## Policy for user domains
#######################################
##
## The template containing the most basic rules common to all users.
##
##
##
## The template containing the most basic rules common to all users.
##
##
## This template creates a user domain, types, and
## rules for the user's tty and pty.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
template(`userdom_base_user_template',`
gen_require(`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
')
attribute $1_file_type;
type $1_t, userdomain;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
role $1_r types $1_t;
allow system_r $1_r;
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:context contains;
dontaudit $1_t self:socket create;
allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
term_create_pty($1_t, user_devpts_t)
# avoid annoying messages on terminal hangup on role change
dontaudit $1_t user_devpts_t:chr_file ioctl;
allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
# avoid annoying messages on terminal hangup on role change
dontaudit $1_t user_tty_device_t:chr_file ioctl;
kernel_read_kernel_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
kernel_dontaudit_getattr_unlabeled_pipes($1_t)
kernel_dontaudit_getattr_unlabeled_sockets($1_t)
kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
dev_dontaudit_getattr_all_blk_files($1_t)
dev_dontaudit_getattr_all_chr_files($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_t)
domain_dontaudit_getattr_all_domains($1_t)
domain_dontaudit_getsession_all_domains($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
files_read_usr_files($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
files_read_world_readable_files($1_t)
files_read_world_readable_symlinks($1_t)
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
# old broswer_domain():
files_dontaudit_list_non_security($1_t)
files_dontaudit_getattr_non_security_files($1_t)
files_dontaudit_getattr_non_security_symlinks($1_t)
files_dontaudit_getattr_non_security_pipes($1_t)
files_dontaudit_getattr_non_security_sockets($1_t)
libs_exec_ld_so($1_t)
miscfiles_read_localization($1_t)
miscfiles_read_generic_certs($1_t)
sysnet_read_config($1_t)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
')
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
')
#######################################
##
## Allow a home directory for which the
## role has read-only access.
##
##
##
## Allow a home directory for which the
## role has read-only access.
##
##
## This does not allow execute access.
##
##
##
##
## The user role
##
##
##
##
## The user domain
##
##
##
#
interface(`userdom_ro_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
')
##############################
#
# Domain access to home dir
#
type_member $2 user_home_dir_t:dir user_home_dir_t;
# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
allow $2 user_home_t:dir list_dir_perms;
allow $2 user_home_t:file entrypoint;
read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs($2)
fs_read_nfs_files($2)
fs_read_nfs_symlinks($2)
fs_read_nfs_named_sockets($2)
fs_read_nfs_named_pipes($2)
',`
fs_dontaudit_list_nfs($2)
fs_dontaudit_read_nfs_files($2)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs($2)
fs_read_cifs_files($2)
fs_read_cifs_symlinks($2)
fs_read_cifs_named_sockets($2)
fs_read_cifs_named_pipes($2)
',`
fs_dontaudit_list_cifs($2)
fs_dontaudit_read_cifs_files($2)
')
')
#######################################
##
## Allow a home directory for which the
## role has full access.
##
##
##
## Allow a home directory for which the
## role has full access.
##
##
## This does not allow execute access.
##
##
##
##
## The user role
##
##
##
##
## The user domain
##
##
##
#
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
')
##############################
#
# Domain access to home dir
#
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
allow $2 user_home_t:file entrypoint;
manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
fs_manage_nfs_symlinks($2)
fs_manage_nfs_named_sockets($2)
fs_manage_nfs_named_pipes($2)
',`
fs_dontaudit_manage_nfs_dirs($2)
fs_dontaudit_manage_nfs_files($2)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($2)
fs_manage_cifs_files($2)
fs_manage_cifs_symlinks($2)
fs_manage_cifs_named_sockets($2)
fs_manage_cifs_named_pipes($2)
',`
fs_dontaudit_manage_cifs_dirs($2)
fs_dontaudit_manage_cifs_files($2)
')
')
#######################################
##
## Manage user temporary files
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`userdom_manage_tmp_role',`
gen_require(`
type user_tmp_t;
')
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
manage_files_pattern($2, user_tmp_t, user_tmp_t)
manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
')
#######################################
##
## The execute access user temporary files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`userdom_exec_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
