1 ## <summary>Policy for user domains</summary>
3 #######################################
5 ## The template containing the most basic rules common to all users.
9 ## The template containing the most basic rules common to all users.
12 ## This template creates a user domain, types, and
13 ## rules for the user's tty and pty.
16 ## <param name="userdomain_prefix">
18 ## The prefix of the user domain (e.g., user
19 ## is the prefix for user_t).
24 template(`userdom_base_user_template',`
# Purpose: the rule set every user domain starts from. Declares the domain
# type $1_t with the userdomain and $1_usertype attributes plus the
# $1_file_type attribute, then grants tty/pty use, same-user IPC and
# read-mostly access to common filesystem locations.
# $1 is the prefix of the user domain (user -> user_t).
# NOTE(review): this listing drops the gen_require() block, optional_policy()
# wrappers and the closing lines of the template; verify nesting in the full file.
28 type user_devpts_t, user_tty_device_t;
29 class context contains;
32 attribute $1_file_type;
33 attribute $1_usertype;
# $1_t is given the $1_usertype attribute, so every rule written for
# $1_usertype below also covers $1_t; rules written for $1_t alone apply
# only to the primary domain.
35 type $1_t, userdomain, $1_usertype;
37 corecmd_shell_entry_type($1_t)
38 corecmd_bin_entry_type($1_t)
39 domain_user_exemption_target($1_t)
40 ubac_constrained($1_t)
44 term_user_pty($1_t, user_devpts_t)
46 term_user_tty($1_t, user_tty_device_t)
47 term_dontaudit_getattr_generic_ptys($1_t)
# Attribute-wide process rules: ptrace, signals and scheduler changes are
# allowed between any two domains carrying $1_usertype, not only within a
# single domain. Keep this scope in mind when adding new $1_usertype domains.
49 allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
50 allow $1_usertype $1_usertype:fd use;
# Keyring: every $1_usertype domain may create, read and modify keys held by $1_t.
51 allow $1_usertype $1_t:key { create view read write search link setattr };
# Same-user IPC: fifos, unix sockets, SysV shm/sem/msgq and context checks.
53 allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
54 allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
55 allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
56 allow $1_usertype $1_usertype:shm create_shm_perms;
57 allow $1_usertype $1_usertype:sem create_sem_perms;
58 allow $1_usertype $1_usertype:msgq create_msgq_perms;
59 allow $1_usertype $1_usertype:msg { send receive };
60 allow $1_usertype $1_usertype:context contains;
61 dontaudit $1_usertype $1_usertype:socket create;
# Terminal access: read/write plus setattr on the user pty and tty types.
63 allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
64 term_create_pty($1_usertype, user_devpts_t)
65 # avoid annoying messages on terminal hangup on role change
66 dontaudit $1_usertype user_devpts_t:chr_file ioctl;
68 allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
69 # avoid annoying messages on terminal hangup on role change
70 dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
72 application_exec_all($1_usertype)
# Kernel and device visibility: sysctl reads plus a run of dontaudit rules
# that silence noise from unlabeled objects, /proc and device nodes.
74 kernel_read_kernel_sysctls($1_usertype)
75 kernel_read_all_sysctls($1_usertype)
76 kernel_dontaudit_list_unlabeled($1_usertype)
77 kernel_dontaudit_getattr_unlabeled_files($1_usertype)
78 kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
79 kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
80 kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
81 kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
82 kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
83 kernel_dontaudit_list_proc($1_usertype)
85 dev_dontaudit_getattr_all_blk_files($1_usertype)
86 dev_dontaudit_getattr_all_chr_files($1_usertype)
87 dev_getattr_mtrr_dev($1_t)
89 # When the user domain runs ps, there will be a number of access
90 # denials when ps tries to search /proc. Do not audit these denials.
91 domain_dontaudit_read_all_domains_state($1_usertype)
92 domain_dontaudit_getattr_all_domains($1_usertype)
93 domain_dontaudit_getsession_all_domains($1_usertype)
94 dev_dontaudit_all_access_check($1_usertype)
# Read-only access to /etc, /mnt, the /var listing and /usr including /usr/src.
96 files_read_etc_files($1_usertype)
97 files_list_mnt($1_usertype)
98 files_list_var($1_usertype)
99 files_read_mnt_files($1_usertype)
100 files_dontaudit_access_check_mnt($1_usertype)
101 files_read_etc_runtime_files($1_usertype)
102 files_read_usr_files($1_usertype)
103 files_read_usr_src_files($1_usertype)
104 # Read directories and files with the readable_t type.
105 # This type is a general type for "world"-readable files.
106 files_list_world_readable($1_usertype)
107 files_read_world_readable_files($1_usertype)
108 files_read_world_readable_symlinks($1_usertype)
109 files_read_world_readable_pipes($1_usertype)
110 files_read_world_readable_sockets($1_usertype)
111 # old browser_domain():
112 files_dontaudit_getattr_all_dirs($1_usertype)
113 files_dontaudit_list_non_security($1_usertype)
114 files_dontaudit_getattr_all_files($1_usertype)
115 files_dontaudit_getattr_non_security_symlinks($1_usertype)
116 files_dontaudit_getattr_non_security_pipes($1_usertype)
117 files_dontaudit_getattr_non_security_sockets($1_usertype)
118 files_dontaudit_setattr_etc_runtime_files($1_usertype)
# Execute under /usr is granted to $1_t only, not to the whole attribute.
120 files_exec_usr_files($1_t)
122 fs_list_cgroup_dirs($1_usertype)
123 fs_dontaudit_rw_cgroup_files($1_usertype)
125 storage_rw_fuse($1_usertype)
127 auth_use_nsswitch($1_usertype)
129 init_stream_connect($1_usertype)
130 # The library functions always try to open read-write first,
131 # then fall back to read-only if it fails.
132 init_dontaudit_rw_utmp($1_usertype)
134 libs_exec_ld_so($1_usertype)
136 logging_send_audit_msgs($1_t)
# miscfiles_read_localization($1_t) is subsumed by the $1_usertype call at
# line 142 since $1_t carries that attribute; harmless, presumably a leftover.
138 miscfiles_read_localization($1_t)
139 miscfiles_read_generic_certs($1_t)
141 miscfiles_read_all_certs($1_usertype)
142 miscfiles_read_localization($1_usertype)
143 miscfiles_read_man_pages($1_usertype)
144 miscfiles_read_public_files($1_usertype)
# Executable memory and executable stack are conditional on the tunables and
# never granted unconditionally. The closing lines of each tunable_policy
# block are not shown in this listing.
146 tunable_policy(`allow_execmem',`
147 # Allow loading DSOs that require executable stack.
148 allow $1_t self:process execmem;
151 tunable_policy(`allow_execmem && allow_execstack',`
152 # Allow making the stack executable via mprotect.
153 allow $1_t self:process execstack;
# Numbering gaps (157, 161, 165) suggest each of these sits in its own
# optional_policy() block; fs_list_cgroup_dirs repeats line 122.
157 abrt_stream_connect($1_usertype)
161 fs_list_cgroup_dirs($1_usertype)
165 ssh_rw_stream_sockets($1_usertype)
171 #######################################
173 ## Allow a home directory for which the
174 ## role has read-only access.
178 ## Allow a home directory for which the
179 ## role has read-only access.
182 ## This does not allow execute access.
185 ## <param name="role">
190 ## <param name="userdomain">
197 interface(`userdom_ro_home_role',`
# Purpose: give role $1 and domain $2 read-only access to the user home
# directory (user_home_dir_t) and its contents (user_home_t): listing plus
# reading files, symlinks, fifos and sockets. Nothing here grants write,
# relabel or execute; the entrypoint rule only lets a user_home_t file serve
# as a domain entry point.
# NOTE(review): gen_require() and the closing lines are not shown in this listing.
199 type user_home_t, user_home_dir_t;
# Presumably needed so the role can reach the home types used by the
# type_member rule below -- verify against the full interface.
202 role $1 types { user_home_t user_home_dir_t };
204 ##############################
206 # Domain access to home dir
# Polyinstantiated home directories: member directories keep user_home_dir_t.
209 type_member $2 user_home_dir_t:dir user_home_dir_t;
211 # read-only home directory
212 allow $2 user_home_dir_t:dir list_dir_perms;
213 allow $2 user_home_t:dir list_dir_perms;
214 allow $2 user_home_t:file entrypoint;
215 read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
216 read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
217 read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
218 read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
223 #######################################
225 ## Allow a home directory for which the
226 ## role has full access.
230 ## Allow a home directory for which the
231 ## role has full access.
234 ## This does not allow execute access.
237 ## <param name="role">
242 ## <param name="userdomain">
249 interface(`userdom_manage_home_role',`
# Purpose: give role $1 and domain $2 full control of the home directory:
# create, delete, rename and relabel dirs, files, symlinks, sockets and fifos
# of every user_home_type, plus mounton and file transitions into user_home_t.
# Execute is still not granted here. NFS and CIFS home directories are
# covered only while the use_nfs_home_dirs / use_samba_home_dirs tunables
# are on.
# NOTE(review): gen_require() and the closing lines of the interface and of
# each tunable_policy block are not shown in this listing.
251 type user_home_t, user_home_dir_t;
252 attribute user_home_type;
255 role $1 types { user_home_type user_home_dir_t };
257 ##############################
259 # Domain access to home dir
# Polyinstantiated home directories: member directories keep user_home_dir_t.
262 type_member $2 user_home_dir_t:dir user_home_dir_t;
264 # full control of the home directory
265 allow $2 user_home_t:dir mounton;
266 allow $2 user_home_t:file entrypoint;
# Relabel in both directions across every user_home_type, so $2 can move
# objects between any of the home content types.
268 allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
269 allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
270 manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
271 manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
272 manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
273 manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
274 manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
275 relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
276 relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
277 relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
278 relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
279 relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
# Objects created directly inside the home directory default to user_home_t.
280 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
283 # cjp: this should probably be removed:
# This covers the home directory itself (delete, rename, relabel), not only
# its contents, which is why the note above questions it.
284 allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
286 tunable_policy(`use_nfs_home_dirs',`
289 fs_manage_nfs_dirs($2)
290 fs_manage_nfs_files($2)
291 fs_manage_nfs_symlinks($2)
292 fs_manage_nfs_named_sockets($2)
293 fs_manage_nfs_named_pipes($2)
296 tunable_policy(`use_samba_home_dirs',`
299 fs_manage_cifs_dirs($2)
300 fs_manage_cifs_files($2)
301 fs_manage_cifs_symlinks($2)
302 fs_manage_cifs_named_sockets($2)
303 fs_manage_cifs_named_pipes($2)
307 #######################################
309 ## Manage user temporary files
311 ## <param name="role">
313 ## Role allowed access.
316 ## <param name="domain">
318 ## Domain allowed access.
323 interface(`userdom_manage_tmp_role',`
# Purpose: role $1 and domain $2 get full management and relabel rights over
# every user_tmp_type, polyinstantiated /tmp membership, and a file
# transition so objects created under /tmp get user_tmp_t.
# NOTE(review): user_tmp_t is used below but its gen_require line and the
# closing lines are not shown in this listing.
325 attribute user_tmp_type;
329 role $1 types user_tmp_t;
331 files_poly_member_tmp($2, user_tmp_t)
333 manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
334 manage_files_pattern($2, user_tmp_type, user_tmp_type)
335 manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
336 manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
337 manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
338 files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
# Relabel is limited to user_tmp_type -> user_tmp_type, so $2 cannot move
# tmp content to or from other types through this interface.
339 relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
340 relabel_files_pattern($2, user_tmp_type, user_tmp_type)
341 relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
342 relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
343 relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
346 #######################################
348 ## Dontaudit search of user bin dirs.
350 ## <param name="domain">
352 ## Domain to not audit.
356 interface(`userdom_dontaudit_search_user_bin_dirs',`
# Purpose: silence denials when domain $1 searches home_bin_t directories.
# No access is granted; this only suppresses audit noise.
# NOTE(review): the gen_require for home_bin_t and the closing line are not shown.
361 dontaudit $1 home_bin_t:dir search_dir_perms;
364 #######################################
366 ## Execute user bin files.
368 ## <param name="domain">
370 ## Domain allowed access.
374 interface(`userdom_exec_user_bin_files',`
# Purpose: let domain $1 execute home_bin_t files located under the user home
# directory or any user_home_type directory, and search the home base dir to
# reach them. Execute only -- no write or relabel of home_bin_t is granted.
# NOTE(review): the closing line of the interface is not shown in this listing.
376 attribute user_home_type;
377 type home_bin_t, user_home_dir_t;
380 exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
381 files_search_home($1)
384 #######################################
386 ## Execute user temporary files.
388 ## <param name="domain">
390 ## Domain allowed access.
395 interface(`userdom_exec_user_tmp_files',`
# Purpose: let domain $1 execute user_tmp_t files, i.e. content a user wrote
# under /tmp. The login template in this file calls it only behind the
# allow_<prefix>_exec_content tunable; keep that gate when reusing it.
# Execute on sockets is only silenced, not granted.
# NOTE(review): the gen_require for user_tmp_t and the closing line are not shown.
400 exec_files_pattern($1, user_tmp_t, user_tmp_t)
401 dontaudit $1 user_tmp_t:sock_file execute;
405 #######################################
407 ## Role access for the user tmpfs type
408 ## that the user has full access to.
412 ## Role access for the user tmpfs type
413 ## that the user has full access to.
416 ## This does not allow execute access.
419 ## <param name="role">
421 ## Role allowed access.
424 ## <param name="domain">
426 ## Domain allowed access.
431 interface(`userdom_manage_tmpfs_role',`
# Purpose: role $1 and domain $2 get full management and relabel rights over
# every user_tmpfs_type, and a file transition so objects created on tmpfs
# get user_tmpfs_t. Execute is not granted here.
# NOTE(review): user_tmpfs_t is used below but its gen_require line and the
# closing lines are not shown in this listing.
433 attribute user_tmpfs_type;
437 role $1 types user_tmpfs_t;
439 manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
440 manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
441 manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
442 manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
443 manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
444 fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Relabel stays within user_tmpfs_type; no cross-type relabel is allowed here.
445 relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
446 relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
447 relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
448 relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
449 relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
452 #######################################
454 ## The interface allowing the user basic
455 ## network permissions
457 ## <param name="userdomain">
464 interface(`userdom_basic_networking',`
# Purpose: client-side networking for domain $1: create TCP/UDP sockets,
# send and receive on every generic interface, node and port, and connect to
# all TCP ports. No corenet_*_bind_* call appears here, so binding to
# labelled port types has to come from another interface or template.
# NOTE(review): the closing lines are not shown in this listing.
466 allow $1 self:tcp_socket create_stream_socket_perms;
467 allow $1 self:udp_socket create_socket_perms;
469 corenet_all_recvfrom_unlabeled($1)
470 corenet_all_recvfrom_netlabel($1)
471 corenet_tcp_sendrecv_generic_if($1)
472 corenet_udp_sendrecv_generic_if($1)
473 corenet_tcp_sendrecv_generic_node($1)
474 corenet_udp_sendrecv_generic_node($1)
475 corenet_tcp_sendrecv_all_ports($1)
476 corenet_udp_sendrecv_all_ports($1)
# Outbound connections to every TCP port type, with matching client packets.
477 corenet_tcp_connect_all_ports($1)
478 corenet_sendrecv_all_client_packets($1)
# Numbering gaps suggest the init_* and ipsec calls sit in optional_policy blocks.
481 init_tcp_recvfrom_all_daemons($1)
482 init_udp_recvfrom_all_daemons($1)
486 ipsec_match_default_spd($1)
491 #######################################
493 ## The template for creating a user xwindows client. (Deprecated)
495 ## <param name="userdomain_prefix">
497 ## The prefix of the user domain (e.g., user
498 ## is the prefix for user_t).
503 template(`userdom_xwindows_client_template',`
# Deprecated: emits a build-time warning pointing callers at xserver_role().
# Kept for existing callers; it wires $1_t to the X server, xdm sockets, pid
# and tmp files, and a few device nodes. $1 is the user domain prefix.
# NOTE(review): gen_require() and the closing lines are not shown in this listing.
504 refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
506 type $1_t, user_tmpfs_t;
509 dev_rw_xserver_misc($1_t)
510 dev_rw_power_management($1_t)
514 # open office is looking for the following
515 dev_getattr_agp_dev($1_t)
516 dev_dontaudit_rw_dri($1_t)
517 # GNOME checks for usb and other devices:
# Read/write on generic USB device nodes is granted, not just getattr.
519 dev_rw_generic_usb_dev($1_t)
521 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
522 xserver_xsession_entry_type($1_t)
523 xserver_dontaudit_write_log($1_t)
524 xserver_stream_connect_xdm($1_t)
525 # certain apps want to read xdm.pid file
526 xserver_read_xdm_pid($1_t)
527 # gnome-session creates socket under /tmp/.ICE-unix/
528 xserver_create_xdm_tmp_sockets($1_t)
529 # Needed for escd, remove if we get escd policy
530 xserver_manage_xdm_tmp_files($1_t)
533 #######################################
535 ## The template for allowing the user to change passwords.
537 ## <param name="userdomain_prefix">
539 ## The prefix of the user domain (e.g., user
540 ## is the prefix for user_t).
545 template(`userdom_change_password_template',`
# Purpose: let $1_t, under role $1_r, run chfn and passwd through the
# usermanage domain transitions so password and GECOS changes happen in
# those confined domains rather than in the user domain itself.
# NOTE(review): gen_require() and the closing line are not shown in this listing.
552 usermanage_run_chfn($1_t,$1_r)
553 usermanage_run_passwd($1_t,$1_r)
557 #######################################
559 ## The template containing rules common to unprivileged
560 ## users and administrative users.
564 ## This template creates a user domain, types, and
565 ## rules for the user's tty, pty, tmp, and tmpfs files.
568 ## <param name="userdomain_prefix">
570 ## The prefix of the user domain (e.g., user
571 ## is the prefix for user_t).
575 template(`userdom_common_user_template',`
# Purpose: rules shared by unprivileged and administrative users, layered on
# top of the base template: networking, wider kernel/state reads, device
# access, audit/syslog, SELinux userspace queries, and a long tail of
# desktop and service integrations. $1 is the user domain prefix; $1_r is
# the matching role.
# NOTE(review): this listing drops gen_require(), every optional_policy()
# wrapper and the closing lines; numbering gaps from line 672 onward mark
# where those wrappers were. Verify nesting in the full file.
577 attribute unpriv_userdomain;
580 userdom_basic_networking($1_usertype)
582 ##############################
584 # User domain Local policy
587 # evolution and gnome-session try to create a netlink socket
588 dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
589 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
# uevent netlink and generic sockets are allowed; the route/netlink ones
# above are only silenced.
590 allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
591 allow $1_t self:socket create_socket_perms;
# Inherited descriptors may be used across every unprivileged user domain.
593 allow $1_usertype unpriv_userdomain:fd use;
595 kernel_read_system_state($1_usertype)
596 kernel_read_network_state($1_usertype)
597 kernel_read_software_raid_state($1_usertype)
598 kernel_read_net_sysctls($1_usertype)
599 # Very permissive allowing every domain to see every type:
600 kernel_get_sysvipc_info($1_usertype)
601 # Find CDROM devices:
602 kernel_read_device_sysctls($1_usertype)
# Lets user domains trigger kernel module autoloading requests; review
# whether this is still needed on hardened builds.
603 kernel_request_load_module($1_usertype)
# UDP bind on generic nodes and ports; TCP bind is not granted here.
605 corenet_udp_bind_generic_node($1_usertype)
606 corenet_udp_bind_generic_port($1_usertype)
608 dev_read_rand($1_usertype)
609 dev_write_sound($1_usertype)
610 dev_read_sound($1_usertype)
611 dev_read_sound_mixer($1_usertype)
612 dev_write_sound_mixer($1_usertype)
614 files_exec_etc_files($1_usertype)
615 files_search_locks($1_usertype)
616 # Check to see if cdrom is mounted
617 files_search_mnt($1_usertype)
618 # cjp: perhaps should cut back on file reads:
619 files_read_var_files($1_usertype)
620 files_read_var_symlinks($1_usertype)
621 files_read_generic_spool($1_usertype)
622 files_read_var_lib_files($1_usertype)
624 files_getattr_lost_found_dirs($1_usertype)
625 files_read_config_files($1_usertype)
626 fs_read_noxattr_fs_files($1_usertype)
627 fs_read_noxattr_fs_symlinks($1_usertype)
628 fs_rw_cgroup_files($1_usertype)
630 application_getattr_socket($1_usertype)
# User domains may write both syslog and audit messages.
632 logging_send_syslog_msg($1_usertype)
633 logging_send_audit_msgs($1_usertype)
634 selinux_get_enforce_mode($1_usertype)
636 # cjp: some of this probably can be removed
637 selinux_get_fs_mount($1_usertype)
638 selinux_validate_context($1_usertype)
639 selinux_compute_access_vector($1_usertype)
640 selinux_compute_create_context($1_usertype)
641 selinux_compute_relabel_context($1_usertype)
642 selinux_compute_user_contexts($1_usertype)
645 storage_getattr_fixed_disk_dev($1_usertype)
647 auth_read_login_records($1_usertype)
# Domain transitions for pam and utempter helpers, bound to role $1_r.
648 auth_run_pam($1_t,$1_r)
649 auth_run_utempter($1_t,$1_r)
651 init_read_utmp($1_usertype)
653 seutil_read_file_contexts($1_usertype)
654 seutil_read_default_contexts($1_usertype)
# newrole runs in its own domain; checkpolicy and setfiles execute without
# a transition (exec, not run), so they stay in the user domain.
655 seutil_run_newrole($1_t,$1_r)
656 seutil_exec_checkpolicy($1_t)
657 seutil_exec_setfiles($1_usertype)
658 # for when the network connection is killed
659 # this is needed when a login role can change
661 seutil_dontaudit_signal_newrole($1_t)
663 tunable_policy(`user_direct_mouse',`
664 dev_read_mouse($1_usertype)
667 tunable_policy(`user_ttyfile_stat',`
668 term_getattr_all_ttys($1_t)
672 alsa_read_rw_config($1_usertype)
673 alsa_manage_home_files($1_t)
674 alsa_relabel_home_files($1_t)
678 # Allow graphical boot to check battery lifespan
679 apm_stream_connect($1_usertype)
683 canna_stream_connect($1_usertype)
# Role-granting calls (chrome, git session, nsplugin, sandbox, seunshare)
# add domain transitions reachable from $1_r.
687 chrome_role($1_r, $1_usertype)
691 colord_read_lib_files($1_usertype)
695 dbus_system_bus_client($1_usertype)
697 allow $1_usertype $1_usertype:dbus send_msg;
700 avahi_dbus_chat($1_usertype)
704 policykit_dbus_chat($1_usertype)
708 bluetooth_dbus_chat($1_usertype)
712 consolekit_dbus_chat($1_usertype)
713 consolekit_read_log($1_usertype)
717 devicekit_dbus_chat($1_usertype)
718 devicekit_dbus_chat_power($1_usertype)
719 devicekit_dbus_chat_disk($1_usertype)
723 evolution_dbus_chat($1_usertype)
724 evolution_alarm_dbus_chat($1_usertype)
728 gnome_dbus_chat_gconfdefault($1_usertype)
732 hal_dbus_chat($1_usertype)
736 kde_dbus_chat_backlighthelper($1_usertype)
740 modemmanager_dbus_chat($1_usertype)
744 networkmanager_dbus_chat($1_usertype)
745 networkmanager_read_lib_files($1_usertype)
749 vpn_dbus_chat($1_usertype)
754 git_session_role($1_r, $1_usertype)
758 inetd_use_fds($1_usertype)
759 inetd_rw_tcp_sockets($1_usertype)
763 inn_read_config($1_usertype)
764 inn_read_news_lib($1_usertype)
765 inn_read_news_spool($1_usertype)
769 lircd_stream_connect($1_usertype)
773 locate_read_lib_files($1_usertype)
776 # for running depmod as part of the kernel packaging process
778 modutils_read_module_config($1_usertype)
# Mail spool: read/write and queue management, not just submission.
782 mta_rw_spool($1_usertype)
783 mta_manage_queue($1_usertype)
784 mta_filetrans_home_content($1_usertype)
788 nsplugin_role($1_r, $1_usertype)
# Database client access is opt-in via tunables; closing lines not shown.
792 tunable_policy(`allow_user_mysql_connect',`
793 mysql_stream_connect($1_t)
798 oident_manage_user_content($1_t)
799 oident_relabel_user_content($1_t)
803 # to allow monitoring of pcmcia status
804 pcmcia_read_pid($1_usertype)
808 pcscd_read_pub_files($1_usertype)
809 pcscd_stream_connect($1_usertype)
813 tunable_policy(`allow_user_postgresql_connect',`
814 postgresql_stream_connect($1_usertype)
815 postgresql_tcp_connect($1_usertype)
820 resmgr_stream_connect($1_usertype)
824 rpc_dontaudit_getattr_exports($1_usertype)
825 rpc_manage_nfs_rw_content($1_usertype)
829 rpcbind_stream_connect($1_usertype)
833 samba_stream_connect_winbind($1_usertype)
837 sandbox_transition($1_usertype, $1_r)
841 seunshare_role_template($1, $1_r, $1_t)
845 slrnpull_search_spool($1_usertype)
850 #######################################
852 ## The template for creating a login user.
856 ## This template creates a user domain, types, and
857 ## rules for the user's tty, pty, home directories,
858 ## tmp, and tmpfs files.
861 ## <param name="userdomain_prefix">
863 ## The prefix of the user domain (e.g., user
864 ## is the prefix for user_t).
868 template(`userdom_login_user_template', `
# Purpose: build a login user domain from the base template plus full home,
# tmp and tmpfs management for role $1_r, an exec-content tunable, password
# changing, and the process/capability rules every login user needs.
# $1 is the user domain prefix.
# NOTE(review): this listing drops gen_require(), optional_policy() wrappers
# and all closing lines (template, ifelse, tunable_policy). Verify nesting
# in the full file.
870 class context contains;
873 userdom_base_user_template($1)
875 userdom_manage_home_role($1_r, $1_usertype)
877 userdom_manage_tmp_role($1_r, $1_usertype)
878 userdom_manage_tmpfs_role($1_r, $1_usertype)
# For every prefix except unconfined, a per-user boolean (default true)
# controls whether the user may execute files under /tmp and the home
# directory, including NFS/CIFS homes when those tunables are also on.
# Setting allow_<prefix>_exec_content to false is the hardening knob here.
880 ifelse(`$1',`unconfined',`',`
881 gen_tunable(allow_$1_exec_content, true)
883 tunable_policy(`allow_$1_exec_content',`
884 userdom_exec_user_tmp_files($1_usertype)
885 userdom_exec_user_home_content_files($1_usertype)
887 tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
888 fs_exec_nfs_files($1_usertype)
891 tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
892 fs_exec_cifs_files($1_usertype)
896 userdom_change_password_template($1)
898 ##############################
900 # User domain Local policy
# Capabilities are limited to setgid, chown and fowner; sys_nice and fsetid
# denials are only silenced.
903 allow $1_t self:capability { setgid chown fowner };
904 dontaudit $1_t self:capability { sys_nice fsetid };
# Complement set: every process permission except the six listed. Note that
# execmem/execstack/execheap are withheld here and only granted through the
# allow_execmem/allow_execstack tunables in the base template; setrlimit is
# withheld and its denials silenced on the next line.
906 allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
907 dontaudit $1_t self:process setrlimit;
908 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
910 allow $1_t self:context contains;
912 kernel_dontaudit_read_system_state($1_usertype)
913 kernel_dontaudit_list_all_proc($1_usertype)
915 dev_read_sysfs($1_usertype)
916 dev_read_urand($1_usertype)
918 domain_use_interactive_fds($1_usertype)
919 # Command completion can fire hundreds of denials
920 domain_dontaudit_exec_all_entry_files($1_usertype)
922 files_dontaudit_list_default($1_usertype)
923 files_dontaudit_read_default_files($1_usertype)
925 files_getattr_lost_found_dirs($1_usertype)
927 fs_get_all_fs_quotas($1_usertype)
928 fs_getattr_all_fs($1_usertype)
929 fs_search_all($1_usertype)
930 fs_list_inotifyfs($1_usertype)
931 fs_rw_anon_inodefs_files($1_usertype)
# Writes to login records are silenced, not allowed.
933 auth_dontaudit_write_login_records($1_t)
936 application_exec_all($1_t)
937 # The library functions always try to open read-write first,
938 # then fall back to read-only if it fails.
939 init_dontaudit_rw_utmp($1_t)
941 # Stop warnings about access to /dev/console
942 init_dontaudit_use_fds($1_usertype)
943 init_dontaudit_use_script_fds($1_usertype)
945 libs_exec_lib_files($1_usertype)
947 logging_dontaudit_getattr_all_logs($1_usertype)
949 # for running TeX programs
950 miscfiles_read_tetex_data($1_usertype)
951 miscfiles_exec_tetex_data($1_usertype)
953 seutil_read_config($1_usertype)
# Numbering gaps from here on suggest optional_policy() blocks per subsystem.
956 cups_read_config($1_usertype)
957 cups_stream_connect($1_usertype)
958 cups_stream_connect_ptal($1_usertype)
962 kerberos_use($1_usertype)
963 kerberos_filetrans_home_content($1_usertype)
967 mta_dontaudit_read_spool_symlinks($1_usertype)
971 quota_dontaudit_getattr_db($1_usertype)
975 rpm_read_db($1_usertype)
976 rpm_dontaudit_manage_db($1_usertype)
977 rpm_read_cache($1_usertype)
981 oddjob_run_mkhomedir($1_t, $1_r)
985 #######################################
987 ## The template for creating an unprivileged login user.
991 ## This template creates a user domain, types, and
992 ## rules for the user's tty, pty, home directories,
993 ## tmp, and tmpfs files.
996 ## <param name="userdomain_prefix">
998 ## The prefix of the user domain (e.g., user
999 ## is the prefix for user_t).
1003 template(`userdom_restricted_user_template',`
# Purpose: the unprivileged login user. Builds on the login template, tags
# $1_t with unpriv_userdomain, marks it as an interactive fd source, and
# allows uevent netlink sockets while silencing audit netlink sockets.
# $1 is the user domain prefix.
# NOTE(review): gen_require(), optional_policy() wrappers and closing lines
# are not shown in this listing.
1005 attribute unpriv_userdomain;
1008 userdom_login_user_template($1)
1010 typeattribute $1_t unpriv_userdomain;
1011 domain_interactive_fd($1_t)
1013 allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
# Audit netlink socket creation is denied for unprivileged users; only the
# audit noise is suppressed.
1014 dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
1016 ##############################
# loadkeys runs in its own domain, reachable from role $1_r.
1022 loadkeys_run($1_t, $1_r)
1026 #######################################
1028 ## The template for creating an unprivileged xwindows login user.
1032 ## The template for creating an unprivileged xwindows login user.
1035 ## This template creates a user domain, types, and
1036 ## rules for the user's tty, pty, home directories,
1037 ## tmp, and tmpfs files.
1040 ## <param name="userdomain_prefix">
1042 ## The prefix of the user domain (e.g., user
1043 ## is the prefix for user_t).
1047 template(`userdom_restricted_xwindows_user_template',`
# Purpose: the unprivileged graphical login user. Extends the restricted
# template with sound/video/wireless device access, the restricted X server
# role, dbus and the desktop services a session needs. $1 is the user
# domain prefix; $1_r the role.
# NOTE(review): gen_require(), optional_policy() wrappers and all closing
# lines are not shown in this listing; numbering gaps mark the wrappers.
1049 userdom_restricted_user_template($1)
1051 ##############################
1056 auth_role($1_r, $1_t)
1057 auth_search_pam_console_data($1_usertype)
1058 auth_dontaudit_read_login_records($1_usertype)
1060 dev_read_sound($1_usertype)
1061 dev_write_sound($1_usertype)
1062 # gnome keyring wants to read this.
1063 dev_dontaudit_read_rand($1_usertype)
1064 # temporarily allow since openoffice requires this
# This allow makes the dontaudit on line 1063 moot while it is present.
1065 dev_read_rand($1_usertype)
1067 dev_read_video_dev($1_usertype)
1068 dev_write_video_dev($1_usertype)
1069 dev_rw_wireless($1_usertype)
1071 libs_dontaudit_setattr_lib_files($1_usertype)
# Opt-in via user_rw_noexattrfile: full management of non-xattr and DOS
# filesystems plus raw read/write of removable block devices. Raw device
# writes bypass filesystem labeling, so leave the boolean off where
# removable media is not required. Closing line of the block not shown.
1073 tunable_policy(`user_rw_noexattrfile',`
1075 dev_rw_generic_usb_dev($1_usertype)
1077 fs_manage_noxattr_fs_files($1_usertype)
1078 fs_manage_noxattr_fs_dirs($1_usertype)
1079 fs_manage_dos_dirs($1_usertype)
1080 fs_manage_dos_files($1_usertype)
1081 storage_raw_read_removable_device($1_usertype)
1082 storage_raw_write_removable_device($1_usertype)
1085 logging_send_syslog_msg($1_usertype)
# The dontaudit below is overridden by the allow on line 1089 as long as
# both remain in the same block; presumably kept for when the allow is moved.
1086 logging_dontaudit_send_audit_msgs($1_t)
1088 # Need to do this just so screensaver will work. Should be moved to screensaver domain
1089 logging_send_audit_msgs($1_t)
1090 selinux_get_enforce_mode($1_t)
1091 seutil_exec_restorecond($1_t)
1092 seutil_read_file_contexts($1_t)
1093 seutil_read_default_contexts($1_t)
1095 xserver_restricted_role($1_r, $1_t)
1098 alsa_read_rw_config($1_usertype)
1101 # cjp: needed by KDE apps
1104 gnome_read_usr_config($1_usertype)
1105 gnome_role_gkeyringd($1, $1_r, $1_t)
1106 # cjp: telepathy F15 bugs
1107 telepathy_role($1_r, $1_t, $1)
1111 dbus_role_template($1, $1_r, $1_usertype)
1112 dbus_system_bus_client($1_usertype)
1113 allow $1_usertype $1_usertype:dbus send_msg;
1116 abrt_dbus_chat($1_usertype)
1117 abrt_run_helper($1_usertype, $1_r)
1121 consolekit_dontaudit_read_log($1_usertype)
1122 consolekit_dbus_chat($1_usertype)
1126 cups_dbus_chat($1_usertype)
1127 cups_dbus_chat_config($1_usertype)
1131 devicekit_dbus_chat($1_usertype)
1132 devicekit_dbus_chat_disk($1_usertype)
1133 devicekit_dbus_chat_power($1_usertype)
1137 fprintd_dbus_chat($1_t)
1142 openoffice_role_template($1, $1_r, $1_usertype)
1146 policykit_role($1_r, $1_usertype)
1150 pulseaudio_role($1_r, $1_usertype)
1151 pulseaudio_filetrans_admin_home_content($1_usertype)
1152 pulseaudio_filetrans_home_content($1_usertype)
1156 rtkit_scheduled($1_usertype)
1160 setroubleshoot_dontaudit_stream_connect($1_t)
1164 udev_read_db($1_usertype)
1168 wm_role_template($1, $1_r, $1_t)
1172 #######################################
1174 ## The template for creating an unprivileged user roughly
1175 ## equivalent to a regular linux user.
1179 ## The template for creating an unprivileged user roughly
1180 ## equivalent to a regular linux user.
1183 ## This template creates a user domain, types, and
1184 ## rules for the user's tty, pty, home directories,
1185 ## tmp, and tmpfs files.
1188 ## <param name="userdomain_prefix">
1190 ## The prefix of the user domain (e.g., user
1191 ## is the prefix for user_t).
1195 template(`userdom_unpriv_user_template', `
# Purpose: an unprivileged user roughly equivalent to an ordinary Linux
# account: the restricted X user plus the common user rules, then a few
# extras (port binds, fuse, /usr exec, removable media under a tunable, TCP
# server tunables) and role transitions into cron, gpg, java, wine, mount,
# postfix and ppp helper domains. $1 is the domain prefix; $1_r the role.
# NOTE(review): optional_policy() wrappers and all closing lines (template,
# ifndef, tunable_policy) are not shown in this listing.
1197 ##############################
1202 # Inherit rules for ordinary users.
1203 userdom_restricted_xwindows_user_template($1)
1204 userdom_common_user_template($1)
1206 ##############################
1211 # port access is audited even if dac would not have allowed it, so dontaudit it here
1212 # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
1213 # Need the following rule to allow users to run vpnc
1214 corenet_tcp_bind_xserver_port($1_t)
1215 corenet_tcp_bind_generic_node($1_usertype)
# storage_rw_fuse and files_exec_usr_files are already granted to
# $1_usertype by the base template; these $1_t calls are redundant with it.
1217 storage_rw_fuse($1_t)
1219 files_exec_usr_files($1_t)
# Exposes kernel symbol addresses to the user domain; worth re-checking
# whether any current user tooling still needs it.
1221 files_read_kernel_symbol_table($1_t)
# Execute from non-xattr filesystems only on non-MLS builds.
1223 ifndef(`enable_mls',`
1224 fs_exec_noxattr($1_t)
# Raw read/write of removable block devices is opt-in via the tunable.
1226 tunable_policy(`user_rw_noexattrfile',`
1227 fs_manage_noxattr_fs_files($1_t)
1228 fs_manage_noxattr_fs_dirs($1_t)
1230 storage_raw_read_removable_device($1_t)
1231 storage_raw_write_removable_device($1_t)
# Repeats line 1230; the gap at 1232 suggests this sits in a different
# conditional block -- verify against the full file.
1233 storage_raw_read_removable_device($1_t)
1237 miscfiles_read_hwdata($1_usertype)
1239 # Allow users to run TCP servers (bind to ports and accept connections from
1240 # the same domain and outside users); disabling this forces FTP passive mode
1241 # and may change other protocols.
1243 tunable_policy(`user_share_music',`
1244 corenet_tcp_bind_daap_port($1_usertype)
# user_tcp_server opens every unreserved TCP port to listening user
# processes; keep it off unless such servers are expected.
1247 tunable_policy(`user_tcp_server',`
1248 corenet_tcp_bind_all_unreserved_ports($1_usertype)
# The login template withholds setrlimit from $1_t; this tunable re-enables
# it for the whole $1_usertype attribute.
1251 tunable_policy(`user_setrlimit',`
1252 allow $1_usertype self:process setrlimit;
1256 cdrecord_role($1_r, $1_t)
1260 cron_role($1_r, $1_t)
1264 games_rw_data($1_usertype)
1268 gpg_role($1_r, $1_usertype)
1272 gnomeclock_dbus_chat($1_t)
1276 gpm_stream_connect($1_usertype)
# execmem/java/mono/wine role templates each add a domain where executable
# memory is permitted, separate from the allow_execmem tunable.
1280 execmem_role_template($1, $1_r, $1_t)
1284 java_role_template($1, $1_r, $1_t)
1288 mono_role_template($1, $1_r, $1_t)
1292 mount_run_fusermount($1_t, $1_r)
1293 mount_read_pid_files($1_t)
1297 wine_role_template($1, $1_r, $1_t)
1301 postfix_run_postdrop($1_t, $1_r)
1304 # Run pppd in pppd_t by default for user
1306 ppp_run_cond($1_t, $1_r)
1310 #######################################
1312 ## The template for creating an administrative user.
1316 ## This template creates a user domain, types, and
1317 ## rules for the user's tty, pty, home directories,
1318 ## tmp, and tmpfs files.
1321 ## The privileges given to administrative users are:
1323 ## <li>Raw disk access</li>
1324 ## <li>Set all sysctls</li>
1325 ## <li>All kernel ring buffer controls</li>
1326 ## <li>Create, read, write, and delete all files but shadow</li>
1327 ## <li>Manage source and binary format SELinux policy</li>
1328 ## <li>Run insmod</li>
1332 ## <param name="userdomain_prefix">
1334 ## The prefix of the user domain (e.g., sysadm
1335 ## is the prefix for sysadm_t).
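1339 template(`userdom_admin_user_template',`
1341 attribute admindomain;
1342 class passwd { passwd chfn chsh rootok crontab };
1345 ##############################
1350 # Inherit rules for ordinary users.
1351 userdom_login_user_template($1)
1352 userdom_common_user_template($1)
1354 domain_obj_id_change_exemption($1_t)
# $1_t is valid in system_r as well as in its login role.
1355 role system_r types $1_t;
# Tags the domain so userdom_attach_admin_tun_iface() can match it.
1357 typeattribute $1_t admindomain;
1359 ifdef(`direct_sysadm_daemon',`
1360 domain_system_change_exemption($1_t)
1363 ##############################
# Every capability except module loading and audit control; module loading
# is instead reached through the insmod/depmod domain transitions below.
1368 allow $1_t self:capability ~{ sys_module audit_control audit_write };
1369 allow $1_t self:capability2 syslog;
# Lets the domain set its own exec and fscreate contexts (runcon-style use).
1370 allow $1_t self:process { setexec setfscreate };
1371 allow $1_t self:netlink_audit_socket nlmsg_readpriv;
1372 allow $1_t self:tun_socket create;
1373 # Set password information for other users.
1374 allow $1_t self:passwd { passwd chfn chsh };
1375 # Skip authentication when pam_rootok is specified.
1376 allow $1_t self:passwd rootok;
1378 # Manipulate other users' crontabs.
1379 allow $1_t self:passwd crontab;
1381 kernel_read_software_raid_state($1_t)
1382 kernel_getattr_core_if($1_t)
1383 kernel_getattr_message_if($1_t)
1384 kernel_change_ring_buffer_level($1_t)
1385 kernel_clear_ring_buffer($1_t)
1386 kernel_read_ring_buffer($1_t)
1387 kernel_get_sysvipc_info($1_t)
# Read and write every sysctl, not just the ones ordinary users may read.
1388 kernel_rw_all_sysctls($1_t)
1389 # signal unlabeled processes:
1390 kernel_kill_unlabeled($1_t)
1391 kernel_signal_unlabeled($1_t)
1392 kernel_sigstop_unlabeled($1_t)
1393 kernel_signull_unlabeled($1_t)
1394 kernel_sigchld_unlabeled($1_t)
1397 corenet_tcp_bind_generic_port($1_t)
1398 # allow setting up tunnels
1399 corenet_rw_tun_tap_dev($1_t)
1401 dev_getattr_generic_blk_files($1_t)
1402 dev_getattr_generic_chr_files($1_t)
1404 dev_getattr_mtrr_dev($1_t)
1405 # Allow MAKEDEV to work
1406 dev_create_all_blk_files($1_t)
1407 dev_create_all_chr_files($1_t)
1408 dev_delete_all_blk_files($1_t)
1409 dev_delete_all_chr_files($1_t)
1410 dev_rename_all_blk_files($1_t)
1411 dev_rename_all_chr_files($1_t)
1412 dev_create_generic_symlinks($1_t)
1413 dev_rw_generic_usb_dev($1_t)
# Visibility into, and signalling of, every domain. Note that ptrace of
# other domains is only dontaudited here, not allowed.
1416 domain_setpriority_all_domains($1_t)
1417 domain_read_all_domains_state($1_t)
1418 domain_getattr_all_domains($1_t)
1419 domain_getcap_all_domains($1_t)
1420 domain_dontaudit_ptrace_all_domains($1_t)
1421 # signal all domains:
1422 domain_kill_all_domains($1_t)
1423 domain_signal_all_domains($1_t)
1424 domain_signull_all_domains($1_t)
1425 domain_sigstop_all_domains($1_t)
1427 domain_sigchld_all_domains($1_t)
1429 domain_getattr_all_sockets($1_t)
1430 domain_dontaudit_getattr_all_sockets($1_t)
1432 files_exec_usr_src_files($1_t)
1434 fs_getattr_all_fs($1_t)
1435 fs_getattr_all_files($1_t)
1437 fs_set_all_quotas($1_t)
# Execute files on filesystems that carry no xattr labels.
1438 fs_exec_noxattr($1_t)
1440 storage_raw_read_removable_device($1_t)
1441 storage_raw_write_removable_device($1_t)
1442 storage_dontaudit_read_fixed_disk($1_t)
1444 term_use_all_inherited_terms($1_t)
1445 term_use_unallocated_ttys($1_t)
# Shadow itself stays out of reach: only getattr is granted on it, and the
# manage/relabel grants below explicitly exclude it.
1447 auth_getattr_shadow($1_t)
1448 # Manage almost all files
1449 auth_manage_all_files_except_shadow($1_t)
1450 # Relabel almost all files
1451 auth_relabel_all_files_except_shadow($1_t)
1455 logging_send_syslog_msg($1_t)
# Module loading goes through the insmod/depmod domains rather than a
# direct sys_module capability (excluded from the capability set above).
1458 modutils_domtrans_insmod($1_t)
1459 modutils_domtrans_depmod($1_t)
1462 # The following rule is temporary until such time that a complete
1463 # policy management infrastructure is in place so that an administrator
1464 # cannot directly manipulate policy files with arbitrary programs.
1465 seutil_manage_src_policy($1_t)
1466 # Violates the goal of limiting write access to checkpolicy.
1467 # But presently necessary for installing the file_contexts file.
1468 seutil_manage_bin_policy($1_t)
# Per its name, lets $1_t reconfigure every systemd service unit.
1470 systemd_config_all_services($1_t)
# Full management of user_home_t content; this type appears to be shared by
# all user home directories rather than being per-user.
1472 userdom_manage_user_home_content_dirs($1_t)
1473 userdom_manage_user_home_content_files($1_t)
1474 userdom_manage_user_home_content_symlinks($1_t)
1475 userdom_manage_user_home_content_pipes($1_t)
1476 userdom_manage_user_home_content_sockets($1_t)
1477 userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
# Boolean user_rw_noexattrfile toggles between manage and read-only access
# to files on filesystems without xattr support.
1479 tunable_policy(`user_rw_noexattrfile',`
1480 fs_manage_noxattr_fs_files($1_t)
1481 fs_manage_noxattr_fs_dirs($1_t)
1483 fs_read_noxattr_fs_files($1_t)
# Per its name, exempts $1_t from sepgsql's database object controls.
1487 postgresql_unconfined($1_t)
1491 userhelper_exec($1_t)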
1495 ########################################
1497 ## Allow user to run as a secadm
1501 ## Grant the specified domain security administrator privileges:
1502 ## switching the enforcing mode, booleans and parameters, managing the
1503 ## policy store and contexts, and relabelling all files including shadow.
1506 ## This is a templated interface, and should only
1507 ## be called from a per-userdomain template.
1510 ## <param name="domain">
1512 ## Domain allowed access.
1515 ## <param name="role">
1517 ## The role of the user domain, passed to the seutil_run_* interfaces.
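1521 template(`userdom_security_admin_template',`
# Override DAC read/search checks so every file can be reached for relabelling.
1522 allow $1 self:capability { dac_read_search dac_override };
1524 corecmd_exec_shell($1)
1526 domain_obj_id_change_exemption($1)
1528 dev_relabel_all_dev_nodes($1)
1530 files_create_boot_flag($1)
1531 files_create_default_dir($1)
1532 files_root_filetrans_default($1, dir)
1534 # Necessary for managing /boot/efi
1535 fs_manage_dos_files($1)
# MLS: read up, and both raise and lower file levels.
1537 mls_process_read_up($1)
1538 mls_file_read_all_levels($1)
1539 mls_file_upgrade($1)
1540 mls_file_downgrade($1)
# Control over enforcement itself (setenforce, all booleans, parameters).
# Together with the policy store and load_policy grants below this amounts
# to full control of the MAC layer, so the role must be assigned sparingly.
1542 selinux_set_enforce_mode($1)
1543 selinux_set_all_booleans($1)
1544 selinux_set_parameters($1)
1545 selinux_read_policy($1)
# Unlike userdom_admin_user_template, shadow itself may be relabelled here.
1547 auth_relabel_all_files_except_shadow($1)
1548 auth_relabel_shadow($1)
1552 logging_send_syslog_msg($1)
1553 logging_read_audit_log($1)
1554 logging_read_generic_logs($1)
1555 logging_read_audit_config($1)
# Policy store, contexts and config are writable; the seutil_run_* helpers
# (checkpolicy, load_policy, semanage, setsebool, setfiles) run in role $2.
1557 seutil_manage_bin_policy($1)
1558 seutil_manage_default_contexts($1)
1559 seutil_manage_file_contexts($1)
1560 seutil_manage_module_store($1)
1561 seutil_manage_config($1)
1562 seutil_run_checkpolicy($1,$2)
1563 seutil_run_loadpolicy($1,$2)
1564 seutil_run_semanage($1,$2)
1565 seutil_run_setsebool($1,$2)
1566 seutil_run_setfiles($1, $2)
# The following calls presumably sit inside optional_policy blocks whose
# wrapper lines are not visible in this listing.
1579 consoletype_exec($1)
1587 ipsec_run_setkey($1,$2)
1591 netlabel_run_mgmt($1,$2)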
1599 ########################################
1601 ## Make the specified type usable in a
1602 ## user home directory.
1604 ## <param name="type">
1606 ## Type to be used as a file in the
1607 ## user home directory.
1611 interface(`userdom_user_home_content',`
1614 attribute user_home_type;
# Types tagged user_home_type are what the *_all_user_home_content_*
# interfaces in this module operate on.
1617 allow $1 user_home_t:filesystem associate;
1619 ubac_constrained($1)
1621 files_poly_member($1)
1622 typeattribute $1 user_home_type;
1625 ########################################
1627 ## Make the specified type usable in a
1628 ## generic temporary directory.
1630 ## <param name="type">
1632 ## Type to be used as a file in the
1633 ## generic temporary directory.
1637 interface(`userdom_user_tmp_content',`
1639 attribute user_tmp_type;
# Unlike userdom_user_home_content(), no files_poly_member() is applied here.
1642 typeattribute $1 user_tmp_type;
1645 ubac_constrained($1)
1648 ########################################
1650 ## Make the specified type usable in a
1651 ## generic tmpfs_t directory.
1653 ## <param name="type">
1655 ## Type to be used as a file in the
1656 ## generic temporary directory.
1660 interface(`userdom_user_tmpfs_content',`
1662 attribute user_tmpfs_type;
1665 typeattribute $1 user_tmpfs_type;
# files_tmpfs_file() presumably adds the tmpfs filesystem associate rule — confirm in files.if.
1667 files_tmpfs_file($1)
1668 ubac_constrained($1)
1671 ########################################
1673 ## Allow domain to attach to TUN devices created by administrative users.
1675 ## <param name="domain">
1677 ## Domain allowed access.
1681 interface(`userdom_attach_admin_tun_iface',`
1683 attribute admindomain;
# Take over TUN sockets created by any admin domain (userdom_admin_user_template
# grants admindomain tun_socket create) by relabelling them into $1's own context.
1686 allow $1 admindomain:tun_socket relabelfrom;
1687 allow $1 self:tun_socket relabelto;
1690 ########################################
1692 ## Set the attributes of a user pty.
1694 ## <param name="domain">
1696 ## Domain allowed access.
1700 interface(`userdom_setattr_user_ptys',`
# setattr only; read/write is a separate interface (userdom_use_user_ptys).
1705 allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
1708 ########################################
1710 ## Create a user pty.
1712 ## <param name="domain">
1714 ## Domain allowed access.
1718 interface(`userdom_create_user_pty',`
# Delegates pty creation to term_create_pty() with the user pty type.
1723 term_create_pty($1, user_devpts_t)
1726 ########################################
1728 ## Get the attributes of user home directories.
1730 ## <param name="domain">
1732 ## Domain allowed access.
1736 interface(`userdom_getattr_user_home_dirs',`
1738 type user_home_dir_t;
1741 allow $1 user_home_dir_t:dir getattr_dir_perms;
# files_search_home() supplies search on the parent home root (per its name).
1742 files_search_home($1)
1745 ########################################
1747 ## Do not audit attempts to get the attributes of user home directories.
1749 ## <param name="domain">
1751 ## Domain to not audit.
1755 interface(`userdom_dontaudit_getattr_user_home_dirs',`
1757 type user_home_dir_t;
# Suppresses the denial message only; grants nothing.
1760 dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
1763 ########################################
1765 ## Search user home directories.
1767 ## <param name="domain">
1769 ## Domain allowed access.
1773 interface(`userdom_search_user_home_dirs',`
1775 type user_home_dir_t;
1778 allow $1 user_home_dir_t:dir search_dir_perms;
# Home directories that are symlinks can be followed as well.
1779 allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
1780 files_search_home($1)
1783 ########################################
1785 ## Do not audit attempts to search user home directories.
1789 ## Do not audit attempts to search user home directories.
1790 ## This will suppress SELinux denial messages when the specified
1791 ## domain is denied the permission to search these directories.
1794 ## <param name="domain">
1796 ## Domain to not audit.
1799 ## <infoflow type="none"/>
1801 interface(`userdom_dontaudit_search_user_home_dirs',`
1803 type user_home_dir_t;
# Suppresses the denial message only; grants nothing.
1806 dontaudit $1 user_home_dir_t:dir search_dir_perms;
1809 ########################################
1811 ## List user home directories.
1813 ## <param name="domain">
1815 ## Domain allowed access.
1819 interface(`userdom_list_user_home_dirs',`
1821 type user_home_dir_t;
1824 allow $1 user_home_dir_t:dir list_dir_perms;
1825 files_search_home($1)
# NFS- and Samba-backed home directories are handled under the two tunables;
# their rule bodies are not visible in this listing.
1827 tunable_policy(`use_nfs_home_dirs',`
1831 tunable_policy(`use_samba_home_dirs',`
1836 ########################################
1838 ## Do not audit attempts to list user home subdirectories.
1840 ## <param name="domain">
1842 ## Domain to not audit.
1846 interface(`userdom_dontaudit_list_user_home_dirs',`
1848 type user_home_dir_t;
# Covers both the home directory itself and user_home_t subdirectories.
1852 dontaudit $1 user_home_dir_t:dir list_dir_perms;
1853 dontaudit $1 user_home_t:dir list_dir_perms;
1856 ########################################
1858 ## Create user home directories.
1860 ## <param name="domain">
1862 ## Domain allowed access.
1866 interface(`userdom_create_user_home_dirs',`
1868 type user_home_dir_t;
# Creation only; no files_search_home() is added here, unlike the getattr/search interfaces.
1871 allow $1 user_home_dir_t:dir create_dir_perms;
1874 ########################################
1876 ## Create, read, write, and delete user home directories.
1878 ## <param name="domain">
1880 ## Domain allowed access.
1884 interface(`userdom_manage_user_home_dirs',`
1886 type user_home_dir_t;
# Full manage on the home directory objects themselves (not their contents).
1889 allow $1 user_home_dir_t:dir manage_dir_perms;
1892 ########################################
1894 ## Relabel to user home directories.
1896 ## <param name="domain">
1898 ## Domain allowed access.
1902 interface(`userdom_relabelto_user_home_dirs',`
1904 type user_home_dir_t;
# relabelto only; the caller needs a matching relabelfrom on the source type.
1907 allow $1 user_home_dir_t:dir relabelto;
1911 ########################################
1913 ## Relabel to user home files.
1915 ## <param name="domain">
1917 ## Domain allowed access.
1921 interface(`userdom_relabelto_user_home_files',`
# relabelto only; the caller needs a matching relabelfrom on the source type.
1926 allow $1 user_home_t:file relabelto;
1928 ########################################
1930 ## Relabel user home files.
1932 ## <param name="domain">
1934 ## Domain allowed access.
1938 interface(`userdom_relabel_user_home_files',`
# Per its name, relabel_file_perms covers both directions of a relabel.
1943 allow $1 user_home_t:file relabel_file_perms;
1946 ########################################
1948 ## Create directories in the home dir root with
1949 ## the user home directory type.
1951 ## <param name="domain">
1953 ## Domain allowed access.
1957 interface(`userdom_home_filetrans_user_home_dir',`
1959 type user_home_dir_t;
# Directories created directly under the home root are labelled user_home_dir_t.
1962 files_home_filetrans($1, user_home_dir_t, dir)
1965 ########################################
1967 ## Do a domain transition to the specified
1968 ## domain when executing a program in the
1969 ## user home directory.
1973 ## Do a domain transition to the specified
1974 ## domain when executing a program in the
1975 ## user home directory.
1978 ## No interprocess communication (signals, pipes,
1979 ## etc.) is provided by this interface since
1980 ## the domains are not owned by this module.
1983 ## <param name="source_domain">
1985 ## Domain allowed to transition.
1988 ## <param name="target_domain">
1990 ## Domain to transition to.
1994 interface(`userdom_user_home_domtrans',`
1996 type user_home_dir_t, user_home_t;
# Any user_home_t file executed by $1 automatically transitions to $2, so $2
# ends up running code the home-directory owner can presumably write. No IPC
# back-rules are added (see the description above).
1999 domain_auto_trans($1, user_home_t, $2)
2000 allow $1 user_home_dir_t:dir search_dir_perms;
2001 files_search_home($1)
2004 ########################################
2006 ## Do not audit attempts to search user home content directories.
2008 ## <param name="domain">
2010 ## Domain to not audit.
2014 interface(`userdom_dontaudit_search_user_home_content',`
2019 dontaudit $1 user_home_t:dir search_dir_perms;
# Also quiets the corresponding NFS and CIFS listing denials.
2020 fs_dontaudit_list_nfs($1)
2021 fs_dontaudit_list_cifs($1)
2024 ########################################
2026 ## List the contents of user home directories.
2028 ## <param name="domain">
2030 ## Domain allowed access.
2034 interface(`userdom_list_user_home_content',`
2036 type user_home_dir_t;
2037 attribute user_home_type;
# NOTE(review): no files_search_home() here, unlike the other home-content
# interfaces; callers may need it separately — confirm.
2041 allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
2044 ########################################
2046 ## Create, read, write, and delete directories
2047 ## in a user home subdirectory.
2049 ## <param name="domain">
2051 ## Domain allowed access.
2055 interface(`userdom_manage_user_home_content_dirs',`
2057 type user_home_dir_t, user_home_t;
# Search on both container types, full manage on user_home_t directories.
2060 manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
2061 files_search_home($1)
2064 ########################################
2066 ## Delete directories in a user home subdirectory.
2068 ## <param name="domain">
2070 ## Domain allowed access.
2074 interface(`userdom_delete_user_home_content_dirs',`
# Only the generic user_home_t type; see the *_all_* variant for every home type.
2079 allow $1 user_home_t:dir delete_dir_perms;
2082 ########################################
2084 ## Delete all directories in a user home subdirectory.
2086 ## <param name="domain">
2088 ## Domain allowed access.
2092 interface(`userdom_delete_all_user_home_content_dirs',`
2094 attribute user_home_type;
# Every type tagged user_home_type, not only user_home_t.
2097 allow $1 user_home_type:dir delete_dir_perms;
2100 ########################################
2102 ## Set the attributes of user home files.
2104 ## <param name="domain">
2106 ## Domain allowed access.
2111 interface(`userdom_setattr_user_home_content_files',`
# Bare setattr permission; the sibling interfaces use the *_perms macros.
2116 allow $1 user_home_t:file setattr;
2119 ########################################
2121 ## Do not audit attempts to set the
2122 ## attributes of user home files.
2124 ## <param name="domain">
2126 ## Domain to not audit.
2130 interface(`userdom_dontaudit_setattr_user_home_content_files',`
# Suppresses the denial message only; grants nothing.
2135 dontaudit $1 user_home_t:file setattr_file_perms;
2138 ########################################
2140 ## Set the attributes of all user home directories.
2142 ## <param name="domain">
2144 ## Domain allowed access.
2149 interface(`userdom_setattr_all_user_home_content_dirs',`
2151 attribute user_home_type;
# Every type tagged user_home_type, not only user_home_t.
2154 allow $1 user_home_type:dir setattr_dir_perms;
2157 ########################################
2159 ## Mmap user home files.
2161 ## <param name="domain">
2163 ## Domain allowed access.
2167 interface(`userdom_mmap_user_home_content_files',`
2169 type user_home_dir_t, user_home_t;
# Search on both container types, mmap on user_home_t files.
2172 mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
2173 files_search_home($1)
2176 ########################################
2178 ## Read user home files.
2180 ## <param name="domain">
2182 ## Domain allowed access.
2186 interface(`userdom_read_user_home_content_files',`
2188 type user_home_dir_t, user_home_t;
# Listing on both directory types, read on user_home_t files.
2191 list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
2192 read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
2193 files_search_home($1)
2196 ########################################
2198 ## Do not audit attempts to getattr user home files.
2200 ## <param name="domain">
2202 ## Domain to not audit.
2206 interface(`userdom_dontaudit_getattr_user_home_content',`
2208 attribute user_home_type;
# Quiets getattr denials on directories and files of every user home type.
2211 dontaudit $1 user_home_type:dir getattr;
2212 dontaudit $1 user_home_type:file getattr;
2215 ########################################
2217 ## Do not audit attempts to read user home files.
2219 ## <param name="domain">
2221 ## Domain to not audit.
2225 interface(`userdom_dontaudit_read_user_home_content_files',`
2227 attribute user_home_type;
2228 type user_home_dir_t;
# Quiets listing of the home directory and of every home type, plus
# file and symlink reads; grants nothing.
2231 dontaudit $1 user_home_dir_t:dir list_dir_perms;
2232 dontaudit $1 user_home_type:dir list_dir_perms;
2233 dontaudit $1 user_home_type:file read_file_perms;
2234 dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
2237 ########################################
2239 ## Do not audit attempts to append user home files.
2241 ## <param name="domain">
2243 ## Domain to not audit.
2247 interface(`userdom_dontaudit_append_user_home_content_files',`
# Suppresses the denial message only; grants nothing.
2252 dontaudit $1 user_home_t:file append_file_perms;
2255 ########################################
2257 ## Do not audit attempts to write user home files.
2259 ## <param name="domain">
2261 ## Domain to not audit.
2265 interface(`userdom_dontaudit_write_user_home_content_files',`
# Suppresses the denial message only; grants nothing.
2270 dontaudit $1 user_home_t:file write_file_perms;
2273 ########################################
2275 ## Delete files in a user home subdirectory.
2277 ## <param name="domain">
2279 ## Domain allowed access.
2283 interface(`userdom_delete_user_home_content_files',`
# Only the generic user_home_t type; see the *_all_* variant for every home type.
2288 allow $1 user_home_t:file delete_file_perms;
2291 ########################################
2293 ## Delete all files in a user home subdirectory.
2295 ## <param name="domain">
2297 ## Domain allowed access.
2301 interface(`userdom_delete_all_user_home_content_files',`
2303 attribute user_home_type;
# Every type tagged user_home_type, not only user_home_t.
2306 allow $1 user_home_type:file delete_file_perms;
2309 ########################################
2311 ## Delete sock files in a user home subdirectory.
2313 ## <param name="domain">
2315 ## Domain allowed access.
2319 interface(`userdom_delete_user_home_content_sock_files',`
# Only the generic user_home_t type; see the *_all_* variant for every home type.
2324 allow $1 user_home_t:sock_file delete_file_perms;
2327 ########################################
2329 ## Delete all sock files in a user home subdirectory.
2331 ## <param name="domain">
2333 ## Domain allowed access.
2337 interface(`userdom_delete_all_user_home_content_sock_files',`
2339 attribute user_home_type;
# Every type tagged user_home_type, not only user_home_t.
2342 allow $1 user_home_type:sock_file delete_file_perms;
2345 ########################################
2347 ## Do not audit attempts to relabel user home files.
2349 ## <param name="domain">
2351 ## Domain to not audit.
2355 interface(`userdom_dontaudit_relabel_user_home_content_files',`
# Suppresses relabel denials only; grants nothing.
2360 dontaudit $1 user_home_t:file relabel_file_perms;
2363 ########################################
2365 ## Read user home subdirectory symbolic links.
2367 ## <param name="domain">
2369 ## Domain allowed access.
2373 interface(`userdom_read_user_home_content_symlinks',`
2375 type user_home_dir_t, user_home_t;
# Symlink read only; no directory search is granted here, so pair it with
# userdom_search_user_home_dirs() where needed.
2378 allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
2381 ########################################
2383 ## Execute user home files.
2385 ## <param name="domain">
2387 ## Domain allowed access.
2392 interface(`userdom_exec_user_home_content_files',`
2394 type user_home_dir_t;
2395 attribute user_home_type;
2398 files_search_home($1)
# Executes files of every user_home_type in $1's own domain (no transition);
# such content is typically writable by the home-directory owner, so the
# caller is effectively trusting user-controlled code.
2399 exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
# Execute on sockets is only dontaudited, never allowed.
2400 dontaudit $1 user_home_type:sock_file execute;
2403 ########################################
2405 ## Do not audit attempts to execute user home files.
2407 ## <param name="domain">
2409 ## Domain to not audit.
2413 interface(`userdom_dontaudit_exec_user_home_content_files',`
# Suppresses the denial message only; grants nothing.
2418 dontaudit $1 user_home_t:file exec_file_perms;
2421 ########################################
2423 ## Create, read, write, and delete files
2424 ## in a user home subdirectory.
2426 ## <param name="domain">
2428 ## Domain allowed access.
2432 interface(`userdom_manage_user_home_content_files',`
2434 type user_home_dir_t, user_home_t;
# Full manage on user_home_t files, search on the home directory above them.
2437 manage_files_pattern($1, user_home_t, user_home_t)
2438 allow $1 user_home_dir_t:dir search_dir_perms;
2439 files_search_home($1)
2442 ########################################
2444 ## Do not audit attempts to create, read, write, and delete directories
2445 ## in a user home subdirectory.
2447 ## <param name="domain">
2449 ## Domain to not audit.
2453 interface(`userdom_dontaudit_manage_user_home_content_dirs',`
# user_home_dir_t is required but not used by the rule below.
2455 type user_home_dir_t, user_home_t;
2458 dontaudit $1 user_home_t:dir manage_dir_perms;
2461 ########################################
2463 ## Create, read, write, and delete symbolic links
2464 ## in a user home subdirectory.
2466 ## <param name="domain">
2468 ## Domain allowed access.
2472 interface(`userdom_manage_user_home_content_symlinks',`
2474 type user_home_dir_t, user_home_t;
# Full manage on user_home_t symlinks, search on the home directory above them.
2477 manage_lnk_files_pattern($1, user_home_t, user_home_t)
2478 allow $1 user_home_dir_t:dir search_dir_perms;
2479 files_search_home($1)
2482 ########################################
2484 ## Delete symbolic links in a user home directory.
2486 ## <param name="domain">
2488 ## Domain allowed access.
2492 interface(`userdom_delete_user_home_content_symlinks',`
# Only the generic user_home_t type; see the *_all_* variant for every home type.
2497 allow $1 user_home_t:lnk_file delete_lnk_file_perms;
2500 ########################################
2502 ## Delete all symbolic links in a user home directory.
2504 ## <param name="domain">
2506 ## Domain allowed access.
2510 interface(`userdom_delete_all_user_home_content_symlinks',`
2512 attribute user_home_type;
# Every type tagged user_home_type, not only user_home_t.
2515 allow $1 user_home_type:lnk_file delete_lnk_file_perms;
2518 ########################################
2520 ## Create, read, write, and delete named pipes
2521 ## in a user home subdirectory.
2523 ## <param name="domain">
2525 ## Domain allowed access.
2529 interface(`userdom_manage_user_home_content_pipes',`
2531 type user_home_dir_t, user_home_t;
# Full manage on user_home_t named pipes, search on the home directory above them.
2534 manage_fifo_files_pattern($1, user_home_t, user_home_t)
2535 allow $1 user_home_dir_t:dir search_dir_perms;
2536 files_search_home($1)
2539 ########################################
2541 ## Create, read, write, and delete named sockets
2542 ## in a user home subdirectory.
2544 ## <param name="domain">
2546 ## Domain allowed access.
2550 interface(`userdom_manage_user_home_content_sockets',`
2552 type user_home_dir_t, user_home_t;
# Full manage on user_home_t named sockets, search on the home directory above them.
2555 allow $1 user_home_dir_t:dir search_dir_perms;
2556 manage_sock_files_pattern($1, user_home_t, user_home_t)
2557 files_search_home($1)
2560 ########################################
2562 ## Create objects in a user home directory
2563 ## with an automatic type transition to
2564 ## a specified private type.
2566 ## <param name="domain">
2568 ## Domain allowed access.
2571 ## <param name="private_type">
2573 ## The type of the object to create.
2576 ## <param name="object_class">
2578 ## The class of the object to be created.
2582 interface(`userdom_user_home_dir_filetrans',`
2584 type user_home_dir_t;
# $4 is not listed in the parameter docs above; it is passed through as the
# filename of a name-based transition — confirm against filetrans_pattern().
2587 filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
2588 files_search_home($1)
2591 ########################################
2593 ## Create objects in a user home directory
2594 ## with an automatic type transition to
2595 ## a specified private type.
2597 ## <param name="domain">
2599 ## Domain allowed access.
2602 ## <param name="private_type">
2604 ## The type of the object to create.
2607 ## <param name="object_class">
2609 ## The class of the object to be created.
2613 interface(`userdom_user_home_content_filetrans',`
2615 type user_home_dir_t, user_home_t;
# Transition applies inside user_home_t directories (not the home dir itself);
# no filename argument, unlike userdom_user_home_dir_filetrans().
2618 filetrans_pattern($1, user_home_t, $2, $3)
2619 allow $1 user_home_dir_t:dir search_dir_perms;
2620 files_search_home($1)
2623 ########################################
2625 ## Create objects in a user home directory
2626 ## with an automatic type transition to
2627 ## the user home file type.
2629 ## <param name="domain">
2631 ## Domain allowed access.
2634 ## <param name="object_class">
2636 ## The class of the object to be created.
2640 interface(`userdom_user_home_dir_filetrans_user_home_content',`
2642 type user_home_dir_t, user_home_t;
# Objects of class(es) $2 created directly in the home directory get user_home_t.
2645 filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
2646 files_search_home($1)
2649 ########################################
2651 ## Write to user temporary named sockets.
2653 ## <param name="domain">
2655 ## Domain allowed access.
2659 interface(`userdom_write_user_tmp_sockets',`
# Write to existing sockets only; no create or directory listing.
2664 allow $1 user_tmp_t:sock_file write_sock_file_perms;
2665 files_search_tmp($1)
2668 ########################################
2670 ## List user temporary directories.
2672 ## <param name="domain">
2674 ## Domain allowed access.
2678 interface(`userdom_list_user_tmp',`
2683 allow $1 user_tmp_t:dir list_dir_perms;
# files_search_tmp() supplies search on the generic tmp directory (per its name).
2684 files_search_tmp($1)
2687 ########################################
2689 ## Do not audit attempts to list user
2690 ## temporary directories.
2692 ## <param name="domain">
2694 ## Domain to not audit.
2698 interface(`userdom_dontaudit_list_user_tmp',`
# Suppresses the denial message only; grants nothing.
2703 dontaudit $1 user_tmp_t:dir list_dir_perms;
2706 ########################################
2708 ## Do not audit attempts to manage users
2709 ## temporary directories.
2711 ## <param name="domain">
2713 ## Domain to not audit.
2717 interface(`userdom_dontaudit_manage_user_tmp_dirs',`
# Suppresses the denial message only; grants nothing.
2722 dontaudit $1 user_tmp_t:dir manage_dir_perms;
2725 ########################################
2727 ## Read user temporary files.
2729 ## <param name="domain">
2731 ## Domain allowed access.
2735 interface(`userdom_read_user_tmp_files',`
# Read files plus list the directory; search on the generic tmp dir comes from files_search_tmp().
2740 read_files_pattern($1, user_tmp_t, user_tmp_t)
2741 allow $1 user_tmp_t:dir list_dir_perms;
2742 files_search_tmp($1)
2745 ########################################
2747 ## Do not audit attempts to read users temporary files.
2750 ## <param name="domain">
2752 ## Domain to not audit.
2756 interface(`userdom_dontaudit_read_user_tmp_files',`
# Per its name, read_inherited_file_perms covers already-open descriptors only.
2761 dontaudit $1 user_tmp_t:file read_inherited_file_perms;
2764 ########################################
2766 ## Do not audit attempts to append users temporary files.
2769 ## <param name="domain">
2771 ## Domain to not audit.
2775 interface(`userdom_dontaudit_append_user_tmp_files',`
# Suppresses the denial message only; grants nothing.
2780 dontaudit $1 user_tmp_t:file append_file_perms;
2783 ########################################
2785 ## Read and write user temporary files.
2787 ## <param name="domain">
2789 ## Domain allowed access.
2793 interface(`userdom_rw_user_tmp_files',`
2798 allow $1 user_tmp_t:dir list_dir_perms;
# Read/write of existing files; no create or delete (see userdom_manage_user_tmp_files).
2799 rw_files_pattern($1, user_tmp_t, user_tmp_t)
2800 files_search_tmp($1)
2803 ########################################
2805 ## Do not audit attempts to manage users temporary files.
2808 ## <param name="domain">
2810 ## Domain to not audit.
2814 interface(`userdom_dontaudit_manage_user_tmp_files',`
# Suppresses the denial message only; grants nothing.
2819 dontaudit $1 user_tmp_t:file manage_file_perms;
2822 ########################################
2824 ## Read user temporary symbolic links.
2826 ## <param name="domain">
2828 ## Domain allowed access.
2832 interface(`userdom_read_user_tmp_symlinks',`
# Symlink read plus directory listing.
2837 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2838 allow $1 user_tmp_t:dir list_dir_perms;
2839 files_search_tmp($1)
2842 ########################################
2844 ## Create, read, write, and delete user
2845 ## temporary directories.
2847 ## <param name="domain">
2849 ## Domain allowed access.
2853 interface(`userdom_manage_user_tmp_dirs',`
# Full manage on user_tmp_t directories.
2858 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
2859 files_search_tmp($1)
2862 ########################################
2864 ## Create, read, write, and delete user temporary files.
2867 ## <param name="domain">
2869 ## Domain allowed access.
2873 interface(`userdom_manage_user_tmp_files',`
# Full manage on user_tmp_t files.
2878 manage_files_pattern($1, user_tmp_t, user_tmp_t)
2879 files_search_tmp($1)
2882 ########################################
2884 ## Create, read, write, and delete user
2885 ## temporary symbolic links.
2887 ## <param name="domain">
2889 ## Domain allowed access.
2893 interface(`userdom_manage_user_tmp_symlinks',`
# Full manage on user_tmp_t symlinks.
2898 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2899 files_search_tmp($1)
2902 ########################################
2904 ## Create, read, write, and delete user
2905 ## temporary named pipes.
2907 ## <param name="domain">
2909 ## Domain allowed access.
2913 interface(`userdom_manage_user_tmp_pipes',`
# Full manage on user_tmp_t named pipes.
2918 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
2919 files_search_tmp($1)
2922 ########################################
2924 ## Create, read, write, and delete user
2925 ## temporary named sockets.
2927 ## <param name="domain">
2929 ## Domain allowed access.
2933 interface(`userdom_manage_user_tmp_sockets',`
# Full manage on user_tmp_t named sockets.
2938 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
2939 files_search_tmp($1)
2942 ########################################
2944 ## Create objects in a user temporary directory
2945 ## with an automatic type transition to
2946 ## a specified private type.
2948 ## <param name="domain">
2950 ## Domain allowed access.
2953 ## <param name="private_type">
2955 ## The type of the object to create.
2958 ## <param name="object_class">
2960 ## The class of the object to be created.
2964 interface(`userdom_user_tmp_filetrans',`
# Objects of class(es) $3 created inside user_tmp_t directories get type $2.
2969 filetrans_pattern($1, user_tmp_t, $2, $3)
2970 files_search_tmp($1)
2973 ########################################
2975 ## Create objects in the temporary directory
2976 ## with an automatic type transition to
2977 ## the user temporary type.
2979 ## <param name="domain">
2981 ## Domain allowed access.
2984 ## <param name="object_class">
2986 ## The class of the object to be created.
2990 interface(`userdom_tmp_filetrans_user_tmp',`
# Objects of class(es) $2 created in the generic tmp directory get user_tmp_t.
2995 files_tmp_filetrans($1, user_tmp_t, $2)
2998 ########################################
3000 ## Read user tmpfs files.
3002 ## <param name="domain">
3004 ## Domain allowed access.
3008 interface(`userdom_read_user_tmpfs_files',`
# Read files and symlinks plus directory listing on user_tmpfs_t.
3013 read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3014 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3015 allow $1 user_tmpfs_t:dir list_dir_perms;
3019 ########################################
3021 ## Read/Write user tmpfs files.
3023 ## <param name="domain">
3025 ## Domain allowed access.
3029 interface(`userdom_rw_user_tmpfs_files',`
# Read/write of existing files, symlink read and directory listing on user_tmpfs_t.
3034 rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3035 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3036 allow $1 user_tmpfs_t:dir list_dir_perms;
3040 ########################################
3042 ## Get the attributes of a user domain tty.
3044 ## <param name="domain">
3046 ## Domain allowed access.
3050 interface(`userdom_getattr_user_ttys',`
3052 type user_tty_device_t;
# getattr only; read/write is userdom_use_user_ttys().
3055 allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
3058 ########################################
3060 ## Do not audit attempts to get the attributes of a user domain tty.
3062 ## <param name="domain">
3064 ## Domain to not audit.
3068 interface(`userdom_dontaudit_getattr_user_ttys',`
3070 type user_tty_device_t;
# Suppresses the denial message only; grants nothing.
3073 dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
3076 ########################################
3078 ## Set the attributes of a user domain tty.
3080 ## <param name="domain">
3082 ## Domain allowed access.
3086 interface(`userdom_setattr_user_ttys',`
3088 type user_tty_device_t;
# setattr only; read/write is userdom_use_user_ttys().
3091 allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
3094 ########################################
3096 ## Do not audit attempts to set the attributes of a user domain tty.
3098 ## <param name="domain">
3100 ## Domain to not audit.
3104 interface(`userdom_dontaudit_setattr_user_ttys',`
3106 type user_tty_device_t;
# Suppresses the denial message only; grants nothing.
3109 dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
3112 ########################################
3114 ## Read and write a user domain tty.
3116 ## <param name="domain">
3118 ## Domain allowed access.
3122 interface(`userdom_use_user_ttys',`
3124 type user_tty_device_t;
# Full terminal access. Prefer userdom_use_inherited_user_ttys() when the
# tty is handed to the domain as an already-open descriptor.
3127 allow $1 user_tty_device_t:chr_file rw_term_perms;
3130 ########################################
3132 ## Read and write an inherited user domain tty.
3134 ## <param name="domain">
3136 ## Domain allowed access.
3140 interface(`userdom_use_inherited_user_ttys',`
3142 type user_tty_device_t;
# Per its name, rw_inherited_term_perms is the narrower variant for an already-open tty.
3145 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3148 ########################################
3150 ## Read and write a user domain pty.
3152 ## <param name="domain">
3154 ## Domain allowed access.
3158 interface(`userdom_use_user_ptys',`
# Full terminal access. Prefer userdom_use_inherited_user_ptys() when the
# pty is handed to the domain as an already-open descriptor.
3163 allow $1 user_devpts_t:chr_file rw_term_perms;
3166 ########################################
3168 ## Read and write an inherited user domain pty.
3170 ## <param name="domain">
3172 ## Domain allowed access.
3176 interface(`userdom_use_inherited_user_ptys',`
# Per its name, rw_inherited_term_perms is the narrower variant for an already-open pty.
3181 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3184 ########################################
3186 ## Read and write inherited user TTYs and PTYs.
3190 ## Allow the specified domain to read and write inherited user
3191 ## TTYs and PTYs. This will allow the domain to
3192 ## interact with the user via the terminal. Typically
3193 ## all interactive applications will require this interface.
3197 ## <param name="domain">
3199 ## Domain allowed access.
3202 ## <infoflow type="both" weight="10"/>
3204 interface(`userdom_use_inherited_user_terminals',`
3206 type user_tty_device_t, user_devpts_t;
# Combines the inherited tty and pty interfaces above into one grant.
3209 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3210 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3213 #######################################
3215 ## Read and write
3216 ## a user domain tty and pty.
3218 ## <param name="domain">
3220 ## Domain allowed access.
3224 interface(`userdom_use_user_terminals',`
3226 type user_tty_device_t, user_devpts_t;
3229 allow $1 user_tty_device_t:chr_file rw_term_perms;
3230 allow $1 user_devpts_t:chr_file rw_term_perms;
3233 ########################################
3235 ## Do not audit attempts to read and write
3236 ## a user domain tty and pty.
3238 ## <param name="domain">
3240 ## Domain to not audit.
3244 interface(`userdom_dontaudit_use_user_terminals',`
3246 type user_tty_device_t, user_devpts_t;
3249 dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
3250 dontaudit $1 user_devpts_t:chr_file rw_term_perms;
3254 ########################################
3256 ## Get attributes of user domain tty and pty.
3258 ## <param name="domain">
3260 ## Domain allowed access.
3264 interface(`userdom_getattr_user_terminals',`
3266 type user_tty_device_t, user_devpts_t;
3269 allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
3272 ########################################
3274 ## Execute a shell in all user domains. This
3275 ## is an explicit transition, requiring the
3276 ## caller to use setexeccon().
3278 ## <param name="domain">
3280 ## Domain allowed to transition.
3284 interface(`userdom_spec_domtrans_all_users',`
3286 attribute userdomain;
3289 corecmd_shell_spec_domtrans($1, userdomain)
3290 allow userdomain $1:fd use;
3291 allow userdomain $1:fifo_file rw_file_perms;
3292 allow userdomain $1:process sigchld;
3295 ########################################
3297 ## Execute an Xserver session in all unprivileged user domains. This
3298 ## is an explicit transition, requiring the
3299 ## caller to use setexeccon().
3301 ## <param name="domain">
3303 ## Domain allowed to transition.
3307 interface(`userdom_xsession_spec_domtrans_all_users',`
3309 attribute userdomain;
3312 xserver_xsession_spec_domtrans($1, userdomain)
3313 allow userdomain $1:fd use;
3314 allow userdomain $1:fifo_file rw_file_perms;
3315 allow userdomain $1:process sigchld;
3318 ########################################
3320 ## Execute a shell in all unprivileged user domains. This
3321 ## is an explicit transition, requiring the
3322 ## caller to use setexeccon().
3324 ## <param name="domain">
3326 ## Domain allowed to transition.
3330 interface(`userdom_spec_domtrans_unpriv_users',`
3332 attribute unpriv_userdomain;
3335 corecmd_shell_spec_domtrans($1, unpriv_userdomain)
3336 allow unpriv_userdomain $1:fd use;
3337 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3338 allow unpriv_userdomain $1:process sigchld;
3341 ########################################
3343 ## Execute an Xserver session in all unprivileged user domains. This
3344 ## is an explicit transition, requiring the
3345 ## caller to use setexeccon().
3347 ## <param name="domain">
3349 ## Domain allowed to transition.
3353 interface(`userdom_xsession_spec_domtrans_unpriv_users',`
3355 attribute unpriv_userdomain;
3358 xserver_xsession_spec_domtrans($1, unpriv_userdomain)
3359 allow unpriv_userdomain $1:fd use;
3360 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3361 allow unpriv_userdomain $1:process sigchld;
3364 ########################################
3366 ## Manage unprivileged user SysV semaphores.
3368 ## <param name="domain">
3370 ## Domain allowed access.
3374 interface(`userdom_manage_unpriv_user_semaphores',`
3376 attribute unpriv_userdomain;
3379 allow $1 unpriv_userdomain:sem create_sem_perms;
3382 ########################################
3384 ## Manage unprivileged user SysV shared
3387 ## <param name="domain">
3389 ## Domain allowed access.
3393 interface(`userdom_manage_unpriv_user_shared_mem',`
3395 attribute unpriv_userdomain;
3398 allow $1 unpriv_userdomain:shm create_shm_perms;
3401 ########################################
3403 ## Execute bin_t in the unprivileged user domains. This
3404 ## is an explicit transition, requiring the
3405 ## caller to use setexeccon().
3407 ## <param name="domain">
3409 ## Domain allowed to transition.
3413 interface(`userdom_bin_spec_domtrans_unpriv_users',`
3415 attribute unpriv_userdomain;
3418 corecmd_bin_spec_domtrans($1, unpriv_userdomain)
3419 allow unpriv_userdomain $1:fd use;
3420 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3421 allow unpriv_userdomain $1:process sigchld;
3424 ########################################
3426 ## Execute all entrypoint files in unprivileged user
3427 ## domains. This is an explicit transition, requiring the
3428 ## caller to use setexeccon().
3430 ## <param name="domain">
3432 ## Domain allowed access.
3436 interface(`userdom_entry_spec_domtrans_unpriv_users',`
3438 attribute unpriv_userdomain;
3441 domain_entry_file_spec_domtrans($1, unpriv_userdomain)
3442 allow unpriv_userdomain $1:fd use;
3443 allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
3444 allow unpriv_userdomain $1:process sigchld;
3447 ########################################
3449 ## Search users home directories.
3451 ## <param name="domain">
3453 ## Domain allowed access.
3457 interface(`userdom_search_user_home_content',`
3459 type user_home_dir_t;
3460 attribute user_home_type;
3464 allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
3465 allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
3468 ########################################
3470 ## Send general signals to unprivileged user domains.
3472 ## <param name="domain">
3474 ## Domain allowed access.
3478 interface(`userdom_signal_unpriv_users',`
3480 attribute unpriv_userdomain;
3483 allow $1 unpriv_userdomain:process signal;
3486 ########################################
3488 ## Inherit the file descriptors from unprivileged user domains.
3490 ## <param name="domain">
3492 ## Domain allowed access.
3496 interface(`userdom_use_unpriv_users_fds',`
3498 attribute unpriv_userdomain;
3501 allow $1 unpriv_userdomain:fd use;
3504 ########################################
3506 ## Do not audit attempts to inherit the file descriptors
3507 ## from unprivileged user domains.
3511 ## Do not audit attempts to inherit the file descriptors
3512 ## from unprivileged user domains. This will suppress
3513 ## SELinux denial messages when the specified domain is denied
3514 ## the permission to inherit these file descriptors.
3517 ## <param name="domain">
3519 ## Domain to not audit.
3522 ## <infoflow type="none"/>
3524 interface(`userdom_dontaudit_use_unpriv_user_fds',`
3526 attribute unpriv_userdomain;
3529 dontaudit $1 unpriv_userdomain:fd use;
3532 ########################################
3534 ## Do not audit attempts to use user ptys.
3536 ## <param name="domain">
3538 ## Domain to not audit.
3542 interface(`userdom_dontaudit_use_user_ptys',`
3547 dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
3550 ########################################
3552 ## Relabel files to unprivileged user pty types.
3554 ## <param name="domain">
3556 ## Domain allowed access.
3560 interface(`userdom_relabelto_user_ptys',`
3565 allow $1 user_devpts_t:chr_file relabelto;
3568 ########################################
3570 ## Do not audit attempts to relabel files from
3573 ## <param name="domain">
3575 ## Domain to not audit.
3579 interface(`userdom_dontaudit_relabelfrom_user_ptys',`
3584 dontaudit $1 user_devpts_t:chr_file relabelfrom;
3587 ########################################
3589 ## Write all users files in /tmp
3591 ## <param name="domain">
3593 ## Domain allowed access.
3597 interface(`userdom_write_user_tmp_files',`
3602 write_files_pattern($1, user_tmp_t, user_tmp_t)
3605 ########################################
3607 ## Do not audit attempts to write users
3610 ## <param name="domain">
3612 ## Domain to not audit.
3616 interface(`userdom_dontaudit_write_user_tmp_files',`
3621 dontaudit $1 user_tmp_t:file write;
3624 ########################################
3626 ## Do not audit attempts to read/write users
3627 ## temporary fifo files.
3629 ## <param name="domain">
3631 ## Domain to not audit.
3635 interface(`userdom_dontaudit_rw_user_tmp_pipes',`
3640 dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
3643 ########################################
3645 ## Do not audit attempts to use user ttys.
3647 ## <param name="domain">
3649 ## Domain to not audit.
3653 interface(`userdom_dontaudit_use_user_ttys',`
3655 type user_tty_device_t;
3658 dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
3661 ########################################
3663 ## Read the process state of all user domains.
3665 ## <param name="domain">
3667 ## Domain allowed access.
3671 interface(`userdom_read_all_users_state',`
3673 attribute userdomain;
3676 read_files_pattern($1, userdomain, userdomain)
3677 read_lnk_files_pattern($1,userdomain,userdomain)
3678 kernel_search_proc($1)
3681 ########################################
3683 ## Get the attributes of all user domains.
3685 ## <param name="domain">
3687 ## Domain allowed access.
3691 interface(`userdom_getattr_all_users',`
3693 attribute userdomain;
3696 allow $1 userdomain:process getattr;
3699 ########################################
3701 ## Inherit the file descriptors from all user domains
3703 ## <param name="domain">
3705 ## Domain allowed access.
3709 interface(`userdom_use_all_users_fds',`
3711 attribute userdomain;
3714 allow $1 userdomain:fd use;
3717 ########################################
3719 ## Do not audit attempts to inherit the file
3720 ## descriptors from any user domains.
3722 ## <param name="domain">
3724 ## Domain to not audit.
3728 interface(`userdom_dontaudit_use_all_users_fds',`
3730 attribute userdomain;
3733 dontaudit $1 userdomain:fd use;
3736 ########################################
3738 ## Send general signals to all user domains.
3740 ## <param name="domain">
3742 ## Domain allowed access.
3746 interface(`userdom_signal_all_users',`
3748 attribute userdomain;
3751 allow $1 userdomain:process signal;
3754 ########################################
3756 ## Send kill signals to all user domains.
3758 ## <param name="domain">
3760 ## Domain allowed access.
3764 interface(`userdom_kill_all_users',`
3766 attribute userdomain;
3769 allow $1 userdomain:process sigkill;
3772 ########################################
3774 ## Send a SIGCHLD signal to all user domains.
3776 ## <param name="domain">
3778 ## Domain allowed access.
3782 interface(`userdom_sigchld_all_users',`
3784 attribute userdomain;
3787 allow $1 userdomain:process sigchld;
3790 ########################################
3792 ## Create keys for all user domains.
3794 ## <param name="domain">
3796 ## Domain allowed access.
3800 interface(`userdom_create_all_users_keys',`
3802 attribute userdomain;
3805 allow $1 userdomain:key create;
3808 ########################################
3810 ## Send a dbus message to all user domains.
3812 ## <param name="domain">
3814 ## Domain allowed access.
3818 interface(`userdom_dbus_send_all_users',`
3820 attribute userdomain;
3821 class dbus send_msg;
3824 allow $1 userdomain:dbus send_msg;
3827 ########################################
3829 ## Allow user domains to inherit resource limits (rlimitinh) from the domain.
3831 ## <param name="domain">
3833 ## Domain allowed access.
3837 interface(`userdom_set_rlimitnh',`
3839 attribute userdomain;
3842 allow $1 userdomain:process rlimitinh;
3845 ########################################
3847 ## Make the specified type an unprivileged user domain type.
3849 ## <param name="domain">
3851 ## Domain allowed access.
3854 ## <param name="userdomain_prefix">
3856 ## The prefix of the user domain (e.g., user
3857 ## is the prefix for user_t).
3860 ## <param name="domain">
3862 ## The type to mark as an unprivileged user domain type.
3866 template(`userdom_unpriv_usertype',`
3868 attribute unpriv_userdomain, userdomain;
3869 attribute $1_usertype;
3871 typeattribute $2 $1_usertype;
3872 typeattribute $2 unpriv_userdomain;
3873 typeattribute $2 userdomain;
3875 ubac_constrained($2)
3878 ########################################
3880 ## Connect to users over an unix stream socket.
3882 ## <param name="domain">
3884 ## Domain allowed access.
3888 interface(`userdom_stream_connect',`
3891 attribute userdomain;
3894 stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
3897 ########################################
3899 ## Ptrace user domains.
3901 ## <param name="domain">
3903 ## Domain allowed access.
3907 interface(`userdom_ptrace_all_users',`
3909 attribute userdomain;
3912 allow $1 userdomain:process ptrace;
3915 ########################################
3917 ## Do not audit attempts to search /root.
3919 ## <param name="domain">
3921 ## Domain to not audit.
3925 interface(`userdom_dontaudit_search_admin_dir',`
3930 dontaudit $1 admin_home_t:dir search_dir_perms;
3933 ########################################
3935 ## Do not audit attempts to list /root.
3937 ## <param name="domain">
3939 ## Domain to not audit.
3943 interface(`userdom_dontaudit_list_admin_dir',`
3948 dontaudit $1 admin_home_t:dir list_dir_perms;
3951 ########################################
3953 ## Allow domain to list /root
3955 ## <param name="domain">
3957 ## Domain allowed access.
3961 interface(`userdom_list_admin_dir',`
3966 allow $1 admin_home_t:dir list_dir_perms;
3969 ########################################
3971 ## Allow searching /root.
3973 ## <param name="domain">
3975 ## Domain allowed access.
3979 interface(`userdom_search_admin_dir',`
3984 allow $1 admin_home_t:dir search_dir_perms;
3987 ########################################
3989 ## Read and write unprivileged user SysV semaphores.
3991 ## <param name="domain">
3993 ## Domain allowed access.
3997 interface(`userdom_rw_semaphores',`
3999 attribute unpriv_userdomain;
4002 allow $1 unpriv_userdomain:sem rw_sem_perms;
4005 ########################################
4007 ## Send a message to unpriv users over a unix domain
4010 ## <param name="domain">
4012 ## Domain allowed access.
4016 interface(`userdom_dgram_send',`
4018 attribute unpriv_userdomain;
4021 allow $1 unpriv_userdomain:unix_dgram_socket sendto;
4024 ######################################
4026 ## Send a message to users over a unix domain
4029 ## <param name="domain">
4031 ## Domain allowed access.
4035 interface(`userdom_users_dgram_send',`
4037 attribute userdomain;
4040 allow $1 userdomain:unix_dgram_socket sendto;
4043 #######################################
4045 ## Allow execmod on files in the home directory.
4047 ## <param name="domain">
4049 ## Domain allowed access.
4054 interface(`userdom_execmod_user_home_files',`
4056 type user_home_type;
4059 allow $1 user_home_type:file execmod;
4062 ########################################
4064 ## Read admin home files.
4066 ## <param name="domain">
4068 ## Domain allowed access.
4073 interface(`userdom_read_admin_home_files',`
4078 read_files_pattern($1, admin_home_t, admin_home_t)
4081 ########################################
4083 ## Execute admin home files.
4085 ## <param name="domain">
4087 ## Domain allowed access.
4092 interface(`userdom_exec_admin_home_files',`
4097 exec_files_pattern($1, admin_home_t, admin_home_t)
4100 ########################################
4102 ## Append to inherited files
4103 ## in the /root directory.
4105 ## <param name="domain">
4107 ## Domain allowed access.
4111 interface(`userdom_inherit_append_admin_home_files',`
4116 allow $1 admin_home_t:file { getattr append };
4120 #######################################
4122 ## Manage all files/directories in the homedir
4124 ## <param name="userdomain">
4131 interface(`userdom_manage_user_home_content',`
4133 type user_home_dir_t, user_home_t;
4134 attribute user_home_type;
4138 manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
4139 manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
4140 manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
4141 manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
4142 manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
4143 filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
4148 ########################################
4150 ## Create objects in a user home directory
4151 ## with an automatic type transition to
4152 ## the user home file type.
4154 ## <param name="domain">
4156 ## Domain allowed access.
4159 ## <param name="object_class">
4161 ## The class of the object to be created.
4165 interface(`userdom_user_home_dir_filetrans_pattern',`
4167 type user_home_dir_t, user_home_t;
4170 type_transition $1 user_home_dir_t:$2 user_home_t;
4173 ########################################
4175 ## Create objects in the /root directory
4176 ## with an automatic type transition to
4177 ## a specified private type.
4179 ## <param name="domain">
4181 ## Domain allowed access.
4184 ## <param name="private_type">
4186 ## The type of the object to create.
4189 ## <param name="object_class">
4191 ## The class of the object to be created.
4195 interface(`userdom_admin_home_dir_filetrans',`
4200 filetrans_pattern($1, admin_home_t, $2, $3, $4)
4203 ########################################
4205 ## Send signull to unprivileged user domains.
4207 ## <param name="domain">
4209 ## Domain allowed access.
4213 interface(`userdom_signull_unpriv_users',`
4215 attribute unpriv_userdomain;
4218 allow $1 unpriv_userdomain:process signull;
4221 ########################################
4223 ## Write all users files in /tmp. Despite the interface name, this grants write on user_tmp_t files, not directories.
4225 ## <param name="domain">
4227 ## Domain allowed access.
4231 interface(`userdom_write_user_tmp_dirs',`
4236 write_files_pattern($1, user_tmp_t, user_tmp_t)
4239 ########################################
4241 ## Manage keys for all user domains.
4243 ## <param name="domain">
4245 ## Domain allowed access.
4249 interface(`userdom_manage_all_users_keys',`
4251 attribute userdomain;
4254 allow $1 userdomain:key manage_key_perms;
4258 ########################################
4260 ## Do not audit attempts to read and write
4261 ## userdomain stream socket.
4263 ## <param name="domain">
4265 ## Domain to not audit.
4269 interface(`userdom_dontaudit_rw_stream',`
4271 attribute userdomain;
4274 dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
4277 ########################################
4279 ## Do not audit attempts to read and write
4280 ## userdomain datagram socket.
4282 ## <param name="domain">
4284 ## Domain to not audit.
4288 interface(`userdom_dontaudit_rw_dgram_socket',`
4290 attribute userdomain;
4293 dontaudit $1 userdomain:unix_dgram_socket { read write };
4296 ########################################
4299 ## in a user home subdirectory.
4301 ## <param name="domain">
4303 ## Domain allowed access.
4307 interface(`userdom_append_user_home_content_files',`
4309 type user_home_dir_t, user_home_t;
4312 append_files_pattern($1, user_home_t, user_home_t)
4313 allow $1 user_home_dir_t:dir search_dir_perms;
4314 files_search_home($1)
4317 ########################################
4319 ## Read inherited files
4320 ## in a user home subdirectory.
4322 ## <param name="domain">
4324 ## Domain allowed access.
4328 interface(`userdom_read_inherited_user_home_content_files',`
4330 attribute user_home_type;
4333 allow $1 user_home_type:file { getattr read };
4336 ########################################
4338 ## Append to inherited files
4339 ## in a user home subdirectory.
4341 ## <param name="domain">
4343 ## Domain allowed access.
4347 interface(`userdom_inherit_append_user_home_content_files',`
4352 allow $1 user_home_t:file { getattr append };
4355 ########################################
4357 ## Append to inherited
4358 ## user tmp files.
4360 ## <param name="domain">
4362 ## Domain allowed access.
4366 interface(`userdom_inherit_append_user_tmp_files',`
4371 allow $1 user_tmp_t:file { getattr append };
4374 ######################################
4376 ## Read audio files in the users homedir.
4378 ## <param name="domain">
4380 ## Domain allowed access.
4385 interface(`userdom_read_home_audio_files',`
4390 userdom_search_user_home_dirs($1)
4391 allow $1 audio_home_t:dir list_dir_perms;
4392 read_files_pattern($1, audio_home_t, audio_home_t)
4393 read_lnk_files_pattern($1, audio_home_t, audio_home_t)
4396 ########################################
4398 ## Do not audit attempts to write all user home content files.
4400 ## <param name="domain">
4402 ## Domain to not audit.
4406 interface(`userdom_dontaudit_write_all_user_home_content_files',`
4408 attribute user_home_type;
4411 dontaudit $1 user_home_type:file write_file_perms;
4414 ########################################
4416 ## Do not audit attempts to write all user tmp content files.
4418 ## <param name="domain">
4420 ## Domain to not audit.
4424 interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
4426 attribute user_tmp_type;
4429 dontaudit $1 user_tmp_type:file write_file_perms;
4432 ########################################
4434 ## Manage all user temporary content.
4436 ## <param name="domain">
4438 ## Domain allowed access.
4442 interface(`userdom_manage_all_user_tmp_content',`
4444 attribute user_tmp_type;
4447 manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
4448 manage_files_pattern($1, user_tmp_type, user_tmp_type)
4449 manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
4450 manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
4451 manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
4452 files_search_tmp($1)
4455 ########################################
4457 ## List all user temporary content.
4459 ## <param name="domain">
4461 ## Domain allowed access.
4465 interface(`userdom_list_all_user_tmp_content',`
4467 attribute user_tmp_type;
4470 list_dirs_pattern($1, user_tmp_type, user_tmp_type)
4471 getattr_files_pattern($1, user_tmp_type, user_tmp_type)
4472 read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
4473 getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
4474 getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
4475 files_search_var($1)
4476 files_search_tmp($1)
4479 ########################################
4481 ## Manage all user tmpfs content.
4483 ## <param name="domain">
4485 ## Domain allowed access.
4489 interface(`userdom_manage_all_user_tmpfs_content',`
4491 attribute user_tmpfs_type;
4494 manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
4495 manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
4496 manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
4497 manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
4498 manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
4502 ########################################
4504 ## Delete all user temporary content.
4506 ## <param name="domain">
4508 ## Domain allowed access.
4512 interface(`userdom_delete_all_user_tmp_content',`
4514 attribute user_tmp_type;
4517 delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
4518 delete_files_pattern($1, user_tmp_type, user_tmp_type)
4519 delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
4520 delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
4521 delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
4523 files_search_var($1)
4524 files_delete_tmp_dir_entry($1)
4527 ########################################
4529 ## Read system SSL certificates in the users homedir.
4531 ## <param name="domain">
4533 ## Domain allowed access.
4537 interface(`userdom_read_home_certs',`
4542 userdom_search_user_home_content($1)
4543 allow $1 home_cert_t:dir list_dir_perms;
4544 read_files_pattern($1, home_cert_t, home_cert_t)
4545 read_lnk_files_pattern($1, home_cert_t, home_cert_t)
4548 #######################################
4550 ## Do not audit attempts to write system SSL certificates in the users homedir.
4552 ## <param name="domain">
4554 ## Domain to not audit.
4558 interface(`userdom_dontaudit_write_home_certs',`
4563 dontaudit $1 home_cert_t:file write;
4566 ########################################
4568 ## Do not audit attempts to get the attributes of /root files.
4570 ## <param name="domain">
4572 ## Domain to not audit.
4576 interface(`userdom_dontaudit_getattr_admin_home_files',`
4581 dontaudit $1 admin_home_t:file getattr;
4584 ########################################
4586 ## Do not audit attempts to read /root symbolic links.
4588 ## <param name="domain">
4590 ## Domain to not audit.
4594 interface(`userdom_dontaudit_read_admin_home_lnk_files',`
4599 dontaudit $1 admin_home_t:lnk_file read;
4602 ########################################
4604 ## Do not audit attempts to read /root files.
4606 ## <param name="domain">
4608 ## Domain to not audit.
4612 interface(`userdom_dontaudit_read_admin_home_files',`
4617 dontaudit $1 admin_home_t:file read_file_perms;
4620 ########################################
4622 ## Create, read, write, and delete user
4623 ## temporary chr files.
4625 ## <param name="domain">
4627 ## Domain allowed access.
4631 interface(`userdom_manage_user_tmp_chr_files',`
4636 manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
4637 files_search_tmp($1)
4640 ########################################
4642 ## Create, read, write, and delete user
4643 ## temporary blk files.
4645 ## <param name="domain">
4647 ## Domain allowed access.
4651 interface(`userdom_manage_user_tmp_blk_files',`
4656 manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
4657 files_search_tmp($1)
4660 ########################################
4662 ## Do not audit attempts to set attributes on user temporary directories.
4664 ## <param name="domain">
4666 ## Domain to not audit.
4670 interface(`userdom_dontaudit_setattr_user_tmp',`
4675 dontaudit $1 user_tmp_t:dir setattr;
4678 ########################################
4680 ## Write all inherited users files in /tmp
4682 ## <param name="domain">
4684 ## Domain allowed access.
4688 interface(`userdom_write_inherited_user_tmp_files',`
4693 allow $1 user_tmp_t:file write;
4696 ########################################
4698 ## Delete all users files in /tmp
4700 ## <param name="domain">
4702 ## Domain allowed access.
4706 interface(`userdom_delete_user_tmp_files',`
4711 allow $1 user_tmp_t:file delete_file_perms;
4714 ########################################
4716 ## Delete user tmpfs files.
4718 ## <param name="domain">
4720 ## Domain allowed access.
4724 interface(`userdom_delete_user_tmpfs_files',`
4729 allow $1 user_tmpfs_t:file delete_file_perms;
4732 ########################################
4734 ## Read/Write unprivileged user SysV shared
4737 ## <param name="domain">
4739 ## Domain allowed access.
4743 interface(`userdom_rw_unpriv_user_shared_mem',`
4745 attribute unpriv_userdomain;
4748 allow $1 unpriv_userdomain:shm rw_shm_perms;
4751 ########################################
4753 ## Do not audit attempts to search user
4754 ## temporary directories.
4756 ## <param name="domain">
4758 ## Domain to not audit.
4762 interface(`userdom_dontaudit_search_user_tmp',`
4767 dontaudit $1 user_tmp_t:dir search_dir_perms;
4770 ########################################
4772 ## Execute a file in a user home directory
4773 ## in the specified domain.
4777 ## Execute a file in a user home directory
4778 ## in the specified domain.
4781 ## No interprocess communication (signals, pipes,
4782 ## etc.) is provided by this interface since
4783 ## the domains are not owned by this module.
4786 ## <param name="domain">
4788 ## Domain allowed access.
4791 ## <param name="target_domain">
4793 ## The type of the new process.
4797 interface(`userdom_domtrans_user_home',`
4802 read_lnk_files_pattern($1, user_home_t, user_home_t)
4803 domain_transition_pattern($1, user_home_t, $2)
4804 type_transition $1 user_home_t:process $2;
4807 ########################################
4809 ## Execute a file in a user tmp directory
4810 ## in the specified domain.
4814 ## Execute a file in a user tmp directory
4815 ## in the specified domain.
4818 ## No interprocess communication (signals, pipes,
4819 ## etc.) is provided by this interface since
4820 ## the domains are not owned by this module.
4823 ## <param name="domain">
4825 ## Domain allowed access.
4828 ## <param name="target_domain">
4830 ## The type of the new process.
4834 interface(`userdom_domtrans_user_tmp',`
4839 files_search_tmp($1)
4840 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
4841 domain_transition_pattern($1, user_tmp_t, $2)
4842 type_transition $1 user_tmp_t:process $2;
4845 ########################################
4847 ## Do not audit attempts to read all user home content files.
4849 ## <param name="domain">
4851 ## Domain to not audit.
4855 interface(`userdom_dontaudit_read_all_user_home_content_files',`
4857 attribute user_home_type;
4860 dontaudit $1 user_home_type:file read_file_perms;
4863 ########################################
4865 ## Do not audit attempts to read all user tmp content files.
4867 ## <param name="domain">
4869 ## Domain to not audit.
4873 interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
4875 attribute user_tmp_type;
4878 dontaudit $1 user_tmp_type:file read_file_perms;
4881 #######################################
4883 ## Read and write unprivileged user SysV semaphores.
4885 ## <param name="domain">
4887 ## Domain allowed access.
4891 interface(`userdom_rw_unpriv_user_semaphores',`
4893 attribute unpriv_userdomain;
4896 allow $1 unpriv_userdomain:sem rw_sem_perms;