start adding in templated interfaces
parent
d4df0aa62c
commit
2a94561a89
@ -96,7 +96,7 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
|
|||||||
@test -d tmp || mkdir -p tmp
|
@test -d tmp || mkdir -p tmp
|
||||||
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
|
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
|
||||||
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
|
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
|
||||||
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
|
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
|
||||||
>> $@ ;\
|
>> $@ ;\
|
||||||
done
|
done
|
||||||
$(QUIET) echo "')" >> $@
|
$(QUIET) echo "')" >> $@
|
||||||
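Review bot: The generated `per_userdomain_templates` body now forwards its arguments with m4's `$*`, which passes them unquoted, so each argument is rescanned for macro names before the per-module template receives it; this is the `echo "ifdef(...` line inside the loop. `$@` forwards every argument individually quoted and is the safer form if a prefix or type name could ever coincide with a defined m4 macro: `..._per_userdomain_template("'$$@'")')"`. A one-line comment above the loop saying that all arguments are forwarded would also help, since the caller in `base_user_template` now passes two. The rule header sits above the hunk and the recipe may continue below it.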
|
@ -75,6 +75,7 @@ template(`su_per_userdomain_template',`
|
|||||||
term_use_all_user_ttys($1_su_t)
|
term_use_all_user_ttys($1_su_t)
|
||||||
term_use_all_user_ptys($1_su_t)
|
term_use_all_user_ptys($1_su_t)
|
||||||
|
|
||||||
|
auth_domtrans_user_chk_passwd($1_su_t,$1)
|
||||||
auth_dontaudit_read_shadow($1_su_t)
|
auth_dontaudit_read_shadow($1_su_t)
|
||||||
|
|
||||||
domain_wide_inherit_fd($1_su_t)
|
domain_wide_inherit_fd($1_su_t)
|
||||||
@ -96,6 +97,8 @@ template(`su_per_userdomain_template',`
|
|||||||
seutil_read_config($1_su_t)
|
seutil_read_config($1_su_t)
|
||||||
seutil_read_default_contexts($1_su_t)
|
seutil_read_default_contexts($1_su_t)
|
||||||
|
|
||||||
|
userdom_use_user_terminals($1_su_t,$1)
|
||||||
|
|
||||||
if(secure_mode)
|
if(secure_mode)
|
||||||
{
|
{
|
||||||
# Only allow transitions to unprivileged user domains.
|
# Only allow transitions to unprivileged user domains.
|
||||||
@ -130,17 +133,12 @@ template(`su_per_userdomain_template',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t)
|
|
||||||
|
|
||||||
# Caused by su - init scripts
|
# Caused by su - init scripts
|
||||||
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
||||||
|
|
||||||
# Inherit and use descriptors from gnome-pty-helper.
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
# Write to the user domain tty.
|
|
||||||
access_terminal($1_su_t, $1)
|
|
||||||
|
|
||||||
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
|
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
|
||||||
allow $1_su_t $1_home_t:file create_file_perms;
|
allow $1_su_t $1_home_t:file create_file_perms;
|
||||||
|
|
||||||
|
@ -121,6 +121,10 @@ template(`sudo_per_userdomain_template',`
|
|||||||
seutil_read_config($1_sudo_t)
|
seutil_read_config($1_sudo_t)
|
||||||
seutil_read_default_contexts($1_sudo_t)
|
seutil_read_default_contexts($1_sudo_t)
|
||||||
|
|
||||||
|
userdom_manage_user_home_subdir_files($1_sudo_t,$1)
|
||||||
|
userdom_manage_user_home_subdir_symlinks($1_sudo_t,$1)
|
||||||
|
userdom_manage_user_tmp_files($1_sudo_t,$1)
|
||||||
|
userdom_manage_user_tmp_symlinks($1_sudo_t,$1)
|
||||||
userdom_use_unpriv_users_fd($1_sudo_t)
|
userdom_use_unpriv_users_fd($1_sudo_t)
|
||||||
# for some PAM modules and for cwd
|
# for some PAM modules and for cwd
|
||||||
userdom_dontaudit_search_all_users_home($1_sudo_t)
|
userdom_dontaudit_search_all_users_home($1_sudo_t)
|
||||||
@ -156,8 +160,5 @@ template(`sudo_per_userdomain_template',`
|
|||||||
allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
|
allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
|
||||||
allow $1_sudo_t pam_var_run_t:file create_file_perms;
|
allow $1_sudo_t pam_var_run_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
rw_dir_create_file($1_sudo_t, $1_tmp_t)
|
|
||||||
rw_dir_create_file($1_sudo_t, $1_home_t)
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
')
|
')
|
||||||
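Review bot: The two `*_symlinks` calls added for `$1_sudo_t` grant `lnk_file create_lnk_perms` on the user's home and tmp types, which the removed `rw_dir_create_file($1_sudo_t, ...)` lines, judging by their name, did not cover. For a domain that acts with elevated privilege inside user-writable directories this is a wider grant than the TODO block it replaces. Either drop `userdom_manage_user_home_subdir_symlinks($1_sudo_t,$1)` and `userdom_manage_user_tmp_symlinks($1_sudo_t,$1)`, or put a comment above them naming the sudo or PAM behaviour that needs symlink creation. The template body starts and ends outside the visible hunks.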
|
@ -112,6 +112,13 @@ template(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
miscfiles_read_localization($1_crond_t)
|
miscfiles_read_localization($1_crond_t)
|
||||||
|
|
||||||
|
userdom_manage_user_tmp_files($1_crond_t,$1)
|
||||||
|
userdom_manage_user_tmp_symlinks($1_crond_t,$1)
|
||||||
|
userdom_manage_user_tmp_pipes($1_crond_t,$1)
|
||||||
|
userdom_manage_user_tmp_sockets($1_crond_t,$1)
|
||||||
|
# Run scripts in user home directory and access shared libs.
|
||||||
|
userdom_exec_user_home_files($1_crond_t,$1)
|
||||||
|
|
||||||
tunable_policy(`fcron_crond', `
|
tunable_policy(`fcron_crond', `
|
||||||
allow crond_t $1_cron_spool_t:file create_file_perms;
|
allow crond_t $1_cron_spool_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
@ -122,13 +129,10 @@ template(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Access user files and dirs.
|
# Access user files and dirs.
|
||||||
allow $1_crond_t home_root_t:dir search;
|
|
||||||
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
|
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
|
||||||
|
|
||||||
# Run scripts in user home directory and access shared libs.
|
allow $1_crond_t tmp_t:dir rw_dir_perms;
|
||||||
can_exec($1_crond_t, $1_home_t)
|
type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
|
||||||
|
|
||||||
file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
|
|
||||||
|
|
||||||
ifdef(`mta.te', `
|
ifdef(`mta.te', `
|
||||||
domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
|
domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
|
||||||
@ -198,6 +202,9 @@ template(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
seutil_dontaudit_search_config($1_crontab_t)
|
seutil_dontaudit_search_config($1_crontab_t)
|
||||||
|
|
||||||
|
userdom_manage_user_tmp_dirs($1_crontab_t,$1)
|
||||||
|
userdom_manage_user_tmp_files($1_crontab_t,$1)
|
||||||
|
|
||||||
tunable_policy(`fcron_crond', `
|
tunable_policy(`fcron_crond', `
|
||||||
# fcron wants an instant update of a crontab change for the administrator
|
# fcron wants an instant update of a crontab change for the administrator
|
||||||
# also crontab does a security check for crontab -u
|
# also crontab does a security check for crontab -u
|
||||||
@ -210,8 +217,8 @@ template(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
dontaudit $1_crontab_t proc_t:dir search;
|
dontaudit $1_crontab_t proc_t:dir search;
|
||||||
|
|
||||||
# Type for temporary files.
|
allow $1_crond_t tmp_t:dir rw_dir_perms;
|
||||||
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
|
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
|
||||||
|
|
||||||
# Run helper programs as $1_t
|
# Run helper programs as $1_t
|
||||||
domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
|
domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
|
||||||
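Review bot: In the last hunk, the rules that replace `file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })` name `$1_crond_t` as the source domain and `$1_tmp_t` as the parent directory type, so `$1_crontab_t` is left without a transition for objects it creates in `tmp_t` directories. If a like-for-like expansion was intended, the lines would read `allow $1_crontab_t tmp_t:dir rw_dir_perms;` and `type_transition $1_crontab_t tmp_t:{ file dir } $1_tmp_t;`. The hunk at -122 has the same parent-type issue: `type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;` replaces a transition whose parent was `tmp_t`. Without a transition keyed on `tmp_t`, new temporary objects keep the parent directory's label rather than the per-user type, which weakens the separation between users' temp files. The template starts and ends outside these hunks.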
|
@ -113,6 +113,46 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Run unix_chkpwd to check a password
|
||||||
|
## for a user domain.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Run unix_chkpwd to check a password
|
||||||
|
## for a user domain.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`auth_domtrans_user_chk_passwd',`
|
||||||
|
gen_require(`
|
||||||
|
type chkpwd_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domain_auto_trans($1,chkpwd_exec_t,$2_chkpwd_t)
|
||||||
|
|
||||||
|
allow $1 $2_chkpwd_t:fd use;
|
||||||
|
allow $2_chkpwd_t $1:fd use;
|
||||||
|
allow $2_chkpwd_t $1:fifo_file rw_file_perms;
|
||||||
|
allow $2_chkpwd_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Use the login program as an entry point program.
|
## Use the login program as an entry point program.
|
||||||
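Review bot: The `<param>` entries for `auth_domtrans_user_chk_passwd` are documented in the opposite order from how the body uses them: `$1` is the calling domain (`corecmd_search_bin($1)`) and `$2` is the prefix (`$2_chkpwd_t`), while the comment block lists `userdomain_prefix` first and `domain` second. The caller added in the su template passes `($1_su_t,$1)`, so the body looks right and the comment block should be reordered to `domain`, then `userdomain_prefix`. A caller following the documented order would generate the domain transition and the fd, fifo_file and sigchld rules against the wrong types.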
|
@ -81,7 +81,7 @@ template(`base_user_template',`
|
|||||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||||
|
|
||||||
# execute files in the home directory
|
# execute files in the home directory
|
||||||
allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };
|
can_exec($1_t,$1_home_t)
|
||||||
|
|
||||||
# full control of the home directory
|
# full control of the home directory
|
||||||
allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
|
allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
|
||||||
@ -92,7 +92,7 @@ template(`base_user_template',`
|
|||||||
allow $1_t $1_home_dir_t:dir create_dir_perms;
|
allow $1_t $1_home_dir_t:dir create_dir_perms;
|
||||||
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
|
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
|
||||||
|
|
||||||
allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };
|
can_exec($1_t,$1_tmp_t)
|
||||||
|
|
||||||
# Bind to a Unix domain socket in /tmp.
|
# Bind to a Unix domain socket in /tmp.
|
||||||
# cjp: this is combination is not checked and should be removed
|
# cjp: this is combination is not checked and should be removed
|
||||||
@ -114,7 +114,7 @@ template(`base_user_template',`
|
|||||||
# user domain and the program, and allow us to maintain separation
|
# user domain and the program, and allow us to maintain separation
|
||||||
# between different instances of the program being run by different
|
# between different instances of the program being run by different
|
||||||
# user domains.
|
# user domains.
|
||||||
per_userdomain_templates($1)
|
per_userdomain_templates($1,$1_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl($1_t)
|
kernel_read_kernel_sysctl($1_t)
|
||||||
selinux_get_fs_mount($1_t)
|
selinux_get_fs_mount($1_t)
|
||||||
@ -865,6 +865,307 @@ template(`admin_user_template',`
|
|||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute user home files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Execute user home files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_exec_user_home_files',`
|
||||||
|
gen_require(`
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 $2_home_dir_t:dir search;
|
||||||
|
allow $1 $2_home_t:dir search;
|
||||||
|
can_exec($1,$2_home_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete files
|
||||||
|
## in a user home subdirectory.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete files
|
||||||
|
## in a user home subdirectory.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_home_subdir_files',`
|
||||||
|
gen_require(`
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 $2_home_dir_t:dir search;
|
||||||
|
allow $1 $2_home_t:dir rw_dir_perms;
|
||||||
|
allow $1 $2_home_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete symbolic links
|
||||||
|
## in a user home subdirectory.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete symbolic links
|
||||||
|
## in a user home subdirectory.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_home_subdir_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 $2_home_dir_t:dir search;
|
||||||
|
allow $1 $2_home_t:dir rw_dir_perms;
|
||||||
|
allow $1 $2_home_t:lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary directories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_tmp_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
class dir create_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 $2_tmp_t:dir create_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 $2_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $1 $2_tmp_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary symbolic links.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_tmp_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 $2_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $1 $2_tmp_t:lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary named pipes.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary named pipes.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_tmp_pipes',`
|
||||||
|
gen_require(`
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class fifo_file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 $2_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $1 $2_tmp_t:fifo_file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary named sockets.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create, read, write, and delete user
|
||||||
|
## temporary named sockets.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_manage_user_tmp_sockets',`
|
||||||
|
gen_require(`
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class sock_file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 $2_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $1 $2_tmp_t:sock_file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write a user domain tty and pty.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read and write a user domain tty and pty.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_use_user_terminals',`
|
||||||
|
gen_require(`
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 $2_tty_device_t:chr_file rw_term_perms;
|
||||||
|
allow $1 $2_devpts_t:chr_file rw_term_perms;
|
||||||
|
term_list_ptys($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute a shell in all user domains. This
|
## Execute a shell in all user domains. This
|
||||||
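Review bot: The new `userdom_*` templates list only object classes in `gen_require`, while the rules they emit depend on per-user types such as `$2_home_dir_t`, `$2_home_t`, `$2_tmp_t`, `$2_tty_device_t` and `$2_devpts_t`. If interfaces here are meant to declare everything they reference (as `auth_domtrans_user_chk_passwd` does for `chkpwd_exec_t`, though not for `$2_chkpwd_t`), add the derived types, for example `type $2_tmp_t;` in `userdom_manage_user_tmp_files`. That way a call with a wrong or misspelled prefix fails at the requirement rather than inside an allow rule. As a documentation point, each `<desc>` repeats its `<summary>` verbatim; the first `<p>` could instead say which object types the access applies to.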
|