# Copyright (C) 2005 Tresys Technology, LLC policy_module(userdomain,1.0) ######################################## # # Declarations # # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) attribute privhome; # all user domains attribute userdomain; # unprivileged user domains attribute unpriv_userdomain; # Allow execution of anonymous mappings, e.g. executable stack. bool allow_execmem false; # Support Share libraries with Text Relocation bool allow_execmod false; # Allow system to run with kerberos bool allow_kerberos false; # Allow system to run with NIS bool allow_ypbind false; # Allow reading of default_t files. bool read_default_t false; # Allow staff_r users to search the sysadm home dir and read # files (such as ~/.bashrc) bool staff_read_sysadm_file false; # Support NFS home directories bool use_nfs_home_dirs false; # Support SAMBA home directories bool use_samba_home_dirs false; # Allow regular users direct mouse access bool user_direct_mouse false; # Allow users to read system messages. bool user_dmesg false; # Allow users to control network interfaces (also needs USERCTL=true) bool user_net_control false; # Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY) bool user_rw_noexattrfile false; # Allow users to rw usb devices bool user_rw_usb false; # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols bool user_tcp_server false; # Allow w to display everyone bool user_ttyfile_stat false; user_domain_template(staff) user_domain_template(user) type sysadm_t; domain_make_domain(sysadm_t) per_userdomain_templates(sysadm) ######################################## # # Local policy #