selinux-policy/targeted/macros/base_user_macros.te

#
# Macros for all user login domains.
#

#
# base_user_domain(domain_prefix)
#
# Define derived types and rules for an ordinary user domain.
#
# The type declaration and role authorization for the domain must be
# provided separately.  Likewise, domain transitions into this domain
# must be specified separately.  
#

# base_user_domain() is also called by the admin_domain() macro
undefine(`base_user_domain')
define(`base_user_domain', `

# Type for network-obtained content
type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;

# Allow user to relabel untrusted content
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };

# Read content
read_content($1_t, $1)

# Write trusted content. This includes proper transition
# for /home, and /tmp, so no other transition is necessary (or allowed)
write_trusted($1_t, $1)

# Maybe the home directory is networked
network_home($1_t)

# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
# Relabel files in the home directory 
file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); 
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
can_setfscreate($1_t)

ifdef(`ftpd.te' , `
if (ftpd_is_daemon) {
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
}
')

allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };

# $1_r is authorized for $1_t for the initial login domain.
role $1_r types $1_t;
allow system_r $1_r;

r_dir_file($1_t, usercanread)

# Grant permissions within the domain.
general_domain_access($1_t)

if (allow_execmem) {
# Allow making anonymous memory executable, e.g. 
# for runtime-code generation or executable stack.
allow $1_t self:process execmem;
}

if (allow_execmem && allow_execstack) {
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
}

# Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t texrel_shlib_t:file execmod;

#
# kdeinit wants this access
#
allow $1_t device_t:dir { getattr search };

# Find CDROM devices
r_dir_file($1_t, sysctl_dev_t)
# for eject
allow $1_t fixed_disk_device_t:blk_file getattr;

allow $1_t fs_type:dir getattr;

allow $1_t event_device_t:chr_file { getattr read ioctl };

# open office is looking for the following
allow $1_t dri_device_t:chr_file getattr;
dontaudit $1_t dri_device_t:chr_file rw_file_perms;

# Supress ls denials:
# getattr() - ls -l
# search_dir() - symlink path resolution
# read_dir() - deep ls: ls parent/...

dontaudit_getattr($1_t)
dontaudit_search_dir($1_t)
dontaudit_read_dir($1_t)

# allow ptrace
can_ptrace($1_t, $1_t)

# Allow user to run restorecon and relabel files
can_getsecurity($1_t)
r_dir_file($1_t, default_context_t)
r_dir_file($1_t, file_context_t)

allow $1_t usbtty_device_t:chr_file read;

# GNOME checks for usb and other devices
rw_dir_file($1_t,usbfs_t)

can_exec($1_t, noexattrfile)
# Bind to a Unix domain socket in /tmp.
allow $1_t $1_tmp_t:unix_stream_socket name_bind;

# Use the type when relabeling terminal devices.
type_change $1_t tty_device_t:chr_file $1_tty_device_t;

# Debian login is from shadow utils and does not allow resetting the perms.
# have to fix this!
type_change $1_t ttyfile:chr_file $1_tty_device_t;

# for running TeX programs
r_dir_file($1_t, tetex_data_t)
can_exec($1_t, tetex_data_t)

# Use the type when relabeling pty devices.
type_change $1_t server_pty:chr_file $1_devpts_t;

tmpfs_domain($1)

ifdef(`cardmgr.te', `
# to allow monitoring of pcmcia status
allow $1_t cardmgr_var_run_t:file { getattr read };
')

# Modify mail spool file.
allow $1_t mail_spool_t:dir r_dir_perms;
allow $1_t mail_spool_t:file rw_file_perms;
allow $1_t mail_spool_t:lnk_file read;

#
# Allow graphical boot to check battery lifespan
#
ifdef(`apmd.te', `
allow $1_t apmd_t:unix_stream_socket connectto;
allow $1_t apmd_var_run_t:sock_file write;
')

#
# Allow the query of filesystem quotas
#
allow $1_t fs_type:filesystem quotaget;

# Run helper programs.
can_exec_any($1_t)
# Run programs developed by other users in the same domain.
can_exec($1_t, $1_home_t)
can_exec($1_t, $1_tmp_t)

# Run user programs that require different permissions in their own domain.
# These rules were moved into the individual program domains.