#######################################
##
## Role access for the user tmpfs type
## that the user has full access.
##
##
##
## Role access for the user tmpfs type
## that the user has full access.
##
##
## This does not allow execute access.
##
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
type user_tmpfs_t;
')
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
')
#######################################
##
## The template allowing the user basic
## network permissions
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
template(`userdom_basic_networking_template',`
gen_require(`
type $1_t;
')
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_udp_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
corenet_udp_sendrecv_generic_node($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
corenet_all_recvfrom_labeled($1_t, $1_t)
optional_policy(`
init_tcp_recvfrom_all_daemons($1_t)
init_udp_recvfrom_all_daemons($1_t)
')
optional_policy(`
ipsec_match_default_spd($1_t)
')
')
#######################################
##
## The template for creating a user xwindows client. (Deprecated)
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
template(`userdom_xwindows_client_template',`
refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
gen_require(`
type $1_t, user_tmpfs_t;
')
dev_rw_xserver_misc($1_t)
dev_rw_power_management($1_t)
dev_read_input($1_t)
dev_read_misc($1_t)
dev_write_misc($1_t)
# open office is looking for the following
dev_getattr_agp_dev($1_t)
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
xserver_dontaudit_write_log($1_t)
xserver_stream_connect_xdm($1_t)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($1_t)
')
#######################################
##
## The template for allowing the user to change passwords.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
template(`userdom_change_password_template',`
gen_require(`
type $1_t;
role $1_r;
')
optional_policy(`
usermanage_run_chfn($1_t, $1_r)
usermanage_run_passwd($1_t, $1_r)
')
')
#######################################
##
## The template containing rules common to unprivileged
## users and administrative users.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
template(`userdom_common_user_template',`
gen_require(`
attribute unpriv_userdomain;
')
userdom_basic_networking_template($1)
##############################
#
# User domain Local policy
#
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
allow $1_t unpriv_userdomain:fd use;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_net_sysctls($1_t)
# Very permissive allowing every domain to see every type:
kernel_get_sysvipc_info($1_t)
# Find CDROM devices:
kernel_read_device_sysctls($1_t)
corecmd_exec_bin($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_udp_bind_generic_port($1_t)
dev_read_rand($1_t)
dev_write_sound($1_t)
dev_read_sound($1_t)
dev_read_sound_mixer($1_t)
dev_write_sound_mixer($1_t)
files_exec_etc_files($1_t)
files_search_locks($1_t)
# Check to see if cdrom is mounted
files_search_mnt($1_t)
# cjp: perhaps should cut back on file reads:
files_read_var_files($1_t)
files_read_var_symlinks($1_t)
files_read_generic_spool($1_t)
files_read_var_lib_files($1_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
fs_rw_cgroup_files($1_t)
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
selinux_compute_access_vector($1_t)
selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
# for eject
storage_getattr_fixed_disk_dev($1_t)
auth_use_nsswitch($1_t)
auth_read_login_records($1_t)
auth_search_pam_console_data($1_t)
auth_run_pam($1_t, $1_r)
auth_run_utempter($1_t, $1_r)
init_read_utmp($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
seutil_run_newrole($1_t, $1_r)
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_t)
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
seutil_dontaudit_signal_newrole($1_t)
tunable_policy(`user_direct_mouse',`
dev_read_mouse($1_t)
')
tunable_policy(`user_ttyfile_stat',`
term_getattr_all_ttys($1_t)
')
optional_policy(`
alsa_manage_home_files($1_t)
alsa_read_rw_config($1_t)
alsa_relabel_home_files($1_t)
')
optional_policy(`
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_t)
')
optional_policy(`
canna_stream_connect($1_t)
')
optional_policy(`
dbus_system_bus_client($1_t)
optional_policy(`
bluetooth_dbus_chat($1_t)
')
optional_policy(`
evolution_dbus_chat($1_t)
evolution_alarm_dbus_chat($1_t)
')
optional_policy(`
cups_dbus_chat_config($1_t)
')
optional_policy(`
hal_dbus_chat($1_t)
')
optional_policy(`
networkmanager_dbus_chat($1_t)
