226 lines
6.4 KiB
Plaintext
226 lines
6.4 KiB
Plaintext
|
#
|
||
|
# Macros for all user login domains.
|
||
|
#
|
||
|
|
||
|
#
|
||
|
# user_domain(domain_prefix)
|
||
|
#
|
||
|
# Define derived types and rules for an ordinary user domain.
|
||
|
#
|
||
|
# The type declaration and role authorization for the domain must be
|
||
|
# provided separately. Likewise, domain transitions into this domain
|
||
|
# must be specified separately.
|
||
|
#
|
||
|
|
||
|
# user_domain() is also called by the admin_domain() macro
|
||
|
undefine(`user_domain')
|
||
|
define(`user_domain', `
|
||
|
# Use capabilities
|
||
|
|
||
|
# Type for home directory.
|
||
|
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
|
||
|
type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type;
|
||
|
|
||
|
tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
|
||
|
|
||
|
# Type and access for pty devices.
|
||
|
can_create_pty($1, `, userpty_type, user_tty_type')
|
||
|
|
||
|
#Type for tty devices.
|
||
|
type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
|
||
|
|
||
|
base_user_domain($1)
|
||
|
|
||
|
# do not allow privhome access to sysadm_home_dir_t
|
||
|
file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
|
||
|
|
||
|
allow $1_t boot_t:dir { getattr search };
|
||
|
dontaudit $1_t boot_t:lnk_file read;
|
||
|
dontaudit $1_t boot_t:file read;
|
||
|
allow $1_t system_map_t:file { getattr read };
|
||
|
|
||
|
# Instantiate derived domains for a number of programs.
|
||
|
# These derived domains encode both information about the calling
|
||
|
# user domain and the program, and allow us to maintain separation
|
||
|
# between different instances of the program being run by different
|
||
|
# user domains.
|
||
|
ifdef(`apache.te', `apache_domain($1)')
|
||
|
ifdef(`slocate.te', `locate_domain($1)')
|
||
|
ifdef(`lockdev.te', `lockdev_domain($1)')
|
||
|
|
||
|
can_kerberos($1_t)
|
||
|
# allow port_t name binding for UDP because it is not very usable otherwise
|
||
|
allow $1_t port_t:udp_socket name_bind;
|
||
|
|
||
|
#
|
||
|
# Need the following rule to allow users to run vpnc
|
||
|
#
|
||
|
ifdef(`xserver.te', `
|
||
|
allow $1_t xserver_port_t:tcp_socket name_bind;
|
||
|
')
|
||
|
|
||
|
# Allow users to run TCP servers (bind to ports and accept connection from
|
||
|
# the same domain and outside users) disabling this forces FTP passive mode
|
||
|
# and may change other protocols
|
||
|
if (user_tcp_server) {
|
||
|
allow $1_t port_t:tcp_socket name_bind;
|
||
|
}
|
||
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||
|
dontaudit $1_t reserved_port_type:tcp_socket name_bind;
|
||
|
|
||
|
# Allow system log read
|
||
|
if (user_dmesg) {
|
||
|
allow $1_t kernel_t:system syslog_read;
|
||
|
} else {
|
||
|
# else do not log it
|
||
|
dontaudit $1_t kernel_t:system syslog_read;
|
||
|
}
|
||
|
|
||
|
# Allow read access to utmp.
|
||
|
allow $1_t initrc_var_run_t:file { getattr read lock };
|
||
|
# The library functions always try to open read-write first,
|
||
|
# then fall back to read-only if it fails.
|
||
|
# Do not audit write denials to utmp to avoid the noise.
|
||
|
dontaudit $1_t initrc_var_run_t:file write;
|
||
|
|
||
|
|
||
|
# do not audit read on disk devices
|
||
|
dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
|
||
|
|
||
|
ifdef(`xdm.te', `
|
||
|
allow xdm_t $1_home_t:lnk_file read;
|
||
|
allow xdm_t $1_home_t:dir search;
|
||
|
#
|
||
|
# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
|
||
|
#
|
||
|
dontaudit xdm_t $1_home_t:file rw_file_perms;
|
||
|
')dnl end ifdef xdm.te
|
||
|
|
||
|
ifdef(`ftpd.te', `
|
||
|
if (ftp_home_dir) {
|
||
|
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
|
||
|
}
|
||
|
')dnl end ifdef ftpd
|
||
|
|
||
|
|
||
|
')dnl end user_domain macro
|
||
|
|
||
|
|
||
|
###########################################################################
|
||
|
#
|
||
|
# Domains for ordinary users.
|
||
|
#
|
||
|
undefine(`full_user_role')
|
||
|
define(`full_user_role', `
|
||
|
|
||
|
# user_t/$1_t is an unprivileged users domain.
|
||
|
type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
|
||
|
|
||
|
attribute $1_file_type;