# Instantiate derived domains for a number of programs.
# These derived domains encode both information about the calling
# user domain and the program, and allow us to maintain separation
# between different instances of the program being run by different
# user domains.
ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
ifdef(`chkpwd.te', `chkpwd_domain($1)')
ifdef(`fingerd.te', `fingerd_macro($1)')
ifdef(`mta.te', `mail_domain($1)')
ifdef(`exim.te', `exim_user_domain($1)')
ifdef(`crontab.te', `crontab_domain($1)')

ifdef(`screen.te', `screen_domain($1)')
ifdef(`tvtime.te', `tvtime_domain($1)')
ifdef(`mozilla.te', `mozilla_domain($1)')
ifdef(`thunderbird.te', `thunderbird_domain($1)')
ifdef(`samba.te', `samba_domain($1)')
ifdef(`gpg.te', `gpg_domain($1)')
ifdef(`xauth.te', `xauth_domain($1)')
ifdef(`iceauth.te', `iceauth_domain($1)')
ifdef(`startx.te', `xserver_domain($1)')
ifdef(`lpr.te', `lpr_domain($1)')
ifdef(`ssh.te', `ssh_domain($1)')
ifdef(`irc.te', `irc_domain($1)')
ifdef(`using_spamassassin', `spamassassin_domain($1)')
ifdef(`pyzor.te', `pyzor_domain($1)')
ifdef(`razor.te', `razor_domain($1)')
ifdef(`uml.te', `uml_domain($1)')
ifdef(`cdrecord.te', `cdrecord_domain($1)')
ifdef(`mplayer.te', `mplayer_domains($1)')

fontconfig_domain($1)

# GNOME
ifdef(`gnome.te', `
gnome_domain($1)
ifdef(`games.te', `games_domain($1)')
ifdef(`gift.te', `gift_domains($1)')
ifdef(`evolution.te', `evolution_domains($1)')
ifdef(`ethereal.te', `ethereal_domain($1)')
')

# ICE communication channel
ice_domain($1, $1)

# ORBit communication channel (independent of GNOME)
orbit_domain($1, $1)

# Instantiate a derived domain for user cron jobs.
ifdef(`crond.te', `crond_domain($1)')

ifdef(`vmware.te', `vmware_domain($1)')

if (user_direct_mouse) {
# Read the mouse.
allow $1_t mouse_device_t:chr_file r_file_perms;
}
# Access other miscellaneous devices.
allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
allow $1_t device_t:lnk_file { getattr read };

can_resmgrd_connect($1_t)

#
# evolution and gnome-session try to create a netlink socket
#
dontaudit $1_t self:netlink_socket create_socket_perms;
dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;

# Use the network.
can_network($1_t)
allow $1_t port_type:tcp_socket name_connect;
can_ypbind($1_t)
can_winbind($1_t)

ifdef(`pamconsole.te', `
allow $1_t pam_var_console_t:dir search;
')

allow $1_t var_lock_t:dir search;

# Grant permissions to access the system DBus
ifdef(`dbusd.te', `
dbusd_client(system, $1)
can_network_server_tcp($1_dbusd_t)
allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;

allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
dbusd_client($1, $1)
allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
dbusd_domain($1)
ifdef(`hald.te', `
allow $1_t hald_t:dbus send_msg;
allow hald_t $1_t:dbus send_msg;
') dnl end ifdef hald.te
') dnl end ifdef dbus.te

# allow port_t name binding for UDP because it is not very usable otherwise
allow $1_t port_t:udp_socket name_bind;

# Gnome pannel binds to the following
ifdef(`cups.te', `
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
')

# for perl
dontaudit $1_t net_conf_t:file ioctl;

# Communicate within the domain.
can_udp_send($1_t, self)

# Connect to inetd.
ifdef(`inetd.te', `
can_tcp_connect($1_t, inetd_t)
can_udp_send($1_t, inetd_t)
can_udp_send(inetd_t, $1_t)
')

# Connect to portmap.
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

# Inherit and use sockets from inetd
ifdef(`inetd.te', `
allow $1_t inetd_t:fd use;
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')

