trunk: Patch to restructure user role templates to create restricted user roles from Dan Walsh.
parent
3b498a9105
commit
847937da7d
|
@ -1,3 +1,5 @@
|
||||||
|
- Patch to restructure user role templates to create restricted user roles
|
||||||
|
from Dan Walsh.
|
||||||
- Russian man page translations from Andrey Markelov.
|
- Russian man page translations from Andrey Markelov.
|
||||||
- Remove unused types from dbus.
|
- Remove unused types from dbus.
|
||||||
- Add infrastructure for managing all user web content.
|
- Add infrastructure for managing all user web content.
|
||||||
|
|
|
@ -875,7 +875,6 @@ interface(`corecmd_exec_chroot',`
|
||||||
|
|
||||||
read_lnk_files_pattern($1,bin_t,bin_t)
|
read_lnk_files_pattern($1,bin_t,bin_t)
|
||||||
can_exec($1,chroot_exec_t)
|
can_exec($1,chroot_exec_t)
|
||||||
allow $1 self:capability sys_chroot;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
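Review bot: Dropping `allow $1 self:capability sys_chroot;` from corecmd_exec_chroot changes the interface's contract: a caller that relied on this interface for CAP_SYS_CHROOT now gets execute access to chroot_exec_t but no capability, and nothing else on this page grants it back. The interface header sits above the hunk, so it is outside my view, but it should now state the split explicitly, e.g. `## Execute chroot; the caller must allow sys_chroot on its own domain.`. The Changelog entry also does not mention this tightening, which is the kind of silent permission removal policy authors need to be able to find.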
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(corecommands,1.8.3)
|
policy_module(corecommands,1.8.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -45,7 +45,7 @@ template(`userdom_base_user_template',`
|
||||||
type $1_tty_device_t;
|
type $1_tty_device_t;
|
||||||
term_user_tty($1_t,$1_tty_device_t)
|
term_user_tty($1_t,$1_tty_device_t)
|
||||||
|
|
||||||
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
|
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
|
||||||
allow $1_t self:fd use;
|
allow $1_t self:fd use;
|
||||||
allow $1_t self:fifo_file rw_fifo_file_perms;
|
allow $1_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
|
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
|
@ -71,6 +71,9 @@ template(`userdom_base_user_template',`
|
||||||
kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
|
kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
|
||||||
kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
|
kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
|
||||||
|
|
||||||
|
dev_dontaudit_getattr_all_blk_files($1_t)
|
||||||
|
dev_dontaudit_getattr_all_chr_files($1_t)
|
||||||
|
|
||||||
# When the user domain runs ps, there will be a number of access
|
# When the user domain runs ps, there will be a number of access
|
||||||
# denials when ps tries to search /proc. Do not audit these denials.
|
# denials when ps tries to search /proc. Do not audit these denials.
|
||||||
domain_dontaudit_read_all_domains_state($1_t)
|
domain_dontaudit_read_all_domains_state($1_t)
|
||||||
|
@ -93,8 +96,6 @@ template(`userdom_base_user_template',`
|
||||||
files_dontaudit_getattr_non_security_symlinks($1_t)
|
files_dontaudit_getattr_non_security_symlinks($1_t)
|
||||||
files_dontaudit_getattr_non_security_pipes($1_t)
|
files_dontaudit_getattr_non_security_pipes($1_t)
|
||||||
files_dontaudit_getattr_non_security_sockets($1_t)
|
files_dontaudit_getattr_non_security_sockets($1_t)
|
||||||
files_dontaudit_getattr_non_security_blk_files($1_t)
|
|
||||||
files_dontaudit_getattr_non_security_chr_files($1_t)
|
|
||||||
|
|
||||||
libs_use_ld_so($1_t)
|
libs_use_ld_so($1_t)
|
||||||
libs_use_shared_libs($1_t)
|
libs_use_shared_libs($1_t)
|
||||||
|
@ -184,7 +185,7 @@ template(`userdom_ro_home_template',`
|
||||||
files_list_home($1_t)
|
files_list_home($1_t)
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_list_nfs_dirs($1_t)
|
fs_list_nfs($1_t)
|
||||||
fs_read_nfs_files($1_t)
|
fs_read_nfs_files($1_t)
|
||||||
fs_read_nfs_symlinks($1_t)
|
fs_read_nfs_symlinks($1_t)
|
||||||
fs_read_nfs_named_sockets($1_t)
|
fs_read_nfs_named_sockets($1_t)
|
||||||
|
@ -195,7 +196,7 @@ template(`userdom_ro_home_template',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
fs_list_cifs_dirs($1_t)
|
fs_list_cifs($1_t)
|
||||||
fs_read_cifs_files($1_t)
|
fs_read_cifs_files($1_t)
|
||||||
fs_read_cifs_symlinks($1_t)
|
fs_read_cifs_symlinks($1_t)
|
||||||
fs_read_cifs_named_sockets($1_t)
|
fs_read_cifs_named_sockets($1_t)
|
||||||
|
@ -566,29 +567,27 @@ template(`userdom_xwindows_client_template',`
|
||||||
type $1_t, $1_tmpfs_t;
|
type $1_t, $1_tmpfs_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
dev_rw_xserver_misc($1_t)
|
||||||
dev_rw_xserver_misc($1_t)
|
dev_rw_power_management($1_t)
|
||||||
dev_rw_power_management($1_t)
|
dev_read_input($1_t)
|
||||||
dev_read_input($1_t)
|
dev_read_misc($1_t)
|
||||||
dev_read_misc($1_t)
|
dev_write_misc($1_t)
|
||||||
dev_write_misc($1_t)
|
# open office is looking for the following
|
||||||
# open office is looking for the following
|
dev_getattr_agp_dev($1_t)
|
||||||
dev_getattr_agp_dev($1_t)
|
dev_dontaudit_rw_dri($1_t)
|
||||||
dev_dontaudit_rw_dri($1_t)
|
# GNOME checks for usb and other devices:
|
||||||
# GNOME checks for usb and other devices:
|
dev_rw_usbfs($1_t)
|
||||||
dev_rw_usbfs($1_t)
|
|
||||||
|
|
||||||
xserver_user_client_template($1,$1_t,$1_tmpfs_t)
|
xserver_user_client_template($1,$1_t,$1_tmpfs_t)
|
||||||
xserver_xsession_entry_type($1_t)
|
xserver_xsession_entry_type($1_t)
|
||||||
xserver_dontaudit_write_log($1_t)
|
xserver_dontaudit_write_log($1_t)
|
||||||
xserver_stream_connect_xdm($1_t)
|
xserver_stream_connect_xdm($1_t)
|
||||||
# certain apps want to read xdm.pid file
|
# certain apps want to read xdm.pid file
|
||||||
xserver_read_xdm_pid($1_t)
|
xserver_read_xdm_pid($1_t)
|
||||||
# gnome-session creates socket under /tmp/.ICE-unix/
|
# gnome-session creates socket under /tmp/.ICE-unix/
|
||||||
xserver_create_xdm_tmp_sockets($1_t)
|
xserver_create_xdm_tmp_sockets($1_t)
|
||||||
# Needed for escd, remove if we get escd policy
|
# Needed for escd, remove if we get escd policy
|
||||||
xserver_manage_xdm_tmp_files($1_t)
|
xserver_manage_xdm_tmp_files($1_t)
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
@ -664,38 +663,21 @@ template(`userdom_common_user_template',`
|
||||||
attribute unpriv_userdomain;
|
attribute unpriv_userdomain;
|
||||||
')
|
')
|
||||||
|
|
||||||
userdom_base_user_template($1)
|
|
||||||
|
|
||||||
userdom_manage_home_template($1)
|
|
||||||
userdom_exec_home_template($1)
|
|
||||||
|
|
||||||
userdom_manage_tmp_template($1)
|
|
||||||
userdom_exec_tmp_template($1)
|
|
||||||
|
|
||||||
userdom_manage_tmpfs_template($1)
|
|
||||||
|
|
||||||
userdom_untrusted_content_template($1)
|
userdom_untrusted_content_template($1)
|
||||||
|
|
||||||
userdom_basic_networking_template($1)
|
userdom_basic_networking_template($1)
|
||||||
|
|
||||||
userdom_exec_generic_pgms_template($1)
|
userdom_exec_generic_pgms_template($1)
|
||||||
|
|
||||||
userdom_xwindows_client_template($1)
|
optional_policy(`
|
||||||
|
userdom_xwindows_client_template($1)
|
||||||
userdom_change_password_template($1)
|
')
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# User domain Local policy
|
# User domain Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow $1_t self:capability { setgid chown fowner };
|
|
||||||
dontaudit $1_t self:capability { sys_nice fsetid };
|
|
||||||
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
||||||
allow $1_t self:process { ptrace setfscreate };
|
|
||||||
|
|
||||||
allow $1_t self:context contains;
|
|
||||||
|
|
||||||
# evolution and gnome-session try to create a netlink socket
|
# evolution and gnome-session try to create a netlink socket
|
||||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||||
|
@ -713,18 +695,12 @@ template(`userdom_common_user_template',`
|
||||||
corenet_udp_bind_all_nodes($1_t)
|
corenet_udp_bind_all_nodes($1_t)
|
||||||
corenet_udp_bind_generic_port($1_t)
|
corenet_udp_bind_generic_port($1_t)
|
||||||
|
|
||||||
dev_read_sysfs($1_t)
|
|
||||||
dev_read_rand($1_t)
|
dev_read_rand($1_t)
|
||||||
dev_read_urand($1_t)
|
|
||||||
dev_write_sound($1_t)
|
dev_write_sound($1_t)
|
||||||
dev_read_sound($1_t)
|
dev_read_sound($1_t)
|
||||||
dev_read_sound_mixer($1_t)
|
dev_read_sound_mixer($1_t)
|
||||||
dev_write_sound_mixer($1_t)
|
dev_write_sound_mixer($1_t)
|
||||||
|
|
||||||
domain_use_interactive_fds($1_t)
|
|
||||||
# Command completion can fire hundreds of denials
|
|
||||||
domain_dontaudit_exec_all_entry_files($1_t)
|
|
||||||
|
|
||||||
files_exec_etc_files($1_t)
|
files_exec_etc_files($1_t)
|
||||||
files_search_locks($1_t)
|
files_search_locks($1_t)
|
||||||
# Check to see if cdrom is mounted
|
# Check to see if cdrom is mounted
|
||||||
|
@ -737,12 +713,6 @@ template(`userdom_common_user_template',`
|
||||||
# Stat lost+found.
|
# Stat lost+found.
|
||||||
files_getattr_lost_found_dirs($1_t)
|
files_getattr_lost_found_dirs($1_t)
|
||||||
|
|
||||||
fs_get_all_fs_quotas($1_t)
|
|
||||||
fs_getattr_all_fs($1_t)
|
|
||||||
fs_getattr_all_dirs($1_t)
|
|
||||||
fs_search_auto_mountpoints($1_t)
|
|
||||||
fs_list_inotifyfs($1_t)
|
|
||||||
|
|
||||||
# cjp: some of this probably can be removed
|
# cjp: some of this probably can be removed
|
||||||
selinux_get_fs_mount($1_t)
|
selinux_get_fs_mount($1_t)
|
||||||
selinux_validate_context($1_t)
|
selinux_validate_context($1_t)
|
||||||
|
@ -754,32 +724,16 @@ template(`userdom_common_user_template',`
|
||||||
# for eject
|
# for eject
|
||||||
storage_getattr_fixed_disk_dev($1_t)
|
storage_getattr_fixed_disk_dev($1_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch($1_t)
|
||||||
auth_read_login_records($1_t)
|
auth_read_login_records($1_t)
|
||||||
auth_dontaudit_write_login_records($1_t)
|
|
||||||
auth_search_pam_console_data($1_t)
|
auth_search_pam_console_data($1_t)
|
||||||
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
|
|
||||||
init_read_utmp($1_t)
|
init_read_utmp($1_t)
|
||||||
# The library functions always try to open read-write first,
|
|
||||||
# then fall back to read-only if it fails.
|
|
||||||
init_dontaudit_write_utmp($1_t)
|
|
||||||
# Stop warnings about access to /dev/console
|
|
||||||
init_dontaudit_use_fds($1_t)
|
|
||||||
init_dontaudit_use_script_fds($1_t)
|
|
||||||
|
|
||||||
libs_exec_lib_files($1_t)
|
|
||||||
|
|
||||||
logging_dontaudit_getattr_all_logs($1_t)
|
|
||||||
|
|
||||||
miscfiles_read_man_pages($1_t)
|
|
||||||
# for running TeX programs
|
|
||||||
miscfiles_read_tetex_data($1_t)
|
|
||||||
miscfiles_exec_tetex_data($1_t)
|
|
||||||
|
|
||||||
seutil_read_file_contexts($1_t)
|
seutil_read_file_contexts($1_t)
|
||||||
seutil_read_default_contexts($1_t)
|
seutil_read_default_contexts($1_t)
|
||||||
seutil_read_config($1_t)
|
|
||||||
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
seutil_exec_checkpolicy($1_t)
|
seutil_exec_checkpolicy($1_t)
|
||||||
seutil_exec_setfiles($1_t)
|
seutil_exec_setfiles($1_t)
|
||||||
|
@ -794,9 +748,6 @@ template(`userdom_common_user_template',`
|
||||||
files_read_default_symlinks($1_t)
|
files_read_default_symlinks($1_t)
|
||||||
files_read_default_sockets($1_t)
|
files_read_default_sockets($1_t)
|
||||||
files_read_default_pipes($1_t)
|
files_read_default_pipes($1_t)
|
||||||
',`
|
|
||||||
files_dontaudit_list_default($1_t)
|
|
||||||
files_dontaudit_read_default_files($1_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`user_direct_mouse',`
|
tunable_policy(`user_direct_mouse',`
|
||||||
|
@ -820,11 +771,6 @@ template(`userdom_common_user_template',`
|
||||||
canna_stream_connect($1_t)
|
canna_stream_connect($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
cups_stream_connect($1_t)
|
|
||||||
cups_stream_connect_ptal($1_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client_template($1,$1_t)
|
dbus_system_bus_client_template($1,$1_t)
|
||||||
|
|
||||||
|
@ -874,9 +820,6 @@ template(`userdom_common_user_template',`
|
||||||
mta_rw_spool($1_t)
|
mta_rw_spool($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
nis_use_ypbind($1_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tunable_policy(`allow_user_mysql_connect',`
|
tunable_policy(`allow_user_mysql_connect',`
|
||||||
|
@ -884,10 +827,6 @@ template(`userdom_common_user_template',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
nscd_socket_use($1_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# to allow monitoring of pcmcia status
|
# to allow monitoring of pcmcia status
|
||||||
pcmcia_read_pid($1_t)
|
pcmcia_read_pid($1_t)
|
||||||
|
@ -904,10 +843,6 @@ template(`userdom_common_user_template',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
quota_dontaudit_getattr_db($1_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
resmgr_stream_connect($1_t)
|
resmgr_stream_connect($1_t)
|
||||||
')
|
')
|
||||||
|
@ -917,11 +852,6 @@ template(`userdom_common_user_template',`
|
||||||
rpc_manage_nfs_rw_content($1_t)
|
rpc_manage_nfs_rw_content($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
rpm_read_db($1_t)
|
|
||||||
rpm_dontaudit_manage_db($1_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_stream_connect_winbind($1_t)
|
samba_stream_connect_winbind($1_t)
|
||||||
')
|
')
|
||||||
|
@ -937,7 +867,7 @@ template(`userdom_common_user_template',`
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## The template for creating a unprivileged user.
|
## The template for creating a login user.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
|
@ -953,19 +883,127 @@ template(`userdom_common_user_template',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`userdom_unpriv_user_template', `
|
template(`userdom_login_user_template', `
|
||||||
|
userdom_base_user_template($1)
|
||||||
|
|
||||||
gen_require(`
|
userdom_manage_home_template($1)
|
||||||
attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
|
userdom_poly_home_template($1)
|
||||||
')
|
userdom_poly_tmp_template($1)
|
||||||
|
|
||||||
|
userdom_manage_tmp_template($1)
|
||||||
|
userdom_manage_tmpfs_template($1)
|
||||||
|
|
||||||
|
userdom_exec_tmp_template($1)
|
||||||
|
userdom_exec_home_template($1)
|
||||||
|
|
||||||
|
userdom_change_password_template($1)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Declarations
|
# User domain Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
# Inherit rules for ordinary users.
|
allow $1_t self:capability { setgid chown fowner };
|
||||||
userdom_common_user_template($1)
|
dontaudit $1_t self:capability { sys_nice fsetid };
|
||||||
|
|
||||||
|
allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
||||||
|
dontaudit $1_t self:process setrlimit;
|
||||||
|
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||||
|
|
||||||
|
allow $1_t self:context contains;
|
||||||
|
|
||||||
|
kernel_dontaudit_read_system_state($1_t)
|
||||||
|
|
||||||
|
dev_read_sysfs($1_t)
|
||||||
|
dev_read_urand($1_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds($1_t)
|
||||||
|
# Command completion can fire hundreds of denials
|
||||||
|
domain_dontaudit_exec_all_entry_files($1_t)
|
||||||
|
|
||||||
|
files_dontaudit_list_default($1_t)
|
||||||
|
files_dontaudit_read_default_files($1_t)
|
||||||
|
# Stat lost+found.
|
||||||
|
files_getattr_lost_found_dirs($1_t)
|
||||||
|
|
||||||
|
fs_get_all_fs_quotas($1_t)
|
||||||
|
fs_getattr_all_fs($1_t)
|
||||||
|
fs_getattr_all_dirs($1_t)
|
||||||
|
fs_search_auto_mountpoints($1_t)
|
||||||
|
fs_list_inotifyfs($1_t)
|
||||||
|
fs_rw_anon_inodefs_files($1_t)
|
||||||
|
|
||||||
|
auth_dontaudit_write_login_records($1_t)
|
||||||
|
|
||||||
|
application_exec_all($1_t)
|
||||||
|
|
||||||
|
# The library functions always try to open read-write first,
|
||||||
|
# then fall back to read-only if it fails.
|
||||||
|
init_dontaudit_rw_utmp($1_t)
|
||||||
|
# Stop warnings about access to /dev/console
|
||||||
|
init_dontaudit_use_fds($1_t)
|
||||||
|
init_dontaudit_use_script_fds($1_t)
|
||||||
|
|
||||||
|
libs_exec_lib_files($1_t)
|
||||||
|
|
||||||
|
logging_dontaudit_getattr_all_logs($1_t)
|
||||||
|
|
||||||
|
miscfiles_read_man_pages($1_t)
|
||||||
|
# for running TeX programs
|
||||||
|
miscfiles_read_tetex_data($1_t)
|
||||||
|
miscfiles_exec_tetex_data($1_t)
|
||||||
|
|
||||||
|
seutil_read_config($1_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cups_read_config($1_t)
|
||||||
|
cups_stream_connect($1_t)
|
||||||
|
cups_stream_connect_ptal($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
kerberos_use($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mta_dontaudit_read_spool_symlinks($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
quota_dontaudit_getattr_db($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
rpm_read_db($1_t)
|
||||||
|
rpm_dontaudit_manage_db($1_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## The template for creating a unprivileged login user.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## This template creates a user domain, types, and
|
||||||
|
## rules for the user's tty, pty, home directories,
|
||||||
|
## tmp, and tmpfs files.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## <summary>
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_restricted_user_template',`
|
||||||
|
gen_require(`
|
||||||
|
attribute unpriv_userdomain;
|
||||||
|
attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
|
||||||
|
')
|
||||||
|
|
||||||
|
userdom_login_user_template($1)
|
||||||
|
|
||||||
typeattribute $1_t unpriv_userdomain;
|
typeattribute $1_t unpriv_userdomain;
|
||||||
domain_interactive_fd($1_t)
|
domain_interactive_fd($1_t)
|
||||||
|
@ -976,9 +1014,6 @@ template(`userdom_unpriv_user_template', `
|
||||||
typeattribute $1_tmp_t user_tmpfile;
|
typeattribute $1_tmp_t user_tmpfile;
|
||||||
typeattribute $1_tty_device_t user_ttynode;
|
typeattribute $1_tty_device_t user_ttynode;
|
||||||
|
|
||||||
userdom_poly_home_template($1)
|
|
||||||
userdom_poly_tmp_template($1)
|
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
|
@ -992,7 +1027,126 @@ template(`userdom_unpriv_user_template', `
|
||||||
manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
|
manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
|
||||||
filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
|
filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
|
|
||||||
corecmd_exec_all_executables($1_t)
|
optional_policy(`
|
||||||
|
loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## The template for creating a unprivileged xwindows login user.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## The template for creating a unprivileged xwindows login user.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This template creates a user domain, types, and
|
||||||
|
## rules for the user's tty, pty, home directories,
|
||||||
|
## tmp, and tmpfs files.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## <summary>
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_restricted_xwindows_user_template',`
|
||||||
|
|
||||||
|
userdom_restricted_user_template($1)
|
||||||
|
|
||||||
|
userdom_xwindows_client_template($1)
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
authlogin_per_role_template($1, $1_t, $1_r)
|
||||||
|
auth_search_pam_console_data($1_t)
|
||||||
|
|
||||||
|
dev_read_sound($1_t)
|
||||||
|
dev_write_sound($1_t)
|
||||||
|
# gnome keyring wants to read this.
|
||||||
|
dev_dontaudit_read_rand($1_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg($1_t)
|
||||||
|
logging_dontaudit_send_audit_msgs($1_t)
|
||||||
|
|
||||||
|
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||||
|
logging_send_audit_msgs($1_t)
|
||||||
|
selinux_get_enforce_mode($1_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
alsa_read_rw_config($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
dbus_per_role_template($1, $1_t, $1_r)
|
||||||
|
dbus_system_bus_client_template($1, $1_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
consolekit_dbus_chat($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cups_dbus_chat($1_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
java_per_role_template($1, $1_t, $1_r)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mono_per_role_template($1, $1_t, $1_r)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
setroubleshoot_dontaudit_stream_connect($1_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## The template for creating a unprivileged user roughly
|
||||||
|
## equivalent to a regular linux user.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## The template for creating a unprivileged user roughly
|
||||||
|
## equivalent to a regular linux user.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This template creates a user domain, types, and
|
||||||
|
## rules for the user's tty, pty, home directories,
|
||||||
|
## tmp, and tmpfs files.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## <summary>
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_unpriv_user_template', `
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
# Inherit rules for ordinary users.
|
||||||
|
userdom_restricted_user_template($1)
|
||||||
|
userdom_common_user_template($1)
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||||
|
@ -1031,14 +1185,6 @@ template(`userdom_unpriv_user_template', `
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
kerberos_use($1_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
|
@ -1052,18 +1198,6 @@ template(`userdom_unpriv_user_template', `
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
setroubleshoot_stream_connect($1_t)
|
setroubleshoot_stream_connect($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
ifdef(`xdm.te', `
|
|
||||||
# this should cause the .xsession-errors file to be written to /tmp
|
|
||||||
dontaudit xdm_t $1_home_t:file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
# Do not audit write denials to /etc/ld.so.cache.
|
|
||||||
dontaudit $1_t ld_so_cache_t:file write;
|
|
||||||
|
|
||||||
dontaudit $1_t sysadm_home_t:file { read append };
|
|
||||||
') dnl end TODO
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
@ -1107,6 +1241,7 @@ template(`userdom_admin_user_template',`
|
||||||
#
|
#
|
||||||
|
|
||||||
# Inherit rules for ordinary users.
|
# Inherit rules for ordinary users.
|
||||||
|
userdom_login_user_template($1)
|
||||||
userdom_common_user_template($1)
|
userdom_common_user_template($1)
|
||||||
|
|
||||||
typeattribute $1_t privhome;
|
typeattribute $1_t privhome;
|
||||||
|
@ -1126,7 +1261,7 @@ template(`userdom_admin_user_template',`
|
||||||
# $1_t local policy
|
# $1_t local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow $1_t self:capability ~sys_module;
|
allow $1_t self:capability ~{ sys_module audit_control audit_write };
|
||||||
allow $1_t self:process { setexec setfscreate };
|
allow $1_t self:process { setexec setfscreate };
|
||||||
|
|
||||||
# Set password information for other users.
|
# Set password information for other users.
|
||||||
|
@ -3077,7 +3212,7 @@ template(`userdom_user_tmp_filetrans',`
|
||||||
#
|
#
|
||||||
template(`userdom_tmp_filetrans_user_tmp',`
|
template(`userdom_tmp_filetrans_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_home_dir_t;
|
type $1_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||||
|
@ -5322,7 +5457,7 @@ interface(`userdom_read_unpriv_users_tmp_files',`
|
||||||
attribute user_tmpfile;
|
attribute user_tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_tmpfile:file { read getattr };
|
allow $1 user_tmpfile:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
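Review bot: In the new userdom_restricted_xwindows_user_template, `logging_send_audit_msgs($1_t)` appears to let a restricted user domain emit audit records, while the `logging_dontaudit_send_audit_msgs($1_t)` a few lines above it is made redundant by that allow; this sits oddly next to the admin template in the same commit, which removes `audit_write` from the admin capability set. The comment already says this is a screensaver workaround that belongs in a screensaver domain, so until that domain exists the dontaudit should go and the allow should carry an explicit marker, e.g. `# TODO: move to the screensaver domain; this lets every restricted user write audit records` (the same comment also has the typo `Need to to this`). Separately, the optional_policy wrapper inside userdom_xwindows_client_template was removed, so its xserver_* calls are now unconditional: userdom_common_user_template wraps its call to the template in optional_policy, but userdom_restricted_xwindows_user_template calls it bare, which looks like it makes the xserver module mandatory for that template — confirm that is intended or wrap the call.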
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(userdomain,2.4.1)
|
policy_module(userdomain,2.4.2)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|
@ -136,13 +136,6 @@ ifdef(`enable_mls',`
|
||||||
userdom_role_change_template(secadm, sysadm)
|
userdom_role_change_template(secadm, sysadm)
|
||||||
')
|
')
|
||||||
|
|
||||||
# this should be tunable_policy, but
|
|
||||||
# currently type_change and RBAC allow
|
|
||||||
# do not work in conditionals
|
|
||||||
ifdef(`user_canbe_sysadm',`
|
|
||||||
userdom_role_change_template(user, sysadm)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Sysadm local policy
|
# Sysadm local policy
|
||||||
|
|
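Review bot: Deleting the user_canbe_sysadm ifdef block means that build option no longer produces the user-to-sysadm role change here, and neither the hunk nor the Changelog entry records whether a replacement exists elsewhere. Since this is a change in who may reach sysadm_r, it should at least be named in the Changelog; if the option is now meaningless it is worth a short comment at this spot so a reader does not assume it still takes effect, e.g. `# user_canbe_sysadm no longer provides a user -> sysadm role change here`.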