')
')
optional_policy(`
inetd_use_fds($1_t)
inetd_rw_tcp_sockets($1_t)
')
optional_policy(`
inn_read_config($1_t)
inn_read_news_lib($1_t)
inn_read_news_spool($1_t)
')
optional_policy(`
locate_read_lib_files($1_t)
')
# for running depmod as part of the kernel packaging process
optional_policy(`
modutils_read_module_config($1_t)
')
optional_policy(`
mta_rw_spool($1_t)
')
optional_policy(`
tunable_policy(`allow_user_mysql_connect',`
mysql_stream_connect($1_t)
')
')
optional_policy(`
oident_manage_user_content($1_t)
oident_relabel_user_content($1_t)
')
optional_policy(`
# to allow monitoring of pcmcia status
pcmcia_read_pid($1_t)
')
optional_policy(`
pcscd_read_pub_files($1_t)
pcscd_stream_connect($1_t)
')
optional_policy(`
tunable_policy(`allow_user_postgresql_connect',`
postgresql_stream_connect($1_t)
postgresql_tcp_connect($1_t)
')
')
optional_policy(`
resmgr_stream_connect($1_t)
')
optional_policy(`
rpc_dontaudit_getattr_exports($1_t)
rpc_manage_nfs_rw_content($1_t)
')
optional_policy(`
samba_stream_connect_winbind($1_t)
')
optional_policy(`
slrnpull_search_spool($1_t)
')
optional_policy(`
usernetctl_run($1_t, $1_r)
')
')
#######################################
##
## The template for creating a login user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
template(`userdom_login_user_template', `
gen_require(`
class context contains;
')
userdom_base_user_template($1)
userdom_manage_home_role($1_r, $1_t)
userdom_manage_tmp_role($1_r, $1_t)
userdom_manage_tmpfs_role($1_r, $1_t)
userdom_exec_user_tmp_files($1_t)
userdom_exec_user_home_content_files($1_t)
userdom_change_password_template($1)
##############################
#
# User domain Local policy
#
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
allow $1_t self:context contains;
kernel_dontaudit_read_system_state($1_t)
dev_read_sysfs($1_t)
dev_read_urand($1_t)
domain_use_interactive_fds($1_t)
# Command completion can fire hundreds of denials
domain_dontaudit_exec_all_entry_files($1_t)
files_dontaudit_list_default($1_t)
files_dontaudit_read_default_files($1_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
fs_getattr_all_dirs($1_t)
fs_search_auto_mountpoints($1_t)
fs_list_cgroup_dirs($1_t)
fs_list_inotifyfs($1_t)
fs_rw_anon_inodefs_files($1_t)
fs_dontaudit_rw_cgroup_files($1_t)
auth_dontaudit_write_login_records($1_t)
application_exec_all($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_rw_utmp($1_t)
# Stop warnings about access to /dev/console
init_dontaudit_use_fds($1_t)
init_dontaudit_use_script_fds($1_t)
libs_exec_lib_files($1_t)
logging_dontaudit_getattr_all_logs($1_t)
miscfiles_read_man_pages($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
seutil_read_config($1_t)
optional_policy(`
cups_read_config($1_t)
cups_stream_connect($1_t)
cups_stream_connect_ptal($1_t)
')
optional_policy(`
kerberos_use($1_t)
')
optional_policy(`
mta_dontaudit_read_spool_symlinks($1_t)
')
optional_policy(`
quota_dontaudit_getattr_db($1_t)
')
optional_policy(`
rpm_read_db($1_t)
rpm_dontaudit_manage_db($1_t)
')
')
#######################################
##
## The template for creating a unprivileged login user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
template(`userdom_restricted_user_template',`
gen_require(`
attribute unpriv_userdomain;
')
userdom_login_user_template($1)
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
##############################
#
# Local policy
#
optional_policy(`
loadkeys_run($1_t, $1_r)
')
')
#######################################
##
## The template for creating a unprivileged xwindows login user.
##
##
##
## The template for creating a unprivileged xwindows login user.
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
template(`userdom_restricted_xwindows_user_template',`
userdom_restricted_user_template($1)
##############################
#
# Local policy
#
auth_role($1_r, $1_t)
auth_search_pam_console_data($1_t)
dev_read_sound($1_t)
dev_write_sound($1_t)
# gnome keyring wants to read this.
dev_dontaudit_read_rand($1_t)
logging_send_syslog_msg($1_t)
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
logging_send_audit_msgs($1_t)
selinux_get_enforce_mode($1_t)
xserver_restricted_role($1_r, $1_t)
optional_policy(`
alsa_read_rw_config($1_t)
')
optional_policy(`
dbus_role_template($1, $1_r, $1_t)
dbus_system_bus_client($1_t)
optional_policy(`
consolekit_dbus_chat($1_t)
')
optional_policy(`
cups_dbus_chat($1_t)
')
')
optional_policy(`
java_role($1_r, $1_t)
')
optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
')
')
