X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=policy%2Fmodules%2Fsystem%2Fuserdomain.if;h=b523cbe02f931b4fcff22d2dc1773a9c5511b314;hb=482db96eda5501b7f662a83410e3cb222a0e9c3c;hp=78f35d21864519cb135a568da4851d1283712590;hpb=d141ac473666265936f2ac70cf9e8c72af025c25;p=people%2Fstevee%2Fselinux-policy.git
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 78f35d21..b523cbe0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -34,6 +34,7 @@ template(`userdom_base_user_template',`
type $1_t, userdomain, $1_usertype;
domain_type($1_t)
+ role $1_r;
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
@@ -46,7 +47,10 @@ template(`userdom_base_user_template',`
term_user_tty($1_t, user_tty_device_t)
term_dontaudit_getattr_generic_ptys($1_t)
- allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ tunable_policy(`deny_ptrace',`',`
+ allow $1_usertype $1_usertype:process ptrace;
+ ')
allow $1_usertype $1_usertype:fd use;
allow $1_usertype $1_t:key { create view read write search link setattr };
@@ -95,6 +99,7 @@ template(`userdom_base_user_template',`
files_read_etc_files($1_usertype)
files_list_mnt($1_usertype)
+ files_list_var($1_usertype)
files_read_mnt_files($1_usertype)
files_dontaudit_access_check_mnt($1_usertype)
files_read_etc_runtime_files($1_usertype)
@@ -123,7 +128,7 @@ template(`userdom_base_user_template',`
storage_rw_fuse($1_usertype)
- auth_use_nsswitch($1_usertype)
+ auth_use_nsswitch($1_t)
init_stream_connect($1_usertype)
# The library functions always try to open read-write first,
@@ -132,6 +137,8 @@ template(`userdom_base_user_template',`
libs_exec_ld_so($1_usertype)
+ logging_send_audit_msgs($1_t)
+
miscfiles_read_localization($1_t)
miscfiles_read_generic_certs($1_t)
@@ -140,16 +147,22 @@ template(`userdom_base_user_template',`
miscfiles_read_man_pages($1_usertype)
miscfiles_read_public_files($1_usertype)
- tunable_policy(`allow_execmem',`
+ systemd_dbus_chat_logind($1_usertype)
+
+ tunable_policy(`deny_execmem',`', `
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
')
- tunable_policy(`allow_execmem && allow_execstack',`
+ tunable_policy(`allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+ optional_policy(`
+ abrt_stream_connect($1_usertype)
+ ')
+
optional_policy(`
fs_list_cgroup_dirs($1_usertype)
')
@@ -271,6 +284,8 @@ interface(`userdom_manage_home_role',`
relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ userdom_filetrans_home_content($2)
+
files_list_home($2)
# cjp: this should probably be removed:
@@ -315,6 +330,7 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
+ attribute user_tmp_type;
type user_tmp_t;
')
@@ -322,13 +338,17 @@ interface(`userdom_manage_tmp_role',`
files_poly_member_tmp($2, user_tmp_t)
- manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
- manage_files_pattern($2, user_tmp_t, user_tmp_t)
- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ manage_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
- relabel_files_pattern($2, user_tmp_t, user_tmp_t)
+ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
')
#######################################
@@ -337,7 +357,7 @@ interface(`userdom_manage_tmp_role',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -418,17 +438,23 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
+ attribute user_tmpfs_type;
type user_tmpfs_t;
')
role $1 types user_tmpfs_t;
- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
')
#######################################
@@ -629,6 +655,8 @@ template(`userdom_common_user_template',`
auth_read_login_records($1_usertype)
auth_run_pam($1_t,$1_r)
auth_run_utempter($1_t,$1_r)
+ auth_filetrans_admin_home_content($1_t)
+ auth_filetrans_home_content($1_t)
init_read_utmp($1_usertype)
@@ -650,12 +678,6 @@ template(`userdom_common_user_template',`
term_getattr_all_ttys($1_t)
')
- optional_policy(`
- alsa_read_rw_config($1_usertype)
- alsa_manage_home_files($1_t)
- alsa_relabel_home_files($1_t)
- ')
-
optional_policy(`
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_usertype)
@@ -665,10 +687,6 @@ template(`userdom_common_user_template',`
canna_stream_connect($1_usertype)
')
- optional_policy(`
- chrome_role($1_r, $1_usertype)
- ')
-
optional_policy(`
colord_read_lib_files($1_usertype)
')
@@ -766,10 +784,6 @@ template(`userdom_common_user_template',`
mta_filetrans_home_content($1_usertype)
')
- optional_policy(`
- nsplugin_role($1_r, $1_usertype)
- ')
-
optional_policy(`
tunable_policy(`allow_user_mysql_connect',`
