_terminal; | |
893 | ||
894 | class chr_file { read write }; | |
895 | ') | |
896 | ||
4bf4ed9e CP |
897 | ######################################## |
898 | ## <interface name="userdomain_search_all_users_home_dirs"> | |
899 | ## <description> | |
900 | ## Search all users home directories. | |
901 | ## </description> | |
902 | ## <parameter name="domain"> | |
903 | ## The type of the process performing this action. | |
904 | ## </parameter> | |
4bf4ed9e CP |
905 | ## </interface> |
906 | # | |
907 | define(`userdomain_search_all_users_home_dirs',` | |
0c73cd25 CP |
908 | requires_block_template(`$0'_depend) |
909 | ||
910 | files_list_home_directories($1) | |
911 | allow $1 { home_dir_type home_type }:dir search; | |
4bf4ed9e CP |
912 | ') |
913 | ||
914 | define(`userdomain_search_all_users_home_dirs_depend',` | |
0c73cd25 CP |
915 | attribute home_dir_type, home_type; |
916 | ||
917 | class dir search; | |
4bf4ed9e CP |
918 | ') |
919 | ||
daa0e0b0 CP |
920 | ######################################## |
921 | ## <interface name="userdomain_read_all_users_data"> | |
922 | ## <description> | |
4bf4ed9e | 923 | ## Read all files in all users home directories. |
daa0e0b0 CP |
924 | ## </description> |
925 | ## <parameter name="domain"> | |
926 | ## The type of the process performing this action. | |
927 | ## </parameter> | |
daa0e0b0 CP |
928 | ## </interface> |
929 | # | |
930 | define(`userdomain_read_all_users_data',` | |
0c73cd25 CP |
931 | requires_block_template(`$0'_depend) |
932 | ||
933 | files_list_home_directories($1) | |
cc41a97c | 934 | allow $1 home_type:dir r_dir_perms; |
0fd9dc55 | 935 | allow $1 home_type:file r_file_perms; |
daa0e0b0 CP |
936 | ') |
937 | ||
938 | define(`userdomain_read_all_users_data_depend',` | |
0c73cd25 CP |
939 | attribute home_type; |
940 | ||
cc41a97c CP |
941 | class dir r_dir_perms; |
942 | class file r_file_perms; | |
daa0e0b0 CP |
943 | ') |
944 | ||
945 | ######################################## | |
490639cd CP |
946 | ## <interface name="userdomain_use_all_users_file_descriptors"> |
947 | ## <description> | |
948 | ## Inherit the file descriptors from all user domains | |
949 | ## </description> | |
950 | ## <parameter name="domain"> | |
951 | ## The type of the process performing this action. | |
952 | ## </parameter> | |
490639cd CP |
953 | ## </interface> |
954 | # | |
955 | define(`userdomain_use_all_users_file_descriptors',` | |
0c73cd25 CP |
956 | requires_block_template(`$0'_depend) |
957 | ||
958 | allow $1 userdomain:fd use; | |
490639cd CP |
959 | ') |
960 | ||
961 | define(`userdomain_use_all_users_file_descriptors_depend',` | |
0c73cd25 CP |
962 | attribute userdomain; |
963 | ||
964 | class fd use; | |
490639cd CP |
965 | ') |
966 | ||
4bf4ed9e CP |
967 | ######################################## |
968 | ## <interface name="userdomain_signal_all_userdomains"> | |
969 | ## <description> | |
970 | ## Send general signals to all user domains. | |
971 | ## </description> | |
972 | ## <parameter name="domain"> | |
973 | ## The type of the process performing this action. | |
974 | ## </parameter> | |
4bf4ed9e CP |
975 | ## </interface> |
976 | # | |
977 | define(`userdomain_signal_all_userdomains',` | |
0c73cd25 CP |
978 | requires_block_template(`$0'_depend) |
979 | ||
980 | allow $1 userdomain:process signal; | |
4bf4ed9e CP |
981 | ') |
982 | ||
983 | define(`userdomain_signal_all_userdomains_depend',` | |
0c73cd25 CP |
984 | attribute userdomain; |
985 | ||
986 | class process signal; | |
4bf4ed9e CP |
987 | ') |
988 | ||
daa0e0b0 CP |
989 | ######################################## |
990 | ## <interface name="userdomain_use_all_unprivileged_users_file_descriptors"> | |
991 | ## <description> | |
992 | ## Inherit the file descriptors from all user domains. | |
993 | ## </description> | |
994 | ## <parameter name="domain"> | |
995 | ## The type of the process performing this action. | |
996 | ## </parameter> | |
daa0e0b0 CP |
997 | ## </interface> |
998 | # | |
999 | define(`userdomain_use_all_unprivileged_users_file_descriptors',` | |
0c73cd25 CP |
1000 | requires_block_template(`$0'_depend) |
1001 | ||
1002 | allow $1 unpriv_userdomain:fd use; | |
daa0e0b0 CP |
1003 | ') |
1004 | ||
1005 | define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',` | |
0c73cd25 CP |
1006 | attribute unpriv_userdomain; |
1007 | ||
1008 | class fd use; | |
daa0e0b0 CP |
1009 | ') |
1010 | ||
1011 | ######################################## | |
1012 | ## <interface name="userdomain_ignore_use_all_unprivileged_users_file_descriptors"> | |
1013 | ## <description> | |
1014 | ## Do not audit attempts to inherit the | |
1015 | ## file descriptors from all user domains. | |
1016 | ## </description> | |
1017 | ## <parameter name="domain"> | |
1018 | ## The type of the process performing this action. | |
1019 | ## </parameter> | |
daa0e0b0 CP |
1020 | ## </interface> |
1021 | # | |
1022 | define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',` | |
0c73cd25 CP |
1023 | requires_block_template(`$0'_depend) |
1024 | ||
1025 | dontaudit $1 unpriv_userdomain:fd use; | |
daa0e0b0 CP |
1026 | ') |
1027 | ||
1028 | define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',` | |
0c73cd25 CP |
1029 | attribute unpriv_userdomain; |
1030 | ||
1031 | class fd use; | |
daa0e0b0 CP |
1032 | ') |
1033 | ||
490639cd | 1034 | ## </module> |