## Policy for user domains ####################################### ## ## The template containing rules common to unprivileged ## users and administrative users. ## ## ##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##

## This generally should not be used, rather the ## unpriv_user_template or admin_user_template should ## be used. ##

##
## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## # template(`base_user_template',` attribute $1_file_type; type $1_t, userdomain; domain_type($1_t) corecmd_shell_entry_type($1_t) role $1_r types $1_t; allow system_r $1_r; # user pseudoterminal type $1_devpts_t; term_user_pty($1_t,$1_devpts_t) # type for contents of home directory type $1_home_t, $1_file_type, home_type; files_type($1_home_t) # type of home directory type $1_home_dir_t, home_dir_type, home_type; files_type($1_home_t) type $1_tmp_t, $1_file_type; files_tmp_file($1_tmp_t) type $1_tmpfs_t; files_tmpfs_file($1_tmpfs_t) type $1_tty_device_t; term_tty($1_t,$1_tty_device_t) ############################## # # Local policy # allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow $1_t self:process { ptrace setfscreate }; allow $1_t self:fd use; allow $1_t self:fifo_file rw_file_perms; allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:unix_dgram_socket sendto; allow $1_t self:unix_stream_socket connectto; allow $1_t self:shm create_shm_perms; allow $1_t self:sem create_sem_perms; allow $1_t self:msgq create_msgq_perms; allow $1_t self:msg { send receive }; dontaudit $1_t self:socket create; # Irrelevant until we have labeled networking. #allow $1_t self:udp_socket { sendto recvfrom }; # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; # execute files in the home directory allow $1_t $1_home_t:file { rx_file_perms execute_no_trans }; # full control of the home directory allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto }; allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto }; allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto }; allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto }; allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto }; allow $1_t $1_home_dir_t:dir create_dir_perms; type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t; allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans }; # Bind to a Unix domain socket in /tmp. # cjp: this is combination is not checked and should be removed allow $1_t $1_tmp_t:unix_stream_socket name_bind; allow $1_t $1_tmpfs_t:dir rw_dir_perms; allow $1_t $1_tmpfs_t:file create_file_perms; allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms; allow $1_t $1_tmpfs_t:sock_file create_file_perms; allow $1_t $1_tmpfs_t:fifo_file create_file_perms; fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } ) allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms }; allow $1_t unpriv_userdomain:fd use; # Instantiate derived domains for a number of programs. # These derived domains encode both information about the calling # user domain and the program, and allow us to maintain separation # between different instances of the program being run by different # user domains. per_userdomain_templates($1) kernel_read_kernel_sysctl($1_t) selinux_get_fs_mount($1_t) # Very permissive allowing every domain to see every type: kernel_get_sysvipc_info($1_t) # Find CDROM devices: kernel_read_device_sysctl($1_t) dev_rw_power_management($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) corenet_tcp_sendrecv_all_if($1_t) corenet_raw_sendrecv_all_if($1_t) corenet_udp_sendrecv_all_if($1_t) corenet_tcp_sendrecv_all_nodes($1_t) corenet_raw_sendrecv_all_nodes($1_t) corenet_udp_sendrecv_all_nodes($1_t) corenet_tcp_sendrecv_all_ports($1_t) corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_bind_all_nodes($1_t) corenet_udp_bind_all_nodes($1_t) # allow port_t name binding for UDP because it is not very usable otherwise corenet_udp_bind_generic_port($1_t) dev_read_input($1_t) dev_read_misc($1_t) dev_write_misc($1_t) dev_write_snd_dev($1_t) dev_read_snd_dev($1_t) dev_read_snd_mixer_dev($1_t) dev_write_snd_mixer_dev($1_t) dev_read_rand($1_t) dev_read_urand($1_t) # open office is looking for the following dev_getattr_agp_dev($1_t) dev_dontaudit_rw_dri_dev($1_t) fs_get_all_fs_quotas($1_t) fs_getattr_all_fs($1_t) fs_search_auto_mountpoints($1_t) fs_exec_noxattr($1_t) # for