Layer: system

Module: userdomain

Description:

Policy for user domains

Interfaces:

userdom_dontaudit_search_all_users_home(
	
		domain
		
	)

Summary

Do not audit attempts to search all users home directories.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

userdom_dontaudit_search_staff_home_dir(
	
		domain
		
	)

Summary

Do not audit attempts to search the staff users home directory.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

userdom_dontaudit_search_sysadm_home_dir(
	
		domain
		
	)

Summary

Do not audit attempts to search the sysadm users home directory.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

userdom_dontaudit_use_sysadm_terms(
	
		domain
		
	)

Summary

Do not audit attempts to use sysadm ttys and ptys.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

userdom_dontaudit_use_sysadm_tty(
	
		domain
		
	)

Summary

Do not audit attempts to use sysadm ttys.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

userdom_dontaudit_use_unpriv_user_fd(
	
		domain
		
	)

Summary

Do not audit attempts to inherit the file descriptors from all user domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_dontaudit_use_unpriv_user_tty(
	
		domain
		
	)

Summary

Do not audit attempts to use unprivileged user ttys.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_read_all_user_files(
	
		domain
		
	)

Summary

Read all files in all users home directories.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_read_staff_home_files(
	
		domain
		
	)

Summary

Read files in the staff users home directory.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_read_sysadm_home_files(
	
		domain
		
	)

Summary

Read files in the sysadm users home directory.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_rw_sysadm_pipe(
	
		domain
		
	)

Summary

Read and write sysadm user unnamed pipes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_search_all_users_home(
	
		domain
		
	)

Summary

Search all users home directories.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_search_staff_home_dir(
	
		domain
		
	)

Summary

Search the staff users home directory.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

userdom_search_sysadm_home_dir(
	
		domain
		
	)

Summary

Search the sysadm users home directory.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

userdom_shell_domtrans_sysadm(
	
		domain
		
	)

Summary

Execute a shell in the sysadm domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_signal_all_users(
	
		domain
		
	)

Summary

Send general signals to all user domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_signal_unpriv_users(
	
		domain
		
	)

Summary

Send general signals to unprivileged user domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_spec_domtrans_all_users(
	
		domain
		
	)

Summary

Execute a shell in all user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_spec_domtrans_unpriv_users(
	
		domain
		
	)

Summary

Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_unconfined(
	
		domain
		
	)

Summary

Unconfined access to user domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

userdom_use_all_user_fd(
	
		domain
		
	)

Summary

Inherit the file descriptors from all user domains

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_use_sysadm_fd(
	
		domain
		
	)

Summary

Inherit and use sysadm file descriptors

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_use_sysadm_pty(
	
		domain
		
	)

Summary

Read and write sysadm ptys.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_use_sysadm_terms(
	
		domain
		
	)

Summary

Read and write sysadm ttys and ptys.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_use_sysadm_tty(
	
		domain
		
	)

Summary

Read and write sysadm ttys.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_use_unpriv_users_fd(
	
		domain
		
	)

Summary

Inherit the file descriptors from unprivileged user domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

userdom_write_unpriv_user_tmp(
	
		domain
		
	)

Summary

Write all unprivileged users files in /tmp

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

Return

Templates:

admin_user_template(
	
		userdomain_prefix
		
	)

Summary

The template for creating an administrative user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

The privileges given to administrative users are:

Raw disk access

Set all sysctls

All kernel ring buffer controls

Set SELinux enforcement mode (enforcing/permissive)

Set SELinux booleans

Relabel all files but shadow

Create, read, write, and delete all files but shadow

Manage source and binary format SELinux policy

Run insmod

Parameters

Parameter:	Description:	Optional:
userdomain_prefix	The prefix of the user domain (e.g., sysadm is the prefix for sysadm_t).	No

base_user_template(
	
		userdomain_prefix
		
	)

Summary

The template containing rules common to unprivileged users and administrative users.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

This generally should not be used, rather the unpriv_user_template or admin_user_template should be used.

Parameters

Parameter:	Description:	Optional:
userdomain_prefix	The prefix of the user domain (e.g., user is the prefix for user_t).	No

unpriv_user_template(
	
		userdomain_prefix
		
	)

Summary

The template for creating a unprivileged user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters

Parameter:	Description:	Optional:
userdomain_prefix	The prefix of the user domain (e.g., user is the prefix for user_t).	No

Return