|
||
|
# Grant read/search permissions to some of /proc.
|
||
|
r_dir_file($1_t, proc_t)
|
||
|
r_dir_file($1_t, proc_net_t)
|
||
|
|
||
|
base_file_read_access($1_t)
|
||
|
|
||
|
can_exec($1_t, usr_t)
|
||
|
|
||
|
# Read directories and files with the readable_t type.
|
||
|
# This type is a general type for "world"-readable files.
|
||
|
allow $1_t readable_t:dir r_dir_perms;
|
||
|
allow $1_t readable_t:notdevfile_class_set r_file_perms;
|
||
|
|
||
|
# Stat lost+found.
|
||
|
allow $1_t lost_found_t:dir getattr;
|
||
|
|
||
|
# Read /var, /var/spool, /var/run.
|
||
|
allow $1_t var_t:dir r_dir_perms;
|
||
|
allow $1_t var_t:notdevfile_class_set r_file_perms;
|
||
|
allow $1_t var_spool_t:dir r_dir_perms;
|
||
|
allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
|
||
|
allow $1_t var_run_t:dir r_dir_perms;
|
||
|
allow $1_t var_run_t:{ file lnk_file } r_file_perms;
|
||
|
allow $1_t var_lib_t:dir r_dir_perms;
|
||
|
allow $1_t var_lib_t:file { getattr read };
|
||
|
|
||
|
read_sysctl($1_t)
|
||
|
|
||
|
# Read /etc.
|
||
|
allow $1_t etc_t:dir r_dir_perms;
|
||
|
allow $1_t etc_t:notdevfile_class_set r_file_perms;
|
||
|
allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
|
||
|
|
||
|
# for running depmod as part of the kernel packaging process
|
||
|
allow $1_t modules_conf_t:file { getattr read };
|
||
|
|
||
|
# Read man directories and files.
|
||
|
allow $1_t man_t:dir r_dir_perms;
|
||
|
allow $1_t man_t:notdevfile_class_set r_file_perms;
|
||
|
|
||
|
# Allow users to rw usb devices
|
||
|
if (user_rw_usb) {
|
||
|
rw_dir_create_file($1_t,usbdevfs_t)
|
||
|
} else {
|
||
|
r_dir_file($1_t,usbdevfs_t)
|
||
|
}
|
||
|
|
||
|
r_dir_file($1_t,sysfs_t)
|
||
|
|
||
|
# Read /dev directories and any symbolic links.
|
||
|
allow $1_t device_t:dir r_dir_perms;
|
||
|
allow $1_t device_t:lnk_file r_file_perms;
|
||
|
|
||
|
# Do not audit write denials to /etc/ld.so.cache.
|
||
|
dontaudit $1_t ld_so_cache_t:file write;
|
||
|
|
||
|
# Execute from the system shared libraries.
|
||
|
uses_shlib($1_t);
|
||
|
|
||
|
# $1_t is also granted permissions specific to user domains.
|
||
|
user_domain($1)
|
||
|
|
||
|
dontaudit $1_t sysadm_home_t:file { read append };
|
||
|
|
||
|
ifdef(`syslogd.te', `
|
||
|
# Some programs that are left in $1_t will try to connect
|
||
|
# to syslogd, but we do not want to let them generate log messages.
|
||
|
# Do not audit.
|
||
|
dontaudit $1_t devlog_t:sock_file { read write };
|
||
|
dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
|
||
|
')
|
||
|
|
||
|
# Stop warnings about access to /dev/console
|
||
|
dontaudit $1_t init_t:fd use;
|
||
|
dontaudit $1_t initrc_t:fd use;
|
||
|
allow $1_t initrc_t:fifo_file write;
|
||
|
ifdef(`user_can_mount', `
|
||
|
#
|
||
|
# Allow users to mount file systems like floppies and cdrom
|
||
|
#
|
||
|
mount_domain($1, $1_mount, `, fs_domain')
|
||
|
r_dir_file($1_t, mnt_t)
|
||
|
allow $1_mount_t device_t:lnk_file read;
|
||
|
allow $1_mount_t removable_device_t:blk_file read;
|
||
|
allow $1_mount_t iso9660_t:filesystem relabelfrom;
|
||
|
allow $1_mount_t removable_t:filesystem { mount relabelto };
|
||
|
allow $1_mount_t removable_t:dir mounton;
|
||
|
ifdef(`xdm.te', `
|
||
|
allow $1_mount_t xdm_t:fd use;
|
||
|
allow $1_mount_t xdm_t:fifo_file { read write };
|
||
|
')
|
||
|
')
|
||
|
|
||
|
#
|
||
|
# Rules used to associate a homedir as a mountpoint
|
||
|
#
|
||
|
allow $1_home_t self:filesystem associate;
|
||
|
allow $1_file_type $1_home_t:filesystem associate;
|
||
|
')
|
||
|
|
||
|
undefine(`in_user_role')
|
||
|
define(`in_user_role', `
|
||
|
role user_r types $1;
|
||
|
role staff_r types $1;
|
||
|
')
|
||
|
|