#######################################
##
## The template for creating a unprivileged user roughly
## equivalent to a regular linux user.
##
##
##
## The template for creating a unprivileged user roughly
## equivalent to a regular linux user.
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
template(`userdom_unpriv_user_template', `
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
userdom_restricted_user_template($1)
userdom_common_user_template($1)
##############################
#
# Local policy
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
files_exec_usr_files($1_t)
# cjp: why?
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
fs_exec_noxattr($1_t)
tunable_policy(`user_rw_noexattrfile',`
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
',`
storage_raw_read_removable_device($1_t)
')
')
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
',`
kernel_dontaudit_read_ring_buffer($1_t)
')
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_node($1_t)
corenet_tcp_bind_generic_port($1_t)
')
optional_policy(`
netutils_run_ping_cond($1_t, $1_r)
netutils_run_traceroute_cond($1_t, $1_r)
')
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t, $1_r)
')
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
')
#######################################
##
## The template for creating an administrative user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
## The privileges given to administrative users are:
##
## - Raw disk access
## - Set all sysctls
## - All kernel ring buffer controls
## - Create, read, write, and delete all files but shadow
## - Manage source and binary format SELinux policy
## - Run insmod
##
##
##
##
##
## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
##
##
#
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
class passwd { passwd chfn chsh rootok };
')
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
userdom_login_user_template($1)
userdom_common_user_template($1)
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
typeattribute $1_t admindomain;
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
')
##############################
#
# $1_t local policy
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
kernel_change_ring_buffer_level($1_t)
kernel_clear_ring_buffer($1_t)
kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctls($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
corenet_rw_tun_tap_dev($1_t)
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
# for lsof
dev_getattr_mtrr_dev($1_t)
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
dev_delete_all_blk_files($1_t)
dev_delete_all_chr_files($1_t)
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
domain_getattr_all_domains($1_t)
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t)
domain_signull_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
term_use_all_terms($1_t)
auth_getattr_shadow($1_t)
# Manage almost all files
auth_manage_all_files_except_shadow($1_t)
# Relabel almost all files
auth_relabel_all_files_except_shadow($1_t)
init_telinit($1_t)
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
seutil_manage_src_policy($1_t)
# Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
userdom_manage_user_home_content_pipes($1_t)
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`user_rw_noexattrfile',`
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
',`
fs_read_noxattr_fs_files($1_t)
')
optional_policy(`
postgresql_unconfined($1_t)
')
optional_policy(`
userhelper_exec($1_t)
')
')
########################################
##
## Allow user to run as a secadm
##
##
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role of the object to create.
##
##
#
template(`userdom_security_admin_template',`
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
domain_obj_id_change_exemption($1)
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
mls_process_read_up($1)
mls_file_read_all_levels($1)
mls_file_upgrade($1)
mls_file_downgrade($1)
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
init_exec($1)
logging_send_syslog_msg($1)
logging_read_audit_log($1)
logging_read_generic_logs($1)
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
seutil_run_checkpolicy($1, $2)
seutil_run_loadpolicy($1, $2)
seutil_run_semanage($1, $2)
seutil_run_setfiles($1, $2)
optional_policy(`
aide_run($1, $2)
')
optional_policy(`
consoletype_exec($1)
')
optional_policy(`
dmesg_exec($1)
')
optional_policy(`
ipsec_run_setkey($1, $2)
')
optional_policy(`
netlabel_run_mgmt($1, $2)
')
optional_policy(`
samhain_run($1, $2)
')
')
########################################
##
## Make the specified type usable in a
## user home directory.
##
##
##
## Type to be used as a file in the
## user home directory.
##
##
#
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:filesystem associate;
files_type($1)
files_poly_member($1)
ubac_constrained($1)
')
########################################
##
## Allow domain to attach to TUN devices created by administrative users.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_attach_admin_tun_iface',`
gen_require(`
attribute admindomain;
')
allow $1 admindomain:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
')
########################################
##
## Set the attributes of a user pty.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_setattr_user_ptys',`
gen_require(`
type user_devpts_t;
')
allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
')
########################################
##
## Create a user pty.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_create_user_pty',`
gen_require(`
type user_devpts_t;
')
term_create_pty($1, user_devpts_t)
')
########################################
##
## Get the attributes of user home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_getattr_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir getattr_dir_perms;
files_search_home($1)
')
########################################
##
## Do not audit attempts to get the attributes of user home directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_getattr_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
')
########################################
##
## Search user home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_search_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
