# Copyright (C) 2005 Tresys Technology, LLC policy_module(userdomain,1.0) ######################################## # # Declarations # # admin users terminals (tty and pty) attribute admin_terminal; # users home directory attribute home_dir_type; # users home directory contents attribute home_type; # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) attribute privhome; # all user domains attribute userdomain; # unprivileged user domains attribute unpriv_userdomain; # Allow execution of anonymous mappings, e.g. executable stack. bool allow_execmem false; # Support Share libraries with Text Relocation bool allow_execmod false; # Allow system to run with kerberos bool allow_kerberos false; # Allow system to run with NIS bool allow_ypbind false; # Allow reading of default_t files. bool read_default_t false; # Allow staff_r users to search the sysadm home dir and read # files (such as ~/.bashrc) bool staff_read_sysadm_file false; # Support NFS home directories bool use_nfs_home_dirs false; # Support SAMBA home directories bool use_samba_home_dirs false; # Allow regular users direct mouse access bool user_direct_mouse false; # Allow users to read system messages. bool user_dmesg false; # Allow users to control network interfaces (also needs USERCTL=true) bool user_net_control false; # Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) bool user_rw_noexattrfile false; # Allow users to rw usb devices bool user_rw_usb false; # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols bool user_tcp_server false; # Allow w to display everyone bool user_ttyfile_stat false; user_domain_template(staff) user_domain_template(user) ######################################## # # Local policy # #allow privhome home_root_t:dir { getattr search }; # Add/remove user home directories #file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) ######################################## # # Sysadm local policy # admin_domain_template(sysadm) # for su allow sysadm_t userdomain:fd use; optional_policy(`iptables.te',` iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`libraries.te',` libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`lvm.te',` lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`modutils.te',` modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`mount.te',` mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`rpm.te',` rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`selinux.te',` selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) optional_policy(`targeted_policy',`',` selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') ') optional_policy(`sysnetwork.te',` sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(`clock.te',` clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) ')