1 ## <summary>Policy for user domains</summary>
3 #######################################
5 ## The template containing the most basic rules common to all users.
9 ## The template containing the most basic rules common to all users.
12 ## This template creates a user domain, types, and
13 ## rules for the user's tty and pty.
16 ## <param name="userdomain_prefix">
18 ## The prefix of the user domain (e.g., user
19 ## is the prefix for user_t).
24 template(`userdom_base_user_template',`
# $1_t is the login domain created for this prefix. $1_usertype is an
# attribute that $1_t carries (see the type declaration below); most rules in
# this template are written against the attribute, so they extend to any other
# domain that is later given $1_usertype, not only to $1_t.
28 type user_devpts_t, user_tty_device_t;
29 class context contains;
32 attribute $1_file_type;
33 attribute $1_usertype;
35 type $1_t, userdomain, $1_usertype;
# Shells and generic bin programs are valid entry points into $1_t.
37 corecmd_shell_entry_type($1_t)
38 corecmd_bin_entry_type($1_t)
39 domain_user_exemption_target($1_t)
40 ubac_constrained($1_t)
# Per-user terminal types for the user's ptys and ttys.
44 term_user_pty($1_t, user_devpts_t)
46 term_user_tty($1_t, user_tty_device_t)
47 term_dontaudit_getattr_generic_ptys($1_t)
# Source and target are both the attribute, so any domain carrying
# $1_usertype may ptrace, signal and reschedule any other $1_usertype domain,
# not only itself.
49 allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
50 allow $1_usertype $1_usertype:fd use;
# Keyring access is to $1_t's keys specifically, not to the whole attribute.
51 allow $1_usertype $1_t:key { create view read write search link setattr };
# IPC among domains sharing the attribute.
53 allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
54 allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
55 allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
56 allow $1_usertype $1_usertype:shm create_shm_perms;
57 allow $1_usertype $1_usertype:sem create_sem_perms;
58 allow $1_usertype $1_usertype:msgq create_msgq_perms;
59 allow $1_usertype $1_usertype:msg { send receive };
60 allow $1_usertype $1_usertype:context contains;
61 dontaudit $1_usertype $1_usertype:socket create;
63 allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
64 term_create_pty($1_usertype, user_devpts_t)
65 # avoid annoying messages on terminal hangup on role change
66 dontaudit $1_usertype user_devpts_t:chr_file ioctl;
68 allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
69 # avoid annoying messages on terminal hangup on role change
70 dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
72 application_exec_all($1_usertype)
74 kernel_read_kernel_sysctls($1_usertype)
# Presumably a superset of kernel_read_kernel_sysctls() above; verify against
# the kernel module's interface definitions.
75 kernel_read_all_sysctls($1_usertype)
# The *_dontaudit_* calls below only silence denials; they grant nothing.
76 kernel_dontaudit_list_unlabeled($1_usertype)
77 kernel_dontaudit_getattr_unlabeled_files($1_usertype)
78 kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
79 kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
80 kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
81 kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
82 kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
83 kernel_dontaudit_list_proc($1_usertype)
85 dev_dontaudit_getattr_all_blk_files($1_usertype)
86 dev_dontaudit_getattr_all_chr_files($1_usertype)
# Granted to $1_t alone, unlike the surrounding rules on $1_usertype.
87 dev_getattr_mtrr_dev($1_t)
89 # When the user domain runs ps, there will be a number of access
90 # denials when ps tries to search /proc. Do not audit these denials.
91 domain_dontaudit_read_all_domains_state($1_usertype)
92 domain_dontaudit_getattr_all_domains($1_usertype)
93 domain_dontaudit_getsession_all_domains($1_usertype)
94 dev_dontaudit_all_access_check($1_usertype)
96 files_read_etc_files($1_usertype)
97 files_list_mnt($1_usertype)
98 files_read_mnt_files($1_usertype)
99 files_dontaudit_access_check_mnt($1_usertype)
100 files_read_etc_runtime_files($1_usertype)
101 files_read_usr_files($1_usertype)
102 files_read_usr_src_files($1_usertype)
103 # Read directories and files with the readable_t type.
104 # This type is a general type for "world"-readable files.
105 files_list_world_readable($1_usertype)
106 files_read_world_readable_files($1_usertype)
107 files_read_world_readable_symlinks($1_usertype)
108 files_read_world_readable_pipes($1_usertype)
109 files_read_world_readable_sockets($1_usertype)
110 # old browser_domain():
111 files_dontaudit_getattr_all_dirs($1_usertype)
112 files_dontaudit_list_non_security($1_usertype)
113 files_dontaudit_getattr_all_files($1_usertype)
114 files_dontaudit_getattr_non_security_symlinks($1_usertype)
115 files_dontaudit_getattr_non_security_pipes($1_usertype)
116 files_dontaudit_getattr_non_security_sockets($1_usertype)
117 files_dontaudit_setattr_etc_runtime_files($1_usertype)
# Execute (no domain transition) of usr files, for $1_t only.
119 files_exec_usr_files($1_t)
121 fs_list_cgroup_dirs($1_usertype)
122 fs_dontaudit_rw_cgroup_files($1_usertype)
124 storage_rw_fuse($1_usertype)
126 auth_use_nsswitch($1_usertype)
128 init_stream_connect($1_usertype)
129 # The library functions always try to open read-write first,
130 # then fall back to read-only if it fails.
131 init_dontaudit_rw_utmp($1_usertype)
133 libs_exec_ld_so($1_usertype)
135 logging_send_audit_msgs($1_t)
# Redundant with the $1_usertype call a few lines down: $1_t carries
# $1_usertype (declared above), so it already receives that grant.
137 miscfiles_read_localization($1_t)
138 miscfiles_read_generic_certs($1_t)
140 miscfiles_read_all_certs($1_usertype)
141 miscfiles_read_localization($1_usertype)
142 miscfiles_read_man_pages($1_usertype)
143 miscfiles_read_public_files($1_usertype)
# Both tunables below weaken W^X for $1_t; each takes effect only while the
# corresponding boolean is on.
145 tunable_policy(`allow_execmem',`
146 # Allow executable anonymous / writable-private memory mappings (execmem),
# e.g. for JITs and DSOs that require it.
147 allow $1_t self:process execmem;
150 tunable_policy(`allow_execmem && allow_execstack',`
151 # Allow making the stack executable via mprotect.
152 allow $1_t self:process execstack;
# Repeats the fs_list_cgroup_dirs() call earlier in this template.
156 fs_list_cgroup_dirs($1_usertype)
160 ssh_rw_stream_sockets($1_usertype)
166 #######################################
168 ## Allow a home directory for which the
169 ## role has read-only access.
173 ## Allow a home directory for which the
174 ## role has read-only access.
177 ## This does not allow execute access.
180 ## <param name="role">
185 ## <param name="userdomain">
192 interface(`userdom_ro_home_role',`
194 type user_home_t, user_home_dir_t;
# Home directory types associated with role $1; the home directory itself is
# polyinstantiated via the type_member rule below.
197 role $1 types { user_home_t user_home_dir_t };
199 ##############################
201 # Domain access to home dir
204 type_member $2 user_home_dir_t:dir user_home_dir_t;
206 # read-only home directory
207 allow $2 user_home_dir_t:dir list_dir_perms;
208 allow $2 user_home_t:dir list_dir_perms;
# entrypoint is not execute: it only lets a user_home_t file serve as the
# entry point of a domain transition into $2. Execute permission on home
# content is not granted by this interface (the read_* patterns below carry
# read permissions only).
209 allow $2 user_home_t:file entrypoint;
210 read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
211 read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
212 read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
213 read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
218 #######################################
220 ## Allow a home directory for which the
221 ## role has full access.
225 ## Allow a home directory for which the
226 ## role has full access.
229 ## This does not allow execute access.
232 ## <param name="role">
237 ## <param name="userdomain">
244 interface(`userdom_manage_home_role',`
246 type user_home_t, user_home_dir_t;
247 attribute user_home_type;
250 role $1 types { user_home_type user_home_dir_t };
252 ##############################
254 # Domain access to home dir
257 type_member $2 user_home_dir_t:dir user_home_dir_t;
259 # full control of the home directory
260 allow $2 user_home_t:dir mounton;
# entrypoint only: lets a user_home_t file be the entry point of a transition
# into $2; execute itself is not granted here (manage_* patterns carry no
# execute permission).
261 allow $2 user_home_t:file entrypoint;
# Relabeling is permitted between any types carrying user_home_type, in
# either direction, for directories and all file classes.
263 allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
264 allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
265 manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
266 manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
267 manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
268 manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
269 manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
270 relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
271 relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
272 relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
273 relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
274 relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
# Objects created directly in the home directory default to user_home_t.
275 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
278 # cjp: this should probably be removed:
279 allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
# Home directories on NFS/CIFS: these fs_manage_* interfaces take no home
# type argument, so while the boolean is on the grant covers the whole remote
# filesystem type, not only this user's home content.
281 tunable_policy(`use_nfs_home_dirs',`
284 fs_manage_nfs_dirs($2)
285 fs_manage_nfs_files($2)
286 fs_manage_nfs_symlinks($2)
287 fs_manage_nfs_named_sockets($2)
288 fs_manage_nfs_named_pipes($2)
291 tunable_policy(`use_samba_home_dirs',`
294 fs_manage_cifs_dirs($2)
295 fs_manage_cifs_files($2)
296 fs_manage_cifs_symlinks($2)
297 fs_manage_cifs_named_sockets($2)
298 fs_manage_cifs_named_pipes($2)
302 #######################################
304 ## Manage user temporary files
306 ## <param name="role">
308 ## Role allowed access.
311 ## <param name="domain">
313 ## Domain allowed access.
318 interface(`userdom_manage_tmp_role',`
323 role $1 types user_tmp_t;
# Polyinstantiated /tmp member directory for $2.
325 files_poly_member_tmp($2, user_tmp_t)
# Full management of user_tmp_t content; no execute permission is granted here
# (see userdom_exec_user_tmp_files() for that).
327 manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
328 manage_files_pattern($2, user_tmp_t, user_tmp_t)
329 manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
330 manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
331 manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
# Objects $2 creates in /tmp are labeled user_tmp_t.
332 files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
# Only files are relabelable here, not directories.
333 relabel_files_pattern($2, user_tmp_t, user_tmp_t)
336 #######################################
338 ## Dontaudit search of user bin dirs.
340 ## <param name="domain">
342 ## Domain to not audit.
346 interface(`userdom_dontaudit_search_user_bin_dirs',`
# Silence only: no access to home_bin_t directories is granted.
351 dontaudit $1 home_bin_t:dir search_dir_perms;
354 #######################################
356 ## Execute user bin files.
358 ## <param name="domain">
360 ## Domain allowed access.
364 interface(`userdom_exec_user_bin_files',`
366 attribute user_home_type;
367 type home_bin_t, user_home_dir_t;
# Execute home_bin_t files reached through the home directory types, in the
# caller's own domain (no domain transition).
370 exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
371 files_search_home($1)
374 #######################################
376 ## Execute user temporary files.
378 ## <param name="domain">
380 ## Domain allowed access.
385 interface(`userdom_exec_user_tmp_files',`
# Anything labeled user_tmp_t -- typically content the user domain itself can
# write -- becomes executable in $1 without a domain transition. This is the
# grant that the allow_<prefix>_exec_content boolean switches on in
# userdom_login_user_template().
390 exec_files_pattern($1, user_tmp_t, user_tmp_t)
391 dontaudit $1 user_tmp_t:sock_file execute;
395 #######################################
397 ## Role access for the user tmpfs type
398 ## that the user has full access.
402 ## Role access for the user tmpfs type
403 ## that the user has full access.
406 ## This does not allow execute access.
409 ## <param name="role">
411 ## Role allowed access.
414 ## <param name="domain">
416 ## Domain allowed access.
421 interface(`userdom_manage_tmpfs_role',`
426 role $1 types user_tmpfs_t;
# Full management of user_tmpfs_t content; no execute permission is granted.
428 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
429 manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
430 manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
431 manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
432 manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
# Objects $2 creates on tmpfs are labeled user_tmpfs_t.
433 fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
436 #######################################
438 ## The interface allowing the user basic
439 ## network permissions
441 ## <param name="userdomain">
448 interface(`userdom_basic_networking',`
450 allow $1 self:tcp_socket create_stream_socket_perms;
451 allow $1 self:udp_socket create_socket_perms;
# Accept traffic carrying no network label as well as NetLabel-labeled
# traffic.
453 corenet_all_recvfrom_unlabeled($1)
454 corenet_all_recvfrom_netlabel($1)
455 corenet_tcp_sendrecv_generic_if($1)
456 corenet_udp_sendrecv_generic_if($1)
457 corenet_tcp_sendrecv_generic_node($1)
458 corenet_udp_sendrecv_generic_node($1)
459 corenet_tcp_sendrecv_all_ports($1)
460 corenet_udp_sendrecv_all_ports($1)
# Outbound TCP connections to every port type: no port-based restriction is
# applied to client traffic from $1. Binding/listening is not granted here.
461 corenet_tcp_connect_all_ports($1)
462 corenet_sendrecv_all_client_packets($1)
465 init_tcp_recvfrom_all_daemons($1)
466 init_udp_recvfrom_all_daemons($1)
470 ipsec_match_default_spd($1)
475 #######################################
477 ## The template for creating a user xwindows client. (Deprecated)
479 ## <param name="userdomain_prefix">
481 ## The prefix of the user domain (e.g., user
482 ## is the prefix for user_t).
487 template(`userdom_xwindows_client_template',`
# Deprecated: emits a build-time warning pointing at xserver_role(); kept only
# for compatibility.
488 refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
490 type $1_t, user_tmpfs_t;
493 dev_rw_xserver_misc($1_t)
494 dev_rw_power_management($1_t)
498 # open office is looking for the following
499 dev_getattr_agp_dev($1_t)
500 dev_dontaudit_rw_dri($1_t)
501 # GNOME checks for usb and other devices:
503 dev_rw_generic_usb_dev($1_t)
505 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
506 xserver_xsession_entry_type($1_t)
507 xserver_dontaudit_write_log($1_t)
508 xserver_stream_connect_xdm($1_t)
509 # certain apps want to read xdm.pid file
510 xserver_read_xdm_pid($1_t)
511 # gnome-session creates socket under /tmp/.ICE-unix/
512 xserver_create_xdm_tmp_sockets($1_t)
513 # Needed for escd, remove if we get escd policy
514 xserver_manage_xdm_tmp_files($1_t)
517 #######################################
519 ## The template for allowing the user to change passwords.
521 ## <param name="userdomain_prefix">
523 ## The prefix of the user domain (e.g., user
524 ## is the prefix for user_t).
529 template(`userdom_change_password_template',`
# *_run_*: domain transition into the chfn / passwd domains plus role $1_r
# authorization for them. The user domain itself does not receive those
# programs' permissions.
536 usermanage_run_chfn($1_t,$1_r)
537 usermanage_run_passwd($1_t,$1_r)
541 #######################################
543 ## The template containing rules common to unprivileged
544 ## users and administrative users.
548 ## This template creates a user domain, types, and
549 ## rules for the user's tty, pty, tmp, and tmpfs files.
552 ## <param name="userdomain_prefix">
554 ## The prefix of the user domain (e.g., user
555 ## is the prefix for user_t).
559 template(`userdom_common_user_template',`
561 attribute unpriv_userdomain;
564 userdom_basic_networking($1_usertype)
566 ##############################
568 # User domain Local policy
571 # evolution and gnome-session try to create a netlink socket
572 dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
573 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
574 allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
575 allow $1_t self:socket create_socket_perms;
# The target is the unpriv_userdomain attribute, so fd inheritance works
# across every unprivileged user domain, not only domains of this prefix.
577 allow $1_usertype unpriv_userdomain:fd use;
579 kernel_read_system_state($1_usertype)
580 kernel_read_network_state($1_usertype)
581 kernel_read_software_raid_state($1_usertype)
582 kernel_read_net_sysctls($1_usertype)
583 # Very permissive allowing every domain to see every type:
584 kernel_get_sysvipc_info($1_usertype)
585 # Find CDROM devices:
586 kernel_read_device_sysctls($1_usertype)
# Lets the user domain trigger kernel module autoloading (module_request).
# The kernel does the loading, but unprivileged code can thereby pull
# additional kernel code into use.
587 kernel_request_load_module($1_usertype)
589 corenet_udp_bind_generic_node($1_usertype)
590 corenet_udp_bind_generic_port($1_usertype)
592 dev_read_rand($1_usertype)
593 dev_write_sound($1_usertype)
594 dev_read_sound($1_usertype)
595 dev_read_sound_mixer($1_usertype)
596 dev_write_sound_mixer($1_usertype)
# Execute etc-labeled files in the caller's domain (no transition).
598 files_exec_etc_files($1_usertype)
599 files_search_locks($1_usertype)
600 # Check to see if cdrom is mounted
601 files_search_mnt($1_usertype)
602 # cjp: perhaps should cut back on file reads:
603 files_read_var_files($1_usertype)
604 files_read_var_symlinks($1_usertype)
605 files_read_generic_spool($1_usertype)
606 files_read_var_lib_files($1_usertype)
# Also granted in userdom_login_user_template(); harmless duplicate when both
# templates are applied to the same prefix.
608 files_getattr_lost_found_dirs($1_usertype)
609 files_read_config_files($1_usertype)
610 fs_read_noxattr_fs_files($1_usertype)
611 fs_read_noxattr_fs_symlinks($1_usertype)
# userdom_base_user_template() only dontaudits rw on cgroup files; this
# template actually grants it.
612 fs_rw_cgroup_files($1_usertype)
614 application_getattr_socket($1_usertype)
616 logging_send_syslog_msg($1_usertype)
617 logging_send_audit_msgs($1_usertype)
618 selinux_get_enforce_mode($1_usertype)
620 # cjp: some of this probably can be removed
# The selinux_compute_* calls are read-only queries of the security server
# (access vector / create / relabel / user context computation); none of them
# can change policy or enforcement mode.
621 selinux_get_fs_mount($1_usertype)
622 selinux_validate_context($1_usertype)
623 selinux_compute_access_vector($1_usertype)
624 selinux_compute_create_context($1_usertype)
625 selinux_compute_relabel_context($1_usertype)
626 selinux_compute_user_contexts($1_usertype)
629 storage_getattr_fixed_disk_dev($1_usertype)
631 auth_read_login_records($1_usertype)
# *_run_*: domain transition plus role $1_r authorization for the helper's
# domain; the user domain does not itself gain the helper's permissions.
632 auth_run_pam($1_t,$1_r)
633 auth_run_utempter($1_t,$1_r)
635 init_read_utmp($1_usertype)
637 seutil_read_file_contexts($1_usertype)
638 seutil_read_default_contexts($1_usertype)
639 seutil_run_newrole($1_t,$1_r)
# *_exec_*: run in the caller's own domain with no transition, so checkpolicy
# and setfiles get only the permissions $1_t / $1_usertype already have.
640 seutil_exec_checkpolicy($1_t)
641 seutil_exec_setfiles($1_usertype)
642 # for when the network connection is killed
643 # this is needed when a login role can change
645 seutil_dontaudit_signal_newrole($1_t)
647 tunable_policy(`user_direct_mouse',`
648 dev_read_mouse($1_usertype)
651 tunable_policy(`user_ttyfile_stat',`
652 term_getattr_all_ttys($1_t)
656 alsa_read_rw_config($1_usertype)
657 alsa_manage_home_files($1_t)
658 alsa_relabel_home_files($1_t)
662 # Allow graphical boot to check battery lifespan
663 apm_stream_connect($1_usertype)
667 canna_stream_connect($1_usertype)
# The *_role() / *_role_template() / *_transition() calls in this template add
# further application domains that role $1_r may enter; each widens what a
# session in this role can reach.
671 chrome_role($1_r, $1_usertype)
675 colord_read_lib_files($1_usertype)
679 dbus_system_bus_client($1_usertype)
681 allow $1_usertype $1_usertype:dbus send_msg;
684 avahi_dbus_chat($1_usertype)
688 policykit_dbus_chat($1_usertype)
692 bluetooth_dbus_chat($1_usertype)
696 consolekit_dbus_chat($1_usertype)
697 consolekit_read_log($1_usertype)
701 devicekit_dbus_chat($1_usertype)
702 devicekit_dbus_chat_power($1_usertype)
703 devicekit_dbus_chat_disk($1_usertype)
707 evolution_dbus_chat($1_usertype)
708 evolution_alarm_dbus_chat($1_usertype)
712 gnome_dbus_chat_gconfdefault($1_usertype)
716 hal_dbus_chat($1_usertype)
720 kde_dbus_chat_backlighthelper($1_usertype)
724 modemmanager_dbus_chat($1_usertype)
728 networkmanager_dbus_chat($1_usertype)
729 networkmanager_read_lib_files($1_usertype)
733 vpn_dbus_chat($1_usertype)
738 git_session_role($1_r, $1_usertype)
742 inetd_use_fds($1_usertype)
743 inetd_rw_tcp_sockets($1_usertype)
747 inn_read_config($1_usertype)
748 inn_read_news_lib($1_usertype)
749 inn_read_news_spool($1_usertype)
753 lircd_stream_connect($1_usertype)
757 locate_read_lib_files($1_usertype)
760 # for running depmod as part of the kernel packaging process
762 modutils_read_module_config($1_usertype)
# The name suggests management of the whole mail queue rather than only this
# user's spool files -- verify against the mta module.
766 mta_rw_spool($1_usertype)
767 mta_manage_queue($1_usertype)
768 mta_filetrans_home_content($1_usertype)
772 nsplugin_role($1_r, $1_usertype)
# Database client access is opt-in via booleans.
776 tunable_policy(`allow_user_mysql_connect',`
777 mysql_stream_connect($1_t)
782 oident_manage_user_content($1_t)
783 oident_relabel_user_content($1_t)
787 # to allow monitoring of pcmcia status
788 pcmcia_read_pid($1_usertype)
792 pcscd_read_pub_files($1_usertype)
793 pcscd_stream_connect($1_usertype)
797 tunable_policy(`allow_user_postgresql_connect',`
798 postgresql_stream_connect($1_usertype)
799 postgresql_tcp_connect($1_usertype)
804 resmgr_stream_connect($1_usertype)
808 rpc_dontaudit_getattr_exports($1_usertype)
809 rpc_manage_nfs_rw_content($1_usertype)
813 rpcbind_stream_connect($1_usertype)
817 samba_stream_connect_winbind($1_usertype)
# Transitions into the sandbox and seunshare domains are authorized for this
# role.
821 sandbox_transition($1_usertype, $1_r)
825 seunshare_role_template($1, $1_r, $1_t)
829 slrnpull_search_spool($1_usertype)
834 #######################################
836 ## The template for creating a login user.
840 ## This template creates a user domain, types, and
841 ## rules for the user's tty, pty, home directories,
842 ## tmp, and tmpfs files.
845 ## <param name="userdomain_prefix">
847 ## The prefix of the user domain (e.g., user
848 ## is the prefix for user_t).
852 template(`userdom_login_user_template', `
854 class context contains;
# Compose the login domain: base rules, then full home, tmp and tmpfs access
# for role $1_r over the $1_usertype attribute.
857 userdom_base_user_template($1)
859 userdom_manage_home_role($1_r, $1_usertype)
861 userdom_manage_tmp_role($1_r, $1_usertype)
862 userdom_manage_tmpfs_role($1_r, $1_usertype)
# For every prefix except "unconfined", define allow_<prefix>_exec_content.
# Its default is true, so executing home and tmp content (and NFS/CIFS home
# content when those booleans are also on) is permitted until an administrator
# turns the boolean off.
864 ifelse(`$1',`unconfined',`',`
865 gen_tunable(allow_$1_exec_content, true)
867 tunable_policy(`allow_$1_exec_content',`
868 userdom_exec_user_tmp_files($1_usertype)
869 userdom_exec_user_home_content_files($1_usertype)
871 tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
872 fs_exec_nfs_files($1_usertype)
875 tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
876 fs_exec_cifs_files($1_usertype)
880 userdom_change_password_template($1)
882 ##############################
884 # User domain Local policy
# Capabilities for the login domain itself (self).
887 allow $1_t self:capability { setgid chown fowner };
888 dontaudit $1_t self:capability { sys_nice fsetid };
# Complement: every process permission except those listed. execmem /
# execstack / execheap are withheld here (execmem and execstack are gated by
# the allow_execmem* booleans in userdom_base_user_template()); setrlimit is
# withheld and only dontaudited on the next line (userdom_unpriv_user_template()
# grants it behind user_setrlimit).
890 allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
891 dontaudit $1_t self:process setrlimit;
# The same dontaudit also appears in userdom_common_user_template(); harmless
# duplicate when both templates are applied to the same prefix.
892 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
894 allow $1_t self:context contains;
# Silence only. Note that userdom_common_user_template() grants
# kernel_read_system_state() outright, which supersedes this when both apply.
896 kernel_dontaudit_read_system_state($1_usertype)
897 kernel_dontaudit_list_all_proc($1_usertype)
899 dev_read_sysfs($1_usertype)
900 dev_read_urand($1_usertype)
902 domain_use_interactive_fds($1_usertype)
903 # Command completion can fire hundreds of denials
904 domain_dontaudit_exec_all_entry_files($1_usertype)
906 files_dontaudit_list_default($1_usertype)
907 files_dontaudit_read_default_files($1_usertype)
909 files_getattr_lost_found_dirs($1_usertype)
911 fs_get_all_fs_quotas($1_usertype)
912 fs_getattr_all_fs($1_usertype)
913 fs_search_all($1_usertype)
914 fs_list_inotifyfs($1_usertype)
915 fs_rw_anon_inodefs_files($1_usertype)
917 auth_dontaudit_write_login_records($1_t)
920 # Stop warnings about access to /dev/console
921 init_dontaudit_use_fds($1_usertype)
922 init_dontaudit_use_script_fds($1_usertype)
# Execute library files in the caller's domain (no transition).
924 libs_exec_lib_files($1_usertype)
926 logging_dontaudit_getattr_all_logs($1_usertype)
928 # for running TeX programs
929 miscfiles_read_tetex_data($1_usertype)
930 miscfiles_exec_tetex_data($1_usertype)
932 seutil_read_config($1_usertype)
935 cups_read_config($1_usertype)
936 cups_stream_connect($1_usertype)
937 cups_stream_connect_ptal($1_usertype)
941 kerberos_use($1_usertype)
942 kerberos_filetrans_home_content($1_usertype)
946 mta_dontaudit_read_spool_symlinks($1_usertype)
950 quota_dontaudit_getattr_db($1_usertype)
954 rpm_read_db($1_usertype)
955 rpm_dontaudit_manage_db($1_usertype)
956 rpm_read_cache($1_usertype)
# Domain transition (with role) into the oddjob mkhomedir helper.
960 oddjob_run_mkhomedir($1_t, $1_r)
964 #######################################
966 ## The template for creating an unprivileged login user.
970 ## This template creates a user domain, types, and
971 ## rules for the user's tty, pty, home directories,
972 ## tmp, and tmpfs files.
975 ## <param name="userdomain_prefix">
977 ## The prefix of the user domain (e.g., user
978 ## is the prefix for user_t).
982 template(`userdom_restricted_user_template',`
984 attribute unpriv_userdomain;
987 userdom_login_user_template($1)
# Marking $1_t as unpriv_userdomain makes it a valid target of the
# cross-user rule in userdom_common_user_template()
# (allow $1_usertype unpriv_userdomain:fd use), i.e. other unprivileged
# user domains may use fds inherited from this domain.
989 typeattribute $1_t unpriv_userdomain;
990 domain_interactive_fd($1_t)
# Broader than the matching $1_t-only rule in userdom_common_user_template():
# here the whole $1_usertype attribute may create uevent netlink sockets.
992 allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
993 dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
995 ##############################
# Domain transition (with role) into loadkeys.
1001 loadkeys_run($1_t,$1_r)
1005 #######################################
1007 ## The template for creating an unprivileged xwindows login user.
1011 ## The template for creating an unprivileged xwindows login user.
1014 ## This template creates a user domain, types, and
1015 ## rules for the user's tty, pty, home directories,
1016 ## tmp, and tmpfs files.
1019 ## <param name="userdomain_prefix">
1021 ## The prefix of the user domain (e.g., user
1022 ## is the prefix for user_t).
1026 template(`userdom_restricted_xwindows_user_template',`
1028 userdom_restricted_user_template($1)
1030 ##############################
1035 auth_role($1_r, $1_t)
1036 auth_search_pam_console_data($1_usertype)
1037 auth_dontaudit_read_login_records($1_usertype)
1039 dev_read_sound($1_usertype)
1040 dev_write_sound($1_usertype)
1041 # gnome keyring wants to read this.
# Moot: the allow on the next line means reads of rand are never denied, so
# there is nothing left for this dontaudit to silence.
1042 dev_dontaudit_read_rand($1_usertype)
1043 # temporarily allow since openoffice requires this
1044 dev_read_rand($1_usertype)
1046 dev_read_video_dev($1_usertype)
1047 dev_write_video_dev($1_usertype)
1048 dev_rw_wireless($1_usertype)
1050 libs_dontaudit_setattr_lib_files($1_usertype)
# While user_rw_noexattrfile is on, the user domain gets full management of
# filesystems without xattr labels (e.g. DOS/FAT) and raw read/write of
# removable block devices. Raw device access bypasses filesystem-level
# permission checks on that media.
1052 tunable_policy(`user_rw_noexattrfile',`
1054 dev_rw_generic_usb_dev($1_usertype)
1056 fs_manage_noxattr_fs_files($1_usertype)
1057 fs_manage_noxattr_fs_dirs($1_usertype)
1058 fs_manage_dos_dirs($1_usertype)
1059 fs_manage_dos_files($1_usertype)
1060 storage_raw_read_removable_device($1_usertype)
1061 storage_raw_write_removable_device($1_usertype)
1064 logging_send_syslog_msg($1_usertype)
# Presumably moot: the allow two lines down covers the same access, and an
# allowed permission is never denied, so there is nothing to suppress.
1065 logging_dontaudit_send_audit_msgs($1_t)
1067 # Need to do this just so screensaver will work. Should be moved to screensaver domain
1068 logging_send_audit_msgs($1_t)
1069 selinux_get_enforce_mode($1_t)
# Executes restorecond in the caller's domain (no transition).
1070 seutil_exec_restorecond($1_t)
1071 seutil_read_file_contexts($1_t)
1072 seutil_read_default_contexts($1_t)
1074 xserver_restricted_role($1_r, $1_t)
1077 alsa_read_rw_config($1_usertype)
1080 # cjp: needed by KDE apps
1083 gnome_read_usr_config($1_usertype)
1087 dbus_role_template($1, $1_r, $1_usertype)
1088 dbus_system_bus_client($1_usertype)
1089 allow $1_usertype $1_usertype:dbus send_msg;
1092 abrt_dbus_chat($1_usertype)
# Domain transition into the abrt helper is authorized for the whole
# $1_usertype attribute, not only $1_t.
1093 abrt_run_helper($1_usertype, $1_r)
1097 consolekit_dontaudit_read_log($1_usertype)
1098 consolekit_dbus_chat($1_usertype)
1102 cups_dbus_chat($1_usertype)
1103 cups_dbus_chat_config($1_usertype)
1107 devicekit_dbus_chat($1_usertype)
1108 devicekit_dbus_chat_disk($1_usertype)
1109 devicekit_dbus_chat_power($1_usertype)
1113 fprintd_dbus_chat($1_t)
# The *_role() / *_role_template() calls below add further application
# domains reachable from role $1_r.
1118 openoffice_role_template($1, $1_r, $1_usertype)
1122 policykit_role($1_r, $1_usertype)
1126 pulseaudio_role($1_r, $1_usertype)
1130 rtkit_scheduled($1_usertype)
1134 setroubleshoot_dontaudit_stream_connect($1_t)
1138 udev_read_db($1_usertype)
1142 wm_role_template($1, $1_r, $1_t)
1146 #######################################
1148 ## The template for creating an unprivileged user roughly
1149 ## equivalent to a regular Linux user.
1153 ## The template for creating an unprivileged user roughly
1154 ## equivalent to a regular Linux user.
1157 ## This template creates a user domain, types, and
1158 ## rules for the user's tty, pty, home directories,
1159 ## tmp, and tmpfs files.
1162 ## <param name="userdomain_prefix">
1164 ## The prefix of the user domain (e.g., user
1165 ## is the prefix for user_t).
1169 template(`userdom_unpriv_user_template', `
1171 ##############################
1176 # Inherit rules for ordinary users.
# Composition: restricted_xwindows -> restricted -> login -> base, plus the
# common rules. Several grants are repeated across those templates; the
# duplicates are harmless.
1177 userdom_restricted_xwindows_user_template($1)
1178 userdom_common_user_template($1)
1180 ##############################
1185 # port access is audited even if dac would not have allowed it, so dontaudit it here
1186 # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
1187 # Need the following rule to allow users to run vpnc
1188 corenet_tcp_bind_xserver_port($1_t)
1189 corenet_tcp_bind_generic_node($1_usertype)
# Redundant: userdom_base_user_template() already grants this on $1_usertype,
# which $1_t carries.
1191 storage_rw_fuse($1_t)
1193 miscfiles_read_hwdata($1_usertype)
1195 # Allow users to run TCP servers (bind to ports and accept connection from
1196 # the same domain and outside users) disabling this forces FTP passive mode
1197 # and may change other protocols
1199 tunable_policy(`user_share_music',`
1200 corenet_tcp_bind_daap_port($1_usertype)
# Listening on any unreserved port is opt-in via user_tcp_server.
1203 tunable_policy(`user_tcp_server',`
1204 corenet_tcp_bind_all_unreserved_ports($1_usertype)
# setrlimit is excluded from the process complement rule in
# userdom_login_user_template() and only dontaudited there; this boolean
# re-enables it for the whole attribute.
1207 tunable_policy(`user_setrlimit',`
1208 allow $1_usertype self:process setrlimit;
# The *_role() / *_role_template() / *_run_* calls below authorize role $1_r
# for further application domains. execmem_role_template() presumably
# confines execmem-needing programs in a separate domain rather than granting
# execmem to $1_t -- confirm against the execmem module.
1212 cdrecord_role($1_r, $1_t)
1216 cron_role($1_r, $1_t)
1220 games_rw_data($1_usertype)
1224 gpg_role($1_r, $1_usertype)
1228 gnomeclock_dbus_chat($1_t)
1232 gpm_stream_connect($1_usertype)
1236 execmem_role_template($1, $1_r, $1_t)
1240 java_role_template($1, $1_r, $1_t)
1244 mono_role_template($1, $1_r, $1_t)
1248 mount_run_fusermount($1_t, $1_r)
1249 mount_read_pid_files($1_t)
1253 wine_role_template($1, $1_r, $1_t)
1257 postfix_run_postdrop($1_t, $1_r)
1260 # Run pppd in pppd_t by default for user
1262 ppp_run_cond($1_t, $1_r)
1266 #######################################
1268 ## The template for creating an administrative user.
1272 ## This template creates a user domain, types, and
1273 ## rules for the user's tty, pty, home directories,
1274 ## tmp, and tmpfs files.
1277 ## The privileges given to administrative users are:
1279 ## <li>Raw disk access</li>
1280 ## <li>Set all sysctls</li>
1281 ## <li>All kernel ring buffer controls</li>
1282 ## <li>Create, read, write, and delete all files but shadow</li>
1283 ## <li>Manage source and binary format SELinux policy</li>
1284 ## <li>Run insmod</li>
1288 ## <param name="userdomain_prefix">
1290 ## The prefix of the user domain (e.g., sysadm
1291 ## is the prefix for sysadm_t).
1295 template(`userdom_admin_user_template',`
1297 attribute admindomain;
# Userspace object class checked by passwd/chfn/chsh/crontab for their own
# authorization decisions (see the self:passwd rules below).
1298 class passwd { passwd chfn chsh rootok crontab };
1301 ##############################
1306 # Inherit rules for ordinary users.
1307 userdom_login_user_template($1)
1308 userdom_common_user_template($1)
1310 domain_obj_id_change_exemption($1_t)
# The admin domain is also valid in system_r, the role of system processes.
1311 role system_r types $1_t;
1313 typeattribute $1_t admindomain;
# Build-time option: when set, the admin domain is additionally exempt from
# the system-domain change constraint.
1315 ifdef(`direct_sysadm_daemon',`
1316 domain_system_change_exemption($1_t)
1319 ##############################
# All capabilities except the three listed. sys_module is withheld because
# module loading goes through the insmod domain transition below
# (modutils_domtrans_insmod). The audit capabilities are excluded from this
# rule; whether other interfaces applied to $1_t grant audit_write separately
# is not visible here.
1324 allow $1_t self:capability ~{ sys_module audit_control audit_write };
1325 allow $1_t self:capability2 syslog;
# setexec / setfscreate: the admin domain may choose the context of the
# processes and files it creates.
1326 allow $1_t self:process { setexec setfscreate };
# Privileged read on the audit netlink socket.
1327 allow $1_t self:netlink_audit_socket nlmsg_readpriv;
1328 allow $1_t self:tun_socket create;
1329 # Set password information for other users.
1330 allow $1_t self:passwd { passwd chfn chsh };
1331 # Skip authentication when pam_rootok is specified.
1332 allow $1_t self:passwd rootok;
1334 # Manipulate other users crontab.
1335 allow $1_t self:passwd crontab;
1337 kernel_read_software_raid_state($1_t)
1338 kernel_getattr_core_if($1_t)
1339 kernel_getattr_message_if($1_t)
1340 kernel_change_ring_buffer_level($1_t)
1341 kernel_clear_ring_buffer($1_t)
1342 kernel_read_ring_buffer($1_t)
1343 kernel_get_sysvipc_info($1_t)
# Read and write every sysctl (the "Set all sysctls" privilege listed in the
# header).
1344 kernel_rw_all_sysctls($1_t)
1345 # signal unlabeled processes:
1346 kernel_kill_unlabeled($1_t)
1347 kernel_signal_unlabeled($1_t)
1348 kernel_sigstop_unlabeled($1_t)
1349 kernel_signull_unlabeled($1_t)
1350 kernel_sigchld_unlabeled($1_t)
1353 corenet_tcp_bind_generic_port($1_t)
1354 # allow setting up tunnels
1355 corenet_rw_tun_tap_dev($1_t)
1357 dev_getattr_generic_blk_files($1_t)
1358 dev_getattr_generic_chr_files($1_t)
1360 dev_getattr_mtrr_dev($1_t)
1361 # Allow MAKEDEV to work
1362 dev_create_all_blk_files($1_t)
1363 dev_create_all_chr_files($1_t)
1364 dev_delete_all_blk_files($1_t)
1365 dev_delete_all_chr_files($1_t)
1366 dev_rename_all_blk_files($1_t)
1367 dev_rename_all_chr_files($1_t)
1368 dev_create_generic_symlinks($1_t)
1369 dev_rw_generic_usb_dev($1_t)
# Process control over every domain: priority, state, capabilities and all
# signals. ptrace of other domains is NOT granted here -- only its denial is
# silenced.
1372 domain_setpriority_all_domains($1_t)
1373 domain_read_all_domains_state($1_t)
1374 domain_getattr_all_domains($1_t)
1375 domain_getcap_all_domains($1_t)
1376 domain_dontaudit_ptrace_all_domains($1_t)
1377 # signal all domains:
1378 domain_kill_all_domains($1_t)
1379 domain_signal_all_domains($1_t)
1380 domain_signull_all_domains($1_t)
1381 domain_sigstop_all_domains($1_t)
# Duplicate of the previous line.
1382 domain_sigstop_all_domains($1_t)
1383 domain_sigchld_all_domains($1_t)
1385 domain_getattr_all_sockets($1_t)
1386 domain_dontaudit_getattr_all_sockets($1_t)
1388 files_exec_usr_src_files($1_t)
1390 fs_getattr_all_fs($1_t)
1391 fs_getattr_all_files($1_t)
1393 fs_set_all_quotas($1_t)
1394 fs_exec_noxattr($1_t)
# Raw access to removable block devices. Raw read of fixed disks is not
# granted by this template itself, only dontaudited; whether another interface
# applied to $1_t grants it is not visible here.
1396 storage_raw_read_removable_device($1_t)
1397 storage_raw_write_removable_device($1_t)
1398 storage_dontaudit_read_fixed_disk($1_t)
1400 term_use_all_inherited_terms($1_t)
# shadow: metadata only; the manage/relabel grants below exclude shadow.
1402 auth_getattr_shadow($1_t)
1403 # Manage almost all files
1404 auth_manage_all_files_except_shadow($1_t)
1405 # Relabel almost all files
1406 auth_relabel_all_files_except_shadow($1_t)
1410 logging_send_syslog_msg($1_t)
# Module loading and dependency handling via domain transitions (cf. the
# sys_module exclusion above).
1413 modutils_domtrans_insmod($1_t)
1414 modutils_domtrans_depmod($1_t)
1417 # The following rule is temporary until such time that a complete
1418 # policy management infrastructure is in place so that an administrator
1419 # cannot directly manipulate policy files with arbitrary programs.
1420 seutil_manage_src_policy($1_t)
1421 # Violates the goal of limiting write access to checkpolicy.
1422 # But presently necessary for installing the file_contexts file.
1423 seutil_manage_bin_policy($1_t)
# Management of user home content for the admin domain.
1425 userdom_manage_user_home_content_dirs($1_t)
1426 userdom_manage_user_home_content_files($1_t)
1427 userdom_manage_user_home_content_symlinks($1_t)
1428 userdom_manage_user_home_content_pipes($1_t)
1429 userdom_manage_user_home_content_sockets($1_t)
1430 userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
# Full management of noxattr filesystems while the boolean is on. The
# fs_read_noxattr_fs_files() call presumably belongs to the else branch of
# this tunable (read-only fallback) -- the separator is not visible in this
# rendering; confirm against the upstream source.
1432 tunable_policy(`user_rw_noexattrfile',`
1433 fs_manage_noxattr_fs_files($1_t)
1434 fs_manage_noxattr_fs_dirs($1_t)
1436 fs_read_noxattr_fs_files($1_t)
# SE-PostgreSQL: the admin domain is unconfined with respect to database
# objects.
1440 postgresql_unconfined($1_t)
# Executes userhelper in the caller's domain (no transition).
1444 userhelper_exec($1_t)
1448 ########################################
1450 ## Allow user to run as a secadm
1454 ## Allow the specified domain to run as a
1455 ## security administrator (secadm), with the
1456 ## rights needed to manage the SELinux policy.
1459 ## This is a templated interface, and should only
1460 ## be called from a per-userdomain template.
1463 ## <param name="domain">
1465 ## Domain allowed access.
1468 ## <param name="role">
1470 ## The role allowed access.
1474 template(`userdom_security_admin_template',`
1475 allow $1 self:capability { dac_read_search dac_override };
1477 corecmd_exec_shell($1)
1479 domain_obj_id_change_exemption($1)
1481 dev_relabel_all_dev_nodes($1)
1483 files_create_boot_flag($1)
1484 files_create_default_dir($1)
1485 files_root_filetrans_default($1, dir)
1487 # Necessary for managing /boot/efi
1488 fs_manage_dos_files($1)
1490 mls_process_read_up($1)
1491 mls_file_read_all_levels($1)
1492 mls_file_upgrade($1)
1493 mls_file_downgrade($1)
1495 selinux_set_enforce_mode($1)
1496 selinux_set_all_booleans($1)
1497 selinux_set_parameters($1)
1498 selinux_read_policy($1)
1500 auth_relabel_all_files_except_shadow($1)
1501 auth_relabel_shadow($1)
1505 logging_send_syslog_msg($1)
1506 logging_read_audit_log($1)
1507 logging_read_generic_logs($1)
1508 logging_read_audit_config($1)
1510 seutil_manage_bin_policy($1)
1511 seutil_run_checkpolicy($1,$2)
1512 seutil_run_loadpolicy($1,$2)
1513 seutil_run_semanage($1,$2)
1514 seutil_run_setsebool($1,$2)
1515 seutil_run_setfiles($1, $2)
1522 consoletype_exec($1)
1530 ipsec_run_setkey($1,$2)
1534 netlabel_run_mgmt($1,$2)
1542 ########################################
1544 ## Make the specified type usable in a
1545 ## user home directory.
1547 ## <param name="type">
1549 ## Type to be used as a file in the
1550 ## user home directory.
1554 interface(`userdom_user_home_content',`
1557 attribute user_home_type;
1560 allow $1 user_home_t:filesystem associate;
1562 ubac_constrained($1)
1564 files_poly_member($1)
1565 typeattribute $1 user_home_type;
1568 ########################################
1570 ## Make the specified type usable in a
1571 ## generic temporary directory.
1573 ## <param name="type">
1575 ## Type to be used as a file in the
1576 ## generic temporary directory.
1580 interface(`userdom_user_tmp_content',`
1582 attribute user_tmp_type;
1585 typeattribute $1 user_tmp_type;
1588 ubac_constrained($1)
1591 ########################################
1593 ## Allow domain to attach to TUN devices created by administrative users.
1595 ## <param name="domain">
1597 ## Domain allowed access.
1601 interface(`userdom_attach_admin_tun_iface',`
1603 attribute admindomain;
1606 allow $1 admindomain:tun_socket relabelfrom;
1607 allow $1 self:tun_socket relabelto;
1610 ########################################
1612 ## Set the attributes of a user pty.
1614 ## <param name="domain">
1616 ## Domain allowed access.
1620 interface(`userdom_setattr_user_ptys',`
1625 allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
1628 ########################################
1630 ## Create a user pty.
1632 ## <param name="domain">
1634 ## Domain allowed access.
1638 interface(`userdom_create_user_pty',`
1643 term_create_pty($1, user_devpts_t)
1646 ########################################
1648 ## Get the attributes of user home directories.
1650 ## <param name="domain">
1652 ## Domain allowed access.
1656 interface(`userdom_getattr_user_home_dirs',`
1658 type user_home_dir_t;
1661 allow $1 user_home_dir_t:dir getattr_dir_perms;
1662 files_search_home($1)
1665 ########################################
1667 ## Do not audit attempts to get the attributes of user home directories.
1669 ## <param name="domain">
1671 ## Domain to not audit.
1675 interface(`userdom_dontaudit_getattr_user_home_dirs',`
1677 type user_home_dir_t;
1680 dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
1683 ########################################
1685 ## Search user home directories.
1687 ## <param name="domain">
1689 ## Domain allowed access.
1693 interface(`userdom_search_user_home_dirs',`
1695 type user_home_dir_t;
1698 allow $1 user_home_dir_t:dir search_dir_perms;
1699 allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
1700 files_search_home($1)
1703 ########################################
1705 ## Do not audit attempts to search user home directories.
1709 ## Do not audit attempts to search user home directories.
1710 ## This will suppress SELinux denial messages when the specified
1711 ## domain is denied the permission to search these directories.
1714 ## <param name="domain">
1716 ## Domain to not audit.
1719 ## <infoflow type="none"/>
1721 interface(`userdom_dontaudit_search_user_home_dirs',`
1723 type user_home_dir_t;
1726 dontaudit $1 user_home_dir_t:dir search_dir_perms;
1729 ########################################
1731 ## List user home directories.
1733 ## <param name="domain">
1735 ## Domain allowed access.
1739 interface(`userdom_list_user_home_dirs',`
1741 type user_home_dir_t;
1744 allow $1 user_home_dir_t:dir list_dir_perms;
1745 files_search_home($1)
1747 tunable_policy(`use_nfs_home_dirs',`
1751 tunable_policy(`use_samba_home_dirs',`
1756 ########################################
1758 ## Do not audit attempts to list user home subdirectories.
1760 ## <param name="domain">
1762 ## Domain to not audit.
1766 interface(`userdom_dontaudit_list_user_home_dirs',`
1768 type user_home_dir_t;
1772 dontaudit $1 user_home_dir_t:dir list_dir_perms;
1773 dontaudit $1 user_home_t:dir list_dir_perms;
1776 ########################################
1778 ## Create user home directories.
1780 ## <param name="domain">
1782 ## Domain allowed access.
1786 interface(`userdom_create_user_home_dirs',`
1788 type user_home_dir_t;
1791 allow $1 user_home_dir_t:dir create_dir_perms;
1794 ########################################
1796 ## Create, read, write, and delete user home directories.
1798 ## <param name="domain">
1800 ## Domain allowed access.
1804 interface(`userdom_manage_user_home_dirs',`
1806 type user_home_dir_t;
1809 allow $1 user_home_dir_t:dir manage_dir_perms;
1812 ########################################
1814 ## Relabel to user home directories.
1816 ## <param name="domain">
1818 ## Domain allowed access.
1822 interface(`userdom_relabelto_user_home_dirs',`
1824 type user_home_dir_t;
1827 allow $1 user_home_dir_t:dir relabelto;
1831 ########################################
1833 ## Relabel to user home files.
1835 ## <param name="domain">
1837 ## Domain allowed access.
1841 interface(`userdom_relabelto_user_home_files',`
1846 allow $1 user_home_t:file relabelto;
1848 ########################################
1850 ## Relabel user home files.
1852 ## <param name="domain">
1854 ## Domain allowed access.
1858 interface(`userdom_relabel_user_home_files',`
1863 allow $1 user_home_t:file relabel_file_perms;
1866 ########################################
1868 ## Create directories in the home dir root with
1869 ## the user home directory type.
1871 ## <param name="domain">
1873 ## Domain allowed access.
1877 interface(`userdom_home_filetrans_user_home_dir',`
1879 type user_home_dir_t;
1882 files_home_filetrans($1, user_home_dir_t, dir)
1885 ########################################
1887 ## Do a domain transition to the specified
1888 ## domain when executing a program in the
1889 ## user home directory.
1893 ## Do a domain transition to the specified
1894 ## domain when executing a program in the
1895 ## user home directory.
1898 ## No interprocess communication (signals, pipes,
1899 ## etc.) is provided by this interface since
1900 ## the domains are not owned by this module.
1903 ## <param name="source_domain">
1905 ## Domain allowed to transition.
1908 ## <param name="target_domain">
1910 ## Domain to transition to.
1914 interface(`userdom_user_home_domtrans',`
1916 type user_home_dir_t, user_home_t;
1919 domain_auto_trans($1, user_home_t, $2)
1920 allow $1 user_home_dir_t:dir search_dir_perms;
1921 files_search_home($1)
1924 ########################################
1926 ## Do not audit attempts to search user home content directories.
1928 ## <param name="domain">
1930 ## Domain to not audit.
1934 interface(`userdom_dontaudit_search_user_home_content',`
1939 dontaudit $1 user_home_t:dir search_dir_perms;
1940 fs_dontaudit_list_nfs($1)
1941 fs_dontaudit_list_cifs($1)
1944 ########################################
1946 ## List contents of users home directory.
1948 ## <param name="domain">
1950 ## Domain allowed access.
1954 interface(`userdom_list_user_home_content',`
1956 type user_home_dir_t;
1957 attribute user_home_type;
1961 allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
1964 ########################################
1966 ## Create, read, write, and delete directories
1967 ## in a user home subdirectory.
1969 ## <param name="domain">
1971 ## Domain allowed access.
1975 interface(`userdom_manage_user_home_content_dirs',`
1977 type user_home_dir_t, user_home_t;
1980 manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1981 files_search_home($1)
1984 ########################################
1986 ## Delete directories in a user home subdirectory.
1988 ## <param name="domain">
1990 ## Domain allowed access.
1994 interface(`userdom_delete_user_home_content_dirs',`
1999 allow $1 user_home_t:dir delete_dir_perms;
2002 ########################################
2004 ## Set the attributes of user home files.
2006 ## <param name="domain">
2008 ## Domain allowed access.
2013 interface(`userdom_setattr_user_home_content_files',`
2018 allow $1 user_home_t:file setattr;
2021 ########################################
2023 ## Do not audit attempts to set the
2024 ## attributes of user home files.
2026 ## <param name="domain">
2028 ## Domain to not audit.
2032 interface(`userdom_dontaudit_setattr_user_home_content_files',`
2037 dontaudit $1 user_home_t:file setattr_file_perms;
2040 ########################################
2042 ## Mmap user home files.
2044 ## <param name="domain">
2046 ## Domain allowed access.
2050 interface(`userdom_mmap_user_home_content_files',`
2052 type user_home_dir_t, user_home_t;
2055 mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
2056 files_search_home($1)
2059 ########################################
2061 ## Read user home files.
2063 ## <param name="domain">
2065 ## Domain allowed access.
2069 interface(`userdom_read_user_home_content_files',`
2071 type user_home_dir_t, user_home_t;
2074 list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
2075 read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
2076 files_search_home($1)
2079 ########################################
2081 ## Do not audit attempts to getattr user home files.
2083 ## <param name="domain">
2085 ## Domain to not audit.
2089 interface(`userdom_dontaudit_getattr_user_home_content',`
2091 attribute user_home_type;
2094 dontaudit $1 user_home_type:dir getattr;
2095 dontaudit $1 user_home_type:file getattr;
2098 ########################################
2100 ## Do not audit attempts to read user home files.
2102 ## <param name="domain">
2104 ## Domain to not audit.
2108 interface(`userdom_dontaudit_read_user_home_content_files',`
2110 attribute user_home_type;
2111 type user_home_dir_t;
2114 dontaudit $1 user_home_dir_t:dir list_dir_perms;
2115 dontaudit $1 user_home_type:dir list_dir_perms;
2116 dontaudit $1 user_home_type:file read_file_perms;
2117 dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
2120 ########################################
2122 ## Do not audit attempts to append user home files.
2124 ## <param name="domain">
2126 ## Domain to not audit.
2130 interface(`userdom_dontaudit_append_user_home_content_files',`
2135 dontaudit $1 user_home_t:file append_file_perms;
2138 ########################################
2140 ## Do not audit attempts to write user home files.
2142 ## <param name="domain">
2144 ## Domain to not audit.
2148 interface(`userdom_dontaudit_write_user_home_content_files',`
2153 dontaudit $1 user_home_t:file write_file_perms;
2156 ########################################
2158 ## Delete files in a user home subdirectory.
2160 ## <param name="domain">
2162 ## Domain allowed access.
2166 interface(`userdom_delete_user_home_content_files',`
2171 allow $1 user_home_t:file delete_file_perms;
2174 ########################################
2176 ## Delete sock files in a user home subdirectory.
2178 ## <param name="domain">
2180 ## Domain allowed access.
2184 interface(`userdom_delete_user_home_content_sock_files',`
2189 allow $1 user_home_t:sock_file delete_file_perms;
2192 ########################################
2194 ## Do not audit attempts to relabel user home files.
2196 ## <param name="domain">
2198 ## Domain to not audit.
2202 interface(`userdom_dontaudit_relabel_user_home_content_files',`
2207 dontaudit $1 user_home_t:file relabel_file_perms;
2210 ########################################
2212 ## Read user home subdirectory symbolic links.
2214 ## <param name="domain">
2216 ## Domain allowed access.
2220 interface(`userdom_read_user_home_content_symlinks',`
2222 type user_home_dir_t, user_home_t;
2225 allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
2228 ########################################
2230 ## Execute user home files.
2232 ## <param name="domain">
2234 ## Domain allowed access.
2239 interface(`userdom_exec_user_home_content_files',`
2241 type user_home_dir_t;
2242 attribute user_home_type;
2245 files_search_home($1)
2246 exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
2247 dontaudit $1 user_home_type:sock_file execute;
2250 ########################################
2252 ## Do not audit attempts to execute user home files.
2254 ## <param name="domain">
2256 ## Domain to not audit.
2260 interface(`userdom_dontaudit_exec_user_home_content_files',`
2265 dontaudit $1 user_home_t:file exec_file_perms;
2268 ########################################
2270 ## Create, read, write, and delete files
2271 ## in a user home subdirectory.
2273 ## <param name="domain">
2275 ## Domain allowed access.
2279 interface(`userdom_manage_user_home_content_files',`
2281 type user_home_dir_t, user_home_t;
2284 manage_files_pattern($1, user_home_t, user_home_t)
2285 allow $1 user_home_dir_t:dir search_dir_perms;
2286 files_search_home($1)
2289 ########################################
2291 ## Do not audit attempts to create, read, write, and delete directories
2292 ## in a user home subdirectory.
2294 ## <param name="domain">
2296 ## Domain to not audit.
2300 interface(`userdom_dontaudit_manage_user_home_content_dirs',`
2302 type user_home_dir_t, user_home_t;
2305 dontaudit $1 user_home_t:dir manage_dir_perms;
2308 ########################################
2310 ## Create, read, write, and delete symbolic links
2311 ## in a user home subdirectory.
2313 ## <param name="domain">
2315 ## Domain allowed access.
2319 interface(`userdom_manage_user_home_content_symlinks',`
2321 type user_home_dir_t, user_home_t;
2324 manage_lnk_files_pattern($1, user_home_t, user_home_t)
2325 allow $1 user_home_dir_t:dir search_dir_perms;
2326 files_search_home($1)
2329 ########################################
2331 ## Delete symbolic links in a user home directory.
2333 ## <param name="domain">
2335 ## Domain allowed access.
2339 interface(`userdom_delete_user_home_content_symlinks',`
2344 allow $1 user_home_t:lnk_file delete_lnk_file_perms;
2347 ########################################
2349 ## Create, read, write, and delete named pipes
2350 ## in a user home subdirectory.
2352 ## <param name="domain">
2354 ## Domain allowed access.
2358 interface(`userdom_manage_user_home_content_pipes',`
2360 type user_home_dir_t, user_home_t;
2363 manage_fifo_files_pattern($1, user_home_t, user_home_t)
2364 allow $1 user_home_dir_t:dir search_dir_perms;
2365 files_search_home($1)
2368 ########################################
2370 ## Create, read, write, and delete named sockets
2371 ## in a user home subdirectory.
2373 ## <param name="domain">
2375 ## Domain allowed access.
2379 interface(`userdom_manage_user_home_content_sockets',`
2381 type user_home_dir_t, user_home_t;
2384 allow $1 user_home_dir_t:dir search_dir_perms;
2385 manage_sock_files_pattern($1, user_home_t, user_home_t)
2386 files_search_home($1)
2389 ########################################
2391 ## Create objects in a user home directory
2392 ## with an automatic type transition to
2393 ## a specified private type.
2395 ## <param name="domain">
2397 ## Domain allowed access.
2400 ## <param name="private_type">
2402 ## The type of the object to create.
2405 ## <param name="object_class">
2407 ## The class of the object to be created.
2411 interface(`userdom_user_home_dir_filetrans',`
2413 type user_home_dir_t;
2416 filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
2417 files_search_home($1)
2420 ########################################
2422 ## Create objects in a user home directory
2423 ## with an automatic type transition to
2424 ## a specified private type.
2426 ## <param name="domain">
2428 ## Domain allowed access.
2431 ## <param name="private_type">
2433 ## The type of the object to create.
2436 ## <param name="object_class">
2438 ## The class of the object to be created.
2442 interface(`userdom_user_home_content_filetrans',`
2444 type user_home_dir_t, user_home_t;
2447 filetrans_pattern($1, user_home_t, $2, $3)
2448 allow $1 user_home_dir_t:dir search_dir_perms;
2449 files_search_home($1)
2452 ########################################
2454 ## Create objects in a user home directory
2455 ## with an automatic type transition to
2456 ## the user home file type.
2458 ## <param name="domain">
2460 ## Domain allowed access.
2463 ## <param name="object_class">
2465 ## The class of the object to be created.
2469 interface(`userdom_user_home_dir_filetrans_user_home_content',`
2471 type user_home_dir_t, user_home_t;
2474 filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
2475 files_search_home($1)
2478 ########################################
2480 ## Write to user temporary named sockets.
2482 ## <param name="domain">
2484 ## Domain allowed access.
2488 interface(`userdom_write_user_tmp_sockets',`
2493 allow $1 user_tmp_t:sock_file write_sock_file_perms;
2494 files_search_tmp($1)
2497 ########################################
2499 ## List user temporary directories.
2501 ## <param name="domain">
2503 ## Domain allowed access.
2507 interface(`userdom_list_user_tmp',`
2512 allow $1 user_tmp_t:dir list_dir_perms;
2513 files_search_tmp($1)
2516 ########################################
2518 ## Do not audit attempts to list user
2519 ## temporary directories.
2521 ## <param name="domain">
2523 ## Domain to not audit.
2527 interface(`userdom_dontaudit_list_user_tmp',`
2532 dontaudit $1 user_tmp_t:dir list_dir_perms;
2535 ########################################
2537 ## Do not audit attempts to manage users
2538 ## temporary directories.
2540 ## <param name="domain">
2542 ## Domain to not audit.
2546 interface(`userdom_dontaudit_manage_user_tmp_dirs',`
2551 dontaudit $1 user_tmp_t:dir manage_dir_perms;
2554 ########################################
2556 ## Read user temporary files.
2558 ## <param name="domain">
2560 ## Domain allowed access.
2564 interface(`userdom_read_user_tmp_files',`
2569 read_files_pattern($1, user_tmp_t, user_tmp_t)
2570 allow $1 user_tmp_t:dir list_dir_perms;
2571 files_search_tmp($1)
2574 ########################################
2576 ## Do not audit attempts to read users
2579 ## <param name="domain">
2581 ## Domain to not audit.
2585 interface(`userdom_dontaudit_read_user_tmp_files',`
2590 dontaudit $1 user_tmp_t:file read_inherited_file_perms;
2593 ########################################
2595 ## Do not audit attempts to append users
2598 ## <param name="domain">
2600 ## Domain to not audit.
2604 interface(`userdom_dontaudit_append_user_tmp_files',`
2609 dontaudit $1 user_tmp_t:file append_file_perms;
2612 ########################################
2614 ## Read and write user temporary files.
2616 ## <param name="domain">
2618 ## Domain allowed access.
2622 interface(`userdom_rw_user_tmp_files',`
2627 allow $1 user_tmp_t:dir list_dir_perms;
2628 rw_files_pattern($1, user_tmp_t, user_tmp_t)
2629 files_search_tmp($1)
2632 ########################################
2634 ## Do not audit attempts to manage users
2637 ## <param name="domain">
2639 ## Domain to not audit.
2643 interface(`userdom_dontaudit_manage_user_tmp_files',`
2648 dontaudit $1 user_tmp_t:file manage_file_perms;
2651 ########################################
2653 ## Read user temporary symbolic links.
2655 ## <param name="domain">
2657 ## Domain allowed access.
2661 interface(`userdom_read_user_tmp_symlinks',`
2666 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2667 allow $1 user_tmp_t:dir list_dir_perms;
2668 files_search_tmp($1)
2671 ########################################
2673 ## Create, read, write, and delete user
2674 ## temporary directories.
2676 ## <param name="domain">
2678 ## Domain allowed access.
2682 interface(`userdom_manage_user_tmp_dirs',`
2687 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
2688 files_search_tmp($1)
2691 ########################################
2693 ## Create, read, write, and delete user
2696 ## <param name="domain">
2698 ## Domain allowed access.
2702 interface(`userdom_manage_user_tmp_files',`
2707 manage_files_pattern($1, user_tmp_t, user_tmp_t)
2708 files_search_tmp($1)
2711 ########################################
2713 ## Create, read, write, and delete user
2714 ## temporary symbolic links.
2716 ## <param name="domain">
2718 ## Domain allowed access.
2722 interface(`userdom_manage_user_tmp_symlinks',`
2727 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2728 files_search_tmp($1)
2731 ########################################
2733 ## Create, read, write, and delete user
2734 ## temporary named pipes.
2736 ## <param name="domain">
2738 ## Domain allowed access.
2742 interface(`userdom_manage_user_tmp_pipes',`
2747 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
2748 files_search_tmp($1)
2751 ########################################
2753 ## Create, read, write, and delete user
2754 ## temporary named sockets.
2756 ## <param name="domain">
2758 ## Domain allowed access.
2762 interface(`userdom_manage_user_tmp_sockets',`
2767 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
2768 files_search_tmp($1)
2771 ########################################
2773 ## Create objects in a user temporary directory
2774 ## with an automatic type transition to
2775 ## a specified private type.
2777 ## <param name="domain">
2779 ## Domain allowed access.
2782 ## <param name="private_type">
2784 ## The type of the object to create.
2787 ## <param name="object_class">
2789 ## The class of the object to be created.
2793 interface(`userdom_user_tmp_filetrans',`
2798 filetrans_pattern($1, user_tmp_t, $2, $3)
2799 files_search_tmp($1)
2802 ########################################
2804 ## Create objects in the temporary directory
2805 ## with an automatic type transition to
2806 ## the user temporary type.
2808 ## <param name="domain">
2810 ## Domain allowed access.
2813 ## <param name="object_class">
2815 ## The class of the object to be created.
2819 interface(`userdom_tmp_filetrans_user_tmp',`
2824 files_tmp_filetrans($1, user_tmp_t, $2)
2827 ########################################
2829 ## Read user tmpfs files.
2831 ## <param name="domain">
2833 ## Domain allowed access.
2837 interface(`userdom_read_user_tmpfs_files',`
2842 read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2843 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2844 allow $1 user_tmpfs_t:dir list_dir_perms;
2848 ########################################
2850 ## Read/Write user tmpfs files.
2852 ## <param name="domain">
2854 ## Domain allowed access.
2858 interface(`userdom_rw_user_tmpfs_files',`
2863 rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2864 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2865 allow $1 user_tmpfs_t:dir list_dir_perms;
2869 ########################################
2871 ## Get the attributes of a user domain tty.
2873 ## <param name="domain">
2875 ## Domain allowed access.
2879 interface(`userdom_getattr_user_ttys',`
2881 type user_tty_device_t;
2884 allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
2887 ########################################
2889 ## Do not audit attempts to get the attributes of a user domain tty.
2891 ## <param name="domain">
2893 ## Domain to not audit.
2897 interface(`userdom_dontaudit_getattr_user_ttys',`
2899 type user_tty_device_t;
2902 dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
2905 ########################################
2907 ## Set the attributes of a user domain tty.
2909 ## <param name="domain">
2911 ## Domain allowed access.
2915 interface(`userdom_setattr_user_ttys',`
2917 type user_tty_device_t;
2920 allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
2923 ########################################
2925 ## Do not audit attempts to set the attributes of a user domain tty.
2927 ## <param name="domain">
2929 ## Domain to not audit.
2933 interface(`userdom_dontaudit_setattr_user_ttys',`
2935 type user_tty_device_t;
2938 dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
2941 ########################################
2943 ## Read and write a user domain tty.
2945 ## <param name="domain">
2947 ## Domain allowed access.
2951 interface(`userdom_use_user_ttys',`
2953 type user_tty_device_t;
2956 allow $1 user_tty_device_t:chr_file rw_term_perms;
2959 ########################################
2961 ## Read and write an inherited user domain tty.
2963 ## <param name="domain">
2965 ## Domain allowed access.
2969 interface(`userdom_use_inherited_user_ttys',`
2971 type user_tty_device_t;
2974 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
2977 ########################################
2979 ## Read and write a user domain pty.
2981 ## <param name="domain">
2983 ## Domain allowed access.
2987 interface(`userdom_use_user_ptys',`
2992 allow $1 user_devpts_t:chr_file rw_term_perms;
2995 ########################################
2997 ## Read and write an inherited user domain pty.
2999 ## <param name="domain">
3001 ## Domain allowed access.
3005 interface(`userdom_use_inherited_user_ptys',`
3010 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3013 ########################################
3015 ## Read and write inherited user TTYs and PTYs.
3019 ## Allow the specified domain to read and write inherited user
3020 ## TTYs and PTYs. This will allow the domain to
3021 ## interact with the user via the terminal. Typically
3022 ## all interactive applications will require this
3026 ## <param name="domain">
3028 ## Domain allowed access.
3031 ## <infoflow type="both" weight="10"/>
3033 interface(`userdom_use_inherited_user_terminals',`
3035 type user_tty_device_t, user_devpts_t;
3038 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3039 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3042 #######################################
3044 ## Allow attempts to read and write
3045 ## a user domain tty and pty.
3047 ## <param name="domain">
3049 ## Domain allowed access.
3053 interface(`userdom_use_user_terminals',`
3055 type user_tty_device_t, user_devpts_t;
3058 allow $1 user_tty_device_t:chr_file rw_term_perms;
3059 allow $1 user_devpts_t:chr_file rw_term_perms;
3062 ########################################
3064 ## Do not audit attempts to read and write
3065 ## a user domain tty and pty.
3067 ## <param name="domain">
3069 ## Domain to not audit.
3073 interface(`userdom_dontaudit_use_user_terminals',`
3075 type user_tty_device_t, user_devpts_t;
3078 dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
3079 dontaudit $1 user_devpts_t:chr_file rw_term_perms;
3082 ########################################
3084 ## Execute a shell in all user domains. This
3085 ## is an explicit transition, requiring the
3086 ## caller to use setexeccon().
3088 ## <param name="domain">
3090 ## Domain allowed to transition.
3094 interface(`userdom_spec_domtrans_all_users',`
3096 attribute userdomain;
3099 corecmd_shell_spec_domtrans($1, userdomain)
3100 allow userdomain $1:fd use;
3101 allow userdomain $1:fifo_file rw_file_perms;
3102 allow userdomain $1:process sigchld;
3105 ########################################
3107 ## Execute an Xserver session in all user domains. This
3108 ## is an explicit transition, requiring the
3109 ## caller to use setexeccon().
3111 ## <param name="domain">
3113 ## Domain allowed to transition.
3117 interface(`userdom_xsession_spec_domtrans_all_users',`
3119 attribute userdomain;
3122 xserver_xsession_spec_domtrans($1, userdomain)
3123 allow userdomain $1:fd use;
3124 allow userdomain $1:fifo_file rw_file_perms;
3125 allow userdomain $1:process sigchld;
3128 ########################################
3130 ## Execute a shell in all unprivileged user domains. This
3131 ## is an explicit transition, requiring the
3132 ## caller to use setexeccon().
3134 ## <param name="domain">
3136 ## Domain allowed to transition.
3140 interface(`userdom_spec_domtrans_unpriv_users',`
3142 attribute unpriv_userdomain;
3145 corecmd_shell_spec_domtrans($1, unpriv_userdomain)
3146 allow unpriv_userdomain $1:fd use;
3147 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3148 allow unpriv_userdomain $1:process sigchld;
3151 ########################################
3153 ## Execute an Xserver session in all unprivileged user domains. This
3154 ## is an explicit transition, requiring the
3155 ## caller to use setexeccon().
3157 ## <param name="domain">
3159 ## Domain allowed to transition.
3163 interface(`userdom_xsession_spec_domtrans_unpriv_users',`
3165 attribute unpriv_userdomain;
3168 xserver_xsession_spec_domtrans($1, unpriv_userdomain)
3169 allow unpriv_userdomain $1:fd use;
3170 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3171 allow unpriv_userdomain $1:process sigchld;
3174 ########################################
3176 ## Manage unprivileged user SysV semaphores.
3178 ## <param name="domain">
3180 ## Domain allowed access.
3184 interface(`userdom_manage_unpriv_user_semaphores',`
3186 attribute unpriv_userdomain;
3189 allow $1 unpriv_userdomain:sem create_sem_perms;
3192 ########################################
3194 ## Manage unprivileged user SysV shared
3197 ## <param name="domain">
3199 ## Domain allowed access.
3203 interface(`userdom_manage_unpriv_user_shared_mem',`
3205 attribute unpriv_userdomain;
3208 allow $1 unpriv_userdomain:shm create_shm_perms;
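########################################
## <summary>
##	Execute bin_t in the unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_bin_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	corecmd_bin_spec_domtrans($1, unpriv_userdomain)
	# Reverse flow back to the caller: inherited fds, pipes and SIGCHLD.
	allow unpriv_userdomain $1:fd use;
	# Class-appropriate permission set, consistent with
	# userdom_entry_spec_domtrans_unpriv_users.
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')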
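########################################
## <summary>
##	Execute all entrypoint files in unprivileged user
##	domains. This is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_entry_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
	# Reverse flow back to the caller: inherited fds, pipes and SIGCHLD.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')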
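########################################
## <summary>
##	Search users home directories and the
##	directories of all user home content types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_user_home_content',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	# Search (not list) plus symlink following; no file content access.
	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
')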
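########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# "signal" covers the generic signals only; SIGKILL/SIGSTOP/SIGCHLD
	# and signull are separate permissions.
	allow $1 unpriv_userdomain:process signal;
')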
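########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_unpriv_users_fds',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:fd use;
')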
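########################################
## <summary>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains. This will suppress
##	SELinux denial messages when the specified domain is denied
##	the permission to inherit these file descriptors.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_use_unpriv_user_fds',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# dontaudit only silences the AVC record; the access stays denied.
	dontaudit $1 unpriv_userdomain:fd use;
')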
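########################################
## <summary>
##	Do not audit attempts to use user ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Covers only already-open (inherited) pty descriptors, not open().
	dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
')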
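########################################
## <summary>
##	Relabel files to unprivileged user pty types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabelto_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	allow $1 user_devpts_t:chr_file relabelto;
')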
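########################################
## <summary>
##	Do not audit attempts to relabel files from
##	user pty types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_relabelfrom_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	dontaudit $1 user_devpts_t:chr_file relabelfrom;
')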
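########################################
## <summary>
##	Write all users files in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Write access to user-owned tmp files; the target is user-controlled
	# content, so callers should not trust what they write back.
	write_files_pattern($1, user_tmp_t, user_tmp_t)
')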
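########################################
## <summary>
##	Do not audit attempts to write users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:file write;
')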
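########################################
## <summary>
##	Do not audit attempts to read/write users
##	temporary fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_user_tmp_pipes',`
	gen_require(`
		type user_tmp_t;
	')

	# Inherited-descriptor permissions only (no open).
	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
')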
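########################################
## <summary>
##	Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# NOTE(review): the pty counterpart uses rw_inherited_file_perms;
	# this one also silences open(). Kept as-is.
	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
')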
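########################################
## <summary>
##	Read the process state of all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_all_users_state',`
	gen_require(`
		attribute userdomain;
	')

	# Reads the proc entries (files and symlinks) of every user domain,
	# i.e. environment, maps and similar per-process state.
	read_files_pattern($1, userdomain, userdomain)
	read_lnk_files_pattern($1, userdomain, userdomain)
	kernel_search_proc($1)
')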
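########################################
## <summary>
##	Get the attributes of all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process getattr;
')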
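########################################
## <summary>
##	Inherit the file descriptors from all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:fd use;
')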
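########################################
## <summary>
##	Do not audit attempts to inherit the file
##	descriptors from any user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:fd use;
')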
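########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process signal;
')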
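########################################
## <summary>
##	Send kill signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_kill_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# SIGKILL against every user session; intended for session managers
	# and administrative tooling only.
	allow $1 userdomain:process sigkill;
')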
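########################################
## <summary>
##	Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_sigchld_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process sigchld;
')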
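########################################
## <summary>
##	Create keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	# create only; see userdom_manage_all_users_keys for full control.
	allow $1 userdomain:key create;
')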
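########################################
## <summary>
##	Send a dbus message to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dbus_send_all_users',`
	gen_require(`
		attribute userdomain;
		class dbus send_msg;
	')

	allow $1 userdomain:dbus send_msg;
')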
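########################################
## <summary>
##	Allow apps to set rlimits on userdomain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_set_rlimitnh',`
	gen_require(`
		attribute userdomain;
	')

	# rlimitinh: lets a user domain inherit resource limits from $1
	# across an exec rather than having them reset.
	allow $1 userdomain:process rlimitinh;
')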
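########################################
## <summary>
##	Mark a type as an unprivileged user type: add it to the
##	prefix usertype attribute and to the unpriv_userdomain and
##	userdomain attributes, and constrain it under UBAC.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Type to be marked as an unprivileged user type.
##	</summary>
## </param>
#
template(`userdom_unpriv_usertype',`
	gen_require(`
		attribute unpriv_userdomain, userdomain;
		attribute $1_usertype;
	')

	# Every interface in this file keyed on unpriv_userdomain or
	# userdomain now applies to $2 as well.
	typeattribute $2 $1_usertype;
	typeattribute $2 unpriv_userdomain;
	typeattribute $2 userdomain;

	ubac_constrained($2)
')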
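########################################
## <summary>
##	Connect to users over a unix stream socket
##	whose socket file is in a user tmp directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_stream_connect',`
	gen_require(`
		type user_tmp_t;
		attribute userdomain;
	')

	stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
')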
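########################################
## <summary>
##	Ptrace user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_ptrace_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# ptrace over every user domain, i.e. over every user session on the
	# host; confine this to debuggers and administrative tooling.
	allow $1 userdomain:process ptrace;
')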
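########################################
## <summary>
##	Do not audit attempts to search /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:dir search_dir_perms;
')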
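########################################
## <summary>
##	Do not audit attempts to list /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:dir list_dir_perms;
')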
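########################################
## <summary>
##	Allow domain to list /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:dir list_dir_perms;
')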
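########################################
## <summary>
##	Allow domain to search /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:dir search_dir_perms;
')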
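########################################
## <summary>
##	Read and write unprivileged user SysV semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_semaphores',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:sem rw_sem_perms;
')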
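########################################
## <summary>
##	Send a message to unprivileged users over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dgram_send',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
')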
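########################################
## <summary>
##	Send a message to users over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_users_dgram_send',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:unix_dgram_socket sendto;
')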
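########################################
## <summary>
##	Allow execmod on files in the user home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_execmod_user_home_files',`
	gen_require(`
		# user_home_type is declared as an attribute elsewhere in this
		# file (see userdom_search_user_home_content); require it as one.
		attribute user_home_type;
	')

	# execmod lets $1 make a modified private mapping of user-writable
	# home content executable (text relocations), which weakens the
	# no-writable-executable-memory guarantee for that content.
	allow $1 user_home_type:file execmod;
')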
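########################################
## <summary>
##	Read admin home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	read_files_pattern($1, admin_home_t, admin_home_t)
')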
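########################################
## <summary>
##	Execute admin home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_exec_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# Executes in the caller's own domain (no transition).
	exec_files_pattern($1, admin_home_t, admin_home_t)
')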
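########################################
## <summary>
##	Append files inherited
##	in the /root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# No open permission: applies to descriptors inherited from a parent.
	allow $1 admin_home_t:file { getattr append };
')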
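########################################
## <summary>
##	Manage all files/directories in the user home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
		attribute user_home_type;
	')

	# Full create/read/write/delete over every user home content type.
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	# New objects created directly in the home directory get user_home_t.
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
')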
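########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	the user home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans_pattern',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Only the transition rule; the caller still needs the create
	# permissions on user_home_dir_t and user_home_t.
	type_transition $1 user_home_dir_t:$2 user_home_t;
')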
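########################################
## <summary>
##	Create objects in the /root directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`userdom_admin_home_dir_filetrans',`
	gen_require(`
		type admin_home_t;
	')

	# $4 is the optional filename for a named transition.
	filetrans_pattern($1, admin_home_t, $2, $3, $4)
')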
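########################################
## <summary>
##	Send signull to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signull_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Existence check (kill -0) only; no signal is delivered.
	allow $1 unpriv_userdomain:process signull;
')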
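########################################
## <summary>
##	Write all users files in /tmp. Despite the name, this
##	grants write on user tmp files, not on directories;
##	it is equivalent to userdom_write_user_tmp_files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	# NOTE(review): name/behaviour mismatch kept for caller compatibility;
	# this is file write, not dir write.
	write_files_pattern($1, user_tmp_t, user_tmp_t)
')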
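########################################
## <summary>
##	Manage keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	# Full control over the kernel keyrings of every user domain.
	allow $1 userdomain:key manage_key_perms;
')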
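########################################
## <summary>
##	Do not audit attempts to read and write
##	userdomain unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_stream',`
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
')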
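########################################
## <summary>
##	Do not audit attempts to read and write
##	userdomain unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_dgram_socket',`
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:unix_dgram_socket { read write };
')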
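########################################
## <summary>
##	Append files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_append_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	append_files_pattern($1, user_home_t, user_home_t)
	# Path traversal to reach the files.
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')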
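########################################
## <summary>
##	Read files inherited
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_inherited_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# No open permission: only descriptors handed over by a parent.
	allow $1 user_home_type:file { getattr read };
')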
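########################################
## <summary>
##	Append files inherited
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# No open permission: only descriptors handed over by a parent.
	allow $1 user_home_t:file { getattr append };
')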
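########################################
## <summary>
##	Append files inherited
##	in a user tmp directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# No open permission: only descriptors handed over by a parent.
	allow $1 user_tmp_t:file { getattr append };
')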
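########################################
## <summary>
##	Read audio files in the users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_home_audio_files',`
	gen_require(`
		type audio_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 audio_home_t:dir list_dir_perms;
	read_files_pattern($1, audio_home_t, audio_home_t)
	read_lnk_files_pattern($1, audio_home_t, audio_home_t)
')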
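########################################
## <summary>
##	Do not audit attempts to write all user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:file write_file_perms;
')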
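########################################
## <summary>
##	Do not audit attempts to write all user tmp content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	dontaudit $1 user_tmp_type:file write_file_perms;
')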
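########################################
## <summary>
##	Manage all user temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Full control over every user tmp type; no filetrans is set here, so
	# objects $1 creates keep whatever type the parent dir dictates.
	manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
	manage_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	files_search_tmp($1)
')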
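########################################
## <summary>
##	List all user temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Directory listing and metadata only; symlinks are readable so the
	# listing can be resolved, but regular file content is not.
	list_dirs_pattern($1, user_tmp_type, user_tmp_type)
	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
	read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	files_search_var($1)
	files_search_tmp($1)
')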
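########################################
## <summary>
##	Manage all user tmpfs content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmpfs_content',`
	gen_require(`
		attribute user_tmpfs_type;
	')

	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
')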
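########################################
## <summary>
##	Delete all user temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
	delete_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)

	files_search_var($1)
	# Unlinking also needs remove_name on the generic tmp directory.
	files_delete_tmp_dir_entry($1)
')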
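########################################
## <summary>
##	Read system SSL certificates in the users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	# Read-only: certificate material in a home directory is user-writable
	# trust input, so callers must validate it like any other user data.
	userdom_search_user_home_content($1)
	allow $1 home_cert_t:dir list_dir_perms;
	read_files_pattern($1, home_cert_t, home_cert_t)
	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
')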
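########################################
## <summary>
##	Do not audit attempts to write system SSL certificates
##	in the users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	dontaudit $1 home_cert_t:file write;
')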
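########################################
## <summary>
##	Do not audit attempts to get the attributes of /root files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file getattr;
')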
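########################################
## <summary>
##	Do not audit attempts to read /root symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_admin_home_lnk_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:lnk_file read;
')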
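########################################
## <summary>
##	Do not audit attempts to read /root files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file read_file_perms;
')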
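########################################
## <summary>
##	Create, read, write, and delete user
##	temporary chr files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_chr_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Device nodes in a user tmp directory; device access itself is still
	# governed by the node's own label, not by this rule.
	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')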
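########################################
## <summary>
##	Create, read, write, and delete user
##	temporary blk files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_blk_files',`
	gen_require(`
		type user_tmp_t;
	')

	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')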
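########################################
## <summary>
##	Do not audit attempts to set attributes on user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_setattr_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir setattr;
')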
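########################################
## <summary>
##	Write all inherited users files in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_inherited_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# write only, no open: applies to descriptors inherited from a parent.
	# NOTE(review): the sibling inherit interfaces also grant getattr.
	allow $1 user_tmp_t:file write;
')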
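########################################
## <summary>
##	Delete all users files in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Unlinking also requires remove_name on the containing directory,
	# which this interface does not grant.
	allow $1 user_tmp_t:file delete_file_perms;
')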
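########################################
## <summary>
##	Delete user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	allow $1 user_tmpfs_t:file delete_file_perms;
')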
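########################################
## <summary>
##	Read/Write unprivileged user SysV shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_unpriv_user_shared_mem',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:shm rw_shm_perms;
')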
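########################################
## <summary>
##	Do not audit attempts to search user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir search_dir_perms;
')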
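########################################
## <summary>
##	Execute a file in a user home directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a user home directory
##	in the specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_home',`
	gen_require(`
		type user_home_t;
	')

	# The entry file lives in user-writable home content, so $2 is
	# entered via a binary the user controls; choose $2 accordingly.
	read_lnk_files_pattern($1, user_home_t, user_home_t)
	domain_transition_pattern($1, user_home_t, $2)
	type_transition $1 user_home_t:process $2;
')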
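########################################
## <summary>
##	Execute a file in a user tmp directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a user tmp directory
##	in the specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# The entry file is user-writable tmp content, so $2 is entered via
	# a binary the user controls; choose $2 accordingly.
	files_search_tmp($1)
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	domain_transition_pattern($1, user_tmp_t, $2)
	type_transition $1 user_tmp_t:process $2;
')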
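########################################
## <summary>
##	Do not audit attempts to read all user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:file read_file_perms;
')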
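########################################
## <summary>
##	Do not audit attempts to read all user tmp content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	dontaudit $1 user_tmp_type:file read_file_perms;
')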