########################################
##
## Do not audit attempts to search user home directories.
##
##
##
## Do not audit attempts to search user home directories.
## This will supress SELinux denial messages when the specified
## domain is denied the permission to search these directories.
##
##
##
##
## Domain to not audit.
##
##
##
#
interface(`userdom_dontaudit_search_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
########################################
##
## List user home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
')
########################################
##
## Do not audit attempts to list user home subdirectories.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir list_dir_perms;
')
########################################
##
## Create user home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_create_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
##
## Create user home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir manage_dir_perms;
')
########################################
##
## Relabel to user home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_relabelto_user_home_dirs',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir relabelto;
')
########################################
##
## Create directories in the home dir root with
## the user home directory type.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_home_filetrans_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
files_home_filetrans($1, user_home_dir_t, dir)
')
########################################
##
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
##
##
##
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Domain to transition to.
##
##
#
interface(`userdom_user_home_domtrans',`
gen_require(`
type user_home_dir_t, user_home_t;
')
domain_auto_trans($1, user_home_t, $2)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
########################################
##
## Do not audit attempts to search user home content directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:dir search_dir_perms;
')
########################################
##
## List contents of users home directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_list_user_home_content',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir list_dir_perms;
')
########################################
##
## Create, read, write, and delete directories
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_home_content_dirs',`
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
########################################
##
## Delete directories in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_delete_user_home_content_dirs',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir delete_dir_perms;
')
########################################
##
## Do not audit attempts to set the
## attributes of user home files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file setattr_file_perms;
')
########################################
##
## Mmap user home files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_mmap_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
')
mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
########################################
##
## Read user home files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
')
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
########################################
##
## Do not audit attempts to read user home files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:dir list_dir_perms;
dontaudit $1 user_home_t:file read_file_perms;
')
########################################
##
## Do not audit attempts to append user home files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_append_user_home_content_files',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file append_file_perms;
')
########################################
##
## Do not audit attempts to write user home files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file write_file_perms;
')
########################################
##
## Delete files in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_delete_user_home_content_files',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file delete_file_perms;
')
########################################
##
## Do not audit attempts to write user home files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_relabel_user_home_content_files',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file relabel_file_perms;
')
########################################
##
## Read user home subdirectory symbolic links.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_read_user_home_content_symlinks',`
gen_require(`
type user_home_dir_t, user_home_t;
')
read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
########################################
##
## Execute user home files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
tunable_policy(`use_nfs_home_dirs',`
fs_exec_nfs_files($1)
')
tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files($1)
')
')
########################################
##
## Do not audit attempts to execute user home files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file exec_file_perms;
')
########################################
##
## Create, read, write, and delete files
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
########################################
##
## Do not audit attempts to create, read, write, and delete directories
## in a user home subdirectory.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
type user_home_dir_t, user_home_t;
')
dontaudit $1 user_home_t:dir manage_dir_perms;
')
########################################
##
## Create, read, write, and delete symbolic links
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_home_content_symlinks',`
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_lnk_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
########################################
##
## Delete symbolic links in a user home directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_delete_user_home_content_symlinks',`
gen_require(`
type user_home_t;
')
allow $1 user_home_t:lnk_file delete_lnk_file_perms;
')
########################################
##
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_home_content_pipes',`
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_fifo_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
########################################
##
## Create, read, write, and delete named sockets
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_home_content_sockets',`
gen_require(`
type user_home_dir_t, user_home_t;
')
allow $1 user_home_dir_t:dir search_dir_perms;
manage_sock_files_pattern($1, user_home_t, user_home_t)
files_search_home($1)
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
