1 ## <summary>Policy for user domains</summary>
3 #######################################
5 ## The template containing the most basic rules common to all users.
9 ## The template containing the most basic rules common to all users.
12 ## This template creates a user domain, types, and
13 ## rules for the user's tty and pty.
16 ## <param name="userdomain_prefix">
18 ## The prefix of the user domain (e.g., user
19 ## is the prefix for user_t).
24 template(`userdom_base_user_template',`
# Creates the bare user domain $1_t and the shared user tty/pty types.
# Every other user template in this file layers on top of it, so what is
# granted here is reachable from all user domains: self access, the
# user's own terminal, and read-only access to generic system files.
# (gen_require block and template closer are not shown in this listing.)
28 type user_devpts_t, user_tty_device_t;
29 class context contains;
32 attribute $1_file_type;
34 type $1_t, userdomain;
# Shells and generic binaries are valid entrypoints into the domain.
36 corecmd_shell_entry_type($1_t)
37 corecmd_bin_entry_type($1_t)
# ubac_constrained() keeps cross-user access subject to the UBAC
# user-identity constraints; domain_user_exemption_target presumably
# makes $1_t a permitted target of the user exemption — confirm in domain.if.
38 domain_user_exemption_target($1_t)
39 ubac_constrained($1_t)
43 term_user_pty($1_t, user_devpts_t)
45 term_user_tty($1_t, user_tty_device_t)
# Self process permissions are enumerated explicitly here (no ptrace,
# setexec, setcurrent or exec* bits); the broader grants come from the
# login/admin templates below.
47 allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
48 allow $1_t self:fd use;
49 allow $1_t self:fifo_file rw_fifo_file_perms;
50 allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
51 allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
52 allow $1_t self:shm create_shm_perms;
53 allow $1_t self:sem create_sem_perms;
54 allow $1_t self:msgq create_msgq_perms;
55 allow $1_t self:msg { send receive };
56 allow $1_t self:context contains;
# Creation of generic (non-family-specific) sockets is denied silently.
57 dontaudit $1_t self:socket create;
# The user's own pty/tty types only; no access to other terminal types
# is given at this level.
59 allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
60 term_create_pty($1_t, user_devpts_t)
61 # avoid annoying messages on terminal hangup on role change
62 dontaudit $1_t user_devpts_t:chr_file ioctl;
64 allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
65 # avoid annoying messages on terminal hangup on role change
66 dontaudit $1_t user_tty_device_t:chr_file ioctl;
68 kernel_read_kernel_sysctls($1_t)
# Unlabeled objects are only dontaudited for list/getattr; no read or
# write access to unlabeled content is granted to the base user domain.
69 kernel_dontaudit_list_unlabeled($1_t)
70 kernel_dontaudit_getattr_unlabeled_files($1_t)
71 kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
72 kernel_dontaudit_getattr_unlabeled_pipes($1_t)
73 kernel_dontaudit_getattr_unlabeled_sockets($1_t)
74 kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
75 kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
77 dev_dontaudit_getattr_all_blk_files($1_t)
78 dev_dontaudit_getattr_all_chr_files($1_t)
80 # When the user domain runs ps, there will be a number of access
81 # denials when ps tries to search /proc. Do not audit these denials.
82 domain_dontaudit_read_all_domains_state($1_t)
83 domain_dontaudit_getattr_all_domains($1_t)
84 domain_dontaudit_getsession_all_domains($1_t)
86 files_read_etc_files($1_t)
87 files_read_etc_runtime_files($1_t)
88 files_read_usr_files($1_t)
89 # Read directories and files with the readable_t type.
90 # This type is a general type for "world"-readable files.
91 files_list_world_readable($1_t)
92 files_read_world_readable_files($1_t)
93 files_read_world_readable_symlinks($1_t)
94 files_read_world_readable_pipes($1_t)
95 files_read_world_readable_sockets($1_t)
96 # old browser_domain():
97 files_dontaudit_list_non_security($1_t)
98 files_dontaudit_getattr_non_security_files($1_t)
99 files_dontaudit_getattr_non_security_symlinks($1_t)
100 files_dontaudit_getattr_non_security_pipes($1_t)
101 files_dontaudit_getattr_non_security_sockets($1_t)
103 libs_exec_ld_so($1_t)
105 miscfiles_read_localization($1_t)
106 miscfiles_read_generic_certs($1_t)
108 sysnet_read_config($1_t)
# W^X relaxations are opt-in via booleans.  execmem and execstack each
# weaken protection against memory-corruption exploits in the user's own
# processes; execstack is only reachable when allow_execmem is also on.
110 tunable_policy(`allow_execmem',`
111 # Allow executable+writable private mappings, for DSOs that require them.
112 allow $1_t self:process execmem;
115 tunable_policy(`allow_execmem && allow_execstack',`
116 # Allow making the stack executable via mprotect.
117 allow $1_t self:process execstack;
121 #######################################
123 ## Allow a home directory for which the
124 ## role has read-only access.
128 ## Allow a home directory for which the
129 ## role has read-only access.
132 ## This does not allow execute access.
135 ## <param name="role">
140 ## <param name="userdomain">
147 interface(`userdom_ro_home_role',`
# $1 = role, $2 = domain.  Read-only view of user_home_dir_t and its
# user_home_t content: list, read files/symlinks/fifos/sockets.  Nothing
# here grants write or execute.  Note that 'entrypoint' on user_home_t
# is granted (line 162), so a home-directory file can serve as the
# entrypoint of a domain transition defined elsewhere (compare
# userdom_user_home_domtrans); execute permission itself is not given.
149 type user_home_t, user_home_dir_t;
152 ##############################
154 # Domain access to home dir
# Needed for polyinstantiated home directories.
157 type_member $2 user_home_dir_t:dir user_home_dir_t;
159 # read-only home directory
160 allow $2 user_home_dir_t:dir list_dir_perms;
161 allow $2 user_home_t:dir list_dir_perms;
162 allow $2 user_home_t:file entrypoint;
163 read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
164 read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
165 read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
166 read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
# Network home directories: nfs_t/cifs_t are whole-filesystem types, so
# enabling either boolean extends the same read-only access to every
# file on those mounts, not only the user's own home.
169 tunable_policy(`use_nfs_home_dirs',`
171 fs_read_nfs_files($2)
172 fs_read_nfs_symlinks($2)
173 fs_read_nfs_named_sockets($2)
174 fs_read_nfs_named_pipes($2)
176 fs_dontaudit_list_nfs($2)
177 fs_dontaudit_read_nfs_files($2)
180 tunable_policy(`use_samba_home_dirs',`
182 fs_read_cifs_files($2)
183 fs_read_cifs_symlinks($2)
184 fs_read_cifs_named_sockets($2)
185 fs_read_cifs_named_pipes($2)
187 fs_dontaudit_list_cifs($2)
188 fs_dontaudit_read_cifs_files($2)
192 #######################################
194 ## Allow a home directory for which the
195 ## role has full access.
199 ## Allow a home directory for which the
200 ## role has full access.
203 ## This does not allow execute access.
206 ## <param name="role">
211 ## <param name="userdomain">
218 interface(`userdom_manage_home_role',`
# $1 = role, $2 = domain.  Full create/read/write/delete and relabel
# access to user_home_t content under user_home_dir_t, plus automatic
# labeling of new objects as user_home_t.  Execute is still not granted
# here (see userdom_exec_user_home_content_files), but 'entrypoint' is.
220 type user_home_t, user_home_dir_t;
223 ##############################
225 # Domain access to home dir
228 type_member $2 user_home_dir_t:dir user_home_dir_t;
230 # full control of the home directory
231 allow $2 user_home_t:file entrypoint;
232 manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
233 manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
234 manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
235 manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
236 manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
# relabelfrom/relabelto is limited to user_home_t itself; the domain can
# not move home content into another type through these rules.
237 relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
238 relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
239 relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
240 relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
241 relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
242 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
245 # cjp: this should probably be removed:
# This goes beyond the contents: it lets the domain create, delete,
# rename and relabel the user_home_dir_t node itself.
246 allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
# As in userdom_ro_home_role, these booleans apply to the entire
# nfs_t/cifs_t filesystem type, here with full manage access.
248 tunable_policy(`use_nfs_home_dirs',`
249 fs_manage_nfs_dirs($2)
250 fs_manage_nfs_files($2)
251 fs_manage_nfs_symlinks($2)
252 fs_manage_nfs_named_sockets($2)
253 fs_manage_nfs_named_pipes($2)
255 fs_dontaudit_manage_nfs_dirs($2)
256 fs_dontaudit_manage_nfs_files($2)
259 tunable_policy(`use_samba_home_dirs',`
260 fs_manage_cifs_dirs($2)
261 fs_manage_cifs_files($2)
262 fs_manage_cifs_symlinks($2)
263 fs_manage_cifs_named_sockets($2)
264 fs_manage_cifs_named_pipes($2)
266 fs_dontaudit_manage_cifs_dirs($2)
267 fs_dontaudit_manage_cifs_files($2)
271 #######################################
273 ## Manage user temporary files
275 ## <param name="role">
277 ## Role allowed access.
280 ## <param name="domain">
282 ## Domain allowed access.
