policy_module(userdomain,1.0) ######################################## # # Declarations # # admin users terminals (tty and pty) attribute admin_terminal; # users home directory attribute home_dir_type; # users home directory contents attribute home_type; # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) attribute privhome; # all user domains attribute userdomain; # unprivileged user domains attribute unpriv_userdomain; # Allow execution of anonymous mappings, e.g. executable stack. bool allow_execmem false; # Support Share libraries with Text Relocation bool allow_execmod false; # Allow system to run with kerberos bool allow_kerberos false; # Allow system to run with NIS bool allow_ypbind false; # Allow reading of default_t files. bool read_default_t false; # Allow staff_r users to search the sysadm home dir and read # files (such as ~/.bashrc) bool staff_read_sysadm_file false; # Support NFS home directories bool use_nfs_home_dirs false; # Support SAMBA home directories bool use_samba_home_dirs false; # Allow regular users direct mouse access bool user_direct_mouse false; # Allow users to read system messages. bool user_dmesg false; # Allow users to control network interfaces (also needs USERCTL=true) bool user_net_control false; # Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) bool user_rw_noexattrfile false; # Allow users to rw usb devices bool user_rw_usb false; # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols bool user_tcp_server false; # Allow w to display everyone bool user_ttyfile_stat false; admin_domain_template(sysadm) user_domain_template(staff) user_domain_template(user) ######################################## # # Local policy # # user role change rules: define(`role_change',` allow $1_r $2_r; type_change $2_t $1_devpts_t:chr_file $2_devpts_t; type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; # avoid annoying messages on terminal hangup dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; ') # sysadm_r can change to user roles role_change(sysadm, user) role_change(sysadm, staff) # only staff_r can change to sysadm_r role_change(staff, sysadm) # this should be tunable_policy, but # currently type_change and RBAC allow # do not work in conditionals ifdef(`user_canbe_sysadm',` role_change(user,sysadm) ') ifdef(`TODO',` allow privhome home_root_t:dir { getattr search }; # Add/remove user home directories file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) ') ######################################## # # Sysadm local policy # # for su allow sysadm_t userdomain:fd use; optional_policy(`bootloader.te',` bootloader_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`clock.te',` clock_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`hostname.te',` hostname_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`iptables.te',` iptables_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`libraries.te',` libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`lvm.te',` lvm_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`modutils.te',` modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal) modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal) modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`mount.te',` mount_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`rpm.te',` rpm_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`selinux.te',` selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal) selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal) selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal) selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal) optional_policy(`targeted_policy',`',` selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal) ') ') optional_policy(`sysnetwork.te',` sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`usermanage.te',` usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) ')