#
interface(`userdom_user_home_dir_filetrans',`
gen_require(`
type user_home_dir_t;
')
filetrans_pattern($1, user_home_dir_t, $2, $3)
files_search_home($1)
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
#
interface(`userdom_user_home_content_filetrans',`
gen_require(`
type user_home_dir_t, user_home_t;
')
filetrans_pattern($1, user_home_t, $2, $3)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## the user home file type.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
#
interface(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
type user_home_dir_t, user_home_t;
')
filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
files_search_home($1)
')
########################################
##
## Write to user temporary named sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_write_user_tmp_sockets',`
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:sock_file write_sock_file_perms;
files_search_tmp($1)
')
########################################
##
## List user temporary directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_list_user_tmp',`
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
')
########################################
##
## Do not audit attempts to list user
## temporary directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_list_user_tmp',`
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:dir list_dir_perms;
')
########################################
##
## Do not audit attempts to manage users
## temporary directories.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:dir manage_dir_perms;
')
########################################
##
## Read user temporary files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
read_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
')
########################################
##
## Do not audit attempts to read users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file read_file_perms;
')
########################################
##
## Do not audit attempts to append users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file append_file_perms;
')
########################################
##
## Read and write user temporary files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_rw_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:dir list_dir_perms;
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
##
## Do not audit attempts to manage users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file manage_file_perms;
')
########################################
##
## Read user temporary symbolic links.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_read_user_tmp_symlinks',`
gen_require(`
type user_tmp_t;
')
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
')
########################################
##
## Create, read, write, and delete user
## temporary directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_tmp_dirs',`
gen_require(`
type user_tmp_t;
')
manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
##
## Create, read, write, and delete user
## temporary files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
manage_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
##
## Create, read, write, and delete user
## temporary symbolic links.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_tmp_symlinks',`
gen_require(`
type user_tmp_t;
')
manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
##
## Create, read, write, and delete user
## temporary named pipes.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
type user_tmp_t;
')
manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
##
## Create, read, write, and delete user
## temporary named sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_tmp_sockets',`
gen_require(`
type user_tmp_t;
')
manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
##
## Create objects in a user temporary directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
#
interface(`userdom_user_tmp_filetrans',`
gen_require(`
type user_tmp_t;
')
filetrans_pattern($1, user_tmp_t, $2, $3)
files_search_tmp($1)
')
########################################
##
## Create objects in the temporary directory
## with an automatic type transition to
## the user temporary type.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
#
interface(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
type user_tmp_t;
')
files_tmp_filetrans($1, user_tmp_t, $2)
')
########################################
##
## Read user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_read_user_tmpfs_files',`
gen_require(`
type user_tmpfs_t;
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
allow $1 user_tmpfs_t:dir list_dir_perms;
fs_search_tmpfs($1)
')
########################################
##
## Read user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_rw_user_tmpfs_files',`
gen_require(`
type user_tmpfs_t;
')
rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
allow $1 user_tmpfs_t:dir list_dir_perms;
fs_search_tmpfs($1)
')
########################################
##
## Create, read, write, and delete user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_user_tmpfs_files',`
gen_require(`
type user_tmpfs_t;
')
manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
allow $1 user_tmpfs_t:dir list_dir_perms;
fs_search_tmpfs($1)
')
########################################
##
## Get the attributes of a user domain tty.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_getattr_user_ttys',`
gen_require(`
type user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')
########################################
##
## Do not audit attempts to get the attributes of a user domain tty.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_getattr_user_ttys',`
gen_require(`
type user_tty_device_t;
')
dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')
########################################
##
## Set the attributes of a user domain tty.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_setattr_user_ttys',`
gen_require(`
type user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')
########################################
##
## Do not audit attempts to set the attributes of a user domain tty.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_setattr_user_ttys',`
gen_require(`
type user_tty_device_t;
')
dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')
########################################
##
## Read and write a user domain tty.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_use_user_ttys',`
gen_require(`
type user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file rw_term_perms;
')
########################################
##
## Read and write a user domain pty.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_use_user_ptys',`
gen_require(`
type user_devpts_t;
')
allow $1 user_devpts_t:chr_file rw_term_perms;
')
