selinux-policy/refpolicy/policy/modules/system/userdomain.te

220 lines
5.2 KiB
Plaintext
Raw Normal View History

policy_module(userdomain,1.0)
########################################
#
# Declarations
#
# admin users terminals (tty and pty)
attribute admin_terminal;
# users home directory
attribute home_dir_type;
# users home directory contents
attribute home_type;
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;
2005-08-17 17:31:57 +00:00
# all unprivileged users home directories
attribute user_home_dir_type;
attribute user_home_type;
# all unprivileged users ptys
attribute user_ptynode;
2005-06-27 16:30:55 +00:00
# all unprivileged users tmp files
attribute user_tmpfile;
2005-06-29 20:53:53 +00:00
# all unprivileged users ttys
attribute user_ttynode;
# all user domains
attribute userdomain;
# unprivileged user domains
attribute unpriv_userdomain;
########################################
#
# Local policy
#
2005-05-18 13:20:16 +00:00
2005-05-27 21:56:01 +00:00
define(`role_change',`
allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
# avoid annoying messages on terminal hangup
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
2005-05-27 21:56:01 +00:00
')
2005-07-06 20:28:29 +00:00
ifdef(`targeted_policy',`
# User home directory type.
type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
files_type(user_home_t)
2005-07-06 20:28:29 +00:00
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
files_type(user_home_dir_t)
2005-05-27 21:56:01 +00:00
2005-07-06 20:28:29 +00:00
unconfined_role(user_r)
unconfined_role(sysadm_r)
2005-05-27 21:56:01 +00:00
2005-07-06 20:28:29 +00:00
# dont need to use the full role_change()
allow sysadm_r system_r;
allow user_r system_r;
allow user_r sysadm_r;
allow system_r sysadm_r;
allow system_r sysadm_r;
2005-05-27 21:56:01 +00:00
2005-07-06 20:28:29 +00:00
ifdef(`TODO',`
allow privhome home_root_t:dir { getattr search };
file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
')
',`
admin_user_template(sysadm)
unpriv_user_template(staff)
unpriv_user_template(user)
# user role change rules:
# sysadm_r can change to user roles
role_change(sysadm, user)
role_change(sysadm, staff)
# only staff_r can change to sysadm_r
role_change(staff, sysadm)
# this should be tunable_policy, but
# currently type_change and RBAC allow
# do not work in conditionals
ifdef(`user_canbe_sysadm',`
role_change(user,sysadm)
')
2005-05-18 13:20:16 +00:00
2005-07-06 20:28:29 +00:00
ifdef(`TODO',`
allow privhome home_root_t:dir { getattr search };
')
2005-07-06 20:28:29 +00:00
########################################
#
# Sysadm local policy
#
2005-07-06 20:28:29 +00:00
# for su
allow sysadm_t userdomain:fd use;
2005-05-18 13:20:16 +00:00
2005-07-06 20:28:29 +00:00
# Add/remove user home directories
allow sysadm_t user_home_dir_t:dir create_dir_perms;
files_create_home_dirs(sysadm_t,user_home_dir_t)
2005-05-24 15:55:57 +00:00
2005-07-07 15:25:28 +00:00
ifdef(`direct_sysadm_daemon',`
optional_policy(`init.te',`
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
')
')
2005-07-06 20:28:29 +00:00
optional_policy(`bootloader.te',`
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-05-27 21:56:01 +00:00
2005-07-06 20:28:29 +00:00
optional_policy(`clock.te',`
clock_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-06-27 20:59:28 +00:00
2005-08-17 14:14:07 +00:00
optional_policy(`firstboot.te',`
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
')
2005-07-06 20:28:29 +00:00
optional_policy(`fstools.te',`
fstools_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-05-27 21:56:01 +00:00
2005-07-06 20:28:29 +00:00
optional_policy(`hostname.te',`
hostname_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-07-18 18:31:49 +00:00
optional_policy(`ipsec.te',`
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
ipsec_exec_mgmt(sysadm_t)
ipsec_stream_connect(sysadm_t)
2005-07-18 18:31:49 +00:00
# for lsof
ipsec_getattr_key_socket(sysadm_t)
')
2005-07-06 20:28:29 +00:00
optional_policy(`iptables.te',`
iptables_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-05-23 15:51:33 +00:00
2005-07-06 20:28:29 +00:00
optional_policy(`libraries.te',`
libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
')
2005-07-06 20:28:29 +00:00
optional_policy(`lvm.te',`
lvm_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-07-06 20:28:29 +00:00
optional_policy(`modutils.te',`
modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
')
2005-06-28 20:54:49 +00:00
2005-07-06 20:28:29 +00:00
optional_policy(`logrotate.te',`
logrotate_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-07-06 20:28:29 +00:00
optional_policy(`mount.te',`
mount_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-06-27 16:30:55 +00:00
2005-08-03 17:56:26 +00:00
optional_policy(`mysql.te',`
mysql_stream_connect(sysadm_t)
')
2005-07-06 20:28:29 +00:00
optional_policy(`netutils.te',`
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
')
2005-05-23 15:51:33 +00:00
2005-07-14 20:57:17 +00:00
optional_policy(`pcmcia.te',`
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
')
2005-08-11 14:49:58 +00:00
optional_policy(`quota.te',`
quota_run(sysadm_t,sysadm_r,admin_terminal)
')
2005-07-06 20:28:29 +00:00
optional_policy(`rpm.te',`
rpm_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`selinuxutil.te',`
2005-07-06 20:28:29 +00:00
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
optional_policy(`targeted_policy',`',`
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
')
')
optional_policy(`sysnetwork.te',`
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
')
2005-07-18 18:31:49 +00:00
optional_policy(`unconfined.te',`
unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
')
2005-07-06 20:28:29 +00:00
optional_policy(`usermanage.te',`
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
')
')