eject storage_getattr_fixed_disk($1_t) auth_read_login_records($1_t) auth_dontaudit_write_login_records($1_t) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) corecmd_exec_bin($1_t) corecmd_exec_sbin($1_t) corecmd_exec_ls($1_t) domain_exec_all_entry_files($1_t) domain_use_wide_inherit_fd($1_t) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_read_all_domains_state($1_t) domain_dontaudit_getsession_all_domains($1_t) files_exec_etc_files($1_t) files_read_usr_src_files($1_t) files_search_locks($1_t) # Caused by su - init scripts init_dontaudit_use_script_pty($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) libs_exec_ld_so($1_t) libs_exec_lib_files($1_t) logging_dontaudit_getattr_all_logs($1_t) miscfiles_read_localization($1_t) miscfiles_rw_man_cache($1_t) # for running TeX programs miscfiles_read_tetex_data($1_t) miscfiles_exec_tetex_data($1_t) seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) mta_rw_spool($1_t) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; ') tunable_policy(`read_default_t',` files_list_default($1_t) files_read_default_files($1_t) files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) ') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_t) fs_manage_nfs_files($1_t) fs_manage_nfs_symlinks($1_t) fs_manage_nfs_named_sockets($1_t) fs_manage_nfs_named_pipes($1_t) fs_execute_nfs_files($1_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs($1_t) fs_manage_cifs_files($1_t) fs_manage_cifs_symlinks($1_t) fs_manage_cifs_named_sockets($1_t) fs_manage_cifs_named_pipes($1_t) fs_execute_cifs_files($1_t) ') tunable_policy(`user_direct_mouse',` dev_read_mouse($1_t) ') tunable_policy(`user_ttyfile_stat',` term_getattr_all_user_ttys($1_t) ') optional_policy(`inetd.te',` inetd_tcp_connect($1_t) ') optional_policy(`nis.te',` nis_use_ypbind($1_t) ') optional_policy(`mysql.te',` ifdef(`targeted_policy',`',` tunable_policy(`allow_user_mysql_connect',` mysql_stream_connect($1_t) ') ') ') optional_policy(`nscd.te',` nscd_use_socket($1_t) ') optional_policy(`pcmcia.te',` # to allow monitoring of pcmcia status pcmcia_read_pid($1_t) ') optional_policy(`rpm.te',` files_getattr_var_lib_dir($1_t) files_search_var_lib($1_t) ') optional_policy(`usermanage.te',` usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) ') ifdef(`TODO',` # # Cups daemon running as user tries to write /etc/printcap # dontaudit $1_t usr_t:file setattr; # Check to see if cdrom is mounted allow $1_t mnt_t:dir { getattr search }; # # Added to allow reading of cdrom # allow $1_t rpc_pipefs_t:dir getattr; allow $1_t nfsd_fs_t:dir getattr; allow $1_t binfmt_misc_fs_t:dir getattr; # /initrd is left mounted, various programs try to look at it dontaudit $1_t ramfs_t:dir getattr; # # Running ifconfig as a user generates the following # dontaudit $1_t sysctl_net_t:dir search; dontaudit $1_t default_context_t:dir search; r_dir_file($1_t, usercanread) tunable_policy(`allow_execmod',` # Allow text relocations on system shared libraries, e.g. libGL. allow $1_t texrel_shlib_t:file execmod; ') allow $1_t fs_type:dir getattr; # old "file_browse_domain": # Regular files/directories that are not security sensitive dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr; dontaudit $1_t file_type - secure_file_type:dir { read search }; # /dev dontaudit $1_t dev_fs:dir_file_class_set getattr; dontaudit $1_t dev_fs:dir { read search }; # /proc dontaudit $1_t sysctl_t:dir_file_class_set getattr; dontaudit $1_t proc_fs:dir { read search }; tunable_policy(`user_rw_noexattrfile',` create_dir_file($1_t, noexattrfile) # Write floppies storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) # cjp: what does this have to do with removable devices? allow $1_t usbtty_device_t:chr_file write; ',` r_dir_file($1_t, noexattrfile) r_dir_file($1_t, removable_t) allow $1_t removable_device_t:blk_file r_file_perms; ') allow $1_t usbtty_device_t:chr_file read; can_resmgrd_connect($1_t) # Grant permissions to access the system DBus ifdef(`dbusd.te', ` dbusd_client(system, $1) can_network_server_tcp($1_dbusd_t) allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; dbusd_client($1, $1) allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc }; dbusd_domain($1) ifdef(`hald.te', ` allow $1_t hald_t:dbus send_msg; allow hald_t $1_t:dbus send_msg; ') ') # Gnome pannel binds to the following ifdef(`cups.te', ` allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms; ') ifdef(`inetd.te', ` # Connect to inetd. can_tcp_connect($1_t, inetd_t) can_udp_send($1_t, inetd_t) can_udp_send(inetd_t, $1_t) # Inherit and use sockets from inetd allow $1_t inetd_t:fd use; allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; ') # Connect to portmap. ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') ifdef(`xserver.te', ` # for /tmp/.ICE-unix file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms; ') ifdef(`xdm.te', ` # Connect to the X server run by the X Display Manager. can_unix_connect($1_t, xdm_t) allow $1_t xdm_tmp_t:sock_file rw_file_perms; allow $1_t xdm_tmp_t:dir r_dir_perms; allow $1_t xdm_tmp_t:file r_file_perms; allow $1_t xdm_xserver_tmp_t:sock_file { read write }; allow $1_t xdm_xserver_tmp_t:dir search; allow $1_t xdm_xserver_t:unix_stream_socket connectto; # certain apps want to read xdm.pid file r_dir_file($1_t, xdm_var_run_t) allow $1_t xdm_var_lib_t:file r_file_perms; allow xdm_t $1_home_dir_t:dir getattr; ifdef(`xauth.te', ` file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file) ') # for shared memory allow xdm_xserver_t $1_tmpfs_t:file { read write }; ') ifdef(`rpcd.te', ` create_dir_file($1_t, nfsd_rw_t) ') # # Allow graphical boot to check battery lifespan # ifdef(`apmd.te', ` allow $1_t apmd_t:unix_stream_socket connectto; allow $1_t apmd_var_run_t:sock_file write; ') ifdef(`pamconsole.te', ` allow $1_t pam_var_console_t:dir search; ') ') dnl endif TODO ') ####################################### ## ## The template for creating a unprivileged user. ## ## ##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##
## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## # template(`unpriv_user_template', ` ############################## # # Declarations # # Inherit rules for ordinary users. base_user_template($1) typeattribute $1_t unpriv_userdomain; #, web_client_domain domain_wide_inherit_fd($1_t) #typeattribute $1_devpts_t userpty_type, user_tty_type; #typeattribute $1_home_dir_t user_home_dir_type; #typeattribute $1_home_t user_home_type; typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; ############################## # # Local policy # allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; term_create_pty($1_t,$1_devpts_t) # Rules used to associate a homedir as a mountpoint allow $1_home_t self:filesystem associate; allow $1_file_type $1_home_t:filesystem associate; # user temporary files allow $1_t $1_tmp_t:file create_file_perms; allow $1_t $1_tmp_t:lnk_file create_lnk_perms; allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:sock_file create_file_perms; allow $1_t $1_tmp_t:fifo_file create_file_perms; files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) # privileged home directory writers allow privhome $1_home_t:file create_file_perms; allow privhome $1_home_t:lnk_file create_lnk_perms; allow privhome $1_home_t:dir create_dir_perms; allow privhome $1_home_t:sock_file create_file_perms; allow privhome $1_home_t:fifo_file create_file_perms; type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t; kernel_read_system_state($1_t) kernel_read_network_state($1_t) dev_read_sysfs($1_t) # cjp: why? bootloader_read_kernel_symbol_table($1_t) # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) files_read_etc_files($1_t) files_list_home($1_t) files_read_usr_files($1_t) files_exec_usr_files($1_t) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. files_list_world_readable($1_t) files_read_world_readable_files($1_t) files_read_world_readable_symlinks($1_t) files_read_world_readable_pipes($1_t) files_read_world_readable_sockets($1_t) init_read_script_pid($1_t) # The library functions always try to open read-write first, # then fall back to read-only if it fails. init_dontaudit_write_script_pid($1_t) # Stop warnings about access to /dev/console init_dontaudit_use_fd($1_t) init_dontaudit_use_script_fd($1_t) miscfiles_read_man_pages($1_t) seutil_read_config($1_t) # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file seutil_exec_checkpol($1_t) tunable_policy(`user_dmesg',` kernel_read_ring_buffer($1_t) ',` kernel_dontaudit_read_ring_buffer($1_t) ') # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_generic_port($1_t) ') optional_policy(`kerberos.te',` kerberos_use($1_t) ') # for