287 interface(`userdom_manage_tmp_role',`
# $1 = role, $2 = domain.  Manage user_tmp_t objects and label anything
# the domain creates under tmp_t as user_tmp_t.  Execute is deliberately
# separate (userdom_exec_user_tmp_files).
292 files_poly_member_tmp($2, user_tmp_t)
294 manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
295 manage_files_pattern($2, user_tmp_t, user_tmp_t)
296 manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
297 manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
298 manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
299 files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
302 #######################################
304 ## Execute user temporary files.
306 ## <param name="domain">
308 ## Domain allowed access.
313 interface(`userdom_exec_user_tmp_files',`
# Execute user_tmp_t files in the caller's own domain (no transition).
# Combined with userdom_manage_tmp_role this lets a user run code it
# dropped in /tmp, so callers should grant it deliberately.
318 exec_files_pattern($1, user_tmp_t, user_tmp_t)
322 #######################################
324 ## Role access for the user tmpfs type
325 ## that the user has full access.
329 ## Role access for the user tmpfs type
330 ## that the user has full access.
333 ## This does not allow execute access.
336 ## <param name="role">
338 ## Role allowed access.
341 ## <param name="domain">
343 ## Domain allowed access.
348 interface(`userdom_manage_tmpfs_role',`
# $1 = role, $2 = domain.  Same shape as userdom_manage_tmp_role but for
# user_tmpfs_t on tmpfs filesystems; no execute access.
353 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
354 manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
355 manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
356 manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
357 manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
358 fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
361 #######################################
363 ## The template allowing the user basic
364 ## network permissions
366 ## <param name="userdomain_prefix">
368 ## The prefix of the user domain (e.g., user
369 ## is the prefix for user_t).
374 template(`userdom_basic_networking_template',`
# Client-side networking for $1_t: TCP/UDP sockets, send/receive on all
# interfaces, nodes and ports, and outbound TCP connects to ANY port.
# Binding/listening is not granted here (see the common/unpriv templates).
379 allow $1_t self:tcp_socket create_stream_socket_perms;
380 allow $1_t self:udp_socket create_socket_perms;
# Packets without a peer label (no NetLabel/IPsec labeling) are accepted;
# this is the normal case on an unlabeled network.
382 corenet_all_recvfrom_unlabeled($1_t)
383 corenet_all_recvfrom_netlabel($1_t)
384 corenet_tcp_sendrecv_generic_if($1_t)
385 corenet_udp_sendrecv_generic_if($1_t)
386 corenet_tcp_sendrecv_generic_node($1_t)
387 corenet_udp_sendrecv_generic_node($1_t)
388 corenet_tcp_sendrecv_all_ports($1_t)
389 corenet_udp_sendrecv_all_ports($1_t)
# No egress port restriction for user domains.
390 corenet_tcp_connect_all_ports($1_t)
391 corenet_sendrecv_all_client_packets($1_t)
# Peer-labeled traffic from the user's own domain.
393 corenet_all_recvfrom_labeled($1_t, $1_t)
396 init_tcp_recvfrom_all_daemons($1_t)
397 init_udp_recvfrom_all_daemons($1_t)
# Presumably inside an optional_policy() block (not shown): IPsec SPD match.
401 ipsec_match_default_spd($1_t)
405 #######################################
407 ## The template for creating a user xwindows client. (Deprecated)
409 ## <param name="userdomain_prefix">
411 ## The prefix of the user domain (e.g., user
412 ## is the prefix for user_t).
417 template(`userdom_xwindows_client_template',`
# Deprecated: emits a build-time warning and delegates to the xserver
# module.  Kept for compatibility with policies that still call it.
418 refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
420 type $1_t, user_tmpfs_t;
423 dev_rw_xserver_misc($1_t)
# Read/write of power-management device nodes from a user X client.
424 dev_rw_power_management($1_t)
428 # open office is looking for the following
429 dev_getattr_agp_dev($1_t)
430 dev_dontaudit_rw_dri($1_t)
431 # GNOME checks for usb and other devices:
434 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
435 xserver_xsession_entry_type($1_t)
436 xserver_dontaudit_write_log($1_t)
437 xserver_stream_connect_xdm($1_t)
438 # certain apps want to read xdm.pid file
439 xserver_read_xdm_pid($1_t)
440 # gnome-session creates socket under /tmp/.ICE-unix/
441 xserver_create_xdm_tmp_sockets($1_t)
442 # Needed for escd, remove if we get escd policy
# Full manage of xdm's tmp files from the user domain is a workaround,
# not a design choice — see the note above.
443 xserver_manage_xdm_tmp_files($1_t)
446 #######################################
448 ## The template for allowing the user to change passwords.
450 ## <param name="userdomain_prefix">
452 ## The prefix of the user domain (e.g., user
453 ## is the prefix for user_t).
458 template(`userdom_change_password_template',`
# Domain transitions (with role $1_r) into the chfn and passwd domains.
# These transitions are the user's only path to shadow; the user domain
# itself never gets shadow access.  (optional_policy wrapper not shown.)
465 usermanage_run_chfn($1_t, $1_r)
466 usermanage_run_passwd($1_t, $1_r)
470 #######################################
472 ## The template containing rules common to unprivileged
473 ## users and administrative users.
477 ## This template creates a user domain, types, and
478 ## rules for the user's tty, pty, tmp, and tmpfs files.
481 ## <param name="userdomain_prefix">
483 ## The prefix of the user domain (e.g., user
484 ## is the prefix for user_t).
488 template(`userdom_common_user_template',`
# Rules shared by unprivileged and administrative users.  Most of the
# per-service lines below are presumably wrapped in optional_policy()
# blocks that this listing does not show.
490 attribute unpriv_userdomain;
493 userdom_basic_networking_template($1)
495 ##############################
497 # User domain Local policy
500 # evolution and gnome-session try to create a netlink socket
501 dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
502 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
# File descriptors may be inherited from any unprivileged user domain.
504 allow $1_t unpriv_userdomain:fd use;
506 kernel_read_system_state($1_t)
507 kernel_read_network_state($1_t)
508 kernel_read_net_sysctls($1_t)
509 # Very permissive allowing every domain to see every type:
510 kernel_get_sysvipc_info($1_t)
511 # Find CDROM devices:
512 kernel_read_device_sysctls($1_t)
# Generic binaries run in the user's own domain (no transition).
514 corecmd_exec_bin($1_t)
# UDP bind to unreserved ports; TCP bind is gated separately (user_tcp_server).
516 corenet_udp_bind_generic_node($1_t)
517 corenet_udp_bind_generic_port($1_t)
520 dev_write_sound($1_t)
522 dev_read_sound_mixer($1_t)
523 dev_write_sound_mixer($1_t)
525 files_exec_etc_files($1_t)
526 files_search_locks($1_t)
527 # Check to see if cdrom is mounted
528 files_search_mnt($1_t)
529 # cjp: perhaps should cut back on file reads:
530 files_read_var_files($1_t)
531 files_read_var_symlinks($1_t)
532 files_read_generic_spool($1_t)
533 files_read_var_lib_files($1_t)
535 files_getattr_lost_found_dirs($1_t)
# Read/write of cgroup filesystem files from every common user domain;
# writes to cgroup controls affect resource limits — review whether
# read-only would suffice (userdom_login_user_template dontaudits this).
537 fs_rw_cgroup_files($1_t)
539 # cjp: some of this probably can be removed
# Read-only queries of the security server (compute_av, contexts, etc.);
# none of these change policy or enforcement.
540 selinux_get_fs_mount($1_t)
541 selinux_validate_context($1_t)
542 selinux_compute_access_vector($1_t)
543 selinux_compute_create_context($1_t)
544 selinux_compute_relabel_context($1_t)
545 selinux_compute_user_contexts($1_t)
548 storage_getattr_fixed_disk_dev($1_t)
550 auth_use_nsswitch($1_t)
551 auth_read_login_records($1_t)
552 auth_search_pam_console_data($1_t)
# Domain transitions (with role $1_r) into the PAM and utempter helpers.
553 auth_run_pam($1_t, $1_r)
554 auth_run_utempter($1_t, $1_r)
558 seutil_read_file_contexts($1_t)
559 seutil_read_default_contexts($1_t)
# newrole is run via a domain transition (role change path); checkpolicy
# and setfiles are only exec'd in the user's own domain, so they carry
# no extra privilege and cannot load policy or relabel system files.
560 seutil_run_newrole($1_t, $1_r)
561 seutil_exec_checkpolicy($1_t)
562 seutil_exec_setfiles($1_t)
563 # for when the network connection is killed
564 # this is needed when a login role can change
566 seutil_dontaudit_signal_newrole($1_t)
568 tunable_policy(`user_direct_mouse',`
572 tunable_policy(`user_ttyfile_stat',`
573 term_getattr_all_ttys($1_t)
577 alsa_manage_home_files($1_t)
578 alsa_read_rw_config($1_t)
579 alsa_relabel_home_files($1_t)
583 # Allow graphical boot to check battery lifespan
584 apm_stream_connect($1_t)
588 canna_stream_connect($1_t)
# System bus client plus chat with the listed services; each is a
# bidirectional dbus send_msg grant.
592 dbus_system_bus_client($1_t)
595 bluetooth_dbus_chat($1_t)
599 evolution_dbus_chat($1_t)
600 evolution_alarm_dbus_chat($1_t)
604 cups_dbus_chat_config($1_t)
612 networkmanager_dbus_chat($1_t)
618 inetd_rw_tcp_sockets($1_t)
622 inn_read_config($1_t)
623 inn_read_news_lib($1_t)
624 inn_read_news_spool($1_t)
628 locate_read_lib_files($1_t)
631 # for running depmod as part of the kernel packaging process
633 modutils_read_module_config($1_t)
# Database connections are opt-in via booleans.
641 tunable_policy(`allow_user_mysql_connect',`
642 mysql_stream_connect($1_t)
647 oident_manage_user_content($1_t)
648 oident_relabel_user_content($1_t)
652 # to allow monitoring of pcmcia status
653 pcmcia_read_pid($1_t)
657 pcscd_read_pub_files($1_t)
658 pcscd_stream_connect($1_t)
662 tunable_policy(`allow_user_postgresql_connect',`
663 postgresql_stream_connect($1_t)
664 postgresql_tcp_connect($1_t)
669 resmgr_stream_connect($1_t)
673 rpc_dontaudit_getattr_exports($1_t)
674 rpc_manage_nfs_rw_content($1_t)
678 samba_stream_connect_winbind($1_t)
682 slrnpull_search_spool($1_t)
# Transition into the usernetctl domain (ifup/ifdown wrapper) with role $1_r.
686 usernetctl_run($1_t, $1_r)
690 #######################################
692 ## The template for creating a login user.
