Policy for user domains
Create objects in generic user home directories with automatic file type transition.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
| object_class | The class of the object to be created. If not specified, file is used. | yes | 
Create generic user home directories with automatic file type transition.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Do not audit attempts to list the sysadm users home directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Do not audit attempts to search all users home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Do not audit attempts to search the staff users home directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Do not audit attempts to search the sysadm users home directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Do not audit attempts to use sysadm ttys and ptys.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Do not audit attempts to use sysadm ttys.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Do not audit attempts to inherit the file descriptors from all user domains.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Do not audit attempts to use unprivileged user ttys.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete generic user home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Create, read, write, and delete subdirectories of generic user home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Create, read, write, and delete files in generic user home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Create, read, write, and delete named pipes in generic user home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Create, read, write, and delete named sockets in generic user home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Create, read, write, and delete symbolic links in generic user home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Read all files in all users home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read files in the staff users home directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read files in the sysadm users home directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write sysadm user unnamed pipes.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Search all users home directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Search the staff users home directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Search the sysadm users home directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain to not audit. | No | 
Execute a shell in the sysadm domain.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Send a SIGCHLD signal to all user domains.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Send general signals to all user domains.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Send general signals to unprivileged user domains.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Execute a shell in all user domains. This is an explicit transition, requiring the caller to use setexeccon().
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Unconfined access to user domains.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Inherit the file descriptors from all user domains
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Inherit and use sysadm file descriptors
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write sysadm ptys.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write sysadm ttys and ptys.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write sysadm ttys.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Inherit the file descriptors from unprivileged user domains.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Write all unprivileged users files in /tmp
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
The template for creating an administrative user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The privileges given to administrative users are:
Raw disk access
Set all sysctls
All kernel ring buffer controls
Set SELinux enforcement mode (enforcing/permissive)
Set SELinux booleans
Relabel all files but shadow
Create, read, write, and delete all files but shadow
Manage source and binary format SELinux policy
Run insmod
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., sysadm is the prefix for sysadm_t). | No | 
The template containing rules common to unprivileged users and administrative users.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
This generally should not be used, rather the unpriv_user_template or admin_user_template should be used.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
The template for creating a unprivileged user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
Execute user home files.
Execute user home files.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete files in a user home subdirectory.
Create, read, write, and delete files in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete symbolic links in a user home subdirectory.
Create, read, write, and delete symbolic links in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete user temporary directories.
Create, read, write, and delete user temporary directories.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete user temporary files.
Create, read, write, and delete user temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete user temporary named pipes.
Create, read, write, and delete user temporary named pipes.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete user temporary named sockets.
Create, read, write, and delete user temporary named sockets.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Create, read, write, and delete user temporary symbolic links.
Create, read, write, and delete user temporary symbolic links.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Read user home files.
Read user home files.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No | 
Read and write a user domain tty and pty.
Read and write a user domain tty and pty.
This is a templated interface, and should only be called from a per-userdomain template.
| Parameter: | Description: | Optional: | 
|---|---|---|
| userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No | 
| domain | The type of the process performing this action. | No |