mysql_stream_connect($1_t)
@@ -827,6 +841,9 @@ template(`userdom_common_user_template',`
slrnpull_search_spool($1_usertype)
')
+ optional_policy(`
+ thumb_role($1_r, $1_usertype)
+ ')
')
#######################################
@@ -885,7 +902,7 @@ template(`userdom_login_user_template', `
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -915,6 +932,11 @@ template(`userdom_login_user_template', `
auth_dontaudit_write_login_records($1_t)
auth_rw_cache($1_t)
+ application_exec_all($1_t)
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_t)
+
# Stop warnings about access to /dev/console
init_dontaudit_use_fds($1_usertype)
init_dontaudit_use_script_fds($1_usertype)
@@ -996,7 +1018,7 @@ template(`userdom_restricted_user_template',`
#
optional_policy(`
- loadkeys_run($1_t,$1_r)
+ loadkeys_run($1_t, $1_r)
')
')
@@ -1079,6 +1101,9 @@ template(`userdom_restricted_xwindows_user_template',`
# bug: #682499
optional_policy(`
gnome_read_usr_config($1_usertype)
+ gnome_role_gkeyringd($1, $1_r, $1_usertype)
+ # cjp: telepathy F15 bugs
+ telepathy_role($1_r, $1_t, $1)
')
optional_policy(`
@@ -1112,16 +1137,14 @@ template(`userdom_restricted_xwindows_user_template',`
')
')
- optional_policy(`
- openoffice_role_template($1, $1_r, $1_usertype)
- ')
-
optional_policy(`
policykit_role($1_r, $1_usertype)
')
optional_policy(`
pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
')
optional_policy(`
@@ -1188,6 +1211,24 @@ template(`userdom_unpriv_user_template', `
storage_rw_fuse($1_t)
+ files_exec_usr_files($1_t)
+ # cjp: why?
+ files_read_kernel_symbol_table($1_t)
+
+ ifndef(`enable_mls',`
+ fs_exec_noxattr($1_t)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ # Write floppies
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+ ',`
+ storage_raw_read_removable_device($1_t)
+ ')
+ ')
+
miscfiles_read_hwdata($1_usertype)
# Allow users to run TCP servers (bind to ports and accept connection from
@@ -1230,18 +1271,6 @@ template(`userdom_unpriv_user_template', `
gpm_stream_connect($1_usertype)
')
- optional_policy(`
- execmem_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
- java_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
- mono_role_template($1, $1_r, $1_t)
- ')
-
optional_policy(`
mount_run_fusermount($1_t, $1_r)
mount_read_pid_files($1_t)
@@ -1253,12 +1282,19 @@ template(`userdom_unpriv_user_template', `
optional_policy(`
postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t, $1_r)
')
+
+ optional_policy(`
+ vdagent_getattr_log($1_t)
+ vdagent_getattr_exec($1_t)
+ vdagent_stream_connect($1_t)
+ ')
')
#######################################
@@ -1319,7 +1355,10 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
- allow $1_t self:capability ~{ sys_module audit_control audit_write };
+ allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
+ tunable_policy(`deny_ptrace',`',`
+ allow $1_t self:capability sys_ptrace;
+ ')
allow $1_t self:capability2 syslog;
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
@@ -1396,12 +1435,14 @@ template(`userdom_admin_user_template',`
storage_dontaudit_read_fixed_disk($1_t)
term_use_all_inherited_terms($1_t)
+ term_use_unallocated_ttys($1_t)
auth_getattr_shadow($1_t)
# Manage almost all files
- auth_manage_all_files_except_shadow($1_t)
+ files_manage_non_security_dirs($1_t)
+ files_manage_non_security_files($1_t)
# Relabel almost all files
- auth_relabel_all_files_except_shadow($1_t)
+ files_relabel_non_security_files($1_t)
init_telinit($1_t)
@@ -1420,6 +1461,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
+ systemd_config_all_services($1_t)
+
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
@@ -1495,7 +1538,7 @@ template(`userdom_security_admin_template',`
selinux_set_parameters($1)
selinux_read_policy($1)
- auth_relabel_all_files_except_shadow($1)
+ files_relabel_all_files($1)
auth_relabel_shadow($1)
init_exec($1)
@@ -1506,12 +1549,22 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
+ seutil_manage_default_contexts($1)
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
seutil_run_setsebool($1,$2)
seutil_run_setfiles($1, $2)
+ seutil_manage_bin_policy($1)
+ seutil_manage_default_contexts($1)
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
+
optional_policy(`
aide_run($1,$2)
')
@@ -1586,6 +1639,29 @@ interface(`userdom_user_tmp_content',`
ubac_constrained($1)
')
+########################################
+##
+## Make the specified type usable in a
+## generic tmpfs_t directory.