696 ## This template creates a user domain, types, and
697 ## rules for the user's tty, pty, home directories,
698 ## tmp, and tmpfs files.
701 ## <param name="userdomain_prefix">
703 ## The prefix of the user domain (e.g., user
704 ## is the prefix for user_t).
708 template(`userdom_login_user_template', `
# A login user: base domain plus managed home, tmp and tmpfs, execute of
# tmp and home content, and the password-change transitions.
710 class context contains;
713 userdom_base_user_template($1)
715 userdom_manage_home_role($1_r, $1_t)
717 userdom_manage_tmp_role($1_r, $1_t)
718 userdom_manage_tmpfs_role($1_r, $1_t)
# Executing user-writable content (tmp and home) in the user's own domain.
720 userdom_exec_user_tmp_files($1_t)
721 userdom_exec_user_home_content_files($1_t)
723 userdom_change_password_template($1)
725 ##############################
727 # User domain Local policy
# Kernel capabilities for a plain login user: setgid, chown and fowner.
# No setuid, dac_override or sys_* capabilities at this level.
730 allow $1_t self:capability { setgid chown fowner };
731 dontaudit $1_t self:capability { sys_nice fsetid };
# Complement form: every self:process permission EXCEPT the six listed,
# so e.g. ptrace, setfscreate, setsockcreate and dyntransition on self
# are included, and any permission added to the class later is granted
# implicitly.  execmem/execstack stay boolean-gated in the base template.
733 allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
734 dontaudit $1_t self:process setrlimit;
735 dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
737 allow $1_t self:context contains;
739 kernel_dontaudit_read_system_state($1_t)
744 domain_use_interactive_fds($1_t)
745 # Command completion can fire hundreds of denials
746 domain_dontaudit_exec_all_entry_files($1_t)
748 files_dontaudit_list_default($1_t)
749 files_dontaudit_read_default_files($1_t)
751 files_getattr_lost_found_dirs($1_t)
753 fs_get_all_fs_quotas($1_t)
754 fs_getattr_all_fs($1_t)
755 fs_getattr_all_dirs($1_t)
756 fs_search_auto_mountpoints($1_t)
757 fs_list_cgroup_dirs($1_t)
758 fs_list_inotifyfs($1_t)
759 fs_rw_anon_inodefs_files($1_t)
# cgroup file writes are silenced here; userdom_common_user_template
# allows them outright for domains that also use that template.
760 fs_dontaudit_rw_cgroup_files($1_t)
762 auth_dontaudit_write_login_records($1_t)
# All application executables run in the user's own domain (no transition).
764 application_exec_all($1_t)
766 # The library functions always try to open read-write first,
767 # then fall back to read-only if it fails.
768 init_dontaudit_rw_utmp($1_t)
769 # Stop warnings about access to /dev/console
770 init_dontaudit_use_fds($1_t)
771 init_dontaudit_use_script_fds($1_t)
773 libs_exec_lib_files($1_t)
775 logging_dontaudit_getattr_all_logs($1_t)
777 miscfiles_read_man_pages($1_t)
778 # for running TeX programs
779 miscfiles_read_tetex_data($1_t)
780 miscfiles_exec_tetex_data($1_t)
782 seutil_read_config($1_t)
# Per-service lines below are presumably inside optional_policy() blocks
# not shown in this listing.
785 cups_read_config($1_t)
786 cups_stream_connect($1_t)
787 cups_stream_connect_ptal($1_t)
795 mta_dontaudit_read_spool_symlinks($1_t)
799 quota_dontaudit_getattr_db($1_t)
804 rpm_dontaudit_manage_db($1_t)
808 #######################################
810 ## The template for creating an unprivileged login user.
814 ## This template creates a user domain, types, and
815 ## rules for the user's tty, pty, home directories,
816 ## tmp, and tmpfs files.
819 ## <param name="userdomain_prefix">
821 ## The prefix of the user domain (e.g., user
822 ## is the prefix for user_t).
826 template(`userdom_restricted_user_template',`
# Minimal unprivileged login user: a login user tagged with the
# unpriv_userdomain attribute (so UBAC and the fd-use rule in the common
# template apply to it) and able to pass fds to interactive domains.
828 attribute unpriv_userdomain;
831 userdom_login_user_template($1)
833 typeattribute $1_t unpriv_userdomain;
834 domain_interactive_fd($1_t)
836 ##############################
# Transition into the loadkeys domain with role $1_r (optional_policy
# wrapper not shown).
842 loadkeys_run($1_t, $1_r)
846 #######################################
848 ## The template for creating an unprivileged xwindows login user.
852 ## The template for creating an unprivileged xwindows login user.
855 ## This template creates a user domain, types, and
856 ## rules for the user's tty, pty, home directories,
857 ## tmp, and tmpfs files.
860 ## <param name="userdomain_prefix">
862 ## The prefix of the user domain (e.g., user
863 ## is the prefix for user_t).
867 template(`userdom_restricted_xwindows_user_template',`
# Restricted user plus an X session: PAM role, restricted X role, D-Bus,
# ConsoleKit and Java.  Audit-message sending is granted for the
# screensaver, which is wider than a restricted user normally needs.
869 userdom_restricted_user_template($1)
871 ##############################
876 auth_role($1_r, $1_t)
877 auth_search_pam_console_data($1_t)
880 dev_write_sound($1_t)
881 # gnome keyring wants to read this.
882 dev_dontaudit_read_rand($1_t)
884 logging_send_syslog_msg($1_t)
885 logging_dontaudit_send_audit_msgs($1_t)
887 # Need to do this just so screensaver will work. Should be moved to screensaver domain
888 logging_send_audit_msgs($1_t)
889 selinux_get_enforce_mode($1_t)
891 xserver_restricted_role($1_r, $1_t)
894 alsa_read_rw_config($1_t)
898 dbus_role_template($1, $1_r, $1_t)
899 dbus_system_bus_client($1_t)
902 consolekit_dbus_chat($1_t)
911 java_role($1_r, $1_t)
915 setroubleshoot_dontaudit_stream_connect($1_t)
919 #######################################
921 ## The template for creating an unprivileged user roughly
922 ## equivalent to a regular linux user.
926 ## The template for creating an unprivileged user roughly
927 ## equivalent to a regular linux user.
930 ## This template creates a user domain, types, and
931 ## rules for the user's tty, pty, home directories,
932 ## tmp, and tmpfs files.
935 ## <param name="userdomain_prefix">
937 ## The prefix of the user domain (e.g., user
938 ## is the prefix for user_t).
942 template(`userdom_unpriv_user_template', `
# An ordinary Linux-like user: restricted user plus the common rules,
# with a handful of boolean-gated extras (noxattr fs, removable media,
# dmesg, TCP servers, ping/traceroute, pppd).
944 ##############################
949 # Inherit rules for ordinary users.
950 userdom_restricted_user_template($1)
951 userdom_common_user_template($1)
953 ##############################
958 # port access is audited even if dac would not have allowed it, so dontaudit it here
959 corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
960 # Need the following rule to allow users to run vpnc
# Binding the X server port range from a plain user domain is a
# vpnc workaround; it also lets a user squat on those ports.
961 corenet_tcp_bind_xserver_port($1_t)
963 files_exec_usr_files($1_t)
965 files_read_kernel_symbol_table($1_t)
# Non-MLS only: execute files on filesystems without xattr labels
# (e.g. vfat/removable media), i.e. code the policy cannot distinguish.
967 ifndef(`enable_mls',`
968 fs_exec_noxattr($1_t)
# Boolean-gated raw block-device access to removable media.  Lines 974-975
# are the enabled branch; line 977 is presumably the else branch (the
# `',` separator is not shown), keeping raw read even when disabled.
970 tunable_policy(`user_rw_noexattrfile',`
971 fs_manage_noxattr_fs_files($1_t)
972 fs_manage_noxattr_fs_dirs($1_t)
974 storage_raw_read_removable_device($1_t)
975 storage_raw_write_removable_device($1_t)
977 storage_raw_read_removable_device($1_t)
981 tunable_policy(`user_dmesg',`
982 kernel_read_ring_buffer($1_t)
984 kernel_dontaudit_read_ring_buffer($1_t)
987 # Allow users to run TCP servers (bind to ports and accept connections from
988 # the same domain and outside users). Disabling this forces FTP passive mode
989 # and may change other protocols.
