1 ## <summary>Policy for user domains</summary>
2
3 #######################################
4 ## <summary>
5 ## The template containing the most basic rules common to all users.
6 ## </summary>
7 ## <desc>
8 ## <p>
9 ## The template containing the most basic rules common to all users.
10 ## </p>
11 ## <p>
12 ## This template creates a user domain, types, and
13 ## rules for the user's tty and pty.
14 ## </p>
15 ## </desc>
16 ## <param name="userdomain_prefix">
17 ## <summary>
18 ## The prefix of the user domain (e.g., user
19 ## is the prefix for user_t).
20 ## </summary>
21 ## </param>
22 ## <rolebase/>
23 #
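template(`userdom_base_user_template',`

	gen_require(`
		attribute userdomain;
		type user_devpts_t, user_tty_device_t;
		class context contains;
	')

	# Per-user attributes.  $1_file_type is only declared here (nothing in
	# this template references it).  $1_usertype is attached to $1_t below,
	# so every rule written against $1_usertype also covers $1_t; rules
	# written against $1_t alone are the narrower grant.
	attribute $1_file_type;
	attribute $1_usertype;

	type $1_t, userdomain, $1_usertype;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)
	ubac_constrained($1_t)
	role $1_r types $1_t;
	# system_r may change into this user's role.
	allow system_r $1_r;

	term_user_pty($1_t, user_devpts_t)

	term_user_tty($1_t, user_tty_device_t)
	term_dontaudit_getattr_generic_ptys($1_t)

	# Process-to-process access among everything carrying $1_usertype.
	# This includes ptrace, i.e. any process of this user may inspect and
	# control any other process of the same user; check that this is
	# acceptable for every domain that is later given the attribute.
	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
	allow $1_usertype $1_usertype:fd use;
	# Kernel keyring access targets $1_t itself, not the whole attribute.
	allow $1_usertype $1_t:key { create view read write search link setattr };

	# Local IPC between processes of the same user.
	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
	allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_usertype $1_usertype:shm create_shm_perms;
	allow $1_usertype $1_usertype:sem create_sem_perms;
	allow $1_usertype $1_usertype:msgq create_msgq_perms;
	allow $1_usertype $1_usertype:msg { send receive };
	allow $1_usertype $1_usertype:context contains;
	dontaudit $1_usertype $1_usertype:socket create;

	# Terminals: the user's pty and tty device types.
	allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
	term_create_pty($1_usertype, user_devpts_t)
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_devpts_t:chr_file ioctl;

	allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_tty_device_t:chr_file ioctl;

	application_exec_all($1_usertype)

	kernel_read_kernel_sysctls($1_usertype)
	kernel_read_all_sysctls($1_usertype)
	# Unlabeled objects and /proc produce noisy denials; these are
	# silenced, not granted.
	kernel_dontaudit_list_unlabeled($1_usertype)
	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
	kernel_dontaudit_list_proc($1_usertype)

	dev_dontaudit_getattr_all_blk_files($1_usertype)
	dev_dontaudit_getattr_all_chr_files($1_usertype)
	dev_getattr_mtrr_dev($1_t)

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_usertype)
	domain_dontaudit_getattr_all_domains($1_usertype)
	domain_dontaudit_getsession_all_domains($1_usertype)
	dev_dontaudit_all_access_check($1_usertype)

	files_read_etc_files($1_usertype)
	files_list_mnt($1_usertype)
	files_read_mnt_files($1_usertype)
	files_dontaudit_access_check_mnt($1_usertype)
	files_read_etc_runtime_files($1_usertype)
	files_read_usr_files($1_usertype)
	files_read_usr_src_files($1_usertype)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_usertype)
	files_read_world_readable_files($1_usertype)
	files_read_world_readable_symlinks($1_usertype)
	files_read_world_readable_pipes($1_usertype)
	files_read_world_readable_sockets($1_usertype)
	# old browser_domain():
	files_dontaudit_getattr_all_dirs($1_usertype)
	files_dontaudit_list_non_security($1_usertype)
	files_dontaudit_getattr_all_files($1_usertype)
	files_dontaudit_getattr_non_security_symlinks($1_usertype)
	files_dontaudit_getattr_non_security_pipes($1_usertype)
	files_dontaudit_getattr_non_security_sockets($1_usertype)
	files_dontaudit_setattr_etc_runtime_files($1_usertype)

	files_exec_usr_files($1_t)

	# cgroup directory listing is granted once, here, without an
	# optional_policy wrapper (the other fs_* calls in this template are
	# unwrapped as well).
	fs_list_cgroup_dirs($1_usertype)
	fs_dontaudit_rw_cgroup_files($1_usertype)

	storage_rw_fuse($1_usertype)

	auth_use_nsswitch($1_usertype)

	init_stream_connect($1_usertype)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_rw_utmp($1_usertype)

	libs_exec_ld_so($1_usertype)

	logging_send_audit_msgs($1_t)

	# Generic certs are granted to $1_t alone; all certs, localization,
	# man pages and public files go to the attribute, which covers $1_t.
	miscfiles_read_generic_certs($1_t)

	miscfiles_read_all_certs($1_usertype)
	miscfiles_read_localization($1_usertype)
	miscfiles_read_man_pages($1_usertype)
	miscfiles_read_public_files($1_usertype)

	# Executable-memory permissions for the concrete user domain, each
	# gated on the named boolean(s).
	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		allow $1_t self:process execstack;
	')

	optional_policy(`
		ssh_rw_stream_sockets($1_usertype)
		ssh_delete_tmp($1_t)
		ssh_signal($1_t)
	')
')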
165
166 #######################################
167 ## <summary>
168 ## Allow a home directory for which the
169 ## role has read-only access.
170 ## </summary>
171 ## <desc>
172 ## <p>
173 ## Allow a home directory for which the
174 ## role has read-only access.
175 ## </p>
176 ## <p>
177 ## This does not allow execute access.
178 ## </p>
179 ## </desc>
180 ## <param name="role">
181 ## <summary>
182 ## The user role
183 ## </summary>
184 ## </param>
185 ## <param name="userdomain">
186 ## <summary>
187 ## The user domain
188 ## </summary>
189 ## </param>
190 ## <rolebase/>
191 #
interface(`userdom_ro_home_role',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# The role may hold both home types; the domain gets read-only access.
	role $1 types { user_home_dir_t user_home_t };

	##############################
	#
	# Domain access to home dir
	#

	# type_member rule for the home directory (polyinstantiation).
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# Read-only view of the home directory tree: both the top-level
	# home directory type and the content type are listable, and
	# user_home_t files may serve as an entry point into the domain.
	allow $2 { user_home_dir_t user_home_t }:dir list_dir_perms;
	allow $2 user_home_t:file entrypoint;

	# Readable content of every class below either directory type.
	# (The directory search the read_*_pattern macros would add is
	# already contained in list_dir_perms above.)
	allow $2 user_home_t:file read_file_perms;
	allow $2 user_home_t:lnk_file read_lnk_file_perms;
	allow $2 user_home_t:fifo_file read_fifo_file_perms;
	allow $2 user_home_t:sock_file read_sock_file_perms;

	files_list_home($2)
')
217
218 #######################################
219 ## <summary>
220 ## Allow a home directory for which the
221 ## role has full access.
222 ## </summary>
223 ## <desc>
224 ## <p>
225 ## Allow a home directory for which the
226 ## role has full access.
227 ## </p>
228 ## <p>
229 ## This does not allow execute access.
230 ## </p>
231 ## </desc>
232 ## <param name="role">
233 ## <summary>
234 ## The user role
235 ## </summary>
236 ## </param>
237 ## <param name="userdomain">
238 ## <summary>
239 ## The user domain
240 ## </summary>
241 ## </param>
242 ## <rolebase/>
243 #
interface(`userdom_manage_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
		attribute user_home_type;
	')

	# The role may hold every type carrying user_home_type, plus the
	# home directory type itself.
	role $1 types { user_home_type user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	# type_member rule for the home directory (polyinstantiation).
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# full control of the home directory
	allow $2 user_home_t:dir mounton;
	# user_home_t files may serve as an entry point into the domain.
	allow $2 user_home_t:file entrypoint;

	# Relabel in either direction across the whole user_home_type
	# attribute: the domain can move content between any home types.
	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
	# Manage and relabel all home content of every class, reaching it
	# through either the home directory or any home-content type.
	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	# Objects the domain creates directly in the home directory are
	# labelled user_home_t.
	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
	files_list_home($2)

	# cjp: this should probably be removed:
	# (this is manage and relabel on the home directory itself, not
	# only on its contents)
	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

	# The same management access over network-backed home directories,
	# each gated on its tunable; note these also grant mount/mounton.
	tunable_policy(`use_nfs_home_dirs',`
		fs_mount_nfs($2)
		fs_mounton_nfs($2)
		fs_manage_nfs_dirs($2)
		fs_manage_nfs_files($2)
		fs_manage_nfs_symlinks($2)
		fs_manage_nfs_named_sockets($2)
		fs_manage_nfs_named_pipes($2)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_mount_cifs($2)
		fs_mounton_cifs($2)
		fs_manage_cifs_dirs($2)
		fs_manage_cifs_files($2)
		fs_manage_cifs_symlinks($2)
		fs_manage_cifs_named_sockets($2)
		fs_manage_cifs_named_pipes($2)
	')
')
301
302 #######################################
303 ## <summary>
304 ## Manage user temporary files
305 ## </summary>
306 ## <param name="role">
307 ## <summary>
308 ## Role allowed access.
309 ## </summary>
310 ## </param>
311 ## <param name="domain">
312 ## <summary>
313 ## Domain allowed access.
314 ## </summary>
315 ## </param>
316 ## <rolebase/>
317 #
interface(`userdom_manage_tmp_role',`
	gen_require(`
		type user_tmp_t;
	')

	role $1 types user_tmp_t;

	# Polyinstantiated /tmp membership for the domain.
	files_poly_member_tmp($2, user_tmp_t)

	# Full control of user temporary content of every class.  Written as
	# direct rules rather than *_pattern calls: the directory type and
	# the content type are both user_tmp_t, so the directory search/rw
	# permissions the patterns would add are contained in manage_dir_perms.
	allow $2 user_tmp_t:dir manage_dir_perms;
	allow $2 user_tmp_t:file { manage_file_perms relabel_file_perms };
	allow $2 user_tmp_t:lnk_file manage_lnk_file_perms;
	allow $2 user_tmp_t:sock_file manage_sock_file_perms;
	allow $2 user_tmp_t:fifo_file manage_fifo_file_perms;

	# Objects the domain creates in /tmp are labelled user_tmp_t.
	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
')
335
336 #######################################
337 ## <summary>
338 ## Dontaudit search of user bin dirs.
339 ## </summary>
340 ## <param name="domain">
341 ## <summary>
342 ## Domain to not audit.
343 ## </summary>
344 ## </param>
345 #
interface(`userdom_dontaudit_search_user_bin_dirs',`
	gen_require(`
		type home_bin_t;
	')

	# Silence, without granting, directory-search denials on the
	# user's bin directory type.
	dontaudit $1 home_bin_t:dir search_dir_perms;
')
353
354 #######################################
355 ## <summary>
356 ## Execute user bin files.
357 ## </summary>
358 ## <param name="domain">
359 ## <summary>
360 ## Domain allowed access.
361 ## </summary>
362 ## </param>
363 #
interface(`userdom_exec_user_bin_files',`
	gen_require(`
		attribute user_home_type;
		type home_bin_t, user_home_dir_t;
	')

	# Reach the bin directory through /home and the home directory
	# tree, then execute the home_bin_t files found there.
	files_search_home($1)
	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
	allow $1 home_bin_t:file exec_file_perms;
')
373
374 #######################################
375 ## <summary>
377 ## Execute user temporary files.
377 ## </summary>
378 ## <param name="domain">
379 ## <summary>
380 ## Domain allowed access.
381 ## </summary>
382 ## </param>
383 ## <rolebase/>
384 #
interface(`userdom_exec_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)

	# Execute regular files labelled user_tmp_t.
	allow $1 user_tmp_t:dir search_dir_perms;
	allow $1 user_tmp_t:file exec_file_perms;

	# Execute checks on sockets in tmp are silenced, not granted.
	dontaudit $1 user_tmp_t:sock_file execute;
')
394
395 #######################################
396 ## <summary>
397 ## Role access for the user tmpfs type
398 ## to which the user has full access.
399 ## </summary>
400 ## <desc>
401 ## <p>
402 ## Role access for the user tmpfs type
403 ## that the user has full access.
404 ## </p>
405 ## <p>
406 ## This does not allow execute access.
407 ## </p>
408 ## </desc>
409 ## <param name="role">
410 ## <summary>
411 ## Role allowed access.
412 ## </summary>
413 ## </param>
414 ## <param name="domain">
415 ## <summary>
416 ## Domain allowed access.
417 ## </summary>
418 ## </param>
419 ## <rolecap/>
420 #
interface(`userdom_manage_tmpfs_role',`
	gen_require(`
		type user_tmpfs_t;
	')

	role $1 types user_tmpfs_t;

	# Direct rules instead of manage_*_pattern: directory type and
	# content type coincide, so the directory permissions the patterns
	# would add are contained in manage_dir_perms.
	allow $2 user_tmpfs_t:dir manage_dir_perms;
	allow $2 user_tmpfs_t:file manage_file_perms;
	allow $2 user_tmpfs_t:lnk_file manage_lnk_file_perms;
	allow $2 user_tmpfs_t:sock_file manage_sock_file_perms;
	allow $2 user_tmpfs_t:fifo_file manage_fifo_file_perms;

	# Objects the domain creates on tmpfs are labelled user_tmpfs_t.
	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
')
435
436 #######################################
437 ## <summary>
438 ## The interface allowing the user basic
439 ## network permissions
440 ## </summary>
441 ## <param name="userdomain">
442 ## <summary>
443 ## The user domain
444 ## </summary>
445 ## </param>
446 ## <rolebase/>
447 #
interface(`userdom_basic_networking',`

	# TCP and UDP sockets owned by the domain itself.
	allow $1 self:udp_socket create_socket_perms;
	allow $1 self:tcp_socket create_stream_socket_perms;

	# Receive from unlabeled peers and via NetLabel.
	corenet_all_recvfrom_netlabel($1)
	corenet_all_recvfrom_unlabeled($1)

	# Send/receive over every generic interface and node.
	corenet_tcp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_if($1)

	# All ports, and TCP connect to all ports: this is client access to
	# the entire port space, not a per-service grant.
	corenet_udp_sendrecv_all_ports($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_tcp_connect_all_ports($1)
	corenet_sendrecv_all_client_packets($1)

	optional_policy(`
		ipsec_match_default_spd($1)
	')

	optional_policy(`
		init_udp_recvfrom_all_daemons($1)
		init_tcp_recvfrom_all_daemons($1)
	')
')
474
475 #######################################
476 ## <summary>
477 ## The template for creating a user xwindows client. (Deprecated)
478 ## </summary>
479 ## <param name="userdomain_prefix">
480 ## <summary>
481 ## The prefix of the user domain (e.g., user
482 ## is the prefix for user_t).
483 ## </summary>
484 ## </param>
485 ## <rolebase/>
486 #
template(`userdom_xwindows_client_template',`
	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
	gen_require(`
		type $1_t, user_tmpfs_t;
	')

	# X client wiring for $1_t: the X domain template (handed the
	# per-user tmpfs type), session entry and xdm access.
	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
	xserver_xsession_entry_type($1_t)
	xserver_stream_connect_xdm($1_t)
	# certain apps want to read xdm.pid file
	xserver_read_xdm_pid($1_t)
	# gnome-session creates socket under /tmp/.ICE-unix/
	xserver_create_xdm_tmp_sockets($1_t)
	# Needed for escd, remove if we get escd policy
	xserver_manage_xdm_tmp_files($1_t)
	xserver_dontaudit_write_log($1_t)

	# Device access a graphical client expects.
	dev_read_input($1_t)
	dev_rw_xserver_misc($1_t)
	dev_rw_power_management($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_generic_usb_dev($1_t)
	dev_rw_usbfs($1_t)
')
516
517 #######################################
518 ## <summary>
519 ## The template for allowing the user to change passwords.
520 ## </summary>
521 ## <param name="userdomain_prefix">
522 ## <summary>
523 ## The prefix of the user domain (e.g., user
524 ## is the prefix for user_t).
525 ## </summary>
526 ## </param>
527 ## <rolebase/>
528 #
template(`userdom_change_password_template',`
	gen_require(`
		role $1_r;
		type $1_t;
	')

	# Domain transitions into the usermanage helpers, wired up only
	# when that module is present.
	optional_policy(`
		usermanage_run_passwd($1_t, $1_r)
		usermanage_run_chfn($1_t, $1_r)
	')
')
540
541 #######################################
542 ## <summary>
543 ## The template containing rules common to unprivileged
544 ## users and administrative users.
545 ## </summary>
546 ## <desc>
547 ## <p>
548 ## This template creates a user domain, types, and
549 ## rules for the user's tty, pty, tmp, and tmpfs files.
550 ## </p>
551 ## </desc>
552 ## <param name="userdomain_prefix">
553 ## <summary>
554 ## The prefix of the user domain (e.g., user
555 ## is the prefix for user_t).
556 ## </summary>
557 ## </param>
558 #
template(`userdom_common_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# NOTE: $1_t, $1_usertype and $1_r are not declared here; this
	# template only adds rules and expects userdom_base_user_template
	# (or a template built on it) to have run for the same prefix.
	userdom_basic_networking($1_usertype)

	##############################
	#
	# User domain Local policy
	#

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
	# uevent netlink is allowed outright; the generic socket class is the
	# fallback for address families without a class of their own.
	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
	allow $1_t self:socket create_socket_perms;

	# Inherit file descriptors from any unprivileged user domain.
	allow $1_usertype unpriv_userdomain:fd use;

	kernel_read_system_state($1_usertype)
	kernel_read_network_state($1_usertype)
	kernel_read_software_raid_state($1_usertype)
	kernel_read_net_sysctls($1_usertype)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_usertype)
	# Find CDROM devices:
	kernel_read_device_sysctls($1_usertype)
	# NOTE(review): lets the user domain trigger kernel module autoload
	# requests; confirm this is wanted for unprivileged users.
	kernel_request_load_module($1_usertype)

	corenet_udp_bind_generic_node($1_usertype)
	corenet_udp_bind_generic_port($1_usertype)

	dev_read_rand($1_usertype)
	dev_write_sound($1_usertype)
	dev_read_sound($1_usertype)
	dev_read_sound_mixer($1_usertype)
	dev_write_sound_mixer($1_usertype)

	files_exec_etc_files($1_usertype)
	files_search_locks($1_usertype)
	# Check to see if cdrom is mounted
	files_search_mnt($1_usertype)
	# cjp: perhaps should cut back on file reads:
	files_read_var_files($1_usertype)
	files_read_var_symlinks($1_usertype)
	files_read_generic_spool($1_usertype)
	files_read_var_lib_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)
	files_read_config_files($1_usertype)
	fs_read_noxattr_fs_files($1_usertype)
	fs_read_noxattr_fs_symlinks($1_usertype)
	fs_rw_cgroup_files($1_usertype)

	application_getattr_socket($1_usertype)

	logging_send_syslog_msg($1_usertype)
	logging_send_audit_msgs($1_usertype)
	selinux_get_enforce_mode($1_usertype)

	# cjp: some of this probably can be removed
	selinux_get_fs_mount($1_usertype)
	selinux_validate_context($1_usertype)
	selinux_compute_access_vector($1_usertype)
	selinux_compute_create_context($1_usertype)
	selinux_compute_relabel_context($1_usertype)
	selinux_compute_user_contexts($1_usertype)

	# for eject
	storage_getattr_fixed_disk_dev($1_usertype)

	# *_run_* interfaces set up a domain transition from $1_t and let
	# $1_r hold the target domain.
	auth_read_login_records($1_usertype)
	auth_run_pam($1_t,$1_r)
	auth_run_utempter($1_t,$1_r)

	init_read_utmp($1_usertype)

	seutil_read_file_contexts($1_usertype)
	seutil_read_default_contexts($1_usertype)
	seutil_run_newrole($1_t,$1_r)
	seutil_exec_checkpolicy($1_t)
	seutil_exec_setfiles($1_usertype)
	# for when the network connection is killed
	# this is needed when a login role can change
	# to this one.
	seutil_dontaudit_signal_newrole($1_t)

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_usertype)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_ttys($1_t)
	')

	optional_policy(`
		alsa_read_rw_config($1_usertype)
		alsa_manage_home_files($1_t)
		alsa_relabel_home_files($1_t)
	')

	optional_policy(`
		# Allow graphical boot to check battery lifespan
		apm_stream_connect($1_usertype)
	')

	optional_policy(`
		canna_stream_connect($1_usertype)
	')

	optional_policy(`
		chrome_role($1_r, $1_usertype)
	')

	optional_policy(`
		colord_read_lib_files($1_usertype)
	')

	# System bus client access plus per-service dbus chat, each service
	# wired only when its module is present.
	optional_policy(`
		dbus_system_bus_client($1_usertype)

		allow $1_usertype $1_usertype:dbus send_msg;

		optional_policy(`
			avahi_dbus_chat($1_usertype)
		')

		optional_policy(`
			policykit_dbus_chat($1_usertype)
		')

		optional_policy(`
			bluetooth_dbus_chat($1_usertype)
		')

		optional_policy(`
			consolekit_dbus_chat($1_usertype)
			consolekit_read_log($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
		')

		optional_policy(`
			evolution_dbus_chat($1_usertype)
			evolution_alarm_dbus_chat($1_usertype)
		')

		optional_policy(`
			gnome_dbus_chat_gconfdefault($1_usertype)
		')

		optional_policy(`
			hal_dbus_chat($1_usertype)
		')

		optional_policy(`
			kde_dbus_chat_backlighthelper($1_usertype)
		')

		optional_policy(`
			modemmanager_dbus_chat($1_usertype)
		')

		optional_policy(`
			networkmanager_dbus_chat($1_usertype)
			networkmanager_read_lib_files($1_usertype)
		')

		optional_policy(`
			vpn_dbus_chat($1_usertype)
		')
	')

	optional_policy(`
		git_session_role($1_r, $1_usertype)
	')

	optional_policy(`
		inetd_use_fds($1_usertype)
		inetd_rw_tcp_sockets($1_usertype)
	')

	optional_policy(`
		inn_read_config($1_usertype)
		inn_read_news_lib($1_usertype)
		inn_read_news_spool($1_usertype)
	')

	optional_policy(`
		lircd_stream_connect($1_usertype)
	')

	optional_policy(`
		locate_read_lib_files($1_usertype)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`
		modutils_read_module_config($1_usertype)
	')

	optional_policy(`
		mta_rw_spool($1_usertype)
		mta_manage_queue($1_usertype)
		mta_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		nsplugin_role($1_r, $1_usertype)
	')

	# Database connections are opt-in via their tunables.
	optional_policy(`
		tunable_policy(`allow_user_mysql_connect',`
			mysql_stream_connect($1_t)
		')
	')

	optional_policy(`
		oident_manage_user_content($1_t)
		oident_relabel_user_content($1_t)
	')

	optional_policy(`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_usertype)
	')

	optional_policy(`
		pcscd_read_pub_files($1_usertype)
		pcscd_stream_connect($1_usertype)
	')

	optional_policy(`
		tunable_policy(`allow_user_postgresql_connect',`
			postgresql_stream_connect($1_usertype)
			postgresql_tcp_connect($1_usertype)
		')
	')

	optional_policy(`
		resmgr_stream_connect($1_usertype)
	')

	optional_policy(`
		rpc_dontaudit_getattr_exports($1_usertype)
		rpc_manage_nfs_rw_content($1_usertype)
	')

	optional_policy(`
		rpcbind_stream_connect($1_usertype)
	')

	optional_policy(`
		samba_stream_connect_winbind($1_usertype)
	')

	# Transition into the sandbox domain from any $1_usertype domain.
	optional_policy(`
		sandbox_transition($1_usertype, $1_r)
	')

	optional_policy(`
		seunshare_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		slrnpull_search_spool($1_usertype)
	')

')
833
834 #######################################
835 ## <summary>
836 ## The template for creating a login user.
837 ## </summary>
838 ## <desc>
839 ## <p>
840 ## This template creates a user domain, types, and
841 ## rules for the user's tty, pty, home directories,
842 ## tmp, and tmpfs files.
843 ## </p>
844 ## </desc>
845 ## <param name="userdomain_prefix">
846 ## <summary>
847 ## The prefix of the user domain (e.g., user
848 ## is the prefix for user_t).
849 ## </summary>
850 ## </param>
851 #
template(`userdom_login_user_template', `
	gen_require(`
		class context contains;
	')

	# Base domain, attributes and terminal rules for the prefix.
	userdom_base_user_template($1)

	# Full home directory access for the role and every $1_usertype domain.
	userdom_manage_home_role($1_r, $1_usertype)

	userdom_manage_tmp_role($1_r, $1_usertype)
	userdom_manage_tmpfs_role($1_r, $1_usertype)

	# Execute access to the user's own tmp and home content is controlled
	# by a per-prefix boolean that defaults to ON; it is skipped entirely
	# for the unconfined prefix.  With NFS/CIFS homes the matching
	# fs_exec_* grant is additionally conditioned on that home tunable.
	ifelse(`$1',`unconfined',`',`
		gen_tunable(allow_$1_exec_content, true)

		tunable_policy(`allow_$1_exec_content',`
			userdom_exec_user_tmp_files($1_usertype)
			userdom_exec_user_home_content_files($1_usertype)
		')
		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
			fs_exec_nfs_files($1_usertype)
		')

		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
			fs_exec_cifs_files($1_usertype)
		')
	')

	userdom_change_password_template($1)

	##############################
	#
	# User domain Local policy
	#

	# Capabilities held by the concrete user domain; sys_nice and fsetid
	# attempts are silenced rather than granted.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };

	# Negated set: every process permission EXCEPT those listed.  Any
	# process permission added to the policy's access vectors later is
	# granted here automatically, so re-check this rule when the class
	# definition changes.
	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
	dontaudit $1_t self:process setrlimit;
	# Same netlink_route_socket dontaudit as in userdom_common_user_template.
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	allow $1_t self:context contains;

	kernel_dontaudit_read_system_state($1_usertype)
	kernel_dontaudit_list_all_proc($1_usertype)

	dev_read_sysfs($1_usertype)
	dev_read_urand($1_usertype)

	domain_use_interactive_fds($1_usertype)
	# Command completion can fire hundreds of denials
	domain_dontaudit_exec_all_entry_files($1_usertype)

	files_dontaudit_list_default($1_usertype)
	files_dontaudit_read_default_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)

	fs_get_all_fs_quotas($1_usertype)
	fs_getattr_all_fs($1_usertype)
	fs_search_all($1_usertype)
	fs_list_inotifyfs($1_usertype)
	fs_rw_anon_inodefs_files($1_usertype)

	# Login record writes are silenced; the auth cache is read/write
	# for the concrete domain only.
	auth_dontaudit_write_login_records($1_t)
	auth_rw_cache($1_t)

	# Stop warnings about access to /dev/console
	init_dontaudit_use_fds($1_usertype)
	init_dontaudit_use_script_fds($1_usertype)

	libs_exec_lib_files($1_usertype)

	logging_dontaudit_getattr_all_logs($1_usertype)

	# for running TeX programs
	miscfiles_read_tetex_data($1_usertype)
	miscfiles_exec_tetex_data($1_usertype)

	seutil_read_config($1_usertype)

	optional_policy(`
		cups_read_config($1_usertype)
		cups_stream_connect($1_usertype)
		cups_stream_connect_ptal($1_usertype)
	')

	optional_policy(`
		kerberos_use($1_usertype)
		kerberos_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		mta_dontaudit_read_spool_symlinks($1_usertype)
	')

	optional_policy(`
		quota_dontaudit_getattr_db($1_usertype)
	')

	optional_policy(`
		rpm_read_db($1_usertype)
		rpm_dontaudit_manage_db($1_usertype)
		rpm_read_cache($1_usertype)
	')

	# Domain transition into the mkhomedir helper from $1_t.
	optional_policy(`
		oddjob_run_mkhomedir($1_t, $1_r)
	')
')
963
964 #######################################
965 ## <summary>
966 ## The template for creating an unprivileged login user.
967 ## </summary>
968 ## <desc>
969 ## <p>
970 ## This template creates a user domain, types, and
971 ## rules for the user's tty, pty, home directories,
972 ## tmp, and tmpfs files.
973 ## </p>
974 ## </desc>
975 ## <param name="userdomain_prefix">
976 ## <summary>
977 ## The prefix of the user domain (e.g., user
978 ## is the prefix for user_t).
979 ## </summary>
980 ## </param>
981 #
template(`userdom_restricted_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Everything a login user gets, then mark the domain unprivileged.
	userdom_login_user_template($1)
	typeattribute $1_t unpriv_userdomain;

	##############################
	#
	# Local policy
	#

	domain_interactive_fd($1_t)

	# uevent netlink sockets are allowed for every $1_usertype domain;
	# audit netlink attempts are silenced rather than granted.
	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;

	optional_policy(`
		loadkeys_run($1_t, $1_r)
	')
')
1004
1005 #######################################
1006 ## <summary>
1007 ## The template for creating an unprivileged xwindows login user.
1008 ## </summary>
1009 ## <desc>
1010 ## <p>
1011 ## The template for creating an unprivileged xwindows login user.
1012 ## </p>
1013 ## <p>
1014 ## This template creates a user domain, types, and
1015 ## rules for the user's tty, pty, home directories,
1016 ## tmp, and tmpfs files.
1017 ## </p>
1018 ## </desc>
1019 ## <param name="userdomain_prefix">
1020 ## <summary>
1021 ## The prefix of the user domain (e.g., user
1022 ## is the prefix for user_t).
1023 ## </summary>
1024 ## </param>
1025 #
template(`userdom_restricted_xwindows_user_template',`

	# Unprivileged login user first; everything below is X-session extras.
	userdom_restricted_user_template($1)

	##############################
	#
	# Local policy
	#

	auth_role($1_r, $1_t)
	auth_search_pam_console_data($1_usertype)
	auth_dontaudit_read_login_records($1_usertype)

	dev_read_sound($1_usertype)
	dev_write_sound($1_usertype)
	# gnome keyring wants to read this.
	dev_dontaudit_read_rand($1_usertype)
	# temporarily allow since openoffice requires this
	# (while this allow is present the dontaudit above has no effect,
	# as dontaudit only applies to denials)
	dev_read_rand($1_usertype)

	dev_read_video_dev($1_usertype)
	dev_write_video_dev($1_usertype)
	dev_rw_wireless($1_usertype)

	libs_dontaudit_setattr_lib_files($1_usertype)

	# Gated on user_rw_noexattrfile: besides no-xattr and DOS filesystem
	# management this grants raw read AND write of removable block
	# devices, i.e. the user may rewrite a removable medium wholesale.
	tunable_policy(`user_rw_noexattrfile',`
		dev_rw_usbfs($1_t)
		dev_rw_generic_usb_dev($1_usertype)

		fs_manage_noxattr_fs_files($1_usertype)
		fs_manage_noxattr_fs_dirs($1_usertype)
		fs_manage_dos_dirs($1_usertype)
		fs_manage_dos_files($1_usertype)
		storage_raw_read_removable_device($1_usertype)
		storage_raw_write_removable_device($1_usertype)
	')

	logging_send_syslog_msg($1_usertype)
	logging_dontaudit_send_audit_msgs($1_t)

	# Need to do this just so screensaver will work. Should be moved to screensaver domain
	# (this allow makes the dontaudit just above moot for $1_t)
	logging_send_audit_msgs($1_t)
	selinux_get_enforce_mode($1_t)
	seutil_exec_restorecond($1_t)
	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)

	xserver_restricted_role($1_r, $1_t)

	optional_policy(`
		alsa_read_rw_config($1_usertype)
	')

	# cjp: needed by KDE apps
	# bug: #682499
	optional_policy(`
		gnome_read_usr_config($1_usertype)
	')

	# Session bus role plus system bus client access, with per-service
	# dbus chat wired only when each module is present.
	optional_policy(`
		dbus_role_template($1, $1_r, $1_usertype)
		dbus_system_bus_client($1_usertype)
		allow $1_usertype $1_usertype:dbus send_msg;

		optional_policy(`
			abrt_dbus_chat($1_usertype)
			abrt_run_helper($1_usertype, $1_r)
		')

		optional_policy(`
			consolekit_dontaudit_read_log($1_usertype)
			consolekit_dbus_chat($1_usertype)
		')

		optional_policy(`
			cups_dbus_chat($1_usertype)
			cups_dbus_chat_config($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
		')

		optional_policy(`
			fprintd_dbus_chat($1_t)
		')
	')

	optional_policy(`
		openoffice_role_template($1, $1_r, $1_usertype)
	')

	optional_policy(`
		policykit_role($1_r, $1_usertype)
	')

	optional_policy(`
		pulseaudio_role($1_r, $1_usertype)
	')

	optional_policy(`
		rtkit_scheduled($1_usertype)
	')

	optional_policy(`
		setroubleshoot_dontaudit_stream_connect($1_t)
	')

	optional_policy(`
		udev_read_db($1_usertype)
	')

	optional_policy(`
		wm_role_template($1, $1_r, $1_t)
	')
')
1145
1146 #######################################
1147 ## <summary>
1148 ## The template for creating an unprivileged user roughly
1149 ## equivalent to a regular Linux user.
1150 ## </summary>
1151 ## <desc>
1152 ## <p>
1153 ## The template for creating an unprivileged user roughly
1154 ## equivalent to a regular Linux user.
1155 ## </p>
1156 ## <p>
1157 ## This template creates a user domain, types, and
1158 ## rules for the user's tty, pty, home directories,
1159 ## tmp, and tmpfs files.
1160 ## </p>
1161 ## </desc>
1162 ## <param name="userdomain_prefix">
1163 ## <summary>
1164 ## The prefix of the user domain (e.g., user
1165 ## is the prefix for user_t).
1166 ## </summary>
1167 ## </param>
1168 #
template(`userdom_unpriv_user_template', `

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	# The restricted X user template is layered first, then the rules common
	# to every login user; everything below is what an unprivileged user gets
	# on top of that.
	userdom_restricted_xwindows_user_template($1)
	userdom_common_user_template($1)

	##############################
	#
	# Local policy
	#

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
	# Need the following rule to allow users to run vpnc
	corenet_tcp_bind_xserver_port($1_t)
	corenet_tcp_bind_generic_node($1_usertype)

	storage_rw_fuse($1_t)

	miscfiles_read_hwdata($1_usertype)

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols

	# Gated by the user_share_music boolean: binding the DAAP port only.
	tunable_policy(`user_share_music',`
		corenet_tcp_bind_daap_port($1_usertype)
	')

	# Gated by the user_tcp_server boolean: every $1_usertype domain may then
	# listen on any unreserved TCP port, so enable it only where user-run
	# network services are expected.
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_all_unreserved_ports($1_usertype)
	')

	# Gated by the user_setrlimit boolean: lets the user raise or lower their
	# own process resource limits.
	tunable_policy(`user_setrlimit',`
		allow $1_usertype self:process setrlimit;
	')

	# The optional blocks below only take effect when the named module is
	# loaded; the *_role_template calls that receive $1 create additional
	# per-user derived domains (execmem, java, mono, wine) reachable from
	# $1_r.
	optional_policy(`
		cdrecord_role($1_r, $1_t)
	')

	optional_policy(`
		cron_role($1_r, $1_t)
	')

	optional_policy(`
		games_rw_data($1_usertype)
	')

	optional_policy(`
		gpg_role($1_r, $1_usertype)
	')

	optional_policy(`
		gnomeclock_dbus_chat($1_t)
	')

	optional_policy(`
		gpm_stream_connect($1_usertype)
	')

	optional_policy(`
		execmem_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		java_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mono_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mount_run_fusermount($1_t, $1_r)
		mount_read_pid_files($1_t)
	')

	optional_policy(`
		wine_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		postfix_run_postdrop($1_t, $1_r)
	')

	# Run pppd in pppd_t by default for user
	optional_policy(`
		ppp_run_cond($1_t, $1_r)
	')
')
1265
1266 #######################################
1267 ## <summary>
1268 ## The template for creating an administrative user.
1269 ## </summary>
1270 ## <desc>
1271 ## <p>
1272 ## This template creates a user domain, types, and
1273 ## rules for the user's tty, pty, home directories,
1274 ## tmp, and tmpfs files.
1275 ## </p>
1276 ## <p>
1277 ## The privileges given to administrative users are:
1278 ## <ul>
1279 ## <li>Raw disk access</li>
1280 ## <li>Set all sysctls</li>
1281 ## <li>All kernel ring buffer controls</li>
1282 ## <li>Create, read, write, and delete all files but shadow</li>
1283 ## <li>Manage source and binary format SELinux policy</li>
1284 ## <li>Run insmod</li>
1285 ## </ul>
1286 ## </p>
1287 ## </desc>
1288 ## <param name="userdomain_prefix">
1289 ## <summary>
1290 ## The prefix of the user domain (e.g., sysadm
1291 ## is the prefix for sysadm_t).
1292 ## </summary>
1293 ## </param>
1294 #
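template(`userdom_admin_user_template',`
	gen_require(`
		attribute admindomain;
		class passwd { passwd chfn chsh rootok crontab };
	')

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_login_user_template($1)
	userdom_common_user_template($1)

	domain_obj_id_change_exemption($1_t)
	role system_r types $1_t;

	# admindomain is what other modules key on when they want to grant
	# something to "any administrative user" (e.g. the TUN socket relabel in
	# userdom_attach_admin_tun_iface).
	typeattribute $1_t admindomain;

	ifdef(`direct_sysadm_daemon',`
		domain_system_change_exemption($1_t)
	')

	##############################
	#
	# $1_t local policy
	#

	# Every capability except module loading and audit control/write; the
	# audit ones stay out so an admin cannot silence or forge audit records,
	# and sys_module is handled through the modutils transition below.
	allow $1_t self:capability ~{ sys_module audit_control audit_write };
	allow $1_t self:capability2 syslog;
	allow $1_t self:process { setexec setfscreate };
	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
	allow $1_t self:tun_socket create;
	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };
	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctls($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	kernel_signal($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_rw_tun_tap_dev($1_t)

	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)
	# for lsof
	dev_getattr_mtrr_dev($1_t)
	# Allow MAKEDEV to work
	dev_create_all_blk_files($1_t)
	dev_create_all_chr_files($1_t)
	dev_delete_all_blk_files($1_t)
	dev_delete_all_chr_files($1_t)
	dev_rename_all_blk_files($1_t)
	dev_rename_all_chr_files($1_t)
	dev_create_generic_symlinks($1_t)
	dev_rw_generic_usb_dev($1_t)
	dev_rw_usbfs($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	domain_getattr_all_domains($1_t)
	domain_getcap_all_domains($1_t)
	domain_dontaudit_ptrace_all_domains($1_t)
	# signal all domains:
	# (one duplicated domain_sigstop_all_domains call removed)
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)
	domain_dontaudit_getattr_all_sockets($1_t)

	files_exec_usr_src_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_getattr_all_files($1_t)
	fs_list_all($1_t)
	fs_set_all_quotas($1_t)
	fs_exec_noxattr($1_t)

	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)
	storage_dontaudit_read_fixed_disk($1_t)

	term_use_all_inherited_terms($1_t)

	# Shadow is deliberately left out of the manage/relabel grants below;
	# only its attributes are readable from this domain.
	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	init_telinit($1_t)

	logging_send_syslog_msg($1_t)

	optional_policy(`
		modutils_domtrans_insmod($1_t)
		modutils_domtrans_depmod($1_t)
	')

	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_policy($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_bin_policy($1_t)

	userdom_manage_user_home_content_dirs($1_t)
	userdom_manage_user_home_content_files($1_t)
	userdom_manage_user_home_content_symlinks($1_t)
	userdom_manage_user_home_content_pipes($1_t)
	userdom_manage_user_home_content_sockets($1_t)
	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })

	# Without the boolean, filesystems lacking xattr labels are read-only.
	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files($1_t)
		fs_manage_noxattr_fs_dirs($1_t)
	',`
		fs_read_noxattr_fs_files($1_t)
	')

	optional_policy(`
		postgresql_unconfined($1_t)
	')

	optional_policy(`
		userhelper_exec($1_t)
	')
')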
1447
1448 ########################################
1449 ## <summary>
1450 ## Grant a domain the privileges of a security administrator (secadm).
1451 ## </summary>
1452 ## <desc>
1453 ## <p>
1454 ## Grant the domain security administrator privileges: managing
1455 ## and loading SELinux policy, setting booleans and the enforcing
1456 ## mode, MLS level overrides, relabeling all files including
1457 ## shadow, and reading the audit log and audit configuration.
1458 ## </p>
1458 ## <p>
1459 ## This is a templated interface, and should only
1460 ## be called from a per-userdomain template.
1461 ## </p>
1462 ## </desc>
1463 ## <param name="domain">
1464 ## <summary>
1465 ## Domain allowed access.
1466 ## </summary>
1467 ## </param>
1468 ## <param name="role">
1469 ## <summary>
1470 ## The role allowed to run the security administration tools.
1471 ## </summary>
1472 ## </param>
1473 #
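template(`userdom_security_admin_template',`
	# DAC override is presumably needed so relabeling and policy tooling
	# work on files of any owner — confirm against the seutil/auth callers.
	allow $1 self:capability { dac_read_search dac_override };

	corecmd_exec_shell($1)

	domain_obj_id_change_exemption($1)

	dev_relabel_all_dev_nodes($1)

	files_create_boot_flag($1)
	files_create_default_dir($1)
	files_root_filetrans_default($1, dir)

	# Necessary for managing /boot/efi
	fs_manage_dos_files($1)

	# MLS overrides: read up, read every level, and move files between
	# levels in both directions.
	mls_process_read_up($1)
	mls_file_read_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	# Control of the SELinux enforcement state itself.
	selinux_set_enforce_mode($1)
	selinux_set_all_booleans($1)
	selinux_set_parameters($1)
	selinux_read_policy($1)

	# Unlike the admin user template, shadow is included here.
	auth_relabel_all_files_except_shadow($1)
	auth_relabel_shadow($1)

	init_exec($1)

	logging_send_syslog_msg($1)
	logging_read_audit_log($1)
	logging_read_generic_logs($1)
	logging_read_audit_config($1)

	# Policy management tools run in their own domains, reachable from
	# role $2 (argument spacing normalized to the file's `$1, $2' form).
	seutil_manage_bin_policy($1)
	seutil_run_checkpolicy($1, $2)
	seutil_run_loadpolicy($1, $2)
	seutil_run_semanage($1, $2)
	seutil_run_setsebool($1, $2)
	seutil_run_setfiles($1, $2)

	optional_policy(`
		aide_run($1, $2)
	')

	optional_policy(`
		consoletype_exec($1)
	')

	optional_policy(`
		dmesg_exec($1)
	')

	optional_policy(`
		ipsec_run_setkey($1, $2)
	')

	optional_policy(`
		netlabel_run_mgmt($1, $2)
	')

	optional_policy(`
		samhain_run($1, $2)
	')
')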
1541
1542 ########################################
1543 ## <summary>
1544 ## Make the specified type usable in a
1545 ## user home directory.
1546 ## </summary>
1547 ## <param name="type">
1548 ## <summary>
1549 ## Type to be used as a file in the
1550 ## user home directory.
1551 ## </summary>
1552 ## </param>
1553 #
interface(`userdom_user_home_content',`
	gen_require(`
		type user_home_t;
		attribute user_home_type;
	')

	# Let objects labeled $1 live on filesystems labeled user_home_t, and
	# treat $1 as an ordinary, UBAC-constrained file type.
	allow $1 user_home_t:filesystem associate;
	files_type($1)
	ubac_constrained($1)

	# Tagging $1 with user_home_type makes the generic user home interfaces
	# in this file (list, read, exec, dontaudit, ...) apply to it.
	files_poly_member($1)
	typeattribute $1 user_home_type;
')
1567
1568 ########################################
1569 ## <summary>
1570 ## Make the specified type usable in a
1571 ## generic temporary directory.
1572 ## </summary>
1573 ## <param name="type">
1574 ## <summary>
1575 ## Type to be used as a file in the
1576 ## generic temporary directory.
1577 ## </summary>
1578 ## </param>
1579 #
interface(`userdom_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Group $1 with the other user tmp types, then mark it as a tmp file
	# type subject to UBAC.
	typeattribute $1 user_tmp_type;

	files_tmp_file($1)
	ubac_constrained($1)
')
1590
1591 ########################################
1592 ## <summary>
1593 ## Allow domain to attach to TUN devices created by administrative users.
1594 ## </summary>
1595 ## <param name="domain">
1596 ## <summary>
1597 ## Domain allowed access.
1598 ## </summary>
1599 ## </param>
1600 #
interface(`userdom_attach_admin_tun_iface',`
	gen_require(`
		attribute admindomain;
	')

	# A TUN socket created by any admindomain may be relabeled away from
	# the admin and onto $1 (relabelfrom on the admin side, relabelto on
	# self), which is how $1 takes over an admin-created tunnel.
	allow $1 admindomain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')
1609
1610 ########################################
1611 ## <summary>
1612 ## Set the attributes of a user pty.
1613 ## </summary>
1614 ## <param name="domain">
1615 ## <summary>
1616 ## Domain allowed access.
1617 ## </summary>
1618 ## </param>
1619 #
interface(`userdom_setattr_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Attribute changes only (e.g. chown/chmod of the pty); no read/write.
	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
')
1627
1628 ########################################
1629 ## <summary>
1630 ## Create a user pty.
1631 ## </summary>
1632 ## <param name="domain">
1633 ## <summary>
1634 ## Domain allowed access.
1635 ## </summary>
1636 ## </param>
1637 #
interface(`userdom_create_user_pty',`
	gen_require(`
		type user_devpts_t;
	')

	# Delegates to the terminal module so new ptys get user_devpts_t.
	term_create_pty($1, user_devpts_t)
')
1645
1646 ########################################
1647 ## <summary>
1648 ## Get the attributes of user home directories.
1649 ## </summary>
1650 ## <param name="domain">
1651 ## <summary>
1652 ## Domain allowed access.
1653 ## </summary>
1654 ## </param>
1655 #
interface(`userdom_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# stat() on the home directory itself plus search of /home so the path
	# can be reached; no listing of contents.
	allow $1 user_home_dir_t:dir getattr_dir_perms;
	files_search_home($1)
')
1664
1665 ########################################
1666 ## <summary>
1667 ## Do not audit attempts to get the attributes of user home directories.
1668 ## </summary>
1669 ## <param name="domain">
1670 ## <summary>
1671 ## Domain to not audit.
1672 ## </summary>
1673 ## </param>
1674 #
interface(`userdom_dontaudit_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Silence the denial only; access is still refused.
	dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
')
1682
1683 ########################################
1684 ## <summary>
1685 ## Search user home directories.
1686 ## </summary>
1687 ## <param name="domain">
1688 ## <summary>
1689 ## Domain allowed access.
1690 ## </summary>
1691 ## </param>
1692 #
interface(`userdom_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Path traversal through the home directory (search, not list), plus
	# following symlinks labeled user_home_dir_t on the way.
	allow $1 user_home_dir_t:dir search_dir_perms;
	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
	files_search_home($1)
')
1702
1703 ########################################
1704 ## <summary>
1705 ## Do not audit attempts to search user home directories.
1706 ## </summary>
1707 ## <desc>
1708 ## <p>
1709 ## Do not audit attempts to search user home directories.
1710 ## This will suppress SELinux denial messages when the specified
1711 ## domain is denied the permission to search these directories.
1712 ## </p>
1713 ## </desc>
1714 ## <param name="domain">
1715 ## <summary>
1716 ## Domain to not audit.
1717 ## </summary>
1718 ## </param>
1719 ## <infoflow type="none"/>
1720 #
interface(`userdom_dontaudit_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Silence the denial only; access is still refused.
	dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
1728
1729 ########################################
1730 ## <summary>
1731 ## List user home directories.
1732 ## </summary>
1733 ## <param name="domain">
1734 ## <summary>
1735 ## Domain allowed access.
1736 ## </summary>
1737 ## </param>
1738 #
interface(`userdom_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Directory listing of the home directory itself.
	allow $1 user_home_dir_t:dir list_dir_perms;
	files_search_home($1)

	# Home directories on NFS or CIFS carry the network filesystem label
	# rather than user_home_dir_t, so those need their own rules, gated by
	# the corresponding booleans.
	tunable_policy(`use_nfs_home_dirs',`
		fs_list_nfs($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_list_cifs($1)
	')
')
1755
1756 ########################################
1757 ## <summary>
1758 ## Do not audit attempts to list user home subdirectories.
1759 ## </summary>
1760 ## <param name="domain">
1761 ## <summary>
1762 ## Domain to not audit.
1763 ## </summary>
1764 ## </param>
1765 #
interface(`userdom_dontaudit_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
		type user_home_t;
	')

	# Covers both the home directory and its user_home_t subdirectories;
	# silences the denial only.
	dontaudit $1 user_home_dir_t:dir list_dir_perms;
	dontaudit $1 user_home_t:dir list_dir_perms;
')
1775
1776 ########################################
1777 ## <summary>
1778 ## Create user home directories.
1779 ## </summary>
1780 ## <param name="domain">
1781 ## <summary>
1782 ## Domain allowed access.
1783 ## </summary>
1784 ## </param>
1785 #
interface(`userdom_create_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Creation only; see userdom_manage_user_home_dirs for full management.
	allow $1 user_home_dir_t:dir create_dir_perms;
')
1793
1794 ########################################
1795 ## <summary>
1796 ## Create, read, write, and delete user home directories.
1797 ## </summary>
1798 ## <param name="domain">
1799 ## <summary>
1800 ## Domain allowed access.
1801 ## </summary>
1802 ## </param>
1803 #
interface(`userdom_manage_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Full management (create/read/write/delete) of the home directory
	# node itself — typically an account management tool, not a user.
	allow $1 user_home_dir_t:dir manage_dir_perms;
')
1811
1812 ########################################
1813 ## <summary>
1814 ## Relabel to user home directories.
1815 ## </summary>
1816 ## <param name="domain">
1817 ## <summary>
1818 ## Domain allowed access.
1819 ## </summary>
1820 ## </param>
1821 #
interface(`userdom_relabelto_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# relabelto only: $1 must separately hold relabelfrom on the old type.
	allow $1 user_home_dir_t:dir relabelto;
')
1829
1830
1831 ########################################
1832 ## <summary>
1833 ## Relabel to user home files.
1834 ## </summary>
1835 ## <param name="domain">
1836 ## <summary>
1837 ## Domain allowed access.
1838 ## </summary>
1839 ## </param>
1840 #
interface(`userdom_relabelto_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# relabelto only: $1 must separately hold relabelfrom on the old type.
	allow $1 user_home_t:file relabelto;
')
1848 ########################################
1849 ## <summary>
1850 ## Relabel user home files.
1851 ## </summary>
1852 ## <param name="domain">
1853 ## <summary>
1854 ## Domain allowed access.
1855 ## </summary>
1856 ## </param>
1857 #
interface(`userdom_relabel_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# Both directions (relabelfrom and relabelto) on user home files.
	allow $1 user_home_t:file relabel_file_perms;
')
1865
1866 ########################################
1867 ## <summary>
1868 ## Create directories in the home dir root with
1869 ## the user home directory type.
1870 ## </summary>
1871 ## <param name="domain">
1872 ## <summary>
1873 ## Domain allowed access.
1874 ## </summary>
1875 ## </param>
1876 #
interface(`userdom_home_filetrans_user_home_dir',`
	gen_require(`
		type user_home_dir_t;
	')

	# New directories $1 creates under the home root are labeled
	# user_home_dir_t automatically; only the dir class is covered.
	files_home_filetrans($1, user_home_dir_t, dir)
')
1884
1885 ########################################
1886 ## <summary>
1887 ## Do a domain transition to the specified
1888 ## domain when executing a program in the
1889 ## user home directory.
1890 ## </summary>
1891 ## <desc>
1892 ## <p>
1893 ## Do a domain transition to the specified
1894 ## domain when executing a program in the
1895 ## user home directory.
1896 ## </p>
1897 ## <p>
1898 ## No interprocess communication (signals, pipes,
1899 ## etc.) is provided by this interface since
1900 ## the domains are not owned by this module.
1901 ## </p>
1902 ## </desc>
1903 ## <param name="source_domain">
1904 ## <summary>
1905 ## Domain allowed to transition.
1906 ## </summary>
1907 ## </param>
1908 ## <param name="target_domain">
1909 ## <summary>
1910 ## Domain to transition to.
1911 ## </summary>
1912 ## </param>
1913 #
interface(`userdom_user_home_domtrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Executing a user_home_t file from $1 transitions to $2. user_home_t
	# is content the user can write (see the userdom_manage_* interfaces),
	# so $2 becomes reachable through user-supplied executables; callers
	# should only pair this with a domain designed for that.
	domain_auto_trans($1, user_home_t, $2)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
1923
1924 ########################################
1925 ## <summary>
1926 ## Do not audit attempts to search user home content directories.
1927 ## </summary>
1928 ## <param name="domain">
1929 ## <summary>
1930 ## Domain to not audit.
1931 ## </summary>
1932 ## </param>
1933 #
interface(`userdom_dontaudit_search_user_home_content',`
	gen_require(`
		type user_home_t;
	')

	# Silence search denials on home content, including homes that live
	# on NFS or CIFS; access is still refused.
	dontaudit $1 user_home_t:dir search_dir_perms;
	fs_dontaudit_list_nfs($1)
	fs_dontaudit_list_cifs($1)
')
1943
1944 ########################################
1945 ## <summary>
1946 ## List contents of users home directory.
1947 ## </summary>
1948 ## <param name="domain">
1949 ## <summary>
1950 ## Domain allowed access.
1951 ## </summary>
1952 ## </param>
1953 #
interface(`userdom_list_user_home_content',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	# Listing of /home, the home directory, and every directory type
	# carrying user_home_type (see userdom_user_home_content).
	files_list_home($1)
	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
')
1963
1964 ########################################
1965 ## <summary>
1966 ## Create, read, write, and delete directories
1967 ## in a user home subdirectory.
1968 ## </summary>
1969 ## <param name="domain">
1970 ## <summary>
1971 ## Domain allowed access.
1972 ## </summary>
1973 ## </param>
1974 #
interface(`userdom_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Manage user_home_t directories located either directly in the home
	# directory or inside other user_home_t directories.
	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
1983
1984 ########################################
1985 ## <summary>
1986 ## Delete directories in a user home subdirectory.
1987 ## </summary>
1988 ## <param name="domain">
1989 ## <summary>
1990 ## Domain allowed access.
1991 ## </summary>
1992 ## </param>
1993 #
interface(`userdom_delete_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Deletion only; no search of the home directory is granted here, so
	# callers usually pair this with userdom_search_user_home_dirs.
	allow $1 user_home_t:dir delete_dir_perms;
')
2001
2002 ########################################
2003 ## <summary>
2004 ## Set the attributes of user home files.
2005 ## </summary>
2006 ## <param name="domain">
2007 ## <summary>
2008 ## Domain allowed access.
2009 ## </summary>
2010 ## </param>
2011 ## <rolecap/>
2012 #
interface(`userdom_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Bare setattr, unlike the dontaudit sibling which uses
	# setattr_file_perms; getattr is not granted by this interface.
	allow $1 user_home_t:file setattr;
')
2020
2021 ########################################
2022 ## <summary>
2023 ## Do not audit attempts to set the
2024 ## attributes of user home files.
2025 ## </summary>
2026 ## <param name="domain">
2027 ## <summary>
2028 ## Domain to not audit.
2029 ## </summary>
2030 ## </param>
2031 #
interface(`userdom_dontaudit_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence the denial only; access is still refused.
	dontaudit $1 user_home_t:file setattr_file_perms;
')
2039
2040 ########################################
2041 ## <summary>
2042 ## Mmap user home files.
2043 ## </summary>
2044 ## <param name="domain">
2045 ## <summary>
2046 ## Domain allowed access.
2047 ## </summary>
2048 ## </param>
2049 #
interface(`userdom_mmap_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Map user_home_t files found in the home directory or in user_home_t
	# subdirectories.
	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
2058
2059 ########################################
2060 ## <summary>
2061 ## Read user home files.
2062 ## </summary>
2063 ## <param name="domain">
2064 ## <summary>
2065 ## Domain allowed access.
2066 ## </summary>
2067 ## </param>
2068 #
interface(`userdom_read_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Read access also lists the home directory and user_home_t
	# subdirectories, since reading a file requires finding it.
	list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
2078
2079 ########################################
2080 ## <summary>
2081 ## Do not audit attempts to get the attributes of user home directories and files.
2082 ## </summary>
2083 ## <param name="domain">
2084 ## <summary>
2085 ## Domain to not audit.
2086 ## </summary>
2087 ## </param>
2088 #
interface(`userdom_dontaudit_getattr_user_home_content',`
	gen_require(`
		attribute user_home_type;
	')

	# Applies to every type tagged user_home_type, dirs and files alike;
	# silences the denial only.
	dontaudit $1 user_home_type:dir getattr;
	dontaudit $1 user_home_type:file getattr;
')
2097
2098 ########################################
2099 ## <summary>
2100 ## Do not audit attempts to read user home files.
2101 ## </summary>
2102 ## <param name="domain">
2103 ## <summary>
2104 ## Domain to not audit.
2105 ## </summary>
2106 ## </param>
2107 #
interface(`userdom_dontaudit_read_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
		type user_home_dir_t;
	')

	# Silence the whole read path: listing the home directory and any
	# user_home_type directory, and reading files and symlinks of those
	# types. Access is still refused.
	dontaudit $1 user_home_dir_t:dir list_dir_perms;
	dontaudit $1 user_home_type:dir list_dir_perms;
	dontaudit $1 user_home_type:file read_file_perms;
	dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
')
2119
2120 ########################################
2121 ## <summary>
2122 ## Do not audit attempts to append user home files.
2123 ## </summary>
2124 ## <param name="domain">
2125 ## <summary>
2126 ## Domain to not audit.
2127 ## </summary>
2128 ## </param>
2129 #
interface(`userdom_dontaudit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence the denial only; access is still refused.
	dontaudit $1 user_home_t:file append_file_perms;
')
2137
2138 ########################################
2139 ## <summary>
2140 ## Do not audit attempts to write user home files.
2141 ## </summary>
2142 ## <param name="domain">
2143 ## <summary>
2144 ## Domain to not audit.
2145 ## </summary>
2146 ## </param>
2147 #
interface(`userdom_dontaudit_write_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence the denial only; access is still refused.
	dontaudit $1 user_home_t:file write_file_perms;
')
2155
2156 ########################################
2157 ## <summary>
2158 ## Delete files in a user home subdirectory.
2159 ## </summary>
2160 ## <param name="domain">
2161 ## <summary>
2162 ## Domain allowed access.
2163 ## </summary>
2164 ## </param>
2165 #
interface(`userdom_delete_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Deletion only; search of the enclosing directories is not granted
	# here.
	allow $1 user_home_t:file delete_file_perms;
')
2173
2174 ########################################
2175 ## <summary>
2176 ## Delete sock files in a user home subdirectory.
2177 ## </summary>
2178 ## <param name="domain">
2179 ## <summary>
2180 ## Domain allowed access.
2181 ## </summary>
2182 ## </param>
2183 #
interface(`userdom_delete_user_home_content_sock_files',`
	gen_require(`
		type user_home_t;
	')

	# Deletion of named sockets only; search of the enclosing directories
	# is not granted here.
	allow $1 user_home_t:sock_file delete_file_perms;
')
2191
2192 ########################################
2193 ## <summary>
2194 ## Do not audit attempts to relabel user home files.
2195 ## </summary>
2196 ## <param name="domain">
2197 ## <summary>
2198 ## Domain to not audit.
2199 ## </summary>
2200 ## </param>
2201 #
interface(`userdom_dontaudit_relabel_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence relabelfrom/relabelto denials only; access is still refused.
	dontaudit $1 user_home_t:file relabel_file_perms;
')
2209
2210 ########################################
2211 ## <summary>
2212 ## Read user home subdirectory symbolic links.
2213 ## </summary>
2214 ## <param name="domain">
2215 ## <summary>
2216 ## Domain allowed access.
2217 ## </summary>
2218 ## </param>
2219 #
interface(`userdom_read_user_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Follow symlinks of either home type; no directory search is granted.
	allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
')
2227
2228 ########################################
2229 ## <summary>
2230 ## Execute user home files.
2231 ## </summary>
2232 ## <param name="domain">
2233 ## <summary>
2234 ## Domain allowed access.
2235 ## </summary>
2236 ## </param>
2237 ## <rolecap/>
2238 #
interface(`userdom_exec_user_home_content_files',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	# Execute any user_home_type file without a domain transition; since
	# users can write these files this is effectively "run user-supplied
	# code in $1", hence the rolecap marker on this interface.
	files_search_home($1)
	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	# Silence the noise from tools that probe every home entry for execute.
	dontaudit $1 user_home_type:sock_file execute;
')
2249
2250 ########################################
2251 ## <summary>
2252 ## Do not audit attempts to execute user home files.
2253 ## </summary>
2254 ## <param name="domain">
2255 ## <summary>
2256 ## Domain to not audit.
2257 ## </summary>
2258 ## </param>
2259 #
interface(`userdom_dontaudit_exec_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silence the denial only; access is still refused.
	dontaudit $1 user_home_t:file exec_file_perms;
')
2267
2268 ########################################
2269 ## <summary>
2270 ## Create, read, write, and delete files
2271 ## in a user home subdirectory.
2272 ## </summary>
2273 ## <param name="domain">
2274 ## <summary>
2275 ## Domain allowed access.
2276 ## </summary>
2277 ## </param>
2278 #
interface(`userdom_manage_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Files are managed only inside user_home_t directories; the home
	# directory itself is merely searchable from here.
	manage_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
2288
2289 ########################################
2290 ## <summary>
2291 ## Do not audit attempts to create, read, write, and delete directories
2292 ## in a user home subdirectory.
2293 ## </summary>
2294 ## <param name="domain">
2295 ## <summary>
2296 ## Domain to not audit.
2297 ## </summary>
2298 ## </param>
2299 #
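interface(`userdom_dontaudit_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Only user_home_t directories are covered; the home directory itself
	# (user_home_dir_t) is deliberately not silenced here, so the unused
	# require for it was dropped. Access is still refused.
	dontaudit $1 user_home_t:dir manage_dir_perms;
')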
2307
2308 ########################################
2309 ## <summary>
2310 ## Create, read, write, and delete symbolic links
2311 ## in a user home subdirectory.
2312 ## </summary>
2313 ## <param name="domain">
2314 ## <summary>
2315 ## Domain allowed access.
2316 ## </summary>
2317 ## </param>
2318 #
interface(`userdom_manage_user_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Symlinks are managed only inside user_home_t directories; the home
	# directory itself is merely searchable from here.
	manage_lnk_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
2328
2329 ########################################
2330 ## <summary>
2331 ## Delete symbolic links in a user home directory.
2332 ## </summary>
2333 ## <param name="domain">
2334 ## <summary>
2335 ## Domain allowed access.
2336 ## </summary>
2337 ## </param>
2338 #
interface(`userdom_delete_user_home_content_symlinks',`
	gen_require(`
		type user_home_t;
	')

	# Deletion only; search of the enclosing directories is not granted
	# here.
	allow $1 user_home_t:lnk_file delete_lnk_file_perms;
')
2346
2347 ########################################
2348 ## <summary>
2349 ## Create, read, write, and delete named pipes
2350 ## in a user home subdirectory.
2351 ## </summary>
2352 ## <param name="domain">
2353 ## <summary>
2354 ## Domain allowed access.
2355 ## </summary>
2356 ## </param>
2357 #
interface(`userdom_manage_user_home_content_pipes',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Named pipes are managed only inside user_home_t directories; the
	# home directory itself is merely searchable from here.
	manage_fifo_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
2367
########################################
## <summary>
##	Create, read, write, and delete named sockets
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content_sockets',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Full sock_file management under the home content type, plus the
	# directory searches needed to reach it.
	manage_sock_files_pattern($1, user_home_t, user_home_t)
	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
')

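########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans',`
	gen_require(`
		type user_home_dir_t;
	')

	# $4 is the optional object name for a named type transition; when the
	# caller omits it the transition applies to every new object of $3.
	filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
	files_search_home($1)
')
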
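########################################
## <summary>
##	Create objects in a user home content directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`userdom_user_home_content_filetrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Pass the optional name through so callers can request a named
	# transition, matching userdom_user_home_dir_filetrans.  Existing
	# three-argument callers are unaffected ($4 expands empty).
	filetrans_pattern($1, user_home_t, $2, $3, $4)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
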
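########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	the user home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Optional $3 selects a named transition, as userdom_user_home_dir_filetrans
	# does; two-argument callers keep the unnamed behaviour.
	filetrans_pattern($1, user_home_dir_t, user_home_t, $2, $3)
	files_search_home($1)
')
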
########################################
## <summary>
##	Write to user temporary named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_sockets',`
	gen_require(`
		type user_tmp_t;
	')

	# Reach /tmp, then write (connect) to the user's sock_files there.
	files_search_tmp($1)
	allow $1 user_tmp_t:sock_file write_sock_file_perms;
')

########################################
## <summary>
##	List user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Listing only -- no file access is granted here.
	files_search_tmp($1)
	allow $1 user_tmp_t:dir list_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_list_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the AVC denial only; the listing is still refused.
	dontaudit $1 user_tmp_t:dir list_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to manage user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_manage_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	# Silences the full manage permission set on the directory class;
	# nothing is granted.
	dontaudit $1 user_tmp_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Read user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Directory traversal first, then read-only access to the files.
	files_search_tmp($1)
	allow $1 user_tmp_t:dir list_dir_perms;
	read_files_pattern($1, user_tmp_t, user_tmp_t)
')

########################################
## <summary>
##	Do not audit attempts to read user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Uses the inherited-descriptor read set, so presumably only reads on
	# an already-open descriptor are silenced, not a fresh open -- verify
	# against the perm set definition.
	dontaudit $1 user_tmp_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to append to user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_append_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Denial messages are dropped; the append is still refused.
	dontaudit $1 user_tmp_t:file append_file_perms;
')

########################################
## <summary>
##	Read and write user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Read/write on existing files only; no create or unlink.
	rw_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
	allow $1 user_tmp_t:dir list_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to manage user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_manage_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Silences the whole manage set on the file class; nothing is allowed.
	dontaudit $1 user_tmp_t:file manage_file_perms;
')

########################################
## <summary>
##	Read user temporary symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_tmp_symlinks',`
	gen_require(`
		type user_tmp_t;
	')

	# Traverse /tmp and the user tmp directory, then follow its links.
	files_search_tmp($1)
	allow $1 user_tmp_t:dir list_dir_perms;
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	# Search /tmp, then full directory management on the user tmp type.
	files_search_tmp($1)
	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Search /tmp, then full file management on the user tmp type.
	files_search_tmp($1)
	manage_files_pattern($1, user_tmp_t, user_tmp_t)
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_symlinks',`
	gen_require(`
		type user_tmp_t;
	')

	# Search /tmp, then full symlink management on the user tmp type.
	files_search_tmp($1)
	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_pipes',`
	gen_require(`
		type user_tmp_t;
	')

	# Search /tmp, then full fifo management on the user tmp type.
	files_search_tmp($1)
	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_sockets',`
	gen_require(`
		type user_tmp_t;
	')

	# Search /tmp, then full sock_file management on the user tmp type.
	files_search_tmp($1)
	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
')

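########################################
## <summary>
##	Create objects in a user temporary directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`userdom_user_tmp_filetrans',`
	gen_require(`
		type user_tmp_t;
	')

	# Optional $4 enables a named transition, as in
	# userdom_user_home_dir_filetrans; three-argument callers are unchanged.
	filetrans_pattern($1, user_tmp_t, $2, $3, $4)
	files_search_tmp($1)
')
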
########################################
## <summary>
##	Create objects in the temporary directory
##	with an automatic type transition to
##	the user temporary type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_tmp_filetrans_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Delegates the transition on the generic tmp directory type to the
	# files module.  NOTE(review): no object name is passed through; if
	# files_tmp_filetrans accepts one, a named-transition variant could be
	# added here -- confirm its signature first.
	files_tmp_filetrans($1, user_tmp_t, $2)
')

########################################
## <summary>
##	Read user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	# Search the tmpfs mount, list the user tmpfs directory, then read
	# regular files and symlinks of that type.
	fs_search_tmpfs($1)
	allow $1 user_tmpfs_t:dir list_dir_perms;
	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
')

########################################
## <summary>
##	Read and write user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	# Like userdom_read_user_tmpfs_files but with read/write on the files;
	# symlinks remain read-only.
	fs_search_tmpfs($1)
	allow $1 user_tmpfs_t:dir list_dir_perms;
	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
')

########################################
## <summary>
##	Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# stat() only; no read or write on the terminal.
	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Silences the stat() denial; access is not granted.
	dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')

########################################
## <summary>
##	Set the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_setattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# chmod/chown-style attribute changes on the tty node only.
	allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_setattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Silences the setattr denial; access is not granted.
	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')

########################################
## <summary>
##	Read and write a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Full terminal read/write, including opening the device itself;
	# use userdom_use_inherited_user_ttys when only an inherited
	# descriptor is needed.
	allow $1 user_tty_device_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Read and write an inherited user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_inherited_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Narrower than userdom_use_user_ttys: the inherited perm set is meant
	# for a descriptor passed down from the user, not for opening the tty.
	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
')

########################################
## <summary>
##	Read and write a user domain pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Full pty read/write, including open; see the inherited variant for
	# the descriptor-only case.
	allow $1 user_devpts_t:chr_file rw_term_perms;
')

########################################
## <summary>
##	Read and write an inherited user domain pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_inherited_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Inherited-descriptor perm set only; opening the pty is not granted.
	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
')

########################################
## <summary>
##	Read and write inherited user TTYs and PTYs.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read and write inherited user
##	TTYs and PTYs. This will allow the domain to
##	interact with the user via the terminal. Typically
##	all interactive applications will require this
##	access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`userdom_use_inherited_user_terminals',`
	gen_require(`
		type user_devpts_t, user_tty_device_t;
	')

	# One rule over both terminal types; the inherited perm set covers a
	# descriptor handed down by the user, not opening the device.
	allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms;
')

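########################################
## <summary>
##	Read and write a user domain tty and pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_user_terminals',`
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	# This is an allow interface (the old header said "Domain to not
	# audit", which described the dontaudit sibling).  Grants full
	# terminal read/write including open on both terminal types.
	allow $1 user_tty_device_t:chr_file rw_term_perms;
	allow $1 user_devpts_t:chr_file rw_term_perms;
')
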
########################################
## <summary>
##	Do not audit attempts to read and write
##	a user domain tty and pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_terminals',`
	gen_require(`
		type user_devpts_t, user_tty_device_t;
	')

	# Single dontaudit over both terminal types; nothing is granted.
	dontaudit $1 { user_devpts_t user_tty_device_t }:chr_file rw_term_perms;
')

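########################################
## <summary>
##	Execute a shell in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	corecmd_shell_spec_domtrans($1, userdomain)
	# Reverse-direction rules for the child: inherit the caller's
	# descriptors, use its pipes and deliver SIGCHLD on exit.  fifo_file
	# uses the fifo perm set, matching userdom_entry_spec_domtrans_unpriv_users.
	allow userdomain $1:fd use;
	allow userdomain $1:fifo_file rw_fifo_file_perms;
	allow userdomain $1:process sigchld;
')
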
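########################################
## <summary>
##	Execute an Xserver session in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_xsession_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# Targets every user domain (attribute userdomain), not only the
	# unprivileged ones -- the old summary said otherwise; see
	# userdom_xsession_spec_domtrans_unpriv_users for that.
	xserver_xsession_spec_domtrans($1, userdomain)
	allow userdomain $1:fd use;
	allow userdomain $1:fifo_file rw_fifo_file_perms;
	allow userdomain $1:process sigchld;
')
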
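########################################
## <summary>
##	Execute a shell in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
	# Child-side rules back to the caller; fifo_file now uses the fifo
	# perm set like userdom_entry_spec_domtrans_unpriv_users.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')
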
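########################################
## <summary>
##	Execute an Xserver session in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_xsession_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
	# Child-side rules back to the caller; fifo_file uses the fifo perm
	# set for consistency with the other spec_domtrans interfaces.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')
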
########################################
## <summary>
##	Manage unprivileged user SysV semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_unpriv_user_semaphores',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Semaphores are labelled with the creating domain, hence the
	# attribute as the target.
	allow $1 unpriv_userdomain:sem create_sem_perms;
')

########################################
## <summary>
##	Manage unprivileged user SysV shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_unpriv_user_shared_mem',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Shared memory segments carry the creating domain's label, hence the
	# attribute as the target.
	allow $1 unpriv_userdomain:shm create_shm_perms;
')

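########################################
## <summary>
##	Execute bin_t in the unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_bin_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	corecmd_bin_spec_domtrans($1, unpriv_userdomain)
	# Child-side rules back to the caller; fifo_file uses the fifo perm
	# set like userdom_entry_spec_domtrans_unpriv_users.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')
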
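########################################
## <summary>
##	Execute all entrypoint files in unprivileged user
##	domains. This is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`userdom_entry_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Broadest of the spec_domtrans variants: any entrypoint file of the
	# unprivileged user domains, not just shells or bin_t.
	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')
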
########################################
## <summary>
##	Search user home directories and their contents.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_user_home_content',`
	gen_require(`
		attribute user_home_type;
		type user_home_dir_t;
	')

	# Search (not list) the home directory and every home content type,
	# and follow symlinks among them; listing applies to /home itself.
	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
	files_list_home($1)
')

########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# "signal" only; SIGKILL/SIGSTOP/SIGCHLD have their own permissions.
	allow $1 unpriv_userdomain:process signal;
')

########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_unpriv_users_fds',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# fd:use alone does not grant access to the object behind the
	# descriptor; that is checked separately against the object's type.
	allow $1 unpriv_userdomain:fd use;
')

########################################
## <summary>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains. This will suppress
##	SELinux denial messages when the specified domain is denied
##	the permission to inherit these file descriptors.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_use_unpriv_user_fds',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Only the audit message is suppressed; the descriptor stays unusable.
	dontaudit $1 unpriv_userdomain:fd use;
')

########################################
## <summary>
##	Do not audit attempts to use user ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# NOTE(review): uses the generic file perm set here, whereas the
	# allow counterparts use rw_inherited_term_perms / rw_term_perms;
	# the sets are presumably near-identical but check which ioctl/lock
	# denials this actually silences before relying on it.
	dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
')

########################################
## <summary>
##	Relabel character files to the user pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabelto_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# relabelto only: the caller also needs relabelfrom on the source
	# type for a relabel to succeed.
	allow $1 user_devpts_t:chr_file relabelto;
')

########################################
## <summary>
##	Do not audit attempts to relabel files from
##	user pty types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_relabelfrom_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Silences relabelfrom denials on the pty type; nothing is granted.
	dontaudit $1 user_devpts_t:chr_file relabelfrom;
')

########################################
## <summary>
##	Write user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Write only.  NOTE(review): unlike the other user_tmp_t interfaces
	# this does not call files_search_tmp(), so the caller presumably
	# already has search on tmp_t -- confirm.
	write_files_pattern($1, user_tmp_t, user_tmp_t)
')

########################################
## <summary>
##	Do not audit attempts to write user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Bare "write" permission, not a perm set: open/append denials on
	# these files are still audited.
	dontaudit $1 user_tmp_t:file write;
')

########################################
## <summary>
##	Do not audit attempts to read/write user
##	temporary fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_user_tmp_pipes',`
	gen_require(`
		type user_tmp_t;
	')

	# Inherited-descriptor fifo perms: the typical case of a pipe handed
	# down from the user that the domain may not use.
	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# NOTE(review): generic file perm set on a chr_file, while the allow
	# counterpart (userdom_use_user_ttys) uses rw_term_perms; confirm the
	# two sets line up for the denials this is meant to silence.
	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Read the process state of all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_all_users_state',`
	gen_require(`
		attribute userdomain;
	')

	# Process state lives under /proc/<pid>, labelled with the process
	# domain, so the pattern targets the userdomain attribute.
	kernel_search_proc($1)
	read_lnk_files_pattern($1, userdomain, userdomain)
	read_files_pattern($1, userdomain, userdomain)
')

########################################
## <summary>
##	Get the attributes of all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# process:getattr only (e.g. reading another process's context).
	allow $1 userdomain:process getattr;
')

########################################
## <summary>
##	Inherit the file descriptors from all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	# fd:use does not grant access to the underlying object; that is
	# checked against the object's own type.
	allow $1 userdomain:fd use;
')

########################################
## <summary>
##	Do not audit attempts to inherit the file
##	descriptors from any user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	# Audit suppression only; the descriptor remains unusable.
	dontaudit $1 userdomain:fd use;
')

########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# "signal" only; see userdom_kill_all_users / userdom_sigchld_all_users
	# for SIGKILL and SIGCHLD.
	allow $1 userdomain:process signal;
')

########################################
## <summary>
##	Send kill signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_kill_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# SIGKILL against every user domain -- a powerful grant; callers
	# should be limited to session/process managers.
	allow $1 userdomain:process sigkill;
')

########################################
## <summary>
##	Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_sigchld_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# Needed by children of user domains to report their exit.
	allow $1 userdomain:process sigchld;
')

########################################
## <summary>
##	Create keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	# Kernel keyring keys labelled with a user domain; create only, no
	# read/write/search on existing keys.
	allow $1 userdomain:key create;
')

########################################
## <summary>
##	Send a dbus message to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dbus_send_all_users',`
	gen_require(`
		attribute userdomain;
		class dbus send_msg;
	')

	# One direction only; replies from user domains need the reverse rule.
	allow $1 userdomain:dbus send_msg;
')

########################################
## <summary>
##	Allow user domains to inherit resource limits from the
##	specified domain (process rlimitinh).
## </summary>
## <desc>
##	<p>
##	Grants process:rlimitinh from the caller to every type carrying
##	the userdomain attribute. The kernel checks this permission on
##	a domain transition into a user domain to decide whether the new
##	process keeps the caller's rlimits rather than having them
##	reset. Despite the summary wording in older versions, nothing
##	here lets the caller "set" limits on running user processes.
##	</p>
##	<p>
##	NOTE: the interface name contains a typo ("rlimitnh" for
##	"rlimitinh"); it is kept unchanged for existing callers.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain whose resource limits user domains may inherit.
##	</summary>
## </param>
#
interface(`userdom_set_rlimitnh',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process rlimitinh;
')
3654
########################################
## <summary>
##	Make the specified type an unprivileged user domain
##	of the given user prefix.
## </summary>
## <desc>
##	<p>
##	Adds the type to the per-user $1_usertype attribute as well as
##	to the unpriv_userdomain and userdomain attributes, and applies
##	the UBAC constraint to it. As a consequence, every rule in this
##	file that targets userdomain or unpriv_userdomain (signals,
##	ptrace, keys, dbus, IPC, ...) will also apply to this type.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	The type to be marked as an unprivileged user domain.
##	</summary>
## </param>
#
template(`userdom_unpriv_usertype',`
	gen_require(`
		attribute unpriv_userdomain, userdomain;
		attribute $1_usertype;
	')
	typeattribute $2 $1_usertype;
	typeattribute $2 unpriv_userdomain;
	typeattribute $2 userdomain;

	ubac_constrained($2)
')
3687
########################################
## <summary>
##	Connect to user domains over a unix stream socket.
## </summary>
## <desc>
##	<p>
##	Allows connecting to unix stream sockets whose socket file is
##	labeled user_tmp_t (searching user_tmp_t directories on the way)
##	and whose listening process runs in any userdomain type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_stream_connect',`
	gen_require(`
		type user_tmp_t;
		attribute userdomain;
	')

	stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
')
3706
########################################
## <summary>
##	Ptrace all user domains.
## </summary>
## <desc>
##	<p>
##	Grants process:ptrace against every type carrying the userdomain
##	attribute. A domain that can ptrace another can read and modify
##	its memory and registers, which includes any secrets the traced
##	process holds, so this is effectively full control over every
##	user session. Callers should wrap this in a tunable (or restrict
##	it to debugging tools) rather than granting it unconditionally.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_ptrace_all_users',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process ptrace;
')
3724
########################################
## <summary>
##	Do not audit attempts to search the /root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	# Only suppresses the log entry; no access to admin_home_t is granted.
	dontaudit $1 admin_home_t:dir search_dir_perms;
')
3742
########################################
## <summary>
##	Do not audit attempts to list the /root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	# Only suppresses the log entry; no access to admin_home_t is granted.
	dontaudit $1 admin_home_t:dir list_dir_perms;
')
3760
########################################
## <summary>
##	List the contents of the /root directory.
## </summary>
## <desc>
##	<p>
##	Grants directory listing on admin_home_t only; reading the files
##	themselves needs userdom_read_admin_home_files(). Listing still
##	reveals file names in the administrator's home, so prefer
##	userdom_search_admin_dir() when the caller only needs to
##	traverse /root to reach a known path.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:dir list_dir_perms;
')
3778
########################################
## <summary>
##	Search the /root directory.
## </summary>
## <desc>
##	<p>
##	Grants only search on admin_home_t directories, enough to
##	traverse /root to a known path without being able to enumerate
##	its contents. This is the least-privilege choice for callers
##	that open a specific file under /root.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:dir search_dir_perms;
')
3796
########################################
## <summary>
##	Read and write unprivileged user SysV semaphores.
## </summary>
## <desc>
##	<p>
##	Grants sem read/write permissions against every type carrying
##	the unpriv_userdomain attribute. Creation and destruction of the
##	semaphore sets are not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_semaphores',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:sem rw_sem_perms;
')
3814
########################################
## <summary>
##	Send messages to unprivileged user domains over a
##	unix domain datagram socket.
## </summary>
## <desc>
##	<p>
##	Grants unix_dgram_socket:sendto against every type carrying the
##	unpriv_userdomain attribute. For all user domains, including
##	privileged ones, use userdom_users_dgram_send() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dgram_send',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
')
3833
########################################
## <summary>
##	Send messages to all user domains over a unix
##	domain datagram socket.
## </summary>
## <desc>
##	<p>
##	Grants unix_dgram_socket:sendto against every type carrying the
##	userdomain attribute, i.e. a superset of userdom_dgram_send().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_users_dgram_send',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:unix_dgram_socket sendto;
')
3852
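########################################
## <summary>
##	Allow execmod on files in user home directories.
## </summary>
## <desc>
##	<p>
##	Grants file:execmod on every type carrying the user_home_type
##	attribute. execmod is the permission SELinux checks when a
##	process makes a private, modified mapping of a file executable
##	(text relocations and similar), so this relaxes W^X for
##	user-controlled content; callers should normally gate it behind
##	a tunable rather than grant it unconditionally.
##	</p>
##	<p>
##	user_home_type is an attribute, not a type, and is required as
##	such here to match the other interfaces in this file; requiring
##	it with the wrong symbol kind makes the module fail to link.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_execmod_user_home_files',`
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:file execmod;
')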
3871
########################################
## <summary>
##	Read files in the /root directory.
## </summary>
## <desc>
##	<p>
##	Grants read access to admin_home_t files and search of
##	admin_home_t directories. Anything the administrator keeps
##	under /root that is labeled admin_home_t (configuration,
##	possibly credentials) becomes readable, so grant this only to
##	domains that must read such content.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	read_files_pattern($1, admin_home_t, admin_home_t)
')
3890
########################################
## <summary>
##	Execute files in the /root directory, without a
##	domain transition.
## </summary>
## <desc>
##	<p>
##	Grants execute on admin_home_t files (and search on admin_home_t
##	directories); the executed program keeps running in the caller's
##	domain. Because /root content is only as trustworthy as the
##	administrator's account, callers that are themselves reachable by
##	unprivileged users should not be granted this.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_exec_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	exec_files_pattern($1, admin_home_t, admin_home_t)
')
3909
########################################
## <summary>
##	Append to inherited files in the /root directory.
## </summary>
## <desc>
##	<p>
##	Grants only getattr and append on admin_home_t files. No
##	directory search is granted, so the caller can use this only on
##	file descriptors it inherited (e.g. an admin's redirected log),
##	not to open /root files itself.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:file { getattr append };
')
3928
3929
########################################
## <summary>
##	Manage all files and directories in user home directories.
## </summary>
## <desc>
##	<p>
##	Grants full management (create, read, write, rename, delete) of
##	directories, files, symlinks, sockets and fifos for every type
##	carrying the user_home_type attribute, both directly under the
##	home directory (user_home_dir_t) and in its subdirectories.
##	Objects created directly in user_home_dir_t transition to
##	user_home_t. Since user_home_type covers every home content type
##	defined by other modules, this is a broad grant; prefer the
##	narrower per-content interfaces where they suffice.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_user_home_content',`
	gen_require(`
		attribute user_home_type;
		type user_home_dir_t, user_home_t;
	')

	# traverse /home itself
	files_list_home($1)

	# default label for objects created at the top level of a home dir
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })

	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
')
3956
3957
########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	the user home file type.
## </summary>
## <desc>
##	<p>
##	Adds only the type_transition rule: objects of the given class
##	that the caller creates in user_home_dir_t are labeled
##	user_home_t. No allow rules are added, so the caller must also
##	be permitted to create objects of that class in user_home_dir_t
##	(e.g. via userdom_manage_user_home_content()).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans_pattern',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	type_transition $1 user_home_dir_t:$2 user_home_t;
')
3982
########################################
## <summary>
##	Create objects in the /root directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <desc>
##	<p>
##	Wraps filetrans_pattern() for admin_home_t. When a file name is
##	supplied as the fourth argument the transition is a named file
##	transition and applies only to objects created with exactly that
##	name; otherwise it applies to every object of the class.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`userdom_admin_home_dir_filetrans',`
	gen_require(`
		type admin_home_t;
	')

	filetrans_pattern($1, admin_home_t, $2, $3, $4)
')
4012
########################################
## <summary>
##	Send signull to unprivileged user domains.
## </summary>
## <desc>
##	<p>
##	Grants process:signull (kill(pid, 0) existence checks) against
##	every type carrying the unpriv_userdomain attribute. No real
##	signal can be delivered with this permission alone.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signull_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:process signull;
')
4030
########################################
## <summary>
##	Write user temporary files (user_tmp_t).
## </summary>
## <desc>
##	<p>
##	Despite the "_dirs" in its name, this interface grants write
##	access to user_tmp_t files (plus search of user_tmp_t
##	directories) via write_files_pattern(); it does not grant
##	directory writes. The name is kept for existing callers.
##	Traversal of /tmp itself is not included; pair with
##	files_search_tmp() as the other user tmp interfaces in this
##	file do if the caller must reach the files by path.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	write_files_pattern($1, user_tmp_t, user_tmp_t)
')
4048
########################################
## <summary>
##	Manage keys for all user domains.
## </summary>
## <desc>
##	<p>
##	Grants manage_key_perms against every type carrying the
##	userdomain attribute, i.e. full control of every user's kernel
##	keyrings. Keyrings may hold authentication material, so this
##	should be limited to the credential-management services that
##	need it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key manage_key_perms;
')
4066
4067
########################################
## <summary>
##	Do not audit attempts to read and write
##	user domain unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_stream',`
	gen_require(`
		attribute userdomain;
	')

	# Typical source: a socket inherited across a transition; nothing is granted.
	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
')
4086
########################################
## <summary>
##	Do not audit attempts to read and write
##	user domain unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_dgram_socket',`
	gen_require(`
		attribute userdomain;
	')

	# Only read/write are silenced; sendto/connect denials remain audited.
	dontaudit $1 userdomain:unix_dgram_socket { read write };
')
4105
########################################
## <summary>
##	Append to files in user home directories.
## </summary>
## <desc>
##	<p>
##	Grants append (not write) on user_home_t files, together with
##	the directory search needed to reach them: /home (via
##	files_search_home), the home directory itself (user_home_dir_t)
##	and user_home_t subdirectories (via append_files_pattern).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_append_user_home_content_files',`
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	# path traversal: /home -> ~user -> subdirectories
	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;

	append_files_pattern($1, user_home_t, user_home_t)
')
4126
########################################
## <summary>
##	Read inherited files in user home directories.
## </summary>
## <desc>
##	<p>
##	Grants only getattr and read on every type carrying the
##	user_home_type attribute. Because no directory search is
##	included, this is usable only on file descriptors the caller
##	inherited, not for opening home content by path.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_inherited_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:file { getattr read };
')
4145
########################################
## <summary>
##	Append to inherited files in user home directories.
## </summary>
## <desc>
##	<p>
##	Grants only getattr and append on user_home_t files; no
##	directory search, so it applies to inherited descriptors only.
##	For the by-path variant see
##	userdom_append_user_home_content_files().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:file { getattr append };
')
4164
########################################
## <summary>
##	Append to inherited user temporary files.
## </summary>
## <desc>
##	<p>
##	Grants only getattr and append on user_tmp_t files; no search
##	of /tmp or of user_tmp_t directories, so it applies to inherited
##	descriptors only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file { getattr append };
')
4183
########################################
## <summary>
##	Read audio files in user home directories.
## </summary>
## <desc>
##	<p>
##	Grants listing of audio_home_t directories and read of
##	audio_home_t files and symlinks, plus the user home directory
##	search needed to reach them. Other home content types are not
##	readable through this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_read_home_audio_files',`
	gen_require(`
		type audio_home_t;
	')

	read_lnk_files_pattern($1, audio_home_t, audio_home_t)
	read_files_pattern($1, audio_home_t, audio_home_t)
	allow $1 audio_home_t:dir list_dir_perms;

	# reach ~user/... in the first place
	userdom_search_user_home_dirs($1)
')
4205
########################################
## <summary>
##	Do not audit attempts to write all user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Covers every type with the user_home_type attribute; nothing is granted.
	dontaudit $1 user_home_type:file write_file_perms;
')
4223
########################################
## <summary>
##	Do not audit attempts to write all user tmp content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Covers every type with the user_tmp_type attribute; nothing is granted.
	dontaudit $1 user_tmp_type:file write_file_perms;
')
4241
########################################
## <summary>
##	Manage all user temporary content.
## </summary>
## <desc>
##	<p>
##	Grants full management of directories, files, symlinks, sockets
##	and fifos for every type carrying the user_tmp_type attribute,
##	plus search of /tmp. This spans the temporary content of every
##	user and every user-level application that defines a
##	user_tmp_type; use the narrower user_tmp_t interfaces where
##	possible.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	files_search_tmp($1)

	manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
')
4264
########################################
## <summary>
##	List all user temporary content.
## </summary>
## <desc>
##	<p>
##	Grants directory listing, getattr on files/sockets/fifos and
##	reading of symlinks for every type carrying the user_tmp_type
##	attribute, plus search of /var and /tmp. File contents are not
##	readable through this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# /tmp and /var/tmp traversal
	files_search_tmp($1)
	files_search_var($1)

	getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
	list_dirs_pattern($1, user_tmp_type, user_tmp_type)
')
4288
########################################
## <summary>
##	Manage all user tmpfs content.
## </summary>
## <desc>
##	<p>
##	Grants full management of directories, files, symlinks, sockets
##	and fifos for every type carrying the user_tmpfs_type attribute
##	(e.g. POSIX shared memory objects under /dev/shm), plus search
##	of tmpfs filesystems.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmpfs_content',`
	gen_require(`
		attribute user_tmpfs_type;
	')

	fs_search_tmpfs($1)

	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
')
4311
########################################
## <summary>
##	Delete all user temporary content.
## </summary>
## <desc>
##	<p>
##	Grants deletion of directories, files, symlinks, sockets and
##	fifos for every type carrying the user_tmp_type attribute, the
##	ability to remove entries from /tmp itself, and search of /var
##	so that /var/tmp is reachable. Intended for cleanup services
##	(tmp reapers); reading the content is not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# /var/tmp
	files_search_var($1)
	# unlink the entries directly under /tmp
	files_delete_tmp_dir_entry($1)

	delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
')
4336
########################################
## <summary>
##	Read SSL certificates stored in user home directories.
## </summary>
## <desc>
##	<p>
##	Grants listing of home_cert_t directories and read of
##	home_cert_t files and symlinks, plus the user home content
##	search needed to reach them. Read access covers private keys
##	too if they are labeled home_cert_t, so restrict this to the
##	TLS-using applications that need the user's certificates.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
	read_files_pattern($1, home_cert_t, home_cert_t)
	allow $1 home_cert_t:dir list_dir_perms;

	# reach the certificate directory inside the home
	userdom_search_user_home_content($1)
')
4357
########################################
## <summary>
##	Do not audit attempts to write SSL certificates
##	in user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	# Only the write permission is silenced; nothing is granted.
	dontaudit $1 home_cert_t:file write;
')
4375
########################################
## <summary>
##	Do not audit attempts to get the attributes of files in /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file getattr;
')
4393
########################################
## <summary>
##	Do not audit attempts to read symbolic links in /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_admin_home_lnk_files',`
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:lnk_file read;
')
4411
########################################
## <summary>
##	Do not audit attempts to read files in /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# Silences the whole read permission set; no access is granted.
	dontaudit $1 admin_home_t:file read_file_perms;
')
4429
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary character device nodes.
## </summary>
## <desc>
##	<p>
##	Grants management of chr_file objects labeled user_tmp_t (plus
##	search of /tmp and user_tmp_t directories). Creating device
##	nodes additionally requires the mknod capability and a
##	filesystem mounted without nodev, neither of which this
##	interface provides. Device nodes in world-writable tmp space
##	are an unusual and security-sensitive need; grant this only to
##	the specific tools that require it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_chr_files',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
')
4449
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary block device nodes.
## </summary>
## <desc>
##	<p>
##	Grants management of blk_file objects labeled user_tmp_t (plus
##	search of /tmp and user_tmp_t directories). As with the chr_file
##	variant, actually creating a node also needs the mknod
##	capability, which is not granted here. Block device nodes give
##	raw access to storage, so this should be reserved for the
##	specific tools that require it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_blk_files',`
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
')
4469
########################################
## <summary>
##	Do not audit attempts to set attributes on user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_setattr_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# dir class only; setattr on user_tmp_t files stays audited.
	dontaudit $1 user_tmp_t:dir setattr;
')
4487
########################################
## <summary>
##	Write inherited user temporary files.
## </summary>
## <desc>
##	<p>
##	Grants only file:write on user_tmp_t. Without getattr, open or
##	any directory search this is usable only on descriptors the
##	caller inherited; it cannot open user tmp files by path.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_inherited_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file write;
')
4505
########################################
## <summary>
##	Delete user temporary files.
## </summary>
## <desc>
##	<p>
##	Grants delete_file_perms on user_tmp_t files only. Removing the
##	directory entry also needs the appropriate permissions on the
##	containing directory (and search of /tmp), which this interface
##	does not add; compare userdom_delete_all_user_tmp_content().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file delete_file_perms;
')
4523
########################################
## <summary>
##	Delete user tmpfs files.
## </summary>
## <desc>
##	<p>
##	Grants delete_file_perms on user_tmpfs_t files only; directory
##	permissions on the tmpfs and the containing directory are not
##	included and must be obtained elsewhere.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	allow $1 user_tmpfs_t:file delete_file_perms;
')
4541
########################################
## <summary>
##	Read and write unprivileged user SysV shared
##	memory segments.
## </summary>
## <desc>
##	<p>
##	Grants shm read/write against every type carrying the
##	unpriv_userdomain attribute. Shared memory owned by user
##	processes may contain application data of any sensitivity, so
##	limit this to services that genuinely exchange data with user
##	sessions (e.g. display or audio servers).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_unpriv_user_shared_mem',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:shm rw_shm_perms;
')
4560
########################################
## <summary>
##	Do not audit attempts to search user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Only suppresses the log entry; no access to user_tmp_t is granted.
	dontaudit $1 user_tmp_t:dir search_dir_perms;
')
4579
########################################
## <summary>
##	Execute a file in a user home directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Sets up an automatic domain transition: when the caller executes
##	a user_home_t file, the new process runs in the target domain.
##	Symlinks labeled user_home_t may be followed on the way.
##	</p>
##	<p>
##	Security note: user_home_t is content the account owner writes,
##	so whoever controls the home directory chooses what runs in the
##	target domain. Only use this for domains that are meant to run
##	user-supplied code, and never for a target more privileged than
##	the home directory's owner. No search of /home or of the home
##	directory itself is granted here; callers that reach the file
##	by path must obtain that separately.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_home',`
	gen_require(`
		type user_home_t;
	')

	# automatic transition on exec of a user_home_t entrypoint
	type_transition $1 user_home_t:process $2;
	domain_transition_pattern($1, user_home_t, $2)

	# the executable may be reached through a user_home_t symlink
	read_lnk_files_pattern($1, user_home_t, user_home_t)
')
4616
########################################
## <summary>
##	Execute a file in a user tmp directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Sets up an automatic domain transition: when the caller executes
##	a user_tmp_t file, the new process runs in the target domain.
##	Search of /tmp is granted and user_tmp_t symlinks may be
##	followed on the way.
##	</p>
##	<p>
##	Security note: user_tmp_t is writable by the user's session, so
##	this lets the user decide what runs in the target domain.
##	Executing from temporary directories is a classic privilege
##	escalation vector; reserve this for targets that are meant to
##	run user-supplied code and are no more privileged than the user.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# automatic transition on exec of a user_tmp_t entrypoint
	type_transition $1 user_tmp_t:process $2;
	domain_transition_pattern($1, user_tmp_t, $2)

	# reach the file: /tmp traversal and any user_tmp_t symlink on the path
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
4654
########################################
## <summary>
##	Do not audit attempts to read all user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Covers every type with the user_home_type attribute; nothing is granted.
	dontaudit $1 user_home_type:file read_file_perms;
')
4672
########################################
## <summary>
##	Do not audit attempts to read all user tmp content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Covers every type with the user_tmp_type attribute; nothing is granted.
	dontaudit $1 user_tmp_type:file read_file_perms;
')
4690