+##
+##
+##
+## Type to be used as a file in the
+## generic temporary directory.
+##
+##
+#
+interface(`userdom_user_tmpfs_content',`
+ gen_require(`
+ attribute user_tmpfs_type;
+ ')
+
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
+ ubac_constrained($1)
+')
+
########################################
##
## Allow domain to attach to TUN devices created by administrative users.
@@ -1997,6 +2073,24 @@ interface(`userdom_delete_user_home_content_dirs',`
allow $1 user_home_t:dir delete_dir_perms;
')
+########################################
+##
+## Delete all directories in a user home subdirectory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_all_user_home_content_dirs',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:dir delete_dir_perms;
+')
+
########################################
##
## Set the attributes of user home files.
@@ -2035,6 +2129,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
dontaudit $1 user_home_t:file setattr_file_perms;
')
+########################################
+##
+## Set the attributes of all user home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_setattr_all_user_home_content_dirs',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:dir setattr_dir_perms;
+')
+
########################################
##
## Mmap user home files.
@@ -2169,6 +2282,24 @@ interface(`userdom_delete_user_home_content_files',`
allow $1 user_home_t:file delete_file_perms;
')
+########################################
+##
+## Delete all files in a user home subdirectory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_all_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:file delete_file_perms;
+')
+
########################################
##
## Delete sock files in a user home subdirectory.
@@ -2187,6 +2318,24 @@ interface(`userdom_delete_user_home_content_sock_files',`
allow $1 user_home_t:sock_file delete_file_perms;
')
+########################################
+##
+## Delete all sock files in a user home subdirectory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_all_user_home_content_sock_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:sock_file delete_file_perms;
+')
+
########################################
##
## Do not audit attempts to write user home files.
@@ -2342,6 +2491,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
allow $1 user_home_t:lnk_file delete_lnk_file_perms;
')
+########################################
+##
+## Delete all symbolic links in a user home directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_all_user_home_content_symlinks',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
+')
+
########################################
##
## Create, read, write, and delete named pipes
@@ -2442,7 +2609,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
- filetrans_pattern($1, user_home_t, $2, $3)
+ filetrans_pattern($1, user_home_t, $2, $3, $4)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
@@ -2793,7 +2960,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
- filetrans_pattern($1, user_tmp_t, $2, $3)
+ filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
')
@@ -2822,6 +2989,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
+#######################################
+##
+## Getattr user tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_getattr_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
########################################
##
## Read user tmpfs files.
@@ -2864,6 +3050,42 @@ interface(`userdom_rw_user_tmpfs_files',`
fs_search_tmpfs($1)
')
+########################################
+##
+## Read/Write inherited user tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_rw_inherited_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Execute user tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_execute_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file execute;
+')