990 tunable_policy(`user_tcp_server',`
991 corenet_tcp_bind_generic_node($1_t)
992 corenet_tcp_bind_generic_port($1_t)
# Conditional domain transitions (with role $1_r) for ping/traceroute
# and pppd; presumably inside optional_policy() blocks not shown.
996 netutils_run_ping_cond($1_t, $1_r)
997 netutils_run_traceroute_cond($1_t, $1_r)
1000 # Run pppd in pppd_t by default for user
1002 ppp_run_cond($1_t, $1_r)
1006 setroubleshoot_stream_connect($1_t)
1010 #######################################
1012 ## The template for creating an administrative user.
1016 ## This template creates a user domain, types, and
1017 ## rules for the user's tty, pty, home directories,
1018 ## tmp, and tmpfs files.
1021 ## The privileges given to administrative users are:
1023 ## <li>Raw disk access</li>
1024 ## <li>Set all sysctls</li>
1025 ## <li>All kernel ring buffer controls</li>
1026 ## <li>Create, read, write, and delete all files but shadow</li>
1027 ## <li>Manage source and binary format SELinux policy</li>
1028 ## <li>Run insmod</li>
1032 ## <param name="userdomain_prefix">
1034 ## The prefix of the user domain (e.g., sysadm
1035 ## is the prefix for sysadm_t).
1039 template(`userdom_admin_user_template',`
# Administrative user (e.g. sysadm_t).  This domain is close to
# unconfined with respect to kernel capabilities and file access; what
# keeps it bounded is the short capability exclusion list, the shadow
# exclusion, and the fact that module loading goes through insmod's domain.
1041 attribute admindomain;
1042 class passwd { passwd chfn chsh rootok };
1045 ##############################
1050 # Inherit rules for ordinary users.
1051 userdom_login_user_template($1)
1052 userdom_common_user_template($1)
# Exempt from the object identity-change constraint (may relabel objects
# to another SELinux user) and allowed to run in system_r.
1054 domain_obj_id_change_exemption($1_t)
1055 role system_r types $1_t;
1057 typeattribute $1_t admindomain;
1059 ifdef(`direct_sysadm_daemon',`
1060 domain_system_change_exemption($1_t)
1063 ##############################
# Every capability except module loading and audit control/write.
# Notably this includes sys_admin, sys_ptrace, setuid, dac_override and
# sys_rawio, so the admin is root-equivalent at the capability layer;
# confinement comes from type enforcement on objects, not from here.
1068 allow $1_t self:capability ~{ sys_module audit_control audit_write };
# May set its own exec and fscreate contexts (used by tooling that
# launches daemons or creates labeled files).
1069 allow $1_t self:process { setexec setfscreate };
# Privileged read of audit netlink messages only; audit_control and
# audit_write capabilities are withheld above.
1070 allow $1_t self:netlink_audit_socket nlmsg_readpriv;
1071 allow $1_t self:tun_socket create;
1072 # Set password information for other users.
1073 allow $1_t self:passwd { passwd chfn chsh };
1074 # Skip authentication when pam_rootok is specified.
1075 allow $1_t self:passwd rootok;
1077 kernel_read_software_raid_state($1_t)
1078 kernel_getattr_core_if($1_t)
1079 kernel_getattr_message_if($1_t)
1080 kernel_change_ring_buffer_level($1_t)
1081 kernel_clear_ring_buffer($1_t)
1082 kernel_read_ring_buffer($1_t)
1083 kernel_get_sysvipc_info($1_t)
# Write access to ALL sysctls, including those that affect hardening
# (e.g. kernel.* and net.* knobs).
1084 kernel_rw_all_sysctls($1_t)
1085 # signal unlabeled processes:
1086 kernel_kill_unlabeled($1_t)
1087 kernel_signal_unlabeled($1_t)
1088 kernel_sigstop_unlabeled($1_t)
1089 kernel_signull_unlabeled($1_t)
1090 kernel_sigchld_unlabeled($1_t)
1092 corenet_tcp_bind_generic_port($1_t)
1093 # allow setting up tunnels
1094 corenet_rw_tun_tap_dev($1_t)
1096 dev_getattr_generic_blk_files($1_t)
1097 dev_getattr_generic_chr_files($1_t)
1099 dev_getattr_mtrr_dev($1_t)
1100 # Allow MAKEDEV to work
# Create/delete/rename of device nodes of any device type.
1101 dev_create_all_blk_files($1_t)
1102 dev_create_all_chr_files($1_t)
1103 dev_delete_all_blk_files($1_t)
1104 dev_delete_all_chr_files($1_t)
1105 dev_rename_all_blk_files($1_t)
1106 dev_rename_all_chr_files($1_t)
1107 dev_create_generic_symlinks($1_t)
1109 domain_setpriority_all_domains($1_t)
1110 domain_read_all_domains_state($1_t)
1111 domain_getattr_all_domains($1_t)
# ptrace of other domains is NOT allowed, only silenced.
1112 domain_dontaudit_ptrace_all_domains($1_t)
1113 # signal all domains:
1114 domain_kill_all_domains($1_t)
1115 domain_signal_all_domains($1_t)
1116 domain_signull_all_domains($1_t)
1117 domain_sigstop_all_domains($1_t)
# NOTE(review): duplicate of the previous line; harmless (rules merge)
# but can be dropped.
1118 domain_sigstop_all_domains($1_t)
1119 domain_sigchld_all_domains($1_t)
1121 domain_getattr_all_sockets($1_t)
1123 files_exec_usr_src_files($1_t)
1125 fs_getattr_all_fs($1_t)
1126 fs_set_all_quotas($1_t)
1127 fs_exec_noxattr($1_t)
# Raw block-device access to removable media (not fixed disks) here.
1129 storage_raw_read_removable_device($1_t)
1130 storage_raw_write_removable_device($1_t)
1132 term_use_all_terms($1_t)
# getattr on shadow only; read/write of shadow is excluded from the two
# "all files" grants below and stays with the passwd/chfn transitions.
1134 auth_getattr_shadow($1_t)
1135 # Manage almost all files
1136 auth_manage_all_files_except_shadow($1_t)
1137 # Relabel almost all files
1138 auth_relabel_all_files_except_shadow($1_t)
1142 logging_send_syslog_msg($1_t)
# Module loading is done via a transition into insmod's domain rather
# than by granting sys_module to the admin domain itself.
1144 modutils_domtrans_insmod($1_t)
1146 # The following rule is temporary until such time that a complete
1147 # policy management infrastructure is in place so that an administrator
1148 # cannot directly manipulate policy files with arbitrary programs.
1149 seutil_manage_src_policy($1_t)
1150 # Violates the goal of limiting write access to checkpolicy.
1151 # But presently necessary for installing the file_contexts file.
1152 seutil_manage_bin_policy($1_t)
1154 userdom_manage_user_home_content_dirs($1_t)
1155 userdom_manage_user_home_content_files($1_t)
1156 userdom_manage_user_home_content_symlinks($1_t)
1157 userdom_manage_user_home_content_pipes($1_t)
1158 userdom_manage_user_home_content_sockets($1_t)
1159 userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
# Line 1165 is presumably the else branch of this tunable (separator not
# shown): read-only noxattr access when the boolean is off.
1161 tunable_policy(`user_rw_noexattrfile',`
1162 fs_manage_noxattr_fs_files($1_t)
1163 fs_manage_noxattr_fs_dirs($1_t)
1165 fs_read_noxattr_fs_files($1_t)
# Unconfined access to PostgreSQL objects; presumably inside an
# optional_policy() block not shown.
1169 postgresql_unconfined($1_t)
1173 userhelper_exec($1_t)
1177 ########################################
1179 ## Allow user to run as a secadm
1183 ## Grant the security administrator privileges: MLS read-up and
1184 ## file upgrade/downgrade, changing enforcement mode, booleans and
1185 ## parameters, relabeling (including shadow), and running the policy tools.
1188 ## This is a templated interface, and should only
1189 ## be called from a per-userdomain template.
1192 ## <param name="domain">
1194 ## Domain allowed access.
1197 ## <param name="role">
1199 ## Role allowed to run the policy-management tools.