running depmod as part of the kernel packaging process optional_policy(`modutils.te',` modutils_read_module_conf($1_t) ') optional_policy(`selinuxutil.te',` # for when the network connection is killed seutil_dontaudit_signal_newrole($1_t) ') # Need the following rule to allow users to run vpnc optional_policy(`xserver.te', ` corenetwork_bind_tcp_on_xserver_port($1_t) ') ifdef(`TODO',` dontaudit $1_t boot_t:lnk_file read; dontaudit $1_t boot_t:file read; # do not audit read on disk devices dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read; ifdef(`xdm.te', ` allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:dir search; # # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp # dontaudit xdm_t $1_home_t:file rw_file_perms; ') ifdef(`ftpd.te', ` tunable_policy(`ftp_home_dir',` file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) ') ') # Stat lost+found. allow $1_t lost_found_t:dir getattr; # Read /var, /var/spool, /var/run. allow $1_t var_t:dir r_dir_perms; allow $1_t var_t:notdevfile_class_set r_file_perms; allow $1_t var_spool_t:dir r_dir_perms; allow $1_t var_spool_t:notdevfile_class_set r_file_perms; allow $1_t var_run_t:dir r_dir_perms; allow $1_t var_run_t:{ file lnk_file } r_file_perms; allow $1_t var_lib_t:dir r_dir_perms; allow $1_t var_lib_t:file { getattr read }; # Allow users to rw usb devices tunable_policy(`user_rw_usb',` rw_dir_create_file($1_t,usbdevfs_t) ',` r_dir_file($1_t,usbdevfs_t) ') # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; dontaudit $1_t sysadm_home_t:file { read append }; ifdef(`syslogd.te', ` # Some programs that are left in $1_t will try to connect # to syslogd, but we do not want to let them generate log messages. # Do not audit. dontaudit $1_t devlog_t:sock_file { read write }; dontaudit $1_t syslogd_t:unix_dgram_socket sendto; ') allow $1_t initrc_t:fifo_file write; ifdef(`user_can_mount', ` # # Allow users to mount file systems like floppies and cdrom # mount_domain($1, $1_mount, `, fs_domain') r_dir_file($1_t, mnt_t) allow $1_mount_t device_t:lnk_file read; allow $1_mount_t removable_device_t:blk_file read; allow $1_mount_t iso9660_t:filesystem relabelfrom; allow $1_mount_t removable_t:filesystem { mount relabelto }; allow $1_mount_t removable_t:dir mounton; ifdef(`xdm.te', ` allow $1_mount_t xdm_t:fd use; allow $1_mount_t xdm_t:fifo_file { read write }; ') ') ') dnl end TODO ') ####################################### ## ## The template for creating an administrative user. ## ## ##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##

## The privileges given to administrative users are: ##

##

##
## ## The prefix of the user domain (e.g., sysadm ## is the prefix for sysadm_t). ## # template(`admin_user_template',` ############################## # # Declarations # # Inherit rules for ordinary users. base_user_template($1) typeattribute $1_t privhome; #, admin, web_client_domain domain_obj_id_change_exempt($1_t) role system_r types $1_t; #ifdef(`direct_sysadm_daemon', `, priv_system_role') #; dnl end of sysadm_t type declaration typeattribute $1_devpts_t admin_terminal; typeattribute $1_tty_device_t admin_terminal; ############################## # # $1_t local policy # allow $1_t self:capability ~sys_module; allow $1_t self:process { setexec setfscreate }; # Set password information for other users. allow $1_t self:passwd { passwd chfn chsh }; # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; # Manipulate other users crontab. allow $1_t self:passwd crontab; # for the administrator to run TCP servers directly allow $1_t self:tcp_socket { acceptfrom connectto recvfrom }; allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; term_create_pty($1_t,$1_devpts_t) allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:file create_file_perms; allow $1_t $1_tmp_t:lnk_file create_file_perms; allow $1_t $1_tmp_t:fifo_file create_file_perms; allow $1_t $1_tmp_t:sock_file create_file_perms; files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set }) kernel_read_system_state($1_t) kernel_read_network_state($1_t) kernel_read_software_raid_state($1_t) kernel_getattr_core($1_t) kernel_getattr_message_if($1_t) kernel_change_ring_buffer_level($1_t) kernel_clear_ring_buffer($1_t) kernel_read_ring_buffer($1_t) kernel_get_sysvipc_info($1_t) kernel_rw_all_sysctl($1_t) # signal unlabeled