1 ## <summary>Policy for user domains</summary>
3 #######################################
5 ## The template containing the most basic rules common to all users.
9 ## The template containing the most basic rules common to all users.
12 ## This template creates a user domain, types, and
13 ## rules for the user's tty and pty.
16 ## <param name="userdomain_prefix">
18 ## The prefix of the user domain (e.g., user
19 ## is the prefix for user_t).
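24 template(`userdom_base_user_template',`
# Rules common to every user domain: declares $1_t with the userdomain
# and $1_usertype attributes, sets up the user's tty/pty types, and
# grants IPC, signalling and ptrace among all domains that carry
# $1_usertype.  Almost everything here is granted to the attribute, so
# any helper type later added to $1_usertype inherits the same rights.
28 type user_devpts_t, user_tty_device_t;
29 class context contains;
32 attribute $1_file_type;
33 attribute $1_usertype;
35 type $1_t, userdomain, $1_usertype;
37 corecmd_shell_entry_type($1_t)
38 corecmd_bin_entry_type($1_t)
39 domain_user_exemption_target($1_t)
# UBAC: when enabled in the build, objects of this user are reachable
# only by domains of the same SELinux user.
40 ubac_constrained($1_t)
44 term_user_pty($1_t, user_devpts_t)
46 term_user_tty($1_t, user_tty_device_t)
47 term_dontaudit_getattr_generic_ptys($1_t)
# Intra-user trust boundary: any domain with $1_usertype may ptrace,
# signal and reschedule any other such domain, $1_t included.  Keep
# this in mind before putting "sandboxed" helper types on the attribute.
49 allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
50 allow $1_usertype $1_usertype:fd use;
# Kernel keyrings: every $1_usertype domain can read and write $1_t's keys.
51 allow $1_usertype $1_t:key { create view read write search link setattr };
53 allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
54 allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
55 allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
56 allow $1_usertype $1_usertype:shm create_shm_perms;
57 allow $1_usertype $1_usertype:sem create_sem_perms;
58 allow $1_usertype $1_usertype:msgq create_msgq_perms;
59 allow $1_usertype $1_usertype:msg { send receive };
60 allow $1_usertype $1_usertype:context contains;
61 dontaudit $1_usertype $1_usertype:socket create;
63 allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
64 term_create_pty($1_usertype, user_devpts_t)
65 # avoid annoying messages on terminal hangup on role change
66 dontaudit $1_usertype user_devpts_t:chr_file ioctl;
68 allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
69 # avoid annoying messages on terminal hangup on role change
70 dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
# Execute every application entry type in the caller's own domain.
72 application_exec_all($1_usertype)
# NOTE(review): kernel_read_kernel_sysctls looks subsumed by
# kernel_read_all_sysctls on the next line; confirm and drop one.
74 kernel_read_kernel_sysctls($1_usertype)
75 kernel_read_all_sysctls($1_usertype)
76 kernel_dontaudit_list_unlabeled($1_usertype)
77 kernel_dontaudit_getattr_unlabeled_files($1_usertype)
78 kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
79 kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
80 kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
81 kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
82 kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
83 kernel_dontaudit_list_proc($1_usertype)
85 dev_dontaudit_getattr_all_blk_files($1_usertype)
86 dev_dontaudit_getattr_all_chr_files($1_usertype)
87 dev_getattr_mtrr_dev($1_t)
89 # When the user domain runs ps, there will be a number of access
90 # denials when ps tries to search /proc. Do not audit these denials.
91 domain_dontaudit_read_all_domains_state($1_usertype)
92 domain_dontaudit_getattr_all_domains($1_usertype)
93 domain_dontaudit_getsession_all_domains($1_usertype)
95 files_read_etc_files($1_usertype)
96 files_list_mnt($1_usertype)
97 files_read_mnt_files($1_usertype)
98 files_read_etc_runtime_files($1_usertype)
99 files_read_usr_files($1_usertype)
100 files_read_usr_src_files($1_usertype)
101 # Read directories and files with the readable_t type.
102 # This type is a general type for "world"-readable files.
103 files_list_world_readable($1_usertype)
104 files_read_world_readable_files($1_usertype)
105 files_read_world_readable_symlinks($1_usertype)
106 files_read_world_readable_pipes($1_usertype)
107 files_read_world_readable_sockets($1_usertype)
108 # old browser_domain():
109 files_dontaudit_getattr_all_dirs($1_usertype)
110 files_dontaudit_list_non_security($1_usertype)
111 files_dontaudit_getattr_all_files($1_usertype)
112 files_dontaudit_getattr_non_security_symlinks($1_usertype)
113 files_dontaudit_getattr_non_security_pipes($1_usertype)
114 files_dontaudit_getattr_non_security_sockets($1_usertype)
116 files_exec_usr_files($1_t)
# cgroup: listing only here; read/write of the control files is added
# by userdom_common_user_template.  (A duplicate fs_list_cgroup_dirs
# call further down was removed.)
118 fs_list_cgroup_dirs($1_usertype)
119 fs_dontaudit_rw_cgroup_files($1_usertype)
# FUSE control device (/dev/fuse) read/write.
121 storage_rw_fuse($1_usertype)
123 auth_use_nsswitch($1_usertype)
125 init_stream_connect($1_usertype)
126 # The library functions always try to open read-write first,
127 # then fall back to read-only if it fails.
128 init_dontaudit_rw_utmp($1_usertype)
130 libs_exec_ld_so($1_usertype)
# $1_t carries $1_usertype, so the $1_t localization call below is
# redundant with the attribute-wide one; harmless.
132 miscfiles_read_localization($1_t)
133 miscfiles_read_generic_certs($1_t)
135 miscfiles_read_all_certs($1_usertype)
136 miscfiles_read_localization($1_usertype)
137 miscfiles_read_man_pages($1_usertype)
138 miscfiles_read_public_files($1_usertype)
# W^X escape hatches for $1_t, off unless the booleans are set; the
# login template's process rule otherwise excludes execmem/execstack.
140 tunable_policy(`allow_execmem',`
141 # Allow loading DSOs that require executable stack.
142 allow $1_t self:process execmem;
145 tunable_policy(`allow_execmem && allow_execstack',`
146 # Allow making the stack executable via mprotect.
147 allow $1_t self:process execstack;
# Use inherited ssh stream sockets (e.g. forwarded agent connections).
155 ssh_rw_stream_sockets($1_usertype)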
161 #######################################
163 ## Allow a home directory for which the
164 ## role has read-only access.
168 ## Allow a home directory for which the
169 ## role has read-only access.
172 ## This does not allow execute access.
175 ## <param name="role">
180 ## <param name="userdomain">
187 interface(`userdom_ro_home_role',`
# Read-only home directory access for role $1 / domain $2: list and
# read files, symlinks, pipes and sockets under the home directory.
# No write and no execute is granted here.
189 type user_home_t, user_home_dir_t;
192 role $1 types { user_home_t user_home_dir_t };
194 ##############################
196 # Domain access to home dir
# type_member: lets $2 be a member of its own polyinstantiated home
# directory instance.
199 type_member $2 user_home_dir_t:dir user_home_dir_t;
201 # read-only home directory
202 allow $2 user_home_dir_t:dir list_dir_perms;
203 allow $2 user_home_t:dir list_dir_perms;
# entrypoint only marks user_home_t files as possible entry points for
# $2; it does not by itself grant execute.
204 allow $2 user_home_t:file entrypoint;
205 read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
206 read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
207 read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
208 read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
213 #######################################
215 ## Allow a home directory for which the
216 ## role has full access.
220 ## Allow a home directory for which the
221 ## role has full access.
224 ## This does not allow execute access.
227 ## <param name="role">
232 ## <param name="userdomain">
239 interface(`userdom_manage_home_role',`
# Full control of the home directory for role $1 / domain $2: create,
# delete, rename and relabel every type carrying user_home_type, plus
# the home directory itself.  Execute is still not granted here (see
# userdom_exec_user_home_content_files, gated by a boolean in the
# login template).
241 type user_home_t, user_home_dir_t;
242 attribute user_home_type;
245 role $1 types { user_home_type user_home_dir_t };
247 ##############################
249 # Domain access to home dir
252 type_member $2 user_home_dir_t:dir user_home_dir_t;
254 # full control of the home directory
# mounton: the user may mount filesystems over directories in its home;
# this goes beyond plain file management.
255 allow $2 user_home_t:dir mounton;
256 allow $2 user_home_t:file entrypoint;
# relabelto/relabelfrom across the whole user_home_type attribute: the
# domain can move any home content between any two user_home_type
# types, so per-application home types only separate content from
# *other* users/roles, not from the owning user.
258 allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
259 allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
260 manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
261 manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
262 manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
263 manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
264 manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
265 relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
266 relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
267 relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
268 relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
269 relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
# New objects directly under the home dir get user_home_t.
270 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
273 # cjp: this should probably be removed:
274 allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
# Remote homes: the same management rights extend to NFS / CIFS content
# when the corresponding boolean is on.  fs_manage_nfs_* / fs_manage_cifs_*
# are keyed on the generic nfs_t / cifs_t types, so this reaches every
# such mount, not only the home export.
276 tunable_policy(`use_nfs_home_dirs',`
279 fs_manage_nfs_dirs($2)
280 fs_manage_nfs_files($2)
281 fs_manage_nfs_symlinks($2)
282 fs_manage_nfs_named_sockets($2)
283 fs_manage_nfs_named_pipes($2)
286 tunable_policy(`use_samba_home_dirs',`
289 fs_manage_cifs_dirs($2)
290 fs_manage_cifs_files($2)
291 fs_manage_cifs_symlinks($2)
292 fs_manage_cifs_named_sockets($2)
293 fs_manage_cifs_named_pipes($2)
297 #######################################
299 ## Manage user temporary files
301 ## <param name="role">
303 ## Role allowed access.
306 ## <param name="domain">
308 ## Domain allowed access.
313 interface(`userdom_manage_tmp_role',`
# Let domain $2 (role $1) create and manage its private user_tmp_t
# content; objects it creates in generic tmp directories are labelled
# user_tmp_t via files_tmp_filetrans.
318 role $1 types user_tmp_t;
# Polyinstantiated /tmp membership.
320 files_poly_member_tmp($2, user_tmp_t)
322 manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
323 manage_files_pattern($2, user_tmp_t, user_tmp_t)
324 manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
325 manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
326 manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
327 files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
# Only files may be relabelled here (no relabel_dirs_pattern), unlike
# userdom_manage_home_role which relabels every class.
328 relabel_files_pattern($2, user_tmp_t, user_tmp_t)
331 #######################################
333 ## Dontaudit search of user bin dirs.
335 ## <param name="domain">
337 ## Domain allowed access.
341 interface(`userdom_dontaudit_search_user_bin_dirs',`
# Silence search denials on the user's ~/bin (home_bin_t); grants nothing.
346 dontaudit $1 home_bin_t:dir search_dir_perms;
349 #######################################
351 ## Execute user bin files.
353 ## <param name="domain">
355 ## Domain allowed access.
359 interface(`userdom_exec_user_bin_files',`
# Execute files in the user's ~/bin (home_bin_t) in the caller's own
# domain (no transition).  This is unconditional: callers that want it
# under an exec-content boolean must wrap the call in tunable_policy.
361 attribute user_home_type;
362 type home_bin_t, user_home_dir_t;
365 exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
366 files_search_home($1)
369 #######################################
371 ## Execute user temporary files in the caller's own domain.
373 ## <param name="domain">
375 ## Domain allowed access.
380 interface(`userdom_exec_user_tmp_files',`
# Execute user_tmp_t files in the caller's own domain.  The sock_file
# execute dontaudit only quiets noise from programs that try to exec
# sockets found in /tmp.
385 exec_files_pattern($1, user_tmp_t, user_tmp_t)
386 dontaudit $1 user_tmp_t:sock_file execute;
390 #######################################
392 ## Role access for the user tmpfs type
393 ## to which the user has full access.
397 ## Role access for the user tmpfs type
398 ## to which the user has full access.
401 ## This does not allow execute access.
404 ## <param name="role">
406 ## Role allowed access.
409 ## <param name="domain">
411 ## Domain allowed access.
416 interface(`userdom_manage_tmpfs_role',`
# Full management of the user's tmpfs content (e.g. /dev/shm) labelled
# user_tmpfs_t, with a file transition from generic tmpfs.
421 role $1 types user_tmpfs_t;
423 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
424 manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
425 manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
426 manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
427 manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
428 fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
431 #######################################
433 ## Grant a user domain basic client-side network
434 ## permissions (TCP/UDP sockets, connect to any TCP port).
436 ## <param name="userdomain">
443 interface(`userdom_basic_networking',`
# Client-side networking for a user domain: create TCP/UDP sockets,
# send/receive on every port and connect to every TCP port.  No bind is
# granted here; listening is added by the callers (UDP bind in
# userdom_common_user_template, TCP bind under user_tcp_server in
# userdom_unpriv_user_template).
445 allow $1 self:tcp_socket create_stream_socket_perms;
446 allow $1 self:udp_socket create_socket_perms;
# Accept traffic carrying no label (no SECMARK/NetLabel) as well as
# NetLabel-labelled traffic; the port-level rules below are the
# effective control.
448 corenet_all_recvfrom_unlabeled($1)
449 corenet_all_recvfrom_netlabel($1)
450 corenet_tcp_sendrecv_generic_if($1)
451 corenet_udp_sendrecv_generic_if($1)
452 corenet_tcp_sendrecv_generic_node($1)
453 corenet_udp_sendrecv_generic_node($1)
454 corenet_tcp_sendrecv_all_ports($1)
455 corenet_udp_sendrecv_all_ports($1)
# Outbound TCP to any port, including privileged/service ports.
456 corenet_tcp_connect_all_ports($1)
457 corenet_sendrecv_all_client_packets($1)
460 init_tcp_recvfrom_all_daemons($1)
461 init_udp_recvfrom_all_daemons($1)
# Match the default IPsec SPD so labelled IPsec connections work.
465 ipsec_match_default_spd($1)
470 #######################################
472 ## The template for creating a user xwindows client. (Deprecated)
474 ## <param name="userdomain_prefix">
476 ## The prefix of the user domain (e.g., user
477 ## is the prefix for user_t).
482 template(`userdom_xwindows_client_template',`
# Deprecated: kept for callers not yet moved to xserver_role().
# Grants $1_t X client access plus a grab-bag of device access (xserver
# misc, power management, AGP, generic USB) that applications used to
# probe.
483 refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
485 type $1_t, user_tmpfs_t;
488 dev_rw_xserver_misc($1_t)
# Read/write of power-management devices is broad for a plain X client;
# review whether it is still needed when migrating to xserver_role().
489 dev_rw_power_management($1_t)
493 # open office is looking for the following
494 dev_getattr_agp_dev($1_t)
495 dev_dontaudit_rw_dri($1_t)
496 # GNOME checks for usb and other devices:
# rw on generic USB device nodes gives the X client direct access to any
# USB device that has no more specific label.
498 dev_rw_generic_usb_dev($1_t)
500 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
501 xserver_xsession_entry_type($1_t)
502 xserver_dontaudit_write_log($1_t)
503 xserver_stream_connect_xdm($1_t)
504 # certain apps want to read xdm.pid file
505 xserver_read_xdm_pid($1_t)
506 # gnome-session creates socket under /tmp/.ICE-unix/
507 xserver_create_xdm_tmp_sockets($1_t)
508 # Needed for escd, remove if we get escd policy
509 xserver_manage_xdm_tmp_files($1_t)
512 #######################################
514 ## The template for allowing the user to change passwords.
516 ## <param name="userdomain_prefix">
518 ## The prefix of the user domain (e.g., user
519 ## is the prefix for user_t).
524 template(`userdom_change_password_template',`
# Let $1_t run chfn and passwd through a domain transition; the
# usermanage domains do the privileged work.  This template itself
# grants $1_t no access to shadow.
531 usermanage_run_chfn($1_t,$1_r)
532 usermanage_run_passwd($1_t,$1_r)
536 #######################################
538 ## The template containing rules common to unprivileged
539 ## users and administrative users.
543 ## This template creates a user domain, types, and
544 ## rules for the user's tty, pty, tmp, and tmpfs files.
547 ## <param name="userdomain_prefix">
549 ## The prefix of the user domain (e.g., user
550 ## is the prefix for user_t).
554 template(`userdom_common_user_template',`
# Rules shared by unprivileged and administrative login users; the
# callers (userdom_unpriv_user_template, userdom_admin_user_template)
# layer this on top of userdom_login_user_template.
556 attribute unpriv_userdomain;
559 userdom_basic_networking($1_usertype)
561 ##############################
563 # User domain Local policy
566 # evolution and gnome-session try to create a netlink socket
567 dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
568 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
569 allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
570 allow $1_t self:socket create_socket_perms;
# fd use is granted against *all* unprivileged user domains, not only
# this user's own $1_usertype.
572 allow $1_usertype unpriv_userdomain:fd use;
574 kernel_read_system_state($1_usertype)
575 kernel_read_network_state($1_usertype)
576 kernel_read_net_sysctls($1_usertype)
577 # Very permissive allowing every domain to see every type:
578 kernel_get_sysvipc_info($1_usertype)
579 # Find CDROM devices:
580 kernel_read_device_sysctls($1_usertype)
# Lets an unprivileged user trigger kernel module auto-loading
# (module_request), e.g. by opening a socket family or device whose
# module is not yet loaded.  This exposes the init path of every
# autoloadable module to ordinary users; keep only if a real use case
# needs it.
581 kernel_request_load_module($1_usertype)
# UDP bind to generic nodes and generic (otherwise unlabelled) ports.
583 corenet_udp_bind_generic_node($1_usertype)
584 corenet_udp_bind_generic_port($1_usertype)
586 dev_read_rand($1_usertype)
587 dev_write_sound($1_usertype)
588 dev_read_sound($1_usertype)
589 dev_read_sound_mixer($1_usertype)
590 dev_write_sound_mixer($1_usertype)
# Execute etc files (e.g. scripts under /etc) in the user's own domain.
592 files_exec_etc_files($1_usertype)
593 files_search_locks($1_usertype)
594 # Check to see if cdrom is mounted
595 files_search_mnt($1_usertype)
596 # cjp: perhaps should cut back on file reads:
597 files_read_var_files($1_usertype)
598 files_read_var_symlinks($1_usertype)
599 files_read_generic_spool($1_usertype)
600 files_read_var_lib_files($1_usertype)
602 files_getattr_lost_found_dirs($1_usertype)
603 files_read_config_files($1_usertype)
604 fs_read_noxattr_fs_files($1_usertype)
605 fs_read_noxattr_fs_symlinks($1_usertype)
# Read/write cgroup control files, beyond the listing granted in the
# base template.
606 fs_rw_cgroup_files($1_usertype)
# Both syslog and user-space audit records may be emitted by
# unprivileged users; the restricted xwindows template grants the audit
# one again for $1_t.
608 logging_send_syslog_msg($1_usertype)
609 logging_send_audit_msgs($1_usertype)
610 selinux_get_enforce_mode($1_usertype)
612 # cjp: some of this probably can be removed
# Query/compute-only SELinux interfaces; none of these change policy.
613 selinux_get_fs_mount($1_usertype)
614 selinux_validate_context($1_usertype)
615 selinux_compute_access_vector($1_usertype)
616 selinux_compute_create_context($1_usertype)
617 selinux_compute_relabel_context($1_usertype)
618 selinux_compute_user_contexts($1_usertype)
621 storage_getattr_fixed_disk_dev($1_usertype)
623 auth_read_login_records($1_usertype)
624 auth_run_pam($1_t,$1_r)
625 auth_run_utempter($1_t,$1_r)
627 init_read_utmp($1_usertype)
629 seutil_read_file_contexts($1_usertype)
630 seutil_read_default_contexts($1_usertype)
631 seutil_run_newrole($1_t,$1_r)
632 seutil_exec_checkpolicy($1_t)
# setfiles runs in the caller's own domain here (exec, not a
# transition), so any relabel it performs is bounded by $1_usertype's
# own relabel rights.
633 seutil_exec_setfiles($1_usertype)
634 # for when the network connection is killed
635 # this is needed when a login role can change
637 seutil_dontaudit_signal_newrole($1_t)
639 tunable_policy(`user_direct_mouse',`
640 dev_read_mouse($1_usertype)
643 tunable_policy(`user_ttyfile_stat',`
644 term_getattr_all_ttys($1_t)
648 alsa_read_rw_config($1_usertype)
652 # Allow graphical boot to check battery lifespan
653 apm_stream_connect($1_usertype)
657 canna_stream_connect($1_usertype)
661 chrome_role($1_r, $1_usertype)
# System bus client, plus dbus between all $1_usertype domains.
665 dbus_system_bus_client($1_usertype)
667 allow $1_usertype $1_usertype:dbus send_msg;
# D-Bus chat with system services: each lets the user call that
# service's methods; the service's own dbus/polkit configuration is the
# effective authorisation for what those methods may do.
670 avahi_dbus_chat($1_usertype)
674 policykit_dbus_chat($1_usertype)
678 bluetooth_dbus_chat($1_usertype)
682 consolekit_dbus_chat($1_usertype)
683 consolekit_read_log($1_usertype)
687 devicekit_dbus_chat($1_usertype)
688 devicekit_dbus_chat_power($1_usertype)
689 devicekit_dbus_chat_disk($1_usertype)
693 evolution_dbus_chat($1_usertype)
694 evolution_alarm_dbus_chat($1_usertype)
698 gnome_dbus_chat_gconfdefault($1_usertype)
702 hal_dbus_chat($1_usertype)
706 modemmanager_dbus_chat($1_usertype)
710 networkmanager_dbus_chat($1_usertype)
711 networkmanager_read_lib_files($1_usertype)
715 vpn_dbus_chat($1_usertype)
720 git_session_role($1_r, $1_usertype)
724 inetd_use_fds($1_usertype)
725 inetd_rw_tcp_sockets($1_usertype)
729 inn_read_config($1_usertype)
730 inn_read_news_lib($1_usertype)
731 inn_read_news_spool($1_usertype)
735 locate_read_lib_files($1_usertype)
738 # for running depmod as part of the kernel packaging process
740 modutils_read_module_config($1_usertype)
# mta_manage_queue is create/delete in the MTA queue directory, well
# beyond the "drop a message in the spool" that mta_rw_spool gives.
744 mta_rw_spool($1_usertype)
745 mta_manage_queue($1_usertype)
749 nsplugin_role($1_r, $1_usertype)
753 tunable_policy(`allow_user_mysql_connect',`
754 mysql_stream_connect($1_t)
759 # to allow monitoring of pcmcia status
760 pcmcia_read_pid($1_usertype)
764 pcscd_read_pub_files($1_usertype)
765 pcscd_stream_connect($1_usertype)
769 tunable_policy(`allow_user_postgresql_connect',`
770 postgresql_stream_connect($1_usertype)
771 postgresql_tcp_connect($1_usertype)
776 resmgr_stream_connect($1_usertype)
780 rpc_dontaudit_getattr_exports($1_usertype)
# Full management of the read-write NFS export content type, not just
# the user's own files; DAC is the remaining check.
781 rpc_manage_nfs_rw_content($1_usertype)
785 rpcbind_stream_connect($1_usertype)
789 samba_stream_connect_winbind($1_usertype)
# Transitions into the sandbox and seunshare domains.
793 sandbox_transition($1_usertype, $1_r)
797 seunshare_role_template($1, $1_r, $1_t)
801 slrnpull_search_spool($1_usertype)
806 #######################################
808 ## The template for creating a login user.
812 ## This template creates a user domain, types, and
813 ## rules for the user's tty, pty, home directories,
814 ## tmp, and tmpfs files.
817 ## <param name="userdomain_prefix">
819 ## The prefix of the user domain (e.g., user
820 ## is the prefix for user_t).
824 template(`userdom_login_user_template', `
# A full login user: base template plus home, tmp and tmpfs management
# for role $1_r, password change, and the local rules below.  Both the
# restricted and the admin user templates build on this.
826 class context contains;
829 userdom_base_user_template($1)
831 userdom_manage_home_role($1_r, $1_usertype)
833 userdom_manage_tmp_role($1_r, $1_usertype)
834 userdom_manage_tmpfs_role($1_r, $1_usertype)
# allow_<prefix>_exec_content defaults to TRUE: the user may execute
# anything in its home and tmp (and in NFS/CIFS homes when those
# booleans are also on).  Sites that want user-writable data to be
# non-executable must set this boolean to false per user prefix.  The
# unconfined prefix gets no boolean at all.
836 ifelse(`$1',`unconfined',`',`
837 gen_tunable(allow_$1_exec_content, true)
839 tunable_policy(`allow_$1_exec_content',`
840 userdom_exec_user_tmp_files($1_usertype)
841 userdom_exec_user_home_content_files($1_usertype)
843 tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
844 fs_exec_nfs_files($1_usertype)
847 tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
848 fs_exec_cifs_files($1_usertype)
852 userdom_change_password_template($1)
854 ##############################
856 # User domain Local policy
# Capabilities permitted to the login domain (only effective for a
# process that already holds them under DAC, e.g. uid 0): chown and
# fowner bypass ownership checks on any file the domain can reach,
# setgid switches groups.
859 allow $1_t self:capability { setgid chown fowner };
860 dontaudit $1_t self:capability { sys_nice fsetid };
# Every process permission except context switching (setcurrent/
# setexec), setrlimit (re-enabled by user_setrlimit in the unpriv
# template) and the W^X ones; execmem/execstack come back only under
# the allow_execmem* booleans in the base template, and execheap is not
# re-enabled anywhere in this template chain.
862 allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
863 dontaudit $1_t self:process setrlimit;
864 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
866 allow $1_t self:context contains;
868 kernel_dontaudit_read_system_state($1_usertype)
869 kernel_dontaudit_list_all_proc($1_usertype)
871 dev_read_sysfs($1_usertype)
872 dev_read_urand($1_usertype)
874 domain_use_interactive_fds($1_usertype)
875 # Command completion can fire hundreds of denials
876 domain_dontaudit_exec_all_entry_files($1_usertype)
878 files_dontaudit_list_default($1_usertype)
879 files_dontaudit_read_default_files($1_usertype)
881 files_getattr_lost_found_dirs($1_usertype)
# Filesystem-wide stat/search/quota queries (no content access).
883 fs_get_all_fs_quotas($1_usertype)
884 fs_getattr_all_fs($1_usertype)
885 fs_search_all($1_usertype)
886 fs_list_inotifyfs($1_usertype)
887 fs_rw_anon_inodefs_files($1_usertype)
889 auth_dontaudit_write_login_records($1_t)
892 # Stop warnings about access to /dev/console
893 init_dontaudit_use_fds($1_usertype)
894 init_dontaudit_use_script_fds($1_usertype)
# Execute shared library files directly, in the user's own domain.
896 libs_exec_lib_files($1_usertype)
898 logging_dontaudit_getattr_all_logs($1_usertype)
900 # for running TeX programs
901 miscfiles_read_tetex_data($1_usertype)
902 miscfiles_exec_tetex_data($1_usertype)
904 seutil_read_config($1_usertype)
907 cups_read_config($1_usertype)
908 cups_stream_connect($1_usertype)
909 cups_stream_connect_ptal($1_usertype)
913 kerberos_use($1_usertype)
914 kerberos_connect_524($1_usertype)
918 mta_dontaudit_read_spool_symlinks($1_usertype)
922 quota_dontaudit_getattr_db($1_usertype)
# RPM database and cache: read only; the manage dontaudit quiets rpm's
# write/lock attempts without granting them.
926 rpm_read_db($1_usertype)
927 rpm_dontaudit_manage_db($1_usertype)
928 rpm_read_cache($1_usertype)
# oddjob mkhomedir transition (home creation on first login).
932 oddjob_run_mkhomedir($1_t, $1_r)
936 #######################################
938 ## The template for creating an unprivileged login user.
942 ## This template creates a user domain, types, and
943 ## rules for the user's tty, pty, home directories,
944 ## tmp, and tmpfs files.
947 ## <param name="userdomain_prefix">
949 ## The prefix of the user domain (e.g., user
950 ## is the prefix for user_t).
954 template(`userdom_restricted_user_template',`
# Unprivileged login user: the login template plus the
# unpriv_userdomain attribute (which widens fd sharing, see
# userdom_common_user_template) and interactive fd use.
956 attribute unpriv_userdomain;
959 userdom_login_user_template($1)
961 typeattribute $1_t unpriv_userdomain;
962 domain_interactive_fd($1_t)
964 allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
# Audit netlink socket creation is silenced, not granted.
965 dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
967 ##############################
# loadkeys with a transition, so keymap changes run in loadkeys_t.
973 loadkeys_run($1_t,$1_r)
977 #######################################
979 ## The template for creating an unprivileged xwindows login user.
983 ## The template for creating an unprivileged xwindows login user.
986 ## This template creates a user domain, types, and
987 ## rules for the user's tty, pty, home directories,
988 ## tmp, and tmpfs files.
991 ## <param name="userdomain_prefix">
993 ## The prefix of the user domain (e.g., user
994 ## is the prefix for user_t).
998 template(`userdom_restricted_xwindows_user_template',`
# A restricted (non-admin) user with a graphical session: adds media
# and wireless devices, removable media (under a boolean), dbus,
# policykit, pulseaudio and window-manager roles on top of
# userdom_restricted_user_template.
1000 userdom_restricted_user_template($1)
1002 ##############################
1007 auth_role($1_r, $1_t)
1008 auth_search_pam_console_data($1_usertype)
1010 dev_read_sound($1_usertype)
1011 dev_write_sound($1_usertype)
1012 # gnome keyring wants to read this.
1013 dev_dontaudit_read_rand($1_usertype)
1014 # temporarily allow since openoffice requires this
# The allow below makes the dontaudit above dead (an allow always
# wins); drop the dontaudit once this allow is considered permanent.
1015 dev_read_rand($1_usertype)
# Raw video (camera) and wireless device nodes for every restricted X
# user.
1017 dev_read_video_dev($1_usertype)
1018 dev_write_video_dev($1_usertype)
1019 dev_rw_wireless($1_usertype)
# user_rw_noexattrfile: besides FAT / no-xattr filesystem content this
# also grants *raw* read and write of removable block devices (whole-
# device access that bypasses the filesystem layer) and generic USB
# device nodes.
1021 tunable_policy(`user_rw_noexattrfile',`
1023 dev_rw_generic_usb_dev($1_usertype)
1025 fs_manage_noxattr_fs_files($1_usertype)
1026 fs_manage_noxattr_fs_dirs($1_usertype)
1027 fs_manage_dos_dirs($1_usertype)
1028 fs_manage_dos_files($1_usertype)
1029 storage_raw_read_removable_device($1_usertype)
1030 storage_raw_write_removable_device($1_usertype)
1033 logging_send_syslog_msg($1_usertype)
# Same dontaudit-then-allow pattern as dev_read_rand: the allow that
# follows supersedes this dontaudit for $1_t.
1034 logging_dontaudit_send_audit_msgs($1_t)
1036 # Need to do this just so screensaver will work. Should be moved to screensaver domain
1037 logging_send_audit_msgs($1_t)
1038 selinux_get_enforce_mode($1_t)
# restorecond runs in $1_t's own domain (exec, no transition); relabels
# stay bounded by $1_t's own relabel rights.
1039 seutil_exec_restorecond($1_t)
1040 seutil_read_file_contexts($1_t)
1041 seutil_read_default_contexts($1_t)
1043 xserver_restricted_role($1_r, $1_t)
1046 alsa_read_rw_config($1_usertype)
1050 dbus_role_template($1, $1_r, $1_usertype)
1051 dbus_system_bus_client($1_usertype)
1052 allow $1_usertype $1_usertype:dbus send_msg;
# abrt: dbus chat plus running the abrt helper with a transition.
1055 abrt_dbus_chat($1_usertype)
1056 abrt_run_helper($1_usertype, $1_r)
1060 consolekit_dbus_chat($1_usertype)
# D-Bus access to cupsd and to the cups config daemon.
1064 cups_dbus_chat($1_usertype)
1065 cups_dbus_chat_config($1_usertype)
1069 devicekit_dbus_chat($1_usertype)
1070 devicekit_dbus_chat_disk($1_usertype)
1071 devicekit_dbus_chat_power($1_usertype)
1075 fprintd_dbus_chat($1_t)
1080 openoffice_role_template($1, $1_r, $1_usertype)
1084 policykit_role($1_r, $1_usertype)
1088 pulseaudio_role($1_r, $1_usertype)
1092 rtkit_scheduled($1_usertype)
1096 setroubleshoot_dontaudit_stream_connect($1_t)
1100 udev_read_db($1_usertype)
1104 wm_role_template($1, $1_r, $1_t)
1108 #######################################
1110 ## The template for creating an unprivileged user roughly
1111 ## equivalent to a regular linux user.
1115 ## The template for creating an unprivileged user roughly
1116 ## equivalent to a regular linux user.
1119 ## This template creates a user domain, types, and
1120 ## rules for the user's tty, pty, home directories,
1121 ## tmp, and tmpfs files.
1124 ## <param name="userdomain_prefix">
1126 ## The prefix of the user domain (e.g., user
1127 ## is the prefix for user_t).
1131 template(`userdom_unpriv_user_template', `
# The "ordinary Linux user" domain: restricted X user + common user
# rules, plus listening sockets and a set of application roles (cron,
# gpg, java, mono, wine, ppp, ...).
1133 ##############################
1138 # Inherit rules for ordinary users.
1139 userdom_restricted_xwindows_user_template($1)
1140 userdom_common_user_template($1)
1142 ##############################
1147 # port access is audited even if dac would not have allowed it, so dontaudit it here
1148 # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
1149 # Need the following rule to allow users to run vpnc
# Unconditional bind to the X server port type (xserver_port_t): $1_t
# may listen where an X display would.  Not gated by user_tcp_server.
1150 corenet_tcp_bind_xserver_port($1_t)
1151 corenet_tcp_bind_all_nodes($1_usertype)
1153 storage_rw_fuse($1_t)
1155 miscfiles_read_hwdata($1_usertype)
1157 # Allow users to run TCP servers (bind to ports and accept connection from
1158 # the same domain and outside users) disabling this forces FTP passive mode
1159 # and may change other protocols
# Unreserved ports only; reserved ports stay off even with the boolean on.
1160 tunable_policy(`user_tcp_server',`
1161 corenet_tcp_bind_all_unreserved_ports($1_usertype)
# Re-enables the setrlimit excluded by the login template's process rule.
1164 tunable_policy(`user_setrlimit',`
1165 allow $1_usertype self:process setrlimit;
1169 cdrecord_role($1_r, $1_t)
1173 cron_role($1_r, $1_t)
1177 games_rw_data($1_usertype)
1181 gpg_role($1_r, $1_usertype)
1185 gnomeclock_dbus_chat($1_t)
1189 gpm_stream_connect($1_usertype)
# NOTE(review): the execmem/java/mono/wine role templates presumably
# give those runtimes their own domains instead of granting execmem to
# $1_t directly (cf. the allow_execmem booleans in the base template);
# confirm against the respective modules.
1193 execmem_role_template($1, $1_r, $1_t)
1197 java_role_template($1, $1_r, $1_t)
1201 mono_role_template($1, $1_r, $1_t)
1205 mount_run_fusermount($1_t, $1_r)
1209 wine_role_template($1, $1_r, $1_t)
1213 postfix_run_postdrop($1_t, $1_r)
1216 # Run pppd in pppd_t by default for user
1218 ppp_run_cond($1_t, $1_r)
1222 #######################################
1224 ## The template for creating an administrative user.
1228 ## This template creates a user domain, types, and
1229 ## rules for the user's tty, pty, home directories,
1230 ## tmp, and tmpfs files.
1233 ## The privileges given to administrative users are:
1235 ## <li>Raw disk access</li>
1236 ## <li>Set all sysctls</li>
1237 ## <li>All kernel ring buffer controls</li>
1238 ## <li>Create, read, write, and delete all files but shadow</li>
1239 ## <li>Manage source and binary format SELinux policy</li>
1240 ## <li>Run insmod</li>
1244 ## <param name="userdomain_prefix">
1246 ## The prefix of the user domain (e.g., sysadm
1247 ## is the prefix for sysadm_t).
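1251 template(`userdom_admin_user_template',`
# Administrative user (e.g. sysadm_t): login + common user rules, then
# nearly every Linux capability, management of all files except shadow,
# raw device access, SELinux policy source/binary management and
# insmod/depmod transitions.  A domain built from this is effectively
# trusted with the whole system; keep role assignment tight.
1253 attribute admindomain;
1254 class passwd { passwd chfn chsh rootok crontab };
1257 ##############################
1262 # Inherit rules for ordinary users.
1263 userdom_login_user_template($1)
1264 userdom_common_user_template($1)
# Object-ID change exemption: $1_t may create objects whose SELinux
# user/role differ from its own.
1266 domain_obj_id_change_exemption($1_t)
# $1_t is also valid in system_r, so it can run system-role programs
# directly.
1267 role system_r types $1_t;
1269 typeattribute $1_t admindomain;
1271 ifdef(`direct_sysadm_daemon',`
1272 domain_system_change_exemption($1_t)
1275 ##############################
# All capabilities except module loading (done through the insmod_t
# transition below) and audit control/write.  That still includes
# dac_override, sys_admin, sys_ptrace, setuid and the rest.
1280 allow $1_t self:capability ~{ sys_module audit_control audit_write };
1281 allow $1_t self:process { setexec setfscreate };
1282 allow $1_t self:netlink_audit_socket nlmsg_readpriv;
1283 allow $1_t self:tun_socket create;
1284 # Set password information for other users.
1285 allow $1_t self:passwd { passwd chfn chsh };
1286 # Skip authentication when pam_rootok is specified.
# rootok: PAM stacks that include pam_rootok.so skip the password
# check for this domain -- equivalent to root for those services.
1287 allow $1_t self:passwd rootok;
1289 # Manipulate other users crontab.
1290 allow $1_t self:passwd crontab;
1292 kernel_read_software_raid_state($1_t)
1293 kernel_getattr_core_if($1_t)
1294 kernel_getattr_message_if($1_t)
1295 kernel_change_ring_buffer_level($1_t)
1296 kernel_clear_ring_buffer($1_t)
1297 kernel_read_ring_buffer($1_t)
1298 kernel_get_sysvipc_info($1_t)
# Read and write every sysctl.
1299 kernel_rw_all_sysctls($1_t)
1300 # signal unlabeled processes:
1301 kernel_kill_unlabeled($1_t)
1302 kernel_signal_unlabeled($1_t)
1303 kernel_sigstop_unlabeled($1_t)
1304 kernel_signull_unlabeled($1_t)
1305 kernel_sigchld_unlabeled($1_t)
1308 corenet_tcp_bind_generic_port($1_t)
1309 # allow setting up tunnels
1310 corenet_rw_tun_tap_dev($1_t)
1312 dev_getattr_generic_blk_files($1_t)
1313 dev_getattr_generic_chr_files($1_t)
1315 dev_getattr_mtrr_dev($1_t)
1316 # Allow MAKEDEV to work
1317 dev_create_all_blk_files($1_t)
1318 dev_create_all_chr_files($1_t)
1319 dev_delete_all_blk_files($1_t)
1320 dev_delete_all_chr_files($1_t)
1321 dev_rename_all_blk_files($1_t)
1322 dev_rename_all_chr_files($1_t)
1323 dev_create_generic_symlinks($1_t)
1325 domain_setpriority_all_domains($1_t)
1326 domain_read_all_domains_state($1_t)
1327 domain_getattr_all_domains($1_t)
# ptrace of arbitrary domains is only dontaudited, not allowed.
1328 domain_dontaudit_ptrace_all_domains($1_t)
1329 # signal all domains:
1330 domain_kill_all_domains($1_t)
1331 domain_signal_all_domains($1_t)
1332 domain_signull_all_domains($1_t)
# (a duplicate domain_sigstop_all_domains call was removed here)
1333 domain_sigstop_all_domains($1_t)
1335 domain_sigchld_all_domains($1_t)
1337 domain_getattr_all_sockets($1_t)
1338 domain_dontaudit_getattr_all_sockets($1_t)
1340 files_exec_usr_src_files($1_t)
1342 fs_getattr_all_fs($1_t)
1343 fs_getattr_all_files($1_t)
1345 fs_set_all_quotas($1_t)
1346 fs_exec_noxattr($1_t)
# Whole-device read/write of removable media.
1348 storage_raw_read_removable_device($1_t)
1349 storage_raw_write_removable_device($1_t)
1351 term_use_all_terms($1_t)
# shadow: stat only.  Password changes still go through the passwd
# transition from userdom_change_password_template.
1353 auth_getattr_shadow($1_t)
1354 # Manage almost all files
1355 auth_manage_all_files_except_shadow($1_t)
1356 # Relabel almost all files
1357 auth_relabel_all_files_except_shadow($1_t)
1361 logging_send_syslog_msg($1_t)
# Module loading only via the insmod/depmod transitions (sys_module is
# excluded from the capability rule above).
1363 modutils_domtrans_insmod($1_t)
1364 modutils_domtrans_depmod($1_t)
1366 # The following rule is temporary until such time that a complete
1367 # policy management infrastructure is in place so that an administrator
1368 # cannot directly manipulate policy files with arbitrary programs.
1369 seutil_manage_src_policy($1_t)
1370 # Violates the goal of limiting write access to checkpolicy.
1371 # But presently necessary for installing the file_contexts file.
1372 seutil_manage_bin_policy($1_t)
1374 userdom_manage_user_home_content_dirs($1_t)
1375 userdom_manage_user_home_content_files($1_t)
1376 userdom_manage_user_home_content_symlinks($1_t)
1377 userdom_manage_user_home_content_pipes($1_t)
1378 userdom_manage_user_home_content_sockets($1_t)
1379 userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
1381 tunable_policy(`user_rw_noexattrfile',`
1382 fs_manage_noxattr_fs_files($1_t)
1383 fs_manage_noxattr_fs_dirs($1_t)
1385 fs_read_noxattr_fs_files($1_t)
# Unconstrained by the SE-PostgreSQL policy.
1389 postgresql_unconfined($1_t)
1393 userhelper_exec($1_t)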
1397 ########################################
1399 ## Allow user to run as a secadm
1403 ## Grant security-administrator privileges to an existing domain:
1404 ## policy management via the seutil tool domains, MLS read-up and
1405 ## re-levelling, enforcing-mode/boolean changes, and shadow relabel.
1408 ## This is a templated interface, and should only
1409 ## be called from a per-userdomain template.
1412 ## <param name="domain">
1414 ## Domain allowed access.
1417 ## <param name="role">
1419 ## The role of the object to create.
1423 template(`userdom_security_admin_template',`
1424 allow $1 self:capability { dac_read_search dac_override };
1426 corecmd_exec_shell($1)
1428 domain_obj_id_change_exemption($1)
1430 dev_relabel_all_dev_nodes($1)
1432 files_create_boot_flag($1)
1433 files_create_default_dir($1)
1434 files_root_filetrans_default($1, dir)
1436 # Necessary for managing /boot/efi
1437 fs_manage_dos_files($1)
1439 mls_process_read_up($1)
1440 mls_file_read_all_levels($1)
1441 mls_file_upgrade($1)
1442 mls_file_downgrade($1)
1444 selinux_set_enforce_mode($1)
1445 selinux_set_all_booleans($1)
1446 selinux_set_parameters($1)
1448 auth_relabel_all_files_except_shadow($1)
1449 auth_relabel_shadow($1)
1453 logging_send_syslog_msg($1)
1454 logging_read_audit_log($1)
1455 logging_read_generic_logs($1)
1456 logging_read_audit_config($1)
1458 seutil_manage_bin_policy($1)
1459 seutil_run_checkpolicy($1,$2)
1460 seutil_run_loadpolicy($1,$2)
1461 seutil_run_semanage($1,$2)
1462 seutil_run_setsebool($1,$2)
1463 seutil_run_setfiles($1, $2)
1470 consoletype_exec($1)
1478 ipsec_run_setkey($1,$2)
1482 netlabel_run_mgmt($1,$2)
1486 ########################################
1488 ## Make the specified type usable in a
1489 ## user home directory.
1491 ## <param name="type">
1493 ## Type to be used as a file in the
1494 ## user home directory.
1498 interface(`userdom_user_home_content',`
1501 attribute user_home_type;
# filesystem associate plus files_poly_member: presumably so the type can
# live in polyinstantiated (per-session) home directories -- confirm.
1504 allow $1 user_home_t:filesystem associate;
1506 ubac_constrained($1)
1508 files_poly_member($1)
# Adding the type to user_home_type means every interface in this file that
# is written against the attribute (list, read, exec, dontaudit, ...) now
# covers it as well; callers inherit that scope, including execution via
# userdom_exec_user_home_content_files.
1509 typeattribute $1 user_home_type;
1512 ########################################
1514 ## Allow domain to attach to TUN devices created by administrative users.
1516 ## <param name="domain">
1518 ## Domain allowed access.
1522 interface(`userdom_attach_admin_tun_iface',`
1524 attribute admindomain;
# relabelfrom the admin domain's tun_socket plus relabelto self: the socket
# label moves from the creating admin domain to $1, after which the
# interface is effectively $1's. Only relabeling is granted here; using the
# resulting socket is covered by $1's own self rules.
1527 allow $1 admindomain:tun_socket relabelfrom;
1528 allow $1 self:tun_socket relabelto;
1531 ########################################
1533 ## Set the attributes of a user pty.
1535 ## <param name="domain">
1537 ## Domain allowed access.
1541 interface(`userdom_setattr_user_ptys',`
# setattr on the pty device node (chmod/chown-style changes) only; no read
# or write of the terminal. The gen_require for user_devpts_t is not
# reproduced in this listing.
1546 allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
1549 ########################################
1551 ## Create a user pty.
1553 ## <param name="domain">
1555 ## Domain allowed access.
1559 interface(`userdom_create_user_pty',`
# The new pty is labeled user_devpts_t, the same type the
# userdom_*_user_ptys interfaces below operate on.
1564 term_create_pty($1, user_devpts_t)
1567 ########################################
1569 ## Get the attributes of user home directories.
1571 ## <param name="domain">
1573 ## Domain allowed access.
1577 interface(`userdom_getattr_user_home_dirs',`
1579 type user_home_dir_t;
# stat() of the home directory root only; no search or listing of entries.
1582 allow $1 user_home_dir_t:dir getattr_dir_perms;
# Needed to reach the home root through its parent directory.
1583 files_search_home($1)
1586 ########################################
1588 ## Do not audit attempts to get the attributes of user home directories.
1590 ## <param name="domain">
1592 ## Domain to not audit.
1596 interface(`userdom_dontaudit_getattr_user_home_dirs',`
1598 type user_home_dir_t;
# Suppresses the AVC record only; the getattr is still denied.
1601 dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
1604 ########################################
1606 ## Search user home directories.
1608 ## <param name="domain">
1610 ## Domain allowed access.
1614 interface(`userdom_search_user_home_dirs',`
1616 type user_home_dir_t;
# search only: traverse into the home root, not enumerate it.
1619 allow $1 user_home_dir_t:dir search_dir_perms;
# Lets $1 follow a home directory that is itself a symlink.
1620 allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
1621 files_search_home($1)
1624 ########################################
1626 ## Do not audit attempts to search user home directories.
1630 ## Do not audit attempts to search user home directories.
1631 ## This will suppress SELinux denial messages when the specified
1632 ## domain is denied the permission to search these directories.
1635 ## <param name="domain">
1637 ## Domain to not audit.
1640 ## <infoflow type="none"/>
1642 interface(`userdom_dontaudit_search_user_home_dirs',`
1644 type user_home_dir_t;
# No access granted; only the denial message is silenced.
1647 dontaudit $1 user_home_dir_t:dir search_dir_perms;
1650 ########################################
1652 ## List user home directories.
1654 ## <param name="domain">
1656 ## Domain allowed access.
1660 interface(`userdom_list_user_home_dirs',`
1662 type user_home_dir_t;
# Enumerate the home root (directory names only); file content is not covered.
1665 allow $1 user_home_dir_t:dir list_dir_perms;
1666 files_search_home($1)
# NOTE(review): the bodies of the two tunable_policy blocks below (NFS and
# Samba home directories) are not reproduced in this listing; presumably they
# grant the equivalent listing on those filesystems -- confirm in the full file.
1668 tunable_policy(`use_nfs_home_dirs',`
1672 tunable_policy(`use_samba_home_dirs',`
1677 ########################################
1679 ## Do not audit attempts to list user home subdirectories.
1681 ## <param name="domain">
1683 ## Domain to not audit.
1687 interface(`userdom_dontaudit_list_user_home_dirs',`
1689 type user_home_dir_t;
# Covers both the home root and user_home_t content directories; the
# listing is still denied.
1693 dontaudit $1 user_home_dir_t:dir list_dir_perms;
1694 dontaudit $1 user_home_t:dir list_dir_perms;
1697 ########################################
1699 ## Create user home directories.
1701 ## <param name="domain">
1703 ## Domain allowed access.
1707 interface(`userdom_create_user_home_dirs',`
1709 type user_home_dir_t;
# Creation only; full management is userdom_manage_user_home_dirs.
1712 allow $1 user_home_dir_t:dir create_dir_perms;
1715 ########################################
1717 ## Create, read, write, and delete user home directories.
1719 ## <param name="domain">
1721 ## Domain allowed access.
1725 interface(`userdom_manage_user_home_dirs',`
1727 type user_home_dir_t;
# manage_dir_perms on the home root: create, rename, delete and rewrite
# its entries. Typically only account-management domains need this.
1730 allow $1 user_home_dir_t:dir manage_dir_perms;
1733 ########################################
1735 ## Relabel to user home directories.
1737 ## <param name="domain">
1739 ## Domain allowed access.
1743 interface(`userdom_relabelto_user_home_dirs',`
1745 type user_home_dir_t;
# relabelto only: the relabelfrom on the source type must come from elsewhere.
1748 allow $1 user_home_dir_t:dir relabelto;
1752 ########################################
1754 ## Relabel to user home files.
1756 ## <param name="domain">
1758 ## Domain allowed access.
1762 interface(`userdom_relabelto_user_home_files',`
# relabelto only, file class only; the gen_require for user_home_t is not
# reproduced in this listing.
1767 allow $1 user_home_t:file relabelto;
1769 ########################################
1771 ## Relabel user home files.
1773 ## <param name="domain">
1775 ## Domain allowed access.
1779 interface(`userdom_relabel_user_home_files',`
# relabel_file_perms covers both directions (relabelfrom and relabelto), so
# $1 can move files out of and into the user home type.
1784 allow $1 user_home_t:file relabel_file_perms;
1787 ########################################
1789 ## Create directories in the home dir root with
1790 ## the user home directory type.
1792 ## <param name="domain">
1794 ## Domain allowed access.
1798 interface(`userdom_home_filetrans_user_home_dir',`
1800 type user_home_dir_t;
# Type transition: directories $1 creates in the home root are labeled
# user_home_dir_t automatically (dir class only).
1803 files_home_filetrans($1, user_home_dir_t, dir)
1806 ########################################
1808 ## Do a domain transition to the specified
1809 ## domain when executing a program in the
1810 ## user home directory.
1814 ## Do a domain transition to the specified
1815 ## domain when executing a program in the
1816 ## user home directory.
1819 ## No interprocess communication (signals, pipes,
1820 ## etc.) is provided by this interface since
1821 ## the domains are not owned by this module.
1824 ## <param name="source_domain">
1826 ## Domain allowed to transition.
1829 ## <param name="target_domain">
1831 ## Domain to transition to.
1835 interface(`userdom_user_home_domtrans',`
1837 type user_home_dir_t, user_home_t;
# Automatic transition: executing any user_home_t file moves $1 into $2.
# The file's type, not its path, drives the transition, so every
# user_home_t file is an entrypoint for $2.
1840 domain_auto_trans($1, user_home_t, $2)
1841 allow $1 user_home_dir_t:dir search_dir_perms;
1842 files_search_home($1)
1845 ########################################
1847 ## Do not audit attempts to search user home content directories.
1849 ## <param name="domain">
1851 ## Domain to not audit.
1855 interface(`userdom_dontaudit_search_user_home_content',`
# Silences the denial for local content dirs and for NFS/CIFS-backed homes;
# no access is granted.
1860 dontaudit $1 user_home_t:dir search_dir_perms;
1861 fs_dontaudit_list_nfs($1)
1862 fs_dontaudit_list_cifs($1)
1865 ########################################
1867 ## List the contents of user home directories.
1869 ## <param name="domain">
1871 ## Domain allowed access.
1875 interface(`userdom_list_user_home_content',`
1877 type user_home_dir_t;
1878 attribute user_home_type;
# Covers the home root plus every type carrying user_home_type (see
# userdom_user_home_content), not just user_home_t.
1882 allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
1885 ########################################
1887 ## Create, read, write, and delete directories
1888 ## in a user home subdirectory.
1890 ## <param name="domain">
1892 ## Domain allowed access.
1896 interface(`userdom_manage_user_home_content_dirs',`
1898 type user_home_dir_t, user_home_t;
# manage_dirs_pattern grants rw_dir_perms on its second argument and
# manage_dir_perms on its third, so $1 can add and remove entries directly
# in the home root as well as fully manage user_home_t directories.
1901 manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1902 files_search_home($1)
1905 ########################################
1907 ## Delete directories in a user home subdirectory.
1909 ## <param name="domain">
1911 ## Domain allowed access.
1915 interface(`userdom_delete_user_home_content_dirs',`
# delete_dir_perms only; no read or write of the directories' content.
1920 allow $1 user_home_t:dir delete_dir_perms;
1923 ########################################
1925 ## Set the attributes of user home files.
1927 ## <param name="domain">
1929 ## Domain allowed access.
1934 interface(`userdom_setattr_user_home_content_files',`
# NOTE(review): bare `setattr` here, while the dontaudit counterpart below
# uses setattr_file_perms; consider aligning the two.
1939 allow $1 user_home_t:file setattr;
1942 ########################################
1944 ## Do not audit attempts to set the
1945 ## attributes of user home files.
1947 ## <param name="domain">
1949 ## Domain to not audit.
1953 interface(`userdom_dontaudit_setattr_user_home_content_files',`
# Suppresses the audit record only; the setattr is still denied.
1958 dontaudit $1 user_home_t:file setattr_file_perms;
1961 ########################################
1963 ## Mmap user home files.
1965 ## <param name="domain">
1967 ## Domain allowed access.
1971 interface(`userdom_mmap_user_home_content_files',`
1973 type user_home_dir_t, user_home_t;
# NOTE(review): mmap_file_perms in refpolicy includes execute, so this is
# broader than userdom_read_user_home_content_files (code can be mapped in
# from home files) -- confirm the perm set in use before granting widely.
1976 mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1977 files_search_home($1)
1980 ########################################
1982 ## Read user home files.
1984 ## <param name="domain">
1986 ## Domain allowed access.
1990 interface(`userdom_read_user_home_content_files',`
1992 type user_home_dir_t, user_home_t;
# Lists both the home root and content dirs, but reads only user_home_t
# files -- other user_home_type types are not covered.
1995 list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
1996 read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1997 files_search_home($1)
2000 ########################################
2002 ## Do not audit attempts to getattr user home files.
2004 ## <param name="domain">
2006 ## Domain to not audit.
2010 interface(`userdom_dontaudit_getattr_user_home_content',`
2012 attribute user_home_type;
# Attribute-wide (every user_home_type), dirs and files; no access granted.
2015 dontaudit $1 user_home_type:dir getattr;
2016 dontaudit $1 user_home_type:file getattr;
2019 ########################################
2021 ## Do not audit attempts to read user home files.
2023 ## <param name="domain">
2025 ## Domain to not audit.
2029 interface(`userdom_dontaudit_read_user_home_content_files',`
2031 attribute user_home_type;
2032 type user_home_dir_t;
# Silences listing of the home root and of every user_home_type dir, plus
# file and symlink reads on the attribute; nothing is allowed.
2035 dontaudit $1 user_home_dir_t:dir list_dir_perms;
2036 dontaudit $1 user_home_type:dir list_dir_perms;
2037 dontaudit $1 user_home_type:file read_file_perms;
2038 dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
2041 ########################################
2043 ## Do not audit attempts to append user home files.
2045 ## <param name="domain">
2047 ## Domain to not audit.
2051 interface(`userdom_dontaudit_append_user_home_content_files',`
# Suppresses the audit record only; the append is still denied.
2056 dontaudit $1 user_home_t:file append_file_perms;
2059 ########################################
2061 ## Do not audit attempts to write user home files.
2063 ## <param name="domain">
2065 ## Domain to not audit.
2069 interface(`userdom_dontaudit_write_user_home_content_files',`
# Suppresses the audit record only; the write is still denied.
2074 dontaudit $1 user_home_t:file write_file_perms;
2077 ########################################
2079 ## Delete files in a user home subdirectory.
2081 ## <param name="domain">
2083 ## Domain allowed access.
2087 interface(`userdom_delete_user_home_content_files',`
# delete_file_perms only (unlink); no read or write of file content.
2092 allow $1 user_home_t:file delete_file_perms;
2095 ########################################
2097 ## Do not audit attempts to relabel user home files.
2099 ## <param name="domain">
2101 ## Domain to not audit.
2105 interface(`userdom_dontaudit_relabel_user_home_content_files',`
# Both relabel directions are silenced; the relabel is still denied.
2110 dontaudit $1 user_home_t:file relabel_file_perms;
2113 ########################################
2115 ## Read user home subdirectory symbolic links.
2117 ## <param name="domain">
2119 ## Domain allowed access.
2123 interface(`userdom_read_user_home_content_symlinks',`
2125 type user_home_dir_t, user_home_t;
# Following user-placed symlinks lets them redirect $1 to other paths; the
# target's own type still governs whether the access succeeds.
2128 allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
2131 ########################################
2133 ## Execute user home files.
2135 ## <param name="domain">
2137 ## Domain allowed access.
2142 interface(`userdom_exec_user_home_content_files',`
2144 type user_home_dir_t;
2145 attribute user_home_type;
2148 files_search_home($1)
# exec_files_pattern against the user_home_type attribute: any file whose
# type carries the attribute (not just user_home_t) becomes executable by $1
# in $1's own domain, with no transition. This is the broadest user-home
# grant in this file; prefer userdom_user_home_domtrans where a confined
# target domain exists.
2149 exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
# Presumably silences attempts to execute socket files; they stay denied.
2150 dontaudit $1 user_home_type:sock_file execute;
2153 ########################################
2155 ## Do not audit attempts to execute user home files.
2157 ## <param name="domain">
2159 ## Domain to not audit.
2163 interface(`userdom_dontaudit_exec_user_home_content_files',`
# user_home_t only (the allow counterpart uses the whole attribute);
# execution is still denied.
2168 dontaudit $1 user_home_t:file exec_file_perms;
2171 ########################################
2173 ## Create, read, write, and delete files
2174 ## in a user home subdirectory.
2176 ## <param name="domain">
2178 ## Domain allowed access.
2182 interface(`userdom_manage_user_home_content_files',`
2184 type user_home_dir_t, user_home_t;
# Full file management is limited to user_home_t content; the home root
# itself is only searched, not written.
2187 manage_files_pattern($1, user_home_t, user_home_t)
2188 allow $1 user_home_dir_t:dir search_dir_perms;
2189 files_search_home($1)
2192 ########################################
2194 ## Do not audit attempts to create, read, write, and delete directories
2195 ## in a user home subdirectory.
2197 ## <param name="domain">
2199 ## Domain to not audit.
2203 interface(`userdom_dontaudit_manage_user_home_content_dirs',`
# NOTE(review): user_home_dir_t is required but not used in this interface.
2205 type user_home_dir_t, user_home_t;
2208 dontaudit $1 user_home_t:dir manage_dir_perms;
2211 ########################################
2213 ## Create, read, write, and delete symbolic links
2214 ## in a user home subdirectory.
2216 ## <param name="domain">
2218 ## Domain allowed access.
2222 interface(`userdom_manage_user_home_content_symlinks',`
2224 type user_home_dir_t, user_home_t;
# Symlink management in user_home_t dirs; the home root is only searched.
2227 manage_lnk_files_pattern($1, user_home_t, user_home_t)
2228 allow $1 user_home_dir_t:dir search_dir_perms;
2229 files_search_home($1)
2232 ########################################
2234 ## Delete symbolic links in a user home directory.
2236 ## <param name="domain">
2238 ## Domain allowed access.
2242 interface(`userdom_delete_user_home_content_symlinks',`
# Unlink only; reading the link target is userdom_read_user_home_content_symlinks.
2247 allow $1 user_home_t:lnk_file delete_lnk_file_perms;
2250 ########################################
2252 ## Create, read, write, and delete named pipes
2253 ## in a user home subdirectory.
2255 ## <param name="domain">
2257 ## Domain allowed access.
2261 interface(`userdom_manage_user_home_content_pipes',`
2263 type user_home_dir_t, user_home_t;
# FIFO management in user_home_t dirs; the home root is only searched.
2266 manage_fifo_files_pattern($1, user_home_t, user_home_t)
2267 allow $1 user_home_dir_t:dir search_dir_perms;
2268 files_search_home($1)
2271 ########################################
2273 ## Create, read, write, and delete named sockets
2274 ## in a user home subdirectory.
2276 ## <param name="domain">
2278 ## Domain allowed access.
2282 interface(`userdom_manage_user_home_content_sockets',`
2284 type user_home_dir_t, user_home_t;
# Socket-file management in user_home_t dirs; the home root is only searched.
2287 allow $1 user_home_dir_t:dir search_dir_perms;
2288 manage_sock_files_pattern($1, user_home_t, user_home_t)
2289 files_search_home($1)
2292 ########################################
2294 ## Create objects in a user home directory
2295 ## with an automatic type transition to
2296 ## a specified private type.
2298 ## <param name="domain">
2300 ## Domain allowed access.
2303 ## <param name="private_type">
2305 ## The type of the object to create.
2308 ## <param name="object_class">
2310 ## The class of the object to be created.
2314 interface(`userdom_user_home_dir_filetrans',`
2316 type user_home_dir_t;
# Objects of class $3 that $1 creates directly in the home root get type $2
# instead of inheriting the directory's type; filetrans_pattern also carries
# the create permissions this needs.
2319 filetrans_pattern($1, user_home_dir_t, $2, $3)
2320 files_search_home($1)
2323 ########################################
2325 ## Create objects in a user home directory
2326 ## with an automatic type transition to
2327 ## a specified private type.
2329 ## <param name="domain">
2331 ## Domain allowed access.
2334 ## <param name="private_type">
2336 ## The type of the object to create.
2339 ## <param name="object_class">
2341 ## The class of the object to be created.
2345 interface(`userdom_user_home_content_filetrans',`
2347 type user_home_dir_t, user_home_t;
# Same as userdom_user_home_dir_filetrans but for objects created inside
# user_home_t content directories; the home root is only searched.
2350 filetrans_pattern($1, user_home_t, $2, $3)
2351 allow $1 user_home_dir_t:dir search_dir_perms;
2352 files_search_home($1)
2355 ########################################
2357 ## Create objects in a user home directory
2358 ## with an automatic type transition to
2359 ## the user home file type.
2361 ## <param name="domain">
2363 ## Domain allowed access.
2366 ## <param name="object_class">
2368 ## The class of the object to be created.
2372 interface(`userdom_user_home_dir_filetrans_user_home_content',`
2374 type user_home_dir_t, user_home_t;
# Objects of class $2 created by $1 in the home root are labeled
# user_home_t rather than user_home_dir_t.
2377 filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
2378 files_search_home($1)
2381 ########################################
2383 ## Write to user temporary named sockets.
2385 ## <param name="domain">
2387 ## Domain allowed access.
2391 interface(`userdom_write_user_tmp_sockets',`
# write_sock_file_perms only: enough to connect to a listening socket file,
# not to create or remove one. The gen_require for user_tmp_t is not
# reproduced in this listing.
2396 allow $1 user_tmp_t:sock_file write_sock_file_perms;
2397 files_search_tmp($1)
2400 ########################################
2402 ## List user temporary directories.
2404 ## <param name="domain">
2406 ## Domain allowed access.
2410 interface(`userdom_list_user_tmp',`
# Directory names only; file content is not covered.
2415 allow $1 user_tmp_t:dir list_dir_perms;
2416 files_search_tmp($1)
2419 ########################################
2421 ## Do not audit attempts to list user
2422 ## temporary directories.
2424 ## <param name="domain">
2426 ## Domain to not audit.
2430 interface(`userdom_dontaudit_list_user_tmp',`
# Suppresses the audit record only; the listing is still denied.
2435 dontaudit $1 user_tmp_t:dir list_dir_perms;
2438 ########################################
2440 ## Do not audit attempts to manage users
2441 ## temporary directories.
2443 ## <param name="domain">
2445 ## Domain to not audit.
2449 interface(`userdom_dontaudit_manage_user_tmp_dirs',`
# Suppresses the audit record only; no directory access is granted.
2454 dontaudit $1 user_tmp_t:dir manage_dir_perms;
2457 ########################################
2459 ## Read user temporary files.
2461 ## <param name="domain">
2463 ## Domain allowed access.
2467 interface(`userdom_read_user_tmp_files',`
# Read-only: user_tmp_t files plus listing of user_tmp_t directories.
2472 read_files_pattern($1, user_tmp_t, user_tmp_t)
2473 allow $1 user_tmp_t:dir list_dir_perms;
2474 files_search_tmp($1)
2477 ########################################
2479 ## Do not audit attempts to read users
## temporary files.
2482 ## <param name="domain">
2484 ## Domain to not audit.
2488 interface(`userdom_dontaudit_read_user_tmp_files',`
# Inherited-descriptor perms only (no open): silences reads on already-open
# user_tmp_t files handed down across exec; nothing is allowed.
2493 dontaudit $1 user_tmp_t:file read_inherited_file_perms;
2496 ########################################
2498 ## Do not audit attempts to append users
## temporary files.
2501 ## <param name="domain">
2503 ## Domain to not audit.
2507 interface(`userdom_dontaudit_append_user_tmp_files',`
# Suppresses the audit record only; the append is still denied.
2512 dontaudit $1 user_tmp_t:file append_file_perms;
2515 ########################################
2517 ## Read and write user temporary files.
2519 ## <param name="domain">
2521 ## Domain allowed access.
2525 interface(`userdom_rw_user_tmp_files',`
# Read/write of existing user_tmp_t files; no create or unlink (that is
# userdom_manage_user_tmp_files).
2530 allow $1 user_tmp_t:dir list_dir_perms;
2531 rw_files_pattern($1, user_tmp_t, user_tmp_t)
2532 files_search_tmp($1)
2535 ########################################
2537 ## Do not audit attempts to manage users
## temporary files.
2540 ## <param name="domain">
2542 ## Domain to not audit.
2546 interface(`userdom_dontaudit_manage_user_tmp_files',`
# Suppresses the audit record only; no file access is granted.
2551 dontaudit $1 user_tmp_t:file manage_file_perms;
2554 ########################################
2556 ## Read user temporary symbolic links.
2558 ## <param name="domain">
2560 ## Domain allowed access.
2564 interface(`userdom_read_user_tmp_symlinks',`
# Symlinks in a world-writable location are a classic redirection vector;
# the link target's own type still governs whether the access succeeds.
2569 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2570 allow $1 user_tmp_t:dir list_dir_perms;
2571 files_search_tmp($1)
2574 ########################################
2576 ## Create, read, write, and delete user
2577 ## temporary directories.
2579 ## <param name="domain">
2581 ## Domain allowed access.
2585 interface(`userdom_manage_user_tmp_dirs',`
# Full directory management on user_tmp_t.
2590 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
2591 files_search_tmp($1)
2594 ########################################
2596 ## Create, read, write, and delete user
## temporary files.
2599 ## <param name="domain">
2601 ## Domain allowed access.
2605 interface(`userdom_manage_user_tmp_files',`
# Full file management on user_tmp_t, including create and unlink.
2610 manage_files_pattern($1, user_tmp_t, user_tmp_t)
2611 files_search_tmp($1)
2614 ########################################
2616 ## Create, read, write, and delete user
2617 ## temporary symbolic links.
2619 ## <param name="domain">
2621 ## Domain allowed access.
2625 interface(`userdom_manage_user_tmp_symlinks',`
# Includes creating symlinks under user_tmp_t, i.e. the ability to plant
# redirections that other domains reading user tmp may follow.
2630 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2631 files_search_tmp($1)
2634 ########################################
2636 ## Create, read, write, and delete user
2637 ## temporary named pipes.
2639 ## <param name="domain">
2641 ## Domain allowed access.
2645 interface(`userdom_manage_user_tmp_pipes',`
# Full FIFO management on user_tmp_t.
2650 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
2651 files_search_tmp($1)
2654 ########################################
2656 ## Create, read, write, and delete user
2657 ## temporary named sockets.
2659 ## <param name="domain">
2661 ## Domain allowed access.
2665 interface(`userdom_manage_user_tmp_sockets',`
# Full socket-file management on user_tmp_t.
2670 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
2671 files_search_tmp($1)
2674 ########################################
2676 ## Create objects in a user temporary directory
2677 ## with an automatic type transition to
2678 ## a specified private type.
2680 ## <param name="domain">
2682 ## Domain allowed access.
2685 ## <param name="private_type">
2687 ## The type of the object to create.
2690 ## <param name="object_class">
2692 ## The class of the object to be created.
2696 interface(`userdom_user_tmp_filetrans',`
# Objects of class $3 that $1 creates inside user_tmp_t directories get
# type $2; filetrans_pattern also carries the create permissions needed.
2701 filetrans_pattern($1, user_tmp_t, $2, $3)
2702 files_search_tmp($1)
2705 ########################################
2707 ## Create objects in the temporary directory
2708 ## with an automatic type transition to
2709 ## the user temporary type.
2711 ## <param name="domain">
2713 ## Domain allowed access.
2716 ## <param name="object_class">
2718 ## The class of the object to be created.
2722 interface(`userdom_tmp_filetrans_user_tmp',`
# Objects of class $2 that $1 creates in the generic tmp directory are
# labeled user_tmp_t, so they fall under the userdom_*_user_tmp_* rules.
2727 files_tmp_filetrans($1, user_tmp_t, $2)
2730 ########################################
2732 ## Read user tmpfs files.
2734 ## <param name="domain">
2736 ## Domain allowed access.
2740 interface(`userdom_read_user_tmpfs_files',`
# Read-only on user_tmpfs_t files, symlinks and directory listings. The
# gen_require for user_tmpfs_t is not reproduced in this listing.
2745 read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2746 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2747 allow $1 user_tmpfs_t:dir list_dir_perms;
2751 ########################################
2753 ## Read/Write user tmpfs files.
2755 ## <param name="domain">
2757 ## Domain allowed access.
2761 interface(`userdom_rw_user_tmpfs_files',`
# Read/write of existing user_tmpfs_t files (no create/unlink); symlinks
# are read-only.
2766 rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2767 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2768 allow $1 user_tmpfs_t:dir list_dir_perms;
2772 ########################################
2774 ## Get the attributes of a user domain tty.
2776 ## <param name="domain">
2778 ## Domain allowed access.
2782 interface(`userdom_getattr_user_ttys',`
2784 type user_tty_device_t;
# stat() of the tty node only; no read or write of the terminal.
2787 allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
2790 ########################################
2792 ## Do not audit attempts to get the attributes of a user domain tty.
2794 ## <param name="domain">
2796 ## Domain to not audit.
2800 interface(`userdom_dontaudit_getattr_user_ttys',`
2802 type user_tty_device_t;
# Suppresses the audit record only; the getattr is still denied.
2805 dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
2808 ########################################
2810 ## Set the attributes of a user domain tty.
2812 ## <param name="domain">
2814 ## Domain allowed access.
2818 interface(`userdom_setattr_user_ttys',`
2820 type user_tty_device_t;
# chmod/chown-style changes on the tty node; no read or write of the terminal.
2823 allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
2826 ########################################
2828 ## Do not audit attempts to set the attributes of a user domain tty.
2830 ## <param name="domain">
2832 ## Domain to not audit.
2836 interface(`userdom_dontaudit_setattr_user_ttys',`
2838 type user_tty_device_t;
# Suppresses the audit record only; the setattr is still denied.
2841 dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
2844 ########################################
2846 ## Read and write a user domain tty.
2848 ## <param name="domain">
2850 ## Domain allowed access.
2854 interface(`userdom_use_user_ttys',`
2856 type user_tty_device_t;
# rw_term_perms: read, write and ioctl on the terminal, i.e. full
# interaction with the user's session -- see the caution on
# userdom_use_user_terminals.
2859 allow $1 user_tty_device_t:chr_file rw_term_perms;
2862 ########################################
2864 ## Read and write a user domain pty.
2866 ## <param name="domain">
2868 ## Domain allowed access.
2872 interface(`userdom_use_user_ptys',`
# Same scope as userdom_use_user_ttys, for pseudo-terminals; the
# gen_require for user_devpts_t is not reproduced in this listing.
2877 allow $1 user_devpts_t:chr_file rw_term_perms;
2880 ########################################
2882 ## Read and write user TTYs and PTYs.
2886 ## Allow the specified domain to read and write user
2887 ## TTYs and PTYs. This will allow the domain to
2888 ## interact with the user via the terminal. Typically
2889 ## all interactive applications will require this
## access.
2893 ## However, this also allows the applications to spy
2894 ## on user sessions or inject information into the
2895 ## user session. Thus, this access should likely
2896 ## not be allowed for non-interactive domains.
2899 ## <param name="domain">
2901 ## Domain allowed access.
2904 ## <infoflow type="both" weight="10"/>
2906 interface(`userdom_use_user_terminals',`
2908 type user_tty_device_t, user_devpts_t;
# Union of userdom_use_user_ttys and userdom_use_user_ptys; the infoflow
# weight above reflects that keystrokes and output cross in both directions.
2911 allow $1 user_tty_device_t:chr_file rw_term_perms;
2912 allow $1 user_devpts_t:chr_file rw_term_perms;
2916 ########################################
2918 ## Do not audit attempts to read and write
2919 ## a user domain tty and pty.
2921 ## <param name="domain">
2923 ## Domain to not audit.
2927 interface(`userdom_dontaudit_use_user_terminals',`
2929 type user_tty_device_t, user_devpts_t;
# Suppresses the audit records only; terminal access is still denied.
2932 dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
2933 dontaudit $1 user_devpts_t:chr_file rw_term_perms;
2936 ########################################
2938 ## Execute a shell in all user domains. This
2939 ## is an explicit transition, requiring the
2940 ## caller to use setexeccon().
2942 ## <param name="domain">
2944 ## Domain allowed to transition.
2948 interface(`userdom_spec_domtrans_all_users',`
2950 attribute userdomain;
# Transition target is the base userdomain attribute (every user domain,
# not only unpriv_userdomain). The three allow rules run in the reverse
# direction: the new user domain keeps $1's inherited fds, can read/write
# pipes $1 handed it, and signals $1 when it exits.
2953 corecmd_shell_spec_domtrans($1, userdomain)
2954 allow userdomain $1:fd use;
# NOTE(review): rw_file_perms on a fifo_file; userdom_entry_spec_domtrans_unpriv_users
# uses rw_fifo_file_perms for the same rule -- consider aligning (the same
# form recurs in the xsession/bin spec_domtrans interfaces below).
2955 allow userdomain $1:fifo_file rw_file_perms;
2956 allow userdomain $1:process sigchld;
2959 ########################################
2961 ## Execute an Xserver session in all user domains. This
2962 ## is an explicit transition, requiring the
2963 ## caller to use setexeccon().
2965 ## <param name="domain">
2967 ## Domain allowed to transition.
2971 interface(`userdom_xsession_spec_domtrans_all_users',`
2973 attribute userdomain;
# Target is the base userdomain attribute (all user domains, including
# administrative ones); fd/pipe/sigchld rules flow back from the new
# session domain to $1.
2976 xserver_xsession_spec_domtrans($1, userdomain)
2977 allow userdomain $1:fd use;
2978 allow userdomain $1:fifo_file rw_file_perms;
2979 allow userdomain $1:process sigchld;
2982 ########################################
2984 ## Execute a shell in all unprivileged user domains. This
2985 ## is an explicit transition, requiring the
2986 ## caller to use setexeccon().
2988 ## <param name="domain">
2990 ## Domain allowed to transition.
2994 interface(`userdom_spec_domtrans_unpriv_users',`
2996 attribute unpriv_userdomain;
# Restricted to unpriv_userdomain, the preferred variant for login-style
# callers; fd/pipe/sigchld rules flow back from the new domain to $1.
2999 corecmd_shell_spec_domtrans($1, unpriv_userdomain)
3000 allow unpriv_userdomain $1:fd use;
3001 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3002 allow unpriv_userdomain $1:process sigchld;
3005 ########################################
3007 ## Execute an Xserver session in all unprivileged user domains. This
3008 ## is an explicit transition, requiring the
3009 ## caller to use setexeccon().
3011 ## <param name="domain">
3013 ## Domain allowed to transition.
3017 interface(`userdom_xsession_spec_domtrans_unpriv_users',`
3019 attribute unpriv_userdomain;
# Restricted to unpriv_userdomain; fd/pipe/sigchld rules flow back from
# the new session domain to $1.
3022 xserver_xsession_spec_domtrans($1, unpriv_userdomain)
3023 allow unpriv_userdomain $1:fd use;
3024 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3025 allow unpriv_userdomain $1:process sigchld;
3028 ########################################
3030 ## Manage unprivileged user SysV semaphores.
3032 ## <param name="domain">
3034 ## Domain allowed access.
3038 interface(`userdom_manage_unpriv_user_semaphores',`
3040 attribute unpriv_userdomain;
# create_sem_perms against SysV semaphores owned by any unprivileged user
# domain, i.e. shared-IPC access across users.
3043 allow $1 unpriv_userdomain:sem create_sem_perms;
3046 ########################################
3048 ## Manage unprivileged user SysV shared
## memory segments.
3051 ## <param name="domain">
3053 ## Domain allowed access.
3057 interface(`userdom_manage_unpriv_user_shared_mem',`
3059 attribute unpriv_userdomain;
# create_shm_perms against segments owned by any unprivileged user domain;
# shared memory is readable and writable once attached, so this is a
# cross-user data channel.
3062 allow $1 unpriv_userdomain:shm create_shm_perms;
3065 ########################################
3067 ## Execute bin_t in the unprivileged user domains. This
3068 ## is an explicit transition, requiring the
3069 ## caller to use setexeccon().
3071 ## <param name="domain">
3073 ## Domain allowed to transition.
3077 interface(`userdom_bin_spec_domtrans_unpriv_users',`
3079 attribute unpriv_userdomain;
# Like userdom_spec_domtrans_unpriv_users but with generic bin_t programs
# as the entrypoint rather than a shell.
3082 corecmd_bin_spec_domtrans($1, unpriv_userdomain)
3083 allow unpriv_userdomain $1:fd use;
3084 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3085 allow unpriv_userdomain $1:process sigchld;
3088 ########################################
3090 ## Execute all entrypoint files in unprivileged user
3091 ## domains. This is an explicit transition, requiring the
3092 ## caller to use setexeccon().
3094 ## <param name="domain">
3096 ## Domain allowed access.
3100 interface(`userdom_entry_spec_domtrans_unpriv_users',`
3102 attribute unpriv_userdomain;
# Any entrypoint type of an unprivileged user domain may be the executed
# program; fd/pipe/sigchld rules flow back to $1. Note this one uses the
# fifo-specific rw_fifo_file_perms set, unlike its siblings above.
3105 domain_entry_file_spec_domtrans($1, unpriv_userdomain)
3106 allow unpriv_userdomain $1:fd use;
3107 allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
3108 allow unpriv_userdomain $1:process sigchld;
3111 ########################################
3113 ## Search user home directories and user home content.
3115 ## <param name="domain">
3117 ## Domain allowed access.
3121 interface(`userdom_search_user_home_content',`
3123 type user_home_dir_t;
3124 attribute user_home_type;
# Traversal (not listing) of the home root and of every user_home_type
# directory; symlink reads let $1 follow user-placed links on the way.
3128 allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
3129 allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
3132 ########################################
3134 ## Send general signals to unprivileged user domains.
3136 ## <param name="domain">
3138 ## Domain allowed access.
3142 interface(`userdom_signal_unpriv_users',`
3144 attribute unpriv_userdomain;
# `signal` only: sigkill, sigstop, sigchld and ptrace are separate
# permissions and are not granted here.
3147 allow $1 unpriv_userdomain:process signal;
3150 ########################################
3152 ## Inherit the file descriptors from unprivileged user domains.
3154 ## <param name="domain">
3156 ## Domain allowed access.
3160 interface(`userdom_use_unpriv_users_fds',`
3162 attribute unpriv_userdomain;
# $1 may keep using descriptors opened by an unprivileged user domain; the
# object behind each descriptor is still checked against $1's own rules.
3165 allow $1 unpriv_userdomain:fd use;
3168 ########################################
3170 ## Do not audit attempts to inherit the file descriptors
3171 ## from unprivileged user domains.
3175 ## Do not audit attempts to inherit the file descriptors
3176 ## from unprivileged user domains. This will suppress
3177 ## SELinux denial messages when the specified domain is denied
3178 ## the permission to inherit these file descriptors.
3181 ## <param name="domain">
3183 ## Domain to not audit.
3186 ## <infoflow type="none"/>
3188 interface(`userdom_dontaudit_use_unpriv_user_fds',`
3190 attribute unpriv_userdomain;
# Silences the common leaked-descriptor noise; no access granted.
3193 dontaudit $1 unpriv_userdomain:fd use;
3196 ########################################
3198 ## Do not audit attempts to use user ptys.
3200 ## <param name="domain">
3202 ## Domain to not audit.
3206 interface(`userdom_dontaudit_use_user_ptys',`
# Inherited-descriptor perms only (no open): covers a pty handed down as
# stdin/stdout across exec; access is still denied.
3211 dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
3214 ########################################
3216 ## Relabel files to the user pty type.
3218 ## <param name="domain">
3220 ## Domain allowed access.
3224 interface(`userdom_relabelto_user_ptys',`
# relabelto only; the relabelfrom on the source type must come from elsewhere.
3229 allow $1 user_devpts_t:chr_file relabelto;
########################################
## Do not audit attempts to relabel files from
## unprivileged user pty types (user_devpts_t).
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_relabelfrom_user_ptys',`
dontaudit $1 user_devpts_t:chr_file relabelfrom;
########################################
## Write all users files in /tmp.
## Grants write (including open for write) on user_tmp_t files
## of every user. Because /tmp is shared, a domain with this
## access can modify temp files of any user, not just the one
## it is serving; prefer a per-service tmp type where possible.
## <param name="domain">
## Domain allowed access.
interface(`userdom_write_user_tmp_files',`
write_files_pattern($1, user_tmp_t, user_tmp_t)
########################################
## Do not audit attempts to write users
## temporary files (user_tmp_t).
## Only the write permission is silenced; open/create denials
## on these files are still logged.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_write_user_tmp_files',`
dontaudit $1 user_tmp_t:file write;
########################################
## Do not audit attempts to read/write users
## temporary fifo files.
## Covers only inherited-descriptor permissions on user_tmp_t
## fifos, i.e. pipes the domain was handed; opening them is
## still audited.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_rw_user_tmp_pipes',`
dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
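########################################
## Do not audit attempts to use user ttys.
## Suppresses denials for reading/writing an inherited user
## tty descriptor. Mirrors userdom_dontaudit_use_user_ptys:
## the set is limited to inherited-descriptor permissions, so
## a domain that tries to open() a user tty itself is still
## audited rather than having that (usually real)
## misconfiguration hidden by an over-broad dontaudit.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;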
########################################
## Read the process state of all user domains.
## Lets the domain search /proc and read the files and
## symlinks of every process whose domain carries the
## userdomain attribute. This is considerably broader than
## userdom_getattr_all_users: it exposes per-process data
## under /proc/<pid> for every user session (subject to the
## kernel's own /proc access checks), so reserve it for
## monitoring/accounting domains.
## <param name="domain">
## Domain allowed access.
interface(`userdom_read_all_users_state',`
attribute userdomain;
kernel_search_proc($1)
read_files_pattern($1, userdomain, userdomain)
read_lnk_files_pattern($1, userdomain, userdomain)
########################################
## Get the attributes of all user domains.
## process:getattr only (e.g. stat of /proc/<pid>); no reads
## of process state. See userdom_read_all_users_state for that.
## <param name="domain">
## Domain allowed access.
interface(`userdom_getattr_all_users',`
attribute userdomain;
allow $1 userdomain:process getattr;
########################################
## Inherit the file descriptors from all user domains.
## Like userdom_use_unpriv_users_fds but keyed on the broader
## userdomain attribute, so it also covers privileged user
## domains. Object access through the descriptor is still
## subject to the object's own type rules.
## <param name="domain">
## Domain allowed access.
interface(`userdom_use_all_users_fds',`
attribute userdomain;
allow $1 userdomain:fd use;
########################################
## Do not audit attempts to inherit the file
## descriptors from any user domains.
## Noise suppression only; no access is granted.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_use_all_users_fds',`
attribute userdomain;
dontaudit $1 userdomain:fd use;
########################################
## Send general signals to all user domains.
## Covers privileged and unprivileged user domains alike.
## Only the "signal" permission; sigkill/sigstop/sigchld/signull
## are distinct permissions and are not granted here.
## <param name="domain">
## Domain allowed access.
interface(`userdom_signal_all_users',`
attribute userdomain;
allow $1 userdomain:process signal;
########################################
## Send a SIGCHLD signal to all user domains.
## Needed by anything that is a child of a user process and
## must notify its parent on exit.
## <param name="domain">
## Domain allowed access.
interface(`userdom_sigchld_all_users',`
attribute userdomain;
allow $1 userdomain:process sigchld;
########################################
## Create keys for all user domains.
## Grants key:create only, i.e. adding keys labeled with a
## user domain's type to a keyring. Reading or modifying
## existing user keys is NOT granted (see
## userdom_manage_all_users_keys).
## <param name="domain">
## Domain allowed access.
interface(`userdom_create_all_users_keys',`
attribute userdomain;
allow $1 userdomain:key create;
########################################
## Send a dbus message to all user domains.
## Only the send direction is granted; replies from the user
## domain back to $1 need the reverse rule in the caller's
## policy.
## <param name="domain">
## Domain allowed access.
interface(`userdom_dbus_send_all_users',`
attribute userdomain;
class dbus send_msg;
allow $1 userdomain:dbus send_msg;
########################################
## Allow apps to set rlimits on userdomain.
## Grants process:rlimitinh, i.e. user domain processes may
## inherit the resource limits of $1 across a domain transition
## (used by login-style programs that set limits before exec).
## NOTE(review): the interface name reads "rlimitnh" (missing
## "i") while the permission is rlimitinh; the name cannot be
## changed without breaking existing callers.
## <param name="domain">
## Domain allowed access.
interface(`userdom_set_rlimitnh',`
attribute userdomain;
allow $1 userdomain:process rlimitinh;
########################################
## Define the given type as an unprivileged user type.
## Adds $2 to the $1_usertype, unpriv_userdomain and
## userdomain attributes and makes it UBAC-constrained, so
## every rule in this file written against those attributes
## (signals, fd use, ptrace, key management, ...) applies to
## the new type. Apply only to types that really are user
## sessions or their derived application domains.
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## <param name="domain">
## The type to be marked as an unprivileged user type.
template(`userdom_unpriv_usertype',`
attribute unpriv_userdomain, userdomain;
attribute $1_usertype;
typeattribute $2 $1_usertype;
typeattribute $2 unpriv_userdomain;
typeattribute $2 userdomain;
ubac_constrained($2)
########################################
## Connect to users over an unix stream socket.
## Uses stream_connect_pattern: the socket file is expected to
## be a user_tmp_t sock_file and the listener any domain with
## the userdomain attribute. Since any user can create
## user_tmp_t sockets, $1 must not trust the peer identity
## beyond "some user process".
## <param name="domain">
## Domain allowed access.
interface(`userdom_stream_connect',`
attribute userdomain;
stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
########################################
## Ptrace user domains.
## Grants process:ptrace on every domain carrying the
## userdomain attribute: the ability to read and modify the
## memory and registers of every user session, including any
## credentials or tokens held in memory. Treat this as
## equivalent to full compromise of those sessions and restrict
## it to debuggers/crash handlers; where the policy offers a
## deny_ptrace style boolean, callers should wrap this in it.
## <param name="domain">
## Domain allowed access.
interface(`userdom_ptrace_all_users',`
attribute userdomain;
allow $1 userdomain:process ptrace;
########################################
## Do not audit attempts to search /root (admin_home_t).
## Noise suppression only; no access is granted.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_search_admin_dir',`
dontaudit $1 admin_home_t:dir search_dir_perms;
########################################
## Do not audit attempts to list /root (admin_home_t).
## Noise suppression only; no access is granted.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_list_admin_dir',`
dontaudit $1 admin_home_t:dir list_dir_perms;
########################################
## Allow domain to list /root (admin_home_t).
## Listing reveals file names in the administrator's home
## (e.g. key or history file names) but not their contents.
## <param name="domain">
## Domain allowed access.
interface(`userdom_list_admin_dir',`
allow $1 admin_home_t:dir list_dir_perms;
########################################
## Allow search of /root (admin_home_t).
## Search only; needed to traverse /root to a known path.
## Listing and file reads are separate interfaces.
## <param name="domain">
## Domain allowed access.
interface(`userdom_search_admin_dir',`
allow $1 admin_home_t:dir search_dir_perms;
########################################
## Read and write SysV semaphores of unprivileged user domains.
## Semaphore objects are labeled with the creating domain's
## type, so this reaches semaphores of every unpriv user.
## <param name="domain">
## Domain allowed access.
interface(`userdom_rw_semaphores',`
attribute unpriv_userdomain;
allow $1 unpriv_userdomain:sem rw_sem_perms;
########################################
## Send a message to unprivileged users over a unix domain
## datagram socket.
## sendto only; receiving replies needs the reverse rule.
## <param name="domain">
## Domain allowed access.
interface(`userdom_dgram_send',`
attribute unpriv_userdomain;
allow $1 unpriv_userdomain:unix_dgram_socket sendto;
######################################
## Send a message to users over a unix domain
## datagram socket.
## Like userdom_dgram_send but keyed on the broader userdomain
## attribute, so privileged user domains are included.
## <param name="domain">
## Domain allowed access.
interface(`userdom_users_dgram_send',`
attribute userdomain;
allow $1 userdomain:unix_dgram_socket sendto;
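#######################################
## Allow execmod on files in the home directory.
## execmod lets the domain make a file-backed private mapping
## both writable and executable (text relocations, runtime
## code patching). This weakens W^X for everything labeled
## with a user_home_type type, so grant it only to domains that
## demonstrably need it rather than to all user types.
## user_home_type is an attribute, as the other interfaces in
## this file declare it; requiring it as a plain type here was
## inconsistent with those declarations.
## <param name="domain">
## Domain allowed access.
interface(`userdom_execmod_user_home_files',`
attribute user_home_type;
allow $1 user_home_type:file execmod;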
########################################
## Read admin home files.
## Grants read of admin_home_t files. /root commonly holds the
## administrator's keys, tokens and shell history, so this is a
## sensitive grant; prefer a dedicated type for the specific
## file a service needs.
## <param name="domain">
## Domain allowed access.
interface(`userdom_read_admin_home_files',`
read_files_pattern($1, admin_home_t, admin_home_t)
########################################
## Execute admin home files.
## Runs admin_home_t files in the caller's own domain (no
## transition). Anything that can write /root thereby controls
## code running as $1; keep this to admin tooling.
## <param name="domain">
## Domain allowed access.
interface(`userdom_exec_admin_home_files',`
exec_files_pattern($1, admin_home_t, admin_home_t)
########################################
## Append files inherited
## in the /root directory.
## getattr and append only, without open: the domain can write
## to an admin_home_t file it was handed already open (e.g. a
## redirected log) but cannot open one itself.
## <param name="domain">
## Domain allowed access.
interface(`userdom_inherit_append_admin_home_files',`
allow $1 admin_home_t:file { getattr append };
#######################################
## Manage all files/directories in the homedir.
## Full create/read/write/delete on dirs, files, symlinks,
## sockets and fifos of every user_home_type type, reached
## through user_home_dir_t, with new objects created directly
## in a home directory labeled user_home_t. This is effectively
## "owns all users' home content"; it is appropriate for user
## sessions and backup/sync agents, not for ordinary services.
## <param name="domain">
## Domain allowed access.
interface(`userdom_manage_user_home_content',`
type user_home_dir_t, user_home_t;
attribute user_home_type;
manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
########################################
## Create objects in a user home directory
## with an automatic type transition to
## the user home file type.
## This is the bare type_transition rule only: it grants no
## permissions. The caller must separately be allowed to add
## entries to user_home_dir_t and to create user_home_t objects
## of class $2, otherwise the transition never fires.
## <param name="domain">
## Domain allowed access.
## <param name="object_class">
## The class of the object to be created.
interface(`userdom_user_home_dir_filetrans_pattern',`
type user_home_dir_t, user_home_t;
type_transition $1 user_home_dir_t:$2 user_home_t;
########################################
## Create objects in the /root directory
## with an automatic type transition to
## a specified private type.
## Unlike userdom_user_home_dir_filetrans_pattern this goes
## through filetrans_pattern, which also grants the directory
## access needed to create entries in admin_home_t; the caller
## still needs create permission on $2 for class $3.
## <param name="domain">
## Domain allowed access.
## <param name="private_type">
## The type of the object to create.
## <param name="object_class">
## The class of the object to be created.
interface(`userdom_admin_home_dir_filetrans',`
filetrans_pattern($1, admin_home_t, $2, $3)
########################################
## Send signull to unprivileged user domains.
## signull is the kill(pid, 0) existence check; it delivers no
## signal but does reveal which user pids exist.
## <param name="domain">
## Domain allowed access.
interface(`userdom_signull_unpriv_users',`
attribute unpriv_userdomain;
allow $1 unpriv_userdomain:process signull;
########################################
## Write all users files in /tmp.
## NOTE(review): despite the "_dirs" name this interface grants
## exactly what userdom_write_user_tmp_files grants (write on
## user_tmp_t files via write_files_pattern); it grants no
## directory write permission. Callers expecting to add or
## remove entries in user tmp directories get nothing extra
## here. Confirm the intended semantics before changing it,
## since existing callers may rely on the current grant.
## <param name="domain">
## Domain allowed access.
interface(`userdom_write_user_tmp_dirs',`
write_files_pattern($1, user_tmp_t, user_tmp_t)
########################################
## Manage keys for all user domains.
## manage_key_perms on keys labeled with any userdomain type:
## read, write, link, search and setattr of every user's kernel
## keyring contents, which may hold credentials. Far broader
## than userdom_create_all_users_keys; limit to keyring
## management daemons.
## <param name="domain">
## Domain allowed access.
interface(`userdom_manage_all_users_keys',`
attribute userdomain;
allow $1 userdomain:key manage_key_perms;
########################################
## Do not audit attempts to read and write
## userdomain unix stream sockets.
## Noise suppression only; no access is granted.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_rw_stream',`
attribute userdomain;
dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
########################################
## Append to user_home_t files
## in a user home subdirectory.
## Append (including open for append) on user_home_t files,
## with the search access on /home and user_home_dir_t needed
## to reach them. No read or truncating write is granted.
## <param name="domain">
## Domain allowed access.
interface(`userdom_append_user_home_content_files',`
type user_home_dir_t, user_home_t;
append_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
########################################
## Read files inherited
## in a user home subdirectory.
## getattr and read without open, on every user_home_type type:
## the domain can read a home file it received already open
## (e.g. on stdin) but cannot open home files on its own.
## <param name="domain">
## Domain allowed access.
interface(`userdom_read_inherited_user_home_content_files',`
attribute user_home_type;
allow $1 user_home_type:file { getattr read };
########################################
## Append files inherited
## in a user home subdirectory.
## getattr and append without open on user_home_t files
## (e.g. a redirected output file handed over by the user).
## <param name="domain">
## Domain allowed access.
interface(`userdom_inherit_append_user_home_content_files',`
allow $1 user_home_t:file { getattr append };
########################################
## Append files inherited
## in a user tmp files.
## getattr and append without open on user_tmp_t files the
## domain was handed already open.
## <param name="domain">
## Domain allowed access.
interface(`userdom_inherit_append_user_tmp_files',`
allow $1 user_tmp_t:file { getattr append };
######################################
## Read audio files in the users homedir.
## Read-only access to audio_home_t directories, files and
## symlinks, plus the home directory search needed to reach
## them. Nothing outside the audio_home_t label is exposed.
## <param name="domain">
## Domain allowed access.
interface(`userdom_read_home_audio_files',`
userdom_search_user_home_dirs($1)
allow $1 audio_home_t:dir list_dir_perms;
read_files_pattern($1, audio_home_t, audio_home_t)
read_lnk_files_pattern($1, audio_home_t, audio_home_t)
########################################
## Read SSL certificates stored in the users homedir.
## Read-only access to home_cert_t directories, files and
## symlinks, plus the home directory search needed to reach
## them. Note that a certificate directory may also contain
## private keys under the same label; only grant this to
## domains that legitimately act as the user's TLS client.
## <param name="domain">
## Domain allowed access.
interface(`userdom_read_home_certs',`
userdom_search_user_home_dirs($1)
allow $1 home_cert_t:dir list_dir_perms;
read_files_pattern($1, home_cert_t, home_cert_t)
read_lnk_files_pattern($1, home_cert_t, home_cert_t)
########################################
## Do not audit attempts to getattr /root files (admin_home_t).
## Noise suppression only; no access is granted.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_getattr_admin_home_files',`
dontaudit $1 admin_home_t:file getattr;
########################################
## Do not audit attempts to read /root symlinks (admin_home_t).
## Noise suppression only; no access is granted.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_read_admin_home_lnk_files',`
dontaudit $1 admin_home_t:lnk_file read;
########################################
## Do not audit attempts to read /root files (admin_home_t).
## Silences the whole read_file_perms set (including open);
## no access is granted. Use with care: repeated read attempts
## on /root by a service are worth seeing in the audit log.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_read_admin_home_files',`
dontaudit $1 admin_home_t:file read_file_perms;
########################################
## Create, read, write, and delete user
## temporary chr files.
## Character device nodes labeled user_tmp_t. Creating a
## device node additionally needs CAP_MKNOD in the caller's
## capability rules; device nodes in a user-writable tmp are
## a classic escape path, so keep this to the few domains
## (e.g. terminal multiplexers) that really need it.
## <param name="domain">
## Domain allowed access.
interface(`userdom_manage_user_tmp_chr_files',`
manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
########################################
## Create, read, write, and delete user
## temporary blk files.
## Block device nodes labeled user_tmp_t. A block node in /tmp
## can expose raw disk access if the device-type checks of the
## rest of the policy are weak, and mknod still requires
## CAP_MKNOD; grant this rarely and review callers.
## <param name="domain">
## Domain allowed access.
interface(`userdom_manage_user_tmp_blk_files',`
manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
########################################
## Do not audit attempts to set attributes on user temporary
## directories (user_tmp_t). Noise suppression only.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_setattr_user_tmp',`
dontaudit $1 user_tmp_t:dir setattr;
########################################
## Write all inherited users files in /tmp.
## write without open on user_tmp_t files: only descriptors
## the domain already holds can be written.
## <param name="domain">
## Domain allowed access.
interface(`userdom_write_inherited_user_tmp_files',`
allow $1 user_tmp_t:file write;
########################################
## Delete all users files in /tmp.
## delete_file_perms on user_tmp_t files (unlink); the domain
## also needs remove_name on the containing directory, which
## this interface does not grant.
## <param name="domain">
## Domain allowed access.
interface(`userdom_delete_user_tmp_files',`
allow $1 user_tmp_t:file delete_file_perms;
########################################
## Delete user tmpfs files.
## delete_file_perms on user_tmpfs_t files (shared memory
## segments backing /dev/shm style objects); directory
## remove_name is not granted here.
## <param name="domain">
## Domain allowed access.
interface(`userdom_delete_user_tmpfs_files',`
allow $1 user_tmpfs_t:file delete_file_perms;
########################################
## Read/Write unprivileged user SysV shared
## memory segments.
## Segments are labeled with the creating domain, so this
## reaches shared memory of every unprivileged user.
## <param name="domain">
## Domain allowed access.
interface(`userdom_rw_unpriv_user_shared_mem',`
attribute unpriv_userdomain;
allow $1 unpriv_userdomain:shm rw_shm_perms;
########################################
## Do not audit attempts to search user
## temporary directories.
## Noise suppression only; no access is granted.
## <param name="domain">
## Domain to not audit.
interface(`userdom_dontaudit_search_user_tmp',`
dontaudit $1 user_tmp_t:dir search_dir_perms;
########################################
## Execute a file in a user home directory
## in the specified domain.
## Execute a file in a user home directory
## in the specified domain.
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## Security note: user_home_t content is under the user's
## control (see userdom_manage_user_home_content), so the
## code that ends up running in $2 is user-supplied. Only
## use this where $2 is a domain designed to run untrusted
## user programs.
## <param name="domain">
## Domain allowed access.
## <param name="target_domain">
## The type of the new process.
interface(`userdom_domtrans_user_home',`
read_lnk_files_pattern($1, user_home_t, user_home_t)
domain_transition_pattern($1, user_home_t, $2)
type_transition $1 user_home_t:process $2;
########################################
## Execute a file in a user tmp directory
## in the specified domain.
## Execute a file in a user tmp directory
## in the specified domain.
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## Security note: user_tmp_t files live in the shared,
## world-writable /tmp and are created by user domains, so
## the binary executed is user-controlled and its path may be
## raced by other users. Only use this where $2 is a domain
## designed to run untrusted user programs.
## <param name="domain">
## Domain allowed access.
## <param name="target_domain">
## The type of the new process.
interface(`userdom_domtrans_user_tmp',`
files_search_tmp($1)
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
domain_transition_pattern($1, user_tmp_t, $2)
type_transition $1 user_tmp_t:process $2;