1203 template(`userdom_security_admin_template',`
# $1 = domain, $2 = role.  The security-admin privilege set: the domain
# can switch enforcement mode, change booleans, load policy, relabel
# shadow and move files across MLS levels.  Each of these alone is
# enough to defeat the policy, so assign the template sparingly.
1204 allow $1 self:capability { dac_read_search dac_override };
1206 corecmd_exec_shell($1)
1208 domain_obj_id_change_exemption($1)
1210 dev_relabel_all_dev_nodes($1)
1212 files_create_boot_flag($1)
1214 # Necessary for managing /boot/efi
1215 fs_manage_dos_files($1)
# MLS: read up, read all file levels, and both upgrade and downgrade
# file levels — file_downgrade is a declassification capability.
1217 mls_process_read_up($1)
1218 mls_file_read_all_levels($1)
1219 mls_file_upgrade($1)
1220 mls_file_downgrade($1)
# Can switch the system to permissive and flip any boolean.
1222 selinux_set_enforce_mode($1)
1223 selinux_set_all_booleans($1)
1224 selinux_set_parameters($1)
# Relabel of shadow is granted, but not read or write of its content.
1226 auth_relabel_all_files_except_shadow($1)
1227 auth_relabel_shadow($1)
1231 logging_send_syslog_msg($1)
1232 logging_read_audit_log($1)
1233 logging_read_generic_logs($1)
1234 logging_read_audit_config($1)
# Policy tools run via domain transitions with role $2; the binary
# policy store itself is managed directly.
1236 seutil_manage_bin_policy($1)
1237 seutil_run_checkpolicy($1, $2)
1238 seutil_run_loadpolicy($1, $2)
1239 seutil_run_semanage($1, $2)
1240 seutil_run_setfiles($1, $2)
# Remaining lines are presumably inside optional_policy() blocks not shown.
1247 consoletype_exec($1)
1255 ipsec_run_setkey($1, $2)
1259 netlabel_run_mgmt($1, $2)
1267 ########################################
1269 ## Make the specified type usable in a
1270 ## user home directory.
1272 ## <param name="type">
1274 ## Type to be used as a file in the
1275 ## user home directory.
1279 interface(`userdom_user_home_content',`
# Marks $1 as a type that may live in a user home directory: filesystem
# associate, polyinstantiation membership, and UBAC constraints.
1284 allow $1 user_home_t:filesystem associate;
1286 files_poly_member($1)
1287 ubac_constrained($1)
1290 ########################################
1292 ## Allow domain to attach to TUN devices created by administrative users.
1294 ## <param name="domain">
1296 ## Domain allowed access.
1300 interface(`userdom_attach_admin_tun_iface',`
# Let $1 take over (relabel) a TUN socket created by any admindomain,
# i.e. attach to an admin-created tunnel interface.
1302 attribute admindomain;
1305 allow $1 admindomain:tun_socket relabelfrom;
1306 allow $1 self:tun_socket relabelto;
1309 ########################################
1311 ## Set the attributes of a user pty.
1313 ## <param name="domain">
1315 ## Domain allowed access.
1319 interface(`userdom_setattr_user_ptys',`
# setattr only (e.g. chown/chmod of the pty node); no read/write.
1324 allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
1327 ########################################
1329 ## Create a user pty.
1331 ## <param name="domain">
1333 ## Domain allowed access.
1337 interface(`userdom_create_user_pty',`
# Create a pty labeled user_devpts_t (delegates to the terminal module).
1342 term_create_pty($1, user_devpts_t)
1345 ########################################
1347 ## Get the attributes of user home directories.
1349 ## <param name="domain">
1351 ## Domain allowed access.
1355 interface(`userdom_getattr_user_home_dirs',`
# getattr on user_home_dir_t plus search of the home root to reach it.
1357 type user_home_dir_t;
1360 allow $1 user_home_dir_t:dir getattr_dir_perms;
1361 files_search_home($1)
1364 ########################################
1366 ## Do not audit attempts to get the attributes of user home directories.
1368 ## <param name="domain">
1370 ## Domain to not audit.
1374 interface(`userdom_dontaudit_getattr_user_home_dirs',`
# Silence (do not grant) getattr denials on user_home_dir_t.
1376 type user_home_dir_t;
1379 dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
1382 ########################################
1384 ## Search user home directories.
1386 ## <param name="domain">
1388 ## Domain allowed access.
1392 interface(`userdom_search_user_home_dirs',`
# search only (path traversal), not list; plus search of the home root.
1394 type user_home_dir_t;
1397 allow $1 user_home_dir_t:dir search_dir_perms;
1398 files_search_home($1)
1401 ########################################
1403 ## Do not audit attempts to search user home directories.
1407 ## Do not audit attempts to search user home directories.
1408 ## This will suppress SELinux denial messages when the specified
1409 ## domain is denied permission to search these directories.
1412 ## <param name="domain">
1414 ## Domain to not audit.
1417 ## <infoflow type="none"/>
1419 interface(`userdom_dontaudit_search_user_home_dirs',`
# Silence (do not grant) search denials on user_home_dir_t.
1421 type user_home_dir_t;
1424 dontaudit $1 user_home_dir_t:dir search_dir_perms;
1427 ########################################
1429 ## List user home directories.
1431 ## <param name="domain">
1433 ## Domain allowed access.
1437 interface(`userdom_list_user_home_dirs',`
# List the top-level home directory (names of entries, not their content).
1439 type user_home_dir_t;
1442 allow $1 user_home_dir_t:dir list_dir_perms;
1443 files_search_home($1)
1446 ########################################
1448 ## Do not audit attempts to list user home subdirectories.
1450 ## <param name="domain">
1452 ## Domain to not audit.
1456 interface(`userdom_dontaudit_list_user_home_dirs',`
# Silence (do not grant) list denials on user_home_dir_t.
1458 type user_home_dir_t;
1461 dontaudit $1 user_home_dir_t:dir list_dir_perms;
1464 ########################################
1466 ## Create user home directories.
1468 ## <param name="domain">
1470 ## Domain allowed access.
1474 interface(`userdom_create_user_home_dirs',`
# Create directories labeled user_home_dir_t (typical for useradd-style
# tooling); no search of the home root is added here.
1476 type user_home_dir_t;
1479 allow $1 user_home_dir_t:dir create_dir_perms;
1482 ########################################
1484 ## Create, read, write, and delete user home directories.
1486 ## <param name="domain">
1488 ## Domain allowed access.
1492 interface(`userdom_manage_user_home_dirs',`
# Full manage (create, rename, delete, write) of user_home_dir_t nodes —
# i.e. of users' home directories themselves, not their content.
1494 type user_home_dir_t;
1497 allow $1 user_home_dir_t:dir manage_dir_perms;
1500 ########################################
1502 ## Relabel to user home directories.
1504 ## <param name="domain">
1506 ## Domain allowed access.
1510 interface(`userdom_relabelto_user_home_dirs',`
# relabelto only; the caller also needs relabelfrom on the source type.
1512 type user_home_dir_t;
1515 allow $1 user_home_dir_t:dir relabelto;
1518 ########################################
1520 ## Create directories in the home dir root with
1521 ## the user home directory type.
1523 ## <param name="domain">
1525 ## Domain allowed access.
1529 interface(`userdom_home_filetrans_user_home_dir',`
1531 type user_home_dir_t;
1534 files_home_filetrans($1, user_home_dir_t, dir)
1537 ########################################
1539 ## Do a domain transition to the specified
1540 ## domain when executing a program in the
1541 ## user home directory.
1545 ## Do a domain transition to the specified
1546 ## domain when executing a program in the
1547 ## user home directory.
1550 ## No interprocess communication (signals, pipes,
1551 ## etc.) is provided by this interface since
1552 ## the domains are not owned by this module.
##
## The entrypoint type is user_home_t, which is ordinary
## user home content and therefore normally user-writable.
## Whoever can write such files chooses the code that runs in
## the target domain, so only transition into domains that are
## intended to run user-supplied programs, never into a domain
## with more privilege than the source.
1555 ## <param name="source_domain">
1557 ## Domain allowed to transition.
1560 ## <param name="target_domain">
1562 ## Domain to transition to.
1566 interface(`userdom_user_home_domtrans',`
1568 type user_home_dir_t, user_home_t;
# every user_home_t file becomes an entrypoint for $2
1571 domain_auto_trans($1, user_home_t, $2)
1572 allow $1 user_home_dir_t:dir search_dir_perms;
1573 files_search_home($1)
1576 ########################################
1578 ## Do not audit attempts to search user home content directories.
1580 ## <param name="domain">
1582 ## Domain to not audit.
1586 interface(`userdom_dontaudit_search_user_home_content',`
1591 dontaudit $1 user_home_t:dir search_dir_perms;
1594 ########################################
1596 ## List contents of users home directory.
1598 ## <param name="domain">
1600 ## Domain allowed access.
1604 interface(`userdom_list_user_home_content',`
1609 allow $1 user_home_t:dir list_dir_perms;
1612 ########################################
1614 ## Create, read, write, and delete directories
1615 ## in a user home subdirectory.
1617 ## <param name="domain">
1619 ## Domain allowed access.
1623 interface(`userdom_manage_user_home_content_dirs',`
1625 type user_home_dir_t, user_home_t;
1628 manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1629 files_search_home($1)
1632 ########################################
1634 ## Delete directories in a user home subdirectory.
1636 ## <param name="domain">
1638 ## Domain allowed access.
1642 interface(`userdom_delete_user_home_content_dirs',`
1647 allow $1 user_home_t:dir delete_dir_perms;
1650 ########################################
1652 ## Do not audit attempts to set the
1653 ## attributes of user home files.
1655 ## <param name="domain">
1657 ## Domain to not audit.
1661 interface(`userdom_dontaudit_setattr_user_home_content_files',`
1666 dontaudit $1 user_home_t:file setattr_file_perms;
1669 ########################################
1671 ## Mmap user home files.
1673 ## <param name="domain">
1675 ## Domain allowed access.
1679 interface(`userdom_mmap_user_home_content_files',`
1681 type user_home_dir_t, user_home_t;
1684 mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1685 files_search_home($1)
1688 ########################################
1690 ## Read user home files.
1692 ## <param name="domain">
1694 ## Domain allowed access.