# Very permissive allowing every domain to see every type.
allow $1_t kernel_t:system ipc_info;

# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc.  Do not audit these denials.
dontaudit $1_t domain:dir r_dir_perms;
dontaudit $1_t domain:notdevfile_class_set r_file_perms;
dontaudit $1_t domain:process { getattr getsession };
#
# Cups daemon running as user tries to write /etc/printcap
#
dontaudit $1_t usr_t:file setattr;

# Use X
x_client_domain($1, $1)

ifdef(`xserver.te', `
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
')

ifdef(`xdm.te', `
# Connect to the X server run by the X Display Manager.
can_unix_connect($1_t, xdm_t)
# certain apps want to read xdm.pid file
r_dir_file($1_t, xdm_var_run_t)
allow $1_t xdm_var_lib_t:file { getattr read };
allow xdm_t $1_home_dir_t:dir getattr;
ifdef(`xauth.te', `
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
')

')dnl end ifdef xdm.te

# Access the sound device.
allow $1_t sound_device_t:chr_file { getattr read write ioctl };

# Access the power device.
allow $1_t power_device_t:chr_file { getattr read write ioctl };

allow $1_t var_log_t:dir { getattr search };
dontaudit $1_t logfile:file getattr;

# Check to see if cdrom is mounted
allow $1_t mnt_t:dir { getattr search };

# Get attributes of file systems.
allow $1_t fs_type:filesystem getattr;

# Read and write /dev/tty and /dev/null.
allow $1_t devtty_t:chr_file rw_file_perms;
allow $1_t null_device_t:chr_file rw_file_perms;
allow $1_t zero_device_t:chr_file { rw_file_perms execute };
allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
#
# Added to allow reading of cdrom
#
allow $1_t rpc_pipefs_t:dir getattr;
allow $1_t nfsd_fs_t:dir getattr;
allow $1_t binfmt_misc_fs_t:dir getattr;

# /initrd is left mounted, various programs try to look at it
dontaudit $1_t ramfs_t:dir getattr;

#
# Emacs wants this access
#
allow $1_t wtmp_t:file r_file_perms;
dontaudit $1_t wtmp_t:file write;

# Read the devpts root directory.
allow $1_t devpts_t:dir r_dir_perms;

r_dir_file($1_t, src_t)

# Allow user to read default_t files
# This is different from reading default_t content, 
# because it also includes sockets, fifos, and links

if (read_default_t) {
allow $1_t default_t:dir r_dir_perms;
allow $1_t default_t:notdevfile_class_set r_file_perms;
}

# Read fonts
read_fonts($1_t, $1)

read_sysctl($1_t);

#
# Caused by su - init scripts
#
dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };

#
# Running ifconfig as a user generates the following
#
dontaudit $1_t self:socket create;
dontaudit $1_t sysctl_net_t:dir search;

ifdef(`rpcd.te', `
create_dir_file($1_t, nfsd_rw_t)
')

')dnl end base_user_domain macro
add 1.27.1-22 targeted policy 2005-10-21 18:05:21 +00:00			`#`
			`# Macros for all user login domains.`
			`#`

			`#`
			`# base_user_domain(domain_prefix)`
			`#`
			`# Define derived types and rules for an ordinary user domain.`
			`#`
			`# The type declaration and role authorization for the domain must be`
			`# provided separately. Likewise, domain transitions into this domain`
			`# must be specified separately.`
			`#`

			`# base_user_domain() is also called by the admin_domain() macro`
			undefine(`base_user_domain')
			define(`base_user_domain', `

			`# Type for network-obtained content`
			`type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;`
			`type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;`

			`# Allow user to relabel untrusted content`
			`allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };`
			`allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };`

			`# Read content`
			`read_content($1_t, $1)`

			`# Write trusted content. This includes proper transition`
			`# for /home, and /tmp, so no other transition is necessary (or allowed)`
			`write_trusted($1_t, $1)`

			`# Maybe the home directory is networked`
			`network_home($1_t)`

			`# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.`
			`# Relabel files in the home directory`
			`file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file });`
			`allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };`
			`can_setfscreate($1_t)`

			ifdef(`ftpd.te' , `
			`if (ftpd_is_daemon) {`
			`file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)`
			`}`
			`')`

