add cdrecord
This commit is contained in:
parent
3ffe29880c
commit
4ec6941bfa
|
@ -11,6 +11,7 @@
|
||||||
- Added modules:
|
- Added modules:
|
||||||
alsa
|
alsa
|
||||||
automount
|
automount
|
||||||
|
cdrecord
|
||||||
ddcprobe
|
ddcprobe
|
||||||
fetchmail
|
fetchmail
|
||||||
irc
|
irc
|
||||||
|
|
|
@ -159,6 +159,11 @@ gen_tunable(allow_ssh_keysign,false)
|
||||||
## Allow users to connect to mysql
|
## Allow users to connect to mysql
|
||||||
gen_tunable(allow_user_mysql_connect,false)
|
gen_tunable(allow_user_mysql_connect,false)
|
||||||
|
|
||||||
|
## Allow cdrecord to read various content.
|
||||||
|
## nfs, samba, removable devices, user temp
|
||||||
|
## and untrusted content files
|
||||||
|
gen_tunable(cdrecord_read_content,false)
|
||||||
|
|
||||||
## Allow system cron jobs to relabel filesystem
|
## Allow system cron jobs to relabel filesystem
|
||||||
## for restoring file contexts.
|
## for restoring file contexts.
|
||||||
gen_tunable(cron_can_relabel,false)
|
gen_tunable(cron_can_relabel,false)
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
#
|
||||||
|
# /usr
|
||||||
|
#
|
||||||
|
/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
|
||||||
|
|
|
@ -0,0 +1,197 @@
|
||||||
|
## <summary>Policy for cdrecord</summary>
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## The per user domain template for the cdrecord module.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## This template creates derived domains which are used
|
||||||
|
## for cdrecord.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This template is invoked automatically for each user, and
|
||||||
|
## generally does not need to be invoked directly
|
||||||
|
## by policy writers.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="user_domain">
|
||||||
|
## The type of the user domain.
|
||||||
|
## </param>
|
||||||
|
## <param name="user_role">
|
||||||
|
## The role associated with the user domain.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`cdrecord_per_userdomain_template', `
|
||||||
|
|
||||||
|
gen_require(`
|
||||||
|
type cdrecord_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type $1_cdrecord_t;
|
||||||
|
domain_type($1_cdrecord_t)
|
||||||
|
domain_entry_file($1_cdrecord_t,cdrecord_exec_t)
|
||||||
|
role $3 types $1_cdrecord_t;
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
|
||||||
|
allow $1_cdrecord_t self:process { getsched setsched sigkill };
|
||||||
|
allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
|
||||||
|
|
||||||
|
# allow ps to show cdrecord and allow the user to kill it
|
||||||
|
allow $2 $1_cdrecord_t:dir { search getattr read };
|
||||||
|
allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
|
||||||
|
allow $2 $1_cdrecord_t:process getattr;
|
||||||
|
#We need to suppress this denial because procps
|
||||||
|
#tries to access /proc/pid/environ and this now
|
||||||
|
#triggers a ptrace check in recent kernels
|
||||||
|
# (2.4 and 2.6). Might want to change procps
|
||||||
|
#to not do this, or only if running in a privileged domain.
|
||||||
|
dontaudit $2 $1_cdrecord_t:process ptrace;
|
||||||
|
allow $2 $1_cdrecord_t:process signal;
|
||||||
|
|
||||||
|
# Transition from the user domain to the derived domain.
|
||||||
|
domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
|
||||||
|
allow $2 $1_cdrecord_t:fd use;
|
||||||
|
allow $1_cdrecord_t $2:fd use;
|
||||||
|
allow $1_cdrecord_t $2:fifo_file rw_file_perms;
|
||||||
|
allow $1_cdrecord_t $2:process sigchld;
|
||||||
|
|
||||||
|
# allow searching for cdrom-drive
|
||||||
|
dev_list_all_dev_nodes($1_cdrecord_t)
|
||||||
|
|
||||||
|
domain_wide_inherit_fd($1_cdrecord_t)
|
||||||
|
domain_use_wide_inherit_fd($1_cdrecord_t)
|
||||||
|
|
||||||
|
files_read_etc_files($1_cdrecord_t)
|
||||||
|
|
||||||
|
term_use_controlling_term($1_cdrecord_t)
|
||||||
|
term_list_ptys($1_cdrecord_t)
|
||||||
|
|
||||||
|
# allow cdrecord to write the CD
|
||||||
|
storage_raw_write_removable_device($1_cdrecord_t)
|
||||||
|
storage_write_scsi_generic($1_cdrecord_t)
|
||||||
|
|
||||||
|
libs_use_ld_so($1_cdrecord_t)
|
||||||
|
libs_use_shared_libs($1_cdrecord_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg($1_cdrecord_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization($1_cdrecord_t)