1698 interface(`userdom_read_user_home_content_files',`
1700 type user_home_dir_t, user_home_t;
1703 read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1704 files_search_home($1)
1707 ########################################
1709 ## Do not audit attempts to read user home files.
1711 ## <param name="domain">
1713 ## Domain to not audit.
1717 interface(`userdom_dontaudit_read_user_home_content_files',`
1722 dontaudit $1 user_home_t:dir list_dir_perms;
1723 dontaudit $1 user_home_t:file read_file_perms;
1726 ########################################
1728 ## Do not audit attempts to append user home files.
1730 ## <param name="domain">
1732 ## Domain to not audit.
1736 interface(`userdom_dontaudit_append_user_home_content_files',`
1741 dontaudit $1 user_home_t:file append_file_perms;
1744 ########################################
1746 ## Do not audit attempts to write user home files.
1748 ## <param name="domain">
1750 ## Domain to not audit.
1754 interface(`userdom_dontaudit_write_user_home_content_files',`
1759 dontaudit $1 user_home_t:file write_file_perms;
1762 ########################################
1764 ## Delete files in a user home subdirectory.
1766 ## <param name="domain">
1768 ## Domain allowed access.
1772 interface(`userdom_delete_user_home_content_files',`
1777 allow $1 user_home_t:file delete_file_perms;
1780 ########################################
1782 ## Do not audit attempts to relabel user home files.
1784 ## <param name="domain">
1786 ## Domain to not audit.
1790 interface(`userdom_dontaudit_relabel_user_home_content_files',`
# dontaudit only silences the denial; relabelfrom/relabelto are not granted
1795 dontaudit $1 user_home_t:file relabel_file_perms;
1798 ########################################
1800 ## Read user home subdirectory symbolic links.
1802 ## <param name="domain">
1804 ## Domain allowed access.
1808 interface(`userdom_read_user_home_content_symlinks',`
1810 type user_home_dir_t, user_home_t;
1813 read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
1814 files_search_home($1)
1817 ########################################
1819 ## Execute user home files.
## The files run in the calling domain itself -- there is no
## domain transition here (compare userdom_user_home_domtrans) --
## so user-writable home content executes with every privilege
## the caller holds. With the use_nfs_home_dirs / use_samba_home_dirs
## tunables enabled the same applies to network-backed home
## directories.
1821 ## <param name="domain">
1823 ## Domain allowed access.
1828 interface(`userdom_exec_user_home_content_files',`
1830 type user_home_dir_t, user_home_t;
1833 files_search_home($1)
1834 exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
# network home directories, gated by the corresponding tunables
1836 tunable_policy(`use_nfs_home_dirs',`
1837 fs_exec_nfs_files($1)
1840 tunable_policy(`use_samba_home_dirs',`
1841 fs_exec_cifs_files($1)
1845 ########################################
1847 ## Do not audit attempts to execute user home files.
1849 ## <param name="domain">
1851 ## Domain to not audit.
1855 interface(`userdom_dontaudit_exec_user_home_content_files',`
1860 dontaudit $1 user_home_t:file exec_file_perms;
1863 ########################################
1865 ## Create, read, write, and delete files
1866 ## in a user home subdirectory.
1868 ## <param name="domain">
1870 ## Domain allowed access.
1874 interface(`userdom_manage_user_home_content_files',`
1876 type user_home_dir_t, user_home_t;
1879 manage_files_pattern($1, user_home_t, user_home_t)
1880 allow $1 user_home_dir_t:dir search_dir_perms;
1881 files_search_home($1)
1884 ########################################
1886 ## Do not audit attempts to create, read, write, and delete directories
1887 ## in a user home subdirectory.
1889 ## <param name="domain">
1891 ## Domain to not audit.
1895 interface(`userdom_dontaudit_manage_user_home_content_dirs',`
1897 type user_home_dir_t, user_home_t;
1900 dontaudit $1 user_home_t:dir manage_dir_perms;
1903 ########################################
1905 ## Create, read, write, and delete symbolic links
1906 ## in a user home subdirectory.
1908 ## <param name="domain">
1910 ## Domain allowed access.
1914 interface(`userdom_manage_user_home_content_symlinks',`
1916 type user_home_dir_t, user_home_t;
1919 manage_lnk_files_pattern($1, user_home_t, user_home_t)
1920 allow $1 user_home_dir_t:dir search_dir_perms;
1921 files_search_home($1)
1924 ########################################
1926 ## Delete symbolic links in a user home directory.
1928 ## <param name="domain">
1930 ## Domain allowed access.
1934 interface(`userdom_delete_user_home_content_symlinks',`
1939 allow $1 user_home_t:lnk_file delete_lnk_file_perms;
1942 ########################################
1944 ## Create, read, write, and delete named pipes
1945 ## in a user home subdirectory.
1947 ## <param name="domain">
1949 ## Domain allowed access.
1953 interface(`userdom_manage_user_home_content_pipes',`
1955 type user_home_dir_t, user_home_t;
1958 manage_fifo_files_pattern($1, user_home_t, user_home_t)
1959 allow $1 user_home_dir_t:dir search_dir_perms;
1960 files_search_home($1)
1963 ########################################
1965 ## Create, read, write, and delete named sockets
1966 ## in a user home subdirectory.
1968 ## <param name="domain">
1970 ## Domain allowed access.
1974 interface(`userdom_manage_user_home_content_sockets',`
1976 type user_home_dir_t, user_home_t;
1979 allow $1 user_home_dir_t:dir search_dir_perms;
1980 manage_sock_files_pattern($1, user_home_t, user_home_t)
1981 files_search_home($1)
1984 ########################################
1986 ## Create objects in a user home directory
1987 ## with an automatic type transition to
1988 ## a specified private type.
1990 ## <param name="domain">
1992 ## Domain allowed access.
1995 ## <param name="private_type">
1997 ## The type of the object to create.
2000 ## <param name="object_class">
2002 ## The class of the object to be created.
2006 interface(`userdom_user_home_dir_filetrans',`
2008 type user_home_dir_t;
2011 filetrans_pattern($1, user_home_dir_t, $2, $3)
2012 files_search_home($1)
2015 ########################################
2017 ## Create objects in a user home directory
2018 ## with an automatic type transition to
2019 ## a specified private type.
2021 ## <param name="domain">
2023 ## Domain allowed access.
2026 ## <param name="private_type">
2028 ## The type of the object to create.
2031 ## <param name="object_class">
2033 ## The class of the object to be created.
2037 interface(`userdom_user_home_content_filetrans',`
2039 type user_home_dir_t, user_home_t;
2042 filetrans_pattern($1, user_home_t, $2, $3)
2043 allow $1 user_home_dir_t:dir search_dir_perms;
2044 files_search_home($1)
2047 ########################################
2049 ## Create objects in a user home directory
2050 ## with an automatic type transition to
2051 ## the user home file type.
2053 ## <param name="domain">
2055 ## Domain allowed access.
2058 ## <param name="object_class">
2060 ## The class of the object to be created.
2064 interface(`userdom_user_home_dir_filetrans_user_home_content',`
2066 type user_home_dir_t, user_home_t;
2069 filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
2070 files_search_home($1)
2073 ########################################
2075 ## Write to user temporary named sockets.
2077 ## <param name="domain">
2079 ## Domain allowed access.
2083 interface(`userdom_write_user_tmp_sockets',`
2088 allow $1 user_tmp_t:sock_file write_sock_file_perms;
2089 files_search_tmp($1)
2092 ########################################
2094 ## List user temporary directories.
2096 ## <param name="domain">
2098 ## Domain allowed access.
2102 interface(`userdom_list_user_tmp',`
2107 allow $1 user_tmp_t:dir list_dir_perms;
2108 files_search_tmp($1)
2111 ########################################
2113 ## Do not audit attempts to list user
2114 ## temporary directories.
2116 ## <param name="domain">
2118 ## Domain to not audit.
2122 interface(`userdom_dontaudit_list_user_tmp',`
2127 dontaudit $1 user_tmp_t:dir list_dir_perms;
2130 ########################################
2132 ## Do not audit attempts to manage users
2133 ## temporary directories.
2135 ## <param name="domain">
2137 ## Domain to not audit.
2141 interface(`userdom_dontaudit_manage_user_tmp_dirs',`
2146 dontaudit $1 user_tmp_t:dir manage_dir_perms;
2149 ########################################
2151 ## Read user temporary files.
2153 ## <param name="domain">
2155 ## Domain allowed access.
2159 interface(`userdom_read_user_tmp_files',`
2164 read_files_pattern($1, user_tmp_t, user_tmp_t)
2165 allow $1 user_tmp_t:dir list_dir_perms;
2166 files_search_tmp($1)
2169 ########################################
2171 ## Do not audit attempts to read users temporary files.
2174 ## <param name="domain">
2176 ## Domain to not audit.
2180 interface(`userdom_dontaudit_read_user_tmp_files',`
2185 dontaudit $1 user_tmp_t:file read_file_perms;
2188 ########################################
2190 ## Do not audit attempts to append users temporary files.
2193 ## <param name="domain">
2195 ## Domain to not audit.
2199 interface(`userdom_dontaudit_append_user_tmp_files',`
2204 dontaudit $1 user_tmp_t:file append_file_perms;
2207 ########################################
2209 ## Read and write user temporary files.