			`allow $1_t self:capability { setgid chown fowner };`
			`dontaudit $1_t self:capability { sys_nice fsetid };`

			`# $1_r is authorized for $1_t for the initial login domain.`
			`role $1_r types $1_t;`
			`allow system_r $1_r;`

			`r_dir_file($1_t, usercanread)`

			`# Grant permissions within the domain.`
			`general_domain_access($1_t)`

			`if (allow_execmem) {`
			`# Allow making anonymous memory executable, e.g.`
			`# for runtime-code generation or executable stack.`
			`allow $1_t self:process execmem;`
			`}`

			`if (allow_execmem && allow_execstack) {`
			`# Allow making the stack executable via mprotect.`
			`allow $1_t self:process execstack;`
			`}`

			`# Allow text relocations on system shared libraries, e.g. libGL.`
			`allow $1_t texrel_shlib_t:file execmod;`

			`#`
			`# kdeinit wants this access`
			`#`
			`allow $1_t device_t:dir { getattr search };`

			`# Find CDROM devices`
			`r_dir_file($1_t, sysctl_dev_t)`
			`# for eject`
			`allow $1_t fixed_disk_device_t:blk_file getattr;`

			`allow $1_t fs_type:dir getattr;`

			`allow $1_t event_device_t:chr_file { getattr read ioctl };`

			`# open office is looking for the following`
			`allow $1_t dri_device_t:chr_file getattr;`
			`dontaudit $1_t dri_device_t:chr_file rw_file_perms;`

			`# Supress ls denials:`
			`# getattr() - ls -l`
			`# search_dir() - symlink path resolution`
			`# read_dir() - deep ls: ls parent/...`

			`dontaudit_getattr($1_t)`
			`dontaudit_search_dir($1_t)`
			`dontaudit_read_dir($1_t)`

			`# allow ptrace`
			`can_ptrace($1_t, $1_t)`

			`# Allow user to run restorecon and relabel files`
			`can_getsecurity($1_t)`
			`r_dir_file($1_t, default_context_t)`
			`r_dir_file($1_t, file_context_t)`

			`allow $1_t usbtty_device_t:chr_file read;`

			`# GNOME checks for usb and other devices`
			`rw_dir_file($1_t,usbfs_t)`

			`can_exec($1_t, noexattrfile)`
			`# Bind to a Unix domain socket in /tmp.`
			`allow $1_t $1_tmp_t:unix_stream_socket name_bind;`

			`# Use the type when relabeling terminal devices.`
			`type_change $1_t tty_device_t:chr_file $1_tty_device_t;`

			`# Debian login is from shadow utils and does not allow resetting the perms.`
			`# have to fix this!`
			`type_change $1_t ttyfile:chr_file $1_tty_device_t;`

			`# for running TeX programs`
			`r_dir_file($1_t, tetex_data_t)`
			`can_exec($1_t, tetex_data_t)`

			`# Use the type when relabeling pty devices.`
			`type_change $1_t server_pty:chr_file $1_devpts_t;`

			`tmpfs_domain($1)`

			ifdef(`cardmgr.te', `
			`# to allow monitoring of pcmcia status`
			`allow $1_t cardmgr_var_run_t:file { getattr read };`
			`')`

			`# Modify mail spool file.`
			`allow $1_t mail_spool_t:dir r_dir_perms;`
			`allow $1_t mail_spool_t:file rw_file_perms;`
			`allow $1_t mail_spool_t:lnk_file read;`

			`#`
			`# Allow graphical boot to check battery lifespan`
			`#`
			ifdef(`apmd.te', `
			`allow $1_t apmd_t:unix_stream_socket connectto;`
			`allow $1_t apmd_var_run_t:sock_file write;`
			`')`

			`#`
			`# Allow the query of filesystem quotas`
			`#`
			`allow $1_t fs_type:filesystem quotaget;`

			`# Run helper programs.`
			`can_exec_any($1_t)`
			`# Run programs developed by other users in the same domain.`
			`can_exec($1_t, $1_home_t)`
			`can_exec($1_t, $1_tmp_t)`

			`# Run user programs that require different permissions in their own domain.`
			`# These rules were moved into the individual program domains.`