|
||||||
|
|
||||||
|
# write to the user domain tty.
|
||||||
|
userdom_use_user_terminals($1,$1_cdrecord_t)
|
||||||
|
userdom_use_user_terminals($1,$2)
|
||||||
|
|
||||||
|
userdom_read_user_home_files($1,$1_cdrecord_t)
|
||||||
|
|
||||||
|
# Handle nfs home dirs
|
||||||
|
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
|
||||||
|
fs_list_auto_mountpoints($1_cdrecord_t)
|
||||||
|
files_list_home($1_cdrecord_t)
|
||||||
|
fs_read_nfs_files($1_cdrecord_t)
|
||||||
|
fs_read_nfs_symlinks($1_cdrecord_t)
|
||||||
|
|
||||||
|
',`
|
||||||
|
files_dontaudit_list_home($1_cdrecord_t)
|
||||||
|
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
|
||||||
|
fs_dontaudit_read_nfs_files($1_cdrecord_t)
|
||||||
|
fs_dontaudit_list_nfs($1_cdrecord_t)
|
||||||
|
')
|
||||||
|
# Handle samba home dirs
|
||||||
|
tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
|
||||||
|
fs_list_auto_mountpoints($1_cdrecord_t)
|
||||||
|
files_list_home($1_cdrecord_t)
|
||||||
|
fs_read_cifs_files($1_cdrecord_t)
|
||||||
|
fs_read_cifs_symlinks($1_cdrecord_t)
|
||||||
|
',`
|
||||||
|
files_dontaudit_list_home($1_cdrecord_t)
|
||||||
|
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
|
||||||
|
fs_dontaudit_read_cifs_files($1_cdrecord_t)
|
||||||
|
fs_dontaudit_list_cifs($1_cdrecord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
# Handle removable media, /tmp, and /home
|
||||||
|
tunable_policy(`cdrecord_read_content',`
|
||||||
|
userdom_list_user_tmp($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_tmp_files($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
|
||||||
|
userdom_search_user_home($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_home_files($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_home_symlinks($1,$1_cdrecord_t)
|
||||||
|
|
||||||
|
ifdef(`enable_mls',`
|
||||||
|
',`
|
||||||
|
fs_search_removable_dirs($1_cdrecord_t)
|
||||||
|
fs_read_removable_files($1_cdrecord_t)
|
||||||
|
fs_read_removable_symlinks($1_cdrecord_t)
|
||||||
|
')
|
||||||
|
',`
|
||||||
|
files_dontaudit_list_tmp($1_cdrecord_t)
|
||||||
|
files_dontaudit_list_home($1_cdrecord_t)
|
||||||
|
fs_dontaudit_list_removable_dirs($1_cdrecord_t)
|
||||||
|
fs_donaudit_read_removable_files($1_cdrecord_t)
|
||||||
|
userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
|
||||||
|
userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
|
||||||
|
userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
|
||||||
|
userdom_dontaudit_read_user_home_files($1,$1_cdrecord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
# Handle default_t content
|
||||||
|
tunable_policy(`cdrecord_read_content && read_default_t',`
|
||||||
|
files_list_default($1_cdrecord_t)
|
||||||
|
files_read_default_files($1_cdrecord_t)
|
||||||
|
files_read_default_symlinks($1_cdrecord_t)
|
||||||
|
',`
|
||||||
|
files_dontaudit_read_default_files($1_cdrecord_t)
|
||||||
|
files_dontaudit_list_default($1_cdrecord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
# Handle untrusted content
|
||||||
|
tunable_policy(`cdrecord_read_content && read_untrusted_content',`
|
||||||
|
files_list_tmp($1_cdrecord_t)
|
||||||
|
files_list_home($1_cdrecord_t)
|
||||||
|
userdom_search_user_home($1,$1_cdrecord_t)
|
||||||
|
|
||||||
|
userdom_list_user_untrusted_content($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_untrusted_content_symlinks($1,$1_cdrecord_t)
|
||||||
|
userdom_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
|
||||||
|
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_cdrecord_t)
|
||||||
|
',`
|
||||||
|
files_dontaudit_list_tmp($1_cdrecord_t)
|
||||||
|
files_dontaudit_list_home($1_cdrecord_t)
|
||||||
|
userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
|
||||||
|
userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
|
||||||
|
userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
|
||||||
|
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
|
||||||
|
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
files_search_mnt($1_cdrecord_t)
|
||||||
|
fs_read_nfs_files($1_cdrecord_t)
|
||||||
|
fs_read_nfs_symlinks($1_cdrecord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
can_resmgrd_connect($1_cdrecord_t)
|
||||||
|
')
|
||||||
|
')
|
|
@ -0,0 +1,12 @@
|
||||||
|
|
||||||
|
policy_module(cdrecord,1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type cdrecord_t;
|
||||||
|
type cdrecord_exec_t;
|
||||||
|
domain_entry_file(cdrecord_t, cdrecord_exec_t)
|
||||||
|
|
|
@ -124,8 +124,8 @@ template(`java_per_userdomain_template',`
|
||||||
sysnet_read_config($1_javaplugin_t)
|
sysnet_read_config($1_javaplugin_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
|
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
|
||||||
userdom_dontauit_setattr_user_home_files($1,$1_javaplugin_t)
|
userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t)
|
||||||
userdom_dontauit_exec_user_home_files($1,$1_javaplugin_t)
|
userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t)
|
||||||
userdom_create_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file },$1_home_t)
|
userdom_create_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file },$1_home_t)
|
||||||
userdom_manage_user_home_subdirs($1,$1_javaplugin_t)
|
userdom_manage_user_home_subdirs($1,$1_javaplugin_t)
|
||||||
userdom_manage_user_home_subdir_files($1,$1_javaplugin_t)
|
userdom_manage_user_home_subdir_files($1,$1_javaplugin_t)
|
||||||
|
|
|
@ -1811,6 +1811,23 @@ interface(`files_dontaudit_search_home',`
|
||||||
dontaudit $1 home_root_t:dir search_dir_perms;
|
dontaudit $1 home_root_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to list