processes: kernel_kill_unlabeled($1_t) kernel_signal_unlabeled($1_t) kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) # for the administrator to run TCP servers directly kernel_tcp_recvfrom($1_t) corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels corenet_use_tun_tap_device($1_t) dev_getattr_generic_blk_file($1_t) dev_getattr_generic_chr_file($1_t) dev_getattr_all_blk_files($1_t) dev_getattr_all_chr_files($1_t) fs_getattr_all_fs($1_t) fs_set_all_quotas($1_t) selinux_set_enforce_mode($1_t) selinux_set_boolean($1_t) selinux_set_parameters($1_t) # Get security policy decisions: selinux_get_fs_mount($1_t) selinux_validate_context($1_t) selinux_compute_access_vector($1_t) selinux_compute_create_context($1_t) selinux_compute_relabel_context($1_t) selinux_compute_user_contexts($1_t) storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) term_use_console($1_t) term_use_unallocated_tty($1_t) term_use_all_user_ptys($1_t) term_use_all_user_ttys($1_t) auth_getattr_shadow($1_t) # Manage almost all files auth_manage_all_files_except_shadow($1_t) # Relabel almost all files auth_relabel_all_files_except_shadow($1_t) domain_setpriority_all_domains($1_t) domain_read_all_domains_state($1_t) # signal all domains: domain_kill_all_domains($1_t) domain_signal_all_domains($1_t) domain_signull_all_domains($1_t) domain_sigstop_all_domains($1_t) domain_sigstop_all_domains($1_t) domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) files_exec_usr_files($1_t) init_use_initctl($1_t) logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) seutil_read_config($1_t) # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator # cannot directly manipulate policy files with arbitrary programs. seutil_manage_src_pol($1_t) # Violates the goal of limiting write access to checkpolicy. # But presently necessary for installing the file_contexts file. seutil_manage_binary_pol($1_t) optional_policy(`cron.te',` cron_admin_template($1) ') ifdef(`TODO',` # for lsof allow $1_t mtrr_device_t:file getattr; # for lsof allow $1_t eventpollfs_t:file getattr; allow $1_t serial_device:chr_file setattr; allow $1_t ptyfile:chr_file getattr; # Run admin programs that require different permissions in their own domain. # These rules were moved into the appropriate program domain file. ifdef(`xserver.te', ` # Create files in /tmp/.X11-unix with our X servers derived # tmp type rather than user_xserver_tmp_t. file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) ') ifdef(`xdm.te', ` tunable_policy(`xdm_sysadm_login',` allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:dir search; ') allow $1_t xdm_t:fifo_file rw_file_perms; ') # Connect data port to ftpd. ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') # Connect second port to rshd. ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') # Allow MAKEDEV to work allow $1_t device_t:dir rw_dir_perms; allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; allow $1_t device_t:lnk_file { create read }; # # A user who is authorized for sysadm_t may nonetheless have # a home directory labeled with user_home_t if the user is expected # to login in either user_t or sysadm_t. Hence, the derived domains # for programs need to be able to access user_home_t. # # Allow our gph domain to write to .xsession-errors. ifdef(`gnome-pty-helper.te', ` allow $1_gph_t user_home_dir_type:dir rw_dir_perms; allow $1_gph_t user_home_type:file create_file_perms; ') # Run programs from staff home directories. # Not ideal, but typical if users want to login as both sysadm_t or staff_t. can_exec($1_t, staff_home_t) ') dnl endif TODO ') ######################################## ## ## Execute a shell in all user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## The type of the process performing this action. ## # interface(`userdom_spec_domtrans_all_users',` gen_require(` attribute userdomain; ') corecmd_shell_spec_domtrans($1,userdomain) ') ######################################## ## ## Execute a shell in all unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## The type of the process performing this action. ## # interface(`userdom_spec_domtrans_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') corecmd_shell_spec_domtrans($1,unpriv_userdomain) ') ######################################## ## ## Execute a shell in the sysadm domain. ## ## ## The type of the process performing this action. ## # interface(`userdom_shell_domtrans_sysadm',` ifdef(`targeted_policy',` #cjp: need to doublecheck this one unconfined_shell_domtrans($1) ',` gen_require(` type sysadm_t; class fd use; class fifo_file rw_file_perms; class process sigchld; ') corecmd_shell_domtrans($1,sysadm_t) allow $1 sysadm_t:fd use; allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; ') ') ######################################## ## ## Search the staff users home directory. ## ## ## Domain to not audit. ## # interface(`userdom_search_staff_home_dir',` gen_require(` type staff_home_dir_t; class dir search; ') files_search_home($1) allow $1 staff_home_dir_t:dir search; ') ######################################## ## ## Do not audit attempts to search the staff ## users home directory. ## ## ## Domain to not audit. ## # interface(`userdom_dontaudit_search_staff_home_dir',` gen_require(` type staff_home_dir_t; class dir search; ') dontaudit $1 staff_home_dir_t:dir search; ') ######################################## ## ## Read files in the staff users home directory. ## ## ## The type of the process performing this action. ## # interface(`userdom_read_staff_home_files',` gen_require(` type staff_home_dir_t, staff_home_t; class dir r_dir_perms; class file r_file_perms; class lnk_file r_file_perms; ') files_search_home($1) allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms; allow $1 staff_home_t:{ file lnk_file } r_file_perms; ') ######################################## ## ## Read and write sysadm ttys. ## ## ## The type of the process performing this action. ## # interface(`userdom_use_sysadm_tty',` ifdef(`targeted_policy',` term_use_unallocated_tty($1) ',` gen_require(` type sysadm_tty_device_t; class chr_file rw_term_perms; ') dev_list_all_dev_nodes($1) term_list_ptys($1) allow $1 sysadm_tty_device_t:chr_file rw_term_perms; ') ') ######################################## ## ## Do not audit attempts to use sysadm ttys. ## ## ## Domain to not audit. ## # interface(`userdom_dontaudit_use_sysadm_tty',` ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty($1) ',` gen_require(` attribute sysadm_tty_device_t; class chr_file { read write }; ') dontaudit $1 sysadm_tty_device_t:chr_file { read write }; ') ') ######################################## ## ## Read and write sysadm ptys. ## ## ## The type of the process performing this action. ## # interface(`userdom_use_sysadm_pty',` ifdef(`targeted_policy',` term_use_generic_pty($1) ',` gen_require(` type sysadm_devpts_t; class chr_file rw_term_perms; ') dev_list_all_dev_nodes($1) term_list_ptys($1) allow $1 sysadm_devpts_t:chr_file rw_term_perms; ') ') ######################################## ## ## Read and write sysadm ttys and ptys. ## ## ## The type of the process performing this action. ## # interface(`userdom_use_sysadm_terms',` userdom_use_sysadm_tty($1) userdom_use_sysadm_pty($1) ') ######################################## ## ## Do not audit attempts to use sysadm ttys and ptys. ## ## ## Domain to not audit. ## # interface(`userdom_dontaudit_use_sysadm_terms',` ifdef(`targeted_policy',` term_dontaudit_use_generic_pty($1) ',` gen_require(` attribute admin_terminal; class chr_file { read write }; ') dontaudit $1 admin_terminal:chr_file { read write }; ') ') ######################################## ## ## Inherit and use sysadm file descriptors ## ## ## The type of the process performing this action. ## # interface(`userdom_use_sysadm_fd',` ifdef(`targeted_policy',` #cjp: need to doublecheck this one unconfined_use_fd($1) ',` gen_require(` type sysadm_t; class fd use; ') allow $1 sysadm_t:fd use; ') ') ######################################## ## ## Read and write sysadm user unnamed pipes. ## ## ## The type of the process performing this action. ## # interface(`userdom_rw_sysadm_pipe',` ifdef(`targeted_policy',` #cjp: need to doublecheck this one unconfined_rw_pipe($1) ',` gen_require(` type sysadm_t; class fifo_file rw_file_perms; ') allow $1 sysadm_t:fifo_file rw_file_perms; ') ') ######################################## ## ## Search the sysadm users home directory. ## ## ## Domain to not audit. ## # interface(`userdom_search_sysadm_home_dir',` gen_require(` type sysadm_home_dir_t; class dir search; ') files_search_home($1) allow $1 sysadm_home_dir_t:dir