## <summary>Policy for user domains</summary>

#######################################
## <summary>
##	The template containing rules common to unprivileged
##	users and administrative users.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	This generally should not be used directly; the
##	unpriv_user_template or admin_user_template should
##	be used instead.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
#
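template(`base_user_template',`
	# Rules shared by every user domain. $1 is the domain prefix: this
	# template declares the process type $1_t, the role $1_r and the
	# $1_devpts_t, $1_home_t, $1_home_dir_t, $1_tmp_t, $1_tmpfs_t and
	# $1_tty_device_t types that unpriv_user_template and
	# admin_user_template then refine.
	attribute $1_file_type;

	type $1_t, userdomain;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	# user pseudoterminal
	type $1_devpts_t;
	term_user_pty($1_t,$1_devpts_t)

	# type for contents of home directory
	type $1_home_t, $1_file_type, home_type;
	files_type($1_home_t)

	# type of home directory
	type $1_home_dir_t, home_dir_type, home_type;
	# was files_type($1_home_t): a repeat of the call above that left
	# $1_home_dir_t as the only type declared here without files_type()
	files_type($1_home_dir_t)

	type $1_tmp_t, $1_file_type;
	files_tmp_file($1_tmp_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_tty_device_t;
	term_tty($1_t,$1_tty_device_t)

	##############################
	#
	# Local policy
	#

	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	# NOTE(review): the next rule grants ptrace and setfscreate, two of the
	# permissions the rule above explicitly excludes; allow rules are
	# cumulative, so the union takes effect. Confirm whether self-ptrace
	# is really intended for every user domain.
	allow $1_t self:process { ptrace setfscreate };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	dontaudit $1_t self:socket create;
	# Irrelevant until we have labeled networking.
	#allow $1_t self:udp_socket { sendto recvfrom };

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# execute files in the home directory
	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };

	# full control of the home directory
	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
	allow $1_t $1_home_dir_t:dir create_dir_perms;
	# objects the user creates directly under $1_home_dir_t are labeled $1_home_t
	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };

	# Bind to a Unix domain socket in /tmp.
	# cjp: this is combination is not checked and should be removed
	allow $1_t $1_tmp_t:unix_stream_socket name_bind;

	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
	allow $1_t $1_tmpfs_t:file create_file_perms;
	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
	fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )

	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };

	allow $1_t unpriv_userdomain:fd use;

	# Instantiate derived domains for a number of programs.
	# These derived domains encode both information about the calling
	# user domain and the program, and allow us to maintain separation
	# between different instances of the program being run by different
	# user domains.
	per_userdomain_templates($1)

	kernel_read_kernel_sysctl($1_t)
	selinux_get_fs_mount($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctl($1_t)

	dev_rw_power_management($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)

	# NOTE(review): this is the broadest network grant in the template:
	# send/receive on all interfaces, nodes and ports, and binding on all
	# nodes, for every user domain built from it.
	corenet_tcp_sendrecv_all_if($1_t)
	corenet_raw_sendrecv_all_if($1_t)
	corenet_udp_sendrecv_all_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_udp_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_all_nodes($1_t)
	corenet_udp_bind_all_nodes($1_t)
	# allow port_t name binding for UDP because it is not very usable otherwise
	corenet_udp_bind_generic_port($1_t)

	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_write_snd_dev($1_t)
	dev_read_snd_dev($1_t)
	dev_read_snd_mixer_dev($1_t)
	dev_write_snd_mixer_dev($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri_dev($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_search_auto_mountpoints($1_t)
	fs_exec_noxattr($1_t)

	# for eject
	storage_getattr_fixed_disk($1_t)

	auth_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)
	# pam and utempter run in their own domains on behalf of $1_r, with the
	# user tty and pty types as the terminals they may use
	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })

	corecmd_exec_bin($1_t)
	corecmd_exec_sbin($1_t)
	corecmd_exec_ls($1_t)

	domain_exec_all_entry_files($1_t)
	domain_use_wide_inherit_fd($1_t)
	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_t)
	domain_dontaudit_getsession_all_domains($1_t)

	files_exec_etc_files($1_t)
	files_read_usr_src_files($1_t)
	files_search_locks($1_t)

	# Caused by su - init scripts
	init_dontaudit_use_script_pty($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_exec_ld_so($1_t)
	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_rw_man_cache($1_t)
	# for running TeX programs
	miscfiles_read_tetex_data($1_t)
	miscfiles_exec_tetex_data($1_t)

	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

	mta_rw_spool($1_t)

	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`read_default_t',`
		files_list_default($1_t)
		files_read_default_files($1_t)
		files_read_default_symlinks($1_t)
		files_read_default_sockets($1_t)
		files_read_default_pipes($1_t)
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_t)
		fs_manage_nfs_files($1_t)
		fs_manage_nfs_symlinks($1_t)
		fs_manage_nfs_named_sockets($1_t)
		fs_manage_nfs_named_pipes($1_t)
		fs_execute_nfs_files($1_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_t)
		fs_manage_cifs_files($1_t)
		fs_manage_cifs_symlinks($1_t)
		fs_manage_cifs_named_sockets($1_t)
		fs_manage_cifs_named_pipes($1_t)
		fs_execute_cifs_files($1_t)
	')

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_t)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)
	')

	optional_policy(`inetd.te',`
		inetd_tcp_connect($1_t)
	')

	optional_policy(`nis.te',`
		nis_use_ypbind($1_t)
	')

	optional_policy(`mysql.te',`
		# the targeted policy gets an empty branch here
		ifdef(`targeted_policy',`',`
			tunable_policy(`allow_user_mysql_connect',`
				mysql_stream_connect($1_t)
			')
		')
	')

	optional_policy(`nscd.te',`
		nscd_use_socket($1_t)
	')

	optional_policy(`pcmcia.te',`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_t)
	')

	optional_policy(`quota.te',`
		quota_dontaudit_getattr_db($1_t)
	')

	optional_policy(`rpm.te',`
		files_getattr_var_lib_dir($1_t)
		files_search_var_lib($1_t)
	')

	optional_policy(`usermanage.te',`
		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
	')

	# Everything down to the matching dnl endif TODO is only expanded when
	# the TODO m4 symbol is defined (presumably not in normal builds): legacy
	# rules still written against raw types rather than interfaces.
	ifdef(`TODO',`

	#
	# Cups daemon running as user tries to write /etc/printcap
	#
	dontaudit $1_t usr_t:file setattr;

	# Check to see if cdrom is mounted
	allow $1_t mnt_t:dir { getattr search };

	#
	# Added to allow reading of cdrom
	#
	allow $1_t rpc_pipefs_t:dir getattr;
	allow $1_t nfsd_fs_t:dir getattr;
	allow $1_t binfmt_misc_fs_t:dir getattr;

	# /initrd is left mounted, various programs try to look at it
	dontaudit $1_t ramfs_t:dir getattr;

	#
	# Running ifconfig as a user generates the following
	#
	dontaudit $1_t sysctl_net_t:dir search;

	dontaudit $1_t default_context_t:dir search;

	r_dir_file($1_t, usercanread)

	tunable_policy(`allow_execmod',`
		# Allow text relocations on system shared libraries, e.g. libGL.
		allow $1_t texrel_shlib_t:file execmod;
	')

	allow $1_t fs_type:dir getattr;

	# old "file_browse_domain":
	# Regular files/directories that are not security sensitive
	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
	dontaudit $1_t file_type - secure_file_type:dir { read search };
	# /dev
	dontaudit $1_t dev_fs:dir_file_class_set getattr;
	dontaudit $1_t dev_fs:dir { read search };
	# /proc
	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
	dontaudit $1_t proc_fs:dir { read search };

	tunable_policy(`user_rw_noexattrfile',`
		create_dir_file($1_t, noexattrfile)
		# Write floppies
		storage_raw_read_removable_device($1_t)
		storage_raw_write_removable_device($1_t)
		# cjp: what does this have to do with removable devices?
		allow $1_t usbtty_device_t:chr_file write;
	',`
		r_dir_file($1_t, noexattrfile)
		r_dir_file($1_t, removable_t)
		allow $1_t removable_device_t:blk_file r_file_perms;
	')

	allow $1_t usbtty_device_t:chr_file read;

	can_resmgrd_connect($1_t)

	# Grant permissions to access the system DBus
	ifdef(`dbusd.te', `
		dbusd_client(system, $1)
		can_network_server_tcp($1_dbusd_t)
		allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;

		allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_client($1, $1)
		allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
		dbusd_domain($1)
		ifdef(`hald.te', `
			allow $1_t hald_t:dbus send_msg;
			allow hald_t $1_t:dbus send_msg;
		')
	')

	# Gnome pannel binds to the following
	ifdef(`cups.te', `
		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
	')

	ifdef(`inetd.te', `
		# Connect to inetd.
		can_tcp_connect($1_t, inetd_t)
		can_udp_send($1_t, inetd_t)
		can_udp_send(inetd_t, $1_t)
		# Inherit and use sockets from inetd
		allow $1_t inetd_t:fd use;
		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
	')

	# Connect to portmap.
	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

	ifdef(`xserver.te', `
		# for /tmp/.ICE-unix
		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
	')

	ifdef(`xdm.te', `
		# Connect to the X server run by the X Display Manager.
		can_unix_connect($1_t, xdm_t)
		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
		allow $1_t xdm_tmp_t:dir r_dir_perms;
		allow $1_t xdm_tmp_t:file r_file_perms;
		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
		allow $1_t xdm_xserver_tmp_t:dir search;
		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
		# certain apps want to read xdm.pid file
		r_dir_file($1_t, xdm_var_run_t)
		allow $1_t xdm_var_lib_t:file r_file_perms;
		allow xdm_t $1_home_dir_t:dir getattr;
		ifdef(`xauth.te', `
			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
		')

		# for shared memory
		allow xdm_xserver_t $1_tmpfs_t:file { read write };

	')

	ifdef(`rpcd.te', `
		create_dir_file($1_t, nfsd_rw_t)
	')

	#
	# Allow graphical boot to check battery lifespan
	#
	ifdef(`apmd.te', `
		allow $1_t apmd_t:unix_stream_socket connectto;
		allow $1_t apmd_var_run_t:sock_file write;
	')

	ifdef(`pamconsole.te', `
		allow $1_t pam_var_console_t:dir search;
	')

	') dnl endif TODO

')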
#######################################
## <summary>
##	The template for creating an unprivileged user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
#
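template(`unpriv_user_template', `
	# Unprivileged user domain: base_user_template plus the attributes
	# and rules that mark $1_t as an unpriv_userdomain.
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_template($1)

	typeattribute $1_t unpriv_userdomain; #, web_client_domain
	domain_wide_inherit_fd($1_t)

	#typeattribute $1_devpts_t userpty_type, user_tty_type;
	#typeattribute $1_home_dir_t user_home_dir_type;
	#typeattribute $1_home_t user_home_type;

	typeattribute $1_tmp_t user_tmpfile;

	typeattribute $1_tty_device_t user_ttynode;

	##############################
	#
	# Local policy
	#

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	# Rules used to associate a homedir as a mountpoint
	allow $1_home_t self:filesystem associate;
	allow $1_file_type $1_home_t:filesystem associate;

	# user temporary files
	allow $1_t $1_tmp_t:file create_file_perms;
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	# privileged home directory writers
	# (the privhome attribute is what admin_user_template adds to its $1_t)
	allow privhome $1_home_t:file create_file_perms;
	allow privhome $1_home_t:lnk_file create_lnk_perms;
	allow privhome $1_home_t:dir create_dir_perms;
	allow privhome $1_home_t:sock_file create_file_perms;
	allow privhome $1_home_t:fifo_file create_file_perms;
	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	dev_read_sysfs($1_t)

	# cjp: why?
	bootloader_read_kernel_symbol_table($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)

	files_read_etc_files($1_t)
	files_list_home($1_t)
	files_read_usr_files($1_t)
	files_exec_usr_files($1_t)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_t)
	files_read_world_readable_files($1_t)
	files_read_world_readable_symlinks($1_t)
	files_read_world_readable_pipes($1_t)
	files_read_world_readable_sockets($1_t)

	init_read_script_pid($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_write_script_pid($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fd($1_t)
	init_dontaudit_use_script_fd($1_t)

	miscfiles_read_man_pages($1_t)

	seutil_read_config($1_t)
	# Allow users to execute checkpolicy without a domain transition
	# so it can be used without privilege to write real binary policy file
	seutil_exec_checkpol($1_t)

	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)
	',`
		kernel_dontaudit_read_ring_buffer($1_t)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_port($1_t)
	')

	optional_policy(`kerberos.te',`
		kerberos_use($1_t)
	')

	optional_policy(`loadkeys.te',`
		loadkeys_run($1_t,$1_r,$1_tty_device_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`modutils.te',`
		modutils_read_module_conf($1_t)
	')

	optional_policy(`selinuxutil.te',`
		# for when the network connection is killed
		seutil_dontaudit_signal_newrole($1_t)
	')

	# Need the following rule to allow users to run vpnc
	optional_policy(`xserver.te', `
		# was corenetwork_bind_tcp_on_xserver_port(): every other
		# corenetwork call in this file uses the corenet_ prefix and the
		# corenet_<proto>_bind_<name>_port form, so the old spelling was
		# presumably left unexpanded by m4 whenever xserver.te was built
		corenet_tcp_bind_xserver_port($1_t)
	')

	# Everything down to the matching dnl end TODO is only expanded when the
	# TODO m4 symbol is defined (presumably not in normal builds).
	ifdef(`TODO',`

	dontaudit $1_t boot_t:lnk_file read;
	dontaudit $1_t boot_t:file read;

	# do not audit read on disk devices
	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;

	ifdef(`xdm.te', `
		allow xdm_t $1_home_t:lnk_file read;
		allow xdm_t $1_home_t:dir search;
		#
		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
		#
		dontaudit xdm_t $1_home_t:file rw_file_perms;
	')

	ifdef(`ftpd.te', `
		tunable_policy(`ftp_home_dir',`
			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
		')
	')

	# Stat lost+found.
	allow $1_t lost_found_t:dir getattr;

	# Read /var, /var/spool, /var/run.
	allow $1_t var_t:dir r_dir_perms;
	allow $1_t var_t:notdevfile_class_set r_file_perms;
	allow $1_t var_spool_t:dir r_dir_perms;
	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
	allow $1_t var_run_t:dir r_dir_perms;
	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
	allow $1_t var_lib_t:dir r_dir_perms;
	allow $1_t var_lib_t:file { getattr read };

	# Allow users to rw usb devices
	tunable_policy(`user_rw_usb',`
		rw_dir_create_file($1_t,usbdevfs_t)
	',`
		r_dir_file($1_t,usbdevfs_t)
	')

	# Do not audit write denials to /etc/ld.so.cache.
	dontaudit $1_t ld_so_cache_t:file write;

	dontaudit $1_t sysadm_home_t:file { read append };

	ifdef(`syslogd.te', `
		# Some programs that are left in $1_t will try to connect
		# to syslogd, but we do not want to let them generate log messages.
		# Do not audit.
		dontaudit $1_t devlog_t:sock_file { read write };
		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
	')

	allow $1_t initrc_t:fifo_file write;

	ifdef(`user_can_mount', `
		#
		# Allow users to mount file systems like floppies and cdrom
		#
		mount_domain($1, $1_mount, `, fs_domain')
		r_dir_file($1_t, mnt_t)
		allow $1_mount_t device_t:lnk_file read;
		allow $1_mount_t removable_device_t:blk_file read;
		allow $1_mount_t iso9660_t:filesystem relabelfrom;
		allow $1_mount_t removable_t:filesystem { mount relabelto };
		allow $1_mount_t removable_t:dir mounton;
		ifdef(`xdm.te', `
			allow $1_mount_t xdm_t:fd use;
			allow $1_mount_t xdm_t:fifo_file { read write };
		')
	')

	') dnl end TODO
')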
#######################################
## <summary>
##	The template for creating an administrative user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	The privileges given to administrative users are:
##	<ul>
##	<li>Raw disk access</li>
##	<li>Set all sysctls</li>
##	<li>All kernel ring buffer controls</li>
##	<li>Set SELinux enforcement mode (enforcing/permissive)</li>
##	<li>Set SELinux booleans</li>
##	<li>Relabel all files but shadow</li>
##	<li>Create, read, write, and delete all files but shadow</li>
##	<li>Manage source and binary format SELinux policy</li>
##	<li>Run insmod</li>
##	</ul>
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., sysadm
##	is the prefix for sysadm_t).
## </param>
#
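template(`admin_user_template',`
	# Administrative user domain: base_user_template plus the privhome
	# attribute, all capabilities except sys_module, and the kernel,
	# SELinux, storage, terminal and file-management grants listed below.
	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	base_user_template($1)

	typeattribute $1_t privhome; #, admin, web_client_domain
	domain_obj_id_change_exempt($1_t)
	role system_r types $1_t;

	#ifdef(`direct_sysadm_daemon', `, priv_system_role')
	#; dnl end of sysadm_t type declaration

	typeattribute $1_devpts_t admin_terminal;

	typeattribute $1_tty_device_t admin_terminal;

	##############################
	#
	# $1_t local policy
	#

	# every capability except sys_module; insmod is reached through the
	# modutils_domtrans_insmod() call further down instead
	allow $1_t self:capability ~sys_module;
	allow $1_t self:process { setexec setfscreate };

	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };

	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	# for the administrator to run TCP servers directly
	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };

	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
	term_create_pty($1_t,$1_devpts_t)

	allow $1_t $1_tmp_t:dir create_dir_perms;
	allow $1_t $1_tmp_t:file create_file_perms;
	# was create_file_perms; unpriv_user_template and the home and tmpfs
	# rules in base_user_template all use create_lnk_perms for lnk_file
	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
	allow $1_t $1_tmp_t:fifo_file create_file_perms;
	allow $1_t $1_tmp_t:sock_file create_file_perms;
	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctl($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	# for the administrator to run TCP servers directly
	kernel_tcp_recvfrom($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_use_tun_tap_device($1_t)

	dev_getattr_generic_blk_file($1_t)
	dev_getattr_generic_chr_file($1_t)
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_set_all_quotas($1_t)

	# the administrator can switch enforcement mode and flip booleans,
	# so this domain effectively controls the policy it is confined by
	selinux_set_enforce_mode($1_t)
	selinux_set_boolean($1_t)
	selinux_set_parameters($1_t)
	# Get security policy decisions:
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)

	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)

	term_use_console($1_t)
	term_use_unallocated_tty($1_t)
	term_use_all_user_ptys($1_t)
	term_use_all_user_ttys($1_t)

	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	# signal all domains (one duplicated domain_sigstop_all_domains call
	# was dropped; the list now mirrors the kernel_*_unlabeled one above):
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)

	files_exec_usr_files($1_t)

	init_use_initctl($1_t)

	logging_send_syslog_msg($1_t)

	modutils_domtrans_insmod($1_t)

	seutil_read_config($1_t)
	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_pol($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_binary_pol($1_t)

	optional_policy(`cron.te',`
		cron_admin_template($1)
	')

	# Everything down to the matching dnl endif TODO is only expanded when
	# the TODO m4 symbol is defined (presumably not in normal builds).
	ifdef(`TODO',`

	# for lsof
	allow $1_t mtrr_device_t:file getattr;

	# for lsof
	allow $1_t eventpollfs_t:file getattr;

	allow $1_t serial_device:chr_file setattr;

	allow $1_t ptyfile:chr_file getattr;

	# Run admin programs that require different permissions in their own domain.
	# These rules were moved into the appropriate program domain file.

	ifdef(`xserver.te', `
		# Create files in /tmp/.X11-unix with our X servers derived
		# tmp type rather than user_xserver_tmp_t.
		file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
	')


	ifdef(`xdm.te', `
		tunable_policy(`xdm_sysadm_login',`
			allow xdm_t $1_home_t:lnk_file read;
			allow xdm_t $1_home_t:dir search;
		')
		allow $1_t xdm_t:fifo_file rw_file_perms;
	')

	# Connect data port to ftpd.
	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

	# Connect second port to rshd.
	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

	# Allow MAKEDEV to work
	allow $1_t device_t:dir rw_dir_perms;
	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
	allow $1_t device_t:lnk_file { create read };

	#
	# A user who is authorized for sysadm_t may nonetheless have
	# a home directory labeled with user_home_t if the user is expected
	# to login in either user_t or sysadm_t. Hence, the derived domains
	# for programs need to be able to access user_home_t.
	#

	# Allow our gph domain to write to .xsession-errors.
	ifdef(`gnome-pty-helper.te', `
		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
		allow $1_gph_t user_home_type:file create_file_perms;
	')

	# Run programs from staff home directories.
	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
	can_exec($1_t, staff_home_t)
	') dnl endif TODO
')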
########################################
## <summary>
##	Execute a shell in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# shell entry into every type carrying the userdomain attribute; the
	# spec_ form is not automatic, the caller has to request the new
	# context with setexeccon() before the exec
	corecmd_shell_spec_domtrans($1,userdomain)
')
########################################
## <summary>
##	Execute a shell in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# same as userdom_spec_domtrans_all_users but limited to the types
	# carrying unpriv_userdomain, i.e. those built by unpriv_user_template;
	# the transition still has to be requested by the caller with setexeccon()
	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
')
########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
199895e2 916interface(`userdom_shell_domtrans_sysadm',`
c98340cf
CP
917 ifdef(`targeted_policy',`
918 #cjp: need to doublecheck this one
a42ca7eb 919 unconfined_shell_domtrans($1)
c98340cf
CP
920 ',`
921 gen_require(`
922 type sysadm_t;
df00b2e2
CP
923 class fd use;
924 class fifo_file rw_file_perms;
925 class process sigchld;
c98340cf 926 ')
0c73cd25 927
df00b2e2
CP
928 corecmd_shell_domtrans($1,sysadm_t)
929
930 allow $1 sysadm_t:fd use;
931 allow sysadm_t $1:fd use;
932 allow sysadm_t $1:fifo_file rw_file_perms;
933 allow sysadm_t $1:process sigchld;
c98340cf 934 ')
d490eb6b
CP
935')
936
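########################################
## <summary>
##	Search the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
		class dir search;
	')

	# This is an allow interface, not a dontaudit one: the parameter
	# documentation above was corrected accordingly.
	# Searching the home root is needed to reach the staff home directory.
	files_search_home($1)
	allow $1 staff_home_dir_t:dir search;
')
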
########################################
## <summary>
##	Do not audit attempts to search the staff
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_staff_home_dir',`
	gen_require(`
		type staff_home_dir_t;
		class dir search;
	')

	# Only silences the denial; no access is granted.
	dontaudit $1 staff_home_dir_t:dir search;
')

########################################
## <summary>
##	Read files in the staff users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_staff_home_files',`
	gen_require(`
		type staff_home_dir_t;
		type staff_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	files_search_home($1)

	# Read access to the home directory itself and to its contents,
	# including symlinks.
	allow $1 staff_home_dir_t:dir r_dir_perms;
	allow $1 staff_home_t:dir r_dir_perms;
	allow $1 staff_home_t:file r_file_perms;
	allow $1 staff_home_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Read and write sysadm ttys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		# Targeted policy has no sysadm-specific tty type.
		term_use_unallocated_tty($1)
	',`
		gen_require(`
			type sysadm_tty_device_t;
			class chr_file rw_term_perms;
		')

		# Directory access needed to open the device node.
		term_list_ptys($1)
		dev_list_all_dev_nodes($1)

		allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
	')
')

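########################################
## <summary>
##	Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_tty',`
	ifdef(`targeted_policy',`
		term_dontaudit_use_unallocated_tty($1)
	',`
		# sysadm_tty_device_t is declared as a type (see
		# userdom_use_sysadm_tty and base_user_template), not an
		# attribute; requiring it as an attribute does not match
		# the declaration.
		gen_require(`
			type sysadm_tty_device_t;
			class chr_file { read write };
		')

		# Only read and write denials are silenced.
		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
	')
')
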
########################################
## <summary>
##	Read and write sysadm ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_pty',`
	ifdef(`targeted_policy',`
		# Targeted policy has no sysadm-specific pty type.
		term_use_generic_pty($1)
	',`
		gen_require(`
			type sysadm_devpts_t;
			class chr_file rw_term_perms;
		')

		# Directory access needed to open the pty node.
		term_list_ptys($1)
		dev_list_all_dev_nodes($1)

		allow $1 sysadm_devpts_t:chr_file rw_term_perms;
	')
')

########################################
## <summary>
##	Read and write sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_terms',`
	# Convenience wrapper over the pty and tty interfaces.
	userdom_use_sysadm_pty($1)
	userdom_use_sysadm_tty($1)
')

########################################
## <summary>
##	Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
	ifdef(`targeted_policy',`
		term_dontaudit_use_generic_pty($1)
	',`
		gen_require(`
			attribute admin_terminal;
			class chr_file { read write };
		')

		# Covers every type carrying the admin_terminal attribute;
		# only read and write denials are silenced.
		dontaudit $1 admin_terminal:chr_file { read write };
	')
')

########################################
## <summary>
##	Inherit and use sysadm file descriptors.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_fd',`
	ifdef(`targeted_policy',`
		# Targeted policy: sysadm is the unconfined domain.
		#cjp: need to doublecheck this one
		unconfined_use_fd($1)
	',`
		gen_require(`
			type sysadm_t;
			class fd use;
		')

		allow $1 sysadm_t:fd use;
	')
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_rw_sysadm_pipe',`
	ifdef(`targeted_policy',`
		# Targeted policy: sysadm is the unconfined domain.
		#cjp: need to doublecheck this one
		unconfined_rw_pipe($1)
	',`
		gen_require(`
			type sysadm_t;
			class fifo_file rw_file_perms;
		')

		# Unnamed pipes are labeled with the creating domain's type.
		allow $1 sysadm_t:fifo_file rw_file_perms;
	')
')

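########################################
## <summary>
##	Search the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
		class dir search;
	')

	# This is an allow interface, not a dontaudit one: the parameter
	# documentation above was corrected accordingly.
	# Searching the home root is needed to reach the sysadm home directory.
	files_search_home($1)
	allow $1 sysadm_home_dir_t:dir search;
')
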
########################################
## <summary>
##	Do not audit attempts to search the sysadm
##	users home directory.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
	gen_require(`
		type sysadm_home_dir_t;
		class dir search;
	')

	# Only silences the denial; no access is granted.
	dontaudit $1 sysadm_home_dir_t:dir search;
')

########################################
## <summary>
##	Read files in the sysadm users home directory.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_sysadm_home_files',`
	gen_require(`
		type sysadm_home_dir_t;
		type sysadm_home_t;
		class dir r_dir_perms;
		class file r_file_perms;
		class lnk_file r_file_perms;
	')

	files_search_home($1)

	# Read access to the home directory itself and to its contents,
	# including symlinks.
	allow $1 sysadm_home_dir_t:dir r_dir_perms;
	allow $1 sysadm_home_t:dir r_dir_perms;
	allow $1 sysadm_home_t:file r_file_perms;
	allow $1 sysadm_home_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Search all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_search_all_users_home',`
	gen_require(`
		attribute home_dir_type;
		attribute home_type;
		class dir search;
	')

	# Note: this lists the home root (files_list_home), which is wider
	# than the files_search_home used by the per-user search interfaces.
	files_list_home($1)

	allow $1 home_dir_type:dir search;
	allow $1 home_type:dir search;
')

########################################
## <summary>
##	Do not audit attempts to search all users home directories.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_all_users_home',`
	gen_require(`
		attribute home_dir_type;
		attribute home_type;
		class dir search;
	')

	# Only silences the denials; no access is granted.
	dontaudit $1 home_dir_type:dir search;
	dontaudit $1 home_type:dir search;
')

########################################
## <summary>
##	Read all files in all users home directories.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_read_all_user_files',`
	gen_require(`
		attribute home_type;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	files_list_home($1)

	# Unlike userdom_read_staff_home_files and
	# userdom_read_sysadm_home_files, this does not grant lnk_file
	# read, so symlinks under home directories are not covered.
	allow $1 home_type:file r_file_perms;
	allow $1 home_type:dir r_dir_perms;
')

########################################
## <summary>
##	Write all unprivileged users files in /tmp.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
	gen_require(`
		attribute user_tmpfile;
		class file { getattr write append };
	')

	# Write-only: no read, create or unlink on the tmp files.
	allow $1 user_tmpfile:file { getattr write append };
')

########################################
## <summary>
##	Inherit the file descriptors from all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
	gen_require(`
		attribute userdomain;
		class fd use;
	')

	# Covers every type carrying the userdomain attribute.
	allow $1 userdomain:fd use;
')

########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
		class process signal;
	')

	# Only the generic signal permission, not sigkill/sigstop/sigchld.
	allow $1 userdomain:process signal;
')

########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
		class process signal;
	')

	# Only the generic signal permission, not sigkill/sigstop/sigchld.
	allow $1 unpriv_userdomain:process signal;
')

########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`userdom_use_unpriv_users_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	# Covers every type carrying the unpriv_userdomain attribute.
	allow $1 unpriv_userdomain:fd use;
')

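########################################
## <summary>
##	Do not audit attempts to inherit the
##	file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
	gen_require(`
		attribute unpriv_userdomain;
		class fd use;
	')

	# The rule targets unpriv_userdomain only (not all user domains);
	# the summary above was corrected to match.
	dontaudit $1 unpriv_userdomain:fd use;
')
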
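########################################
## <summary>
##	Do not audit attempts to use unprivileged
##	user ttys.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
	gen_require(`
		attribute user_ttynode;
		class chr_file rw_file_perms;
	')

	# Dontaudit interface: the parameter is the domain whose denials
	# are silenced, matching the other userdom_dontaudit_* interfaces.
	dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
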
########################################
## <summary>
##	Unconfined access to user domains.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`userdom_unconfined',`
	gen_require(`
		type user_home_dir_t;
		class dir create_dir_perms;
	')

	# Full directory rights on user_home_dir_t plus the ability to
	# create home directories with that label.
	files_create_home_dirs($1,user_home_dir_t)
	allow $1 user_home_dir_t:dir create_dir_perms;
')