			`# Instantiate derived domains for a number of programs.`
			`# These derived domains encode both information about the calling`
			`# user domain and the program, and allow us to maintain separation`
			`# between different instances of the program being run by different`
			`# user domains.`
			ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
			ifdef(`chkpwd.te', `chkpwd_domain($1)')
			ifdef(`fingerd.te', `fingerd_macro($1)')
			ifdef(`mta.te', `mail_domain($1)')
merge in some of dan's old policy changes 2005-11-07 20:09:28 +00:00			ifdef(`exim.te', `exim_user_domain($1)')
add 1.27.1-22 targeted policy 2005-10-21 18:05:21 +00:00			ifdef(`crontab.te', `crontab_domain($1)')

			ifdef(`screen.te', `screen_domain($1)')
			ifdef(`tvtime.te', `tvtime_domain($1)')
			ifdef(`mozilla.te', `mozilla_domain($1)')
			ifdef(`thunderbird.te', `thunderbird_domain($1)')
			ifdef(`samba.te', `samba_domain($1)')
			ifdef(`gpg.te', `gpg_domain($1)')
			ifdef(`xauth.te', `xauth_domain($1)')
			ifdef(`iceauth.te', `iceauth_domain($1)')
			ifdef(`startx.te', `xserver_domain($1)')
			ifdef(`lpr.te', `lpr_domain($1)')
			ifdef(`ssh.te', `ssh_domain($1)')
			ifdef(`irc.te', `irc_domain($1)')
			ifdef(`using_spamassassin', `spamassassin_domain($1)')
			ifdef(`pyzor.te', `pyzor_domain($1)')
			ifdef(`razor.te', `razor_domain($1)')
			ifdef(`uml.te', `uml_domain($1)')
			ifdef(`cdrecord.te', `cdrecord_domain($1)')
			ifdef(`mplayer.te', `mplayer_domains($1)')

			`fontconfig_domain($1)`

			`# GNOME`
			ifdef(`gnome.te', `
			`gnome_domain($1)`
			ifdef(`games.te', `games_domain($1)')
			ifdef(`gift.te', `gift_domains($1)')
			ifdef(`evolution.te', `evolution_domains($1)')
			ifdef(`ethereal.te', `ethereal_domain($1)')
			`')`

			`# ICE communication channel`
			`ice_domain($1, $1)`

			`# ORBit communication channel (independent of GNOME)`
			`orbit_domain($1, $1)`

			`# Instantiate a derived domain for user cron jobs.`
			ifdef(`crond.te', `crond_domain($1)')

			ifdef(`vmware.te', `vmware_domain($1)')

			`if (user_direct_mouse) {`
			`# Read the mouse.`
			`allow $1_t mouse_device_t:chr_file r_file_perms;`
			`}`
			`# Access other miscellaneous devices.`
			`allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;`
			`allow $1_t device_t:lnk_file { getattr read };`

			`can_resmgrd_connect($1_t)`

			`#`
			`# evolution and gnome-session try to create a netlink socket`
			`#`
			`dontaudit $1_t self:netlink_socket create_socket_perms;`
			`dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;`

			`# Use the network.`
			`can_network($1_t)`
			`allow $1_t port_type:tcp_socket name_connect;`
			`can_ypbind($1_t)`
			`can_winbind($1_t)`

			ifdef(`pamconsole.te', `
			`allow $1_t pam_var_console_t:dir search;`
			`')`

			`allow $1_t var_lock_t:dir search;`

			`# Grant permissions to access the system DBus`
			ifdef(`dbusd.te', `
			`dbusd_client(system, $1)`
			`can_network_server_tcp($1_dbusd_t)`
			`allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;`

			`allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };`
			`dbusd_client($1, $1)`
			`allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };`
			`dbusd_domain($1)`
			ifdef(`hald.te', `
			`allow $1_t hald_t:dbus send_msg;`
			`allow hald_t $1_t:dbus send_msg;`
			`') dnl end ifdef hald.te`
			`') dnl end ifdef dbus.te`

			`# allow port_t name binding for UDP because it is not very usable otherwise`
			`allow $1_t port_t:udp_socket name_bind;`

			`# Gnome pannel binds to the following`
			ifdef(`cups.te', `
			`allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };`
			`')`

