#DESC User - Domains for ordinary users. # ################################# # Booleans for user domains. # Allow users to read system messages. bool user_dmesg false; # Support NFS home directories bool use_nfs_home_dirs false; # Allow execution of anonymous mappings, e.g. executable stack. bool allow_execmem false; # Support Share libraries with Text Relocation bool allow_execmod false; # Support SAMBA home directories bool use_samba_home_dirs false; # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols bool user_tcp_server false; # Allow system to run with NIS bool allow_ypbind false; # Allow system to run with kerberos bool allow_kerberos false; # Allow users to rw usb devices bool user_rw_usb false; # Allow users to control network interfaces (also needs USERCTL=true) bool user_net_control false; # Allow regular users direct mouse access bool user_direct_mouse false; # Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) bool user_rw_noexattrfile false; # Allow reading of default_t files. bool read_default_t false; # Allow staff_r users to search the sysadm home dir and read # files (such as ~/.bashrc) bool staff_read_sysadm_file false; # change from role $1_r to $2_r and relabel tty appropriately define(`role_tty_type_change', ` allow $1_r $2_r; type_change $2_t $1_devpts_t:chr_file $2_devpts_t; type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t; # avoid annoying messages on terminal hangup dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl; ') # Reach sysadm_t via programs like userhelper/sudo/su undefine(`reach_sysadm') define(`reach_sysadm', ` ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`sudo.te', `sudo_domain($1)') ifdef(`su.te', ` su_domain($1) # When an ordinary user domain runs su, su may try to # update the /root/.Xauthority file, and the user shell may # try to update the shell history. This is not allowed, but # we dont need to audit it. dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search; dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms; dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms; ') dnl ifdef su.te ') # Privileged user domain undefine(`priv_user') define(`priv_user', ` # Reach sysadm_t reach_sysadm($1) # Read file_contexts for rpm and get security decisions. r_dir_file($1_t, file_context_t) can_getsecurity($1_t) # Signal and see information about unprivileged user domains. allow $1_t unpriv_userdomain:process signal_perms; can_ps($1_t, unpriv_userdomain) allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr; # Read /root files if boolean is enabled. if (staff_read_sysadm_file) { allow $1_t sysadm_home_dir_t:dir { getattr search }; allow $1_t sysadm_home_t:file { getattr read }; } ') dnl priv_user full_user_role(user) ifdef(`user_canbe_sysadm', ` reach_sysadm(user) role_tty_type_change(user, sysadm) ') # Do not add any rules referring to user_t to this file! That will break # support for multiple user roles. # a role for staff that allows seeing all domains and control over the user_t # domain full_user_role(staff) priv_user(staff) # if adding new user roles make sure you edit the in_user_role macro in # macros/user_macros.te to match # lots of user programs accidentally search /root, and also the admin often # logs in as UID=0 domain=user_t... dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; # # Allow the user roles to transition # into each other. role_tty_type_change(sysadm, user) role_tty_type_change(staff, sysadm) role_tty_type_change(sysadm, staff) # "ps aux" and "ls -l /dev/pts" make too much noise without this dontaudit unpriv_userdomain ptyfile:chr_file getattr;