Policy for user domains
Create objects in generic user home directories with automatic file type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
object_class | The class of the object to be created. If not specified, file is used. | yes |
Create generic user home directories with automatic file type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create objects in sysadm home directories with automatic file type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
object_class | The class of the object to be created. If not specified, file is used. | yes |
Send a dbus message to all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to get the attributes of the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attepts to get the attributes of sysadm ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to list the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to search all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to search the staff users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to search the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Don't audit search on the user home subdirectory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to inherit the file descriptors from any user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Dont audit attempts to read and write sysadm ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to use sysadm ttys and ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to use sysadm ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to inherit the file descriptors from all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to use unprivileged user ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to use unprivileged user ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
List the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read all unprivileged users temporary directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete all directories in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete all files in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete all symlinks in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete subdirectories of generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete files in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete named pipes in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete named sockets in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, read, write, and delete symbolic links in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Make the specified domain a privileged home directory manager.
Make the specified domain a privileged home directory manager. This domain will be able to manage the contents of all users general home directory content, and create files with the correct context.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read all files in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the process state of all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read files in the staff users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read files in the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read all unprivileged users home directory files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read all unprivileged users temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read all unprivileged users temporary symbolic links.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write sysadm user unnamed pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the staff users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Search the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Search the sysadm users home sub directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Search all unprivileged users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of user ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Execute a shell in the sysadm domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send a SIGCHLD signal to all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send a SIGCHLD signal to sysadm users.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send general signals to all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send general signals to unprivileged user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Execute a shell in all user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Unconfined access to user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Inherit the file descriptors from all user domains
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Inherit and use sysadm file descriptors
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write sysadm ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write sysadm ttys and ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write sysadm ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write unprivileged user ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Inherit the file descriptors from unprivileged user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write all unprivileged users files in /tmp
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
The template for creating an administrative user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The privileges given to administrative users are:
Raw disk access
Set all sysctls
All kernel ring buffer controls
Set SELinux enforcement mode (enforcing/permissive)
Set SELinux booleans
Relabel all files but shadow
Create, read, write, and delete all files but shadow
Manage source and binary format SELinux policy
Run insmod
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., sysadm is the prefix for sysadm_t). | No |
The template containing rules common to unprivileged users and administrative users.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
This generally should not be used, rather the unpriv_user_template or admin_user_template should be used.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for creating a unprivileged user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Create, read, write, and delete named sockets in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
object_class | The class of the object to be created. If not specified, file is used. | yes |
private_type | The type of the object to create. If this is not specified, the regular home directory type is used. | yes |
Execute user home files.
Execute user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Make the specified type usable in a user home directory.
Make the specified type usable in a user home directory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
type | Type to be used as a file in the user home directory. | No |
Create, read, write, and delete files in a user home subdirectory.
Create, read, write, and delete files in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete named pipes in a user home subdirectory.
Create, read, write, and delete named pipes in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete named sockets in a user home subdirectory.
Create, read, write, and delete named sockets in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete symbolic links in a user home subdirectory.
Create, read, write, and delete symbolic links in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete symbolic links in a user home subdirectory.
Create, read, write, and delete symbolic links in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete user temporary directories.
Create, read, write, and delete user temporary directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete user temporary files.
Create, read, write, and delete user temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete user temporary named pipes.
Create, read, write, and delete user temporary named pipes.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete user temporary named sockets.
Create, read, write, and delete user temporary named sockets.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Create, read, write, and delete user temporary symbolic links.
Create, read, write, and delete user temporary symbolic links.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Read user home files.
Read user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Search user home directories.
Search user home directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Read and write a user domain tty and pty.
Read and write a user domain tty and pty.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |