domain_role_change_exemption($1_sudo_t)
ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t;
+ userdom_home_manager($1_sudo_t)
type $1_sudo_tmp_t;
files_tmp_file($1_sudo_tmp_t)
userdom_search_admin_dir(sudodomain)
userdom_manage_all_users_keys(sudodomain)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(sudodomain)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(sudodomain)
-')
-
optional_policy(`
dbus_system_bus_client(sudodomain)
')
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- files_search_mnt(cdrecord_t)
- fs_read_nfs_files(cdrecord_t)
- fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
optional_policy(`
resmgr_stream_connect(cdrecord_t)
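Review bot: `userdom_home_manager(cdrecord_t)` is a privilege widening relative to the rules it replaces: the removed block granted cdrecord only `fs_read_nfs_files` and `fs_read_nfs_symlinks` (and nothing on CIFS), while the manager attribute's rules in userdomain.te carry create/write/unlink on dirs, files and symlinks across NFS, CIFS and FUSE. Burning an image out of a home directory only needs read, so `userdom_home_reader(cdrecord_t)` is the least-privilege replacement. `files_search_mnt(cdrecord_t)` is also dropped here and is not part of either attribute (the manager only gets `fs_list_auto_mountpoints`); if cdrecord still has to reach media under /mnt, restore it as an unconditional rule.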
# giftui looks in .icons, .themes.
userdom_dontaudit_read_user_home_content_files(gift_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gift_t)
- fs_manage_nfs_files(gift_t)
- fs_manage_nfs_symlinks(gift_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gift_t)
- fs_manage_cifs_files(gift_t)
- fs_manage_cifs_symlinks(gift_t)
-')
+userdom_home_manager(gift_t)
optional_policy(`
nscd_socket_use(gift_t)
sysnet_read_config(giftd_t)
userdom_use_inherited_user_terminals(giftd_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(giftd_t)
- fs_manage_nfs_files(giftd_t)
- fs_manage_nfs_symlinks(giftd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(giftd_t)
- fs_manage_cifs_files(giftd_t)
- fs_manage_cifs_symlinks(giftd_t)
-')
+userdom_home_manager(gitd_t)
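Review bot: The added line names `gitd_t`, but every rule removed in this hunk was for `giftd_t`, so this reads as a typo: giftd silently loses all NFS/CIFS home access, and the attribute is instead attached to a type that does not belong to the gift module (a build failure if `gitd_t` is not declared in scope here, a grant to an unrelated daemon if it is). The line should be `userdom_home_manager(giftd_t)`. I cannot see whether the giftd policy block continues past the hunk.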
ubac_constrained($1_gkeyringd_t)
domain_user_exemption_target($1_gkeyringd_t)
+ userdom_home_manager($1_gkeyringd_t)
+
role $2 types $1_gkeyringd_t;
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
policykit_read_reload(gconfdefaultsm_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gconfdefaultsm_t)
- fs_manage_nfs_files(gconfdefaultsm_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gconfdefaultsm_t)
- fs_manage_cifs_files(gconfdefaultsm_t)
-')
+userdom_home_manager(gconfdefaultsm_t)
#######################################
#
userdom_use_inherited_user_terminals(gnome_domain)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(gkeyringd_domain)
- fs_manage_nfs_dirs(gkeyringd_domain)
- fs_manage_nfs_files(gkeyringd_domain)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gkeyringd_domain)
- fs_manage_cifs_files(gkeyringd_domain)
-')
mta_write_config(gpg_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
-')
+userdom_home_manager(gpg_t)
optional_policy(`
gnome_read_config(gpg_t)
userdom_manage_user_home_content_files(gpg_agent_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_agent_t)
- fs_manage_nfs_files(gpg_agent_t)
- fs_manage_nfs_symlinks(gpg_agent_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_agent_t)
- fs_manage_cifs_files(gpg_agent_t)
- fs_manage_cifs_symlinks(gpg_agent_t)
-')
+userdom_home_manager(gpg_agent_t)
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
userdom_signull_unpriv_users(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
-')
+userdom_home_reader(gpg_pinentry_t)
optional_policy(`
gnome_read_home_config(gpg_pinentry_t)
# Write to the user domain tty.
userdom_use_inherited_user_terminals(irc_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(irc_t)
- fs_manage_nfs_files(irc_t)
- fs_manage_nfs_symlinks(irc_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(irc_t)
- fs_manage_cifs_files(irc_t)
- fs_manage_cifs_symlinks(irc_t)
-')
+userdom_home_manager(irc_t)
optional_policy(`
nis_use_ypbind(irc_t)
corenet_sendrecv_all_client_packets(irssi_t)
')
-tunable_policy(`use_nfs_home_dirs', `
- fs_manage_nfs_dirs(irssi_t)
- fs_manage_nfs_files(irssi_t)
- fs_manage_nfs_symlinks(irssi_t)
-')
-
-tunable_policy(`use_samba_home_dirs', `
- fs_manage_cifs_dirs(irssi_t)
- fs_manage_cifs_files(irssi_t)
- fs_manage_cifs_symlinks(irssi_t)
-')
+userdom_home_manager(irssi_t)
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(irssi_t)
allow mozilla_t self:process execmem;
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_t)
- fs_manage_nfs_files(mozilla_t)
- fs_manage_nfs_symlinks(mozilla_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_t)
- fs_manage_cifs_files(mozilla_t)
- fs_manage_cifs_symlinks(mozilla_t)
-')
+userdom_home_manager(mozilla_t)
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
allow mozilla_plugin_t self:process execstack;
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
-')
+userdom_home_manager(mozilla_plugin_t)
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
userdom_read_user_tmp_symlinks(mencoder_t)
userdom_read_user_home_content_files(mencoder_t)
userdom_read_user_home_content_symlinks(mencoder_t)
+userdom_home_manager(mencoder_t)
# Read content to encode
ifndef(`enable_mls',`
allow mencoder_t self:process { execmem execstack };
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mencoder_t)
- fs_manage_nfs_files(mencoder_t)
- fs_manage_nfs_symlinks(mencoder_t)
-
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mencoder_t)
- fs_manage_cifs_files(mencoder_t)
- fs_manage_cifs_symlinks(mencoder_t)
-
-')
-
-# Read content to encode
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints(mencoder_t)
- files_list_home(mencoder_t)
- fs_read_nfs_files(mencoder_t)
- fs_read_nfs_symlinks(mencoder_t)
-
-',`
- files_dontaudit_list_home(mencoder_t)
- fs_dontaudit_list_auto_mountpoints(mencoder_t)
- fs_dontaudit_read_nfs_files(mencoder_t)
- fs_dontaudit_list_nfs(mencoder_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_auto_mountpoints(mencoder_t)
- files_list_home(mencoder_t)
- fs_read_cifs_files(mencoder_t)
- fs_read_cifs_symlinks(mencoder_t)
-',`
- files_dontaudit_list_home(mencoder_t)
- fs_dontaudit_list_auto_mountpoints(mencoder_t)
- fs_dontaudit_read_cifs_files(mencoder_t)
- fs_dontaudit_list_cifs(mencoder_t)
-')
-
########################################
#
# mplayer local policy
userdom_read_user_home_content_files(mplayer_t)
userdom_read_user_home_content_symlinks(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)
+userdom_home_manager(mplayer_t)
xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
allow mplayer_t self:process { execmem execstack };
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mplayer_t)
- fs_manage_nfs_files(mplayer_t)
- fs_manage_nfs_symlinks(mplayer_t)
-')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mplayer_t)
- fs_manage_cifs_files(mplayer_t)
- fs_manage_cifs_symlinks(mplayer_t)
-')
-
# Legacy domain issues
tunable_policy(`allow_mplayer_execstack',`
allow mplayer_t mplayer_tmpfs_t:file execute;
')
-# Read songs
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints(mplayer_t)
- files_list_home(mplayer_t)
- fs_read_nfs_files(mplayer_t)
- fs_read_nfs_symlinks(mplayer_t)
-
-',`
- files_dontaudit_list_home(mplayer_t)
- fs_dontaudit_list_auto_mountpoints(mplayer_t)
- fs_dontaudit_read_nfs_files(mplayer_t)
- fs_dontaudit_list_nfs(mplayer_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_auto_mountpoints(mplayer_t)
- files_list_home(mplayer_t)
- fs_read_cifs_files(mplayer_t)
- fs_read_cifs_symlinks(mplayer_t)
-',`
- files_dontaudit_list_home(mplayer_t)
- fs_dontaudit_list_auto_mountpoints(mplayer_t)
- fs_dontaudit_read_cifs_files(mplayer_t)
- fs_dontaudit_list_cifs(mplayer_t)
-')
+userdom_home_manager(mplayer_t)
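Review bot: `userdom_home_manager(mplayer_t)` is added twice in this file, here and a few lines earlier next to `userdom_write_user_tmp_sockets(mplayer_t)`; duplicate `typeattribute` statements compile, but the second copy is noise for anyone later grepping for where mplayer's network-home access comes from, so keep one. The removed read-only blocks also granted `files_list_home` and `fs_list_auto_mountpoints` under both booleans and had dontaudit rules for the booleans-off case; the manager attribute only carries `fs_list_auto_mountpoints` under `use_nfs_home_dirs`, so expect `files_list_home` denials for mplayer_t browsing /home unless that is granted elsewhere in the file.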
optional_policy(`
alsa_read_rw_config(mplayer_t)
ubac_constrained($1_screen_t)
role $2 types $1_screen_t;
+ userdom_home_reader($1_screen_t)
+
domtrans_pattern($3, screen_exec_t, $1_screen_t)
allow $3 $1_screen_t:process { signal sigchld };
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
userdom_setattr_user_ptys(screen_domain)
userdom_setattr_user_ttys(screen_domain)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_symlinks(screen_domain)
- fs_list_cifs(screen_domain)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(screen_domain)
- fs_read_nfs_symlinks(screen_domain)
-')
corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_gabble_t)
- fs_manage_nfs_files(telepathy_gabble_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_gabble_t)
- fs_manage_cifs_files(telepathy_gabble_t)
-')
+userdom_home_manager(telepathy_gabble_t)
optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
fs_getattr_all_fs(telepathy_logger_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_logger_t)
- fs_manage_nfs_files(telepathy_logger_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_logger_t)
- fs_manage_cifs_files(telepathy_logger_t)
-')
+userdom_home_manager(telepathy_logger_t)
optional_policy(`
# ~/.config/dconf/user
files_read_etc_files(telepathy_mission_control_t)
files_read_usr_files(telepathy_mission_control_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_mission_control_t)
- fs_manage_nfs_files(telepathy_mission_control_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_mission_control_t)
- fs_manage_cifs_files(telepathy_mission_control_t)
-')
+userdom_home_manager(telepathy_mission_control_t)
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
# Access ~/.thunderbird
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(thunderbird_t)
- fs_manage_nfs_files(thunderbird_t)
- fs_manage_nfs_symlinks(thunderbird_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(thunderbird_t)
- fs_manage_cifs_files(thunderbird_t)
- fs_manage_cifs_symlinks(thunderbird_t)
-')
+userdom_home_manager(thunderbird_t)
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
files_list_home(thunderbird_t)
userdom_read_user_home_content_files(tvtime_t)
# X access, Home files
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(tvtime_t)
- fs_manage_nfs_files(tvtime_t)
- fs_manage_nfs_symlinks(tvtime_t)
-')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(tvtime_t)
- fs_manage_cifs_files(tvtime_t)
- fs_manage_cifs_symlinks(tvtime_t)
-')
+userdom_home_manager(tvtime_t)
optional_policy(`
xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
userdom_manage_user_home_content_files(wireshark_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(wireshark_t)
- fs_manage_nfs_files(wireshark_t)
- fs_manage_nfs_symlinks(wireshark_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(wireshark_t)
- fs_manage_cifs_files(wireshark_t)
- fs_manage_cifs_symlinks(wireshark_t)
-')
+userdom_home_manager(wireshark_t)
# Manual transition from userhelper
optional_policy(`
read_lnk_files_pattern($1, fusefs_t, fusefs_t)
')
+########################################
+## <summary>
+## Manage symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_fusefs_symlinks',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
########################################
## <summary>
## Get the attributes of an hugetlbfs
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
')
-
-
dev_read_rand(iwhd_t)
dev_read_urand(iwhd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints(iwhd_t)
- fs_manage_nfs_dirs(iwhd_t)
- fs_manage_nfs_files(iwhd_t)
- fs_manage_nfs_symlinks(iwhd_t)
-')
+userdom_home_manager(iwhd_t)
########################################
#
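Review bot: The removed block gave iwhd_t manage access on NFS only, whereas `userdom_home_manager(iwhd_t)` also grants full manage on CIFS and FUSE home filesystems when those booleans are enabled. That may be fine for a daemon that writes user images, but it is a wider footprint than the old rules and is not mentioned anywhere; a one-line comment such as `# image data may live on NFS/CIFS/FUSE home dirs` above the call would record that the extra backends are intended rather than incidental.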
userdom_rw_user_tmpfs_files(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
-')
+userdom_home_reader(colord_t)
optional_policy(`
cups_read_config(colord_t)
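Review bot: The removed blocks gave colord `fs_getattr_nfs` and `fs_getattr_cifs` next to the file reads, and `userdom_home_reader` does not carry a filesystem getattr: the `userdom_home_reader_type` rules added to userdomain.te grant only `fs_read_nfs_files`, `fs_read_cifs_files` and `fs_read_fusefs_files`. A statfs on an NFS or CIFS home filesystem from colord_t will therefore be denied once the matching boolean is on. Either keep `fs_getattr_nfs(colord_t)`/`fs_getattr_cifs(colord_t)` here under their tunables, or add the two getattr rules to the reader attribute if every reader should have them.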
userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(consolekit_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
optional_policy(`
cron_read_system_job_lib_files(consolekit_t)
lpd_manage_spool(cups_pdf_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_search_auto_mountpoints(cups_pdf_t)
- fs_manage_nfs_dirs(cups_pdf_t)
- fs_manage_nfs_files(cups_pdf_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(cups_pdf_t)
- fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
optional_policy(`
gnome_read_config(cups_pdf_t)
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
+ userdom_home_manager($1_dbusd_t)
+
##############################
#
# Local policy
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(system_dbusd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(system_dbusd_t)
-')
+userdom_home_reader(system_dbusd_t)
optional_policy(`
bind_domtrans(system_dbusd_t)
userdom_manage_user_home_content_files(session_bus_type)
userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(session_bus_type)
- fs_manage_nfs_files(session_bus_type)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(session_bus_type)
- fs_manage_cifs_files(session_bus_type)
-')
-
optional_policy(`
gnome_read_gconf_home_files(session_bus_type)
')
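Review bot: The manage rules on the `session_bus_type` attribute are removed here but nothing in this hunk replaces them; the only new grant elsewhere in the patch is `userdom_home_manager($1_dbusd_t)` inside the dbus role template. Since the new interfaces work by `typeattribute`, which takes a type and cannot be applied to an attribute, any type that joins `session_bus_type` by a path other than that template silently loses NFS/CIFS home access when the booleans are on. If the attribute is meant to keep its access, leave the two `tunable_policy` blocks on `session_bus_type` in place; if the narrowing is deliberate, record it with a comment such as `# network home access is granted per instance in dbus_role_template` so the next reader does not re-add it.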
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_search_all_mountpoints(dovecot_t)
+files_read_var_lib_files(dovecot_t)
init_getattr_utmp(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
+userdom_home_manager(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
-files_read_var_lib_files(dovecot_t)
fs_getattr_xattr_fs(dovecot_auth_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_deliver_t)
- fs_manage_nfs_files(dovecot_deliver_t)
- fs_manage_nfs_symlinks(dovecot_deliver_t)
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_deliver_t)
- fs_manage_cifs_files(dovecot_deliver_t)
- fs_manage_cifs_symlinks(dovecot_deliver_t)
- fs_manage_cifs_dirs(dovecot_t)
- fs_manage_cifs_files(dovecot_t)
- fs_manage_cifs_symlinks(dovecot_t)
-')
+userdom_home_manager(dovecot_deliver_t)
optional_policy(`
gnome_manage_data(dovecot_deliver_t)
files_manage_non_security_files(sftpd_t)
')
-tunable_policy(`use_samba_home_dirs',`
- # allow read access to /home by default
- fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t)
- fs_read_cifs_symlinks(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- # allow read access to /home by default
- fs_list_nfs(sftpd_t)
- fs_read_nfs_files(sftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
-')
+userdom_home_reader(sftpd_t)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1)
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- ')
+ userdom_home_manager($1)
tunable_policy(`git_system_use_cifs',`
fs_exec_cifs_files($1)
userdom_search_user_home_dirs($1)
files_search_var_lib($1)
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- ')
+ userdom_home_reader($1)
tunable_policy(`git_system_use_cifs',`
fs_list_cifs($1)
list_dirs_pattern($1, git_session_content_t, git_session_content_t)
read_files_pattern($1, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs($1)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- ')
+ userdom_home_reader($1)
')
#######################################
corenet_sendrecv_generic_server_packets(git_session_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(git_session_t)
- fs_read_nfs_files(git_session_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(git_session_t)
- fs_read_cifs_files(git_session_t)
-')
+userdom_home_reader(git_session_t)
########################################
#
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
userdom_read_user_home_content_files(i18n_input_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(i18n_input_t)
- fs_read_nfs_symlinks(i18n_input_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(i18n_input_t)
- fs_read_cifs_symlinks(i18n_input_t)
-')
+userdom_home_reader(i18n_input_t)
optional_policy(`
canna_stream_connect(i18n_input_t)
read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- files_list_home(lpr_t)
- fs_list_auto_mountpoints(lpr_t)
- fs_read_nfs_files(lpr_t)
- fs_read_nfs_symlinks(lpr_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- files_list_home(lpr_t)
- fs_list_auto_mountpoints(lpr_t)
- fs_read_cifs_files(lpr_t)
- fs_read_cifs_symlinks(lpr_t)
-')
+userdom_home_reader(lpr_t)
optional_policy(`
cups_read_config(lpr_t)
userdom_read_home_audio_files(mpd_t)
userdom_read_user_tmpfs_files(mpd_t)
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(mpd_t)
- fs_read_cifs_symlinks(mpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(mpd_t)
- fs_read_nfs_symlinks(mpd_t)
-')
+userdom_home_reader(mpd_t)
optional_policy(`
alsa_read_rw_config(mpd_t)
')
typeattribute $1 mailserver_delivery;
+
+ userdom_home_manager($1)
')
#######################################
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
- fs_manage_cifs_symlinks(mailserver_delivery)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mailserver_delivery)
- fs_manage_nfs_files(mailserver_delivery)
- fs_manage_nfs_symlinks(mailserver_delivery)
-')
-
optional_policy(`
dovecot_manage_spool(mailserver_delivery)
dovecot_domtrans_deliver(mailserver_delivery)
sysnet_read_config(oidentd_t)
oident_read_user_content(oidentd_t)
+userdom_home_reader(oidentd_t)
optional_policy(`
nis_use_ypbind(oidentd_t)
')
-
-tunable_policy(`use_samba_home_dirs', `
- fs_list_cifs(oidentd_t)
- fs_read_cifs_files(oidentd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs', `
- fs_list_nfs(oidentd_t)
- fs_read_nfs_files(oidentd_t)
-')
logging_send_syslog_msg(polipo_session_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(polipo_session_t)
-',`
- fs_dontaudit_manage_nfs_files(polipo_session_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(polipo_session_t)
-',`
- fs_dontaudit_manage_cifs_files(polipo_session_t)
-')
+userdom_home_manager(polipo_session_t)
mta_dontaudit_rw_queue(procmail_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(procmail_t)
- fs_manage_nfs_files(procmail_t)
- fs_manage_nfs_symlinks(procmail_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(procmail_t)
- fs_manage_cifs_files(procmail_t)
- fs_manage_cifs_symlinks(procmail_t)
-')
+userdom_home_manager(procmail_t)
optional_policy(`
clamav_domtrans_clamscan(procmail_t)
userdom_search_user_home_dirs(razor_t)
userdom_use_inherited_user_terminals(razor_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(razor_t)
- fs_manage_nfs_files(razor_t)
- fs_manage_nfs_symlinks(razor_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
- ')
+ userdom_home_manager(razor_t)
optional_policy(`
milter_manage_spamass_state(razor_t)
userdom_manage_user_tmp_files(remote_login_t)
userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(remote_login_t)
- fs_read_nfs_symlinks(remote_login_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(remote_login_t)
- fs_read_cifs_symlinks(remote_login_t)
-')
+userdom_home_reader(remote_login_t)
optional_policy(`
alsa_domtrans(remote_login_t)
userdom_manage_user_tmp_files(rlogind_t)
userdom_tmp_filetrans_user_tmp(rlogind_t, file)
userdom_use_user_terminals(rlogind_t)
+userdom_home_reader(rlogind_t)
rlogin_read_home_content(rlogind_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(rlogind_t)
- fs_read_nfs_files(rlogind_t)
- fs_read_nfs_symlinks(rlogind_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(rlogind_t)
- fs_read_cifs_files(rlogind_t)
- fs_read_cifs_symlinks(rlogind_t)
-')
-
optional_policy(`
kerberos_keytab_template(rlogind, rlogind_t)
kerberos_manage_host_rcache(rlogind_t)
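Review bot: `userdom_home_reader(rlogind_t)` is narrower than the rules it replaces: the removed blocks granted `fs_list_nfs`/`fs_list_cifs` and `fs_read_nfs_symlinks`/`fs_read_cifs_symlinks`, while the `userdom_home_reader_type` rules added to userdomain.te grant only `fs_read_*_files` (read on files and, by the usual read_files_pattern shape, search on directories — no directory listing and no `lnk_file` read). With `use_nfs_home_dirs` on, rlogind following a symlinked `~/.rhosts` or listing a home directory will now be denied. The same regression applies to every domain in this patch whose removed rules included list or symlink access (sftpd_t, screen_domain, rshd_t, remote_login_t, local_login_t, lpr_t, mpd_t, oidentd_t, i18n_input_t, git_session_t), so the fix belongs in the attribute rules in userdomain.te rather than per domain, roughly:
```selinux
# userdomain.te — userdom_home_reader_type must carry what the per-domain
# read-only blocks carried: directory listing and symlink reads, not only files.
tunable_policy(`use_nfs_home_dirs',`
	fs_list_nfs(userdom_home_reader_type)
	fs_read_nfs_files(userdom_home_reader_type)
	fs_read_nfs_symlinks(userdom_home_reader_type)
')

tunable_policy(`use_samba_home_dirs',`
	fs_list_cifs(userdom_home_reader_type)
	fs_read_cifs_files(userdom_home_reader_type)
	fs_read_cifs_symlinks(userdom_home_reader_type)
')

tunable_policy(`use_fusefs_home_dirs',`
	fs_read_fusefs_files(userdom_home_reader_type)
	fs_read_fusefs_symlinks(userdom_home_reader_type)
')
```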
userdom_search_user_home_content(rshd_t)
userdom_manage_tmp_role(system_r, rshd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(rshd_t)
- fs_read_nfs_symlinks(rshd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(rshd_t)
- fs_read_cifs_symlinks(rshd_t)
-')
+userdom_home_reader(rshd_t)
optional_policy(`
kerberos_keytab_template(rshd, rshd_t)
manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_home_manager(spamassassin_t)
kernel_read_kernel_sysctls(spamassassin_t)
userdom_manage_user_home_content_symlinks(spamd_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamassassin_t)
- fs_manage_nfs_files(spamassassin_t)
- fs_manage_nfs_symlinks(spamassassin_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamassassin_t)
- fs_manage_cifs_files(spamassassin_t)
- fs_manage_cifs_symlinks(spamassassin_t)
-')
-
optional_policy(`
# Write pid file and socket in ~/.evolution/cache/tmp
evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
sysnet_read_config(spamc_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamc_t)
- fs_manage_nfs_files(spamc_t)
- fs_manage_nfs_symlinks(spamc_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamc_t)
- fs_manage_cifs_files(spamc_t)
- fs_manage_cifs_symlinks(spamc_t)
-')
-
+userdom_home_manager(spamc_t)
optional_policy(`
abrt_stream_connect(spamc_t)
userdom_use_unpriv_users_fds(spamd_t)
userdom_search_user_home_dirs(spamd_t)
+userdom_home_manager(spamd_t)
optional_policy(`
exim_manage_spool_dirs(spamd_t)
exim_manage_spool_files(spamd_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamd_t)
- fs_manage_nfs_files(spamd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamd_t)
- fs_manage_cifs_files(spamd_t)
-')
-
optional_policy(`
amavis_manage_lib_files(spamd_t)
')
# Allow checking users mail at login
mta_getattr_spool($1_t)
- tunable_policy(`use_fusefs_home_dirs',`
- fs_manage_fusefs_dirs($1_t)
- fs_manage_fusefs_files($1_t)
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files($1_t)
- fs_read_nfs_symlinks($1_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files($1_t)
- ')
+ userdom_home_manager($1_t)
optional_policy(`
kerberos_use($1_t)
ssh_exec_keygen($3)
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_ssh_agent_t)
-
- # transition back to normal privs upon exec
- fs_nfs_domtrans($1_ssh_agent_t, $3)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_ssh_agent_t)
-
- # transition back to normal privs upon exec
- fs_cifs_domtrans($1_ssh_agent_t, $3)
- ')
+ userdom_home_manager($1_ssh_agent_t)
optional_policy(`
nis_use_ypbind($1_ssh_agent_t)
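Review bot: Besides the manage rules, this hunk drops `fs_nfs_domtrans($1_ssh_agent_t, $3)` and `fs_cifs_domtrans($1_ssh_agent_t, $3)` (the "transition back to normal privs upon exec" rules), and `userdom_home_manager` does not replace them: the `userdom_home_manager_type` rules in userdomain.te grant manage on dirs/files/symlinks plus `fs_list_auto_mountpoints`, with no `exec` and no domain transition. With an NFS or CIFS home, a program ssh-agent executes from the home directory will no longer transition back to the `$3` user domain, or will fail to execute at all. Keep the two domtrans rules here under their tunables, or give the manager attribute an exec/transition rule only if that is wanted for every manager domain. The template body continues outside the hunk.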
userdom_write_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t)
userdom_read_home_certs(ssh_t)
+userdom_home_manager(ssh_t)
tunable_policy(`allow_ssh_keysign',`
domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
fs_manage_fusefs_files(ssh_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(ssh_t)
- fs_manage_nfs_files(ssh_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(ssh_t)
- fs_manage_cifs_files(ssh_t)
-')
-
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port(ssh_t)
fs_read_cifs_symlinks(chroot_user_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(chroot_user_t)
- fs_read_nfs_symlinks(chroot_user_t)
-')
-
-tunable_policy(`use_fusefs_home_dirs',`
- fs_read_fusefs_files(chroot_user_t)
-')
+userdom_home_manager(chroot_user_t)
optional_policy(`
ssh_rw_dgram_sockets(chroot_user_t)
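Review bot: `userdom_home_manager(chroot_user_t)` widens the removed rules from read-only (`fs_read_nfs_files`, `fs_read_nfs_symlinks`, `fs_read_fusefs_files`) to full manage of dirs, files and symlinks on NFS, CIFS and FUSE home filesystems. The surviving block just above, which looks like the `use_samba_home_dirs` branch, still grants only `fs_read_cifs_symlinks`, so the three backends are now inconsistent, which suggests the widening was not deliberate. If chrooted users are meant to stay read-only on network homes, `userdom_home_reader(chroot_user_t)` keeps the previous footprint; if they must write, say so in a comment and drop the now-redundant CIFS read block.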
ldap_stream_connect(sssd_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(sssd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(sssd_t)
-')
-
-tunable_policy(`use_fusefs_home_dirs',`
- fs_read_fusefs_files(sssd_t)
-')
+userdom_home_reader(sssd_t)
userdom_use_inherited_user_terminals(iceauth_t)
userdom_read_user_tmp_files(iceauth_t)
userdom_read_all_users_state(iceauth_t)
-
-tunable_policy(`use_fusefs_home_dirs',`
- fs_manage_fusefs_files(iceauth_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(iceauth_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(iceauth_t)
-')
+userdom_home_manager(iceauth_t)
ifdef(`hide_broken_symptoms',`
dev_dontaudit_read_urand(iceauth_t)
fs_manage_fusefs_files(xauth_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(xauth_t)
- fs_read_nfs_symlinks(xauth_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(xauth_t)
-')
+userdom_home_manager(xauth_t)
ifdef(`hide_broken_symptoms',`
term_dontaudit_use_unallocated_ttys(xauth_t)
userdom_manage_user_tmp_files(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
+userdom_home_manager(xdm_t)
application_signal(xdm_t)
')
tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(xdm_t)
- fs_manage_nfs_files(xdm_t)
- fs_manage_nfs_symlinks(xdm_t)
fs_exec_nfs_files(xdm_t)
')
tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(xdm_t)
- fs_manage_cifs_files(xdm_t)
- fs_manage_cifs_symlinks(xdm_t)
fs_exec_cifs_files(xdm_t)
')
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
userdom_read_all_users_state(xserver_t)
+userdom_home_manager(xserver_t)
xserver_use_user_fonts(xserver_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(xserver_t)
- fs_manage_nfs_files(xserver_t)
- fs_manage_nfs_symlinks(xserver_t)
-')
-
-tunable_policy(`use_fusefs_home_dirs',`
- fs_manage_fusefs_dirs(xserver_t)
- fs_manage_fusefs_files(xserver_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(xserver_t)
- fs_manage_cifs_files(xserver_t)
- fs_manage_cifs_symlinks(xserver_t)
-')
-
optional_policy(`
dbus_system_bus_client(xserver_t)
term_relabel_console(local_login_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(local_login_t)
- fs_read_nfs_symlinks(local_login_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(local_login_t)
- fs_read_cifs_symlinks(local_login_t)
-')
+userdom_home_reader(local_login_t)
tunable_policy(`allow_console_login',`
term_use_console(local_login_t)
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
userdom_manage_user_tmp_files(depmod_t)
+userdom_home_reader(depmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
')
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(depmod_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(depmod_t)
-')
-
optional_policy(`
bootloader_rw_tmp_files(insmod_t)
')
# Handle pp files created in homedir and /tmp
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(semanage_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(semanage_t)
-')
+userdom_home_reader(semanage_t)
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
# gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
#')
')
+
+########################################
+## <summary>
+## Make the specified type able to read content in user home dirs
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_home_reader',`
+ gen_require(`
+ attribute userdom_home_reader_type;
+ ')
+
+ typeattribute $1 userdom_home_reader_type;
+')
+
+
+########################################
+## <summary>
+## Make the specified type able to manage content in user home dirs
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_home_manager',`
+ gen_require(`
+ attribute userdom_home_manager_type;
+ ')
+
+ typeattribute $1 userdom_home_manager_type;
+')
+
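Review bot: The summaries of `userdom_home_reader` and `userdom_home_manager` overstate what the interfaces grant: each only attaches the `userdom_home_reader_type`/`userdom_home_manager_type` attribute, whose rules in userdomain.te cover NFS, CIFS and FUSE home filesystems and only while the matching `use_nfs_home_dirs`/`use_samba_home_dirs`/`use_fusefs_home_dirs` boolean is enabled; nothing here touches local `user_home_t` content. A caller reading "manage content in user home dirs" will assume local home access and omit `userdom_manage_user_home_content_*`. Suggest `## Allow the specified type to read user home content on NFS, CIFS and FUSE home filesystems, gated by the use_*_home_dirs booleans (local home content is not covered).` with the matching wording for the manager. The `<param name="type">` should also be `<param name="domain">` as the sibling interfaces in this patch use.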
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
+attribute userdom_home_reader_type;
+attribute userdom_home_manager_type;
+
# unprivileged user domains
attribute user_home_type;
attribute user_tmp_type;
optional_policy(`
xserver_filetrans_home_content(userdomain)
')
+
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(userdom_home_reader_type)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(userdom_home_reader_type)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_read_fusefs_files(userdom_home_reader_type)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(userdom_home_manager_type)
+ fs_manage_nfs_dirs(userdom_home_manager_type)
+ fs_manage_nfs_files(userdom_home_manager_type)
+ fs_manage_nfs_symlinks(userdom_home_manager_type)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(userdom_home_manager_type)
+ fs_manage_cifs_files(userdom_home_manager_type)
+ fs_manage_cifs_symlinks(userdom_home_manager_type)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs(userdom_home_manager_type)
+ fs_manage_fusefs_files(userdom_home_manager_type)
+ fs_manage_fusefs_symlinks(userdom_home_manager_type)
+')
+