## <summary>Policy for user domains</summary>

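#######################################
## <summary>
##	The template containing the most basic rules common to all users.
## </summary>
## <desc>
##	<p>
##	The template containing the most basic rules common to all users.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty and pty.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_base_user_template',`

	gen_require(`
		attribute userdomain;
		type user_devpts_t, user_tty_device_t;
		class context contains;
	')

	# $1_file_type is declared here but not referenced in this template.
	# $1_usertype collects every domain that acts on behalf of this user;
	# $1_t is declared as a member just below, so any rule granted to
	# $1_usertype is also granted to $1_t.
	attribute $1_file_type;
	attribute $1_usertype;

	type $1_t, userdomain, $1_usertype;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)
	ubac_constrained($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;

	term_user_pty($1_t, user_devpts_t)

	term_user_tty($1_t, user_tty_device_t)
	term_dontaudit_getattr_generic_ptys($1_t)

	# Intra-user process access: any domain carrying $1_usertype may
	# ptrace, signal and reschedule any other domain carrying it.
	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
	allow $1_usertype $1_usertype:fd use;
	allow $1_usertype $1_t:key { create view read write search link setattr };

	# Intra-user IPC (pipes, unix sockets, SysV shm/sem/msgq).
	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
	allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_usertype $1_usertype:shm create_shm_perms;
	allow $1_usertype $1_usertype:sem create_sem_perms;
	allow $1_usertype $1_usertype:msgq create_msgq_perms;
	allow $1_usertype $1_usertype:msg { send receive };
	allow $1_usertype $1_usertype:context contains;
	dontaudit $1_usertype $1_usertype:socket create;

	allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
	term_create_pty($1_usertype, user_devpts_t)
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_devpts_t:chr_file ioctl;

	allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_tty_device_t:chr_file ioctl;

	application_exec_all($1_usertype)

	# Sysctl reads are granted in full; the remaining kernel_ calls only
	# silence denials on unlabeled objects and /proc listing.
	kernel_read_kernel_sysctls($1_usertype)
	kernel_read_all_sysctls($1_usertype)
	kernel_dontaudit_list_unlabeled($1_usertype)
	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
	kernel_dontaudit_list_proc($1_usertype)

	dev_dontaudit_getattr_all_blk_files($1_usertype)
	dev_dontaudit_getattr_all_chr_files($1_usertype)
	dev_getattr_mtrr_dev($1_t)

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_usertype)
	domain_dontaudit_getattr_all_domains($1_usertype)
	domain_dontaudit_getsession_all_domains($1_usertype)
	dev_dontaudit_all_access_check($1_usertype)

	files_read_etc_files($1_usertype)
	files_list_mnt($1_usertype)
	files_read_mnt_files($1_usertype)
	files_dontaudit_access_check_mnt($1_usertype)
	files_read_etc_runtime_files($1_usertype)
	files_read_usr_files($1_usertype)
	files_read_usr_src_files($1_usertype)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_usertype)
	files_read_world_readable_files($1_usertype)
	files_read_world_readable_symlinks($1_usertype)
	files_read_world_readable_pipes($1_usertype)
	files_read_world_readable_sockets($1_usertype)
	# old browser_domain():
	files_dontaudit_getattr_all_dirs($1_usertype)
	files_dontaudit_list_non_security($1_usertype)
	files_dontaudit_getattr_all_files($1_usertype)
	files_dontaudit_getattr_non_security_symlinks($1_usertype)
	files_dontaudit_getattr_non_security_pipes($1_usertype)
	files_dontaudit_getattr_non_security_sockets($1_usertype)
	files_dontaudit_setattr_etc_runtime_files($1_usertype)

	files_exec_usr_files($1_t)

	# fs is a base module, so no optional_policy wrapper is needed here;
	# this is the single place cgroup listing is granted in this template.
	fs_list_cgroup_dirs($1_usertype)
	fs_dontaudit_rw_cgroup_files($1_usertype)

	storage_rw_fuse($1_usertype)

	auth_use_nsswitch($1_usertype)

	init_stream_connect($1_usertype)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_rw_utmp($1_usertype)

	libs_exec_ld_so($1_usertype)

	logging_send_audit_msgs($1_t)

	# The $1_t calls below are already covered by the $1_usertype calls
	# that follow, since $1_t carries the $1_usertype attribute.
	miscfiles_read_localization($1_t)
	miscfiles_read_generic_certs($1_t)

	miscfiles_read_all_certs($1_usertype)
	miscfiles_read_localization($1_usertype)
	miscfiles_read_man_pages($1_usertype)
	miscfiles_read_public_files($1_usertype)

	# execmem/execstack for the user domain itself are gated by
	# tunables; they are not granted unconditionally.
	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		allow $1_t self:process execstack;
	')

	optional_policy(`
		abrt_stream_connect($1_usertype)
	')

	optional_policy(`
		ssh_rw_stream_sockets($1_usertype)
		ssh_delete_tmp($1_t)
		ssh_signal($1_t)
	')
')
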
#######################################
## <summary>
##	Allow a home directory for which the
##	role has read-only access.
## </summary>
## <desc>
##	<p>
##	Allow a home directory for which the
##	role has read-only access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_ro_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	role $1 types { user_home_t user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	# Keep polyinstantiated home directory instances labelled user_home_dir_t.
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# Read-only view of the home directory tree: the domain can locate,
	# list and read home content but gets no write, create or relabel
	# permission from this interface.
	files_list_home($2)
	allow $2 { user_home_dir_t user_home_t }:dir list_dir_perms;
	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)

	# file:entrypoint lets a user_home_t executable serve as an entry point
	# into $2; execute access itself is not granted here.
	allow $2 user_home_t:file entrypoint;
')

#######################################
## <summary>
##	Allow a home directory for which the
##	role has full access.
## </summary>
## <desc>
##	<p>
##	Allow a home directory for which the
##	role has full access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
		attribute user_home_type;
	')

	role $1 types { user_home_type user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	# Keep polyinstantiated home directory instances labelled user_home_dir_t.
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# full control of the home directory
	allow $2 user_home_t:dir mounton;
	allow $2 user_home_t:file entrypoint;

	# Manage and relabel rules are granted over the whole user_home_type
	# attribute, not just user_home_t; every home content type defined
	# elsewhere with that attribute is reachable from $2.
	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	# New objects created directly in the home dir default to user_home_t.
	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
	files_list_home($2)

	# cjp: this should probably be removed:
	# (grants manage and relabel on the home directory node itself)
	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

	# Network home directories: mount and full manage access, gated by tunable.
	tunable_policy(`use_nfs_home_dirs',`
		fs_mount_nfs($2)
		fs_mounton_nfs($2)
		fs_manage_nfs_dirs($2)
		fs_manage_nfs_files($2)
		fs_manage_nfs_symlinks($2)
		fs_manage_nfs_named_sockets($2)
		fs_manage_nfs_named_pipes($2)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_mount_cifs($2)
		fs_mounton_cifs($2)
		fs_manage_cifs_dirs($2)
		fs_manage_cifs_files($2)
		fs_manage_cifs_symlinks($2)
		fs_manage_cifs_named_sockets($2)
		fs_manage_cifs_named_pipes($2)
	')
')

#######################################
## <summary>
##	Manage user temporary files
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_tmp_role',`
	gen_require(`
		attribute user_tmp_type;
		type user_tmp_t;
	')

	role $1 types user_tmp_t;

	files_poly_member_tmp($2, user_tmp_t)

	# Manage and relabel are granted over the whole user_tmp_type
	# attribute; objects $2 creates in /tmp default to user_tmp_t.
	manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
	manage_files_pattern($2, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
')

#######################################
## <summary>
##	Dontaudit search of user bin dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_bin_dirs',`
	gen_require(`
		type home_bin_t;
	')

	# Suppresses the denial only; no access to home_bin_t is granted.
	dontaudit $1 home_bin_t:dir search_dir_perms;
')

#######################################
## <summary>
##	Execute user bin files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_exec_user_bin_files',`
	gen_require(`
		attribute user_home_type;
		type home_bin_t, user_home_dir_t;
	')

	# Execute (no transition) of home_bin_t files reached through the
	# home directory tree; $1 stays in its own domain.
	exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
	files_search_home($1)
')

#######################################
## <summary>
##	Execute user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_exec_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Execute (no transition) of user_tmp_t files; this is the access
	# the allow_<prefix>_exec_content tunable switches on for a user.
	exec_files_pattern($1, user_tmp_t, user_tmp_t)
	dontaudit $1 user_tmp_t:sock_file execute;
	files_search_tmp($1)
')

#######################################
## <summary>
##	Role access for the user tmpfs type
##	to which the user has full access.
## </summary>
## <desc>
##	<p>
##	Role access for the user tmpfs type
##	to which the user has full access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_manage_tmpfs_role',`
	gen_require(`
		attribute user_tmpfs_type;
		type user_tmpfs_t;
	')

	role $1 types user_tmpfs_t;

	# Manage and relabel are granted over the whole user_tmpfs_type
	# attribute; objects $2 creates on tmpfs default to user_tmpfs_t.
	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
')

#######################################
## <summary>
##	The interface allowing the user basic
##	network permissions
## </summary>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_basic_networking',`

	allow $1 self:tcp_socket create_stream_socket_perms;
	allow $1 self:udp_socket create_socket_perms;

	# Generic interfaces/nodes and every port type are permitted for
	# send/recv, and outbound TCP connect is granted to all port types;
	# this interface imposes no per-port egress restriction.
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_udp_sendrecv_all_ports($1)
	corenet_tcp_connect_all_ports($1)
	corenet_sendrecv_all_client_packets($1)

	optional_policy(`
		init_tcp_recvfrom_all_daemons($1)
		init_udp_recvfrom_all_daemons($1)
	')

	optional_policy(`
		ipsec_match_default_spd($1)
	')

')

#######################################
## <summary>
##	The template for creating a user xwindows client. (Deprecated)
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_xwindows_client_template',`
	# Deprecated: emits a build-time warning and keeps the old rules.
	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
	gen_require(`
		type $1_t, user_tmpfs_t;
	')

	# Direct device access for the X client domain.
	dev_rw_xserver_misc($1_t)
	dev_rw_power_management($1_t)
	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)
	dev_rw_generic_usb_dev($1_t)

	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
	xserver_xsession_entry_type($1_t)
	xserver_dontaudit_write_log($1_t)
	xserver_stream_connect_xdm($1_t)
	# certain apps want to read xdm.pid file
	xserver_read_xdm_pid($1_t)
	# gnome-session creates socket under /tmp/.ICE-unix/
	xserver_create_xdm_tmp_sockets($1_t)
	# Needed for escd, remove if we get escd policy
	xserver_manage_xdm_tmp_files($1_t)
')

#######################################
## <summary>
##	The template for allowing the user to change passwords.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_change_password_template',`
	gen_require(`
		type $1_t;
		role $1_r;
	')

	# Domain transitions into the chfn and passwd domains for $1_t,
	# with the target domains added to role $1_r. Nothing is granted
	# if the usermanage module is absent.
	optional_policy(`
		usermanage_run_chfn($1_t,$1_r)
		usermanage_run_passwd($1_t,$1_r)
	')
')

#######################################
## <summary>
##	The template containing rules common to unprivileged
##	users and administrative users.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_common_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# NOTE(review): $1_t, $1_r and $1_usertype are used below but not
	# listed in gen_require; this template relies on being expanded in
	# the same module that declares them.
	userdom_basic_networking($1_usertype)

	##############################
	#
	# User domain Local policy
	#

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
	allow $1_t self:socket create_socket_perms;

	allow $1_usertype unpriv_userdomain:fd use;

	kernel_read_system_state($1_usertype)
	kernel_read_network_state($1_usertype)
	kernel_read_software_raid_state($1_usertype)
	kernel_read_net_sysctls($1_usertype)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_usertype)
	# Find CDROM devices:
	kernel_read_device_sysctls($1_usertype)
	# Lets the user domain trigger kernel module auto-loading.
	kernel_request_load_module($1_usertype)

	corenet_udp_bind_generic_node($1_usertype)
	corenet_udp_bind_generic_port($1_usertype)

	dev_read_rand($1_usertype)
	dev_write_sound($1_usertype)
	dev_read_sound($1_usertype)
	dev_read_sound_mixer($1_usertype)
	dev_write_sound_mixer($1_usertype)

	files_exec_etc_files($1_usertype)
	files_search_locks($1_usertype)
	# Check to see if cdrom is mounted
	files_search_mnt($1_usertype)
	# cjp: perhaps should cut back on file reads:
	files_read_var_files($1_usertype)
	files_read_var_symlinks($1_usertype)
	files_read_generic_spool($1_usertype)
	files_read_var_lib_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)
	files_read_config_files($1_usertype)
	fs_read_noxattr_fs_files($1_usertype)
	fs_read_noxattr_fs_symlinks($1_usertype)
	fs_rw_cgroup_files($1_usertype)

	application_getattr_socket($1_usertype)

	logging_send_syslog_msg($1_usertype)
	logging_send_audit_msgs($1_usertype)
	selinux_get_enforce_mode($1_usertype)

	# cjp: some of this probably can be removed
	# (read-only queries of the security server; no policy load or
	# enforcement-mode change is granted here)
	selinux_get_fs_mount($1_usertype)
	selinux_validate_context($1_usertype)
	selinux_compute_access_vector($1_usertype)
	selinux_compute_create_context($1_usertype)
	selinux_compute_relabel_context($1_usertype)
	selinux_compute_user_contexts($1_usertype)

	# for eject
	storage_getattr_fixed_disk_dev($1_usertype)

	auth_read_login_records($1_usertype)
	auth_run_pam($1_t,$1_r)
	auth_run_utempter($1_t,$1_r)

	init_read_utmp($1_usertype)

	seutil_read_file_contexts($1_usertype)
	seutil_read_default_contexts($1_usertype)
	seutil_run_newrole($1_t,$1_r)
	seutil_exec_checkpolicy($1_t)
	seutil_exec_setfiles($1_usertype)
	# for when the network connection is killed
	# this is needed when a login role can change
	# to this one.
	seutil_dontaudit_signal_newrole($1_t)

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_usertype)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_ttys($1_t)
	')

	optional_policy(`
		alsa_read_rw_config($1_usertype)
		alsa_manage_home_files($1_t)
		alsa_relabel_home_files($1_t)
	')

	optional_policy(`
		# Allow graphical boot to check battery lifespan
		apm_stream_connect($1_usertype)
	')

	optional_policy(`
		canna_stream_connect($1_usertype)
	')

	optional_policy(`
		chrome_role($1_r, $1_usertype)
	')

	optional_policy(`
		colord_read_lib_files($1_usertype)
	')

	# System bus access plus per-service dbus chat; each inner block
	# only takes effect when that service's module is present.
	optional_policy(`
		dbus_system_bus_client($1_usertype)

		allow $1_usertype $1_usertype:dbus send_msg;

		optional_policy(`
			avahi_dbus_chat($1_usertype)
		')

		optional_policy(`
			policykit_dbus_chat($1_usertype)
		')

		optional_policy(`
			bluetooth_dbus_chat($1_usertype)
		')

		optional_policy(`
			consolekit_dbus_chat($1_usertype)
			consolekit_read_log($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
		')

		optional_policy(`
			evolution_dbus_chat($1_usertype)
			evolution_alarm_dbus_chat($1_usertype)
		')

		optional_policy(`
			gnome_dbus_chat_gconfdefault($1_usertype)
		')

		optional_policy(`
			hal_dbus_chat($1_usertype)
		')

		optional_policy(`
			kde_dbus_chat_backlighthelper($1_usertype)
		')

		optional_policy(`
			modemmanager_dbus_chat($1_usertype)
		')

		optional_policy(`
			networkmanager_dbus_chat($1_usertype)
			networkmanager_read_lib_files($1_usertype)
		')

		optional_policy(`
			vpn_dbus_chat($1_usertype)
		')
	')

	optional_policy(`
		git_session_role($1_r, $1_usertype)
	')

	optional_policy(`
		inetd_use_fds($1_usertype)
		inetd_rw_tcp_sockets($1_usertype)
	')

	optional_policy(`
		inn_read_config($1_usertype)
		inn_read_news_lib($1_usertype)
		inn_read_news_spool($1_usertype)
	')

	optional_policy(`
		lircd_stream_connect($1_usertype)
	')

	optional_policy(`
		locate_read_lib_files($1_usertype)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`
		modutils_read_module_config($1_usertype)
	')

	optional_policy(`
		mta_rw_spool($1_usertype)
		mta_manage_queue($1_usertype)
		mta_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		nsplugin_role($1_r, $1_usertype)
	')

	# Database client access is double-gated: module present and
	# the corresponding allow_user_*_connect tunable enabled.
	optional_policy(`
		tunable_policy(`allow_user_mysql_connect',`
			mysql_stream_connect($1_t)
		')
	')

	optional_policy(`
		oident_manage_user_content($1_t)
		oident_relabel_user_content($1_t)
	')

	optional_policy(`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_usertype)
	')

	optional_policy(`
		pcscd_read_pub_files($1_usertype)
		pcscd_stream_connect($1_usertype)
	')

	optional_policy(`
		tunable_policy(`allow_user_postgresql_connect',`
			postgresql_stream_connect($1_usertype)
			postgresql_tcp_connect($1_usertype)
		')
	')

	optional_policy(`
		resmgr_stream_connect($1_usertype)
	')

	optional_policy(`
		rpc_dontaudit_getattr_exports($1_usertype)
		rpc_manage_nfs_rw_content($1_usertype)
	')

	optional_policy(`
		rpcbind_stream_connect($1_usertype)
	')

	optional_policy(`
		samba_stream_connect_winbind($1_usertype)
	')

	optional_policy(`
		sandbox_transition($1_usertype, $1_r)
	')

	optional_policy(`
		seunshare_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		slrnpull_search_spool($1_usertype)
	')

')

#######################################
## <summary>
##	The template for creating a login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_login_user_template', `
	gen_require(`
		class context contains;
	')

	# Base domain, then full home, tmp and tmpfs access for the role.
	userdom_base_user_template($1)

	userdom_manage_home_role($1_r, $1_usertype)

	userdom_manage_tmp_role($1_r, $1_usertype)
	userdom_manage_tmpfs_role($1_r, $1_usertype)

	# Per-user exec-content tunable (default true); skipped when the
	# prefix is "unconfined".
	ifelse(`$1',`unconfined',`',`
		gen_tunable(allow_$1_exec_content, true)

		tunable_policy(`allow_$1_exec_content',`
			userdom_exec_user_tmp_files($1_usertype)
			userdom_exec_user_home_content_files($1_usertype)
		')
		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
			fs_exec_nfs_files($1_usertype)
		')

		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
			fs_exec_cifs_files($1_usertype)
		')
	')

	userdom_change_password_template($1)

	##############################
	#
	# User domain Local policy
	#

	# Capabilities held by the user domain itself.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };

	# Every process permission on self except the listed ones; execmem
	# and execstack remain gated by the tunables in
	# userdom_base_user_template.
	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
	dontaudit $1_t self:process setrlimit;
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	allow $1_t self:context contains;

	kernel_dontaudit_read_system_state($1_usertype)
	kernel_dontaudit_list_all_proc($1_usertype)

	dev_read_sysfs($1_usertype)
	dev_read_urand($1_usertype)

	domain_use_interactive_fds($1_usertype)
	# Command completion can fire hundreds of denials
	domain_dontaudit_exec_all_entry_files($1_usertype)

	files_dontaudit_list_default($1_usertype)
	files_dontaudit_read_default_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)

	fs_get_all_fs_quotas($1_usertype)
	fs_getattr_all_fs($1_usertype)
	fs_search_all($1_usertype)
	fs_list_inotifyfs($1_usertype)
	fs_rw_anon_inodefs_files($1_usertype)

	auth_dontaudit_write_login_records($1_t)
	auth_rw_cache($1_t)

	# Stop warnings about access to /dev/console
	init_dontaudit_use_fds($1_usertype)
	init_dontaudit_use_script_fds($1_usertype)

	libs_exec_lib_files($1_usertype)

	logging_dontaudit_getattr_all_logs($1_usertype)

	# for running TeX programs
	miscfiles_read_tetex_data($1_usertype)
	miscfiles_exec_tetex_data($1_usertype)

	seutil_read_config($1_usertype)

	optional_policy(`
		cups_read_config($1_usertype)
		cups_stream_connect($1_usertype)
		cups_stream_connect_ptal($1_usertype)
	')

	optional_policy(`
		kerberos_use($1_usertype)
		kerberos_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		mta_dontaudit_read_spool_symlinks($1_usertype)
	')

	optional_policy(`
		quota_dontaudit_getattr_db($1_usertype)
	')

	optional_policy(`
		rpm_read_db($1_usertype)
		rpm_dontaudit_manage_db($1_usertype)
		rpm_read_cache($1_usertype)
	')

	optional_policy(`
		oddjob_run_mkhomedir($1_t, $1_r)
	')
')

#######################################
## <summary>
##	The template for creating an unprivileged login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	userdom_login_user_template($1)

	# Marks the domain as unprivileged; constraints and rules keyed on
	# unpriv_userdomain elsewhere in the policy apply to $1_t.
	typeattribute $1_t unpriv_userdomain;
	domain_interactive_fd($1_t)

	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;

	##############################
	#
	# Local policy
	#

	optional_policy(`
		loadkeys_run($1_t,$1_r)
	')
')

#######################################
## <summary>
##	The template for creating an unprivileged xwindows login user.
## </summary>
## <desc>
##	<p>
##	The template for creating an unprivileged xwindows login user.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_xwindows_user_template',`

	userdom_restricted_user_template($1)

	##############################
	#
	# Local policy
	#

	auth_role($1_r, $1_t)
	auth_search_pam_console_data($1_usertype)
	auth_dontaudit_read_login_records($1_usertype)

	dev_read_sound($1_usertype)
	dev_write_sound($1_usertype)
	# gnome keyring wants to read this.
	# (inert while the allow two lines below is in place; it only
	# matters if that allow is removed again)
	dev_dontaudit_read_rand($1_usertype)
	# temporarily allow since openoffice requires this
	dev_read_rand($1_usertype)

	dev_read_video_dev($1_usertype)
	dev_write_video_dev($1_usertype)
	dev_rw_wireless($1_usertype)

	libs_dontaudit_setattr_lib_files($1_usertype)

	# Removable media and non-xattr filesystems, gated by tunable.
	# NOTE(review): dev_rw_usbfs is granted to $1_t only, while the
	# sibling calls target $1_usertype — confirm whether intentional.
	tunable_policy(`user_rw_noexattrfile',`
		dev_rw_usbfs($1_t)
		dev_rw_generic_usb_dev($1_usertype)

		fs_manage_noxattr_fs_files($1_usertype)
		fs_manage_noxattr_fs_dirs($1_usertype)
		fs_manage_dos_dirs($1_usertype)
		fs_manage_dos_files($1_usertype)
		storage_raw_read_removable_device($1_usertype)
		storage_raw_write_removable_device($1_usertype)
	')

	logging_send_syslog_msg($1_usertype)
	# Inert while logging_send_audit_msgs($1_t) below remains.
	logging_dontaudit_send_audit_msgs($1_t)

	# Need to do this just so screensaver will work. Should be moved to screensaver domain
	logging_send_audit_msgs($1_t)
	selinux_get_enforce_mode($1_t)
	seutil_exec_restorecond($1_t)
	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)

	xserver_restricted_role($1_r, $1_t)

	optional_policy(`
		alsa_read_rw_config($1_usertype)
	')

	# cjp: needed by KDE apps
	# bug: #682499
	optional_policy(`
		gnome_read_usr_config($1_usertype)
		gnome_role_gkeyringd($1, $1_r, $1_t)
		# cjp: telepathy F15 bugs
		telepathy_dbus_session_role($1_r, $1_t, $1)
	')

	# Session and system bus access plus per-service dbus chat; each
	# inner block only takes effect when that service's module is present.
	optional_policy(`
		dbus_role_template($1, $1_r, $1_usertype)
		dbus_system_bus_client($1_usertype)
		allow $1_usertype $1_usertype:dbus send_msg;

		optional_policy(`
			abrt_dbus_chat($1_usertype)
			abrt_run_helper($1_usertype, $1_r)
		')

		optional_policy(`
			consolekit_dontaudit_read_log($1_usertype)
			consolekit_dbus_chat($1_usertype)
		')

		optional_policy(`
			cups_dbus_chat($1_usertype)
			cups_dbus_chat_config($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
		')

		optional_policy(`
			fprintd_dbus_chat($1_t)
		')
	')

	optional_policy(`
		openoffice_role_template($1, $1_r, $1_usertype)
	')

	optional_policy(`
		policykit_role($1_r, $1_usertype)
	')

	optional_policy(`
		pulseaudio_role($1_r, $1_usertype)
		pulseaudio_filetrans_admin_home_content($1_usertype)
		pulseaudio_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		rtkit_scheduled($1_usertype)
	')

	optional_policy(`
		setroubleshoot_dontaudit_stream_connect($1_t)
	')

	optional_policy(`
		udev_read_db($1_usertype)
	')

	optional_policy(`
		wm_role_template($1, $1_r, $1_t)
	')
')

#######################################
## <summary>
##	The template for creating an unprivileged user roughly
##	equivalent to a regular linux user.
## </summary>
## <desc>
##	<p>
##	The template for creating an unprivileged user roughly
##	equivalent to a regular linux user.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_unpriv_user_template', `

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_restricted_xwindows_user_template($1)
	userdom_common_user_template($1)

	##############################
	#
	# Local policy
	#

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
	# Need the following rule to allow users to run vpnc
	corenet_tcp_bind_xserver_port($1_t)
	corenet_tcp_bind_generic_node($1_usertype)

	storage_rw_fuse($1_t)

	miscfiles_read_hwdata($1_usertype)

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols

	# Each of the three booleans below is off by default in the sense that the
	# rule inside only exists while the boolean is enabled.
	tunable_policy(`user_share_music',`
		corenet_tcp_bind_daap_port($1_usertype)
	')

	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_all_unreserved_ports($1_usertype)
	')

	tunable_policy(`user_setrlimit',`
		allow $1_usertype self:process setrlimit;
	')

	optional_policy(`
		cdrecord_role($1_r, $1_t)
	')

	optional_policy(`
		cron_role($1_r, $1_t)
	')

	optional_policy(`
		games_rw_data($1_usertype)
	')

	optional_policy(`
		gpg_role($1_r, $1_usertype)
	')

	optional_policy(`
		gnomeclock_dbus_chat($1_t)
	')

	optional_policy(`
		gpm_stream_connect($1_usertype)
	')

	# The *_role_template calls below create per-user derived domains
	# (execmem, java, mono, wine) rather than granting the access to $1_t itself.
	optional_policy(`
		execmem_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		java_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mono_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		mount_run_fusermount($1_t, $1_r)
		mount_read_pid_files($1_t)
	')

	optional_policy(`
		wine_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		postfix_run_postdrop($1_t, $1_r)
	')

	# Run pppd in pppd_t by default for user
	optional_policy(`
		ppp_run_cond($1_t, $1_r)
	')
')
1285
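#######################################
## <summary>
##	The template for creating an administrative user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	The privileges given to administrative users are:
##	<ul>
##	<li>Raw disk access</li>
##	<li>Set all sysctls</li>
##	<li>All kernel ring buffer controls</li>
##	<li>Create, read, write, and delete all files but shadow</li>
##	<li>Manage source and binary format SELinux policy</li>
##	<li>Run insmod</li>
##	</ul>
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., sysadm
##	is the prefix for sysadm_t).
##	</summary>
## </param>
#
template(`userdom_admin_user_template',`
	gen_require(`
		attribute admindomain;
		class passwd { passwd chfn chsh rootok crontab };
	')

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_login_user_template($1)
	userdom_common_user_template($1)

	domain_obj_id_change_exemption($1_t)
	role system_r types $1_t;

	typeattribute $1_t admindomain;

	ifdef(`direct_sysadm_daemon',`
		domain_system_change_exemption($1_t)
	')

	##############################
	#
	# $1_t local policy
	#

	# Every capability except module loading and audit control; module
	# loading goes through the optional modutils domain transition below.
	allow $1_t self:capability ~{ sys_module audit_control audit_write };
	allow $1_t self:capability2 syslog;
	allow $1_t self:process { setexec setfscreate };
	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
	allow $1_t self:tun_socket create;
	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };
	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctls($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	kernel_signal($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_rw_tun_tap_dev($1_t)

	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)
	# for lsof
	dev_getattr_mtrr_dev($1_t)
	# Allow MAKEDEV to work
	dev_create_all_blk_files($1_t)
	dev_create_all_chr_files($1_t)
	dev_delete_all_blk_files($1_t)
	dev_delete_all_chr_files($1_t)
	dev_rename_all_blk_files($1_t)
	dev_rename_all_chr_files($1_t)
	dev_create_generic_symlinks($1_t)
	dev_rw_generic_usb_dev($1_t)
	dev_rw_usbfs($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	domain_getattr_all_domains($1_t)
	domain_getcap_all_domains($1_t)
	# ptrace of other domains is deliberately not granted, only silenced.
	domain_dontaudit_ptrace_all_domains($1_t)
	# signal all domains (the duplicated sigstop call was collapsed into one):
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)
	domain_dontaudit_getattr_all_sockets($1_t)

	files_exec_usr_src_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_getattr_all_files($1_t)
	fs_list_all($1_t)
	fs_set_all_quotas($1_t)
	fs_exec_noxattr($1_t)

	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)
	storage_dontaudit_read_fixed_disk($1_t)

	term_use_all_inherited_terms($1_t)
	term_use_unallocated_ttys($1_t)

	# Shadow is the one file class left out of the manage/relabel rules below;
	# only its attributes may be read here.
	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	init_telinit($1_t)

	logging_send_syslog_msg($1_t)

	optional_policy(`
		modutils_domtrans_insmod($1_t)
		modutils_domtrans_depmod($1_t)
	')

	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_policy($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_bin_policy($1_t)

	userdom_manage_user_home_content_dirs($1_t)
	userdom_manage_user_home_content_files($1_t)
	userdom_manage_user_home_content_symlinks($1_t)
	userdom_manage_user_home_content_pipes($1_t)
	userdom_manage_user_home_content_sockets($1_t)
	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })

	# With user_rw_noexattrfile off the admin can still read, but not write,
	# filesystems that cannot carry labels.
	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files($1_t)
		fs_manage_noxattr_fs_dirs($1_t)
	',`
		fs_read_noxattr_fs_files($1_t)
	')

	optional_policy(`
		postgresql_unconfined($1_t)
	')

	optional_policy(`
		userhelper_exec($1_t)
	')
')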
1468
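########################################
## <summary>
##	Allow user to run as a secadm
## </summary>
## <desc>
##	<p>
##	Grant the privileges of a security administrator:
##	set the SELinux enforcing mode, booleans and
##	parameters, manage the policy store, contexts
##	and policy configuration files, run the policy
##	tools, relabel all files including shadow, and
##	read the audit and generic logs.
##	</p>
##	<p>
##	This is a templated interface, and should only
##	be called from a per-userdomain template.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access (the role that may run the
##	policy and audit tools).
##	</summary>
## </param>
#
template(`userdom_security_admin_template',`
	# DAC bypass: with the relabel and policy rules below this is a
	# fully trusted domain for the security of the system.
	allow $1 self:capability { dac_read_search dac_override };

	corecmd_exec_shell($1)

	domain_obj_id_change_exemption($1)

	dev_relabel_all_dev_nodes($1)

	files_create_boot_flag($1)
	files_create_default_dir($1)
	files_root_filetrans_default($1, dir)

	# Necessary for managing /boot/efi
	fs_manage_dos_files($1)

	# MLS: read up and move file sensitivity in both directions.
	mls_process_read_up($1)
	mls_file_read_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	selinux_set_enforce_mode($1)
	selinux_set_all_booleans($1)
	selinux_set_parameters($1)
	selinux_read_policy($1)

	auth_relabel_all_files_except_shadow($1)
	auth_relabel_shadow($1)

	init_exec($1)

	logging_send_syslog_msg($1)
	logging_read_audit_log($1)
	logging_read_generic_logs($1)
	logging_read_audit_config($1)

	# Policy management: the manage_* calls were listed twice in the
	# original; the second copy was dropped as it added no access.
	seutil_manage_bin_policy($1)
	seutil_manage_default_contexts($1)
	seutil_manage_file_contexts($1)
	seutil_manage_module_store($1)
	seutil_manage_config($1)
	seutil_run_checkpolicy($1, $2)
	seutil_run_loadpolicy($1, $2)
	seutil_run_semanage($1, $2)
	seutil_run_setsebool($1, $2)
	seutil_run_setfiles($1, $2)

	optional_policy(`
		aide_run($1, $2)
	')

	optional_policy(`
		consoletype_exec($1)
	')

	optional_policy(`
		dmesg_exec($1)
	')

	optional_policy(`
		ipsec_run_setkey($1, $2)
	')

	optional_policy(`
		netlabel_run_mgmt($1, $2)
	')

	optional_policy(`
		samhain_run($1, $2)
	')
')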
1572
########################################
## <summary>
##	Make the specified type usable in a
##	user home directory.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a file in the
##	user home directory.
##	</summary>
## </param>
#
interface(`userdom_user_home_content',`
	gen_require(`
		type user_home_t;
		attribute user_home_type;
	')

	# NOTE(review): the filesystem associate rule against user_home_t looks
	# tied to polyinstantiated home directories (files_poly_member below) — confirm.
	allow $1 user_home_t:filesystem associate;
	files_type($1)
	# Home content is subject to the user-based access control constraints.
	ubac_constrained($1)

	files_poly_member($1)
	# Every interface in this file that targets user_home_type now covers $1.
	typeattribute $1 user_home_type;
')
1598
########################################
## <summary>
##	Make the specified type usable in a
##	generic temporary directory.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a file in the
##	generic temporary directory.
##	</summary>
## </param>
#
interface(`userdom_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Interfaces targeting user_tmp_type cover $1 from here on.
	typeattribute $1 user_tmp_type;

	files_tmp_file($1)
	# Per-user temp content stays bound to its owner by the UBAC constraints.
	ubac_constrained($1)
')
1621
########################################
## <summary>
##	Make the specified type usable in a
##	generic tmpfs_t directory.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a file in the
##	generic tmpfs_t directory.
##	</summary>
## </param>
#
interface(`userdom_user_tmpfs_content',`
	gen_require(`
		attribute user_tmpfs_type;
	')

	# Interfaces targeting user_tmpfs_type cover $1 from here on.
	typeattribute $1 user_tmpfs_type;

	files_tmpfs_file($1)
	# Per-user tmpfs content stays bound to its owner by the UBAC constraints.
	ubac_constrained($1)
')
1644
########################################
## <summary>
##	Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_attach_admin_tun_iface',`
	gen_require(`
		attribute admindomain;
	')

	# Taking over the interface is a relabel: relabelfrom on the admin
	# domain's tun socket plus relabelto on $1's own.  No other tun_socket
	# access is granted here.
	allow $1 admindomain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')
1663
########################################
## <summary>
##	Set the attributes of a user pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_setattr_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Attribute changes only; no read or write of the pty is granted here.
	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
')
1681
########################################
## <summary>
##	Create a user pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_user_pty',`
	gen_require(`
		type user_devpts_t;
	')

	# Delegated to the terminal module; ptys created by $1 get user_devpts_t.
	term_create_pty($1, user_devpts_t)
')
1699
########################################
## <summary>
##	Get the attributes of user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir getattr_dir_perms;
	# Search on the home root so the path down to the user home dir resolves.
	files_search_home($1)
')
1718
########################################
## <summary>
##	Do not audit attempts to get the attributes of user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Access stays denied; only the AVC denial message is suppressed.
	dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
')
1736
########################################
## <summary>
##	Search user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Search (path traversal) only, not listing; symlinks in the home dir
	# may be followed so paths through them resolve.
	allow $1 user_home_dir_t:dir search_dir_perms;
	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
	files_search_home($1)
')
1756
########################################
## <summary>
##	Do not audit attempts to search user home directories.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to search user home directories.
##	This will suppress SELinux denial messages when the specified
##	domain is denied the permission to search these directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# No information flow: the search is still denied, just not logged.
	dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
1782
########################################
## <summary>
##	List user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir list_dir_perms;
	files_search_home($1)

	# Home directories on NFS or CIFS carry the filesystem's label rather than
	# user_home_dir_t, so listing them is granted separately, gated by the
	# use_nfs_home_dirs / use_samba_home_dirs booleans.
	tunable_policy(`use_nfs_home_dirs',`
		fs_list_nfs($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_list_cifs($1)
	')
')
1809
########################################
## <summary>
##	Do not audit attempts to list user home subdirectories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
		type user_home_t;
	')

	# Covers both the home directory itself and its subdirectories.
	dontaudit $1 user_home_dir_t:dir list_dir_perms;
	dontaudit $1 user_home_t:dir list_dir_perms;
')
1829
########################################
## <summary>
##	Create user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Creation only; see userdom_manage_user_home_dirs for full management.
	allow $1 user_home_dir_t:dir create_dir_perms;
')
1847
########################################
## <summary>
##	Create, read, write, and delete user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Full management of the home directory node itself (not its contents).
	allow $1 user_home_dir_t:dir manage_dir_perms;
')
1865
########################################
## <summary>
##	Relabel to user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabelto_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# One direction only: $1 may give a directory the user_home_dir_t label,
	# but relabelfrom (taking that label away) is not granted here.
	allow $1 user_home_dir_t:dir relabelto;
')
1883
1884
########################################
## <summary>
##	Relabel to user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabelto_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# relabelto only; the bidirectional variant is userdom_relabel_user_home_files.
	allow $1 user_home_t:file relabelto;
')

########################################
## <summary>
##	Relabel user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabel_user_home_files',`
	gen_require(`
		type user_home_t;
	')

	# Both directions (relabelfrom and relabelto) on user home files.
	allow $1 user_home_t:file relabel_file_perms;
')
1919
########################################
## <summary>
##	Create directories in the home dir root with
##	the user home directory type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_home_filetrans_user_home_dir',`
	gen_require(`
		type user_home_dir_t;
	')

	# Directories (only) that $1 creates in the home root are labeled
	# user_home_dir_t automatically.
	files_home_filetrans($1, user_home_dir_t, dir)
')
1938
########################################
## <summary>
##	Do a domain transition to the specified
##	domain when executing a program in the
##	user home directory.
## </summary>
## <desc>
##	<p>
##	Do a domain transition to the specified
##	domain when executing a program in the
##	user home directory.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
#
interface(`userdom_user_home_domtrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# The entry point is any user_home_t file, i.e. content the user can
	# normally write; $2 should be confined with that in mind.
	domain_auto_trans($1, user_home_t, $2)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
1977
########################################
## <summary>
##	Do not audit attempts to search user home content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_home_content',`
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:dir search_dir_perms;
	# NFS/CIFS home content is silenced unconditionally here, not gated by
	# the use_*_home_dirs booleans as the allow interfaces are.
	fs_dontaudit_list_nfs($1)
	fs_dontaudit_list_cifs($1)
')
1997
########################################
## <summary>
##	List contents of users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_home_content',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	files_list_home($1)
	# Listing covers the home dir and every type carrying user_home_type.
	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
')
2017
########################################
## <summary>
##	Create, read, write, and delete directories
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Managed directories get user_home_t; they may live directly in the
	# home dir or under existing user_home_t directories.
	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
2037
########################################
## <summary>
##	Delete directories in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# user_home_t only; the *_all_* variant below covers every user_home_type.
	allow $1 user_home_t:dir delete_dir_perms;
')
2055
########################################
## <summary>
##	Delete all directories in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_home_content_dirs',`
	gen_require(`
		attribute user_home_type;
	')

	# Broad: every type with the user_home_type attribute, not just user_home_t.
	allow $1 user_home_type:dir delete_dir_perms;
')
2073
########################################
## <summary>
##	Set the attributes of user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# NOTE(review): bare setattr here, whereas the dontaudit counterpart uses
	# setattr_file_perms; getattr is not granted by this interface.
	allow $1 user_home_t:file setattr;
')
2092
########################################
## <summary>
##	Do not audit attempts to set the
##	attributes of user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Silences the denial only; the attribute change is still refused.
	dontaudit $1 user_home_t:file setattr_file_perms;
')
2111
########################################
## <summary>
##	Set the attributes of all user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_setattr_all_user_home_content_dirs',`
	gen_require(`
		attribute user_home_type;
	')

	# Applies to every directory type carrying user_home_type.
	allow $1 user_home_type:dir setattr_dir_perms;
')
2130
########################################
## <summary>
##	Mmap user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_mmap_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Map user_home_t files found in the home dir or user_home_t subdirs.
	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
2149
########################################
## <summary>
##	Read user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Listing of the home dir and its user_home_t subdirs, plus read of
	# user_home_t files beneath either.
	list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
2169
########################################
## <summary>
##	Do not audit attempts to getattr user home files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_user_home_content',`
	gen_require(`
		attribute user_home_type;
	')

	# Both dirs and files of every user_home_type type.
	dontaudit $1 user_home_type:dir getattr;
	dontaudit $1 user_home_type:file getattr;
')
2188
########################################
## <summary>
##	Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
		type user_home_dir_t;
	')

	# Silences the whole read path: listing the home dir and content dirs,
	# reading files and following symlinks.  Nothing is granted.
	dontaudit $1 user_home_dir_t:dir list_dir_perms;
	dontaudit $1 user_home_type:dir list_dir_perms;
	dontaudit $1 user_home_type:file read_file_perms;
	dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
')
2210
########################################
## <summary>
##	Do not audit attempts to append user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Append attempts stay denied; only the log noise goes away.
	dontaudit $1 user_home_t:file append_file_perms;
')
2228
########################################
## <summary>
##	Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Write attempts stay denied; only the log noise goes away.
	dontaudit $1 user_home_t:file write_file_perms;
')
2246
########################################
## <summary>
##	Delete files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# user_home_t only; the *_all_* variant covers every user_home_type.
	allow $1 user_home_t:file delete_file_perms;
')
2264
########################################
## <summary>
##	Delete all files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Broad: every file type carrying user_home_type.
	allow $1 user_home_type:file delete_file_perms;
')
2282
########################################
## <summary>
##	Delete sock files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_home_content_sock_files',`
	gen_require(`
		type user_home_t;
	')

	# Unix socket nodes of type user_home_t only.
	allow $1 user_home_t:sock_file delete_file_perms;
')
2300
########################################
## <summary>
##	Delete all sock files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_home_content_sock_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Broad: socket nodes of every type carrying user_home_type.
	allow $1 user_home_type:sock_file delete_file_perms;
')
2318
########################################
## <summary>
##	Do not audit attempts to relabel user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_relabel_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Relabel attempts (either direction) stay denied; only the log noise goes away.
	dontaudit $1 user_home_t:file relabel_file_perms;
')
2336
########################################
## <summary>
##	Read user home subdirectory symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Symlinks in the home dir and in user_home_t subdirs; no directory
	# search is granted here, callers need that separately.
	allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
')
2354
2355 ########################################
2356 ## <summary>
2357 ## Execute user home files.
2358 ## </summary>
2359 ## <param name="domain">
2360 ## <summary>
2361 ## Domain allowed access.
2362 ## </summary>
2363 ## </param>
2364 ## <rolecap/>
2365 #
2366 interface(`userdom_exec_user_home_content_files',`
2367 gen_require(`
2368 type user_home_dir_t;
2369 attribute user_home_type;
2370 ')
2371
2372 files_search_home($1)
2373 exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
2374 dontaudit $1 user_home_type:sock_file execute;
2375 ')
2376
2377 ########################################
2378 ## <summary>
2379 ## Do not audit attempts to execute user home files.
2380 ## </summary>
2381 ## <param name="domain">
2382 ## <summary>
2383 ## Domain to not audit.
2384 ## </summary>
2385 ## </param>
2386 #
2387 interface(`userdom_dontaudit_exec_user_home_content_files',`
2388 gen_require(`
2389 type user_home_t;
2390 ')
2391
2392 dontaudit $1 user_home_t:file exec_file_perms;
2393 ')
2394
2395 ########################################
2396 ## <summary>
2397 ## Create, read, write, and delete files
2398 ## in a user home subdirectory.
2399 ## </summary>
2400 ## <param name="domain">
2401 ## <summary>
2402 ## Domain allowed access.
2403 ## </summary>
2404 ## </param>
2405 #
2406 interface(`userdom_manage_user_home_content_files',`
2407 gen_require(`
2408 type user_home_dir_t, user_home_t;
2409 ')
2410
2411 manage_files_pattern($1, user_home_t, user_home_t)
2412 allow $1 user_home_dir_t:dir search_dir_perms;
2413 files_search_home($1)
2414 ')
2415
2416 ########################################
2417 ## <summary>
2418 ## Do not audit attempts to create, read, write, and delete directories
2419 ## in a user home subdirectory.
2420 ## </summary>
2421 ## <param name="domain">
2422 ## <summary>
2423 ## Domain to not audit.
2424 ## </summary>
2425 ## </param>
2426 #
2427 interface(`userdom_dontaudit_manage_user_home_content_dirs',`
2428 gen_require(`
2429 type user_home_dir_t, user_home_t;
2430 ')
2431
2432 dontaudit $1 user_home_t:dir manage_dir_perms;
2433 ')
2434
2435 ########################################
2436 ## <summary>
2437 ## Create, read, write, and delete symbolic links
2438 ## in a user home subdirectory.
2439 ## </summary>
2440 ## <param name="domain">
2441 ## <summary>
2442 ## Domain allowed access.
2443 ## </summary>
2444 ## </param>
2445 #
2446 interface(`userdom_manage_user_home_content_symlinks',`
2447 gen_require(`
2448 type user_home_dir_t, user_home_t;
2449 ')
2450
2451 manage_lnk_files_pattern($1, user_home_t, user_home_t)
2452 allow $1 user_home_dir_t:dir search_dir_perms;
2453 files_search_home($1)
2454 ')
2455
2456 ########################################
2457 ## <summary>
2458 ## Delete symbolic links in a user home directory.
2459 ## </summary>
2460 ## <param name="domain">
2461 ## <summary>
2462 ## Domain allowed access.
2463 ## </summary>
2464 ## </param>
2465 #
2466 interface(`userdom_delete_user_home_content_symlinks',`
2467 gen_require(`
2468 type user_home_t;
2469 ')
2470
2471 allow $1 user_home_t:lnk_file delete_lnk_file_perms;
2472 ')
2473
2474 ########################################
2475 ## <summary>
2476 ## Delete all symbolic links in a user home directory.
2477 ## </summary>
2478 ## <param name="domain">
2479 ## <summary>
2480 ## Domain allowed access.
2481 ## </summary>
2482 ## </param>
2483 #
2484 interface(`userdom_delete_all_user_home_content_symlinks',`
2485 gen_require(`
2486 attribute user_home_type;
2487 ')
2488
2489 allow $1 user_home_type:lnk_file delete_lnk_file_perms;
2490 ')
2491
2492 ########################################
2493 ## <summary>
2494 ## Create, read, write, and delete named pipes
2495 ## in a user home subdirectory.
2496 ## </summary>
2497 ## <param name="domain">
2498 ## <summary>
2499 ## Domain allowed access.
2500 ## </summary>
2501 ## </param>
2502 #
2503 interface(`userdom_manage_user_home_content_pipes',`
2504 gen_require(`
2505 type user_home_dir_t, user_home_t;
2506 ')
2507
2508 manage_fifo_files_pattern($1, user_home_t, user_home_t)
2509 allow $1 user_home_dir_t:dir search_dir_perms;
2510 files_search_home($1)
2511 ')
2512
2513 ########################################
2514 ## <summary>
2515 ## Create, read, write, and delete named sockets
2516 ## in a user home subdirectory.
2517 ## </summary>
2518 ## <param name="domain">
2519 ## <summary>
2520 ## Domain allowed access.
2521 ## </summary>
2522 ## </param>
2523 #
2524 interface(`userdom_manage_user_home_content_sockets',`
2525 gen_require(`
2526 type user_home_dir_t, user_home_t;
2527 ')
2528
2529 allow $1 user_home_dir_t:dir search_dir_perms;
2530 manage_sock_files_pattern($1, user_home_t, user_home_t)
2531 files_search_home($1)
2532 ')
2533
2534 ########################################
2535 ## <summary>
2536 ## Create objects in a user home directory
2537 ## with an automatic type transition to
2538 ## a specified private type.
2539 ## </summary>
2540 ## <param name="domain">
2541 ## <summary>
2542 ## Domain allowed access.
2543 ## </summary>
2544 ## </param>
2545 ## <param name="private_type">
2546 ## <summary>
2547 ## The type of the object to create.
2548 ## </summary>
2549 ## </param>
2550 ## <param name="object_class">
2551 ## <summary>
2552 ## The class of the object to be created.
2553 ## </summary>
2554 ## </param>
2555 #
2556 interface(`userdom_user_home_dir_filetrans',`
2557 gen_require(`
2558 type user_home_dir_t;
2559 ')
2560
2561 filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
2562 files_search_home($1)
2563 ')
2564
2565 ########################################
2566 ## <summary>
2567 ## Create objects in a user home directory
2568 ## with an automatic type transition to
2569 ## a specified private type.
2570 ## </summary>
2571 ## <param name="domain">
2572 ## <summary>
2573 ## Domain allowed access.
2574 ## </summary>
2575 ## </param>
2576 ## <param name="private_type">
2577 ## <summary>
2578 ## The type of the object to create.
2579 ## </summary>
2580 ## </param>
2581 ## <param name="object_class">
2582 ## <summary>
2583 ## The class of the object to be created.
2584 ## </summary>
2585 ## </param>
2586 #
2587 interface(`userdom_user_home_content_filetrans',`
2588 gen_require(`
2589 type user_home_dir_t, user_home_t;
2590 ')
2591
2592 filetrans_pattern($1, user_home_t, $2, $3)
2593 allow $1 user_home_dir_t:dir search_dir_perms;
2594 files_search_home($1)
2595 ')
2596
2597 ########################################
2598 ## <summary>
2599 ## Create objects in a user home directory
2600 ## with an automatic type transition to
2601 ## the user home file type.
2602 ## </summary>
2603 ## <param name="domain">
2604 ## <summary>
2605 ## Domain allowed access.
2606 ## </summary>
2607 ## </param>
2608 ## <param name="object_class">
2609 ## <summary>
2610 ## The class of the object to be created.
2611 ## </summary>
2612 ## </param>
2613 #
2614 interface(`userdom_user_home_dir_filetrans_user_home_content',`
2615 gen_require(`
2616 type user_home_dir_t, user_home_t;
2617 ')
2618
2619 filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
2620 files_search_home($1)
2621 ')
2622
2623 ########################################
2624 ## <summary>
2625 ## Write to user temporary named sockets.
2626 ## </summary>
2627 ## <param name="domain">
2628 ## <summary>
2629 ## Domain allowed access.
2630 ## </summary>
2631 ## </param>
2632 #
2633 interface(`userdom_write_user_tmp_sockets',`
2634 gen_require(`
2635 type user_tmp_t;
2636 ')
2637
2638 allow $1 user_tmp_t:sock_file write_sock_file_perms;
2639 files_search_tmp($1)
2640 ')
2641
2642 ########################################
2643 ## <summary>
2644 ## List user temporary directories.
2645 ## </summary>
2646 ## <param name="domain">
2647 ## <summary>
2648 ## Domain allowed access.
2649 ## </summary>
2650 ## </param>
2651 #
2652 interface(`userdom_list_user_tmp',`
2653 gen_require(`
2654 type user_tmp_t;
2655 ')
2656
2657 allow $1 user_tmp_t:dir list_dir_perms;
2658 files_search_tmp($1)
2659 ')
2660
2661 ########################################
2662 ## <summary>
2663 ## Do not audit attempts to list user
2664 ## temporary directories.
2665 ## </summary>
2666 ## <param name="domain">
2667 ## <summary>
2668 ## Domain to not audit.
2669 ## </summary>
2670 ## </param>
2671 #
2672 interface(`userdom_dontaudit_list_user_tmp',`
2673 gen_require(`
2674 type user_tmp_t;
2675 ')
2676
2677 dontaudit $1 user_tmp_t:dir list_dir_perms;
2678 ')
2679
2680 ########################################
2681 ## <summary>
2682 ## Do not audit attempts to manage users
2683 ## temporary directories.
2684 ## </summary>
2685 ## <param name="domain">
2686 ## <summary>
2687 ## Domain to not audit.
2688 ## </summary>
2689 ## </param>
2690 #
2691 interface(`userdom_dontaudit_manage_user_tmp_dirs',`
2692 gen_require(`
2693 type user_tmp_t;
2694 ')
2695
2696 dontaudit $1 user_tmp_t:dir manage_dir_perms;
2697 ')
2698
2699 ########################################
2700 ## <summary>
2701 ## Read user temporary files.
2702 ## </summary>
2703 ## <param name="domain">
2704 ## <summary>
2705 ## Domain allowed access.
2706 ## </summary>
2707 ## </param>
2708 #
2709 interface(`userdom_read_user_tmp_files',`
2710 gen_require(`
2711 type user_tmp_t;
2712 ')
2713
2714 read_files_pattern($1, user_tmp_t, user_tmp_t)
2715 allow $1 user_tmp_t:dir list_dir_perms;
2716 files_search_tmp($1)
2717 ')
2718
2719 ########################################
2720 ## <summary>
2721 ## Do not audit attempts to read users
2722 ## temporary files.
2723 ## </summary>
2724 ## <param name="domain">
2725 ## <summary>
2726 ## Domain to not audit.
2727 ## </summary>
2728 ## </param>
2729 #
2730 interface(`userdom_dontaudit_read_user_tmp_files',`
2731 gen_require(`
2732 type user_tmp_t;
2733 ')
2734
2735 dontaudit $1 user_tmp_t:file read_inherited_file_perms;
2736 ')
2737
2738 ########################################
2739 ## <summary>
2740 ## Do not audit attempts to append users
2741 ## temporary files.
2742 ## </summary>
2743 ## <param name="domain">
2744 ## <summary>
2745 ## Domain to not audit.
2746 ## </summary>
2747 ## </param>
2748 #
2749 interface(`userdom_dontaudit_append_user_tmp_files',`
2750 gen_require(`
2751 type user_tmp_t;
2752 ')
2753
2754 dontaudit $1 user_tmp_t:file append_file_perms;
2755 ')
2756
2757 ########################################
2758 ## <summary>
2759 ## Read and write user temporary files.
2760 ## </summary>
2761 ## <param name="domain">
2762 ## <summary>
2763 ## Domain allowed access.
2764 ## </summary>
2765 ## </param>
2766 #
2767 interface(`userdom_rw_user_tmp_files',`
2768 gen_require(`
2769 type user_tmp_t;
2770 ')
2771
2772 allow $1 user_tmp_t:dir list_dir_perms;
2773 rw_files_pattern($1, user_tmp_t, user_tmp_t)
2774 files_search_tmp($1)
2775 ')
2776
2777 ########################################
2778 ## <summary>
2779 ## Do not audit attempts to manage users
2780 ## temporary files.
2781 ## </summary>
2782 ## <param name="domain">
2783 ## <summary>
2784 ## Domain to not audit.
2785 ## </summary>
2786 ## </param>
2787 #
2788 interface(`userdom_dontaudit_manage_user_tmp_files',`
2789 gen_require(`
2790 type user_tmp_t;
2791 ')
2792
2793 dontaudit $1 user_tmp_t:file manage_file_perms;
2794 ')
2795
2796 ########################################
2797 ## <summary>
2798 ## Read user temporary symbolic links.
2799 ## </summary>
2800 ## <param name="domain">
2801 ## <summary>
2802 ## Domain allowed access.
2803 ## </summary>
2804 ## </param>
2805 #
2806 interface(`userdom_read_user_tmp_symlinks',`
2807 gen_require(`
2808 type user_tmp_t;
2809 ')
2810
2811 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2812 allow $1 user_tmp_t:dir list_dir_perms;
2813 files_search_tmp($1)
2814 ')
2815
2816 ########################################
2817 ## <summary>
2818 ## Create, read, write, and delete user
2819 ## temporary directories.
2820 ## </summary>
2821 ## <param name="domain">
2822 ## <summary>
2823 ## Domain allowed access.
2824 ## </summary>
2825 ## </param>
2826 #
2827 interface(`userdom_manage_user_tmp_dirs',`
2828 gen_require(`
2829 type user_tmp_t;
2830 ')
2831
2832 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
2833 files_search_tmp($1)
2834 ')
2835
2836 ########################################
2837 ## <summary>
2838 ## Create, read, write, and delete user
2839 ## temporary files.
2840 ## </summary>
2841 ## <param name="domain">
2842 ## <summary>
2843 ## Domain allowed access.
2844 ## </summary>
2845 ## </param>
2846 #
2847 interface(`userdom_manage_user_tmp_files',`
2848 gen_require(`
2849 type user_tmp_t;
2850 ')
2851
2852 manage_files_pattern($1, user_tmp_t, user_tmp_t)
2853 files_search_tmp($1)
2854 ')
2855
2856 ########################################
2857 ## <summary>
2858 ## Create, read, write, and delete user
2859 ## temporary symbolic links.
2860 ## </summary>
2861 ## <param name="domain">
2862 ## <summary>
2863 ## Domain allowed access.
2864 ## </summary>
2865 ## </param>
2866 #
2867 interface(`userdom_manage_user_tmp_symlinks',`
2868 gen_require(`
2869 type user_tmp_t;
2870 ')
2871
2872 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
2873 files_search_tmp($1)
2874 ')
2875
2876 ########################################
2877 ## <summary>
2878 ## Create, read, write, and delete user
2879 ## temporary named pipes.
2880 ## </summary>
2881 ## <param name="domain">
2882 ## <summary>
2883 ## Domain allowed access.
2884 ## </summary>
2885 ## </param>
2886 #
2887 interface(`userdom_manage_user_tmp_pipes',`
2888 gen_require(`
2889 type user_tmp_t;
2890 ')
2891
2892 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
2893 files_search_tmp($1)
2894 ')
2895
2896 ########################################
2897 ## <summary>
2898 ## Create, read, write, and delete user
2899 ## temporary named sockets.
2900 ## </summary>
2901 ## <param name="domain">
2902 ## <summary>
2903 ## Domain allowed access.
2904 ## </summary>
2905 ## </param>
2906 #
2907 interface(`userdom_manage_user_tmp_sockets',`
2908 gen_require(`
2909 type user_tmp_t;
2910 ')
2911
2912 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
2913 files_search_tmp($1)
2914 ')
2915
2916 ########################################
2917 ## <summary>
2918 ## Create objects in a user temporary directory
2919 ## with an automatic type transition to
2920 ## a specified private type.
2921 ## </summary>
2922 ## <param name="domain">
2923 ## <summary>
2924 ## Domain allowed access.
2925 ## </summary>
2926 ## </param>
2927 ## <param name="private_type">
2928 ## <summary>
2929 ## The type of the object to create.
2930 ## </summary>
2931 ## </param>
2932 ## <param name="object_class">
2933 ## <summary>
2934 ## The class of the object to be created.
2935 ## </summary>
2936 ## </param>
2937 #
2938 interface(`userdom_user_tmp_filetrans',`
2939 gen_require(`
2940 type user_tmp_t;
2941 ')
2942
2943 filetrans_pattern($1, user_tmp_t, $2, $3)
2944 files_search_tmp($1)
2945 ')
2946
2947 ########################################
2948 ## <summary>
2949 ## Create objects in the temporary directory
2950 ## with an automatic type transition to
2951 ## the user temporary type.
2952 ## </summary>
2953 ## <param name="domain">
2954 ## <summary>
2955 ## Domain allowed access.
2956 ## </summary>
2957 ## </param>
2958 ## <param name="object_class">
2959 ## <summary>
2960 ## The class of the object to be created.
2961 ## </summary>
2962 ## </param>
2963 #
2964 interface(`userdom_tmp_filetrans_user_tmp',`
2965 gen_require(`
2966 type user_tmp_t;
2967 ')
2968
2969 files_tmp_filetrans($1, user_tmp_t, $2)
2970 ')
2971
2972 ########################################
2973 ## <summary>
2974 ## Read user tmpfs files.
2975 ## </summary>
2976 ## <param name="domain">
2977 ## <summary>
2978 ## Domain allowed access.
2979 ## </summary>
2980 ## </param>
2981 #
2982 interface(`userdom_read_user_tmpfs_files',`
2983 gen_require(`
2984 type user_tmpfs_t;
2985 ')
2986
2987 read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2988 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
2989 allow $1 user_tmpfs_t:dir list_dir_perms;
2990 fs_search_tmpfs($1)
2991 ')
2992
2993 ########################################
2994 ## <summary>
2995 ## Read/Write user tmpfs files.
2996 ## </summary>
2997 ## <param name="domain">
2998 ## <summary>
2999 ## Domain allowed access.
3000 ## </summary>
3001 ## </param>
3002 #
3003 interface(`userdom_rw_user_tmpfs_files',`
3004 gen_require(`
3005 type user_tmpfs_t;
3006 ')
3007
3008 rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3009 read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
3010 allow $1 user_tmpfs_t:dir list_dir_perms;
3011 fs_search_tmpfs($1)
3012 ')
3013
3014 ########################################
3015 ## <summary>
3016 ## Get the attributes of a user domain tty.
3017 ## </summary>
3018 ## <param name="domain">
3019 ## <summary>
3020 ## Domain allowed access.
3021 ## </summary>
3022 ## </param>
3023 #
3024 interface(`userdom_getattr_user_ttys',`
3025 gen_require(`
3026 type user_tty_device_t;
3027 ')
3028
3029 allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
3030 ')
3031
3032 ########################################
3033 ## <summary>
3034 ## Do not audit attempts to get the attributes of a user domain tty.
3035 ## </summary>
3036 ## <param name="domain">
3037 ## <summary>
3038 ## Domain to not audit.
3039 ## </summary>
3040 ## </param>
3041 #
3042 interface(`userdom_dontaudit_getattr_user_ttys',`
3043 gen_require(`
3044 type user_tty_device_t;
3045 ')
3046
3047 dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
3048 ')
3049
3050 ########################################
3051 ## <summary>
3052 ## Set the attributes of a user domain tty.
3053 ## </summary>
3054 ## <param name="domain">
3055 ## <summary>
3056 ## Domain allowed access.
3057 ## </summary>
3058 ## </param>
3059 #
3060 interface(`userdom_setattr_user_ttys',`
3061 gen_require(`
3062 type user_tty_device_t;
3063 ')
3064
3065 allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
3066 ')
3067
3068 ########################################
3069 ## <summary>
3070 ## Do not audit attempts to set the attributes of a user domain tty.
3071 ## </summary>
3072 ## <param name="domain">
3073 ## <summary>
3074 ## Domain to not audit.
3075 ## </summary>
3076 ## </param>
3077 #
3078 interface(`userdom_dontaudit_setattr_user_ttys',`
3079 gen_require(`
3080 type user_tty_device_t;
3081 ')
3082
3083 dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
3084 ')
3085
3086 ########################################
3087 ## <summary>
3088 ## Read and write a user domain tty.
3089 ## </summary>
3090 ## <param name="domain">
3091 ## <summary>
3092 ## Domain allowed access.
3093 ## </summary>
3094 ## </param>
3095 #
3096 interface(`userdom_use_user_ttys',`
3097 gen_require(`
3098 type user_tty_device_t;
3099 ')
3100
3101 allow $1 user_tty_device_t:chr_file rw_term_perms;
3102 ')
3103
3104 ########################################
3105 ## <summary>
3106 ## Read and write a inherited user domain tty.
3107 ## </summary>
3108 ## <param name="domain">
3109 ## <summary>
3110 ## Domain allowed access.
3111 ## </summary>
3112 ## </param>
3113 #
3114 interface(`userdom_use_inherited_user_ttys',`
3115 gen_require(`
3116 type user_tty_device_t;
3117 ')
3118
3119 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3120 ')
3121
3122 ########################################
3123 ## <summary>
3124 ## Read and write a user domain pty.
3125 ## </summary>
3126 ## <param name="domain">
3127 ## <summary>
3128 ## Domain allowed access.
3129 ## </summary>
3130 ## </param>
3131 #
3132 interface(`userdom_use_user_ptys',`
3133 gen_require(`
3134 type user_devpts_t;
3135 ')
3136
3137 allow $1 user_devpts_t:chr_file rw_term_perms;
3138 ')
3139
3140 ########################################
3141 ## <summary>
3142 ## Read and write a inherited user domain pty.
3143 ## </summary>
3144 ## <param name="domain">
3145 ## <summary>
3146 ## Domain allowed access.
3147 ## </summary>
3148 ## </param>
3149 #
3150 interface(`userdom_use_inherited_user_ptys',`
3151 gen_require(`
3152 type user_devpts_t;
3153 ')
3154
3155 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3156 ')
3157
3158 ########################################
3159 ## <summary>
3160 ## Read and write a inherited user TTYs and PTYs.
3161 ## </summary>
3162 ## <desc>
3163 ## <p>
3164 ## Allow the specified domain to read and write inherited user
3165 ## TTYs and PTYs. This will allow the domain to
3166 ## interact with the user via the terminal. Typically
3167 ## all interactive applications will require this
3168 ## access.
3169 ## </p>
3170 ## </desc>
3171 ## <param name="domain">
3172 ## <summary>
3173 ## Domain allowed access.
3174 ## </summary>
3175 ## </param>
3176 ## <infoflow type="both" weight="10"/>
3177 #
3178 interface(`userdom_use_inherited_user_terminals',`
3179 gen_require(`
3180 type user_tty_device_t, user_devpts_t;
3181 ')
3182
3183 allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
3184 allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
3185 ')
3186
3187 #######################################
3188 ## <summary>
3189 ## Allow attempts to read and write
3190 ## a user domain tty and pty.
3191 ## </summary>
3192 ## <param name="domain">
3193 ## <summary>
3194 ## Domain to not audit.
3195 ## </summary>
3196 ## </param>
3197 #
3198 interface(`userdom_use_user_terminals',`
3199 gen_require(`
3200 type user_tty_device_t, user_devpts_t;
3201 ')
3202
3203 allow $1 user_tty_device_t:chr_file rw_term_perms;
3204 allow $1 user_devpts_t:chr_file rw_term_perms;
3205 ')
3206
3207 ########################################
3208 ## <summary>
3209 ## Do not audit attempts to read and write
3210 ## a user domain tty and pty.
3211 ## </summary>
3212 ## <param name="domain">
3213 ## <summary>
3214 ## Domain to not audit.
3215 ## </summary>
3216 ## </param>
3217 #
3218 interface(`userdom_dontaudit_use_user_terminals',`
3219 gen_require(`
3220 type user_tty_device_t, user_devpts_t;
3221 ')
3222
3223 dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
3224 dontaudit $1 user_devpts_t:chr_file rw_term_perms;
3225 ')
3226
3227
3228 ########################################
3229 ## <summary>
3230 ## Get attributes of user domain tty and pty.
3231 ## </summary>
3232 ## <param name="domain">
3233 ## <summary>
3234 ## Domain allowed access.
3235 ## </summary>
3236 ## </param>
3237 #
3238 interface(`userdom_getattr_user_terminals',`
3239 gen_require(`
3240 type user_tty_device_t, user_devpts_t;
3241 ')
3242
3243 allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
3244 ')
3245
3246 ########################################
3247 ## <summary>
3248 ## Execute a shell in all user domains. This
3249 ## is an explicit transition, requiring the
3250 ## caller to use setexeccon().
3251 ## </summary>
3252 ## <param name="domain">
3253 ## <summary>
3254 ## Domain allowed to transition.
3255 ## </summary>
3256 ## </param>
3257 #
3258 interface(`userdom_spec_domtrans_all_users',`
3259 gen_require(`
3260 attribute userdomain;
3261 ')
3262
3263 corecmd_shell_spec_domtrans($1, userdomain)
3264 allow userdomain $1:fd use;
3265 allow userdomain $1:fifo_file rw_file_perms;
3266 allow userdomain $1:process sigchld;
3267 ')
3268
3269 ########################################
3270 ## <summary>
3271 ## Execute an Xserver session in all unprivileged user domains. This
3272 ## is an explicit transition, requiring the
3273 ## caller to use setexeccon().
3274 ## </summary>
3275 ## <param name="domain">
3276 ## <summary>
3277 ## Domain allowed to transition.
3278 ## </summary>
3279 ## </param>
3280 #
3281 interface(`userdom_xsession_spec_domtrans_all_users',`
3282 gen_require(`
3283 attribute userdomain;
3284 ')
3285
3286 xserver_xsession_spec_domtrans($1, userdomain)
3287 allow userdomain $1:fd use;
3288 allow userdomain $1:fifo_file rw_file_perms;
3289 allow userdomain $1:process sigchld;
3290 ')
3291
3292 ########################################
3293 ## <summary>
3294 ## Execute a shell in all unprivileged user domains. This
3295 ## is an explicit transition, requiring the
3296 ## caller to use setexeccon().
3297 ## </summary>
3298 ## <param name="domain">
3299 ## <summary>
3300 ## Domain allowed to transition.
3301 ## </summary>
3302 ## </param>
3303 #
3304 interface(`userdom_spec_domtrans_unpriv_users',`
3305 gen_require(`
3306 attribute unpriv_userdomain;
3307 ')
3308
3309 corecmd_shell_spec_domtrans($1, unpriv_userdomain)
3310 allow unpriv_userdomain $1:fd use;
3311 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3312 allow unpriv_userdomain $1:process sigchld;
3313 ')
3314
3315 ########################################
3316 ## <summary>
3317 ## Execute an Xserver session in all unprivileged user domains. This
3318 ## is an explicit transition, requiring the
3319 ## caller to use setexeccon().
3320 ## </summary>
3321 ## <param name="domain">
3322 ## <summary>
3323 ## Domain allowed to transition.
3324 ## </summary>
3325 ## </param>
3326 #
3327 interface(`userdom_xsession_spec_domtrans_unpriv_users',`
3328 gen_require(`
3329 attribute unpriv_userdomain;
3330 ')
3331
3332 xserver_xsession_spec_domtrans($1, unpriv_userdomain)
3333 allow unpriv_userdomain $1:fd use;
3334 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3335 allow unpriv_userdomain $1:process sigchld;
3336 ')
3337
3338 ########################################
3339 ## <summary>
3340 ## Manage unpriviledged user SysV sempaphores.
3341 ## </summary>
3342 ## <param name="domain">
3343 ## <summary>
3344 ## Domain allowed access.
3345 ## </summary>
3346 ## </param>
3347 #
3348 interface(`userdom_manage_unpriv_user_semaphores',`
3349 gen_require(`
3350 attribute unpriv_userdomain;
3351 ')
3352
3353 allow $1 unpriv_userdomain:sem create_sem_perms;
3354 ')
3355
3356 ########################################
3357 ## <summary>
3358 ## Manage unpriviledged user SysV shared
3359 ## memory segments.
3360 ## </summary>
3361 ## <param name="domain">
3362 ## <summary>
3363 ## Domain allowed access.
3364 ## </summary>
3365 ## </param>
3366 #
3367 interface(`userdom_manage_unpriv_user_shared_mem',`
3368 gen_require(`
3369 attribute unpriv_userdomain;
3370 ')
3371
3372 allow $1 unpriv_userdomain:shm create_shm_perms;
3373 ')
3374
3375 ########################################
3376 ## <summary>
3377 ## Execute bin_t in the unprivileged user domains. This
3378 ## is an explicit transition, requiring the
3379 ## caller to use setexeccon().
3380 ## </summary>
3381 ## <param name="domain">
3382 ## <summary>
3383 ## Domain allowed to transition.
3384 ## </summary>
3385 ## </param>
3386 #
3387 interface(`userdom_bin_spec_domtrans_unpriv_users',`
3388 gen_require(`
3389 attribute unpriv_userdomain;
3390 ')
3391
3392 corecmd_bin_spec_domtrans($1, unpriv_userdomain)
3393 allow unpriv_userdomain $1:fd use;
3394 allow unpriv_userdomain $1:fifo_file rw_file_perms;
3395 allow unpriv_userdomain $1:process sigchld;
3396 ')
3397
3398 ########################################
3399 ## <summary>
3400 ## Execute all entrypoint files in unprivileged user
3401 ## domains. This is an explicit transition, requiring the
3402 ## caller to use setexeccon().
3403 ## </summary>
3404 ## <param name="domain">
3405 ## <summary>
3406 ## Domain allowed access.
3407 ## </summary>
3408 ## </param>
3409 #
3410 interface(`userdom_entry_spec_domtrans_unpriv_users',`
3411 gen_require(`
3412 attribute unpriv_userdomain;
3413 ')
3414
3415 domain_entry_file_spec_domtrans($1, unpriv_userdomain)
3416 allow unpriv_userdomain $1:fd use;
3417 allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
3418 allow unpriv_userdomain $1:process sigchld;
3419 ')
3420
3421 ########################################
3422 ## <summary>
3423 ## Search users home directories.
3424 ## </summary>
3425 ## <param name="domain">
3426 ## <summary>
3427 ## Domain allowed access.
3428 ## </summary>
3429 ## </param>
3430 #
3431 interface(`userdom_search_user_home_content',`
3432 gen_require(`
3433 type user_home_dir_t;
3434 attribute user_home_type;
3435 ')
3436
3437 files_list_home($1)
3438 allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
3439 allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
3440 ')
3441
3442 ########################################
3443 ## <summary>
3444 ## Send general signals to unprivileged user domains.
3445 ## </summary>
3446 ## <param name="domain">
3447 ## <summary>
3448 ## Domain allowed access.
3449 ## </summary>
3450 ## </param>
3451 #
3452 interface(`userdom_signal_unpriv_users',`
3453 gen_require(`
3454 attribute unpriv_userdomain;
3455 ')
3456
3457 allow $1 unpriv_userdomain:process signal;
3458 ')
3459
3460 ########################################
3461 ## <summary>
3462 ## Inherit the file descriptors from unprivileged user domains.
3463 ## </summary>
3464 ## <param name="domain">
3465 ## <summary>
3466 ## Domain allowed access.
3467 ## </summary>
3468 ## </param>
3469 #
3470 interface(`userdom_use_unpriv_users_fds',`
3471 gen_require(`
3472 attribute unpriv_userdomain;
3473 ')
3474
3475 allow $1 unpriv_userdomain:fd use;
3476 ')
3477
3478 ########################################
3479 ## <summary>
3480 ## Do not audit attempts to inherit the file descriptors
3481 ## from unprivileged user domains.
3482 ## </summary>
3483 ## <desc>
3484 ## <p>
3485 ## Do not audit attempts to inherit the file descriptors
3486 ## from unprivileged user domains. This will supress
3487 ## SELinux denial messages when the specified domain is denied
3488 ## the permission to inherit these file descriptors.
3489 ## </p>
3490 ## </desc>
3491 ## <param name="domain">
3492 ## <summary>
3493 ## Domain to not audit.
3494 ## </summary>
3495 ## </param>
3496 ## <infoflow type="none"/>
3497 #
3498 interface(`userdom_dontaudit_use_unpriv_user_fds',`
3499 gen_require(`
3500 attribute unpriv_userdomain;
3501 ')
3502
3503 dontaudit $1 unpriv_userdomain:fd use;
3504 ')
3505
3506 ########################################
3507 ## <summary>
3508 ## Do not audit attempts to use user ptys.
3509 ## </summary>
3510 ## <param name="domain">
3511 ## <summary>
3512 ## Domain to not audit.
3513 ## </summary>
3514 ## </param>
3515 #
3516 interface(`userdom_dontaudit_use_user_ptys',`
3517 gen_require(`
3518 type user_devpts_t;
3519 ')
3520
3521 dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
3522 ')
3523
3524 ########################################
3525 ## <summary>
3526 ## Relabel files to unprivileged user pty types.
3527 ## </summary>
3528 ## <param name="domain">
3529 ## <summary>
3530 ## Domain allowed access.
3531 ## </summary>
3532 ## </param>
3533 #
3534 interface(`userdom_relabelto_user_ptys',`
3535 gen_require(`
3536 type user_devpts_t;
3537 ')
3538
3539 allow $1 user_devpts_t:chr_file relabelto;
3540 ')
3541
3542 ########################################
3543 ## <summary>
3544 ## Do not audit attempts to relabel files from
3545 ## user pty types.
3546 ## </summary>
3547 ## <param name="domain">
3548 ## <summary>
3549 ## Domain to not audit.
3550 ## </summary>
3551 ## </param>
3552 #
3553 interface(`userdom_dontaudit_relabelfrom_user_ptys',`
3554 gen_require(`
3555 type user_devpts_t;
3556 ')
3557
3558 dontaudit $1 user_devpts_t:chr_file relabelfrom;
3559 ')
3560
3561 ########################################
3562 ## <summary>
3563 ## Write all users files in /tmp
3564 ## </summary>
3565 ## <param name="domain">
3566 ## <summary>
3567 ## Domain allowed access.
3568 ## </summary>
3569 ## </param>
3570 #
3571 interface(`userdom_write_user_tmp_files',`
3572 gen_require(`
3573 type user_tmp_t;
3574 ')
3575
3576 write_files_pattern($1, user_tmp_t, user_tmp_t)
3577 ')
3578
3579 ########################################
3580 ## <summary>
3581 ## Do not audit attempts to write users
3582 ## temporary files.
3583 ## </summary>
3584 ## <param name="domain">
3585 ## <summary>
3586 ## Domain to not audit.
3587 ## </summary>
3588 ## </param>
3589 #
3590 interface(`userdom_dontaudit_write_user_tmp_files',`
3591 gen_require(`
3592 type user_tmp_t;
3593 ')
3594
3595 dontaudit $1 user_tmp_t:file write;
3596 ')
3597
########################################
## <summary>
##	Do not audit attempts to read/write users
##	temporary fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_user_tmp_pipes',`
	gen_require(`
		type user_tmp_t;
	')

	# Covers inherited fifo descriptors only (rw_inherited_fifo_file_perms),
	# so denials for opening a user fifo by path are still recorded.
	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
')
3616
########################################
## <summary>
##	Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Note this silences the full rw_file_perms set (including open),
	# unlike the pty variant which only covers inherited descriptors.
	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
')
3634
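########################################
## <summary>
##	Read the process state of all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_all_users_state',`
	gen_require(`
		attribute userdomain;
	')

	# Read access to the /proc/<pid> files and symlinks of every process
	# labelled with the userdomain attribute (environment, maps, fd links,
	# etc.), plus search on /proc to reach them.  This exposes a good deal
	# of information about user sessions, so grant it to monitoring and
	# management domains only.
	read_files_pattern($1, userdomain, userdomain)
	read_lnk_files_pattern($1, userdomain, userdomain)
	kernel_search_proc($1)
')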
3654
########################################
## <summary>
##	Get the attributes of all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# process:getattr lets the caller stat user processes (e.g. via
	# /proc/<pid>); it does not grant reading their state files.
	allow $1 userdomain:process getattr;
')
3672
########################################
## <summary>
##	Inherit the file descriptors from all user domains
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	# fd:use covers descriptors created by any user domain; the object
	# behind the descriptor is still checked against its own type.
	allow $1 userdomain:fd use;
')
3690
########################################
## <summary>
##	Do not audit attempts to inherit the file
##	descriptors from any user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_all_users_fds',`
	gen_require(`
		attribute userdomain;
	')

	# Typical use: a daemon started from a user shell that inherits the
	# shell's descriptors but does not need them.
	dontaudit $1 userdomain:fd use;
')
3709
########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signal_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# "signal" is the generic signal permission; SIGKILL, SIGCHLD, SIGSTOP
	# and the null signal are separate permissions with their own interfaces.
	allow $1 userdomain:process signal;
')
3727
########################################
## <summary>
##	Send kill signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_kill_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# sigkill on every user domain: lets the caller terminate any user
	# session process, so keep it to session/system management domains.
	allow $1 userdomain:process sigkill;
')
3745
########################################
## <summary>
##	Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_sigchld_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# Needed by children of user processes so the parent is notified on exit.
	allow $1 userdomain:process sigchld;
')
3763
########################################
## <summary>
##	Create keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	# key:create only; reading, writing or linking user keys requires
	# the manage variant below.
	allow $1 userdomain:key create;
')
3781
########################################
## <summary>
##	Send a dbus message to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dbus_send_all_users',`
	gen_require(`
		attribute userdomain;
		class dbus send_msg;
	')

	# The dbus class is declared by the dbus module, hence the explicit
	# class requirement; this is one direction only (caller -> user domains).
	allow $1 userdomain:dbus send_msg;
')
3800
########################################
## <summary>
##	Allow apps to set rlimits on userdomain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_set_rlimitnh',`
	gen_require(`
		attribute userdomain;
	')

	# Despite the interface name, the permission granted is rlimitinh:
	# user domains may inherit resource limits from the caller across exec.
	allow $1 userdomain:process rlimitinh;
')
3818
########################################
## <summary>
##	Make a domain an unprivileged user type of the
##	given user prefix.
## </summary>
## <desc>
##	<p>
##	Adds the domain to the per-user $1_usertype attribute
##	and to the unpriv_userdomain and userdomain attributes,
##	and marks it as UBAC constrained.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain to be added to the user attributes.
##	</summary>
## </param>
#
template(`userdom_unpriv_usertype',`
	gen_require(`
		attribute unpriv_userdomain, userdomain;
		attribute $1_usertype;
	')
	# $2 inherits every rule written against these three attributes,
	# so it becomes reachable by all interfaces targeting user domains.
	typeattribute $2 $1_usertype;
	typeattribute $2 unpriv_userdomain;
	typeattribute $2 userdomain;

	# Subject $2 to the user-based access control constraints.
	ubac_constrained($2)
')
3851
########################################
## <summary>
##	Connect to users over an unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_stream_connect',`
	gen_require(`
		type user_tmp_t;
		attribute userdomain;
	')

	# Socket file is expected under user_tmp_t; the connectto target is
	# any process carrying the userdomain attribute.
	stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
')
3870
########################################
## <summary>
##	Ptrace user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_ptrace_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# ptrace gives full control over the memory and registers of every
	# user domain process; this is effectively "act as any user", so
	# restrict callers to debuggers/admin tooling and consider gating
	# the call site behind a boolean.
	allow $1 userdomain:process ptrace;
')
3888
########################################
## <summary>
##	Do not audit attempts to search /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	# Common noise from programs run by root with $HOME set to /root.
	dontaudit $1 admin_home_t:dir search_dir_perms;
')
3906
########################################
## <summary>
##	Do not audit attempts to list /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	# list_dir_perms is a superset of search_dir_perms, so this also
	# silences search denials on /root.
	dontaudit $1 admin_home_t:dir list_dir_perms;
')
3924
########################################
## <summary>
##	Allow domain to list /root
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	# Directory listing only; file contents under /root stay protected.
	allow $1 admin_home_t:dir list_dir_perms;
')
3942
########################################
## <summary>
##	Allow search of /root
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_admin_dir',`
	gen_require(`
		type admin_home_t;
	')

	# Enough to traverse /root to a known path; use the list variant
	# only when the caller actually needs to enumerate the directory.
	allow $1 admin_home_t:dir search_dir_perms;
')
3960
########################################
## <summary>
##	Read and write unprivileged user SysV semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_semaphores',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Scoped to unpriv_userdomain, so semaphores owned by privileged
	# user domains (e.g. the admin domain) are not reachable.
	allow $1 unpriv_userdomain:sem rw_sem_perms;
')
3978
########################################
## <summary>
##	Send a message to unpriv users over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dgram_send',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# sendto only; the caller still needs access to the socket file
	# itself if the datagram socket is bound in the filesystem.
	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
')
3997
########################################
## <summary>
##	Send a message to users over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_users_dgram_send',`
	gen_require(`
		attribute userdomain;
	')

	# Broader than userdom_dgram_send: targets all user domains,
	# privileged ones included.
	allow $1 userdomain:unix_dgram_socket sendto;
')
4016
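########################################
## <summary>
##	Allow execmod on files in the home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_execmod_user_home_files',`
	gen_require(`
		# user_home_type is an attribute (see the other interfaces in
		# this file), not a type; requiring it as a type fails in a
		# modular build.
		attribute user_home_type;
	')

	# execmod allows a writable private file mapping of home content to be
	# made executable, i.e. it relaxes W^X for every user_home_type file.
	# Prefer to wrap call sites in a boolean so it is off by default.
	allow $1 user_home_type:file execmod;
')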
4035
########################################
## <summary>
##	Read admin home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# Read of any file under /root, which commonly holds credentials
	# and shell history; treat callers as privileged.
	read_files_pattern($1, admin_home_t, admin_home_t)
')
4054
########################################
## <summary>
##	Execute admin home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_exec_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# Executes in the caller's own domain (no transition), so anything
	# dropped into /root runs with the caller's full permission set.
	exec_files_pattern($1, admin_home_t, admin_home_t)
')
4073
########################################
## <summary>
##	Append to inherited files
##	in the /root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# No open permission: only descriptors passed in by the parent
	# (e.g. a redirected log file) can be appended to.
	allow $1 admin_home_t:file { getattr append };
')
4092
4093
#######################################
## <summary>
##	Manage all files/directories in the home directory.
## </summary>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
		attribute user_home_type;
	')

	files_list_home($1)
	# Full create/read/write/delete over every user_home_type object,
	# reached either from the home directory itself or from any
	# user_home_type subdirectory.
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	# New objects created directly in the home directory get the
	# generic user_home_t label.
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })

')
4120
4121
########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	the user home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans_pattern',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Labeling rule only: this grants no create permission, the caller
	# must already be allowed to create $2 objects in user_home_dir_t.
	type_transition $1 user_home_dir_t:$2 user_home_t;
')
4146
########################################
## <summary>
##	Create objects in the /root directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="filename" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`userdom_admin_home_dir_filetrans',`
	gen_require(`
		type admin_home_t;
	')

	# Unlike the plain type_transition interfaces, filetrans_pattern
	# also grants the directory and create permissions needed to make
	# the object.  $4 (the filename) is passed through as given.
	filetrans_pattern($1, admin_home_t, $2, $3, $4)
')
4176
########################################
## <summary>
##	Send signull to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signull_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# signull is the kill(pid, 0) existence check; it delivers no signal.
	allow $1 unpriv_userdomain:process signull;
')
4194
########################################
## <summary>
##	Write all users files in /tmp
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	# NOTE(review): the body is identical to userdom_write_user_tmp_files
	# and grants file write, not directory write, despite the "_dirs" name.
	# Callers wanting to add entries to user temp directories do not get
	# that here; confirm the intended rule before relying on the name.
	write_files_pattern($1, user_tmp_t, user_tmp_t)
')
4212
########################################
## <summary>
##	Manage keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_users_keys',`
	gen_require(`
		attribute userdomain;
	')

	# manage_key_perms includes read/write/link/setattr on every user
	# domain keyring, so the caller can read session secrets kept in the
	# kernel key retention service; reserve for key management daemons.
	allow $1 userdomain:key manage_key_perms;
')
4230
4231
########################################
## <summary>
##	Do not audit attempts to read and write
##	userdomain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_stream',`
	gen_require(`
		attribute userdomain;
	')

	# Silences rw on inherited stream sockets from any user domain.
	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
')
4250
########################################
## <summary>
##	Do not audit attempts to read and write
##	userdomain datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_rw_dgram_socket',`
	gen_require(`
		attribute userdomain;
	')

	# Only read/write are silenced here, not the full rw_socket_perms set
	# used by the stream variant.
	dontaudit $1 userdomain:unix_dgram_socket { read write };
')
4269
########################################
## <summary>
##	Append files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_append_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Append-only (no write/truncate) on user_home_t files, plus the
	# directory traversal needed to reach them from /home.
	append_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
4290
########################################
## <summary>
##	Read inherited files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_inherited_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# No open permission: limits the caller to descriptors it inherited
	# (e.g. stdin redirected from a file in the user's home directory).
	allow $1 user_home_type:file { getattr read };
')
4309
########################################
## <summary>
##	Append to inherited files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Append on already-open user_home_t descriptors only; compare
	# userdom_append_user_home_content_files, which also allows open.
	allow $1 user_home_t:file { getattr append };
')
4328
########################################
## <summary>
##	Append to inherited user tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_inherit_append_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Append on inherited user_tmp_t descriptors; no open, so the caller
	# cannot pick arbitrary user temp files to append to.
	allow $1 user_tmp_t:file { getattr append };
')
4347
######################################
## <summary>
##	Read audio files in the users homedir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_read_home_audio_files',`
	gen_require(`
		type audio_home_t;
	')

	# Traverse the home directory, then list and read audio_home_t
	# directories, files and symlinks.
	userdom_search_user_home_dirs($1)
	allow $1 audio_home_t:dir list_dir_perms;
	read_files_pattern($1, audio_home_t, audio_home_t)
	read_lnk_files_pattern($1, audio_home_t, audio_home_t)
')
4369
########################################
## <summary>
##	Do not audit attempts to write all user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Silences the whole write_file_perms set on every user_home_type
	# file; a broad dontaudit that can mask misbehaving software, so use
	# it only for known, benign probes.
	dontaudit $1 user_home_type:file write_file_perms;
')
4387
########################################
## <summary>
##	Do not audit attempts to write all user tmp content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Same scope as the home variant, applied to user_tmp_type files.
	dontaudit $1 user_tmp_type:file write_file_perms;
')
4405
########################################
## <summary>
##	Manage all user temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Full management of every object type labelled with user_tmp_type,
	# i.e. temp content of all user domains, not just user_tmp_t.
	manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
	manage_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	files_search_tmp($1)
')
4428
########################################
## <summary>
##	List all user temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Directory listing and metadata only; symlinks are readable (their
	# target path), regular file contents are not.
	list_dirs_pattern($1, user_tmp_type, user_tmp_type)
	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
	read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	# Reach both /tmp and /var/tmp.
	files_search_var($1)
	files_search_tmp($1)
')
4452
########################################
## <summary>
##	Manage all user tmpfs content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_all_user_tmpfs_content',`
	gen_require(`
		attribute user_tmpfs_type;
	')

	# tmpfs counterpart of userdom_manage_all_user_tmp_content; covers
	# e.g. user shared-memory files under /dev/shm.
	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
	fs_search_tmpfs($1)
')
4475
########################################
## <summary>
##	Delete all user temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_all_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Delete-only access (no read/write) for cleanup daemons such as
	# tmp reapers.
	delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
	delete_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	# /var/tmp
	files_search_var($1)
	# Removing the top-level entry from /tmp itself needs tmp_t access.
	files_delete_tmp_dir_entry($1)
')
4500
########################################
## <summary>
##	Read system SSL certificates in the users homedir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	# Read-only: keeps the certificate store in the home directory
	# from being modified by the caller.
	userdom_search_user_home_content($1)
	allow $1 home_cert_t:dir list_dir_perms;
	read_files_pattern($1, home_cert_t, home_cert_t)
	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
')
4521
#######################################
## <summary>
##	Do not audit attempts to write system SSL certificates in the users homedir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_home_certs',`
	gen_require(`
		type home_cert_t;
	')

	# Writes to the user certificate store stay denied; only the
	# audit record is suppressed.
	dontaudit $1 home_cert_t:file write;
')
4539
########################################
## <summary>
##	Do not audit attempts to getattr /root files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# Silences stat() of files under /root.
	dontaudit $1 admin_home_t:file getattr;
')
4557
########################################
## <summary>
##	Do not audit attempts to read /root symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_admin_home_lnk_files',`
	gen_require(`
		type admin_home_t;
	')

	# Silences readlink() on admin_home_t symlinks.
	dontaudit $1 admin_home_t:lnk_file read;
')
4575
########################################
## <summary>
##	Do not audit attempts to read /root files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_admin_home_files',`
	gen_require(`
		type admin_home_t;
	')

	# Whole read_file_perms set (open included) is silenced; an attempted
	# read of root's files by the caller will therefore leave no audit trace.
	dontaudit $1 admin_home_t:file read_file_perms;
')
4593
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary chr files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_chr_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Character device nodes in user temp space (e.g. device nodes made
	# inside a chroot); unusual for ordinary applications.
	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
4613
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary blk files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_blk_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Block device nodes in user temp space; companion of the chr variant.
	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
4633
########################################
## <summary>
##	Do not audit attempts to set attributes on user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_setattr_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Silences chmod/chown/utimes style attempts on user_tmp_t directories.
	dontaudit $1 user_tmp_t:dir setattr;
')
4651
########################################
## <summary>
##	Write all inherited users files in /tmp
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_inherited_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# write without open: only descriptors handed over by the parent.
	allow $1 user_tmp_t:file write;
')
4669
########################################
## <summary>
##	Delete all users files in /tmp
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# File-level delete only; the directory remove-entry permission must
	# come from elsewhere (see userdom_delete_all_user_tmp_content).
	allow $1 user_tmp_t:file delete_file_perms;
')
4687
########################################
## <summary>
##	Delete user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	# Scoped to the user_tmpfs_t type, not the whole user_tmpfs_type attribute.
	allow $1 user_tmpfs_t:file delete_file_perms;
')
4705
########################################
## <summary>
##	Read/Write unprivileged user SysV shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_unpriv_user_shared_mem',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Gives the caller a view into (and write access to) memory shared by
	# unprivileged user processes; limit to domains that genuinely
	# interoperate with user applications via SysV shm.
	allow $1 unpriv_userdomain:shm rw_shm_perms;
')
4724
########################################
## <summary>
##	Do not audit attempts to search user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Path-walk denials through user_tmp_t directories are not logged.
	dontaudit $1 user_tmp_t:dir search_dir_perms;
')
4743
########################################
## <summary>
##	Execute a file in a user home directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a user home directory
##	in the specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_home',`
	gen_require(`
		type user_home_t;
	')

	# user_home_t is user-writable, so this makes user-controlled content
	# an entrypoint for $2; the target domain should be one designed to
	# run untrusted code, and $2 must be declared as a domain elsewhere.
	read_lnk_files_pattern($1, user_home_t, user_home_t)
	domain_transition_pattern($1, user_home_t, $2)
	type_transition $1 user_home_t:process $2;
')
4780
########################################
## <summary>
##	Execute a file in a user tmp directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a user tmp directory
##	in the specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`userdom_domtrans_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Same caveat as userdom_domtrans_user_home: user_tmp_t content is
	# user-writable, so $2 becomes reachable from files a user can create.
	files_search_tmp($1)
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	domain_transition_pattern($1, user_tmp_t, $2)
	type_transition $1 user_tmp_t:process $2;
')
4818
########################################
## <summary>
##	Do not audit attempts to read all user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_home_content_files',`
	gen_require(`
		attribute user_home_type;
	')

	# Broad suppression across every user_home_type file; an application
	# probing home directories it should not read will not show up in
	# the audit log, so prefer a narrower type where possible.
	dontaudit $1 user_home_type:file read_file_perms;
')
4836
########################################
## <summary>
##	Do not audit attempts to read all user tmp content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Temp-space counterpart of the home variant above.
	dontaudit $1 user_tmp_type:file read_file_perms;
')
4854