2211 ## <param name="domain">
2213 ## Domain allowed access.
2217 interface(`userdom_rw_user_tmp_files',`
2222 allow $1 user_tmp_t:dir list_dir_perms;
2223 rw_files_pattern($1, user_tmp_t, user_tmp_t)
2224 files_search_tmp($1)
2227 ########################################
2229 ## Do not audit attempts to manage users temporary files.
2232 ## <param name="domain">
2234 ## Domain to not audit.
2238 interface(`userdom_dontaudit_manage_user_tmp_files',`
2243 dontaudit $1 user_tmp_t:file manage_file_perms;
2246 ########################################
2248 ## Read user temporary symbolic links.
2250 ## <param name="domain">
2252 ## Domain allowed access.
2256 interface(`userdom_read_user_tmp_symlinks',`
2261 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2262 allow $1 user_tmp_t:dir list_dir_perms;
2263 files_search_tmp($1)
2266 ########################################
2268 ## Create, read, write, and delete user
2269 ## temporary directories.
2271 ## <param name="domain">
2273 ## Domain allowed access.
2277 interface(`userdom_manage_user_tmp_dirs',`
2282 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
2283 files_search_tmp($1)
2286 ########################################
2288 ## Create, read, write, and delete user temporary files.
2291 ## <param name="domain">
2293 ## Domain allowed access.
2297 interface(`userdom_manage_user_tmp_files',`
2302 manage_files_pattern($1, user_tmp_t, user_tmp_t)
2303 files_search_tmp($1)
2306 ########################################
2308 ## Create, read, write, and delete user
2309 ## temporary symbolic links.
2311 ## <param name="domain">
2313 ## Domain allowed access.
2317 interface(`userdom_manage_user_tmp_symlinks',`
2322 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2323 files_search_tmp($1)
2326 ########################################
2328 ## Create, read, write, and delete user
2329 ## temporary named pipes.
2331 ## <param name="domain">
2333 ## Domain allowed access.
2337 interface(`userdom_manage_user_tmp_pipes',`
2342 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
2343 files_search_tmp($1)
2346 ########################################
2348 ## Create, read, write, and delete user
2349 ## temporary named sockets.
2351 ## <param name="domain">
2353 ## Domain allowed access.
2357 interface(`userdom_manage_user_tmp_sockets',`
2362 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
2363 files_search_tmp($1)
2366 ########################################
2368 ## Create objects in a user temporary directory
2369 ## with an automatic type transition to
2370 ## a specified private type.
2372 ## <param name="domain">
2374 ## Domain allowed access.
2377 ## <param name="private_type">
2379 ## The type of the object to create.
2382 ## <param name="object_class">
2384 ## The class of the object to be created.
2388 interface(`userdom_user_tmp_filetrans',`
2393 filetrans_pattern($1, user_tmp_t, $2, $3)
2394 files_search_tmp($1)
2397 ########################################
2399 ## Create objects in the temporary directory
2400 ## with an automatic type transition to
2401 ## the user temporary type.
2403 ## <param name="domain">
2405 ## Domain allowed access.
2408 ## <param name="object_class">
2410 ## The class of the object to be created.
2414 interface(`userdom_tmp_filetrans_user_tmp',`
2419 files_tmp_filetrans($1, user_tmp_t, $2)
2422 ########################################
2424 ## Read user tmpfs files.
2426 ## <param name="domain">
2428 ## Domain allowed access.
2432 interface(`userdom_read_user_tmpfs_files',`
2437 read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2438 allow $1 user_tmpfs_t:dir list_dir_perms;
2442 ########################################
2444 ## Read and write user tmpfs files.
## Also reads symbolic links of the user tmpfs type and lists
## its directories; the read-only variant is
## userdom_read_user_tmpfs_files.
2446 ## <param name="domain">
2448 ## Domain allowed access.
2452 interface(`userdom_rw_user_tmpfs_files',`
2457 rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2458 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2459 allow $1 user_tmpfs_t:dir list_dir_perms;
2463 ########################################
2465 ## Create, read, write, and delete user tmpfs files.
2467 ## <param name="domain">
2469 ## Domain allowed access.
2473 interface(`userdom_manage_user_tmpfs_files',`
2478 manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2479 allow $1 user_tmpfs_t:dir list_dir_perms;
2483 ########################################
2485 ## Get the attributes of a user domain tty.
2487 ## <param name="domain">
2489 ## Domain allowed access.
2493 interface(`userdom_getattr_user_ttys',`
2495 type user_tty_device_t;
2498 allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
2501 ########################################
2503 ## Do not audit attempts to get the attributes of a user domain tty.
2505 ## <param name="domain">
2507 ## Domain to not audit.
2511 interface(`userdom_dontaudit_getattr_user_ttys',`
2513 type user_tty_device_t;
2516 dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
2519 ########################################
2521 ## Set the attributes of a user domain tty.
2523 ## <param name="domain">
2525 ## Domain allowed access.
2529 interface(`userdom_setattr_user_ttys',`
2531 type user_tty_device_t;
2534 allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
2537 ########################################
2539 ## Do not audit attempts to set the attributes of a user domain tty.
2541 ## <param name="domain">
2543 ## Domain to not audit.
2547 interface(`userdom_dontaudit_setattr_user_ttys',`
2549 type user_tty_device_t;
2552 dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
2555 ########################################
2557 ## Read and write a user domain tty.
## As with userdom_use_user_terminals, this lets the domain read
## what the user types and write into the user's session, so it
## can spy on or inject into the session; grant it only to domains
## that genuinely interact with the user on the terminal.
2559 ## <param name="domain">
2561 ## Domain allowed access.
2565 interface(`userdom_use_user_ttys',`
2567 type user_tty_device_t;
2570 allow $1 user_tty_device_t:chr_file rw_term_perms;
2573 ########################################
2575 ## Read and write a user domain pty.
## As with userdom_use_user_terminals, this lets the domain read
## what the user types and write into the user's session, so it
## can spy on or inject into the session; grant it only to domains
## that genuinely interact with the user on the terminal.
2577 ## <param name="domain">
2579 ## Domain allowed access.
2583 interface(`userdom_use_user_ptys',`
2588 allow $1 user_devpts_t:chr_file rw_term_perms;
2591 ########################################
2593 ## Read and write a user TTYs and PTYs.
2597 ## Allow the specified domain to read and write user
2598 ## TTYs and PTYs. This will allow the domain to
2599 ## interact with the user via the terminal. Typically
2600 ## all interactive applications will require this access.
2604 ## However, this also allows the applications to spy
2605 ## on user sessions or inject information into the
2606 ## user session. Thus, this access should likely
2607 ## not be allowed for non-interactive domains.
2610 ## <param name="domain">
2612 ## Domain allowed access.
2615 ## <infoflow type="both" weight="10"/>
2617 interface(`userdom_use_user_terminals',`
2619 type user_tty_device_t, user_devpts_t;
2622 allow $1 user_tty_device_t:chr_file rw_term_perms;
2623 allow $1 user_devpts_t:chr_file rw_term_perms;
2627 ########################################
2629 ## Do not audit attempts to read and write
2630 ## a user domain tty and pty.
2632 ## <param name="domain">
2634 ## Domain to not audit.
2638 interface(`userdom_dontaudit_use_user_terminals',`
2640 type user_tty_device_t, user_devpts_t;
2643 dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
2644 dontaudit $1 user_devpts_t:chr_file rw_term_perms;
2647 ########################################
2649 ## Execute a shell in all user domains. This
2650 ## is an explicit transition, requiring the
2651 ## caller to use setexeccon().
2653 ## <param name="domain">
2655 ## Domain allowed to transition.
2659 interface(`userdom_spec_domtrans_all_users',`
2661 attribute userdomain;
2664 corecmd_shell_spec_domtrans($1, userdomain)
2665 allow userdomain $1:fd use;
2666 allow userdomain $1:fifo_file rw_file_perms;
2667 allow userdomain $1:process sigchld;
2670 ########################################
2672 ## Execute an Xserver session in all user domains. This
2673 ## is an explicit transition, requiring the
2674 ## caller to use setexeccon().
## The target is the userdomain attribute, i.e. every user domain,
## not only the unprivileged subset; the restricted variant is
## userdom_xsession_spec_domtrans_unpriv_users.
2676 ## <param name="domain">
2678 ## Domain allowed to transition.
2682 interface(`userdom_xsession_spec_domtrans_all_users',`
2684 attribute userdomain;
2687 xserver_xsession_spec_domtrans($1, userdomain)
# let the new user session inherit fds from, pipe to and reap via the caller
2688 allow userdomain $1:fd use;
2689 allow userdomain $1:fifo_file rw_file_perms;
2690 allow userdomain $1:process sigchld;
2693 ########################################
2695 ## Execute a shell in all unprivileged user domains. This
2696 ## is an explicit transition, requiring the
2697 ## caller to use setexeccon().
2699 ## <param name="domain">
2701 ## Domain allowed to transition.
2705 interface(`userdom_spec_domtrans_unpriv_users',`
2707 attribute unpriv_userdomain;
2710 corecmd_shell_spec_domtrans($1, unpriv_userdomain)
2711 allow unpriv_userdomain $1:fd use;
2712 allow unpriv_userdomain $1:fifo_file rw_file_perms;
2713 allow unpriv_userdomain $1:process sigchld;
2716 ########################################
2718 ## Execute an Xserver session in all unprivileged user domains. This
2719 ## is an explicit transition, requiring the
2720 ## caller to use setexeccon().