|
||||||
|
## home directories root (/home).
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_dontaudit_list_home',`
|
||||||
|
gen_require(`
|
||||||
|
type home_root_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 home_root_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get listing of home directories.
|
## Get listing of home directories.
|
||||||
|
@ -2142,6 +2159,22 @@ interface(`files_list_tmp',`
|
||||||
allow $1 tmp_t:dir list_dir_perms;
|
allow $1 tmp_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit listing of the tmp directory (/tmp).
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain not to audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_dontaudit_list_tmp',`
|
||||||
|
gen_require(`
|
||||||
|
type tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 tmp_t:dir { read getattr search };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read files in the tmp directory (/tmp).
|
## Read files in the tmp directory (/tmp).
|
||||||
|
|
|
@ -377,6 +377,23 @@ interface(`fs_list_auto_mountpoints',`
|
||||||
allow $1 autofs_t:dir r_dir_perms;
|
allow $1 autofs_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to list directories of automatically
|
||||||
|
## mounted filesystems.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the domain performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_dontaudit_list_auto_mountpoints',`
|
||||||
|
gen_require(`
|
||||||
|
type autofs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 autofs_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Register an interpreter for new binary
|
## Register an interpreter for new binary
|
||||||
|
@ -1269,6 +1286,87 @@ interface(`fs_search_rpc_dirs',`
|
||||||
allow $1 rpc_pipefs_t:dir search_dir_perms;
|
allow $1 rpc_pipefs_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search removable storage directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_search_removable_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type removable_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 removable_t:dir { getattr read search };
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to list removable storage directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain not to audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_dontaudit_list_removable_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type removable_t;
|
||||||
|
')
|
||||||
|
dontaudit $1 removable_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read removable storage files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_read_removable_files',`
|
||||||
|
gen_require(`
|
||||||
|
type removable_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 removable_t:file { read getattr };
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read removable storage files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain not to audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_donaudit_read_removable_files',`
|
||||||
|
gen_require(`
|
||||||
|
type removable_t;
|
||||||
|
')
|
||||||
|
dontaudit $1 removable_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read removable storage symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_read_removable_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type removable_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 removable_t:lnk_file { getattr read };
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read directories of RPC file system pipes.
|
## Read directories of RPC file system pipes.
|
||||||
|
|
|
@ -1126,12 +1126,41 @@ template(`userdom_user_home_domtrans',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete symbolic links
|
## Do not audit attempts to list user home subdirectories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to list user home subdirectories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_list_user_home_dir',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_home_dir_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_home_dir_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete directories
|
||||||
## in a user home subdirectory.
|
## in a user home subdirectory.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Create, read, write, and delete symbolic links
|
## Create, read, write, and delete directories
|
||||||
## in a user home subdirectory.
|
## in a user home subdirectory.
|
||||||
## </p>
|
## </p>
|
||||||
## <p>
|
## <p>
|
||||||
|
@ -1180,7 +1209,7 @@ template(`userdom_manage_user_home_subdirs',`
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`userdom_dontauit_setattr_user_home_files',`
|
template(`userdom_dontaudit_setattr_user_home_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_home_dir_t, $1_home_t;
|
type $1_home_dir_t, $1_home_t;
|
||||||
')
|
')
|
||||||
|
@ -1216,17 +1245,47 @@ template(`userdom_read_user_home_files',`
|
||||||
|
|
||||||
files_search_home($2)
|
files_search_home($2)
|
||||||
allow $2 $1_home_dir_t:dir search;
|
allow $2 $1_home_dir_t:dir search;
|
||||||
allow $2 $1_home_t:dir search;
|
allow $2 $1_home_t:dir search_dir_perms;
|
||||||
allow $2 $1_home_t:file r_file_perms;
|
allow $2 $1_home_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to execute user home files.
