policy/modules/system/userdomain.te

   1 policy_module(userdomain, 4.5.2)
   2
   3 ########################################
   4 #
   5 # Declarations
   6 #
   7
   8 ## <desc>
   9 ## <p>
  10 ## Allow users to connect to the local mysql server
  11 ## </p>
  12 ## </desc>
  13 gen_tunable(allow_user_mysql_connect, false)
  14
  15 ## <desc>
  16 ## <p>
  17 ## Allow users to connect to PostgreSQL
  18 ## </p>
  19 ## </desc>
  20 gen_tunable(allow_user_postgresql_connect, false)
  21
  22 ## <desc>
  23 ## <p>
  24 ## Allow regular users direct mouse access
  25 ## </p>
  26 ## </desc>
  27 gen_tunable(user_direct_mouse, false)
  28
  29 ## <desc>
  30 ## <p>
  31 ## Allow users to read system messages.
  32 ## </p>
  33 ## </desc>
  34 gen_tunable(user_dmesg, false)
  35
  36 ## <desc>
  37 ## <p>
  38 ## Allow user to r/w files on filesystems
  39 ## that do not have extended attributes (FAT, CDROM, FLOPPY)
  40 ## </p>
  41 ## </desc>
  42 gen_tunable(user_rw_noexattrfile, false)
  43
  44 ## <desc>
  45 ## <p>
  46 ## Allow user music sharing
  47 ## </p>
  48 ## </desc>
  49 gen_tunable(user_share_music, false)
  50
  51 ## <desc>
  52 ## <p>
  53 ## Allow user processes to change their priority
  54 ## </p>
  55 ## </desc>
  56 gen_tunable(user_setrlimit, false)
  57
  58 ## <desc>
  59 ## <p>
  60 ## Allow w to display everyone
  61 ## </p>
  62 ## </desc>
  63 gen_tunable(user_ttyfile_stat, false)
  64
  65 attribute admindomain;
  66
  67 # all user domains
  68 attribute userdomain;
  69
  70 # unprivileged user domains
  71 attribute unpriv_userdomain;
  72
  73 attribute untrusted_content_type;
  74 attribute untrusted_content_tmp_type;
  75
  76 attribute userdom_home_reader_type;
  77 attribute userdom_home_manager_type;
  78
  79 # unprivileged user domains
  80 attribute user_home_type;
  81 attribute user_tmp_type;
  82 attribute user_tmpfs_type;
  83
  84 type admin_home_t;
  85 files_type(admin_home_t)
  86 files_associate_tmp(admin_home_t)
  87 fs_associate_tmpfs(admin_home_t)
  88 files_mountpoint(admin_home_t)
  89 files_poly_member(admin_home_t)
  90 files_poly_parent(admin_home_t)
  91
  92 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  93 fs_associate_tmpfs(user_home_dir_t)
  94 files_type(user_home_dir_t)
  95 files_mountpoint(user_home_dir_t)
  96 files_associate_tmp(user_home_dir_t)
  97 files_poly(user_home_dir_t)
  98 files_poly_member(user_home_dir_t)
  99 files_poly_parent(user_home_dir_t)
 100 ubac_constrained(user_home_dir_t)
 101
 102 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 103 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
 104 typeattribute user_home_t user_home_type;
 105 userdom_user_home_content(user_home_t)
 106 fs_associate_tmpfs(user_home_t)
 107 files_associate_tmp(user_home_t)
 108 files_poly_member(user_home_t)
 109 files_poly_parent(user_home_t)
 110 files_mountpoint(user_home_t)
 111 ubac_constrained(user_home_t)
 112
 113 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 114 dev_node(user_devpts_t)
 115 files_type(user_devpts_t)
 116 ubac_constrained(user_devpts_t)
 117
 118 type user_tmp_t, user_tmp_type;
 119 typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 120 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
 121 files_tmp_file(user_tmp_t)
 122 userdom_user_home_content(user_tmp_t)
 123 files_poly_parent(user_tmp_t)
 124
 125 type user_tmpfs_t, user_tmpfs_type;
 126 typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 127 files_tmpfs_file(user_tmpfs_t)
 128 userdom_user_home_content(user_tmpfs_t)
 129
 130 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 131 dev_node(user_tty_device_t)
 132 ubac_constrained(user_tty_device_t)
 133
 134 type audio_home_t;
 135 userdom_user_home_content(audio_home_t)
 136 ubac_constrained(audio_home_t)
 137
 138 type home_bin_t;
 139 userdom_user_home_content(home_bin_t)
 140 ubac_constrained(home_bin_t)
 141
 142 type home_cert_t;
 143 miscfiles_cert_type(home_cert_t)
 144 userdom_user_home_content(home_cert_t)
 145 ubac_constrained(home_cert_t)
 146
 147 tunable_policy(`allow_console_login',`
 148         term_use_console(userdomain)
 149 ')
 150
 151 allow userdomain userdomain:process signull;
 152
 153 # Nautilus causes this avc
 154 dontaudit unpriv_userdomain self:dir setattr;
 155 allow unpriv_userdomain self:key manage_key_perms;
 156
 157 optional_policy(`
 158         alsa_read_rw_config(unpriv_userdomain)
 159         alsa_manage_home_files(unpriv_userdomain)
 160         alsa_relabel_home_files(unpriv_userdomain)
 161 ')
 162
 163 optional_policy(`
 164         ssh_filetrans_home_content(userdomain)
 165 ')
 166
 167 optional_policy(`
 168         xserver_filetrans_home_content(userdomain)
 169 ')
 170
 171
 172 tunable_policy(`use_nfs_home_dirs',`
 173     fs_read_nfs_files(userdom_home_reader_type)
 174 ')
 175
 176 tunable_policy(`use_samba_home_dirs',`
 177     fs_read_cifs_files(userdom_home_reader_type)
 178 ')
 179
 180 tunable_policy(`use_fusefs_home_dirs',`
 181     fs_read_fusefs_files(userdom_home_reader_type)
 182 ')
 183
 184 tunable_policy(`use_nfs_home_dirs',`
 185     fs_list_auto_mountpoints(userdom_home_manager_type)
 186     fs_manage_nfs_dirs(userdom_home_manager_type)
 187     fs_manage_nfs_files(userdom_home_manager_type)
 188     fs_manage_nfs_symlinks(userdom_home_manager_type)
 189 ')
 190
 191 tunable_policy(`use_samba_home_dirs',`
 192     fs_manage_cifs_dirs(userdom_home_manager_type)
 193     fs_manage_cifs_files(userdom_home_manager_type)
 194     fs_manage_cifs_symlinks(userdom_home_manager_type)
 195 ')
 196
 197 tunable_policy(`use_fusefs_home_dirs',`
 198     fs_manage_fusefs_dirs(userdom_home_manager_type)
 199     fs_manage_fusefs_files(userdom_home_manager_type)
 200     fs_manage_fusefs_symlinks(userdom_home_manager_type)
 201 ')
 202