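policy_module(userdomain, 3.0.1)

########################################
#
# Declarations
#

# Every tunable in this section is declared with a default of false, so the
# access it describes stays denied until an administrator turns the tunable on.
# The conditional rules that consume these tunables are not part of this
# section; audit them together with any change to a default.
#
# The "##" lines are the tunable documentation markup. Reviewer notes use a
# single "#" and sit above each markup block so the markup stays contiguous
# with its gen_tunable() line.

## <desc>
## <p>
## Allow users to connect to mysql
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect,false)

## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(allow_user_postgresql_connect,false)

## <desc>
## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
gen_tunable(user_direct_mouse,false)

# NOTE(review): kernel messages can disclose kernel and hardware details to
# unprivileged users; leave this off unless there is a concrete need.
## <desc>
## <p>
## Allow users to read system messages.
## </p>
## </desc>
gen_tunable(user_dmesg,false)

# NOTE(review): filesystems without extended attributes cannot store a label
# per file, so this access cannot be narrowed to individual files on such
# media. Confirm against the rules that use this tunable.
## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile,false)

# NOTE(review): the name suggests this grants stat access on other users' tty
# files so that w can list every session; verify against the conditional rules.
## <desc>
## <p>
## Allow w to display everyone
## </p>
## </desc>
gen_tunable(user_ttyfile_stat,false)

# admin users terminals (tty and pty)
attribute admin_terminal;

# users home directory
attribute home_dir_type;

# users home directory contents
attribute home_type;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
# Membership is therefore a privilege: keep the set of domains carrying this
# attribute small and review each addition.
attribute privhome;

# all unprivileged users home directories
attribute user_home_dir_type;
attribute user_home_type;

# all unprivileged users ptys
attribute user_ptynode;

# all unprivileged users tmp files
attribute user_tmpfile;

# all unprivileged users ttys
attribute user_ttynode;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

# NOTE(review): these two attributes carry no description in this file. The
# names suggest they group types holding untrusted content and its temporary
# files; confirm against the interfaces that assign them.
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;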