selinux-policy/policy/modules/system/userdomain.if
Dominick Grift bf530f532c Various permission set fixes.
Fix various interfaces to use permission sets for compatibility with the open permission.

Also use other permission sets where possible, because applicable permission sets are available and the use of permission sets is generally encouraged for compatibility.

The use of the exec_file_perms permission set may not be a good idea though, since it may be a bit too coarse.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-03 13:10:55 -05:00


## <summary>Policy for user domains</summary>
#######################################
## <summary>
##	The template containing the most basic rules common to all users.
## </summary>
## <desc>
##	<p>
##	The template containing the most basic rules common to all users.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty and pty.
##	</p>
##	<p>
##	Only self access, read access to shared system configuration and
##	world-readable content, and the user's own tty/pty are granted here.
##	Network, home directory, tmp and tmpfs access are added by the other
##	templates and interfaces in this module.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_base_user_template',`
	gen_require(`
		attribute userdomain;
		type user_devpts_t, user_tty_device_t;
		class context contains;
	')

	# Per-prefix attribute collecting the user's private file types,
	# and the user process domain itself.
	attribute $1_file_type;

	type $1_t, userdomain;
	domain_type($1_t)
	# Shells and generic binaries are valid entry points into $1_t.
	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)
	ubac_constrained($1_t)
	role $1_r types $1_t;
	# Permit the role change system_r -> $1_r (login, newrole).
	allow system_r $1_r;

	term_user_pty($1_t, user_devpts_t)
	term_user_tty($1_t, user_tty_device_t)

	# Self access for signals, scheduling, sessions and SysV IPC.
	# Note: ptrace, setcurrent and setexec are deliberately absent from
	# this set; userdom_login_user_template widens process permissions later.
	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_fifo_file_perms;
	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	allow $1_t self:context contains;
	# Generic (non-specific family) socket creation is denied silently.
	dontaudit $1_t self:socket create;

	# Own pty: read/write plus setattr, and creation of new ptys.
	allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
	term_create_pty($1_t, user_devpts_t)
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_t user_devpts_t:chr_file ioctl;

	# Own tty: read/write plus setattr.
	allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_t user_tty_device_t:chr_file ioctl;

	kernel_read_kernel_sysctls($1_t)
	# Unlabeled objects: silence the list/getattr denials rather than
	# granting access to them.
	kernel_dontaudit_list_unlabeled($1_t)
	kernel_dontaudit_getattr_unlabeled_files($1_t)
	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)

	dev_dontaudit_getattr_all_blk_files($1_t)
	dev_dontaudit_getattr_all_chr_files($1_t)

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_t)
	domain_dontaudit_getattr_all_domains($1_t)
	domain_dontaudit_getsession_all_domains($1_t)

	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)
	files_read_usr_files($1_t)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_t)
	files_read_world_readable_files($1_t)
	files_read_world_readable_symlinks($1_t)
	files_read_world_readable_pipes($1_t)
	files_read_world_readable_sockets($1_t)
	# old browser_domain():
	# non-security files that the user cannot read are not audited
	# (noise from file managers and shell completion).
	files_dontaudit_list_non_security($1_t)
	files_dontaudit_getattr_non_security_files($1_t)
	files_dontaudit_getattr_non_security_symlinks($1_t)
	files_dontaudit_getattr_non_security_pipes($1_t)
	files_dontaudit_getattr_non_security_sockets($1_t)

	libs_exec_ld_so($1_t)

	miscfiles_read_localization($1_t)
	miscfiles_read_certs($1_t)

	sysnet_read_config($1_t)

	# Executable memory is off by default and controlled by booleans;
	# the execstack rule additionally requires execmem.
	tunable_policy(`allow_execmem',`
		# Allow loading DSOs that require executable stack.
		allow $1_t self:process execmem;
	')

	tunable_policy(`allow_execmem && allow_execstack',`
		# Allow making the stack executable via mprotect.
		allow $1_t self:process execstack;
	')
')
#######################################
## <summary>
##	Allow a home directory for which the
##	role has read-only access.
## </summary>
## <desc>
##	<p>
##	Allow a home directory for which the
##	role has read-only access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
##	<p>
##	NFS and CIFS home directories are covered only when the
##	use_nfs_home_dirs / use_samba_home_dirs booleans are enabled;
##	otherwise the corresponding denials are silenced.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_ro_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	# Authorize the role for the home directory types.
	role $1 types { user_home_t user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	# Polyinstantiated home directory members keep the home dir type.
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# read-only home directory
	allow $2 user_home_dir_t:dir list_dir_perms;
	allow $2 user_home_t:dir list_dir_perms;
	# entrypoint (not execute) on home content: a user_home_t file may be
	# the entry point of a transition into $2.
	allow $2 user_home_t:file entrypoint;
	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	files_list_home($2)

	tunable_policy(`use_nfs_home_dirs',`
		fs_list_nfs($2)
		fs_read_nfs_files($2)
		fs_read_nfs_symlinks($2)
		fs_read_nfs_named_sockets($2)
		fs_read_nfs_named_pipes($2)
	',`
		fs_dontaudit_list_nfs($2)
		fs_dontaudit_read_nfs_files($2)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_list_cifs($2)
		fs_read_cifs_files($2)
		fs_read_cifs_symlinks($2)
		fs_read_cifs_named_sockets($2)
		fs_read_cifs_named_pipes($2)
	',`
		fs_dontaudit_list_cifs($2)
		fs_dontaudit_read_cifs_files($2)
	')
')
#######################################
## <summary>
##	Allow a home directory for which the
##	role has full access.
## </summary>
## <desc>
##	<p>
##	Allow a home directory for which the
##	role has full access.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
##	<p>
##	Full access includes relabeling of home content and new objects
##	created in the home directory are labeled user_home_t.
##	NFS and CIFS home directories are covered only when the
##	use_nfs_home_dirs / use_samba_home_dirs booleans are enabled.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	The user role
##	</summary>
## </param>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_home_role',`
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	# Authorize the role for the home directory types.
	role $1 types { user_home_t user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	# Polyinstantiated home directory members keep the home dir type.
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# full control of the home directory
	# entrypoint (not execute) on home content: a user_home_t file may be
	# the entry point of a transition into $2.
	allow $2 user_home_t:file entrypoint;
	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	# New objects created directly in the home directory get user_home_t.
	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
	files_list_home($2)

	# cjp: this should probably be removed:
	# This grants manage and relabel on the home directory *itself*
	# (user_home_dir_t), not only on its contents; the patterns above
	# already cover everything below it.
	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($2)
		fs_manage_nfs_files($2)
		fs_manage_nfs_symlinks($2)
		fs_manage_nfs_named_sockets($2)
		fs_manage_nfs_named_pipes($2)
	',`
		fs_dontaudit_manage_nfs_dirs($2)
		fs_dontaudit_manage_nfs_files($2)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($2)
		fs_manage_cifs_files($2)
		fs_manage_cifs_symlinks($2)
		fs_manage_cifs_named_sockets($2)
		fs_manage_cifs_named_pipes($2)
	',`
		fs_dontaudit_manage_cifs_dirs($2)
		fs_dontaudit_manage_cifs_files($2)
	')
')
#######################################
## <summary>
##	Manage user temporary files
## </summary>
## <desc>
##	<p>
##	Full control over user_tmp_t content, including polyinstantiated
##	/tmp membership, and a type transition so that objects the domain
##	creates in generic tmp directories are labeled user_tmp_t.
##	Execute access is not included (see userdom_exec_user_tmp_files).
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_tmp_role',`
	gen_require(`
		type user_tmp_t;
	')

	role $1 types user_tmp_t;

	files_poly_member_tmp($2, user_tmp_t)

	manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
	manage_files_pattern($2, user_tmp_t, user_tmp_t)
	manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
')
#######################################
## <summary>
##	Execute user temporary files.
## </summary>
## <desc>
##	<p>
##	Allow the domain to execute files labeled user_tmp_t (no domain
##	transition) and to search the generic tmp directories to reach them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_exec_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	exec_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
#######################################
## <summary>
##	Role access for the user tmpfs type,
##	with full control for the domain.
## </summary>
## <desc>
##	<p>
##	Authorize the role for user_tmpfs_t and give the domain full
##	control over user_tmpfs_t content, with a type transition so
##	that objects it creates on tmpfs are labeled user_tmpfs_t.
##	</p>
##	<p>
##	This does not allow execute access.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_manage_tmpfs_role',`
	gen_require(`
		type user_tmpfs_t;
	')

	role $1 types user_tmpfs_t;

	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
')
#######################################
## <summary>
##	The template allowing the user basic
##	network permissions
## </summary>
## <desc>
##	<p>
##	Client-side networking only: the domain may create TCP and UDP
##	sockets, send and receive on all interfaces, nodes and ports, and
##	connect to any TCP port. Binding (server side) is not granted here;
##	it is added by other templates, partly under booleans.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_basic_networking_template',`
	gen_require(`
		type $1_t;
	')

	allow $1_t self:tcp_socket create_stream_socket_perms;
	allow $1_t self:udp_socket create_socket_perms;

	# Accept traffic from unlabeled peers and from NetLabel-labeled peers.
	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_udp_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_udp_sendrecv_generic_node($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	# Outbound connections to any port.
	corenet_tcp_connect_all_ports($1_t)
	corenet_sendrecv_all_client_packets($1_t)
	# Labeled networking (e.g. IPsec) with peers in the same domain.
	corenet_all_recvfrom_labeled($1_t, $1_t)

	optional_policy(`
		init_tcp_recvfrom_all_daemons($1_t)
		init_udp_recvfrom_all_daemons($1_t)
	')

	optional_policy(`
		ipsec_match_default_spd($1_t)
	')
')
#######################################
## <summary>
##	The template for creating a user xwindows client. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated: emits a build-time warning and is kept only for
##	compatibility. New policy should call xserver_role() instead.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_xwindows_client_template',`
	# Warn at build time; the rules below are still applied.
	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')

	gen_require(`
		type $1_t, user_tmpfs_t;
	')

	dev_rw_xserver_misc($1_t)
	dev_rw_power_management($1_t)
	dev_read_input($1_t)
	dev_read_misc($1_t)
	dev_write_misc($1_t)
	# open office is looking for the following
	dev_getattr_agp_dev($1_t)
	dev_dontaudit_rw_dri($1_t)
	# GNOME checks for usb and other devices:
	dev_rw_usbfs($1_t)

	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
	xserver_xsession_entry_type($1_t)
	xserver_dontaudit_write_log($1_t)
	xserver_stream_connect_xdm($1_t)
	# certain apps want to read xdm.pid file
	xserver_read_xdm_pid($1_t)
	# gnome-session creates socket under /tmp/.ICE-unix/
	xserver_create_xdm_tmp_sockets($1_t)
	# Needed for escd, remove if we get escd policy
	xserver_manage_xdm_tmp_files($1_t)
')
#######################################
## <summary>
##	The template for allowing the user to change passwords.
## </summary>
## <desc>
##	<p>
##	Grants the domain transitions into the chfn and passwd domains
##	(with the user's role authorized for them) when the usermanage
##	module is present; the user domain itself never touches shadow.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolebase/>
#
template(`userdom_change_password_template',`
	gen_require(`
		type $1_t;
		role $1_r;
	')

	optional_policy(`
		usermanage_run_chfn($1_t,$1_r)
		usermanage_run_passwd($1_t,$1_r)
	')
')
#######################################
## <summary>
##	The template containing rules common to unprivileged
##	users and administrative users.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, tmp, and tmpfs files.
##	</p>
##	<p>
##	It pulls in basic networking, read access to a broad set of
##	system state (/proc, network state, sysctls, /var), sound and
##	random devices, NSS/PAM usage, the newrole transition, and
##	optional connections to a number of services.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_common_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	userdom_basic_networking_template($1)

	##############################
	#
	# User domain Local policy
	#

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# Inherit file descriptors from any unprivileged user domain.
	allow $1_t unpriv_userdomain:fd use;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_net_sysctls($1_t)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_t)
	# Find CDROM devices:
	kernel_read_device_sysctls($1_t)

	corecmd_exec_bin($1_t)

	# UDP bind on generic nodes/ports is unconditional here; TCP bind
	# is left to the unprivileged template under a boolean.
	corenet_udp_bind_generic_node($1_t)
	corenet_udp_bind_generic_port($1_t)

	dev_read_rand($1_t)
	dev_write_sound($1_t)
	dev_read_sound($1_t)
	dev_read_sound_mixer($1_t)
	dev_write_sound_mixer($1_t)

	files_exec_etc_files($1_t)
	files_search_locks($1_t)
	# Check to see if cdrom is mounted
	files_search_mnt($1_t)
	# cjp: perhaps should cut back on file reads:
	files_read_var_files($1_t)
	files_read_var_symlinks($1_t)
	files_read_generic_spool($1_t)
	files_read_var_lib_files($1_t)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_t)

	# cjp: some of this probably can be removed
	# Read-only/compute access to the SELinux API (no enforce-mode or
	# boolean changes).
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)

	# for eject
	storage_getattr_fixed_disk_dev($1_t)

	auth_use_nsswitch($1_t)
	auth_read_login_records($1_t)
	auth_search_pam_console_data($1_t)
	# Domain transitions into the PAM and utempter helpers.
	auth_run_pam($1_t,$1_r)
	auth_run_utempter($1_t,$1_r)

	init_read_utmp($1_t)

	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)
	# Role/domain change via newrole; checkpolicy/setfiles run in-domain.
	seutil_run_newrole($1_t,$1_r)
	seutil_exec_checkpolicy($1_t)
	seutil_exec_setfiles($1_t)
	# for when the network connection is killed
	# this is needed when a login role can change
	# to this one.
	seutil_dontaudit_signal_newrole($1_t)

	tunable_policy(`user_direct_mouse',`
		dev_read_mouse($1_t)
	')

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_ttys($1_t)
	')

	optional_policy(`
		alsa_read_rw_config($1_t)
	')

	optional_policy(`
		# Allow graphical boot to check battery lifespan
		apm_stream_connect($1_t)
	')

	optional_policy(`
		canna_stream_connect($1_t)
	')

	optional_policy(`
		# System bus client; the nested blocks open chat with specific
		# services only when their modules are present.
		dbus_system_bus_client($1_t)

		optional_policy(`
			bluetooth_dbus_chat($1_t)
		')

		optional_policy(`
			evolution_dbus_chat($1_t)
			evolution_alarm_dbus_chat($1_t)
		')

		optional_policy(`
			cups_dbus_chat_config($1_t)
		')

		optional_policy(`
			hal_dbus_chat($1_t)
		')

		optional_policy(`
			networkmanager_dbus_chat($1_t)
		')
	')

	optional_policy(`
		inetd_use_fds($1_t)
		inetd_rw_tcp_sockets($1_t)
	')

	optional_policy(`
		inn_read_config($1_t)
		inn_read_news_lib($1_t)
		inn_read_news_spool($1_t)
	')

	optional_policy(`
		locate_read_lib_files($1_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`
		modutils_read_module_config($1_t)
	')

	optional_policy(`
		mta_rw_spool($1_t)
	')

	# Database client connections are opt-in via booleans.
	optional_policy(`
		tunable_policy(`allow_user_mysql_connect',`
			mysql_stream_connect($1_t)
		')
	')

	optional_policy(`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_t)
	')

	optional_policy(`
		pcscd_read_pub_files($1_t)
		pcscd_stream_connect($1_t)
	')

	optional_policy(`
		tunable_policy(`allow_user_postgresql_connect',`
			postgresql_stream_connect($1_t)
			postgresql_tcp_connect($1_t)
		')
	')

	optional_policy(`
		resmgr_stream_connect($1_t)
	')

	optional_policy(`
		rpc_dontaudit_getattr_exports($1_t)
		rpc_manage_nfs_rw_content($1_t)
	')

	optional_policy(`
		samba_stream_connect_winbind($1_t)
	')

	optional_policy(`
		slrnpull_search_spool($1_t)
	')

	optional_policy(`
		usernetctl_run($1_t,$1_r)
	')
')
#######################################
## <summary>
##	The template for creating a login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	Builds on userdom_base_user_template and adds the home, tmp
##	and tmpfs roles, password changing, a few capabilities and the
##	ability to execute all application entry points.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_login_user_template', `
	gen_require(`
		class context contains;
	')

	userdom_base_user_template($1)

	userdom_manage_home_role($1_r, $1_t)

	userdom_manage_tmp_role($1_r, $1_t)
	userdom_manage_tmpfs_role($1_r, $1_t)

	# Execute from tmp and from home content (no domain transition).
	userdom_exec_user_tmp_files($1_t)
	userdom_exec_user_home_content_files($1_t)

	userdom_change_password_template($1)

	##############################
	#
	# User domain Local policy
	#

	# Only these three capabilities; sys_nice and fsetid attempts are
	# silenced rather than granted.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };
	# Every process permission except the listed ones. execmem/execstack
	# stay under the allow_execmem/allow_execstack booleans set in the
	# base template; setcurrent/setexec remain denied for login users.
	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
	dontaudit $1_t self:process setrlimit;
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
	# Duplicate of the rule in userdom_base_user_template; harmless.
	allow $1_t self:context contains;

	kernel_dontaudit_read_system_state($1_t)

	dev_read_sysfs($1_t)
	dev_read_urand($1_t)

	domain_use_interactive_fds($1_t)
	# Command completion can fire hundreds of denials
	domain_dontaudit_exec_all_entry_files($1_t)

	files_dontaudit_list_default($1_t)
	files_dontaudit_read_default_files($1_t)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_getattr_all_dirs($1_t)
	fs_search_auto_mountpoints($1_t)
	fs_list_inotifyfs($1_t)
	fs_rw_anon_inodefs_files($1_t)

	auth_dontaudit_write_login_records($1_t)

	# Execute any application entry point type in this domain.
	application_exec_all($1_t)

	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_rw_utmp($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fds($1_t)
	init_dontaudit_use_script_fds($1_t)

	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_man_pages($1_t)
	# for running TeX programs
	miscfiles_read_tetex_data($1_t)
	miscfiles_exec_tetex_data($1_t)

	seutil_read_config($1_t)

	optional_policy(`
		cups_read_config($1_t)
		cups_stream_connect($1_t)
		cups_stream_connect_ptal($1_t)
	')

	optional_policy(`
		kerberos_use($1_t)
	')

	optional_policy(`
		mta_dontaudit_read_spool_symlinks($1_t)
	')

	optional_policy(`
		quota_dontaudit_getattr_db($1_t)
	')

	optional_policy(`
		rpm_read_db($1_t)
		rpm_dontaudit_manage_db($1_t)
	')
')
#######################################
## <summary>
##	The template for creating a unprivileged login user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	The domain is marked unpriv_userdomain and may own interactive
##	file descriptors; the only extra privilege is an optional
##	transition to loadkeys.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_user_template',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	userdom_login_user_template($1)

	# Membership in unpriv_userdomain is what lets other unprivileged
	# user domains inherit this domain's file descriptors
	# (see userdom_common_user_template).
	typeattribute $1_t unpriv_userdomain;
	domain_interactive_fd($1_t)

	##############################
	#
	# Local policy
	#

	optional_policy(`
		loadkeys_run($1_t,$1_r)
	')
')
#######################################
## <summary>
##	The template for creating a unprivileged xwindows login user.
## </summary>
## <desc>
##	<p>
##	The template for creating a unprivileged xwindows login user.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	Adds the restricted X server role, sound devices, syslog and
##	audit message sending, and optional D-Bus, Java and
##	setroubleshoot access on top of the restricted user template.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_restricted_xwindows_user_template',`

	userdom_restricted_user_template($1)

	##############################
	#
	# Local policy
	#

	auth_role($1_r, $1_t)
	auth_search_pam_console_data($1_t)

	dev_read_sound($1_t)
	dev_write_sound($1_t)
	# gnome keyring wants to read this.
	dev_dontaudit_read_rand($1_t)

	logging_send_syslog_msg($1_t)
	logging_dontaudit_send_audit_msgs($1_t)
	# Need to do this just so screensaver will work. Should be moved to screensaver domain
	# NOTE: the allow below makes the dontaudit above redundant for
	# this domain; a restricted user can write audit records.
	logging_send_audit_msgs($1_t)

	selinux_get_enforce_mode($1_t)

	xserver_restricted_role($1_r, $1_t)

	optional_policy(`
		alsa_read_rw_config($1_t)
	')

	optional_policy(`
		dbus_role_template($1, $1_r, $1_t)
		dbus_system_bus_client($1_t)

		optional_policy(`
			consolekit_dbus_chat($1_t)
		')

		optional_policy(`
			cups_dbus_chat($1_t)
		')
	')

	optional_policy(`
		java_role($1_r, $1_t)
	')

	optional_policy(`
		setroubleshoot_dontaudit_stream_connect($1_t)
	')
')
#######################################
## <summary>
##	The template for creating a unprivileged user roughly
##	equivalent to a regular linux user.
## </summary>
## <desc>
##	<p>
##	The template for creating a unprivileged user roughly
##	equivalent to a regular linux user.
##	</p>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	Compared to the restricted user, this template adds execute
##	access under /usr, reading of the kernel symbol table, and a set
##	of boolean-controlled privileges (noxattr filesystems and
##	removable media on non-MLS builds, dmesg, TCP servers, ping,
##	traceroute and pppd).
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`userdom_unpriv_user_template', `

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_restricted_user_template($1)
	userdom_common_user_template($1)

	##############################
	#
	# Local policy
	#

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
	# Need the following rule to allow users to run vpnc
	corenet_tcp_bind_xserver_port($1_t)

	files_exec_usr_files($1_t)
	# cjp: why?
	files_read_kernel_symbol_table($1_t)

	# Only on non-MLS builds: execute from filesystems without xattr
	# labels, and (under user_rw_noexattrfile) write them and access
	# removable devices directly; otherwise removable devices are
	# read-only.
	ifndef(`enable_mls',`
		fs_exec_noxattr($1_t)

		tunable_policy(`user_rw_noexattrfile',`
			fs_manage_noxattr_fs_files($1_t)
			fs_manage_noxattr_fs_dirs($1_t)
			# Write floppies
			storage_raw_read_removable_device($1_t)
			storage_raw_write_removable_device($1_t)
		',`
			storage_raw_read_removable_device($1_t)
		')
	')

	tunable_policy(`user_dmesg',`
		kernel_read_ring_buffer($1_t)
	',`
		kernel_dontaudit_read_ring_buffer($1_t)
	')

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`user_tcp_server',`
		corenet_tcp_bind_generic_node($1_t)
		corenet_tcp_bind_generic_port($1_t)
	')

	optional_policy(`
		netutils_run_ping_cond($1_t,$1_r)
		netutils_run_traceroute_cond($1_t,$1_r)
	')

	# Run pppd in pppd_t by default for user
	optional_policy(`
		ppp_run_cond($1_t,$1_r)
	')

	optional_policy(`
		setroubleshoot_stream_connect($1_t)
	')
')
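#######################################
## <summary>
##	The template for creating an administrative user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
##	<p>
##	The privileges given to administrative users are:
##	<ul>
##	<li>Raw disk access</li>
##	<li>Set all sysctls</li>
##	<li>All kernel ring buffer controls</li>
##	<li>Create, read, write, and delete all files but shadow</li>
##	<li>Manage source and binary format SELinux policy</li>
##	<li>Run insmod</li>
##	</ul>
##	</p>
##	<p>
##	The domain also receives every capability except sys_module,
##	audit_control and audit_write, may signal and read the state of
##	all domains, and may set passwords for other users.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., sysadm
##	is the prefix for sysadm_t).
##	</summary>
## </param>
#
template(`userdom_admin_user_template',`
	gen_require(`
		attribute admindomain;
		class passwd { passwd chfn chsh rootok };
	')

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_login_user_template($1)
	userdom_common_user_template($1)

	domain_obj_id_change_exemption($1_t)
	# Administrative domains are also valid in system_r.
	role system_r types $1_t;

	typeattribute $1_t admindomain;

	ifdef(`direct_sysadm_daemon',`
		domain_system_change_exemption($1_t)
	')

	##############################
	#
	# $1_t local policy
	#

	# All capabilities except module loading (insmod runs in its own
	# domain, see modutils_domtrans_insmod below) and audit control.
	allow $1_t self:capability ~{ sys_module audit_control audit_write };
	# Admins may change their own context and the file-create context.
	allow $1_t self:process { setexec setfscreate };
	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
	allow $1_t self:tun_socket create;
	# Set password information for other users.
	allow $1_t self:passwd { passwd chfn chsh };
	# Skip authentication when pam_rootok is specified.
	allow $1_t self:passwd rootok;

	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_get_sysvipc_info($1_t)
	# Read and write every sysctl.
	kernel_rw_all_sysctls($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_rw_tun_tap_dev($1_t)

	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)
	# for lsof
	dev_getattr_mtrr_dev($1_t)
	# Allow MAKEDEV to work
	dev_create_all_blk_files($1_t)
	dev_create_all_chr_files($1_t)
	dev_delete_all_blk_files($1_t)
	dev_delete_all_chr_files($1_t)
	dev_rename_all_blk_files($1_t)
	dev_rename_all_chr_files($1_t)
	dev_create_generic_symlinks($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	domain_getattr_all_domains($1_t)
	# ptrace of other domains is denied (silently); only signals below.
	domain_dontaudit_ptrace_all_domains($1_t)
	# signal all domains:
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)

	files_exec_usr_src_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_set_all_quotas($1_t)
	fs_exec_noxattr($1_t)

	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)

	term_use_all_terms($1_t)

	# shadow: attributes only; contents stay out of reach of the admin
	# domain (password changes go through the passwd domain).
	auth_getattr_shadow($1_t)
	# Manage almost all files
	auth_manage_all_files_except_shadow($1_t)
	# Relabel almost all files
	auth_relabel_all_files_except_shadow($1_t)

	init_telinit($1_t)

	logging_send_syslog_msg($1_t)

	modutils_domtrans_insmod($1_t)

	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_policy($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_bin_policy($1_t)

	userdom_manage_user_home_content_dirs($1_t)
	userdom_manage_user_home_content_files($1_t)
	userdom_manage_user_home_content_symlinks($1_t)
	userdom_manage_user_home_content_pipes($1_t)
	userdom_manage_user_home_content_sockets($1_t)
	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files($1_t)
		fs_manage_noxattr_fs_dirs($1_t)
	',`
		fs_read_noxattr_fs_files($1_t)
	')

	optional_policy(`
		postgresql_unconfined($1_t)
	')

	optional_policy(`
		userhelper_exec($1_t)
	')
')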
########################################
## <summary>
##	Allow user to run as a secadm
## </summary>
## <desc>
##	<p>
##	Give the domain the security administrator privileges: DAC
##	override, relabeling of all files (including shadow) and device
##	nodes, MLS read-up/upgrade/downgrade, changing the enforcing
##	mode, booleans and SELinux parameters, managing binary policy,
##	reading audit logs and configuration, and running the policy
##	management tools (checkpolicy, load_policy, semanage, setfiles)
##	in their own domains with the given role.
##	</p>
##	<p>
##	This is a templated interface, and should only
##	be called from a per-userdomain template.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role of the domain, authorized for the
##	policy management tool domains.
##	</summary>
## </param>
#
template(`userdom_security_admin_template',`
	# Bypass DAC read/search and write checks.
	allow $1 self:capability { dac_read_search dac_override };

	corecmd_exec_shell($1)

	domain_obj_id_change_exemption($1)

	dev_relabel_all_dev_nodes($1)

	files_create_boot_flag($1)

	# Necessary for managing /boot/efi
	fs_manage_dos_files($1)

	mls_process_read_up($1)
	mls_file_read_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	# Can switch the system to permissive mode and change booleans.
	selinux_set_enforce_mode($1)
	selinux_set_all_booleans($1)
	selinux_set_parameters($1)

	# Unlike the admin user template, relabeling of shadow is included.
	auth_relabel_all_files_except_shadow($1)
	auth_relabel_shadow($1)

	init_exec($1)

	logging_send_syslog_msg($1)
	logging_read_audit_log($1)
	logging_read_generic_logs($1)
	logging_read_audit_config($1)

	seutil_manage_bin_policy($1)
	seutil_run_checkpolicy($1,$2)
	seutil_run_loadpolicy($1,$2)
	seutil_run_semanage($1,$2)
	seutil_run_setfiles($1, $2)

	optional_policy(`
		aide_run($1,$2)
	')

	optional_policy(`
		consoletype_exec($1)
	')

	optional_policy(`
		dmesg_exec($1)
	')

	optional_policy(`
		ipsec_run_setkey($1,$2)
	')

	optional_policy(`
		netlabel_run_mgmt($1,$2)
	')
')
########################################
## <summary>
##	Make the specified type usable in a
##	user home directory.
## </summary>
## <desc>
##	<p>
##	Marks the type as a file type, lets it associate with the
##	user_home_t filesystem label, and places it under the UBAC
##	constraints so that it stays tied to its owning user.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as a file in the
##	user home directory.
##	</summary>
## </param>
#
interface(`userdom_user_home_content',`
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:filesystem associate;
	files_type($1)
	ubac_constrained($1)
')
########################################
## <summary>
##	Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <desc>
##	<p>
##	Attaching is expressed as relabeling the tun_socket from an
##	admindomain label to the domain's own label, so the caller takes
##	over the interface rather than sharing it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_attach_admin_tun_iface',`
	gen_require(`
		attribute admindomain;
	')

	allow $1 admindomain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')
########################################
## <summary>
##	Set the attributes of a user pty.
## </summary>
## <desc>
##	<p>
##	Attribute changes only (e.g. owner/mode of the pty node);
##	no read or write access to the pty is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_setattr_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
')
########################################
## <summary>
##	Create a user pty.
## </summary>
## <desc>
##	<p>
##	The new pty is labeled user_devpts_t; read/write access to it
##	is not part of this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_user_pty',`
	gen_require(`
		type user_devpts_t;
	')

	term_create_pty($1, user_devpts_t)
')
########################################
## <summary>
##	Get the attributes of user home directories.
## </summary>
## <desc>
##	<p>
##	Also grants search on the parent home directory (/home)
##	so the home directory can be reached.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir getattr_dir_perms;
	files_search_home($1)
')
########################################
## <summary>
##	Do not audit attempts to get the attributes of user home directories.
## </summary>
## <desc>
##	<p>
##	Silences the denial only; no access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
')
########################################
## <summary>
##	Search user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Search (path traversal) only; listing the directory is a separate interface.
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
########################################
## <summary>
##	Do not audit attempts to search user home directories.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to search user home directories.
##	This will suppress SELinux denial messages when the specified
##	domain is denied the permission to search these directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_search_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
########################################
## <summary>
##	List user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Reveals the names of entries in a user's home directory (not their contents).
	allow $1 user_home_dir_t:dir list_dir_perms;
	files_search_home($1)
')
########################################
## <summary>
##	Do not audit attempts to list user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_list_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_home_dir_t:dir list_dir_perms;
')
########################################
## <summary>
##	Create user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_create_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Only the rule on the new directory's own type is given here; the
	# caller still needs the ability to add an entry to the home root
	# (see userdom_home_filetrans_user_home_dir) for a create to succeed.
	allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
## <summary>
##	Create, read, write, and delete user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# Full control of the home directory object itself (the user_home_dir_t
	# directory), including adding and removing entries in it.
	allow $1 user_home_dir_t:dir manage_dir_perms;
')
########################################
## <summary>
##	Relabel to user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabelto_user_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	# relabelto only: the caller also needs relabelfrom on the directory's
	# current type for a relabel to take effect.
	allow $1 user_home_dir_t:dir relabelto;
')
########################################
## <summary>
##	Create directories in the home dir root with
##	the user home directory type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_home_filetrans_user_home_dir',`
	gen_require(`
		type user_home_dir_t;
	')

	# Directories $1 creates in the home root are labeled user_home_dir_t
	# automatically, so new home directories come out correctly labeled
	# without a later relabel step.
	files_home_filetrans($1, user_home_dir_t, dir)
')
########################################
## <summary>
##	Do a domain transition to the specified
##	domain when executing a program in the
##	user home directory.
## </summary>
## <desc>
##	<p>
##	Do a domain transition to the specified
##	domain when executing a program in the
##	user home directory.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
#
interface(`userdom_user_home_domtrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# user_home_t becomes an entrypoint for $2: executing any user_home_t
	# file from $1 automatically transitions into $2. Because home content
	# is under the user's control, the user decides what code runs as $2;
	# only use this where $2 is meant to run user-supplied programs.
	domain_auto_trans($1, user_home_t, $2)
	# Traversal to reach the executable inside the home directory.
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
########################################
## <summary>
##	Do not audit attempts to search user home content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_search_user_home_content',`
	gen_require(`
		type user_home_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_home_t:dir search_dir_perms;
')
########################################
## <summary>
##	List user home content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_home_content',`
	gen_require(`
		type user_home_t;
	')

	# Applies to subdirectories inside a home directory (user_home_t), not
	# to the home directory itself (user_home_dir_t); no home-root search is
	# added here, so pair with userdom_search_user_home_dirs when needed.
	allow $1 user_home_t:dir list_dir_perms;
')
########################################
## <summary>
##	Create, read, write, and delete directories
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# The parent set includes user_home_dir_t so directories can be created
	# and removed directly in the home directory as well as in its subdirs.
	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
########################################
## <summary>
##	Delete directories in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Permissions on the directory being removed only; the parent directory
	# rules (remove_name) and home-root traversal are not granted here.
	allow $1 user_home_t:dir delete_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to set the
##	attributes of user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_setattr_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_home_t:file setattr_file_perms;
')
########################################
## <summary>
##	Mmap user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_mmap_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Memory-mapping user-controlled files; the file may be mapped
	# executable depending on the caller's own execmem/execmod rules.
	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
########################################
## <summary>
##	Read user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Read access to every user_home_t file, both directly in the home
	# directory and in its subdirectories; this is the broad "read the
	# user's private data" grant.
	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
########################################
## <summary>
##	Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Both the directory listing and the file read are silenced so a
	# probing application does not fill the log; nothing is granted.
	dontaudit $1 user_home_t:dir list_dir_perms;
	dontaudit $1 user_home_t:file read_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to append user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_append_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_home_t:file append_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_write_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_home_t:file write_file_perms;
')
########################################
## <summary>
##	Delete files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Permissions on the file being unlinked only; the containing
	# directory's remove_name and the home traversal are not granted here.
	allow $1 user_home_t:file delete_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to relabel user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_relabel_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Covers both relabelfrom and relabelto on user_home_t files; nothing
	# is granted, the denial is just not logged.
	dontaudit $1 user_home_t:file relabel_file_perms;
')
########################################
## <summary>
##	Read user home subdirectory symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Following user-created symlinks: the link target is chosen by the
	# user, so the caller's access to the target is what actually limits it.
	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	files_search_home($1)
')
########################################
## <summary>
##	Execute user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`userdom_exec_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Executes user-writable content in the caller's own domain, with no
	# transition: whatever the user drops in the home directory runs with
	# $1's full privileges. That is why this is a role capability.
	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)

	# The same access extended to network-mounted home directories, only
	# when the corresponding tunable is enabled.
	tunable_policy(`use_nfs_home_dirs',`
		fs_exec_nfs_files($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_exec_cifs_files($1)
	')
')
########################################
## <summary>
##	Do not audit attempts to execute user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_exec_user_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	# Suppresses the AVC denial message only; execution stays denied.
	dontaudit $1 user_home_t:file exec_file_perms;
')
########################################
## <summary>
##	Create, read, write, and delete files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# NOTE(review): unlike userdom_manage_user_home_content_dirs, the
	# directory argument here is only user_home_t, and user_home_dir_t gets
	# search access only. Files located directly in the home directory
	# (rather than in a subdirectory) are therefore not creatable or
	# deletable through this interface -- confirm that is intended.
	manage_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
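########################################
## <summary>
##	Do not audit attempts to create, read, write, and delete directories
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_manage_user_home_content_dirs',`
	gen_require(`
		type user_home_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	# Only user_home_t is referenced, so only that type is required.
	dontaudit $1 user_home_t:dir manage_dir_perms;
')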
########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Symlinks are managed inside user_home_t directories; the home
	# directory itself (user_home_dir_t) is only traversed.
	manage_lnk_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
########################################
## <summary>
##	Delete symbolic links in a user home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_delete_user_home_content_symlinks',`
	gen_require(`
		type user_home_t;
	')

	# Permissions on the link object only; the parent directory's
	# remove_name and the home traversal are not granted here.
	allow $1 user_home_t:lnk_file delete_lnk_file_perms;
')
########################################
## <summary>
##	Create, read, write, and delete named pipes
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content_pipes',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Named pipes are managed inside user_home_t directories; the home
	# directory itself (user_home_dir_t) is only traversed.
	manage_fifo_files_pattern($1, user_home_t, user_home_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
########################################
## <summary>
##	Create, read, write, and delete named sockets
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_home_content_sockets',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Named sockets are managed inside user_home_t directories; the home
	# directory itself (user_home_dir_t) is only traversed.
	allow $1 user_home_dir_t:dir search_dir_perms;
	manage_sock_files_pattern($1, user_home_t, user_home_t)
	files_search_home($1)
')
########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans',`
	gen_require(`
		type user_home_dir_t;
	')

	# Objects of class $3 that $1 creates directly in the home directory
	# (user_home_dir_t) are labeled $2 instead of inheriting the parent's
	# label; this is how applications keep private files in $HOME
	# separately labeled from generic user content.
	filetrans_pattern($1, user_home_dir_t, $2, $3)
	files_search_home($1)
')
########################################
## <summary>
##	Create objects in a user home content directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_home_content_filetrans',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Same as userdom_user_home_dir_filetrans but the transition applies in
	# user_home_t subdirectories; the home directory itself is only traversed.
	filetrans_pattern($1, user_home_t, $2, $3)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
')
########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	the user home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_home_dir_filetrans_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# New objects of class $2 created in the home directory get the generic
	# user_home_t label rather than user_home_dir_t.
	filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
	files_search_home($1)
')
########################################
## <summary>
##	Write to user temporary named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_write_user_tmp_sockets',`
	gen_require(`
		type user_tmp_t;
	')

	# Write on a sock_file is what a connect() to a unix socket in /tmp
	# needs; the socket's owning domain still has to allow the connectto.
	allow $1 user_tmp_t:sock_file write_sock_file_perms;
	files_search_tmp($1)
')
########################################
## <summary>
##	List user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_list_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:dir list_dir_perms;
	# Traversal of the temporary directory root, needed to reach user_tmp_t.
	files_search_tmp($1)
')
########################################
## <summary>
##	Do not audit attempts to list user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_list_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_tmp_t:dir list_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to manage users
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_manage_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_tmp_t:dir manage_dir_perms;
')
########################################
## <summary>
##	Read user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	read_files_pattern($1, user_tmp_t, user_tmp_t)
	# Listing is included so the caller can find the files, not just open
	# ones whose names it already knows.
	allow $1 user_tmp_t:dir list_dir_perms;
	files_search_tmp($1)
')
########################################
## <summary>
##	Do not audit attempts to read users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_read_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_tmp_t:file read_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to append users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_append_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_tmp_t:file append_file_perms;
')
########################################
## <summary>
##	Read and write user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:dir list_dir_perms;
	# Read/write of existing files only; creation and deletion are left to
	# userdom_manage_user_tmp_files.
	rw_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Do not audit attempts to manage users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_manage_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_tmp_t:file manage_file_perms;
')
########################################
## <summary>
##	Read user temporary symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_tmp_symlinks',`
	gen_require(`
		type user_tmp_t;
	')

	# Following user-created links in /tmp; the link target is chosen by
	# the user, so the caller's access to the target is the real limit.
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	allow $1 user_tmp_t:dir list_dir_perms;
	files_search_tmp($1)
')
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_dirs',`
	gen_require(`
		type user_tmp_t;
	')

	# Full control over user_tmp_t directories, both as parents and as the
	# directories being created or removed.
	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_files',`
	gen_require(`
		type user_tmp_t;
	')

	# Full file control within user_tmp_t directories.
	manage_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_symlinks',`
	gen_require(`
		type user_tmp_t;
	')

	# Full symlink control within user_tmp_t directories.
	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_pipes',`
	gen_require(`
		type user_tmp_t;
	')

	# Full named-pipe control within user_tmp_t directories.
	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Create, read, write, and delete user
##	temporary named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_user_tmp_sockets',`
	gen_require(`
		type user_tmp_t;
	')

	# Full named-socket control within user_tmp_t directories.
	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Create objects in a user temporary directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_user_tmp_filetrans',`
	gen_require(`
		type user_tmp_t;
	')

	# Objects of class $3 that $1 creates inside a user_tmp_t directory are
	# labeled $2 rather than user_tmp_t.
	filetrans_pattern($1, user_tmp_t, $2, $3)
	files_search_tmp($1)
')
########################################
## <summary>
##	Create objects in the temporary directory
##	with an automatic type transition to
##	the user temporary type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`userdom_tmp_filetrans_user_tmp',`
	gen_require(`
		type user_tmp_t;
	')

	# Objects of class $2 created in the /tmp root come out as user_tmp_t;
	# the files module supplies the rules on the tmp root itself.
	files_tmp_filetrans($1, user_tmp_t, $2)
')
########################################
## <summary>
##	Read user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_read_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
	allow $1 user_tmpfs_t:dir list_dir_perms;
	# Traversal of the tmpfs mount point to reach user_tmpfs_t content.
	fs_search_tmpfs($1)
')
########################################
## <summary>
##	Read and write user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_rw_user_tmpfs_files',`
	gen_require(`
		type user_tmpfs_t;
	')

	# Read/write of existing files plus following symlinks; no creation or
	# deletion is granted.
	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
	allow $1 user_tmpfs_t:dir list_dir_perms;
	fs_search_tmpfs($1)
')
########################################
## <summary>
##	Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_getattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# stat() on the tty only; no terminal I/O.
	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_getattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
')
########################################
## <summary>
##	Set the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_setattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Attribute changes (e.g. chown/chmod of the tty) only; no terminal I/O.
	allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to set the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_setattr_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
')
########################################
## <summary>
##	Read and write a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_user_ttys',`
	gen_require(`
		type user_tty_device_t;
	')

	# Terminal I/O on the user's tty: the caller can read what the user
	# types and write to the user's screen. See the desc on
	# userdom_use_user_terminals for why this matters.
	allow $1 user_tty_device_t:chr_file rw_term_perms;
')
########################################
## <summary>
##	Read and write a user domain pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Terminal I/O on the user's pty: the caller can read what the user
	# types and write to the user's screen. See the desc on
	# userdom_use_user_terminals for why this matters.
	allow $1 user_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
##	Read and write user TTYs and PTYs.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read and write user
##	TTYs and PTYs. This will allow the domain to
##	interact with the user via the terminal. Typically
##	all interactive applications will require this
##	access.
##	</p>
##	<p>
##	However, this also allows the applications to spy
##	on user sessions or inject information into the
##	user session. Thus, this access should likely
##	not be allowed for non-interactive domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`userdom_use_user_terminals',`
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	# Both terminal flavours, so the caller works whether the user is on a
	# console tty or a pseudo-terminal.
	allow $1 user_tty_device_t:chr_file rw_term_perms;
	allow $1 user_devpts_t:chr_file rw_term_perms;
	# Needed to locate the pty node under the devpts mount.
	term_list_ptys($1)
')
########################################
## <summary>
##	Do not audit attempts to read and write
##	a user domain tty and pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_terminals',`
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	# Suppresses the AVC denial messages only; terminal access stays denied.
	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
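########################################
## <summary>
##	Execute a shell in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# Explicit (setexeccon) transition from $1 into any user domain via a
	# shell; no automatic transition is set up.
	corecmd_shell_spec_domtrans($1, userdomain)

	# Back-channel from the new user domain to the parent $1: reuse the
	# descriptors it inherited, talk over $1's pipes, and deliver SIGCHLD
	# on exit. The pipe rule uses the fifo_file permission set, matching
	# the self:fifo_file rule in userdom_base_user_template.
	allow userdomain $1:fd use;
	allow userdomain $1:fifo_file rw_fifo_file_perms;
	allow userdomain $1:process sigchld;
')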
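########################################
## <summary>
##	Execute an Xserver session in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_xsession_spec_domtrans_all_users',`
	gen_require(`
		attribute userdomain;
	')

	# Explicit (setexeccon) transition from $1 into any user domain through
	# the X session entrypoint; targets the userdomain attribute, i.e. all
	# user domains, not only unprivileged ones.
	xserver_xsession_spec_domtrans($1, userdomain)

	# Back-channel from the new user domain to the parent $1: inherited
	# descriptors, $1's pipes, and SIGCHLD on exit. The pipe rule uses the
	# fifo_file permission set, matching userdom_base_user_template.
	allow userdomain $1:fd use;
	allow userdomain $1:fifo_file rw_fifo_file_perms;
	allow userdomain $1:process sigchld;
')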
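########################################
## <summary>
##	Execute a shell in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Explicit (setexeccon) transition from $1 into an unprivileged user
	# domain via a shell; administrative user domains are not reachable.
	corecmd_shell_spec_domtrans($1, unpriv_userdomain)

	# Back-channel from the new user domain to the parent $1: inherited
	# descriptors, $1's pipes, and SIGCHLD on exit. The pipe rule uses the
	# fifo_file permission set, matching userdom_base_user_template.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')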
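########################################
## <summary>
##	Execute an Xserver session in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_xsession_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Explicit (setexeccon) transition from $1 into an unprivileged user
	# domain through the X session entrypoint.
	xserver_xsession_spec_domtrans($1, unpriv_userdomain)

	# Back-channel from the new user domain to the parent $1: inherited
	# descriptors, $1's pipes, and SIGCHLD on exit. The pipe rule uses the
	# fifo_file permission set, matching userdom_base_user_template.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')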
########################################
## <summary>
##	Manage unprivileged user SysV semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_unpriv_user_semaphores',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Full control (create/destroy/read/write/setattr) of SysV semaphores
	# owned by unprivileged user domains; these are shared with the user,
	# so only give this to services that legitimately cooperate with them.
	allow $1 unpriv_userdomain:sem create_sem_perms;
')
########################################
## <summary>
##	Manage unprivileged user SysV shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_manage_unpriv_user_shared_mem',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Full control of SysV shared memory owned by unprivileged user domains.
	# The user can read and write the same segments, so the caller must
	# treat their contents as untrusted input.
	allow $1 unpriv_userdomain:shm create_shm_perms;
')
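########################################
## <summary>
##	Execute bin_t in the unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_bin_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Explicit (setexeccon) transition from $1 into an unprivileged user
	# domain when running a generic bin_t program.
	corecmd_bin_spec_domtrans($1, unpriv_userdomain)

	# Back-channel from the new user domain to the parent $1: inherited
	# descriptors, $1's pipes, and SIGCHLD on exit. The pipe rule uses the
	# fifo_file permission set, matching userdom_base_user_template.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')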
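########################################
## <summary>
##	Execute all entrypoint files in unprivileged user
##	domains. This is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_entry_spec_domtrans_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Explicit (setexeccon) transition from $1 into an unprivileged user
	# domain through any of that domain's entrypoint file types; broader
	# than the shell- and bin-only variants above.
	domain_entry_file_spec_domtrans($1, unpriv_userdomain)

	# Back-channel from the new user domain to the parent $1: inherited
	# descriptors, $1's pipes, and SIGCHLD on exit. The pipe rule uses the
	# fifo_file permission set, matching userdom_base_user_template.
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
')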
########################################
## <summary>
##	Search user home directories and their content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_search_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Note this lists (not just searches) the home root, unlike the
	# files_search_home() used by the other home interfaces.
	files_list_home($1)
	# Path traversal through the home directory and every subdirectory.
	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
')
########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_signal_unpriv_users',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Generic signals only: sigkill, sigstop and sigchld are separate
	# permissions and are not included here.
	allow $1 unpriv_userdomain:process signal;
')
########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_use_unpriv_users_fds',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# fd:use covers descriptors opened by the user domain and passed to $1
	# (inheritance across exec or SCM_RIGHTS); access to the underlying
	# object is still checked separately.
	allow $1 unpriv_userdomain:fd use;
')
########################################
## <summary>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains. This will suppress
##	SELinux denial messages when the specified domain is denied
##	the permission to inherit these file descriptors.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_use_unpriv_user_fds',`
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Typical use: a daemon started from a user shell that would otherwise
	# log a denial for every leaked descriptor it never uses.
	dontaudit $1 unpriv_userdomain:fd use;
')
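########################################
## <summary>
##	Do not audit attempts to use user ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_use_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Silences the same terminal permissions that userdom_use_user_ptys
	# grants (rw_term_perms), so the dontaudit and the allow stay in step;
	# denials outside that set (e.g. lock or append on the pty) remain
	# audited. Nothing is granted here.
	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')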
########################################
## <summary>
##	Relabel character files to the user pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_relabelto_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# relabelto only; relabelfrom on the pty's current type must be granted
	# elsewhere for the relabel to succeed.
	allow $1 user_devpts_t:chr_file relabelto;
')
########################################
## <summary>
##	Do not audit attempts to relabel files from
##	user pty types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userdom_dontaudit_relabelfrom_user_ptys',`
	gen_require(`
		type user_devpts_t;
	')

	# Suppresses the AVC denial message only; no access is granted.
	dontaudit $1 user_devpts_t:chr_file relabelfrom;
')
########################################
## <summary>
## Write user temporary files.
## </summary>
## <desc>
## <p>
## Allow the specified domain to write regular files labeled
## user_tmp_t (user files in /tmp). Only the file class is
## covered: no directory search or create permission is granted,
## so the caller must already be able to reach the files.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_write_user_tmp_files',`
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file write_file_perms;
')
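########################################
## <summary>
## Do not audit attempts to use user ttys.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read or write the user tty
## character devices (user_tty_device_t). This suppresses
## SELinux denial messages when the specified domain is denied
## read/write access to these devices; no access is granted.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_use_user_ttys',`
gen_require(`
type user_tty_device_t;
')
# user_tty_device_t is a chr_file object, so use the chr_file
# permission set rather than the generic file one; this keeps the
# suppressed set in step with the class-specific permission set definition.
dontaudit $1 user_tty_device_t:chr_file rw_chr_file_perms;
')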
########################################
## <summary>
## Read the process state of all user domains.
## </summary>
## <desc>
## <p>
## Allow the specified domain to read the process state files
## (the per-process entries under /proc, which are labeled with
## the process's domain) of every domain that carries the
## userdomain attribute, including privileged user domains.
## Process state can expose sensitive details such as the
## environment and memory layout, so grant this only to domains
## that genuinely need to inspect user processes.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_read_all_users_state',`
gen_require(`
attribute userdomain;
')
# search of the userdomain-labeled directories plus read of the
# files inside them
read_files_pattern($1, userdomain, userdomain)
# search on /proc itself is needed to reach the per-process directories
kernel_search_proc($1)
')
########################################
## <summary>
## Get the attributes of all user domains.
## </summary>
## <desc>
## <p>
## Allow the specified domain the process getattr permission on
## every domain carrying the userdomain attribute, so it can
## query process attributes (e.g. the security context) of
## user processes.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_getattr_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process getattr;
')
########################################
## <summary>
## Inherit the file descriptors from all user domains.
## </summary>
## <desc>
## <p>
## Allow the specified domain to use file descriptors created
## by any domain carrying the userdomain attribute, privileged
## user domains included. Only the fd use permission is granted;
## permissions on the underlying object are checked separately.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_use_all_users_fds',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit the file
## descriptors from any user domains.
## </summary>
## <desc>
## <p>
## Do not audit attempts to use file descriptors created by any
## domain carrying the userdomain attribute. This suppresses the
## corresponding SELinux denial messages; no access is granted.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`userdom_dontaudit_use_all_users_fds',`
gen_require(`
attribute userdomain;
')
dontaudit $1 userdomain:fd use;
')
########################################
## <summary>
## Send general signals to all user domains.
## </summary>
## <desc>
## <p>
## Allow the specified domain the process signal permission on
## every domain carrying the userdomain attribute. Only the
## generic signal permission is granted, not the full
## signal_perms set, so sigkill, sigstop, sigchld and signull
## are not covered by this interface.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_signal_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process signal;
')
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
## </summary>
## <desc>
## <p>
## Allow the specified domain the process sigchld permission on
## every domain carrying the userdomain attribute. This is
## typically needed by a domain whose children run as user
## domains, or which is reaped by one, so that child-exit
## notification is not denied.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_sigchld_all_users',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process sigchld;
')
########################################
## <summary>
## Create keys for all user domains.
## </summary>
## <desc>
## <p>
## Allow the specified domain the key create permission with
## every domain carrying the userdomain attribute as the target.
## Only create is granted; reading, writing, searching or linking
## those keys is not covered by this interface.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_create_all_users_keys',`
gen_require(`
attribute userdomain;
')
allow $1 userdomain:key create;
')
########################################
## <summary>
## Send a dbus message to all user domains.
## </summary>
## <desc>
## <p>
## Allow the specified domain to send D-Bus messages to every
## domain carrying the userdomain attribute. The dbus class is a
## userspace object class enforced by the D-Bus daemon rather
## than by the kernel, so the rule only has effect when the
## daemon is SELinux-aware. Only the one-way send_msg direction
## is granted; replies from user domains need their own rule.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_dbus_send_all_users',`
gen_require(`
attribute userdomain;
class dbus send_msg;
')
allow $1 userdomain:dbus send_msg;
')