########################################
##
## Read and write a user TTYs and PTYs.
##
##
##
## Allow the specified domain to read and write user
## TTYs and PTYs. This will allow the domain to
## interact with the user via the terminal. Typically
## all interactive applications will require this
## access.
##
##
## However, this also allows the applications to spy
## on user sessions or inject information into the
## user session. Thus, this access should likely
## not be allowed for non-interactive domains.
##
##
##
##
## Domain allowed access.
##
##
##
#
interface(`userdom_use_user_terminals',`
gen_require(`
type user_tty_device_t, user_devpts_t;
')
allow $1 user_tty_device_t:chr_file rw_term_perms;
allow $1 user_devpts_t:chr_file rw_term_perms;
term_list_ptys($1)
')
########################################
##
## Do not audit attempts to read and write
## a user domain tty and pty.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_use_user_terminals',`
gen_require(`
type user_tty_device_t, user_devpts_t;
')
dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
########################################
##
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
interface(`userdom_spec_domtrans_all_users',`
gen_require(`
attribute userdomain;
')
corecmd_shell_spec_domtrans($1, userdomain)
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
')
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
interface(`userdom_xsession_spec_domtrans_all_users',`
gen_require(`
attribute userdomain;
')
xserver_xsession_spec_domtrans($1, userdomain)
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
')
########################################
##
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
interface(`userdom_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
corecmd_shell_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
interface(`userdom_xsession_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
xserver_xsession_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
#######################################
##
## Read and write unpriviledged user SysV sempaphores.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_rw_unpriv_user_semaphores',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:sem rw_sem_perms;
')
########################################
##
## Manage unpriviledged user SysV sempaphores.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_unpriv_user_semaphores',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:sem create_sem_perms;
')
#######################################
##
## Read and write unpriviledged user SysV shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_rw_unpriv_user_shared_mem',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:shm rw_shm_perms;
')
########################################
##
## Manage unpriviledged user SysV shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_manage_unpriv_user_shared_mem',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:shm create_shm_perms;
')
########################################
##
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
interface(`userdom_bin_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
corecmd_bin_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
########################################
##
## Execute all entrypoint files in unprivileged user
## domains. This is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_entry_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
########################################
##
## Search users home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_search_user_home_content',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_list_home($1)
allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
')
########################################
##
## Send signull to unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_signull_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:process signull;
')
########################################
##
## Send general signals to unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_signal_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:process signal;
')
########################################
##
## Inherit the file descriptors from unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_use_unpriv_users_fds',`
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:fd use;
')
########################################
##
## Do not audit attempts to inherit the file descriptors
## from unprivileged user domains.
##
##
##
## Do not audit attempts to inherit the file descriptors
## from unprivileged user domains. This will supress
## SELinux denial messages when the specified domain is denied
## the permission to inherit these file descriptors.
##
##
##
##
## Domain to not audit.
##
##
##
#
interface(`userdom_dontaudit_use_unpriv_user_fds',`
gen_require(`
attribute unpriv_userdomain;
')
dontaudit $1 unpriv_userdomain:fd use;
')
########################################
##
## Do not audit attempts to use user ptys.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_use_user_ptys',`
gen_require(`
type user_devpts_t;
')
dontaudit $1 user_devpts_t:chr_file rw_file_perms;
')
########################################
##
## Relabel files to unprivileged user pty types.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_relabelto_user_ptys',`
gen_require(`
type user_devpts_t;
')
allow $1 user_devpts_t:chr_file relabelto;
')
########################################
##
## Do not audit attempts to relabel files from
## user pty types.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_relabelfrom_user_ptys',`
gen_require(`
type user_devpts_t;
')
dontaudit $1 user_devpts_t:chr_file relabelfrom;
')
########################################
##
## Write all users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_write_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file write_file_perms;
')
########################################
##
## Do not audit attempts to use user ttys.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_use_user_ttys',`
gen_require(`
type user_tty_device_t;
')
dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
')
########################################
##
## Read the process state of all user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_read_all_users_state',`
gen_require(`
attribute userdomain;
')
read_files_pattern($1, userdomain, userdomain)
kernel_search_proc($1)
')
########################################
##
## Get the attributes of all user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_getattr_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process getattr;
')
########################################
##
## Inherit the file descriptors from all user domains
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_use_all_users_fds',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:fd use;
')
########################################
##
## Do not audit attempts to inherit the file
## descriptors from any user domains.
##
##
##
## Domain to not audit.
##
##
#
interface(`userdom_dontaudit_use_all_users_fds',`
gen_require(`
attribute userdomain;
')
dontaudit $1 userdomain:fd use;
')
########################################
##
## Send general signals to all user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_signal_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process signal;
')
########################################
##
## Send a SIGCHLD signal to all user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_sigchld_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process sigchld;
')
########################################
##
## Create keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_create_all_users_keys',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:key create;
')
########################################
##
## Send a dbus message to all user domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`userdom_dbus_send_all_users',`
gen_require(`
attribute userdomain;
class dbus send_msg;
')
allow $1 userdomain:dbus send_msg;
')