# # Macros for all user login domains. # # # user_domain(domain_prefix) # # Define derived types and rules for an ordinary user domain. # # The type declaration and role authorization for the domain must be # provided separately. Likewise, domain transitions into this domain # must be specified separately. # # user_domain() is also called by the admin_domain() macro undefine(`user_domain') define(`user_domain', ` # Use capabilities # Type for home directory. type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type; type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type; tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }') # Type and access for pty devices. can_create_pty($1, `, userpty_type, user_tty_type') #Type for tty devices. type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs; base_user_domain($1) # do not allow privhome access to sysadm_home_dir_t file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t) allow $1_t boot_t:dir { getattr search }; dontaudit $1_t boot_t:lnk_file read; dontaudit $1_t boot_t:file read; allow $1_t system_map_t:file { getattr read }; # Instantiate derived domains for a number of programs. # These derived domains encode both information about the calling # user domain and the program, and allow us to maintain separation # between different instances of the program being run by different # user domains. ifdef(`apache.te', `apache_domain($1)') ifdef(`slocate.te', `locate_domain($1)') ifdef(`lockdev.te', `lockdev_domain($1)') can_kerberos($1_t) # allow port_t name binding for UDP because it is not very usable otherwise allow $1_t port_t:udp_socket name_bind; # # Need the following rule to allow users to run vpnc # ifdef(`xserver.te', ` allow $1_t xserver_port_t:tcp_socket name_bind; ') # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols if (user_tcp_server) { allow $1_t port_t:tcp_socket name_bind; } # port access is audited even if dac would not have allowed it, so dontaudit it here dontaudit $1_t reserved_port_type:tcp_socket name_bind; # Allow system log read if (user_dmesg) { allow $1_t kernel_t:system syslog_read; } else { # else do not log it dontaudit $1_t kernel_t:system syslog_read; } # Allow read access to utmp. allow $1_t initrc_var_run_t:file { getattr read lock }; # The library functions always try to open read-write first, # then fall back to read-only if it fails. # Do not audit write denials to utmp to avoid the noise. dontaudit $1_t initrc_var_run_t:file write; # do not audit read on disk devices dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read; ifdef(`xdm.te', ` allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:dir search; # # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp # dontaudit xdm_t $1_home_t:file rw_file_perms; ')dnl end ifdef xdm.te ifdef(`ftpd.te', ` if (ftp_home_dir) { file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t) } ')dnl end ifdef ftpd ')dnl end user_domain macro ########################################################################### # # Domains for ordinary users. # undefine(`full_user_role') define(`full_user_role', ` # user_t/$1_t is an unprivileged users domain. type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd; attribute $1_file_type; # Grant read/search permissions to some of /proc. r_dir_file($1_t, proc_t) r_dir_file($1_t, proc_net_t) base_file_read_access($1_t) can_exec($1_t, usr_t) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. allow $1_t readable_t:dir r_dir_perms; allow $1_t readable_t:notdevfile_class_set r_file_perms; # Stat lost+found. allow $1_t lost_found_t:dir getattr; # Read /var, /var/spool, /var/run. allow $1_t var_t:dir r_dir_perms; allow $1_t var_t:notdevfile_class_set r_file_perms; allow $1_t var_spool_t:dir r_dir_perms; allow $1_t var_spool_t:notdevfile_class_set r_file_perms; allow $1_t var_run_t:dir r_dir_perms; allow $1_t var_run_t:{ file lnk_file } r_file_perms; allow $1_t var_lib_t:dir r_dir_perms; allow $1_t var_lib_t:file { getattr read }; read_sysctl($1_t) # Read /etc. allow $1_t etc_t:dir r_dir_perms; allow $1_t etc_t:notdevfile_class_set r_file_perms; allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms; # for running depmod as part of the kernel packaging process allow $1_t modules_conf_t:file { getattr read }; # Read man directories and files. allow $1_t man_t:dir r_dir_perms; allow $1_t man_t:notdevfile_class_set r_file_perms; # Allow users to rw usb devices if (user_rw_usb) { rw_dir_create_file($1_t,usbdevfs_t) } else { r_dir_file($1_t,usbdevfs_t) } r_dir_file($1_t,sysfs_t) # Read /dev directories and any symbolic links. allow $1_t device_t:dir r_dir_perms; allow $1_t device_t:lnk_file r_file_perms; # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; # Execute from the system shared libraries. uses_shlib($1_t); # $1_t is also granted permissions specific to user domains. user_domain($1) dontaudit $1_t sysadm_home_t:file { read append }; ifdef(`syslogd.te', ` # Some programs that are left in $1_t will try to connect # to syslogd, but we do not want to let them generate log messages. # Do not audit. dontaudit $1_t devlog_t:sock_file { read write }; dontaudit $1_t syslogd_t:unix_dgram_socket sendto; ') # Stop warnings about access to /dev/console dontaudit $1_t init_t:fd use; dontaudit $1_t initrc_t:fd use; allow $1_t initrc_t:fifo_file write; ifdef(`user_can_mount', ` # # Allow users to mount file systems like floppies and cdrom # mount_domain($1, $1_mount, `, fs_domain') r_dir_file($1_t, mnt_t) allow $1_mount_t device_t:lnk_file read; allow $1_mount_t removable_device_t:blk_file read; allow $1_mount_t iso9660_t:filesystem relabelfrom; allow $1_mount_t removable_t:filesystem { mount relabelto }; allow $1_mount_t removable_t:dir mounton; ifdef(`xdm.te', ` allow $1_mount_t xdm_t:fd use; allow $1_mount_t xdm_t:fifo_file { read write }; ') ') # # Rules used to associate a homedir as a mountpoint # allow $1_home_t self:filesystem associate; allow $1_file_type $1_home_t:filesystem associate; ') undefine(`in_user_role') define(`in_user_role', ` role user_r types $1; role staff_r types $1; ')