# Home macros

################################################
# network_home(source)
#
# Allows source domain to use a network home
# This includes privileges of create and execute
# as well as the ability to create sockets and fifo

define(`network_home', `
allow $1 autofs_t:dir { search getattr };

if (use_nfs_home_dirs) {
create_dir_file($1, nfs_t)
can_exec($1, nfs_t)
allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
}

if (use_samba_home_dirs) {
create_dir_file($1, cifs_t)
can_exec($1, cifs_t)
allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
}
') dnl network_home

################################################
# write_network_home(source)
#
# Allows source domain to create directories and
# files on network file system

define(`write_network_home', `
allow $1 home_root_t:dir search;

if (use_nfs_home_dirs) {
create_dir_file($1, nfs_t)
}
if (use_samba_home_dirs) {
create_dir_file($1, cifs_t)
}
allow $1 autofs_t:dir { search getattr };
') dnl write_network_home

################################################
# read_network_home(source)
#
# Allows source domain to read directories and
# files on network file system

define(`read_network_home', `
allow $1 home_root_t:dir search;

if (use_nfs_home_dirs) {
r_dir_file($1, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file($1, cifs_t)
}
allow $1 autofs_t:dir { search getattr };
') dnl read_network_home

##################################################
# home_domain_ro_access(source, user, app)
#
# Gives source access to the read-only home
# domain of app for the given user type

define(`home_domain_ro_access', `
allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
read_network_home($1)
r_dir_file($1, $2_$3_ro_home_t)
') dnl home_domain_ro_access

#################################################
# home_domain_access(source, user, app)
#
# Gives source full access to the home
# domain of app for the given user type
#
# Requires transition in caller

define(`home_domain_access', `
allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
write_network_home($1)
create_dir_file($1, $2_$3_home_t)
') dnl home_domain_access

####################################################################
# home_domain (prefix, app)
#
# Creates a domain in the prefix home where an application can
# store its settings. It is accessible by the prefix domain.
#
# Requires transition in caller

define(`home_domain', `

# Declare home domain
type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
typealias $1_$2_home_t alias $1_$2_rw_t;

# User side access
create_dir_file($1_t, $1_$2_home_t)
allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };

# App side access
home_domain_access($1_$2_t, $1, $2)
')

####################################################################
# home_domain_ro (user, app)
#
# Creates a read-only domain in the user home where an application can
# store its settings. It is fully accessible by the user, but
# it is read-only for the application.
#

define(`home_domain_ro', `

# Declare home domain
type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
typealias $1_$2_ro_home_t alias $1_$2_ro_t;

# User side access
create_dir_file($1_t, $1_$2_ro_home_t)
allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };

# App side access
home_domain_ro_access($1_$2_t, $1, $2)
')