term_user_tty($1_t, user_tty_device_t)
term_dontaudit_getattr_generic_ptys($1_t)
- allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ tunable_policy(`deny_ptrace',`',`
+ allow $1_usertype $1_usertype:process ptrace;
+ ')
allow $1_usertype $1_usertype:fd use;
allow $1_usertype $1_t:key { create view read write search link setattr };
systemd_dbus_chat_logind($1_usertype)
- tunable_policy(`allow_execmem',`
+ tunable_policy(`deny_execmem',`', `
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
')
- tunable_policy(`allow_execmem && allow_execstack',`
+ tunable_policy(`allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
auth_read_login_records($1_usertype)
auth_run_pam($1_t,$1_r)
auth_run_utempter($1_t,$1_r)
+ auth_filetrans_admin_home_content($1_t)
+ auth_filetrans_home_content($1_t)
init_read_utmp($1_usertype)
canna_stream_connect($1_usertype)
')
- optional_policy(`
- chrome_role($1_r, $1_usertype)
- ')
-
optional_policy(`
colord_read_lib_files($1_usertype)
')
devicekit_dbus_chat_disk($1_usertype)
')
- optional_policy(`
- evolution_dbus_chat($1_usertype)
- evolution_alarm_dbus_chat($1_usertype)
- ')
-
optional_policy(`
gnome_dbus_chat_gconfdefault($1_usertype)
')
mta_filetrans_home_content($1_usertype)
')
- optional_policy(`
- nsplugin_role($1_r, $1_usertype)
- ')
-
optional_policy(`
tunable_policy(`allow_user_mysql_connect',`
mysql_stream_connect($1_t)
optional_policy(`
slrnpull_search_spool($1_usertype)
')
-
- optional_policy(`
- thumb_role($1_r, $1_usertype)
- ')
')
#######################################
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
optional_policy(`
gnome_read_usr_config($1_usertype)
gnome_role_gkeyringd($1, $1_r, $1_usertype)
- # cjp: telepathy F15 bugs
- telepathy_role($1_r, $1_t, $1)
')
optional_policy(`
')
')
- optional_policy(`
- openoffice_role_template($1, $1_r, $1_usertype)
- ')
-
optional_policy(`
policykit_role($1_r, $1_usertype)
')
cron_role($1_r, $1_t)
')
- optional_policy(`
- games_rw_data($1_usertype)
- ')
-
optional_policy(`
gpg_role($1_r, $1_usertype)
')
gpm_stream_connect($1_usertype)
')
- optional_policy(`
- execmem_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
- java_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
- mono_role_template($1, $1_r, $1_t)
- ')
-
optional_policy(`
mount_run_fusermount($1_t, $1_r)
mount_read_pid_files($1_t)
# $1_t local policy
#
- allow $1_t self:capability ~{ sys_module audit_control audit_write };
+ allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
+ tunable_policy(`deny_ptrace',`',`
+ allow $1_t self:capability sys_ptrace;
+ ')
allow $1_t self:capability2 syslog;
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
ubac_constrained($2)
')
+#######################################
+## <summary>
+## Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_unpriv_type',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ ')
+ typeattribute $2 unpriv_userdomain;
+ typeattribute $2 userdomain;
+
+ auth_use_nsswitch($2)
+ ubac_constrained($2)
+')
+
########################################
## <summary>
## Connect to users over an unix stream socket.
attribute userdomain;
')
- allow $1 userdomain:process ptrace;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 userdomain:process ptrace;
+ ')
')
########################################
read_files_pattern($1, admin_home_t, admin_home_t)
')
+########################################
+## <summary>
+## Delete admin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_delete_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:file delete_file_perms;
+')
+
########################################
## <summary>
## Execute admin home files.
userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
+ gnome_config_filetrans($1, home_cert_t, dir, "certificates")
- optional_policy(`
- gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
+ #optional_policy(`
+ # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
+ #')
+')
+
+########################################
+## <summary>
+## Make the specified type able to read content in user home dirs
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_home_reader',`
+ gen_require(`
+ attribute userdom_home_reader_type;
+ ')
+
+ typeattribute $1 userdom_home_reader_type;
+')
+
+
+########################################
+## <summary>
+## Make the specified type able to manage content in user home dirs
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_home_manager',`
+ gen_require(`
+ attribute userdom_home_manager_type;
')
+
+ typeattribute $1 userdom_home_manager_type;
')
projects / people / stevee / selinux-policy.git / blobdiff