490639cd | 1 | ## <summary>Policy for user domains</summary> |
b16c6b8c | 2 | |
8fd36732 CP |
3 | ####################################### |
4 | ## <summary> | |
5 | ## The template containing rules common to unprivileged | |
6 | ## users and administrative users. | |
7 | ## </summary> | |
8 | ## <desc> | |
9 | ## <p> | |
10 | ## This template creates a user domain, types, and | |
11 | ## rules for the user's tty, pty, home directories, | |
12 | ## tmp, and tmpfs files. | |
13 | ## </p> | |
14 | ## <p> | |
15 | ## This generally should not be used, rather the | |
16 | ## unpriv_user_template or admin_user_template should | |
17 | ## be used. | |
18 | ## </p> | |
19 | ## </desc> | |
20 | ## <param name="userdomain_prefix"> | |
21 | ## The prefix of the user domain (e.g., user | |
22 | ## is the prefix for user_t). | |
23 | ## </param> | |
b16c6b8c | 24 | # |
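template(`base_user_template',`
	attribute $1_file_type;

	type $1_t, userdomain;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	# user pseudoterminal
	type $1_devpts_t;
	term_user_pty($1_t,$1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_type($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	# The original repeated files_type($1_home_t) here, so $1_home_dir_t
	# itself was never passed to files_type(); register the directory type.
	files_type($1_home_dir_t)

	type $1_tmp_t, $1_file_type;
	files_tmp_file($1_tmp_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_tty_device_t;
	term_tty($1_t,$1_tty_device_t)

	##############################
	#
	# Local policy
	#

	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	# Net effect of the next two rules: every self:process permission except
	# setcurrent, setexec, setrlimit, execmem and dyntransition (ptrace and
	# setfscreate are excluded from the complement set and then re-granted).
	# execmem can still be granted by the allow_execmem tunable below.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	# Irrelevant until we have labeled networking.
	#allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory
	# execute_no_trans: the program runs in $1_t itself, no domain transition.
	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };

	# full control of the home directory
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir create_dir_perms;
	# objects this domain creates directly under the home directory get $1_home_t
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };

	# Bind to a Unix domain socket in /tmp.
	# cjp: this combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	# user domains.
	per_userdomain_templates($1)

	kernel_read_kernel_sysctl($1_t)
	selinux_get_fs_mount($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)

	dev_rw_power_management($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)

	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	# allow port_t name binding for UDP because it is not very usable otherwise
	corenet_udp_bind_generic_port($1_t)

	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_search_auto_mountpoints($1_t)
	fs_exec_noxattr($1_t)

	# for eject
	storage_getattr_fixed_disk($1_t)

	auth_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)
	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecmd_exec_bin($1_t)
	corecmd_exec_sbin($1_t)
	corecmd_exec_ls($1_t)

	domain_exec_all_entry_files($1_t)
	domain_use_wide_inherit_fd($1_t)
	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_t)
	domain_dontaudit_getsession_all_domains($1_t)

	files_exec_etc_files($1_t)
	files_read_usr_src_files($1_t)
	files_search_locks($1_t)

	# Caused by su - init scripts
	init_dontaudit_use_script_pty($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_exec_ld_so($1_t)
	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_rw_man_cache($1_t)
	# for running TeX programs
	miscfiles_read_tetex_data($1_t)
	miscfiles_exec_tetex_data($1_t)

	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	mta_rw_spool($1_t)

	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`read_default_t',`
		files_list_default($1_t)
		files_read_default_files($1_t)
		files_read_default_symlinks($1_t)
		files_read_default_sockets($1_t)
		files_read_default_pipes($1_t)
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)
	')

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_t)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)
	')

	optional_policy(`inetd.te',`
		inetd_tcp_connect($1_t)
	')

	optional_policy(`nis.te',`
		nis_use_ypbind($1_t)
	')

	optional_policy(`mysql.te',`
		ifdef(`targeted_policy',`',`
			tunable_policy(`allow_user_mysql_connect',`
				mysql_stream_connect($1_t)
			')
		')
	')

	optional_policy(`nscd.te',`
		nscd_use_socket($1_t)
	')

	optional_policy(`pcmcia.te',`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_t)
	')

	optional_policy(`quota.te',`
		quota_dontaudit_getattr_db($1_t)
	')

	optional_policy(`rpm.te',`
		files_getattr_var_lib_dir($1_t)
		files_search_var_lib($1_t)
	')

	optional_policy(`usermanage.te',`
		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
	')

	# Legacy rules: everything inside this ifdef is only expanded when the
	# m4 symbol TODO is defined, so it is inert in a normal build.
	ifdef(`TODO',`

	#
	# Cups daemon running as user tries to write /etc/printcap
	#
	dontaudit $1_t usr_t:file setattr;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	#
	# Added to allow reading of cdrom
	#
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	#
	# Running ifconfig as a user generates the following
	#
	dontaudit $1_t sysctl_net_t:dir search;

	dontaudit $1_t default_context_t:dir search;

	r_dir_file($1_t, usercanread)

	tunable_policy(`allow_execmod',`
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1_t texrel_shlib_t:file execmod;
	')

	allow $1_t fs_type:dir getattr;

	# old "file_browse_domain":
	# Regular files/directories that are not security sensitive
	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
	dontaudit $1_t file_type - secure_file_type:dir { read search };
	# /dev
	dontaudit $1_t dev_fs:dir_file_class_set getattr;
	dontaudit $1_t dev_fs:dir { read search };
	# /proc
	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
	dontaudit $1_t proc_fs:dir { read search };

	tunable_policy(`user_rw_noexattrfile',`
		create_dir_file($1_t, noexattrfile)
		# Write floppies
		storage_raw_read_removable_device($1_t)
		storage_raw_write_removable_device($1_t)
		# cjp: what does this have to do with removable devices?
		allow $1_t usbtty_device_t:chr_file write;
	',`
		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;
	')

	allow $1_t usbtty_device_t:chr_file read;

	can_resmgrd_connect($1_t)

	# Grant permissions to access the system DBus
	ifdef(`dbusd.te', `
		dbusd_client(system, $1)
		can_network_server_tcp($1_dbusd_t)
		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;

		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_client($1, $1)
		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_domain($1)
		ifdef(`hald.te', `
			allow $1_t hald_t:dbus send_msg;
			allow hald_t $1_t:dbus send_msg;
		')
	')

	# Gnome panel binds to the following
	ifdef(`cups.te', `
		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
	')

	ifdef(`inetd.te', `
		# Connect to inetd.
		can_tcp_connect($1_t, inetd_t)
		can_udp_send($1_t, inetd_t)
		can_udp_send(inetd_t, $1_t)
		# Inherit and use sockets from inetd
		allow $1_t inetd_t:fd use;
		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
	')

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	ifdef(`xserver.te', `
		# for /tmp/.ICE-unix
		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
	')

	ifdef(`xdm.te', `
		# Connect to the X server run by the X Display Manager.
		can_unix_connect($1_t, xdm_t)
		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
		allow $1_t xdm_tmp_t:dir r_dir_perms;
		allow $1_t xdm_tmp_t:file r_file_perms;
		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
		allow $1_t xdm_xserver_tmp_t:dir search;
		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
		# certain apps want to read xdm.pid file
		r_dir_file($1_t, xdm_var_run_t)
		allow $1_t xdm_var_lib_t:file r_file_perms;
		allow xdm_t $1_home_dir_t:dir getattr;
		ifdef(`xauth.te', `
			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
		')

		# for shared memory
		allow xdm_xserver_t $1_tmpfs_t:file { read write };

	')

	ifdef(`rpcd.te', `
		create_dir_file($1_t, nfsd_rw_t)
	')

	#
	# Allow graphical boot to check battery lifespan
	#
	ifdef(`apmd.te', `
		allow $1_t apmd_t:unix_stream_socket connectto;
		allow $1_t apmd_var_run_t:sock_file write;
	')

	ifdef(`pamconsole.te', `
		allow $1_t pam_var_console_t:dir search;
	')

	') dnl endif TODO

')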
b16c6b8c | 427 | |
8fd36732 CP |
428 | ####################################### |
429 | ## <summary> | |
430 | ## The template for creating an unprivileged user. | |
431 | ## </summary> | |
432 | ## <desc> | |
433 | ## <p> | |
434 | ## This template creates a user domain, types, and | |
435 | ## rules for the user's tty, pty, home directories, | |
436 | ## tmp, and tmpfs files. | |
437 | ## </p> | |
438 | ## </desc> | |
439 | ## <param name="userdomain_prefix"> | |
440 | ## The prefix of the user domain (e.g., user | |
441 | ## is the prefix for user_t). | |
442 | ## </param> | |
b16c6b8c | 443 | # |
template(`unpriv_user_template', `
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_template($1)

	# Membership in unpriv_userdomain is what base_user_template keys its
	# cross-user "fd use" rule on.
	typeattribute $1_t unpriv_userdomain; #, web_client_domain
	domain_wide_inherit_fd($1_t)

	#typeattribute $1_devpts_t userpty_type, user_tty_type;
	#typeattribute $1_home_dir_t user_home_dir_type;
	#typeattribute $1_home_t user_home_type;

	typeattribute $1_tmp_t user_tmpfile;

	typeattribute $1_tty_device_t user_ttynode;

	##############################
	#
	# Local policy
	#

	# Full read/write/setattr on the user's own ptys; no relabel permissions.
	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	# presumably sets up the /tmp type transition to $1_tmp_t -- see the files interface
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# privileged home directory writers
	# Domains carrying the privhome attribute get full control of $1_home_t
	# objects, and what they create under the home directory is labelled
	# $1_home_t by the type_transition below.
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	dev_read_sysfs($1_t)

	# cjp: why?
	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_etc_files($1_t)
	files_list_home($1_t)
	files_read_usr_files($1_t)
	files_exec_usr_files($1_t)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_t)
	files_read_world_readable_files($1_t)
	files_read_world_readable_symlinks($1_t)
	files_read_world_readable_pipes($1_t)
	files_read_world_readable_sockets($1_t)

	init_read_script_pid($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_write_script_pid($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fd($1_t)
	init_dontaudit_use_script_fd($1_t)

	miscfiles_read_man_pages($1_t)

	seutil_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	seutil_exec_checkpol($1_t)

	# user_dmesg off: silence the denial rather than grant the read.
	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)
	',`
		kernel_dontaudit_read_ring_buffer($1_t)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_port($1_t)
	')

	optional_policy(`kerberos.te',`
		kerberos_use($1_t)
	')

	optional_policy(`loadkeys.te',`
		loadkeys_run($1_t,$1_r,$1_tty_device_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_module_conf($1_t)
	')

	optional_policy(`selinuxutil.te',`
		# for when the network connection is killed
		seutil_dontaudit_signal_newrole($1_t)
	')

	# Need the following rule to allow users to run vpnc
	optional_policy(`xserver.te', `
		corenetwork_bind_tcp_on_xserver_port($1_t)
	')

	# Legacy rules: everything inside this ifdef is only expanded when the
	# m4 symbol TODO is defined, so it is inert in a normal build.
	ifdef(`TODO',`

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	ifdef(`xdm.te', `
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;
		#
		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
		#
		dontaudit xdm_t $1_home_t:file rw_file_perms;
	')

	ifdef(`ftpd.te', `
		tunable_policy(`ftp_home_dir',`
			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
		')
	')

	# Stat lost+found.
	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	allow $1_t var_t:dir r_dir_perms;
	allow $1_t var_t:notdevfile_class_set r_file_perms;
	allow $1_t var_spool_t:dir r_dir_perms;
	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
	allow $1_t var_run_t:dir r_dir_perms;
	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	tunable_policy(`user_rw_usb',`
		rw_dir_create_file($1_t,usbdevfs_t)
	',`
		r_dir_file($1_t,usbdevfs_t)
	')

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
		# Some programs that are left in $1_t will try to connect
		# to syslogd, but we do not want to let them generate log messages.
		# Do not audit.
		dontaudit $1_t devlog_t:sock_file { read write };
		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
	')

	allow $1_t initrc_t:fifo_file write;

	ifdef(`user_can_mount', `
		#
		# Allow users to mount file systems like floppies and cdrom
		#
		mount_domain($1, $1_mount, `, fs_domain')
		r_dir_file($1_t, mnt_t)
		allow $1_mount_t device_t:lnk_file read;
		allow $1_mount_t removable_device_t:blk_file read;
		allow $1_mount_t iso9660_t:filesystem relabelfrom;
		allow $1_mount_t removable_t:filesystem { mount relabelto };
		allow $1_mount_t removable_t:dir mounton;
		ifdef(`xdm.te', `
			allow $1_mount_t xdm_t:fd use;
			allow $1_mount_t xdm_t:fifo_file { read write };
		')
	')

	') dnl end TODO
')
4d8ddf9a | 642 | |
8fd36732 CP |
643 | ####################################### |
644 | ## <summary> | |
645 | ## The template for creating an administrative user. | |
646 | ## </summary> | |
647 | ## <desc> | |
648 | ## <p> | |
649 | ## This template creates a user domain, types, and | |
650 | ## rules for the user's tty, pty, home directories, | |
651 | ## tmp, and tmpfs files. | |
652 | ## </p> | |
2ec4c9d3 | 653 | ## <p> |
8fd36732 CP |
654 | ## The privileges given to administrative users are: |
655 | ## <ul> | |
656 | ## <li>Raw disk access</li> | |
657 | ## <li>Set all sysctls</li> | |
658 | ## <li>All kernel ring buffer controls</li> | |
659 | ## <li>Set SELinux enforcement mode (enforcing/permissive)</li> | |
660 | ## <li>Set SELinux booleans</li> | |
661 | ## <li>Relabel all files but shadow</li> | |
662 | ## <li>Create, read, write, and delete all files but shadow</li> | |
663 | ## <li>Manage source and binary format SELinux policy</li> | |
664 | ## <li>Run insmod</li> | |
665 | ## </ul> | |
2ec4c9d3 CP |
666 | ## </p> |
667 | ## </desc> | |
8fd36732 CP |
668 | ## <param name="userdomain_prefix"> |
669 | ## The prefix of the user domain (e.g., sysadm | |
670 | ## is the prefix for sysadm_t). | |
671 | ## </param> | |
4d8ddf9a | 672 | # |
8fd36732 | 673 | template(`admin_user_template',` |
0c73cd25 CP |
674 | ############################## |
675 | # | |
676 | # Declarations | |
677 | # | |
678 | ||
679 | # Inherit rules for ordinary users. | |
8fd36732 | 680 | base_user_template($1) |
0c73cd25 | 681 | |
493d6c4a | 682 | typeattribute $1_t privhome; #, admin, web_client_domain |
8bd67899 | 683 | domain_obj_id_change_exempt($1_t) |
0c73cd25 CP |
684 | role system_r types $1_t; |
685 | ||
686 | #ifdef(`direct_sysadm_daemon', `, priv_system_role') | |
687 | #; dnl end of sysadm_t type declaration | |
688 | ||
689 | typeattribute $1_devpts_t admin_terminal; | |
690 | ||
691 | typeattribute $1_tty_device_t admin_terminal; | |
692 | ||
693 | ############################## | |
694 | # | |
695 | # $1_t local policy | |
696 | # | |
697 | ||
698 | allow $1_t self:capability ~sys_module; | |
699 | allow $1_t self:process { setexec setfscreate }; | |
700 | ||
701 | # Set password information for other users. | |
702 | allow $1_t self:passwd { passwd chfn chsh }; | |
703 | ||
704 | # Skip authentication when pam_rootok is specified. | |
705 | allow $1_t self:passwd rootok; | |
706 | ||
707 | # Manipulate other users crontab. | |
708 | allow $1_t self:passwd crontab; | |
709 | ||
710 | # for the administrator to run TCP servers directly | |
711 | allow $1_t self:tcp_socket { acceptfrom connectto recvfrom }; | |
712 | ||
713 | allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; | |
0fd9dc55 | 714 | term_create_pty($1_t,$1_devpts_t) |
0c73cd25 | 715 | |
cc41a97c CP |
716 | allow $1_t $1_tmp_t:dir create_dir_perms; |
717 | allow $1_t $1_tmp_t:file create_file_perms; | |
718 | allow $1_t $1_tmp_t:lnk_file create_file_perms; | |
719 | allow $1_t $1_tmp_t:fifo_file create_file_perms; | |
720 | allow $1_t $1_tmp_t:sock_file create_file_perms; | |
c9428d33 | 721 | files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) |
0c73cd25 CP |
722 | |
723 | kernel_read_system_state($1_t) | |
724 | kernel_read_network_state($1_t) | |
725 | kernel_read_software_raid_state($1_t) | |
0fd9dc55 CP |
726 | kernel_getattr_core($1_t) |
727 | kernel_getattr_message_if($1_t) | |
0c73cd25 CP |
728 | kernel_change_ring_buffer_level($1_t) |
729 | kernel_clear_ring_buffer($1_t) | |
730 | kernel_read_ring_buffer($1_t) | |
731 | kernel_get_sysvipc_info($1_t) | |
0fd9dc55 | 732 | kernel_rw_all_sysctl($1_t) |
8fd36732 CP |
733 | # signal unlabeled processes: |
734 | kernel_kill_unlabeled($1_t) | |
735 | kernel_signal_unlabeled($1_t) | |
736 | kernel_sigstop_unlabeled($1_t) | |
737 | kernel_signull_unlabeled($1_t) | |
738 | kernel_sigchld_unlabeled($1_t) | |
2ec4c9d3 CP |
739 | # for the administrator to run TCP servers directly |
740 | kernel_tcp_recvfrom($1_t) | |
741 | ||
742 | corenet_tcp_bind_generic_port($1_t) | |
743 | # allow setting up tunnels | |
744 | corenet_use_tun_tap_device($1_t) | |
745 | ||
746 | dev_getattr_generic_blk_file($1_t) | |
747 | dev_getattr_generic_chr_file($1_t) | |
748 | dev_getattr_all_blk_files($1_t) | |
749 | dev_getattr_all_chr_files($1_t) | |
750 | ||
751 | fs_getattr_all_fs($1_t) | |
752 | fs_set_all_quotas($1_t) | |
8fd36732 | 753 | |
5e0da6a0 CP |
754 | selinux_set_enforce_mode($1_t) |
755 | selinux_set_boolean($1_t) | |
756 | selinux_set_parameters($1_t) | |
0c73cd25 | 757 | # Get security policy decisions: |
5e0da6a0 CP |
758 | selinux_get_fs_mount($1_t) |
759 | selinux_validate_context($1_t) | |
760 | selinux_compute_access_vector($1_t) | |
761 | selinux_compute_create_context($1_t) | |
762 | selinux_compute_relabel_context($1_t) | |
763 | selinux_compute_user_contexts($1_t) | |
0c73cd25 | 764 | |
0c73cd25 CP |
765 | storage_raw_read_removable_device($1_t) |
766 | storage_raw_write_removable_device($1_t) | |
767 | ||
0fd9dc55 CP |
768 | term_use_console($1_t) |
769 | term_use_unallocated_tty($1_t) | |
770 | term_use_all_user_ptys($1_t) | |
771 | term_use_all_user_ttys($1_t) | |
0c73cd25 | 772 | |
2ec4c9d3 | 773 | auth_getattr_shadow($1_t) |
0c73cd25 | 774 | # Manage almost all files |
c9428d33 | 775 | auth_manage_all_files_except_shadow($1_t) |
0c73cd25 | 776 | # Relabel almost all files |
c9428d33 | 777 | auth_relabel_all_files_except_shadow($1_t) |
0c73cd25 | 778 | |
c9428d33 CP |
779 | domain_setpriority_all_domains($1_t) |
780 | domain_read_all_domains_state($1_t) | |
0c73cd25 CP |
781 | # signal all domains: |
782 | domain_kill_all_domains($1_t) | |
783 | domain_signal_all_domains($1_t) | |
784 | domain_signull_all_domains($1_t) | |
785 | domain_sigstop_all_domains($1_t) | |
786 | domain_sigstop_all_domains($1_t) | |
787 | domain_sigchld_all_domains($1_t) | |
788 | # for lsof |
789 | domain_getattr_all_sockets($1_t) | |
0c73cd25 | 790 | |
c9428d33 | 791 | files_exec_usr_files($1_t) |
0c73cd25 | 792 | |
c9428d33 | 793 | init_use_initctl($1_t) |
0c73cd25 | 794 | |
c9428d33 | 795 | logging_send_syslog_msg($1_t) |
0c73cd25 | 796 | |
c9428d33 | 797 | modutils_domtrans_insmod($1_t) |
0c73cd25 | 798 | |
5e0da6a0 | 799 | seutil_read_config($1_t) |
800 | # The following rule is temporary until such time that a complete |
801 | # policy management infrastructure is in place so that an administrator | |
802 | # cannot directly manipulate policy files with arbitrary programs. | |
5e0da6a0 | 803 | seutil_manage_src_pol($1_t) |
804 | # Violates the goal of limiting write access to checkpolicy. |
805 | # But presently necessary for installing the file_contexts file. | |
5e0da6a0 | 806 | seutil_manage_binary_pol($1_t) |
807 | |
808 | optional_policy(`cron.te',` | |
809 | cron_admin_template($1) | |
810 | ') | |
811 | ||
812 | ifdef(`TODO',` | |
813 | ||
814 | # for lsof |
815 | allow $1_t mtrr_device_t:file getattr; | |
816 | ||
817 | # for lsof |
818 | allow $1_t eventpollfs_t:file getattr; | |
0c73cd25 | 819 | |
2ec4c9d3 | 820 | allow $1_t serial_device:chr_file setattr; |
821 | |
822 | allow $1_t ptyfile:chr_file getattr; | |
823 | ||
824 | # Run admin programs that require different permissions in their own domain. |
825 | # These rules were moved into the appropriate program domain file. | |
826 | ||
827 | ifdef(`xserver.te', ` |
828 | # Create files in /tmp/.X11-unix with our X servers derived | |
829 | # tmp type rather than user_xserver_tmp_t. | |
830 | file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) | |
831 | ') |
832 | ||
2ec4c9d3 | 833 | |
0c73cd25 | 834 | ifdef(`xdm.te', ` |
835 | tunable_policy(`xdm_sysadm_login',` |
836 | allow xdm_t $1_home_t:lnk_file read; | |
837 | allow xdm_t $1_home_t:dir search; | |
0c73cd25 | 838 | ') |
2ec4c9d3 | 839 | allow $1_t xdm_t:fifo_file rw_file_perms; |
840 | ') |
841 | ||
842 | # Connect data port to ftpd. |
843 | ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') | |
844 | ||
845 | # Connect second port to rshd. | |
846 | ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') | |
847 | ||
848 | # Allow MAKEDEV to work | |
849 | allow $1_t device_t:dir rw_dir_perms; | |
850 | allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; | |
851 | allow $1_t device_t:lnk_file { create read }; | |
852 | ||
853 | # |
854 | # A user who is authorized for sysadm_t may nonetheless have | |
855 | # a home directory labeled with user_home_t if the user is expected | |
856 | # to login in either user_t or sysadm_t. Hence, the derived domains | |
857 | # for programs need to be able to access user_home_t. | |
858 | # | |
4d8ddf9a | 859 | |
860 | # Allow our gph domain to write to .xsession-errors. |
861 | ifdef(`gnome-pty-helper.te', ` | |
862 | allow $1_gph_t user_home_dir_type:dir rw_dir_perms; | |
863 | allow $1_gph_t user_home_type:file create_file_perms; | |
864 | ') | |
4d8ddf9a | 865 | |
866 | # Run programs from staff home directories. |
867 | # Not ideal, but typical if users want to login as both sysadm_t or staff_t. | |
868 | can_exec($1_t, staff_home_t) | |
0c73cd25 | 869 | ') dnl endif TODO |
4d8ddf9a | 870 | ') |
490639cd | 871 | |
########################################
## <summary>
##	Execute a shell in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# spec_domtrans: the transition into any userdomain member is
	# permitted but not automatic; the caller sets the new context.
	corecmd_shell_spec_domtrans($1,userdomain)
')
889 | ||
########################################
## <summary>
##	Execute a shell in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# same shape as userdom_spec_domtrans_all_users, restricted to
	# the unprivileged subset of user domains.
	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
')
907 | ||
########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_shell_domtrans_sysadm',`
	ifdef(`targeted_policy',`
		# under targeted policy the unconfined domain is used in
		# place of sysadm_t for this transition.
		#cjp: need to doublecheck this one
		unconfined_shell_domtrans($1)
	',`
		gen_require(`
			type sysadm_t;
			class fd use;
			class fifo_file rw_file_perms;
			class process sigchld;
		')

		corecmd_shell_domtrans($1,sysadm_t)

		# both sides may use descriptors inherited across the
		# transition; the sysadm_t child may also use the caller's
		# pipes and deliver sigchld back to it on exit.
		allow $1 sysadm_t:fd use;
		allow sysadm_t $1:fd use;
		allow sysadm_t $1:fifo_file rw_file_perms;
		allow sysadm_t $1:process sigchld;
	')
')
936 | ||
########################################
## <summary>
##	Search the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
		class dir search;
	')

	# search on the home base directory is needed to reach
	# staff_home_dir_t at all; only the search permission is granted.
	files_search_home($1)
	allow $1 staff_home_dir_t:dir search;
')
954 | ||
########################################
## <summary>
##	Do not audit attempts to search the staff
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
		class dir search;
	')

	# only the staff_home_dir_t denial is silenced; unlike the
	# allow variant, no files_search_home() is granted here.
	dontaudit $1 staff_home_dir_t:dir search;
')
972 | ||
########################################
## <summary>
##	Read files in the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_staff_home_files',`
	gen_require(`
		type staff_home_dir_t, staff_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	# read-only: directory listing of the home directory and its
	# staff_home_t subdirectories, plus read of files and symlinks.
	files_search_home($1)
	allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
	allow $1 staff_home_t:{ file lnk_file } r_file_perms;
')
993 | ||
########################################
## <summary>
##	Read and write sysadm ttys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# targeted policy: the unallocated tty type stands in for
		# the sysadm-specific one.
		term_use_unallocated_tty($1)
	',`
		gen_require(`
			type sysadm_tty_device_t;
			class chr_file rw_term_perms;
		')

		# directory access so the device node can be reached
		# (presumably /dev and /dev/pts — verify against the
		# dev and term interfaces).
		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
	')
')
1016 | ||
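########################################
## <summary>
##	Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# mirrors userdom_use_sysadm_tty, which grants the
		# unallocated tty under targeted policy.
		term_dontaudit_use_unallocated_tty($1)
	',`
		gen_require(`
			# sysadm_tty_device_t is declared as a type (see
			# userdom_use_sysadm_tty and the per-user
			# $1_tty_device_t declaration); requiring it as an
			# attribute does not match that declaration.
			type sysadm_tty_device_t;
			class chr_file { read write };
		')

		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
	')
')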
1037 | ||
########################################
## <summary>
##	Read and write sysadm ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_pty',`
	ifdef(`targeted_policy',`
		# targeted policy: the generic pty type stands in for
		# the sysadm-specific one.
		term_use_generic_pty($1)
	',`
		gen_require(`
			type sysadm_devpts_t;
			class chr_file rw_term_perms;
		')

		# same directory access as userdom_use_sysadm_tty so the
		# pty node can be reached.
		dev_list_all_dev_nodes($1)
		term_list_ptys($1)
		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
	')
')
1060 | ||
########################################
## <summary>
##	Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_terms',`
	# convenience wrapper: the targeted_policy handling lives in
	# the two called interfaces.
	userdom_use_sysadm_tty($1)
	userdom_use_sysadm_pty($1)
')
1073 | ||
########################################
## <summary>
##	Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
	ifdef(`targeted_policy',`
		# NOTE(review): only the generic pty denial is silenced on
		# this branch, although the summary covers ttys as well
		# (compare userdom_use_sysadm_terms) — confirm intended.
		term_dontaudit_use_generic_pty($1)
	',`
		gen_require(`
			attribute admin_terminal;
			class chr_file { read write };
		')

		# admin_terminal is an attribute, so one rule covers every
		# terminal type carrying it.
		dontaudit $1 admin_terminal:chr_file { read write };
	')
')
1094 | ||
########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_fd',`
	ifdef(`targeted_policy',`
		# under targeted policy the unconfined domain is used in
		# place of sysadm_t.
		#cjp: need to doublecheck this one
		unconfined_use_fd($1)
	',`
		gen_require(`
			type sysadm_t;
			class fd use;
		')

		# fd use only: no access to the objects behind the
		# descriptors is granted by this rule.
		allow $1 sysadm_t:fd use;
	')
')
1116 | ||
########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_rw_sysadm_pipe',`
	ifdef(`targeted_policy',`
		# under targeted policy the unconfined domain is used in
		# place of sysadm_t.
		#cjp: need to doublecheck this one
		unconfined_rw_pipe($1)
	',`
		gen_require(`
			type sysadm_t;
			class fifo_file rw_file_perms;
		')

		# pipes are labeled with the creating domain's type, hence
		# the fifo_file rule is against sysadm_t itself.
		allow $1 sysadm_t:fifo_file rw_file_perms;
	')
')
1138 | ||
########################################
## <summary>
##	Search the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
		class dir search;
	')

	# search on the home base directory is needed to reach
	# sysadm_home_dir_t at all; only the search permission is granted.
	files_search_home($1)
	allow $1 sysadm_home_dir_t:dir search;
')
1156 | ||
########################################
## <summary>
##	Do not audit attempts to search the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
		class dir search;
	')

	# only the sysadm_home_dir_t denial is silenced; unlike the
	# allow variant, no files_search_home() is granted here.
	dontaudit $1 sysadm_home_dir_t:dir search;
')
1174 | ||
########################################
## <summary>
##	Read files in the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_sysadm_home_files',`
	gen_require(`
		type sysadm_home_dir_t, sysadm_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	# read-only: directory listing of the home directory and its
	# sysadm_home_t subdirectories, plus read of files and symlinks.
	files_search_home($1)
	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
')
1195 | ||
########################################
## <summary>
##	Search all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_all_users_home',`
	gen_require(`
		attribute home_dir_type, home_type;
		class dir search;
	')

	# the per-user home directory types are members of both
	# attributes; listing both keeps the rule explicit.
	files_list_home($1)
	allow $1 { home_dir_type home_type }:dir search;
')
1213 | ||
########################################
## <summary>
##	Do not audit attempts to search all users home directories.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_all_users_home',`
	gen_require(`
		attribute home_dir_type, home_type;
		class dir search;
	')

	# counterpart of userdom_search_all_users_home; no
	# files_list_home() is granted here.
	dontaudit $1 { home_dir_type home_type }:dir search;
')
1230 | ||
########################################
## <summary>
##	Read all files in all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_all_user_files',`
	gen_require(`
		attribute home_type;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	# NOTE(review): only dir and file classes are covered; the
	# per-user read interfaces above also grant lnk_file read.
	# Whether symlinks were left out deliberately is not visible
	# here — confirm before widening.
	files_list_home($1)
	allow $1 home_type:dir r_dir_perms;
	allow $1 home_type:file r_file_perms;
')
1250 | ||
########################################
## <summary>
##	Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
	gen_require(`
		attribute user_tmpfile;
		class file { getattr write append };
	')

	# write/append to existing files only: no read, create or
	# unlink, and no search on the tmp directory itself (the
	# caller is presumably expected to have that — verify).
	allow $1 user_tmpfile:file { getattr write append };
')
1267 | ||
########################################
## <summary>
##	Inherit the file descriptors from all user domains
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
	gen_require(`
		attribute userdomain;
		class fd use;
	')

	# fd use only; access to the underlying objects is not granted.
	allow $1 userdomain:fd use;
')
1284 | ||
########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
		class process signal;
	')

	# "signal" only: sigkill, sigstop, sigchld and signull are
	# separate permissions and are not granted here.
	allow $1 userdomain:process signal;
')
1301 | ||
########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
		class process signal;
	')

	# same as userdom_signal_all_users, restricted to the
	# unprivileged subset.
	allow $1 unpriv_userdomain:process signal;
')
1318 | ||
########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_unpriv_users_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	# fd use only; access to the underlying objects is not granted.
	allow $1 unpriv_userdomain:fd use;
')
1335 | ||
########################################
## <summary>
##	Do not audit attempts to inherit the
##	file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	# counterpart of userdom_use_unpriv_users_fd: covers the
	# unprivileged subset, not all user domains.
	dontaudit $1 unpriv_userdomain:fd use;
')
1353 | ||
########################################
## <summary>
##	Do not audit attempts to use unprivileged
##	user ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
	gen_require(`
		attribute user_ttynode;
		class chr_file rw_file_perms;
	')

	# silences the full rw_file_perms set, not just read/write as
	# the sysadm tty dontaudit interfaces do.
	dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
1371 | |
########################################
## <summary>
##	Unconfined access to user domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`userdom_unconfined',`
	gen_require(`
		type user_home_dir_t;
		class dir create_dir_perms;
	')

	# NOTE(review): despite the name and summary, this interface
	# only grants creation of user_home_dir_t directories and the
	# home-directory creation helper. Whether the remaining
	# "unconfined" access is supplied elsewhere cannot be
	# determined from this interface — confirm.
	allow $1 user_home_dir_t:dir create_dir_perms;
	files_create_home_dirs($1,user_home_dir_t)
')