search; ') ######################################## ## ## Do not audit attempts to search the sysadm ## users home directory. ## ## ## Domain to not audit. ## # interface(`userdom_dontaudit_search_sysadm_home_dir',` gen_require(` type sysadm_home_dir_t; class dir search; ') dontaudit $1 sysadm_home_dir_t:dir search; ') ######################################## ## ## Read files in the sysadm users home directory. ## ## ## The type of the process performing this action. ## # interface(`userdom_read_sysadm_home_files',` gen_require(` type sysadm_home_dir_t, sysadm_home_t; class dir r_dir_perms; class file r_file_perms; class lnk_file r_file_perms; ') files_search_home($1) allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms; allow $1 sysadm_home_t:{ file lnk_file } r_file_perms; ') ######################################## ## ## Search all users home directories. ## ## ## The type of the process performing this action. ## # interface(`userdom_search_all_users_home',` gen_require(` attribute home_dir_type, home_type; class dir search; ') files_list_home($1) allow $1 { home_dir_type home_type }:dir search; ') ######################################## ## ## Do not audit attempts to search all users home directories. ## ## ## Domain to not audit. ## # interface(`userdom_dontaudit_search_all_users_home',` gen_require(` attribute home_dir_type, home_type; class dir search; ') dontaudit $1 { home_dir_type home_type }:dir search; ') ######################################## ## ## Read all files in all users home directories. ## ## ## The type of the process performing this action. ## # interface(`userdom_read_all_user_files',` gen_require(` attribute home_type; class dir r_dir_perms; class file r_file_perms; ') files_list_home($1) allow $1 home_type:dir r_dir_perms; allow $1 home_type:file r_file_perms; ') ######################################## ## ## Write all unprivileged users files in /tmp ## ## ## The type of the process performing this action. ## # interface(`userdom_write_unpriv_user_tmp',` gen_require(` attribute user_tmpfile; class file { getattr write append }; ') allow $1 user_tmpfile:file { getattr write append }; ') ######################################## ## ## Inherit the file descriptors from all user domains ## ## ## The type of the process performing this action. ## # interface(`userdom_use_all_user_fd',` gen_require(` attribute userdomain; class fd use; ') allow $1 userdomain:fd use; ') ######################################## ## ## Send general signals to all user domains. ## ## ## The type of the process performing this action. ## # interface(`userdom_signal_all_users',` gen_require(` attribute userdomain; class process signal; ') allow $1 userdomain:process signal; ') ######################################## ## ## Send general signals to unprivileged user domains. ## ## ## The type of the process performing this action. ## # interface(`userdom_signal_unpriv_users',` gen_require(` attribute unpriv_userdomain; class process signal; ') allow $1 unpriv_userdomain:process signal; ') ######################################## ## ## Inherit the file descriptors from unprivileged user domains. ## ## ## The type of the process performing this action. ## # interface(`userdom_use_unpriv_users_fd',` gen_require(` attribute unpriv_userdomain; class fd use; ') allow $1 unpriv_userdomain:fd use; ') ######################################## ## ## Do not audit attempts to inherit the ## file descriptors from all user domains. ## ## ## The type of the process performing this action. ## # interface(`userdom_dontaudit_use_unpriv_user_fd',` gen_require(` attribute unpriv_userdomain; class fd use; ') dontaudit $1 unpriv_userdomain:fd use; ') ######################################## ## ## Do not audit attempts to use unprivileged ## user ttys. ## ## ## The type of the process performing this action. ## # interface(`userdom_dontaudit_use_unpriv_user_tty',` gen_require(` attribute user_ttynode; class chr_file rw_file_perms; ') dontaudit $1 user_ttynode:chr_file rw_file_perms; ') ######################################## ## ## Unconfined access to user domains. ## ## ## Domain allowed access. ## # interface(`userdom_unconfined',` gen_require(` type user_home_dir_t; class dir create_dir_perms; ') allow $1 user_home_dir_t:dir create_dir_perms; files_create_home_dirs($1,user_home_dir_t) ')