+
########################################
##
## Get the attributes of a user domain tty.
@@ -3073,8 +3295,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+
+########################################
+##
+## Get attributes of user domain tty and pty.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_getattr_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
')
########################################
@@ -3146,6 +3387,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
+#####################################
+##
+## Allow domain dyntrans to unpriv userdomain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_dyntransition_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process dyntransition;
+')
+
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
@@ -3463,7 +3722,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
')
########################################
@@ -3595,6 +3854,24 @@ interface(`userdom_sigchld_all_users',`
allow $1 userdomain:process sigchld;
')
+########################################
+##
+## Read keys for all user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key read;
+')
+
########################################
##
## Create keys for all user domains.
@@ -3679,10 +3956,43 @@ template(`userdom_unpriv_usertype',`
typeattribute $2 $1_usertype;
typeattribute $2 unpriv_userdomain;
typeattribute $2 userdomain;
-
+
+ auth_use_nsswitch($2)
ubac_constrained($2)
')
+#######################################
+##
+## Define this type as a Allow apps to set rlimits on userdomain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`userdom_unpriv_type',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ ')
+ typeattribute $2 unpriv_userdomain;
+ typeattribute $2 userdomain;
+
+ auth_use_nsswitch($2)
+ ubac_constrained($2)
+')
+
########################################
##
## Connect to users over an unix stream socket.
@@ -3717,7 +4027,9 @@ interface(`userdom_ptrace_all_users',`
attribute userdomain;
')
- allow $1 userdomain:process ptrace;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 userdomain:process ptrace;
+ ')
')
########################################
@@ -3726,7 +4038,7 @@ interface(`userdom_ptrace_all_users',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -3744,7 +4056,7 @@ interface(`userdom_dontaudit_search_admin_dir',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -3886,6 +4198,25 @@ interface(`userdom_read_admin_home_files',`
read_files_pattern($1, admin_home_t, admin_home_t)
')
+########################################
+##
+## Delete admin home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_delete_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:file delete_file_perms;
+')
+
########################################
##
## Execute admin home files.
@@ -4353,13 +4684,36 @@ interface(`userdom_read_home_certs',`
read_lnk_files_pattern($1, home_cert_t, home_cert_t)
')
+########################################
+##
+## Manage system SSL certificates in the users homedir.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_home_certs',`
+ gen_require(`
+ type home_cert_t;
+ ')
+
+ allow $1 home_cert_t:dir list_dir_perms;
+ manage_files_pattern($1, home_cert_t, home_cert_t)
+ manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
+
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
+')
+
#######################################
##
## Dontaudit Write system SSL certificates in the users homedir.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -4377,7 +4731,7 @@ interface(`userdom_dontaudit_write_home_certs',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -4395,7 +4749,7 @@ interface(`userdom_dontaudit_getattr_admin_home_files',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -4413,7 +4767,7 @@ interface(`userdom_dontaudit_read_admin_home_lnk_files',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -4471,7 +4825,7 @@ interface(`userdom_manage_user_tmp_blk_files',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -4483,6 +4837,24 @@ interface(`userdom_dontaudit_setattr_user_tmp',`
dontaudit $1 user_tmp_t:dir setattr;
')
+########################################
+##
+## Read all inherited users files in /tmp
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_read_inherited_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file read_inherited_file_perms;
+')
+
########################################
##
## Write all inherited users files in /tmp
@@ -4686,3 +5058,86 @@ interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
dontaudit $1 user_tmp_type:file read_file_perms;
')
+#######################################
+##
+## Read and write unpriviledged user SysV sempaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_rw_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+##
+## Transition to userdom named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_filetrans_home_content',`
+ gen_require(`
+ type home_bin_t, home_cert_t;
+ type audio_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
+ gnome_config_filetrans($1, home_cert_t, dir, "certificates")
+
+ #optional_policy(`
+ # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
+ #')
+')
+
+########################################
+##
+## Make the specified type able to read content in user home dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_home_reader',`
+ gen_require(`
+ attribute userdom_home_reader_type;
+ ')
+
+ typeattribute $1 userdom_home_reader_type;
+')
+
+
+########################################
+##
+## Make the specified type able to manage content in user home dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_home_manager',`
+ gen_require(`
+ attribute userdom_home_manager_type;
+ ')
+
+ typeattribute $1 userdom_home_manager_type;
+')