1 ## <summary>Policy for user domains</summary>
2
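#######################################
## <summary>
##	The template containing the most basic rules common to all users.
## </summary>
## <desc>
##	<p>
##	The template containing the most basic rules common to all users.
##	</p>
##	<p>
##	This template creates a user domain, the prefix_file_type and
##	prefix_usertype attributes, and rules for the user's tty and pty.
##	</p>
##	<p>
##	The user domain is itself a member of the prefix_usertype
##	attribute, so every rule granted to that attribute here also
##	applies to the user domain, and every application domain later
##	attached to the attribute inherits the same access (including
##	the mutual ptrace and signal permissions).
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_base_user_template',`

	gen_require(`
		attribute userdomain;
		type user_devpts_t, user_tty_device_t;
		class context contains;
	')

	attribute $1_file_type;
	attribute $1_usertype;

	# The user domain carries the usertype attribute, so rules on
	# the attribute below cover the domain too.
	type $1_t, userdomain, $1_usertype;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)
	ubac_constrained($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	term_user_pty($1_t, user_devpts_t)

	term_user_tty($1_t, user_tty_device_t)
	term_dontaudit_getattr_generic_ptys($1_t)

	# Every domain in the usertype attribute may ptrace, signal and
	# share state with every other one, the user domain included.
	# Attaching an application domain to the attribute therefore
	# gives it debugger-level access to the user shell.
	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
	allow $1_usertype $1_usertype:fd use;
	# Kernel keyrings of the user domain are usable by the whole
	# usertype attribute.
	allow $1_usertype $1_t:key { create view read write search link setattr };

	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
	allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_usertype $1_usertype:shm create_shm_perms;
	allow $1_usertype $1_usertype:sem create_sem_perms;
	allow $1_usertype $1_usertype:msgq create_msgq_perms;
	allow $1_usertype $1_usertype:msg { send receive };
	allow $1_usertype $1_usertype:context contains;
	dontaudit $1_usertype $1_usertype:socket create;

	allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
	term_create_pty($1_usertype, user_devpts_t)
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_devpts_t:chr_file ioctl;

	allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_tty_device_t:chr_file ioctl;

	application_exec_all($1_usertype)

	kernel_read_kernel_sysctls($1_usertype)
	kernel_read_all_sysctls($1_usertype)
	# Unlabeled objects and /proc: silence stat and readdir denials
	# instead of granting access.
	kernel_dontaudit_list_unlabeled($1_usertype)
	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
	kernel_dontaudit_list_proc($1_usertype)

	dev_dontaudit_getattr_all_blk_files($1_usertype)
	dev_dontaudit_getattr_all_chr_files($1_usertype)
	dev_getattr_mtrr_dev($1_t)

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_usertype)
	domain_dontaudit_getattr_all_domains($1_usertype)
	domain_dontaudit_getsession_all_domains($1_usertype)
	dev_dontaudit_all_access_check($1_usertype)

	files_read_etc_files($1_usertype)
	files_list_mnt($1_usertype)
	# Listing of /var directories only; reading var file content is
	# granted separately in userdom_common_user_template().
	files_list_var($1_usertype)
	files_read_mnt_files($1_usertype)
	files_dontaudit_access_check_mnt($1_usertype)
	files_read_etc_runtime_files($1_usertype)
	files_read_usr_files($1_usertype)
	files_read_usr_src_files($1_usertype)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_usertype)
	files_read_world_readable_files($1_usertype)
	files_read_world_readable_symlinks($1_usertype)
	files_read_world_readable_pipes($1_usertype)
	files_read_world_readable_sockets($1_usertype)
	# old browser_domain():
	files_dontaudit_getattr_all_dirs($1_usertype)
	files_dontaudit_list_non_security($1_usertype)
	files_dontaudit_getattr_all_files($1_usertype)
	files_dontaudit_getattr_non_security_symlinks($1_usertype)
	files_dontaudit_getattr_non_security_pipes($1_usertype)
	files_dontaudit_getattr_non_security_sockets($1_usertype)
	files_dontaudit_setattr_etc_runtime_files($1_usertype)

	# Granted to the user domain only, not to the usertype attribute.
	files_exec_usr_files($1_t)

	# fs is a core module, so no optional_policy wrapper is needed
	# around cgroup access.
	fs_list_cgroup_dirs($1_usertype)
	fs_dontaudit_rw_cgroup_files($1_usertype)

	storage_rw_fuse($1_usertype)

	auth_use_nsswitch($1_usertype)

	init_stream_connect($1_usertype)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_rw_utmp($1_usertype)

	libs_exec_ld_so($1_usertype)

	# Audit record submission is limited to the user domain itself.
	logging_send_audit_msgs($1_t)

	miscfiles_read_generic_certs($1_t)

	# These apply to the user domain as well through the usertype
	# attribute, so no separate user domain call is needed.
	miscfiles_read_all_certs($1_usertype)
	miscfiles_read_localization($1_usertype)
	miscfiles_read_man_pages($1_usertype)
	miscfiles_read_public_files($1_usertype)

	tunable_policy(`allow_execmem',`
		# Allow writable and executable anonymous memory, which
		# JIT compilers and some DSOs or plugins need.
		allow $1_t self:process execmem;
	')

	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		# Requires allow_execmem as well, so allow_execstack
		# on its own grants nothing here.
		allow $1_t self:process execstack;
	')

	optional_policy(`
		abrt_stream_connect($1_usertype)
	')

	optional_policy(`
		ssh_rw_stream_sockets($1_usertype)
		ssh_delete_tmp($1_t)
		ssh_signal($1_t)
	')
')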
170
#######################################
## <summary>
##	Allow a home directory for which the
##	role has read-only access.
## </summary>
## <desc>
##	<p>
##	Authorize the role for the user home directory types and
##	give the domain read-only access to the home directory
##	tree: listing directories and reading files, symlinks,
##	named pipes and named sockets.
##	</p>
##	<p>
##	This does not allow execute access.  Files in the home
##	directory may, however, serve as entry points into the
##	domain.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_ro_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	role $1 types { user_home_t user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# read-only home directory: the domain may list and read,
	# never create, modify or relabel.
	files_list_home($2)
	allow $2 { user_home_dir_t user_home_t }:dir list_dir_perms;
	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)

	# Any user_home_t file may be the entry point of a transition
	# into the domain.
	allow $2 user_home_t:file entrypoint;
')
222
#######################################
## <summary>
##	Allow a home directory for which the
##	role has full access.
## </summary>
## <desc>
##	<p>
##	Authorize the role for the user home directory types and
##	give the domain full control of the home directory tree:
##	creating, deleting and relabeling directories, files,
##	symlinks, named pipes and named sockets of every type
##	carrying the user_home_type attribute.
##	</p>
##	<p>
##	This does not allow execute access.  When the NFS or Samba
##	home directory booleans are on, the same management access
##	(plus mount and mounton) is extended to nfs_t / cifs_t.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
		attribute user_home_type;
	')

	role $1 types { user_home_type user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# full control of the home directory
	files_list_home($2)
	allow $2 user_home_t:file entrypoint;
	allow $2 user_home_t:dir mounton;
	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;

	# Relabeling is permitted between any two user_home_type
	# types, for every object class.
	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };

	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })

	# cjp: this should probably be removed:
	# Grants rename, delete and relabel of the home directory
	# entry itself (user_home_dir_t), not only of its contents.
	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

	# Network home directories: note that these booleans also
	# grant mount and mounton, not just content management.
	tunable_policy(`use_nfs_home_dirs',`
		fs_mount_nfs($2)
		fs_mounton_nfs($2)
		fs_manage_nfs_dirs($2)
		fs_manage_nfs_files($2)
		fs_manage_nfs_symlinks($2)
		fs_manage_nfs_named_sockets($2)
		fs_manage_nfs_named_pipes($2)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_mount_cifs($2)
		fs_mounton_cifs($2)
		fs_manage_cifs_dirs($2)
		fs_manage_cifs_files($2)
		fs_manage_cifs_symlinks($2)
		fs_manage_cifs_named_sockets($2)
		fs_manage_cifs_named_pipes($2)
	')
')
306
#######################################
## <summary>
##	Manage user temporary files
## </summary>
## <desc>
##	<p>
##	Authorize the role for user_tmp_t and give the domain full
##	control (create, delete, relabel) of every type carrying
##	the user_tmp_type attribute, with new objects created in
##	/tmp labeled user_tmp_t.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_tmp_role',`
	gen_require(`
		attribute user_tmp_type;
		type user_tmp_t;
	')

	# Role authorization covers the concrete type; the access
	# rules below cover every type in the user_tmp_type attribute.
	role $1 types user_tmp_t;

	files_poly_member_tmp($2, user_tmp_t)
	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })

	# full control, including relabeling between user tmp types
	manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
	manage_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
')
345
#######################################
## <summary>
##	Dontaudit search of user bin dirs.
## </summary>
## <desc>
##	<p>
##	Suppress audit messages for directory searches of
##	home_bin_t.  No access is granted; the denial is
##	only silenced.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_bin_dirs',`
	gen_require(`
		type home_bin_t;
	')

	# silence only; search is still denied
	dontaudit $1 home_bin_t:dir { search_dir_perms };
')
363
#######################################
## <summary>
##	Execute user bin files.
## </summary>
## <desc>
##	<p>
##	Allow the domain to search home directories and execute
##	home_bin_t files found under the user home directory tree
##	(user_home_dir_t and any user_home_type type) without a
##	domain transition.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_exec_user_bin_files',`
	gen_require(`
		attribute user_home_type;
		type home_bin_t, user_home_dir_t;
	')

	files_search_home($1)
	# user-writable executables run in the calling domain
	exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
')
383
#######################################
## <summary>
##	Execute user temporary files.
## </summary>
## <desc>
##	<p>
##	Allow the domain to search /tmp and execute user_tmp_t
##	files in the calling domain (no transition).  Attempts to
##	execute user_tmp_t named sockets are silenced rather than
##	allowed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_exec_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	# user-writable executables run in the calling domain
	exec_files_pattern($1, user_tmp_t, user_tmp_t)
	# silence only; execute on sockets stays denied
	dontaudit $1 user_tmp_t:sock_file { execute };
')
404
#######################################
## <summary>
##	Role access for the user tmpfs type
##	that the user has full access.
## </summary>
## <desc>
##	<p>
##	Authorize the role for user_tmpfs_t and give the domain
##	full control (create, delete, relabel) of every type
##	carrying the user_tmpfs_type attribute, with new objects
##	created on tmpfs labeled user_tmpfs_t.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_manage_tmpfs_role',`
	gen_require(`
		attribute user_tmpfs_type;
		type user_tmpfs_t;
	')

	# Role authorization covers the concrete type; the access
	# rules below cover every type in the user_tmpfs_type attribute.
	role $1 types user_tmpfs_t;

	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })

	# full control, including relabeling between user tmpfs types
	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
')
451
#######################################
## <summary>
##	The interface allowing the user basic
##	network permissions
## </summary>
## <desc>
##	<p>
##	Generic TCP and UDP client access: the domain may create
##	its own sockets, send and receive on generic interfaces
##	and nodes, send and receive on all ports, and connect to
##	all TCP ports.  No per-port restriction is applied.
##	</p>
## </desc>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_basic_networking',`

	# Generic client sockets for the domain itself.
	allow $1 self:udp_socket create_socket_perms;
	allow $1 self:tcp_socket create_stream_socket_perms;

	# Unlabeled and netlabel traffic is accepted and there is no
	# per-port restriction: the domain may send, receive and
	# connect on every port.  Callers that need a tighter egress
	# policy should not use this interface.
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_tcp_connect_all_ports($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_all_ports($1)
	corenet_sendrecv_all_client_packets($1)

	optional_policy(`
		ipsec_match_default_spd($1)
	')

	optional_policy(`
		init_tcp_recvfrom_all_daemons($1)
		init_udp_recvfrom_all_daemons($1)
	')
')
490
#######################################
## <summary>
##	The template for creating a user xwindows client. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated: emits a build warning and is kept only for
##	compatibility.  New policy should call xserver_role()
##	instead.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_xwindows_client_template',`
	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
	gen_require(`
		type $1_t, user_tmpfs_t;
	')

	# X client side: the user domain as an X domain of the xserver module.
	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
	xserver_xsession_entry_type($1_t)
	xserver_dontaudit_write_log($1_t)
	xserver_stream_connect_xdm($1_t)
	# certain apps want to read xdm.pid file
	xserver_read_xdm_pid($1_t)
	# gnome-session creates socket under /tmp/.ICE-unix/
	xserver_create_xdm_tmp_sockets($1_t)
	# Needed for escd, remove if we get escd policy
	xserver_manage_xdm_tmp_files($1_t)

	# Device access for the user domain itself (not the usertype attribute).
	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	dev_rw_xserver_misc($1_t)
	dev_rw_power_management($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)
	dev_rw_generic_usb_dev($1_t)
')
532
#######################################
## <summary>
##	The template for allowing the user to change passwords.
## </summary>
## <desc>
##	<p>
##	Grants the user domain and role the domain transitions
##	into chfn and passwd.  The rules are wrapped in an
##	optional block, so they only take effect when the
##	usermanage module is present.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_change_password_template',`
	gen_require(`
		type $1_t;
		role $1_r;
	')

	# transitions into the password-changing helpers
	optional_policy(`
		usermanage_run_passwd($1_t,$1_r)
		usermanage_run_chfn($1_t,$1_r)
	')
')
556
#######################################
## <summary>
##	The template containing rules common to unprivileged
##	users and administrative users.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, tmp, and tmpfs files.
##	</p>
##	<p>
##	This template does not itself declare the user domain,
##	role or usertype attribute; it only references them, so
##	it must be applied after a template that creates them
##	(such as userdom_base_user_template()).
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_common_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Generic TCP and UDP client access for the whole usertype
	# attribute, including connects to all ports.
	userdom_basic_networking($1_usertype)

	##############################
	#
	# User domain Local policy
	#

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
	# Receive kernel uevents; granted to the user domain only.
	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
	allow $1_t self:socket create_socket_perms;

	allow $1_usertype unpriv_userdomain:fd use;

	kernel_read_system_state($1_usertype)
	kernel_read_network_state($1_usertype)
	kernel_read_software_raid_state($1_usertype)
	kernel_read_net_sysctls($1_usertype)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_usertype)
	# Find CDROM devices:
	kernel_read_device_sysctls($1_usertype)
	# Lets any usertype domain trigger kernel module autoloading
	# (module_request), which exposes every auto-loadable module
	# on the host to unprivileged users.
	kernel_request_load_module($1_usertype)

	corenet_udp_bind_generic_node($1_usertype)
	corenet_udp_bind_generic_port($1_usertype)

	dev_read_rand($1_usertype)
	dev_write_sound($1_usertype)
	dev_read_sound($1_usertype)
	dev_read_sound_mixer($1_usertype)
	dev_write_sound_mixer($1_usertype)

	# Execute etc_t files, not only read them.
	files_exec_etc_files($1_usertype)
	files_search_locks($1_usertype)
	# Check to see if cdrom is mounted
	files_search_mnt($1_usertype)
	# cjp: perhaps should cut back on file reads:
	files_read_var_files($1_usertype)
	files_read_var_symlinks($1_usertype)
	files_read_generic_spool($1_usertype)
	files_read_var_lib_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)
	files_read_config_files($1_usertype)
	fs_read_noxattr_fs_files($1_usertype)
	fs_read_noxattr_fs_symlinks($1_usertype)
	fs_rw_cgroup_files($1_usertype)

	application_getattr_socket($1_usertype)

	logging_send_syslog_msg($1_usertype)
	# Audit record submission for the whole attribute; the base
	# template grants it to the user domain only.
	logging_send_audit_msgs($1_usertype)
	selinux_get_enforce_mode($1_usertype)

	# cjp: some of this probably can be removed
	# By their names these are read-only policy queries; none of
	# them set the enforcing mode or load policy.
	selinux_get_fs_mount($1_usertype)
	selinux_validate_context($1_usertype)
	selinux_compute_access_vector($1_usertype)
	selinux_compute_create_context($1_usertype)
	selinux_compute_relabel_context($1_usertype)
	selinux_compute_user_contexts($1_usertype)

	# for eject
	storage_getattr_fixed_disk_dev($1_usertype)

	auth_read_login_records($1_usertype)
	# Domain transitions for the user domain and role only.
	auth_run_pam($1_t,$1_r)
	auth_run_utempter($1_t,$1_r)

	init_read_utmp($1_usertype)

	seutil_read_file_contexts($1_usertype)
	seutil_read_default_contexts($1_usertype)
	seutil_run_newrole($1_t,$1_r)
	seutil_exec_checkpolicy($1_t)
	# exec rather than run: no domain transition, so any relabeling
	# setfiles performs is limited to what the calling domain may
	# itself relabel.
	seutil_exec_setfiles($1_usertype)
	# for when the network connection is killed
	# this is needed when a login role can change
	# to this one.
	seutil_dontaudit_signal_newrole($1_t)

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_usertype)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_ttys($1_t)
	')

	optional_policy(`
		alsa_read_rw_config($1_usertype)
		alsa_manage_home_files($1_t)
		alsa_relabel_home_files($1_t)
	')

	optional_policy(`
		# Allow graphical boot to check battery lifespan
		apm_stream_connect($1_usertype)
	')

	optional_policy(`
		canna_stream_connect($1_usertype)
	')

	optional_policy(`
		chrome_role($1_r, $1_usertype)
	')

	optional_policy(`
		colord_read_lib_files($1_usertype)
	')

	optional_policy(`
		dbus_system_bus_client($1_usertype)

		# Any usertype domain may send D-Bus messages to any other.
		allow $1_usertype $1_usertype:dbus send_msg;

		# Each nested block is enabled only when the corresponding
		# module is present.
		optional_policy(`
			avahi_dbus_chat($1_usertype)
		')

		optional_policy(`
			policykit_dbus_chat($1_usertype)
		')

		optional_policy(`
			bluetooth_dbus_chat($1_usertype)
		')

		optional_policy(`
			consolekit_dbus_chat($1_usertype)
			consolekit_read_log($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
		')

		optional_policy(`
			evolution_dbus_chat($1_usertype)
			evolution_alarm_dbus_chat($1_usertype)
		')

		optional_policy(`
			gnome_dbus_chat_gconfdefault($1_usertype)
		')

		optional_policy(`
			hal_dbus_chat($1_usertype)
		')

		optional_policy(`
			kde_dbus_chat_backlighthelper($1_usertype)
		')

		optional_policy(`
			modemmanager_dbus_chat($1_usertype)
		')

		optional_policy(`
			networkmanager_dbus_chat($1_usertype)
			networkmanager_read_lib_files($1_usertype)
		')

		optional_policy(`
			vpn_dbus_chat($1_usertype)
		')
	')

	optional_policy(`
		git_session_role($1_r, $1_usertype)
	')

	optional_policy(`
		inetd_use_fds($1_usertype)
		inetd_rw_tcp_sockets($1_usertype)
	')

	optional_policy(`
		inn_read_config($1_usertype)
		inn_read_news_lib($1_usertype)
		inn_read_news_spool($1_usertype)
	')

	optional_policy(`
		lircd_stream_connect($1_usertype)
	')

	optional_policy(`
		locate_read_lib_files($1_usertype)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`
		modutils_read_module_config($1_usertype)
	')

	optional_policy(`
		# Write access to the mail spool and queue for the whole
		# usertype attribute.
		mta_rw_spool($1_usertype)
		mta_manage_queue($1_usertype)
		mta_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		nsplugin_role($1_r, $1_usertype)
	')

	# Database client access is gated behind booleans; mysql is
	# limited to the user domain, postgresql covers the attribute.
	optional_policy(`
		tunable_policy(`allow_user_mysql_connect',`
			mysql_stream_connect($1_t)
		')
	')

	optional_policy(`
		oident_manage_user_content($1_t)
		oident_relabel_user_content($1_t)
	')

	optional_policy(`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_usertype)
	')

	optional_policy(`
		pcscd_read_pub_files($1_usertype)
		pcscd_stream_connect($1_usertype)
	')

	optional_policy(`
		tunable_policy(`allow_user_postgresql_connect',`
			postgresql_stream_connect($1_usertype)
			postgresql_tcp_connect($1_usertype)
		')
	')

	optional_policy(`
		resmgr_stream_connect($1_usertype)
	')

	optional_policy(`
		rpc_dontaudit_getattr_exports($1_usertype)
		rpc_manage_nfs_rw_content($1_usertype)
	')

	optional_policy(`
		rpcbind_stream_connect($1_usertype)
	')

	optional_policy(`
		samba_stream_connect_winbind($1_usertype)
	')

	# Transitions into the sandbox and seunshare domains; the
	# sandbox transition is available to the whole attribute.
	optional_policy(`
		sandbox_transition($1_usertype, $1_r)
	')

	optional_policy(`
		seunshare_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		slrnpull_search_spool($1_usertype)
	')

')
849
#######################################
## <summary>
##	The template for creating a login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	Execution of user-writable content (tmp, home, and NFS
##	or CIFS home directories) is controlled by a per-prefix
##	boolean, allow_PREFIX_exec_content, which defaults to on.
##	No such boolean is declared for the unconfined prefix.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_login_user_template', `
	gen_require(`
		class context contains;
	')

	# Base domain, attributes and tty/pty rules.
	userdom_base_user_template($1)

	# Full (non-execute) control of the home directory, tmp and
	# tmpfs content for the whole usertype attribute, not just the
	# user domain.
	userdom_manage_home_role($1_r, $1_usertype)

	userdom_manage_tmp_role($1_r, $1_usertype)
	userdom_manage_tmpfs_role($1_r, $1_usertype)

	# Execution of user-writable content is gated behind a
	# per-prefix boolean that defaults to on.  The unconfined
	# prefix gets no boolean from this template.
	ifelse(`$1',`unconfined',`',`
		gen_tunable(allow_$1_exec_content, true)

		tunable_policy(`allow_$1_exec_content',`
			userdom_exec_user_tmp_files($1_usertype)
			userdom_exec_user_home_content_files($1_usertype)
		')
		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
			fs_exec_nfs_files($1_usertype)
		')

		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
			fs_exec_cifs_files($1_usertype)
		')
	')

	userdom_change_password_template($1)

	##############################
	#
	# User domain Local policy
	#

	# setgid: change group ids; chown: change file ownership;
	# fowner: bypass the owner checks that normally require the
	# file system uid to match the file owner.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };

	# Complement set: every process permission except those listed,
	# which silently includes any permission added to the process
	# class by a newer kernel or policy.  Re-check this line whenever
	# the class grows.
	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
	dontaudit $1_t self:process setrlimit;
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	allow $1_t self:context contains;

	kernel_dontaudit_read_system_state($1_usertype)
	kernel_dontaudit_list_all_proc($1_usertype)

	dev_read_sysfs($1_usertype)
	dev_read_urand($1_usertype)

	domain_use_interactive_fds($1_usertype)
	# Command completion can fire hundreds of denials
	domain_dontaudit_exec_all_entry_files($1_usertype)

	files_dontaudit_list_default($1_usertype)
	files_dontaudit_read_default_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)

	fs_get_all_fs_quotas($1_usertype)
	fs_getattr_all_fs($1_usertype)
	fs_search_all($1_usertype)
	fs_list_inotifyfs($1_usertype)
	fs_rw_anon_inodefs_files($1_usertype)

	auth_dontaudit_write_login_records($1_t)
	auth_rw_cache($1_t)

	# NOTE(review): appears redundant with the usertype attribute
	# grant in userdom_base_user_template(), which already covers
	# the user domain.
	application_exec_all($1_t)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	# NOTE(review): likewise already granted via the usertype
	# attribute in userdom_base_user_template().
	init_dontaudit_rw_utmp($1_t)

	# Stop warnings about access to /dev/console
	init_dontaudit_use_fds($1_usertype)
	init_dontaudit_use_script_fds($1_usertype)

	# Direct execution of lib_t files in the calling domain.
	libs_exec_lib_files($1_usertype)

	logging_dontaudit_getattr_all_logs($1_usertype)

	# for running TeX programs
	miscfiles_read_tetex_data($1_usertype)
	miscfiles_exec_tetex_data($1_usertype)

	seutil_read_config($1_usertype)

	optional_policy(`
		cups_read_config($1_usertype)
		cups_stream_connect($1_usertype)
		cups_stream_connect_ptal($1_usertype)
	')

	optional_policy(`
		kerberos_use($1_usertype)
		kerberos_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		mta_dontaudit_read_spool_symlinks($1_usertype)
	')

	optional_policy(`
		quota_dontaudit_getattr_db($1_usertype)
	')

	optional_policy(`
		rpm_read_db($1_usertype)
		rpm_dontaudit_manage_db($1_usertype)
		rpm_read_cache($1_usertype)
	')

	optional_policy(`
		# Domain transition into the mkhomedir helper.
		oddjob_run_mkhomedir($1_t, $1_r)
	')
')
984
#######################################
## <summary>
##	The template for creating a unprivileged login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	On top of userdom_login_user_template() the domain is
##	marked as an unprivileged user domain and as an
##	interactive-fd domain.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# base domain, home, tmp and tmpfs rules
	userdom_login_user_template($1)

	##############################
	#
	# Local policy
	#

	# mark the domain as unprivileged and as an interactive fd domain
	domain_interactive_fd($1_t)
	typeattribute $1_t unpriv_userdomain;

	# uevent sockets are allowed; audit socket creation is only silenced
	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;

	optional_policy(`
		loadkeys_run($1_t, $1_r)
	')
')
1025
#######################################
## <summary>
##	The template for creating a unprivileged xwindows login user.
## </summary>
## <desc>
##	<p>
##	The template for creating a unprivileged xwindows login user.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	Builds on userdom_restricted_user_template() and adds
##	the X server role, sound, video and wireless device
##	access, and D-Bus access for desktop services.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_xwindows_user_template',`

	userdom_restricted_user_template($1)

	##############################
	#
	# Local policy
	#

	auth_role($1_r, $1_t)
	auth_search_pam_console_data($1_usertype)
	auth_dontaudit_read_login_records($1_usertype)

	dev_read_sound($1_usertype)
	dev_write_sound($1_usertype)
	# gnome keyring wants to read this.
	dev_dontaudit_read_rand($1_usertype)
	# temporarily allow since openoffice requires this
	# NOTE(review): the allow below makes the dontaudit above moot;
	# drop the dontaudit if the allow is meant to stay.
	dev_read_rand($1_usertype)

	dev_read_video_dev($1_usertype)
	dev_write_video_dev($1_usertype)
	dev_rw_wireless($1_usertype)

	libs_dontaudit_setattr_lib_files($1_usertype)

	# Besides noxattr and DOS file systems this boolean also grants
	# USB device access and raw read and write of removable block
	# devices; raw writes bypass file system labeling entirely.
	tunable_policy(`user_rw_noexattrfile',`
		dev_rw_usbfs($1_t)
		dev_rw_generic_usb_dev($1_usertype)

		fs_manage_noxattr_fs_files($1_usertype)
		fs_manage_noxattr_fs_dirs($1_usertype)
		fs_manage_dos_dirs($1_usertype)
		fs_manage_dos_files($1_usertype)
		storage_raw_read_removable_device($1_usertype)
		storage_raw_write_removable_device($1_usertype)
	')

	logging_send_syslog_msg($1_usertype)
	logging_dontaudit_send_audit_msgs($1_t)

	# Need to do this just so screensaver will work. Should be moved to screensaver domain
	# NOTE(review): this allow makes the dontaudit directly above
	# moot for the user domain.
	logging_send_audit_msgs($1_t)
	selinux_get_enforce_mode($1_t)
	seutil_exec_restorecond($1_t)
	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)

	xserver_restricted_role($1_r, $1_t)

	optional_policy(`
		alsa_read_rw_config($1_usertype)
	')

	# cjp: needed by KDE apps
	# bug: #682499
	optional_policy(`
		gnome_read_usr_config($1_usertype)
		gnome_role_gkeyringd($1, $1_r, $1_t)
		# cjp: telepathy F15 bugs
		telepathy_role($1_r, $1_t, $1)
	')

	optional_policy(`
		dbus_role_template($1, $1_r, $1_usertype)
		dbus_system_bus_client($1_usertype)
		# Any usertype domain may send D-Bus messages to any other.
		allow $1_usertype $1_usertype:dbus send_msg;

		optional_policy(`
			abrt_dbus_chat($1_usertype)
			# Domain transition into the abrt helper for the
			# whole usertype attribute.
			abrt_run_helper($1_usertype, $1_r)
		')

		optional_policy(`
			consolekit_dontaudit_read_log($1_usertype)
			consolekit_dbus_chat($1_usertype)
		')

		optional_policy(`
			cups_dbus_chat($1_usertype)
			cups_dbus_chat_config($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
		')

		optional_policy(`
			fprintd_dbus_chat($1_t)
		')
	')

	optional_policy(`
		openoffice_role_template($1, $1_r, $1_usertype)
	')

	optional_policy(`
		policykit_role($1_r, $1_usertype)
	')

	optional_policy(`
		pulseaudio_role($1_r, $1_usertype)
		# Creates content under the admin home as well as the
		# regular user home.
		pulseaudio_filetrans_admin_home_content($1_usertype)
		pulseaudio_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		rtkit_scheduled($1_usertype)
	')

	optional_policy(`
		setroubleshoot_dontaudit_stream_connect($1_t)
	')

	optional_policy(`
		udev_read_db($1_usertype)
	')

	optional_policy(`
		wm_role_template($1, $1_r, $1_t)
	')
')
1171
1172 #######################################
1173 ## <summary>
1174 ## The template for creating an unprivileged user roughly
1175 ## equivalent to a regular linux user.
1176 ## </summary>
1177 ## <desc>
1178 ## <p>
1179 ## The template for creating an unprivileged user roughly
1180 ## equivalent to a regular linux user.
1181 ## </p>
1182 ## <p>
1183 ## This template creates a user domain, types, and
1184 ## rules for the user's tty, pty, home directories,
1185 ## tmp, and tmpfs files.
1186 ## </p>
1187 ## </desc>
1188 ## <param name="userdomain_prefix">
1189 ## <summary>
1190 ## The prefix of the user domain (e.g., user
1191 ## is the prefix for user_t).
1192 ## </summary>
1193 ## </param>
1194 #
template(`userdom_unpriv_user_template', `

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_restricted_xwindows_user_template($1)
	userdom_common_user_template($1)

	##############################
	#
	# Local policy
	#

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
	# Need the following rule to allow users to run vpnc
	corenet_tcp_bind_xserver_port($1_t)
	corenet_tcp_bind_generic_node($1_usertype)

	storage_rw_fuse($1_t)

	files_exec_usr_files($1_t)
	# cjp: why?
	files_read_kernel_symbol_table($1_t)

	# Only when the policy is not built with MLS: execute from filesystems
	# without xattr labels, and manage them plus raw removable media when the
	# boolean is set; with the boolean off only raw read of removable media remains.
	ifndef(`enable_mls',`
		fs_exec_noxattr($1_t)

		tunable_policy(`user_rw_noexattrfile',`
			fs_manage_noxattr_fs_files($1_t)
			fs_manage_noxattr_fs_dirs($1_t)
			# Write floppies
			storage_raw_read_removable_device($1_t)
			storage_raw_write_removable_device($1_t)
		',`
			storage_raw_read_removable_device($1_t)
		')
	')

	miscfiles_read_hwdata($1_usertype)

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols

	tunable_policy(`user_share_music',`
		corenet_tcp_bind_daap_port($1_usertype)
	')

	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_all_unreserved_ports($1_usertype)
	')

	# Changing own resource limits is gated by a boolean.
	tunable_policy(`user_setrlimit',`
		allow $1_usertype self:process setrlimit;
	')

	optional_policy(`
		cdrecord_role($1_r, $1_t)
	')

	optional_policy(`
		cron_role($1_r, $1_t)
	')

	optional_policy(`
		games_rw_data($1_usertype)
	')

	optional_policy(`
		gpg_role($1_r, $1_usertype)
	')

	optional_policy(`
		gnomeclock_dbus_chat($1_t)
	')

	optional_policy(`
		gpm_stream_connect($1_usertype)
	')

	# The following role templates give this user separate domains for
	# programs that need executable memory (execmem, java, mono, wine).
	optional_policy(`
		execmem_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		java_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mono_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mount_run_fusermount($1_t, $1_r)
		mount_read_pid_files($1_t)
	')

	optional_policy(`
		wine_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		postfix_run_postdrop($1_t, $1_r)
	')

	# Run pppd in pppd_t by default for user
	optional_policy(`
		ppp_run_cond($1_t, $1_r)
	')
')
1309
1310 #######################################
1311 ## <summary>
1312 ## The template for creating an administrative user.
1313 ## </summary>
1314 ## <desc>
1315 ## <p>
1316 ## This template creates a user domain, types, and
1317 ## rules for the user's tty, pty, home directories,
1318 ## tmp, and tmpfs files.
1319 ## </p>
1320 ## <p>
1321 ## The privileges given to administrative users are:
1322 ## <ul>
1323 ## <li>Raw disk access</li>
1324 ## <li>Set all sysctls</li>
1325 ## <li>All kernel ring buffer controls</li>
1326 ## <li>Create, read, write, and delete all files but shadow</li>
1327 ## <li>Manage source and binary format SELinux policy</li>
1328 ## <li>Run insmod</li>
1329 ## </ul>
1330 ## </p>
1331 ## </desc>
1332 ## <param name="userdomain_prefix">
1333 ## <summary>
1334 ## The prefix of the user domain (e.g., sysadm
1335 ## is the prefix for sysadm_t).
1336 ## </summary>
1337 ## </param>
1338 #
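template(`userdom_admin_user_template',`
	gen_require(`
		attribute admindomain;
		class passwd { passwd chfn chsh rootok crontab };
	')

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_login_user_template($1)
	userdom_common_user_template($1)

	# Administrators may create objects under another user identity
	# and may run in the system role.
	domain_obj_id_change_exemption($1_t)
	role system_r types $1_t;

	typeattribute $1_t admindomain;

	ifdef(`direct_sysadm_daemon',`
		domain_system_change_exemption($1_t)
	')

	##############################
	#
	# $1_t local policy
	#

	# Every capability except module loading and audit control; module
	# loading goes through the modutils domains in the optional block below.
	allow $1_t self:capability ~{ sys_module audit_control audit_write };
	allow $1_t self:capability2 syslog;
	allow $1_t self:process { setexec setfscreate };
	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
	allow $1_t self:tun_socket create;
	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };
	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctls($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	kernel_signal($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_rw_tun_tap_dev($1_t)

	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)
	# for lsof
	dev_getattr_mtrr_dev($1_t)
	# Allow MAKEDEV to work
	dev_create_all_blk_files($1_t)
	dev_create_all_chr_files($1_t)
	dev_delete_all_blk_files($1_t)
	dev_delete_all_chr_files($1_t)
	dev_rename_all_blk_files($1_t)
	dev_rename_all_chr_files($1_t)
	dev_create_generic_symlinks($1_t)
	dev_rw_generic_usb_dev($1_t)
	dev_rw_usbfs($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	domain_getattr_all_domains($1_t)
	domain_getcap_all_domains($1_t)
	domain_dontaudit_ptrace_all_domains($1_t)
	# signal all domains (the duplicate sigstop call was removed):
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)
	domain_dontaudit_getattr_all_sockets($1_t)

	files_exec_usr_src_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_getattr_all_files($1_t)
	fs_list_all($1_t)
	fs_set_all_quotas($1_t)
	fs_exec_noxattr($1_t)

	# Raw access is limited to removable media; raw reads of fixed disks
	# are only silenced, not granted.
	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)
	storage_dontaudit_read_fixed_disk($1_t)

	term_use_all_inherited_terms($1_t)
	term_use_unallocated_ttys($1_t)

	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	init_telinit($1_t)

	logging_send_syslog_msg($1_t)

	optional_policy(`
		modutils_domtrans_insmod($1_t)
		modutils_domtrans_depmod($1_t)
	')

	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_policy($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_bin_policy($1_t)

	systemd_config_all_services($1_t)

	# Full management of generic home content, with new objects created in
	# the home directory labeled as home content.
	userdom_manage_user_home_content_dirs($1_t)
	userdom_manage_user_home_content_files($1_t)
	userdom_manage_user_home_content_symlinks($1_t)
	userdom_manage_user_home_content_pipes($1_t)
	userdom_manage_user_home_content_sockets($1_t)
	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })

	# Filesystems without xattr labels are read-only unless the boolean is set.
	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files($1_t)
		fs_manage_noxattr_fs_dirs($1_t)
	',`
		fs_read_noxattr_fs_files($1_t)
	')

	optional_policy(`
		postgresql_unconfined($1_t)
	')

	optional_policy(`
		userhelper_exec($1_t)
	')
')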
1494
1495 ########################################
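## <summary>
##	Grant a domain and role the privileges of a security
##	administrator (secadm).
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to set the SELinux enforcing mode,
##	booleans and other parameters, manage the policy module store
##	and the contexts configuration, run the policy tools (checkpolicy,
##	load_policy, semanage, setsebool, setfiles) in the specified role,
##	relabel all files including shadow and all device nodes, read and
##	move files across MLS levels, and read the audit log and
##	audit configuration.
##	</p>
##	<p>
##	This is a templated interface, and should only
##	be called from a per-userdomain template.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
template(`userdom_security_admin_template',`
	# NOTE(review): dac_override and dac_read_search bypass DAC checks;
	# presumably needed for the relabel and policy-file management below
	# on files owned by other users - TODO confirm.
	allow $1 self:capability { dac_read_search dac_override };

	corecmd_exec_shell($1)

	domain_obj_id_change_exemption($1)

	dev_relabel_all_dev_nodes($1)

	files_create_boot_flag($1)
	files_create_default_dir($1)
	files_root_filetrans_default($1, dir)

	# Necessary for managing /boot/efi
	fs_manage_dos_files($1)

	# MLS: read up, read files at every level, and move files between levels.
	mls_process_read_up($1)
	mls_file_read_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	selinux_set_enforce_mode($1)
	selinux_set_all_booleans($1)
	selinux_set_parameters($1)
	selinux_read_policy($1)

	# Unlike userdom_admin_user_template, shadow is included here.
	auth_relabel_all_files_except_shadow($1)
	auth_relabel_shadow($1)

	init_exec($1)

	logging_send_syslog_msg($1)
	logging_read_audit_log($1)
	logging_read_generic_logs($1)
	logging_read_audit_config($1)

	# Policy store and contexts management, and the policy tools run in
	# the given role. This block appeared twice; the duplicate was dropped.
	seutil_manage_bin_policy($1)
	seutil_manage_default_contexts($1)
	seutil_manage_file_contexts($1)
	seutil_manage_module_store($1)
	seutil_manage_config($1)
	seutil_run_checkpolicy($1, $2)
	seutil_run_loadpolicy($1, $2)
	seutil_run_semanage($1, $2)
	seutil_run_setsebool($1, $2)
	seutil_run_setfiles($1, $2)

	optional_policy(`
		aide_run($1, $2)
	')

	optional_policy(`
		consoletype_exec($1)
	')

	optional_policy(`
		dmesg_exec($1)
	')

	optional_policy(`
		ipsec_run_setkey($1, $2)
	')

	optional_policy(`
		netlabel_run_mgmt($1, $2)
	')

	optional_policy(`
		samhain_run($1, $2)
	')
')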
1598
1599 ########################################
1600 ## <summary>
1601 ## Make the specified type usable in a
1602 ## user home directory.
1603 ## </summary>
1604 ## <param name="type">
1605 ## <summary>
1606 ## Type to be used as a file in the
1607 ## user home directory.
1608 ## </summary>
1609 ## </param>
1610 #
interface(`userdom_user_home_content',`
	gen_require(`
		type user_home_t;
		attribute user_home_type;
	')

	# Register the type as home content, then give it the usual
	# file-type, polyinstantiation and UBAC treatment.
	typeattribute $1 user_home_type;
	files_type($1)
	files_poly_member($1)
	ubac_constrained($1)

	# Content of this type may live on the user home filesystem.
	allow $1 user_home_t:filesystem associate;
')
1624
1625 ########################################
1626 ## <summary>
1627 ## Make the specified type usable in a
1628 ## generic temporary directory.
1629 ## </summary>
1630 ## <param name="type">
1631 ## <summary>
1632 ## Type to be used as a file in the
1633 ## generic temporary directory.
1634 ## </summary>
1635 ## </param>
1636 #
interface(`userdom_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# A generic tmp file type under UBAC, tagged as user tmp content.
	files_tmp_file($1)
	ubac_constrained($1)
	typeattribute $1 user_tmp_type;
')
1647
1648 ########################################
## <summary>
##	Make the specified type usable in a
##	generic tmpfs_t directory.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a file in the
##	generic tmpfs_t directory.
##	</summary>
## </param>
#
interface(`userdom_user_tmpfs_content',`
	gen_require(`
		attribute user_tmpfs_type;
	')

	# A generic tmpfs file type under UBAC, tagged as user tmpfs content.
	files_tmpfs_file($1)
	ubac_constrained($1)
	typeattribute $1 user_tmpfs_type;
')
1670
1671 ########################################
1672 ## <summary>
1673 ## Allow domain to attach to TUN devices created by administrative users.
1674 ## </summary>
1675 ## <param name="domain">
1676 ## <summary>
1677 ## Domain allowed access.
1678 ## </summary>
1679 ## </param>
1680 #
interface(`userdom_attach_admin_tun_iface',`
	gen_require(`
		attribute admindomain;
	')

	# Take over a tun socket labeled with an admin domain: relabel it
	# to the own domain (to) from the admin domain (from).
	allow $1 self:tun_socket relabelto;
	allow $1 admindomain:tun_socket relabelfrom;
')
1689
1690 ########################################
1691 ## <summary>
1692 ## Set the attributes of a user pty.
1693 ## </summary>
1694 ## <param name="domain">
1695 ## <summary>
1696 ## Domain allowed access.
1697 ## </summary>
1698 ## </param>
1699 #
interface(`userdom_setattr_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Attribute changes only; reading or writing the pty is not granted here.
	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
')
1707
1708 ########################################
1709 ## <summary>
1710 ## Create a user pty.
1711 ## </summary>
1712 ## <param name="domain">
1713 ## <summary>
1714 ## Domain allowed access.
1715 ## </summary>
1716 ## </param>
1717 #
interface(`userdom_create_user_pty',`
	gen_require(`
		type user_devpts_t;
	')

	# New ptys opened by the domain get the user pty type.
	term_create_pty($1, user_devpts_t)
')
1725
1726 ########################################
1727 ## <summary>
1728 ## Get the attributes of user home directories.
1729 ## </summary>
1730 ## <param name="domain">
1731 ## <summary>
1732 ## Domain allowed access.
1733 ## </summary>
1734 ## </param>
1735 #
interface(`userdom_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Reach the home root, then stat the home directories under it.
	files_search_home($1)
	allow $1 user_home_dir_t:dir getattr_dir_perms;
')
1744
1745 ########################################
1746 ## <summary>
1747 ## Do not audit attempts to get the attributes of user home directories.
1748 ## </summary>
1749 ## <param name="domain">
1750 ## <summary>
1751 ## Domain to not audit.
1752 ## </summary>
1753 ## </param>
1754 #
interface(`userdom_dontaudit_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Silence (but do not permit) stat of user home directories.
	dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
')
1762
1763 ########################################
1764 ## <summary>
1765 ## Search user home directories.
1766 ## </summary>
1767 ## <param name="domain">
1768 ## <summary>
1769 ## Domain allowed access.
1770 ## </summary>
1771 ## </param>
1772 #
interface(`userdom_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Path traversal through the home root and the home directories,
	# following symlinks that are labeled as home directories.
	files_search_home($1)
	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
	allow $1 user_home_dir_t:dir search_dir_perms;
')
1782
1783 ########################################
1784 ## <summary>
1785 ## Do not audit attempts to search user home directories.
1786 ## </summary>
1787 ## <desc>
1788 ## <p>
1789 ## Do not audit attempts to search user home directories.
1790 ## This will suppress SELinux denial messages when the specified
1791 ## domain is denied the permission to search these directories.
1792 ## </p>
1793 ## </desc>
1794 ## <param name="domain">
1795 ## <summary>
1796 ## Domain to not audit.
1797 ## </summary>
1798 ## </param>
1799 ## <infoflow type="none"/>
1800 #
interface(`userdom_dontaudit_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Silence (but do not permit) traversal of user home directories.
	dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
1808
1809 ########################################
1810 ## <summary>
1811 ## List user home directories.
1812 ## </summary>
1813 ## <param name="domain">
1814 ## <summary>
1815 ## Domain allowed access.
1816 ## </summary>
1817 ## </param>
1818 #
interface(`userdom_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir list_dir_perms;

	# Home directories on Samba or NFS shares need the matching
	# filesystem access, each gated by its boolean.
	tunable_policy(`use_samba_home_dirs',`
		fs_list_cifs($1)
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_list_nfs($1)
	')
')
1835
1836 ########################################
1837 ## <summary>
1838 ## Do not audit attempts to list user home subdirectories.
1839 ## </summary>
1840 ## <param name="domain">
1841 ## <summary>
1842 ## Domain to not audit.
1843 ## </summary>
1844 ## </param>
1845 #
interface(`userdom_dontaudit_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
		type user_home_t;
	')

	# Cover both the home directory itself and its content directories.
	dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms;
')
1855
1856 ########################################
1857 ## <summary>
1858 ## Create user home directories.
1859 ## </summary>
1860 ## <param name="domain">
1861 ## <summary>
1862 ## Domain allowed access.
1863 ## </summary>
1864 ## </param>
1865 #
interface(`userdom_create_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Creation only; no search of the home root is added here, so
	# callers needing traversal must request it separately.
	allow $1 user_home_dir_t:dir create_dir_perms;
')
1873
1874 ########################################
## <summary>
##	Create, read, write, and delete user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Full directory management of the home directories themselves,
	# not of the content inside them.
	allow $1 user_home_dir_t:dir manage_dir_perms;
')
1891
1892 ########################################
1893 ## <summary>
1894 ## Relabel to user home directories.
1895 ## </summary>
1896 ## <param name="domain">
1897 ## <summary>
1898 ## Domain allowed access.
1899 ## </summary>
1900 ## </param>
1901 #
interface(`userdom_relabelto_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# One direction only: directories may be labeled as home directories,
	# but not relabeled away from that type.
	allow $1 user_home_dir_t:dir relabelto;
')
1909
1910
1911 ########################################
1912 ## <summary>
1913 ## Relabel to user home files.
1914 ## </summary>
1915 ## <param name="domain">
1916 ## <summary>
1917 ## Domain allowed access.
1918 ## </summary>
1919 ## </param>
1920 #
interface(`userdom_relabelto_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# One direction only: files may be labeled as home content,
	# but not relabeled away from that type.
	allow $1 user_home_t:file relabelto;
')
1928 ########################################
1929 ## <summary>
1930 ## Relabel user home files.
1931 ## </summary>
1932 ## <param name="domain">
1933 ## <summary>
1934 ## Domain allowed access.
1935 ## </summary>
1936 ## </param>
1937 #
interface(`userdom_relabel_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# Both directions (from and to) on user home files.
	allow $1 user_home_t:file relabel_file_perms;
')
1945
1946 ########################################
1947 ## <summary>
1948 ## Create directories in the home dir root with
1949 ## the user home directory type.
1950 ## </summary>
1951 ## <param name="domain">
1952 ## <summary>
1953 ## Domain allowed access.
1954 ## </summary>
1955 ## </param>
1956 #
interface(`userdom_home_filetrans_user_home_dir',`
	gen_require(`
		type user_home_dir_t;
	')

	# Directories created in the home root get the home directory type.
	files_home_filetrans($1, user_home_dir_t, dir)
')
1964
1965 ########################################
1966 ## <summary>
1967 ## Do a domain transition to the specified
1968 ## domain when executing a program in the
1969 ## user home directory.
1970 ## </summary>
1971 ## <desc>
1972 ## <p>
1973 ## Do a domain transition to the specified
1974 ## domain when executing a program in the
1975 ## user home directory.
1976 ## </p>
1977 ## <p>
1978 ## No interprocess communication (signals, pipes,
1979 ## etc.) is provided by this interface since
1980 ## the domains are not owned by this module.
1981 ## </p>
1982 ## </desc>
1983 ## <param name="source_domain">
1984 ## <summary>
1985 ## Domain allowed to transition.
1986 ## </summary>
1987 ## </param>
1988 ## <param name="target_domain">
1989 ## <summary>
1990 ## Domain to transition to.
1991 ## </summary>
1992 ## </param>
1993 #
interface(`userdom_user_home_domtrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Reach the program: home root, then the home directory.
	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;

	# Executing home content moves the process into the target domain.
	domain_auto_trans($1, user_home_t, $2)
')
2003
2004 ########################################
2005 ## <summary>
2006 ## Do not audit attempts to search user home content directories.
2007 ## </summary>
2008 ## <param name="domain">
2009 ## <summary>
2010 ## Domain to not audit.
2011 ## </summary>
2012 ## </param>
2013 #
interface(`userdom_dontaudit_search_user_home_content',`
	gen_require(`
		type user_home_t;
	')

	# Silence listing of home content on network filesystems as well
	# as traversal of local home content directories.
	fs_dontaudit_list_cifs($1)
	fs_dontaudit_list_nfs($1)
	dontaudit $1 user_home_t:dir search_dir_perms;
')
2023
2024 ########################################
2025 ## <summary>
2026 ## List the contents of user home directories.
2027 ## </summary>
2028 ## <param name="domain">
2029 ## <summary>
2030 ## Domain allowed access.
2031 ## </summary>
2032 ## </param>
2033 #
interface(`userdom_list_user_home_content',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	# List the home directory and every home content directory type,
	# plus the home root that leads to them.
	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
	files_list_home($1)
')
2043
2044 ########################################
2045 ## <summary>
2046 ## Create, read, write, and delete directories
2047 ## in a user home subdirectory.
2048 ## </summary>
2049 ## <param name="domain">
2050 ## <summary>
2051 ## Domain allowed access.
2052 ## </summary>
2053 ## </param>
2054 #
interface(`userdom_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Manage content directories whether they sit directly in the home
	# directory or inside other content directories.
	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
')
2063
2064 ########################################
2065 ## <summary>
2066 ## Delete directories in a user home subdirectory.
2067 ## </summary>
2068 ## <param name="domain">
2069 ## <summary>
2070 ## Domain allowed access.
2071 ## </summary>
2072 ## </param>
2073 #
interface(`userdom_delete_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Deletion only; listing or creating content directories is not granted here.
	allow $1 user_home_t:dir delete_dir_perms;
')
2081
2082 ########################################
2083 ## <summary>
2084 ## Delete all directories in a user home subdirectory.
2085 ## </summary>
2086 ## <param name="domain">
2087 ## <summary>
2088 ## Domain allowed access.
2089 ## </summary>
2090 ## </param>
2091 #
interface(`userdom_delete_all_user_home_content_dirs',`
	gen_require(`
		attribute user_home_type;
	')

	# Deletion of directories of every home content type, not just user_home_t.
	allow $1 user_home_type:dir delete_dir_perms;
')
2099
2100 ########################################
2101 ## <summary>
2102 ## Set the attributes of user home files.
2103 ## </summary>
2104 ## <param name="domain">
2105 ## <summary>
2106 ## Domain allowed access.
2107 ## </summary>
2108 ## </param>
2109 ## <rolecap/>
2110 #
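interface(`userdom_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Use the shared permission set, as the dontaudit counterpart of this
	# interface does, rather than the bare setattr permission.
	allow $1 user_home_t:file setattr_file_perms;
')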
2118
2119 ########################################
2120 ## <summary>
2121 ## Do not audit attempts to set the
2122 ## attributes of user home files.
2123 ## </summary>
2124 ## <param name="domain">
2125 ## <summary>
2126 ## Domain to not audit.
2127 ## </summary>
2128 ## </param>
2129 #
interface(`userdom_dontaudit_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence (but do not permit) attribute changes on home content files.
	dontaudit $1 user_home_t:file setattr_file_perms;
')
2137
2138 ########################################
2139 ## <summary>
2140 ## Set the attributes of all user home directories.
2141 ## </summary>
2142 ## <param name="domain">
2143 ## <summary>
2144 ## Domain allowed access.
2145 ## </summary>
2146 ## </param>
2147 ## <rolecap/>
2148 #
interface(`userdom_setattr_all_user_home_content_dirs',`
	gen_require(`
		attribute user_home_type;
	')

	# Attribute changes on directories of every home content type.
	allow $1 user_home_type:dir setattr_dir_perms;
')
2156
2157 ########################################
2158 ## <summary>
2159 ## Mmap user home files.
2160 ## </summary>
2161 ## <param name="domain">
2162 ## <summary>
2163 ## Domain allowed access.
2164 ## </summary>
2165 ## </param>
2166 #
interface(`userdom_mmap_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Map home content files found in the home directory or in content directories.
	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
')
2175
2176 ########################################
2177 ## <summary>
2178 ## Read user home files.
2179 ## </summary>
2180 ## <param name="domain">
2181 ## <summary>
2182 ## Domain allowed access.
2183 ## </summary>
2184 ## </param>
2185 #
interface(`userdom_read_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Read content files through the home directory or content directories.
	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	# Both the home directory and content directories may be listed.
	list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
')
2195
2196 ########################################
2197 ## <summary>
2198 ## Do not audit attempts to getattr user home files.
2199 ## </summary>
2200 ## <param name="domain">
2201 ## <summary>
2202 ## Domain to not audit.
2203 ## </summary>
2204 ## </param>
2205 #
interface(`userdom_dontaudit_getattr_user_home_content',`
	gen_require(`
		attribute user_home_type;
	')

	# Silence stat of directories and files of every home content type.
	dontaudit $1 user_home_type:{ dir file } getattr;
')
2214
2215 ########################################
2216 ## <summary>
2217 ## Do not audit attempts to read user home files.
2218 ## </summary>
2219 ## <param name="domain">
2220 ## <summary>
2221 ## Domain to not audit.
2222 ## </summary>
2223 ## </param>
2224 #
interface(`userdom_dontaudit_read_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
		type user_home_dir_t;
	')

	# Silence listing of the home directory and of content directories,
	# and reading of content files and symlinks.
	dontaudit $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
	dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
	dontaudit $1 user_home_type:file read_file_perms;
')
2236
2237 ########################################
2238 ## <summary>
2239 ## Do not audit attempts to append user home files.
2240 ## </summary>
2241 ## <param name="domain">
2242 ## <summary>
2243 ## Domain to not audit.
2244 ## </summary>
2245 ## </param>
2246 #
interface(`userdom_dontaudit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence (but do not permit) appends to home content files.
	dontaudit $1 user_home_t:file append_file_perms;
')
2254
2255 ########################################
2256 ## <summary>
2257 ## Do not audit attempts to write user home files.
2258 ## </summary>
2259 ## <param name="domain">
2260 ## <summary>
2261 ## Domain to not audit.
2262 ## </summary>
2263 ## </param>
2264 #
interface(`userdom_dontaudit_write_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence (but do not permit) writes to home content files.
	dontaudit $1 user_home_t:file write_file_perms;
')
2272
2273 ########################################
2274 ## <summary>
2275 ## Delete files in a user home subdirectory.
2276 ## </summary>
2277 ## <param name="domain">
2278 ## <summary>
2279 ## Domain allowed access.
2280 ## </summary>
2281 ## </param>
2282 #
interface(`userdom_delete_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Deletion only; reading or writing the files is not granted here.
	allow $1 user_home_t:file delete_file_perms;
')
2290
2291 ########################################
2292 ## <summary>
2293 ## Delete all files in a user home subdirectory.
2294 ## </summary>
2295 ## <param name="domain">
2296 ## <summary>
2297 ## Domain allowed access.
2298 ## </summary>
2299 ## </param>
2300 #
interface(`userdom_delete_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Deletion of files of every home content type, not just user_home_t.
	allow $1 user_home_type:file delete_file_perms;
')
2308
2309 ########################################
2310 ## <summary>
2311 ## Delete sock files in a user home subdirectory.
2312 ## </summary>
2313 ## <param name="domain">
2314 ## <summary>
2315 ## Domain allowed access.
2316 ## </summary>
2317 ## </param>
2318 #
interface(`userdom_delete_user_home_content_sock_files',`
	gen_require(`
		type user_home_t;
	')

	# Deletion only of unix sockets in home content.
	allow $1 user_home_t:sock_file delete_file_perms;
')
2326
2327 ########################################
2328 ## <summary>
2329 ## Delete all sock files in a user home subdirectory.
2330 ## </summary>
2331 ## <param name="domain">
2332 ## <summary>
2333 ## Domain allowed access.
2334 ## </summary>
2335 ## </param>
2336 #
interface(`userdom_delete_all_user_home_content_sock_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Deletion of unix sockets of every home content type, not just user_home_t.
	allow $1 user_home_type:sock_file delete_file_perms;
')
2344
2345 ########################################
2346 ## <summary>
2347 ## Do not audit attempts to relabel user home files.
2348 ## </summary>
2349 ## <param name="domain">
2350 ## <summary>
2351 ## Domain to not audit.
2352 ## </summary>
2353 ## </param>
2354 #
2355 interface(`userdom_dontaudit_relabel_user_home_content_files',`
2356 gen_require(`
2357 type user_home_t;
2358 ')
2359
# Suppress AVC denial messages for $1 attempting relabel_file_perms on
# user_home_t files. Note the rule is about relabeling, not writing, in
# case the surrounding header summary suggests otherwise.
2360 dontaudit $1 user_home_t:file relabel_file_perms;
2361 ')
2362
2363 ########################################
2364 ## <summary>
2365 ## Read user home subdirectory symbolic links.
2366 ## </summary>
2367 ## <param name="domain">
2368 ## <summary>
2369 ## Domain allowed access.
2370 ## </summary>
2371 ## </param>
2372 #
2373 interface(`userdom_read_user_home_content_symlinks',`
2374 gen_require(`
2375 type user_home_dir_t, user_home_t;
2376 ')
2377
# Grant $1 read_lnk_file_perms on symlinks labeled either user_home_dir_t
# (the home directory itself) or user_home_t (generic home content).
2378 allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
2379 ')
2380
2381 ########################################
2382 ## <summary>
2383 ## Execute user home files.
2384 ## </summary>
2385 ## <param name="domain">
2386 ## <summary>
2387 ## Domain allowed access.
2388 ## </summary>
2389 ## </param>
2390 ## <rolecap/>
2391 #
2392 interface(`userdom_exec_user_home_content_files',`
2393 gen_require(`
2394 type user_home_dir_t;
2395 attribute user_home_type;
2396 ')
2397
# Search access to the /home parent, then execute access to files of
# any user_home_type type reached through user_home_dir_t or
# user_home_type directories. Letting a domain execute arbitrary files
# from home directories is a broad grant; keep the set of callers narrow.
2398 files_search_home($1)
2399 exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
# Silence the common noise of execute attempts on named sockets.
2400 dontaudit $1 user_home_type:sock_file execute;
2401 ')
2402
2403 ########################################
2404 ## <summary>
2405 ## Do not audit attempts to execute user home files.
2406 ## </summary>
2407 ## <param name="domain">
2408 ## <summary>
2409 ## Domain to not audit.
2410 ## </summary>
2411 ## </param>
2412 #
2413 interface(`userdom_dontaudit_exec_user_home_content_files',`
2414 gen_require(`
2415 type user_home_t;
2416 ')
2417
# Suppress AVC denial messages for $1 attempting exec_file_perms on
# user_home_t files; execution is still denied.
2418 dontaudit $1 user_home_t:file exec_file_perms;
2419 ')
2420
2421 ########################################
2422 ## <summary>
2423 ## Create, read, write, and delete files
2424 ## in a user home subdirectory.
2425 ## </summary>
2426 ## <param name="domain">
2427 ## <summary>
2428 ## Domain allowed access.
2429 ## </summary>
2430 ## </param>
2431 #
2432 interface(`userdom_manage_user_home_content_files',`
2433 gen_require(`
2434 type user_home_dir_t, user_home_t;
2435 ')
2436
# Full create/read/write/delete on user_home_t files in user_home_t
# directories, plus the search access needed to reach them: through the
# user_home_dir_t home directory and (via files_search_home) /home.
2437 manage_files_pattern($1, user_home_t, user_home_t)
2438 allow $1 user_home_dir_t:dir search_dir_perms;
2439 files_search_home($1)
2440 ')
2441
2442 ########################################
2443 ## <summary>
2444 ## Do not audit attempts to create, read, write, and delete directories
2445 ## in a user home subdirectory.
2446 ## </summary>
2447 ## <param name="domain">
2448 ## <summary>
2449 ## Domain to not audit.
2450 ## </summary>
2451 ## </param>
2452 #
2453 interface(`userdom_dontaudit_manage_user_home_content_dirs',`
2454 gen_require(`
# NOTE(review): user_home_dir_t is required here but not used by any
# rule in this interface; only user_home_t is referenced.
2455 type user_home_dir_t, user_home_t;
2456 ')
2457
# Suppress AVC denial messages for $1 attempting manage_dir_perms on
# user_home_t directories. Nothing is allowed by this interface.
2458 dontaudit $1 user_home_t:dir manage_dir_perms;
2459 ')
2460
2461 ########################################
2462 ## <summary>
2463 ## Create, read, write, and delete symbolic links
2464 ## in a user home subdirectory.
2465 ## </summary>
2466 ## <param name="domain">
2467 ## <summary>
2468 ## Domain allowed access.
2469 ## </summary>
2470 ## </param>
2471 #
2472 interface(`userdom_manage_user_home_content_symlinks',`
2473 gen_require(`
2474 type user_home_dir_t, user_home_t;
2475 ')
2476
# Create/read/write/delete user_home_t symlinks in user_home_t
# directories, with search access through user_home_dir_t and /home.
2477 manage_lnk_files_pattern($1, user_home_t, user_home_t)
2478 allow $1 user_home_dir_t:dir search_dir_perms;
2479 files_search_home($1)
2480 ')
2481
2482 ########################################
2483 ## <summary>
2484 ## Delete symbolic links in a user home directory.
2485 ## </summary>
2486 ## <param name="domain">
2487 ## <summary>
2488 ## Domain allowed access.
2489 ## </summary>
2490 ## </param>
2491 #
2492 interface(`userdom_delete_user_home_content_symlinks',`
2493 gen_require(`
2494 type user_home_t;
2495 ')
2496
# Grant $1 delete_lnk_file_perms on user_home_t symlinks only; no
# directory access is added here.
2497 allow $1 user_home_t:lnk_file delete_lnk_file_perms;
2498 ')
2499
2500 ########################################
2501 ## <summary>
2502 ## Delete all symbolic links in a user home directory.
2503 ## </summary>
2504 ## <param name="domain">
2505 ## <summary>
2506 ## Domain allowed access.
2507 ## </summary>
2508 ## </param>
2509 #
2510 interface(`userdom_delete_all_user_home_content_symlinks',`
2511 gen_require(`
2512 attribute user_home_type;
2513 ')
2514
# Grant $1 delete_lnk_file_perms on symlinks of every user_home_type
# type, not only user_home_t.
2515 allow $1 user_home_type:lnk_file delete_lnk_file_perms;
2516 ')
2517
2518 ########################################
2519 ## <summary>
2520 ## Create, read, write, and delete named pipes
2521 ## in a user home subdirectory.
2522 ## </summary>
2523 ## <param name="domain">
2524 ## <summary>
2525 ## Domain allowed access.
2526 ## </summary>
2527 ## </param>
2528 #
2529 interface(`userdom_manage_user_home_content_pipes',`
2530 gen_require(`
2531 type user_home_dir_t, user_home_t;
2532 ')
2533
# Create/read/write/delete user_home_t named pipes (fifo_file) in
# user_home_t directories, with search access through user_home_dir_t
# and /home.
2534 manage_fifo_files_pattern($1, user_home_t, user_home_t)
2535 allow $1 user_home_dir_t:dir search_dir_perms;
2536 files_search_home($1)
2537 ')
2538
2539 ########################################
2540 ## <summary>
2541 ## Create, read, write, and delete named sockets
2542 ## in a user home subdirectory.
2543 ## </summary>
2544 ## <param name="domain">
2545 ## <summary>
2546 ## Domain allowed access.
2547 ## </summary>
2548 ## </param>
2549 #
2550 interface(`userdom_manage_user_home_content_sockets',`
2551 gen_require(`
2552 type user_home_dir_t, user_home_t;
2553 ')
2554
# Create/read/write/delete user_home_t named sockets (sock_file) in
# user_home_t directories, with search access through user_home_dir_t
# and /home. Same shape as the pipes and symlinks variants above.
2555 allow $1 user_home_dir_t:dir search_dir_perms;
2556 manage_sock_files_pattern($1, user_home_t, user_home_t)
2557 files_search_home($1)
2558 ')
2559
2560 ########################################
2561 ## <summary>
2562 ## Create objects in a user home directory
2563 ## with an automatic type transition to
2564 ## a specified private type.
2565 ## </summary>
2566 ## <param name="domain">
2567 ## <summary>
2568 ## Domain allowed access.
2569 ## </summary>
2570 ## </param>
2571 ## <param name="private_type">
2572 ## <summary>
2573 ## The type of the object to create.
2574 ## </summary>
2575 ## </param>
2576 ## <param name="object_class">
2577 ## <summary>
2578 ## The class of the object to be created.
2579 ## </summary>
2580 ## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created (optional).
## </summary>
## </param>
2581 #
2582 interface(`userdom_user_home_dir_filetrans',`
2583 gen_require(`
2584 type user_home_dir_t;
2585 ')
2586
# Objects of class $3 that $1 creates directly in a user_home_dir_t
# directory are labeled $2 instead of inheriting the parent label.
# $4 is passed through as the fourth filetrans_pattern argument
# (presumably the optional object name for a named transition); it is
# not documented in the header above.
2587 filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
2588 files_search_home($1)
2589 ')
2590
2591 ########################################
2592 ## <summary>
2593 ## Create objects in a user home directory
2594 ## with an automatic type transition to
2595 ## a specified private type.
2596 ## </summary>
2597 ## <param name="domain">
2598 ## <summary>
2599 ## Domain allowed access.
2600 ## </summary>
2601 ## </param>
2602 ## <param name="private_type">
2603 ## <summary>
2604 ## The type of the object to create.
2605 ## </summary>
2606 ## </param>
2607 ## <param name="object_class">
2608 ## <summary>
2609 ## The class of the object to be created.
2610 ## </summary>
2611 ## </param>
2612 #
2613 interface(`userdom_user_home_content_filetrans',`
2614 gen_require(`
2615 type user_home_dir_t, user_home_t;
2616 ')
2617
# Objects of class $3 that $1 creates inside user_home_t directories
# (subdirectories of the home directory, not the home directory itself)
# are labeled $2. Search access through user_home_dir_t and /home is
# added so the target directories are reachable.
2618 filetrans_pattern($1, user_home_t, $2, $3)
2619 allow $1 user_home_dir_t:dir search_dir_perms;
2620 files_search_home($1)
2621 ')
2622
2623 ########################################
2624 ## <summary>
2625 ## Create objects in a user home directory
2626 ## with an automatic type transition to
2627 ## the user home file type.
2628 ## </summary>
2629 ## <param name="domain">
2630 ## <summary>
2631 ## Domain allowed access.
2632 ## </summary>
2633 ## </param>
2634 ## <param name="object_class">
2635 ## <summary>
2636 ## The class of the object to be created.
2637 ## </summary>
2638 ## </param>
2639 #
2640 interface(`userdom_user_home_dir_filetrans_user_home_content',`
2641 gen_require(`
2642 type user_home_dir_t, user_home_t;
2643 ')
2644
# Objects of class $2 that $1 creates in a user_home_dir_t directory are
# labeled user_home_t, the generic home content type.
2645 filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
2646 files_search_home($1)
2647 ')
2648
2649 ########################################
2650 ## <summary>
2651 ## Write to user temporary named sockets.
2652 ## </summary>
2653 ## <param name="domain">
2654 ## <summary>
2655 ## Domain allowed access.
2656 ## </summary>
2657 ## </param>
2658 #
2659 interface(`userdom_write_user_tmp_sockets',`
2660 gen_require(`
2661 type user_tmp_t;
2662 ')
2663
# Grant $1 write_sock_file_perms on user_tmp_t named sockets, with
# search access to /tmp so the socket path can be reached.
2664 allow $1 user_tmp_t:sock_file write_sock_file_perms;
2665 files_search_tmp($1)
2666 ')
2667
2668 ########################################
2669 ## <summary>
2670 ## List user temporary directories.
2671 ## </summary>
2672 ## <param name="domain">
2673 ## <summary>
2674 ## Domain allowed access.
2675 ## </summary>
2676 ## </param>
2677 #
2678 interface(`userdom_list_user_tmp',`
2679 gen_require(`
2680 type user_tmp_t;
2681 ')
2682
# Grant $1 list_dir_perms on user_tmp_t directories plus search access
# to /tmp.
2683 allow $1 user_tmp_t:dir list_dir_perms;
2684 files_search_tmp($1)
2685 ')
2686
2687 ########################################
2688 ## <summary>
2689 ## Do not audit attempts to list user
2690 ## temporary directories.
2691 ## </summary>
2692 ## <param name="domain">
2693 ## <summary>
2694 ## Domain to not audit.
2695 ## </summary>
2696 ## </param>
2697 #
2698 interface(`userdom_dontaudit_list_user_tmp',`
2699 gen_require(`
2700 type user_tmp_t;
2701 ')
2702
# Suppress AVC denial messages for $1 attempting list_dir_perms on
# user_tmp_t directories. Nothing is allowed.
2703 dontaudit $1 user_tmp_t:dir list_dir_perms;
2704 ')
2705
2706 ########################################
2707 ## <summary>
2708 ## Do not audit attempts to manage users
2709 ## temporary directories.
2710 ## </summary>
2711 ## <param name="domain">
2712 ## <summary>
2713 ## Domain to not audit.
2714 ## </summary>
2715 ## </param>
2716 #
2717 interface(`userdom_dontaudit_manage_user_tmp_dirs',`
2718 gen_require(`
2719 type user_tmp_t;
2720 ')
2721
# Suppress AVC denial messages for $1 attempting manage_dir_perms on
# user_tmp_t directories. Nothing is allowed.
2722 dontaudit $1 user_tmp_t:dir manage_dir_perms;
2723 ')
2724
2725 ########################################
2726 ## <summary>
2727 ## Read user temporary files.
2728 ## </summary>
2729 ## <param name="domain">
2730 ## <summary>
2731 ## Domain allowed access.
2732 ## </summary>
2733 ## </param>
2734 #
2735 interface(`userdom_read_user_tmp_files',`
2736 gen_require(`
2737 type user_tmp_t;
2738 ')
2739
# Read user_tmp_t files located in user_tmp_t directories, list those
# directories, and search /tmp to reach them.
2740 read_files_pattern($1, user_tmp_t, user_tmp_t)
2741 allow $1 user_tmp_t:dir list_dir_perms;
2742 files_search_tmp($1)
2743 ')
2744
2745 ########################################
2746 ## <summary>
2747 ## Do not audit attempts to read users
2748 ## temporary files.
2749 ## </summary>
2750 ## <param name="domain">
2751 ## <summary>
2752 ## Domain to not audit.
2753 ## </summary>
2754 ## </param>
2755 #
2756 interface(`userdom_dontaudit_read_user_tmp_files',`
2757 gen_require(`
2758 type user_tmp_t;
2759 ')
2760
# Suppress AVC denial messages for $1 reading user_tmp_t files through
# an inherited descriptor (read_inherited_file_perms, which does not
# cover opening the file). Nothing is allowed.
2761 dontaudit $1 user_tmp_t:file read_inherited_file_perms;
2762 ')
2763
2764 ########################################
2765 ## <summary>
2766 ## Do not audit attempts to append users
2767 ## temporary files.
2768 ## </summary>
2769 ## <param name="domain">
2770 ## <summary>
2771 ## Domain to not audit.
2772 ## </summary>
2773 ## </param>
2774 #
2775 interface(`userdom_dontaudit_append_user_tmp_files',`
2776 gen_require(`
2777 type user_tmp_t;
2778 ')
2779
# Suppress AVC denial messages for $1 attempting append_file_perms on
# user_tmp_t files. Nothing is allowed.
2780 dontaudit $1 user_tmp_t:file append_file_perms;
2781 ')
2782
2783 ########################################
2784 ## <summary>
2785 ## Read and write user temporary files.
2786 ## </summary>
2787 ## <param name="domain">
2788 ## <summary>
2789 ## Domain allowed access.
2790 ## </summary>
2791 ## </param>
2792 #
2793 interface(`userdom_rw_user_tmp_files',`
2794 gen_require(`
2795 type user_tmp_t;
2796 ')
2797
# Read and write (but not create or delete) user_tmp_t files in
# user_tmp_t directories, list those directories, and search /tmp.
2798 allow $1 user_tmp_t:dir list_dir_perms;
2799 rw_files_pattern($1, user_tmp_t, user_tmp_t)
2800 files_search_tmp($1)
2801 ')
2802
2803 ########################################
2804 ## <summary>
2805 ## Do not audit attempts to manage users
2806 ## temporary files.
2807 ## </summary>
2808 ## <param name="domain">
2809 ## <summary>
2810 ## Domain to not audit.
2811 ## </summary>
2812 ## </param>
2813 #
2814 interface(`userdom_dontaudit_manage_user_tmp_files',`
2815 gen_require(`
2816 type user_tmp_t;
2817 ')
2818
# Suppress AVC denial messages for $1 attempting manage_file_perms on
# user_tmp_t files. Nothing is allowed.
2819 dontaudit $1 user_tmp_t:file manage_file_perms;
2820 ')
2821
2822 ########################################
2823 ## <summary>
2824 ## Read user temporary symbolic links.
2825 ## </summary>
2826 ## <param name="domain">
2827 ## <summary>
2828 ## Domain allowed access.
2829 ## </summary>
2830 ## </param>
2831 #
2832 interface(`userdom_read_user_tmp_symlinks',`
2833 gen_require(`
2834 type user_tmp_t;
2835 ')
2836
# Read user_tmp_t symlinks in user_tmp_t directories, list those
# directories, and search /tmp.
2837 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2838 allow $1 user_tmp_t:dir list_dir_perms;
2839 files_search_tmp($1)
2840 ')
2841
2842 ########################################
2843 ## <summary>
2844 ## Create, read, write, and delete user
2845 ## temporary directories.
2846 ## </summary>
2847 ## <param name="domain">
2848 ## <summary>
2849 ## Domain allowed access.
2850 ## </summary>
2851 ## </param>
2852 #
2853 interface(`userdom_manage_user_tmp_dirs',`
2854 gen_require(`
2855 type user_tmp_t;
2856 ')
2857
# Create/read/write/delete user_tmp_t directories inside user_tmp_t
# directories, with search access to /tmp.
2858 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
2859 files_search_tmp($1)
2860 ')
2861
2862 ########################################
2863 ## <summary>
2864 ## Create, read, write, and delete user
2865 ## temporary files.
2866 ## </summary>
2867 ## <param name="domain">
2868 ## <summary>
2869 ## Domain allowed access.
2870 ## </summary>
2871 ## </param>
2872 #
2873 interface(`userdom_manage_user_tmp_files',`
2874 gen_require(`
2875 type user_tmp_t;
2876 ')
2877
# Create/read/write/delete user_tmp_t files inside user_tmp_t
# directories, with search access to /tmp.
2878 manage_files_pattern($1, user_tmp_t, user_tmp_t)
2879 files_search_tmp($1)
2880 ')
2881
2882 ########################################
2883 ## <summary>
2884 ## Create, read, write, and delete user
2885 ## temporary symbolic links.
2886 ## </summary>
2887 ## <param name="domain">
2888 ## <summary>
2889 ## Domain allowed access.
2890 ## </summary>
2891 ## </param>
2892 #
2893 interface(`userdom_manage_user_tmp_symlinks',`
2894 gen_require(`
2895 type user_tmp_t;
2896 ')
2897
# Create/read/write/delete user_tmp_t symlinks inside user_tmp_t
# directories, with search access to /tmp.
2898 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2899 files_search_tmp($1)
2900 ')
2901
2902 ########################################
2903 ## <summary>
2904 ## Create, read, write, and delete user
2905 ## temporary named pipes.
2906 ## </summary>
2907 ## <param name="domain">
2908 ## <summary>
2909 ## Domain allowed access.
2910 ## </summary>
2911 ## </param>
2912 #
2913 interface(`userdom_manage_user_tmp_pipes',`
2914 gen_require(`
2915 type user_tmp_t;
2916 ')
2917
# Create/read/write/delete user_tmp_t named pipes inside user_tmp_t
# directories, with search access to /tmp.
2918 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
2919 files_search_tmp($1)
2920 ')
2921
2922 ########################################
2923 ## <summary>
2924 ## Create, read, write, and delete user
2925 ## temporary named sockets.
2926 ## </summary>
2927 ## <param name="domain">
2928 ## <summary>
2929 ## Domain allowed access.
2930 ## </summary>
2931 ## </param>
2932 #
2933 interface(`userdom_manage_user_tmp_sockets',`
2934 gen_require(`
2935 type user_tmp_t;
2936 ')
2937
# Create/read/write/delete user_tmp_t named sockets inside user_tmp_t
# directories, with search access to /tmp.
2938 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
2939 files_search_tmp($1)
2940 ')
2941
2942 ########################################
2943 ## <summary>
2944 ## Create objects in a user temporary directory
2945 ## with an automatic type transition to
2946 ## a specified private type.
2947 ## </summary>
2948 ## <param name="domain">
2949 ## <summary>
2950 ## Domain allowed access.
2951 ## </summary>
2952 ## </param>
2953 ## <param name="private_type">
2954 ## <summary>
2955 ## The type of the object to create.
2956 ## </summary>
2957 ## </param>
2958 ## <param name="object_class">
2959 ## <summary>
2960 ## The class of the object to be created.
2961 ## </summary>
2962 ## </param>
2963 #
2964 interface(`userdom_user_tmp_filetrans',`
2965 gen_require(`
2966 type user_tmp_t;
2967 ')
2968
# Objects of class $3 that $1 creates inside user_tmp_t directories are
# labeled $2 instead of user_tmp_t. Search access to /tmp is added.
2969 filetrans_pattern($1, user_tmp_t, $2, $3)
2970 files_search_tmp($1)
2971 ')
2972
2973 ########################################
2974 ## <summary>
2975 ## Create objects in the temporary directory
2976 ## with an automatic type transition to
2977 ## the user temporary type.
2978 ## </summary>
2979 ## <param name="domain">
2980 ## <summary>
2981 ## Domain allowed access.
2982 ## </summary>
2983 ## </param>
2984 ## <param name="object_class">
2985 ## <summary>
2986 ## The class of the object to be created.
2987 ## </summary>
2988 ## </param>
2989 #
2990 interface(`userdom_tmp_filetrans_user_tmp',`
2991 gen_require(`
2992 type user_tmp_t;
2993 ')
2994
# Objects of class $2 that $1 creates in the generic /tmp directory are
# labeled user_tmp_t. Delegated entirely to files_tmp_filetrans.
2995 files_tmp_filetrans($1, user_tmp_t, $2)
2996 ')
2997
2998 ########################################
2999 ## <summary>
3000 ## Read user tmpfs files.
3001 ## </summary>
3002 ## <param name="domain">
3003 ## <summary>
3004 ## Domain allowed access.
3005 ## </summary>
3006 ## </param>
3007 #
3008 interface(`userdom_read_user_tmpfs_files',`
3009 gen_require(`
3010 type user_tmpfs_t;
3011 ')
3012
# Read user_tmpfs_t files and symlinks in user_tmpfs_t directories,
# list those directories, and search the tmpfs filesystem to reach them.
3013 read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3014 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3015 allow $1 user_tmpfs_t:dir list_dir_perms;
3016 fs_search_tmpfs($1)
3017 ')
3018
3019 ########################################
3020 ## <summary>
3021 ## Read/Write user tmpfs files.
3022 ## </summary>
3023 ## <param name="domain">
3024 ## <summary>
3025 ## Domain allowed access.
3026 ## </summary>
3027 ## </param>
3028 #
3029 interface(`userdom_rw_user_tmpfs_files',`
3030 gen_require(`
3031 type user_tmpfs_t;
3032 ')
3033
# Read and write (no create/delete) user_tmpfs_t files, read their
# symlinks, list user_tmpfs_t directories, and search tmpfs.
3034 rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3035 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3036 allow $1 user_tmpfs_t:dir list_dir_perms;
3037 fs_search_tmpfs($1)
3038 ')
3039
3040 ########################################
3041 ## <summary>
3042 ## Get the attributes of a user domain tty.
3043 ## </summary>
3044 ## <param name="domain">
3045 ## <summary>
3046 ## Domain allowed access.
3047 ## </summary>
3048 ## </param>
3049 #
3050 interface(`userdom_getattr_user_ttys',`
3051 gen_require(`
3052 type user_tty_device_t;
3053 ')
3054
# Grant $1 getattr_chr_file_perms on user_tty_device_t character devices.
3055 allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
3056 ')
3057
3058 ########################################
3059 ## <summary>
3060 ## Do not audit attempts to get the attributes of a user domain tty.
3061 ## </summary>
3062 ## <param name="domain">
3063 ## <summary>
3064 ## Domain to not audit.
3065 ## </summary>
3066 ## </param>
3067 #
3068 interface(`userdom_dontaudit_getattr_user_ttys',`
3069 gen_require(`
3070 type user_tty_device_t;
3071 ')
3072
# Suppress AVC denial messages for $1 attempting getattr_chr_file_perms
# on user_tty_device_t. Nothing is allowed.
3073 dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
3074 ')
3075
3076 ########################################
3077 ## <summary>
3078 ## Set the attributes of a user domain tty.
3079 ## </summary>
3080 ## <param name="domain">
3081 ## <summary>
3082 ## Domain allowed access.
3083 ## </summary>
3084 ## </param>
3085 #
3086 interface(`userdom_setattr_user_ttys',`
3087 gen_require(`
3088 type user_tty_device_t;
3089 ')
3090
# Grant $1 setattr_chr_file_perms on user_tty_device_t character devices.
3091 allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
3092 ')
3093
3094 ########################################
3095 ## <summary>
3096 ## Do not audit attempts to set the attributes of a user domain tty.
3097 ## </summary>
3098 ## <param name="domain">
3099 ## <summary>
3100 ## Domain to not audit.
3101 ## </summary>
3102 ## </param>
3103 #
3104 interface(`userdom_dontaudit_setattr_user_ttys',`
3105 gen_require(`
3106 type user_tty_device_t;
3107 ')
3108
# Suppress AVC denial messages for $1 attempting setattr_chr_file_perms
# on user_tty_device_t. Nothing is allowed.
3109 dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
3110 ')
3111
3112 ########################################
3113 ## <summary>
3114 ## Read and write a user domain tty.
3115 ## </summary>
3116 ## <param name="domain">
3117 ## <summary>
3118 ## Domain allowed access.
3119 ## </summary>
3120 ## </param>
3121 #
3122 interface(`userdom_use_user_ttys',`
3123 gen_require(`
3124 type user_tty_device_t;
3125 ')
3126
# Grant $1 rw_term_perms on user_tty_device_t, which (unlike the
# inherited variant below) covers opening the device, not only using an
# already-open descriptor.
3127 allow $1 user_tty_device_t:chr_file rw_term_perms;
3128 ')
3129
3130 ########################################
3131 ## <summary>
3132 ## Read and write an inherited user domain tty.
3133 ## </summary>
3134 ## <param name="domain">
3135 ## <summary>
3136 ## Domain allowed access.
3137 ## </summary>
3138 ## </param>
3139 #
3140 interface(`userdom_use_inherited_user_ttys',`
3141 gen_require(`
3142 type user_tty_device_t;
3143 ')
3144
# Grant $1 rw_inherited_term_perms on user_tty_device_t: read/write on
# a tty descriptor inherited from the caller, without open.
3145 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3146 ')
3147
3148 ########################################
3149 ## <summary>
3150 ## Read and write a user domain pty.
3151 ## </summary>
3152 ## <param name="domain">
3153 ## <summary>
3154 ## Domain allowed access.
3155 ## </summary>
3156 ## </param>
3157 #
3158 interface(`userdom_use_user_ptys',`
3159 gen_require(`
3160 type user_devpts_t;
3161 ')
3162
# Grant $1 rw_term_perms on user_devpts_t pseudo-terminal devices,
# including open.
3163 allow $1 user_devpts_t:chr_file rw_term_perms;
3164 ')
3165
3166 ########################################
3167 ## <summary>
3168 ## Read and write an inherited user domain pty.
3169 ## </summary>
3170 ## <param name="domain">
3171 ## <summary>
3172 ## Domain allowed access.
3173 ## </summary>
3174 ## </param>
3175 #
3176 interface(`userdom_use_inherited_user_ptys',`
3177 gen_require(`
3178 type user_devpts_t;
3179 ')
3180
# Grant $1 rw_inherited_term_perms on user_devpts_t: read/write on an
# inherited pty descriptor, without open.
3181 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3182 ')
3183
3184 ########################################
3185 ## <summary>
3186 ## Read and write inherited user TTYs and PTYs.
3187 ## </summary>
3188 ## <desc>
3189 ## <p>
3190 ## Allow the specified domain to read and write inherited user
3191 ## TTYs and PTYs. This will allow the domain to
3192 ## interact with the user via the terminal. Typically
3193 ## all interactive applications will require this
3194 ## access.
3195 ## </p>
3196 ## </desc>
3197 ## <param name="domain">
3198 ## <summary>
3199 ## Domain allowed access.
3200 ## </summary>
3201 ## </param>
3202 ## <infoflow type="both" weight="10"/>
3203 #
3204 interface(`userdom_use_inherited_user_terminals',`
3205 gen_require(`
3206 type user_tty_device_t, user_devpts_t;
3207 ')
3208
# Combined form of userdom_use_inherited_user_ttys and
# userdom_use_inherited_user_ptys: read/write on inherited tty and pty
# descriptors of the user, without open.
3209 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3210 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3211 ')
3212
3213 #######################################
3214 ## <summary>
3215 ## Allow attempts to read and write
3216 ## a user domain tty and pty.
3217 ## </summary>
3218 ## <param name="domain">
3219 ## <summary>
3220 ## Domain allowed access.
3221 ## </summary>
3222 ## </param>
3223 #
3224 interface(`userdom_use_user_terminals',`
3225 gen_require(`
3226 type user_tty_device_t, user_devpts_t;
3227 ')
3228
# Combined form of userdom_use_user_ttys and userdom_use_user_ptys:
# rw_term_perms (including open) on both user tty and pty devices.
# This is an allow rule, not a dontaudit, whatever the parameter
# description in the header above may say.
3229 allow $1 user_tty_device_t:chr_file rw_term_perms;
3230 allow $1 user_devpts_t:chr_file rw_term_perms;
3231 ')
3232
3233 ########################################
3234 ## <summary>
3235 ## Do not audit attempts to read and write
3236 ## a user domain tty and pty.
3237 ## </summary>
3238 ## <param name="domain">
3239 ## <summary>
3240 ## Domain to not audit.
3241 ## </summary>
3242 ## </param>
3243 #
3244 interface(`userdom_dontaudit_use_user_terminals',`
3245 gen_require(`
3246 type user_tty_device_t, user_devpts_t;
3247 ')
3248
# Suppress AVC denial messages for $1 attempting rw_term_perms on user
# tty and pty devices. Nothing is allowed.
3249 dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
3250 dontaudit $1 user_devpts_t:chr_file rw_term_perms;
3251 ')
3252
3253
3254 ########################################
3255 ## <summary>
3256 ## Get attributes of user domain tty and pty.
3257 ## </summary>
3258 ## <param name="domain">
3259 ## <summary>
3260 ## Domain allowed access.
3261 ## </summary>
3262 ## </param>
3263 #
3264 interface(`userdom_getattr_user_terminals',`
3265 gen_require(`
3266 type user_tty_device_t, user_devpts_t;
3267 ')
3268
# Grant $1 getattr_chr_file_perms on both user tty and pty devices.
3269 allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
3270 ')
3271
3272 ########################################
3273 ## <summary>
3274 ## Execute a shell in all user domains. This
3275 ## is an explicit transition, requiring the
3276 ## caller to use setexeccon().
3277 ## </summary>
3278 ## <param name="domain">
3279 ## <summary>
3280 ## Domain allowed to transition.
3281 ## </summary>
3282 ## </param>
3283 #
3284 interface(`userdom_spec_domtrans_all_users',`
3285 gen_require(`
3286 attribute userdomain;
3287 ')
3288
# Explicit (setexeccon) transition from $1 into any userdomain type by
# executing a shell. The reverse rules let the resulting user domain
# keep using descriptors and pipes inherited from $1 and deliver
# SIGCHLD back to it. Because this reaches every user domain, including
# privileged ones, callers should be login-style programs only.
3289 corecmd_shell_spec_domtrans($1, userdomain)
3290 allow userdomain $1:fd use;
# NOTE(review): rw_file_perms is used on fifo_file here, while
# userdom_entry_spec_domtrans_unpriv_users uses rw_fifo_file_perms for
# the same purpose; probably intended to be the same set.
3291 allow userdomain $1:fifo_file rw_file_perms;
3292 allow userdomain $1:process sigchld;
3293 ')
3294
3295 ########################################
3296 ## <summary>
3297 ## Execute an Xserver session in all user domains. This
3298 ## is an explicit transition, requiring the
3299 ## caller to use setexeccon().
3300 ## </summary>
3301 ## <param name="domain">
3302 ## <summary>
3303 ## Domain allowed to transition.
3304 ## </summary>
3305 ## </param>
3306 #
3307 interface(`userdom_xsession_spec_domtrans_all_users',`
3308 gen_require(`
3309 attribute userdomain;
3310 ')
3311
# Explicit (setexeccon) transition from $1 into any userdomain type by
# executing the X session script. Note the target is the full userdomain
# attribute, not only unprivileged user domains. The reverse rules let
# the new user domain use inherited fds and pipes and send SIGCHLD to $1.
3312 xserver_xsession_spec_domtrans($1, userdomain)
3313 allow userdomain $1:fd use;
3314 allow userdomain $1:fifo_file rw_file_perms;
3315 allow userdomain $1:process sigchld;
3316 ')
3317
3318 ########################################
3319 ## <summary>
3320 ## Execute a shell in all unprivileged user domains. This
3321 ## is an explicit transition, requiring the
3322 ## caller to use setexeccon().
3323 ## </summary>
3324 ## <param name="domain">
3325 ## <summary>
3326 ## Domain allowed to transition.
3327 ## </summary>
3328 ## </param>
3329 #
3330 interface(`userdom_spec_domtrans_unpriv_users',`
3331 gen_require(`
3332 attribute unpriv_userdomain;
3333 ')
3334
# Explicit (setexeccon) transition from $1 into an unpriv_userdomain
# type by executing a shell; narrower than
# userdom_spec_domtrans_all_users. Reverse rules as in that interface.
3335 corecmd_shell_spec_domtrans($1, unpriv_userdomain)
3336 allow unpriv_userdomain $1:fd use;
3337 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3338 allow unpriv_userdomain $1:process sigchld;
3339 ')
3340
3341 ########################################
3342 ## <summary>
3343 ## Execute an Xserver session in all unprivileged user domains. This
3344 ## is an explicit transition, requiring the
3345 ## caller to use setexeccon().
3346 ## </summary>
3347 ## <param name="domain">
3348 ## <summary>
3349 ## Domain allowed to transition.
3350 ## </summary>
3351 ## </param>
3352 #
3353 interface(`userdom_xsession_spec_domtrans_unpriv_users',`
3354 gen_require(`
3355 attribute unpriv_userdomain;
3356 ')
3357
# Explicit (setexeccon) transition from $1 into an unpriv_userdomain
# type by executing the X session script. Reverse rules let the new
# domain use inherited fds and pipes and send SIGCHLD to $1.
3358 xserver_xsession_spec_domtrans($1, unpriv_userdomain)
3359 allow unpriv_userdomain $1:fd use;
3360 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3361 allow unpriv_userdomain $1:process sigchld;
3362 ')
3363
3364 ########################################
3365 ## <summary>
3366 ## Manage unprivileged user SysV semaphores.
3367 ## </summary>
3368 ## <param name="domain">
3369 ## <summary>
3370 ## Domain allowed access.
3371 ## </summary>
3372 ## </param>
3373 #
3374 interface(`userdom_manage_unpriv_user_semaphores',`
3375 gen_require(`
3376 attribute unpriv_userdomain;
3377 ')
3378
# Grant $1 create_sem_perms on SysV semaphores owned by any
# unpriv_userdomain type.
3379 allow $1 unpriv_userdomain:sem create_sem_perms;
3380 ')
3381
3382 ########################################
3383 ## <summary>
3384 ## Manage unprivileged user SysV shared
3385 ## memory segments.
3386 ## </summary>
3387 ## <param name="domain">
3388 ## <summary>
3389 ## Domain allowed access.
3390 ## </summary>
3391 ## </param>
3392 #
3393 interface(`userdom_manage_unpriv_user_shared_mem',`
3394 gen_require(`
3395 attribute unpriv_userdomain;
3396 ')
3397
# Grant $1 create_shm_perms on SysV shared memory segments owned by any
# unpriv_userdomain type.
3398 allow $1 unpriv_userdomain:shm create_shm_perms;
3399 ')
3400
3401 ########################################
3402 ## <summary>
3403 ## Execute bin_t in the unprivileged user domains. This
3404 ## is an explicit transition, requiring the
3405 ## caller to use setexeccon().
3406 ## </summary>
3407 ## <param name="domain">
3408 ## <summary>
3409 ## Domain allowed to transition.
3410 ## </summary>
3411 ## </param>
3412 #
3413 interface(`userdom_bin_spec_domtrans_unpriv_users',`
3414 gen_require(`
3415 attribute unpriv_userdomain;
3416 ')
3417
# Explicit (setexeccon) transition from $1 into an unpriv_userdomain
# type by executing a bin_t program. Reverse rules let the new domain
# use inherited fds and pipes and send SIGCHLD to $1.
3418 corecmd_bin_spec_domtrans($1, unpriv_userdomain)
3419 allow unpriv_userdomain $1:fd use;
3420 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3421 allow unpriv_userdomain $1:process sigchld;
3422 ')
3423
3424 ########################################
3425 ## <summary>
3426 ## Execute all entrypoint files in unprivileged user
3427 ## domains. This is an explicit transition, requiring the
3428 ## caller to use setexeccon().
3429 ## </summary>
3430 ## <param name="domain">
3431 ## <summary>
3432 ## Domain allowed access.
3433 ## </summary>
3434 ## </param>
3435 #
3436 interface(`userdom_entry_spec_domtrans_unpriv_users',`
3437 gen_require(`
3438 attribute unpriv_userdomain;
3439 ')
3440
# Explicit (setexeccon) transition from $1 into an unpriv_userdomain
# type via any domain entrypoint file. This is the only one of the
# spec_domtrans interfaces here that uses rw_fifo_file_perms rather
# than rw_file_perms for the fifo_file reverse rule.
3441 domain_entry_file_spec_domtrans($1, unpriv_userdomain)
3442 allow unpriv_userdomain $1:fd use;
3443 allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
3444 allow unpriv_userdomain $1:process sigchld;
3445 ')
3446
3447 ########################################
3448 ## <summary>
3449 ## Search users home directories.
3450 ## </summary>
3451 ## <param name="domain">
3452 ## <summary>
3453 ## Domain allowed access.
3454 ## </summary>
3455 ## </param>
3456 #
3457 interface(`userdom_search_user_home_content',`
3458 gen_require(`
3459 type user_home_dir_t;
3460 attribute user_home_type;
3461 ')
3462
# List /home, search user_home_dir_t and all user_home_type
# directories, and read symlinks of those types. Slightly more than the
# "search" in the summary: the /home listing and symlink reads are
# included so paths below home directories can be resolved.
3463 files_list_home($1)
3464 allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
3465 allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
3466 ')
3467
3468 ########################################
3469 ## <summary>
3470 ## Send general signals to unprivileged user domains.
3471 ## </summary>
3472 ## <param name="domain">
3473 ## <summary>
3474 ## Domain allowed access.
3475 ## </summary>
3476 ## </param>
3477 #
3478 interface(`userdom_signal_unpriv_users',`
3479 gen_require(`
3480 attribute unpriv_userdomain;
3481 ')
3482
# Grant $1 the generic process:signal permission toward every
# unpriv_userdomain type (not sigkill, sigstop or sigchld).
3483 allow $1 unpriv_userdomain:process signal;
3484 ')
3485
3486 ########################################
3487 ## <summary>
3488 ## Inherit the file descriptors from unprivileged user domains.
3489 ## </summary>
3490 ## <param name="domain">
3491 ## <summary>
3492 ## Domain allowed access.
3493 ## </summary>
3494 ## </param>
3495 #
3496 interface(`userdom_use_unpriv_users_fds',`
3497 gen_require(`
3498 attribute unpriv_userdomain;
3499 ')
3500
# Grant $1 fd:use on descriptors created by any unpriv_userdomain type,
# i.e. descriptors inherited across exec from an unprivileged user.
3501 allow $1 unpriv_userdomain:fd use;
3502 ')
3503
3504 ########################################
3505 ## <summary>
3506 ## Do not audit attempts to inherit the file descriptors
3507 ## from unprivileged user domains.
3508 ## </summary>
3509 ## <desc>
3510 ## <p>
3511 ## Do not audit attempts to inherit the file descriptors
3512 ## from unprivileged user domains. This will suppress
3513 ## SELinux denial messages when the specified domain is denied
3514 ## the permission to inherit these file descriptors.
3515 ## </p>
3516 ## </desc>
3517 ## <param name="domain">
3518 ## <summary>
3519 ## Domain to not audit.
3520 ## </summary>
3521 ## </param>
3522 ## <infoflow type="none"/>
3523 #
3524 interface(`userdom_dontaudit_use_unpriv_user_fds',`
3525 gen_require(`
3526 attribute unpriv_userdomain;
3527 ')
3528
# Suppress AVC denial messages for $1 attempting fd:use on descriptors
# of unpriv_userdomain types. Nothing is allowed; the leaked descriptor
# is still unusable, the log line is just not emitted.
3529 dontaudit $1 unpriv_userdomain:fd use;
3530 ')
3531
3532 ########################################
3533 ## <summary>
3534 ## Do not audit attempts to use user ptys.
3535 ## </summary>
3536 ## <param name="domain">
3537 ## <summary>
3538 ## Domain to not audit.
3539 ## </summary>
3540 ## </param>
3541 #
3542 interface(`userdom_dontaudit_use_user_ptys',`
3543 gen_require(`
3544 type user_devpts_t;
3545 ')
3546
# Suppress AVC denial messages for $1 using an inherited user_devpts_t
# pty descriptor. Nothing is allowed.
# NOTE(review): this uses rw_inherited_file_perms on a chr_file, while
# the allow counterpart userdom_use_inherited_user_ptys uses
# rw_inherited_term_perms; the two sets may not match exactly.
3547 dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
3548 ')
3549
3550 ########################################
3551 ## <summary>
3552 ## Relabel files to unprivileged user pty types.
3553 ## </summary>
3554 ## <param name="domain">
3555 ## <summary>
3556 ## Domain allowed access.
3557 ## </summary>
3558 ## </param>
3559 #
3560 interface(`userdom_relabelto_user_ptys',`
3561 gen_require(`
3562 type user_devpts_t;
3563 ')
3564
# Grant $1 chr_file:relabelto toward user_devpts_t, i.e. the right to
# give a character device the user pty label. Relabeling needs the
# matching relabelfrom on the source type as well, which is not granted
# here.
3565 allow $1 user_devpts_t:chr_file relabelto;
3566 ')
3567
3568 ########################################
3569 ## <summary>
3570 ## Do not audit attempts to relabel files from
3571 ## user pty types.
3572 ## </summary>
3573 ## <param name="domain">
3574 ## <summary>
3575 ## Domain to not audit.
3576 ## </summary>
3577 ## </param>
3578 #
3579 interface(`userdom_dontaudit_relabelfrom_user_ptys',`
3580 gen_require(`
3581 type user_devpts_t;
3582 ')
3583
# Suppress AVC denial messages for $1 attempting chr_file:relabelfrom on
# user_devpts_t. Nothing is allowed.
3584 dontaudit $1 user_devpts_t:chr_file relabelfrom;
3585 ')
3586
########################################
## <summary>
##	Write user temporary files (user_tmp_t) in /tmp.
## </summary>
## <desc>
##	<p>
##	Allow the domain to write files labeled user_tmp_t located
##	in user_tmp_t directories. Searching /tmp itself is not
##	granted here; callers that need it must add files_search_tmp().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	write_files_pattern($1, user_tmp_t, user_tmp_t)
')
3604
########################################
## <summary>
##	Do not audit attempts to write user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_write_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# only the write permission is silenced; open/append denials still audit
	dontaudit $1 user_tmp_t:file write;
')
3623
########################################
## <summary>
##	Do not audit attempts to read or write inherited
##	user temporary named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_rw_user_tmp_pipes',`
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
')
3642
########################################
## <summary>
##	Do not audit attempts to read or write user ttys.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to read or write user tty devices
##	(user_tty_device_t). Unlike userdom_dontaudit_use_user_ptys,
##	this uses the full rw_file_perms set rather than the
##	inherited-only set.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_use_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
')
3660
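########################################
## <summary>
##	Read the process state of all user domains.
## </summary>
## <desc>
##	<p>
##	Read the files and symbolic links labeled with any user
##	domain type (the per-process entries under /proc), and
##	search /proc to reach them.
##	</p>
##	<p>
##	Per-process /proc entries include items such as the command
##	line, environment and memory maps, so this is a broad
##	disclosure permission over every user's processes; grant it
##	only to monitoring or administration domains that need it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_all_users_state',`
	gen_require(`
		attribute userdomain;
	')

	read_files_pattern($1, userdomain, userdomain)
	read_lnk_files_pattern($1, userdomain, userdomain)
	kernel_search_proc($1)
')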
3680
########################################
## <summary>
##	Get the attributes of all user domain processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process getattr;
')
3698
########################################
## <summary>
##	Inherit and use the file descriptors of all user domains.
## </summary>
## <desc>
##	<p>
##	Allow the domain to use file descriptors inherited from any
##	user domain. Access to the object behind each descriptor is
##	still checked separately against that object's type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:fd use;
')
3716
########################################
## <summary>
##	Do not audit attempts to inherit the file
##	descriptors from any user domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:fd use;
')
3735
########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <desc>
##	<p>
##	Grants the generic signal permission only; SIGKILL, SIGSTOP,
##	SIGCHLD and signull are separate permissions with their own
##	interfaces.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process signal;
')
3753
########################################
## <summary>
##	Send SIGKILL to all user domains.
## </summary>
## <desc>
##	<p>
##	Allows terminating any user process; intended for login,
##	session and administration domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_kill_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process sigkill;
')
3771
########################################
## <summary>
##	Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_sigchld_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process sigchld;
')
3789
########################################
## <summary>
##	Create keys in the keyrings of all user domains.
## </summary>
## <desc>
##	<p>
##	Grants only the create permission on the key class; reading,
##	writing or searching user keys is not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key create;
')
3807
########################################
## <summary>
##	Send a dbus message to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dbus_send_all_users',`
	gen_require(`
		attribute userdomain;
		class dbus send_msg;
	')

	allow $1 userdomain:dbus send_msg;
')
3826
########################################
## <summary>
##	Inherit resource limits into user domains.
## </summary>
## <desc>
##	<p>
##	Allow the domain's resource limits to be inherited by a
##	user domain across a domain transition (process rlimitinh).
##	</p>
##	<p>
##	The interface name is misspelled (rlimitnh for rlimitinh)
##	but is kept for compatibility with existing callers.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_set_rlimitnh',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process rlimitinh;
')
3844
########################################
## <summary>
##	Make the specified type an unprivileged user domain type.
## </summary>
## <desc>
##	<p>
##	Adds the type to the $1_usertype, unpriv_userdomain and
##	userdomain attributes, so that every rule written against
##	those attributes applies to it, and applies the UBAC
##	constraint to it.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Type to be made an unprivileged user domain type.
##	</summary>
## </param>
#
template(`userdom_unpriv_usertype',`
	gen_require(`
		attribute unpriv_userdomain, userdomain;
		attribute $1_usertype;
	')

	typeattribute $2 $1_usertype;
	typeattribute $2 unpriv_userdomain;
	typeattribute $2 userdomain;

	ubac_constrained($2)
')
3877
########################################
## <summary>
##	Connect to user domains over a unix stream socket.
## </summary>
## <desc>
##	<p>
##	Allow the domain to connect to unix stream sockets created
##	by any user domain whose socket file is labeled user_tmp_t,
##	and to search user_tmp_t directories to reach them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_stream_connect',`
	gen_require(`
		type user_tmp_t;
		attribute userdomain;
	')

	stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
')
3896
########################################
## <summary>
##	Ptrace all user domains.
## </summary>
## <desc>
##	<p>
##	Allow the domain to ptrace processes of every user domain.
##	Ptrace permits reading and modifying the memory and
##	registers of the traced process, so this effectively grants
##	full control over all user processes; restrict it to
##	debugger and administration domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_ptrace_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process ptrace;
')
3914
########################################
## <summary>
##	Do not audit attempts to search the
##	administrator home directory (/root).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:dir search_dir_perms;
')
3932
########################################
## <summary>
##	Do not audit attempts to list the
##	administrator home directory (/root).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:dir list_dir_perms;
')
3950
########################################
## <summary>
##	List the administrator home directory (/root).
## </summary>
## <desc>
##	<p>
##	Grants directory listing of admin_home_t only; reading the
##	files inside requires userdom_read_admin_home_files().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:dir list_dir_perms;
')
3968
########################################
## <summary>
##	Search the administrator home directory (/root).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:dir search_dir_perms;
')
3986
########################################
## <summary>
##	Read and write unprivileged user SysV semaphores.
## </summary>
## <desc>
##	<p>
##	Identical in effect to userdom_rw_unpriv_user_semaphores();
##	new callers should prefer that name.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_semaphores',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:sem rw_sem_perms;
')
4004
########################################
## <summary>
##	Send a message to unprivileged user domains over
##	a unix domain datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dgram_send',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
')
4023
######################################
## <summary>
##	Send a message to all user domains over
##	a unix domain datagram socket.
## </summary>
## <desc>
##	<p>
##	Unlike userdom_dgram_send(), this covers every user domain,
##	including privileged ones.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_users_dgram_send',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:unix_dgram_socket sendto;
')
4042
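#######################################
## <summary>
##	Execute modified memory mappings of files
##	in user home directories (execmod).
## </summary>
## <desc>
##	<p>
##	Allow the domain to make writable-then-executable private
##	mappings of any file carrying a user_home_type attribute
##	type. This weakens the W^X guarantee for content the user
##	controls and should only be granted where text relocations
##	in user-installed libraries genuinely require it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_execmod_user_home_files',`
	gen_require(`
		# user_home_type is an attribute (see its other users in this
		# module); requiring it as a type is inconsistent with them.
		attribute user_home_type;
	')

	allow $1 user_home_type:file execmod;
')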
4061
########################################
## <summary>
##	Read files in the administrator home directory (/root).
## </summary>
## <desc>
##	<p>
##	Root's home frequently holds credentials and private keys;
##	grant this only to domains that genuinely need it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	read_files_pattern($1, admin_home_t, admin_home_t)
')
4080
########################################
## <summary>
##	Execute files in the administrator home directory (/root)
##	without a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_exec_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	exec_files_pattern($1, admin_home_t, admin_home_t)
')
4099
########################################
## <summary>
##	Append to inherited files
##	in the administrator home directory (/root).
## </summary>
## <desc>
##	<p>
##	Grants getattr and append on an already-open descriptor
##	only; open is not included, so the domain cannot itself
##	open files in /root.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:file { getattr append };
')
4118
4119
#######################################
## <summary>
##	Create, read, write, and delete all
##	user home directory content.
## </summary>
## <desc>
##	<p>
##	Manage directories, files, symlinks, sockets and named pipes
##	of every user_home_type type, inside user home directories
##	and their subdirectories, and label new objects created
##	directly in a user home directory as user_home_t.
##	</p>
##	<p>
##	This spans every user's home content, not just the caller's;
##	it is appropriate for user domains themselves and for
##	trusted administration tools.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
		attribute user_home_type;
	')

	files_list_home($1)
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	# default label for objects created directly in the home directory
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })

')
4146
4147
########################################
## <summary>
##	Label objects created in a user home directory
##	with the user home file type.
## </summary>
## <desc>
##	<p>
##	Adds only the type_transition rule from user_home_dir_t to
##	user_home_t for the given class. No allow rules are granted:
##	the caller must separately be permitted to add entries to
##	user_home_dir_t and to create user_home_t objects.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans_pattern',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	type_transition $1 user_home_dir_t:$2 user_home_t;
')
4172
########################################
## <summary>
##	Create objects in the /root directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="filename" optional="true">
##	<summary>
##	The name of the object being created, for a
##	named file transition.
##	</summary>
## </param>
#
interface(`userdom_admin_home_dir_filetrans',`
	gen_require(`
		type admin_home_t;
	')

	filetrans_pattern($1, admin_home_t, $2, $3, $4)
')
4202
########################################
## <summary>
##	Send signull (existence check) to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signull_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:process signull;
')
4220
########################################
## <summary>
##	Write user temporary files (user_tmp_t) in /tmp.
## </summary>
## <desc>
##	<p>
##	NOTE(review): despite the name, this interface grants write
##	on user_tmp_t files, not on directories, and is identical to
##	userdom_write_user_tmp_files(). Callers that need to add
##	entries to user_tmp_t directories do not get that here; the
##	body is left unchanged so existing callers keep working.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	write_files_pattern($1, user_tmp_t, user_tmp_t)
')
4238
########################################
## <summary>
##	Manage keys in the keyrings of all user domains.
## </summary>
## <desc>
##	<p>
##	Grants the full manage_key_perms set over every user
##	domain's keys, which includes reading key payloads; user
##	keyrings commonly hold session secrets, so limit this to
##	trusted system services.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key manage_key_perms;
')
4256
4257
########################################
## <summary>
##	Do not audit attempts to read and write
##	user domain unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_rw_stream',`
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
')
4276
########################################
## <summary>
##	Do not audit attempts to read and write
##	user domain unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_rw_dgram_socket',`
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:unix_dgram_socket { read write };
')
4295
########################################
## <summary>
##	Append to files in user home directories.
## </summary>
## <desc>
##	<p>
##	Allow appending to user_home_t files, and searching the
##	home root and user home directories to reach them. Read
##	and write are not granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_append_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	append_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
4316
########################################
## <summary>
##	Read inherited files of any user home content type.
## </summary>
## <desc>
##	<p>
##	Grants getattr and read on already-open descriptors for
##	every user_home_type type; open is not included, so the
##	domain cannot open home files itself.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_inherited_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:file { getattr read };
')
4335
########################################
## <summary>
##	Append to inherited user home files (user_home_t).
## </summary>
## <desc>
##	<p>
##	Grants getattr and append on already-open descriptors only;
##	open is not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:file { getattr append };
')
4354
########################################
## <summary>
##	Append to inherited user temporary files (user_tmp_t).
## </summary>
## <desc>
##	<p>
##	Grants getattr and append on already-open descriptors only;
##	open is not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file { getattr append };
')
4373
######################################
## <summary>
##	Read audio files (audio_home_t) in user home directories.
## </summary>
## <desc>
##	<p>
##	Allow searching user home directories, listing audio_home_t
##	directories, and reading audio_home_t files and symlinks.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_read_home_audio_files',`
	gen_require(`
		type audio_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 audio_home_t:dir list_dir_perms;
	read_files_pattern($1, audio_home_t, audio_home_t)
	read_lnk_files_pattern($1, audio_home_t, audio_home_t)
')
4395
########################################
## <summary>
##	Do not audit attempts to write files of
##	any user home content type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_write_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:file write_file_perms;
')
4413
########################################
## <summary>
##	Do not audit attempts to write files of
##	any user temporary content type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	dontaudit $1 user_tmp_type:file write_file_perms;
')
4431
########################################
## <summary>
##	Create, read, write, and delete all user
##	temporary content.
## </summary>
## <desc>
##	<p>
##	Manage directories, files, symlinks, sockets and named pipes
##	of every user_tmp_type type, and search /tmp to reach them.
##	Because this covers every user's temporary content, it is
##	intended for cleanup and administration services.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
	manage_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	files_search_tmp($1)
')
4454
########################################
## <summary>
##	List all user temporary content.
## </summary>
## <desc>
##	<p>
##	Allow listing directories, getting attributes of files,
##	sockets and named pipes, and reading symlinks of every
##	user_tmp_type type. Searching /var (for /var/tmp) and /tmp
##	is included so the content can be reached.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	list_dirs_pattern($1, user_tmp_type, user_tmp_type)
	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
	read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	# /var/tmp
	files_search_var($1)
	files_search_tmp($1)
')
4478
########################################
## <summary>
##	Create, read, write, and delete all user tmpfs content.
## </summary>
## <desc>
##	<p>
##	Manage directories, files, symlinks, sockets and named pipes
##	of every user_tmpfs_type type, and search tmpfs filesystems
##	to reach them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmpfs_content',`
	gen_require(`
		attribute user_tmpfs_type;
	')

	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	fs_search_tmpfs($1)
')
4501
########################################
## <summary>
##	Delete all user temporary content.
## </summary>
## <desc>
##	<p>
##	Allow deleting directories, files, symlinks, sockets and
##	named pipes of every user_tmp_type type, plus searching /var
##	and removing entries from the generic tmp directory so the
##	top-level objects in /tmp and /var/tmp can be unlinked.
##	Intended for tmp-cleaning services.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
	delete_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	# /var/tmp
	files_search_var($1)
	files_delete_tmp_dir_entry($1)
')
4526
########################################
## <summary>
##	Read SSL certificates (home_cert_t) in user home directories.
## </summary>
## <desc>
##	<p>
##	Allow searching user home content, listing home_cert_t
##	directories, and reading home_cert_t files and symlinks.
##	Write access is not granted, so the certificates cannot be
##	replaced through this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	userdom_search_user_home_content($1)
	allow $1 home_cert_t:dir list_dir_perms;
	read_files_pattern($1, home_cert_t, home_cert_t)
	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
')
4547
#######################################
## <summary>
##	Do not audit attempts to write SSL certificates
##	(home_cert_t) in user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_write_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	dontaudit $1 home_cert_t:file write;
')
4565
########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	files in the administrator home directory (/root).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_getattr_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file getattr;
')
4583
########################################
## <summary>
##	Do not audit attempts to read symbolic links
##	in the administrator home directory (/root).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_read_admin_home_lnk_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:lnk_file read;
')
4601
########################################
## <summary>
##	Do not audit attempts to read files
##	in the administrator home directory (/root).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file read_file_perms;
')
4619
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary character device nodes.
## </summary>
## <desc>
##	<p>
##	Manage character device nodes labeled user_tmp_t in
##	user_tmp_t directories and search /tmp to reach them.
##	Creating device nodes in a world-writable temporary location
##	is unusual and powerful; grant this only to the specific
##	domain that needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_chr_files',`
	gen_require(`
		type user_tmp_t;
	')

	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
4639
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary block device nodes.
## </summary>
## <desc>
##	<p>
##	Manage block device nodes labeled user_tmp_t in user_tmp_t
##	directories and search /tmp to reach them. As with the
##	character device variant, this is a powerful permission for
##	a shared temporary location; restrict it to the domain that
##	requires it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_blk_files',`
	gen_require(`
		type user_tmp_t;
	')

	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
4659
########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_setattr_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir setattr;
')
4677
########################################
## <summary>
##	Write inherited user temporary files (user_tmp_t).
## </summary>
## <desc>
##	<p>
##	Grants only the write permission on already-open
##	descriptors; open and getattr are not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_inherited_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file write;
')
4695
########################################
## <summary>
##	Delete user temporary files (user_tmp_t).
## </summary>
## <desc>
##	<p>
##	Grants delete permissions on the file itself only; removing
##	the entry from its containing user_tmp_t directory and
##	searching /tmp are not granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file delete_file_perms;
')
4713
########################################
## <summary>
##	Delete user tmpfs files (user_tmpfs_t).
## </summary>
## <desc>
##	<p>
##	Grants delete permissions on the file itself only; directory
##	entry removal must be granted separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	allow $1 user_tmpfs_t:file delete_file_perms;
')
4731
########################################
## <summary>
##	Read and write unprivileged user SysV shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_unpriv_user_shared_mem',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:shm rw_shm_perms;
')
4750
########################################
## <summary>
##	Do not audit attempts to search user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_search_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir search_dir_perms;
')
4769
########################################
## <summary>
##	Execute a file in a user home directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a user_home_t file with an automatic domain
##	transition to the specified target domain, and read
##	user_home_t symbolic links so the executable can be resolved.
##	</p>
##	<p>
##	user_home_t is user home content, so the program being
##	executed is generally under the user's control; the target
##	domain should therefore be one the user is already trusted
##	to run code in.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_home',`
	gen_require(`
		type user_home_t;
	')

	read_lnk_files_pattern($1, user_home_t, user_home_t)
	domain_transition_pattern($1, user_home_t, $2)
	type_transition $1 user_home_t:process $2;
')
4806
########################################
## <summary>
##	Execute a file in a user tmp directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Search /tmp, read user_tmp_t symbolic links, and execute a
##	user_tmp_t file with an automatic domain transition to the
##	specified target domain.
##	</p>
##	<p>
##	user_tmp_t content is created by user domains, so the
##	program executed here is generally under the user's control;
##	choose the target domain accordingly.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	domain_transition_pattern($1, user_tmp_t, $2)
	type_transition $1 user_tmp_t:process $2;
')
4844
########################################
## <summary>
##	Do not audit attempts to read files of
##	any user home content type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_read_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:file read_file_perms;
')
4862
########################################
## <summary>
##	Do not audit attempts to read files of
##	any user temporary content type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	dontaudit $1 user_tmp_type:file read_file_perms;
')
4880
#######################################
## <summary>
##	Read and write unprivileged user SysV semaphores.
## </summary>
## <desc>
##	<p>
##	Preferred name for this access; userdom_rw_semaphores()
##	grants exactly the same rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_unpriv_user_semaphores',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:sem rw_sem_perms;
')