			`# for perl`
			`dontaudit $1_t net_conf_t:file ioctl;`

			`# Communicate within the domain.`
			`can_udp_send($1_t, self)`

			`# Connect to inetd.`
			ifdef(`inetd.te', `
			`can_tcp_connect($1_t, inetd_t)`
			`can_udp_send($1_t, inetd_t)`
			`can_udp_send(inetd_t, $1_t)`
			`')`

			`# Connect to portmap.`
			ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

			`# Inherit and use sockets from inetd`
			ifdef(`inetd.te', `
			`allow $1_t inetd_t:fd use;`
			`allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')`

			`# Very permissive allowing every domain to see every type.`
			`allow $1_t kernel_t:system ipc_info;`

			`# When the user domain runs ps, there will be a number of access`
			`# denials when ps tries to search /proc. Do not audit these denials.`
			`dontaudit $1_t domain:dir r_dir_perms;`
			`dontaudit $1_t domain:notdevfile_class_set r_file_perms;`
			`dontaudit $1_t domain:process { getattr getsession };`
			`#`
			`# Cups daemon running as user tries to write /etc/printcap`
			`#`
			`dontaudit $1_t usr_t:file setattr;`

			`# Use X`
			`x_client_domain($1, $1)`

			ifdef(`xserver.te', `
			`allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;`
			`')`

			ifdef(`xdm.te', `
			`# Connect to the X server run by the X Display Manager.`
			`can_unix_connect($1_t, xdm_t)`
			`# certain apps want to read xdm.pid file`
			`r_dir_file($1_t, xdm_var_run_t)`
			`allow $1_t xdm_var_lib_t:file { getattr read };`
			`allow xdm_t $1_home_dir_t:dir getattr;`
			ifdef(`xauth.te', `
			`file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)`
			`')`

			`')dnl end ifdef xdm.te`

			`# Access the sound device.`
			`allow $1_t sound_device_t:chr_file { getattr read write ioctl };`

			`# Access the power device.`
			`allow $1_t power_device_t:chr_file { getattr read write ioctl };`

			`allow $1_t var_log_t:dir { getattr search };`
			`dontaudit $1_t logfile:file getattr;`

			`# Check to see if cdrom is mounted`
			`allow $1_t mnt_t:dir { getattr search };`

			`# Get attributes of file systems.`
			`allow $1_t fs_type:filesystem getattr;`

			`# Read and write /dev/tty and /dev/null.`
			`allow $1_t devtty_t:chr_file rw_file_perms;`
			`allow $1_t null_device_t:chr_file rw_file_perms;`
			`allow $1_t zero_device_t:chr_file { rw_file_perms execute };`
			`allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;`
			`#`
			`# Added to allow reading of cdrom`
			`#`
			`allow $1_t rpc_pipefs_t:dir getattr;`
			`allow $1_t nfsd_fs_t:dir getattr;`
			`allow $1_t binfmt_misc_fs_t:dir getattr;`

			`# /initrd is left mounted, various programs try to look at it`
			`dontaudit $1_t ramfs_t:dir getattr;`

			`#`
			`# Emacs wants this access`
			`#`
			`allow $1_t wtmp_t:file r_file_perms;`
			`dontaudit $1_t wtmp_t:file write;`

			`# Read the devpts root directory.`
			`allow $1_t devpts_t:dir r_dir_perms;`

			`r_dir_file($1_t, src_t)`

			`# Allow user to read default_t files`
			`# This is different from reading default_t content,`
			`# because it also includes sockets, fifos, and links`

			`if (read_default_t) {`
			`allow $1_t default_t:dir r_dir_perms;`
			`allow $1_t default_t:notdevfile_class_set r_file_perms;`
			`}`

			`# Read fonts`
			`read_fonts($1_t, $1)`

			`read_sysctl($1_t);`

			`#`
			`# Caused by su - init scripts`
			`#`
			`dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };`

			`#`
			`# Running ifconfig as a user generates the following`
			`#`
			`dontaudit $1_t self:socket create;`
			`dontaudit $1_t sysctl_net_t:dir search;`

			ifdef(`rpcd.te', `
			`create_dir_file($1_t, nfsd_rw_t)`
			`')`

			`')dnl end base_user_domain macro`