# # Macros for all user login domains. # define(`network_home_dir', ` create_dir_file($1, $2) can_exec($1, $2) allow $1 $2:{ sock_file fifo_file } create_file_perms; ') # # base_user_domain(domain_prefix) # # Define derived types and rules for an ordinary user domain. # # The type declaration and role authorization for the domain must be # provided separately. Likewise, domain transitions into this domain # must be specified separately. # # base_user_domain() is also called by the admin_domain() macro undefine(`base_user_domain') define(`base_user_domain', ` allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; # $1_r is authorized for $1_t for the initial login domain. role $1_r types $1_t; allow system_r $1_r; r_dir_file($1_t, usercanread) # Grant permissions within the domain. general_domain_access($1_t) if (allow_execmem) { # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; } if (allow_execmod) { # Allow text relocations on system shared libraries, e.g. libGL. allow $1_t texrel_shlib_t:file execmod; } # # kdeinit wants this access # allow $1_t device_t:dir { getattr search }; # Find CDROM devices r_dir_file($1_t, sysctl_dev_t) # for eject allow $1_t fixed_disk_device_t:blk_file getattr; allow $1_t fs_type:dir getattr; allow $1_t event_device_t:chr_file { getattr read ioctl }; # open office is looking for the following allow $1_t dri_device_t:chr_file getattr; dontaudit $1_t dri_device_t:chr_file rw_file_perms; file_browse_domain($1_t) # allow ptrace can_ptrace($1_t, $1_t) # Create, access, and remove files in home directory. file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t) allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto }; can_setfscreate($1_t) allow $1_t autofs_t:dir { search getattr }; if (use_nfs_home_dirs) { network_home_dir($1_t, nfs_t) } if (use_samba_home_dirs) { network_home_dir($1_t, cifs_t) } can_exec($1_t, { removable_t noexattrfile } ) if (user_rw_noexattrfile) { create_dir_file($1_t, noexattrfile) create_dir_file($1_t, removable_t) # Write floppies allow $1_t removable_device_t:blk_file rw_file_perms; allow $1_t usbtty_device_t:chr_file write; } else { r_dir_file($1_t, noexattrfile) r_dir_file($1_t, removable_t) allow $1_t removable_device_t:blk_file r_file_perms; } allow $1_t usbtty_device_t:chr_file read; # GNOME checks for usb and other devices rw_dir_file($1_t,usbfs_t) can_exec($1_t, noexattrfile) # Bind to a Unix domain socket in /tmp. allow $1_t $1_tmp_t:unix_stream_socket name_bind; # Access ttys. allow $1_t privfd:fd use; allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; # Use the type when relabeling terminal devices. type_change $1_t tty_device_t:chr_file $1_tty_device_t; # read localization information read_locale($1_t) # Debian login is from shadow utils and does not allow resetting the perms. # have to fix this! type_change $1_t ttyfile:chr_file $1_tty_device_t; # for running TeX programs r_dir_file($1_t, tetex_data_t) can_exec($1_t, tetex_data_t) # Use the type when relabeling pty devices. type_change $1_t server_pty:chr_file $1_devpts_t; tmpfs_domain($1) ifdef(`cardmgr.te', ` # to allow monitoring of pcmcia status allow $1_t cardmgr_var_run_t:file { getattr read }; ') # Read and write /var/catman. allow $1_t catman_t:dir rw_dir_perms; allow $1_t catman_t:file create_file_perms; # Modify mail spool file. allow $1_t mail_spool_t:dir r_dir_perms; allow $1_t mail_spool_t:file rw_file_perms; allow $1_t mail_spool_t:lnk_file read; # # Allow graphical boot to check battery lifespan # ifdef(`apmd.te', ` allow $1_t apmd_t:unix_stream_socket connectto; allow $1_t apmd_var_run_t:sock_file write; ') # # Allow the query of filesystem quotas # allow $1_t fs_type:filesystem quotaget; # Run helper programs. can_exec_any($1_t) # Run programs developed by other users in the same domain. can_exec($1_t, $1_home_t) can_exec($1_t, $1_tmp_t) # Run user programs that require different permissions in their own domain. # These rules were moved into the individual program domains. # Instantiate derived domains for a number of programs. # These derived domains encode both information about the calling # user domain and the program, and allow us to maintain separation # between different instances of the program being run by different # user domains. ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)') ifdef(`chkpwd.te', `chkpwd_domain($1)') ifdef(`fingerd.te', `fingerd_macro($1)') ifdef(`mta.te', `mail_domain($1)') ifdef(`crontab.te', `crontab_domain($1)') ifdef(`screen.te', `screen_domain($1)') ifdef(`tvtime.te', `tvtime_domain($1)') ifdef(`mozilla.te', `mozilla_domain($1)') ifdef(`samba.te', `samba_domain($1)') ifdef(`games.te', `games_domain($1)') ifdef(`gpg.te', `gpg_domain($1)') ifdef(`xauth.te', `xauth_domain($1)') ifdef(`startx.te', `xserver_domain($1)') ifdef(`lpr.te', `lpr_domain($1)') ifdef(`ssh.te', `ssh_domain($1)') ifdef(`irc.te', `irc_domain($1)') ifdef(`using_spamassassin', `spamassassin_domain($1)') ifdef(`uml.te', `uml_domain($1)') ifdef(`cdrecord.te', `cdrecord_domain($1)') ifdef(`mplayer.te', `mplayer_domains($1)') ifdef(`gift.te', `gift_domains($1)') # Instantiate a derived domain for user cron jobs. ifdef(`crond.te', `crond_domain($1)') ifdef(`vmware.te', `vmware_domain($1)') if (user_direct_mouse) { # Read the mouse. allow $1_t mouse_device_t:chr_file r_file_perms; } # Access other miscellaneous devices. allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms; allow $1_t device_t:lnk_file { getattr read }; can_resmgrd_connect($1_t) # # evolution and gnome-session try to create a netlink socket # dontaudit $1_t self:netlink_socket create_socket_perms; dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms; # Use the network. can_network($1_t) can_ypbind($1_t) ifdef(`pamconsole.te', ` allow $1_t pam_var_console_t:dir search; ') allow $1_t var_lock_t:dir search; # Grant permissions to access the system DBus ifdef(`dbusd.te', ` dbusd_client(system, $1) can_network_server_tcp($1_dbusd_t) allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; dbusd_client($1, $1) allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc }; dbusd_domain($1) ifdef(`hald.te', ` allow $1_t hald_t:dbus send_msg; allow hald_t $1_t:dbus send_msg; ') dnl end ifdef hald.te ') dnl end ifdef dbus.te # allow port_t name binding for UDP because it is not very usable otherwise allow $1_t port_t:udp_socket name_bind; # Gnome pannel binds to the following ifdef(`cups.te', ` allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr }; ') # for perl dontaudit $1_t net_conf_t:file ioctl; # Communicate within the domain. can_udp_send($1_t, self) # Connect to inetd. ifdef(`inetd.te', ` can_tcp_connect($1_t, inetd_t) can_udp_send($1_t, inetd_t) can_udp_send(inetd_t, $1_t) ') # Connect to portmap. ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') # Inherit and use sockets from inetd ifdef(`inetd.te', ` allow $1_t inetd_t:fd use; allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;') # Very permissive allowing every domain to see every type. allow $1_t kernel_t:system ipc_info; # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. dontaudit $1_t domain:dir r_dir_perms; dontaudit $1_t domain:notdevfile_class_set r_file_perms; dontaudit $1_t domain:process { getattr getsession }; # # Cups daemon running as user tries to write /etc/printcap # dontaudit $1_t usr_t:file setattr; ifdef(`xserver.te', ` # for /tmp/.ICE-unix file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; ') ifdef(`xdm.te', ` # Connect to the X server run by the X Display Manager. can_unix_connect($1_t, xdm_t) allow $1_t xdm_tmp_t:sock_file rw_file_perms; allow $1_t xdm_tmp_t:dir r_dir_perms; allow $1_t xdm_tmp_t:file { getattr read }; allow $1_t xdm_xserver_tmp_t:sock_file { read write }; allow $1_t xdm_xserver_tmp_t:dir search; allow $1_t xdm_xserver_t:unix_stream_socket connectto; # certain apps want to read xdm.pid file r_dir_file($1_t, xdm_var_run_t) allow $1_t xdm_var_lib_t:file { getattr read }; allow xdm_t $1_home_dir_t:dir getattr; ifdef(`xauth.te', ` file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) ') # for shared memory allow xdm_xserver_t $1_tmpfs_t:file { read write }; ')dnl end ifdef xdm.te # Access the sound device. allow $1_t sound_device_t:chr_file { getattr read write ioctl }; # Access the power device. allow $1_t power_device_t:chr_file { getattr read write ioctl }; allow $1_t var_log_t:dir { getattr search }; dontaudit $1_t logfile:file getattr; # Check to see if cdrom is mounted allow $1_t mnt_t:dir { getattr search }; # Get attributes of file systems. allow $1_t fs_type:filesystem getattr; allow $1_t removable_t:filesystem getattr; # Read and write /dev/tty and /dev/null. allow $1_t devtty_t:chr_file rw_file_perms; allow $1_t null_device_t:chr_file rw_file_perms; allow $1_t zero_device_t:chr_file { rw_file_perms execute }; allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; # # Added to allow reading of cdrom # allow $1_t rpc_pipefs_t:dir getattr; allow $1_t nfsd_fs_t:dir getattr; allow $1_t binfmt_misc_fs_t:dir getattr; # /initrd is left mounted, various programs try to look at it dontaudit $1_t ramfs_t:dir getattr; # # Emacs wants this access # allow $1_t wtmp_t:file r_file_perms; dontaudit $1_t wtmp_t:file write; # Read the devpts root directory. allow $1_t devpts_t:dir r_dir_perms; allow $1_t src_t:dir r_dir_perms; allow $1_t src_t:notdevfile_class_set r_file_perms; if (read_default_t) { allow $1_t default_t:dir r_dir_perms; allow $1_t default_t:notdevfile_class_set r_file_perms; } read_sysctl($1_t); # # Caused by su - init scripts # dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write }; # # Running ifconfig as a user generates the following # dontaudit $1_t self:socket create; dontaudit $1_t sysctl_net_t:dir search; dontaudit $1_t default_context_t:dir search; ifdef(`rpcd.te', ` create_dir_file($1_t, nfsd_rw_t) ') ')dnl end base_user_domain macro