|
## Do not audit attempts to read user home files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Do not audit attempts to execute user home files.
|
## Do not audit attempts to read user home files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_read_user_home_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_home_t:dir r_dir_perms;
|
||||||
|
dontaudit $2 $1_home_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read user home subdirectory symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user home subdirectory symbolic links.
|
||||||
## </p>
|
## </p>
|
||||||
## <p>
|
## <p>
|
||||||
## This is a templated interface, and should only
|
## This is a templated interface, and should only
|
||||||
|
@ -1241,12 +1300,15 @@ template(`userdom_read_user_home_files',`
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`userdom_dontauit_exec_user_home_files',`
|
template(`userdom_read_user_home_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_home_t;
|
type $1_home_dir_t, $1_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $2 $1_home_t:file execute;
|
files_search_home($2)
|
||||||
|
allow $2 $1_home_dir_t:dir search;
|
||||||
|
allow $2 $1_home_t:dir search;
|
||||||
|
allow $2 $1_home_t:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1281,6 +1343,35 @@ template(`userdom_exec_user_home_files',`
|
||||||
can_exec($2,$1_home_t)
|
can_exec($2,$1_home_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to execute user home files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to execute user home files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_exec_user_home_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_home_t:file execute;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete files
|
## Create, read, write, and delete files
|
||||||
|
@ -1502,6 +1593,162 @@ template(`userdom_write_user_tmp_sockets',`
|
||||||
allow $2 $1_tmp_t:sock_file write;
|
allow $2 $1_tmp_t:sock_file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List user temporary directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## List user temporary directories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_list_user_tmp',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($2)
|
||||||
|
allow $2 $1_tmp_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to list user
|
||||||
|
## temporary directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to list user
|
||||||
|
## temporary directories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_list_user_tmp',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_tmp_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read user temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user temporary files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_read_user_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($2)
|
||||||
|
allow $2 $1_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $2 $1_tmp_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read users
|
||||||
|
## temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to read users
|
||||||
|
## temporary files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_read_user_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_tmp_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read user
|
||||||
|
## temporary symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user
|
||||||
|
## temporary symbolic links.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_read_user_tmp_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($2)
|
||||||
|
allow $2 $1_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $2 $1_tmp_t:lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete user
|
## Create, read, write, and delete user
|
||||||
|
@ -1666,6 +1913,308 @@ template(`userdom_manage_user_tmp_sockets',`
|
||||||
allow $2 $1_tmp_t:sock_file create_file_perms;
|
allow $2 $1_tmp_t:sock_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List users untrusted directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## List users untrusted directories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_list_user_untrusted_content',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $2 $1_untrusted_content_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to list user
|
||||||
|
## untrusted directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to read user
|
||||||
|
## untrusted directories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_list_user_untrusted_content',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_untrusted_content_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read user untrusted files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user untrusted files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_read_user_untrusted_content_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $2 $1_untrusted_content_t:dir rw_dir_perms;
|
||||||
|
allow $2 $1_untrusted_content_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read users
|
||||||
|
## untrusted files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to read users
|
||||||
|
## untrusted files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_read_user_untrusted_content_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_untrusted_content_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read user untrusted symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user untrusted symbolic links.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_read_user_untrusted_content_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $2 $1_untrusted_content_t:dir rw_dir_perms;
|
||||||
|
allow $2 $1_untrusted_content_t:lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List users temporary untrusted directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## List users temporary untrusted directories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_list_user_tmp_untrusted_content',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to list user
|
||||||
|
## temporary untrusted directories.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to list user
|
||||||
|
## temporary directories.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read user temporary untrusted files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user temporary untrusted files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_read_user_tmp_untrusted_content_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $2 $1_untrusted_content_tmp_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read users
|
||||||
|
## temporary untrusted files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to read users
|
||||||
|
## temporary untrusted files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read user temporary untrusted symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read user temporary untrusted symbolic links.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_read_user_tmp_untrusted_content_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_untrusted_content_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $2 $1_untrusted_content_tmp_t:dir rw_dir_perms;
|
||||||
|
allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write a user domain tty and pty.
|
## Read and write a user domain tty and pty.
|
||||||
|
@ -1834,7 +2383,7 @@ interface(`userdom_shell_domtrans_sysadm',`
|
||||||
## Search the staff users home directory.
|
## Search the staff users home directory.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Domain to not audit.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`userdom_search_staff_home_dir',`
|
interface(`userdom_search_staff_home_dir',`
|
||||||
|
|
Loading…
Reference in New Issue