2722 ## <param name="domain">
2724 ## Domain allowed to transition.
2728 interface(`userdom_xsession_spec_domtrans_unpriv_users',`
2730 attribute unpriv_userdomain;
2733 xserver_xsession_spec_domtrans($1, unpriv_userdomain)
2734 allow unpriv_userdomain $1:fd use;
2735 allow unpriv_userdomain $1:fifo_file rw_file_perms;
2736 allow unpriv_userdomain $1:process sigchld;
2739 #######################################
2741 ## Read and write unprivileged user SysV semaphores.
2743 ## <param name="domain">
2745 ## Domain allowed access.
2749 interface(`userdom_rw_unpriv_user_semaphores',`
2751 attribute unpriv_userdomain;
2754 allow $1 unpriv_userdomain:sem rw_sem_perms;
2757 ########################################
2759 ## Manage unprivileged user SysV semaphores.
2761 ## <param name="domain">
2763 ## Domain allowed access.
2767 interface(`userdom_manage_unpriv_user_semaphores',`
2769 attribute unpriv_userdomain;
2772 allow $1 unpriv_userdomain:sem create_sem_perms;
2775 #######################################
2777 ## Read and write unprivileged user SysV shared memory.
2780 ## <param name="domain">
2782 ## Domain allowed access.
2786 interface(`userdom_rw_unpriv_user_shared_mem',`
2788 attribute unpriv_userdomain;
2791 allow $1 unpriv_userdomain:shm rw_shm_perms;
2794 ########################################
2796 ## Manage unprivileged user SysV shared memory.
2799 ## <param name="domain">
2801 ## Domain allowed access.
2805 interface(`userdom_manage_unpriv_user_shared_mem',`
2807 attribute unpriv_userdomain;
2810 allow $1 unpriv_userdomain:shm create_shm_perms;
2813 ########################################
2815 ## Execute bin_t in the unprivileged user domains. This
2816 ## is an explicit transition, requiring the
2817 ## caller to use setexeccon().
2819 ## <param name="domain">
2821 ## Domain allowed to transition.
2825 interface(`userdom_bin_spec_domtrans_unpriv_users',`
2827 attribute unpriv_userdomain;
2830 corecmd_bin_spec_domtrans($1, unpriv_userdomain)
2831 allow unpriv_userdomain $1:fd use;
2832 allow unpriv_userdomain $1:fifo_file rw_file_perms;
2833 allow unpriv_userdomain $1:process sigchld;
2836 ########################################
2838 ## Execute all entrypoint files in unprivileged user
2839 ## domains. This is an explicit transition, requiring the
2840 ## caller to use setexeccon().
2842 ## <param name="domain">
2844 ## Domain allowed to transition.
2848 interface(`userdom_entry_spec_domtrans_unpriv_users',`
2850 attribute unpriv_userdomain;
2853 domain_entry_file_spec_domtrans($1, unpriv_userdomain)
2854 allow unpriv_userdomain $1:fd use;
2855 allow unpriv_userdomain $1:fifo_file rw_file_perms;
2856 allow unpriv_userdomain $1:process sigchld;
2859 ########################################
2861 ## Search user home directories and their content.
2863 ## <param name="domain">
2865 ## Domain allowed access.
2869 interface(`userdom_search_user_home_content',`
2871 type user_home_dir_t, user_home_t;
2875 allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
2878 ########################################
2880 ## Send signull to unprivileged user domains.
2882 ## <param name="domain">
2884 ## Domain allowed access.
2888 interface(`userdom_signull_unpriv_users',`
2890 attribute unpriv_userdomain;
2893 allow $1 unpriv_userdomain:process signull;
2896 ########################################
2898 ## Send general signals to unprivileged user domains.
2900 ## <param name="domain">
2902 ## Domain allowed access.
2906 interface(`userdom_signal_unpriv_users',`
2908 attribute unpriv_userdomain;
2911 allow $1 unpriv_userdomain:process signal;
2914 ########################################
2916 ## Inherit the file descriptors from unprivileged user domains.
2918 ## <param name="domain">
2920 ## Domain allowed access.
2924 interface(`userdom_use_unpriv_users_fds',`
2926 attribute unpriv_userdomain;
2929 allow $1 unpriv_userdomain:fd use;
2932 ########################################
2934 ## Do not audit attempts to inherit the file descriptors
2935 ## from unprivileged user domains.
2939 ## Do not audit attempts to inherit the file descriptors
2940 ## from unprivileged user domains. This will suppress
2941 ## SELinux denial messages when the specified domain is denied
2942 ## the permission to inherit these file descriptors.
2945 ## <param name="domain">
2947 ## Domain to not audit.
2950 ## <infoflow type="none"/>
2952 interface(`userdom_dontaudit_use_unpriv_user_fds',`
2954 attribute unpriv_userdomain;
2957 dontaudit $1 unpriv_userdomain:fd use;
2960 ########################################
2962 ## Do not audit attempts to use user ptys.
2964 ## <param name="domain">
2966 ## Domain to not audit.
2970 interface(`userdom_dontaudit_use_user_ptys',`
# NOTE(review): the allow counterpart (userdom_use_user_ptys) uses
# rw_term_perms while this dontaudit uses rw_file_perms, so the two
# permission sets may not line up exactly. A dontaudit grants nothing,
# so this is a consistency issue rather than an access issue.
2975 dontaudit $1 user_devpts_t:chr_file rw_file_perms;
2978 ########################################
2980 ## Relabel files to the user pty type.
2982 ## <param name="domain">
2984 ## Domain allowed access.
2988 interface(`userdom_relabelto_user_ptys',`
2993 allow $1 user_devpts_t:chr_file relabelto;
2996 ########################################
2998 ## Do not audit attempts to relabel files from the user pty type.
3001 ## <param name="domain">
3003 ## Domain to not audit.
3007 interface(`userdom_dontaudit_relabelfrom_user_ptys',`
3012 dontaudit $1 user_devpts_t:chr_file relabelfrom;
3015 ########################################
3017 ## Write all users' files in /tmp.
3019 ## <param name="domain">
3021 ## Domain allowed access.
3025 interface(`userdom_write_user_tmp_files',`
3030 allow $1 user_tmp_t:file write_file_perms;
3033 ########################################
3035 ## Do not audit attempts to use user ttys.
3037 ## <param name="domain">
3039 ## Domain to not audit.
3043 interface(`userdom_dontaudit_use_user_ttys',`
3045 type user_tty_device_t;
# NOTE(review): the allow counterpart (userdom_use_user_ttys) uses
# rw_term_perms while this dontaudit uses rw_file_perms; worth aligning,
# though a dontaudit never grants access.
3048 dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
3051 ########################################
3053 ## Read the process state of all user domains.
## This is read access to the /proc/&lt;pid&gt; entries (hence
## kernel_search_proc) of every process in a userdomain-labelled
## domain. Process state files typically expose command lines,
## environment and memory layout of the user's processes, so treat
## this as read access to user data and grant it only to
## monitoring-type domains that need it.
3055 ## <param name="domain">
3057 ## Domain allowed access.
3061 interface(`userdom_read_all_users_state',`
3063 attribute userdomain;
# process-state files carry the process's own domain as their type
3066 read_files_pattern($1, userdomain, userdomain)
3067 kernel_search_proc($1)
3070 ########################################
3072 ## Get the attributes of all user domains.
3074 ## <param name="domain">
3076 ## Domain allowed access.
3080 interface(`userdom_getattr_all_users',`
3082 attribute userdomain;
3085 allow $1 userdomain:process getattr;
3088 ########################################
3090 ## Inherit the file descriptors from all user domains
3092 ## <param name="domain">
3094 ## Domain allowed access.
3098 interface(`userdom_use_all_users_fds',`
3100 attribute userdomain;
3103 allow $1 userdomain:fd use;
3106 ########################################
3108 ## Do not audit attempts to inherit the file
3109 ## descriptors from any user domains.
3111 ## <param name="domain">
3113 ## Domain to not audit.
3117 interface(`userdom_dontaudit_use_all_users_fds',`
3119 attribute userdomain;
3122 dontaudit $1 userdomain:fd use;
3125 ########################################
3127 ## Send general signals to all user domains.
3129 ## <param name="domain">
3131 ## Domain allowed access.
3135 interface(`userdom_signal_all_users',`
3137 attribute userdomain;
3140 allow $1 userdomain:process signal;
3143 ########################################
3145 ## Send a SIGCHLD signal to all user domains.
3147 ## <param name="domain">
3149 ## Domain allowed access.
3153 interface(`userdom_sigchld_all_users',`
3155 attribute userdomain;
3158 allow $1 userdomain:process sigchld;
3161 ########################################
3163 ## Create keys for all user domains.
3165 ## <param name="domain">
3167 ## Domain allowed access.
3171 interface(`userdom_create_all_users_keys',`
3173 attribute userdomain;
3176 allow $1 userdomain:key create;
3179 ########################################
3181 ## Send a dbus message to all user domains.
3183 ## <param name="domain">
3185 ## Domain allowed access.
3189 interface(`userdom_dbus_send_all_users',`
3191 attribute userdomain;
3192 class dbus send_msg;
3195 allow $1 userdomain:dbus send_msg;