58 lines
2.0 KiB
Plaintext
58 lines
2.0 KiB
Plaintext
#
|
|
# Macros for all user login domains.
|
|
#
|
|
|
|
#
|
|
# mini_user_domain(domain_prefix)
|
|
#
|
|
# Define derived types and rules for a minimal privs user domain named
|
|
# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
|
|
#
|
|
undefine(`mini_user_domain')
|
|
define(`mini_user_domain',`
|
|
# user_t/$1_t is an unprivileged users domain.
|
|
type $1_mini_t, domain, user_mini_domain;
|
|
|
|
# for ~/.bash_profile and other files that the mini domain should be allowed
|
|
# to read (but not write)
|
|
type $1_home_mini_t, file_type, sysadmfile;
|
|
allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
|
|
allow $1_mini_t $1_home_mini_t:file r_file_perms;
|
|
|
|
# $1_r is authorized for $1_mini_t for the initial login domain.
|
|
role $1_r types $1_mini_t;
|
|
uses_shlib($1_mini_t)
|
|
pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
|
|
|
|
allow $1_mini_t devtty_t:chr_file rw_file_perms;
|
|
allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
|
|
dontaudit $1_mini_t proc_t:dir { getattr search };
|
|
allow $1_mini_t self:unix_stream_socket create_socket_perms;
|
|
allow $1_mini_t self:fifo_file rw_file_perms;
|
|
allow $1_mini_t self:process { fork sigchld setpgid };
|
|
dontaudit $1_mini_t var_t:dir search;
|
|
allow $1_mini_t { bin_t sbin_t }:dir search;
|
|
|
|
dontaudit $1_mini_t device_t:dir { getattr read };
|
|
dontaudit $1_mini_t devpts_t:dir { getattr read };
|
|
dontaudit $1_mini_t proc_t:lnk_file read;
|
|
|
|
can_exec($1_mini_t, bin_t)
|
|
allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
|
|
dontaudit $1_mini_t home_root_t:dir getattr;
|
|
dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
|
|
dontaudit $1_mini_t $1_home_t:file { append getattr read write };
|
|
|
|
dontaudit $1_mini_t fs_t:filesystem getattr;
|
|
|
|
type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
|
|
# uncomment this if using mini domains for console logins
|
|
#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
|
|
|
|
type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
|
|
type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
|
|
|
|
domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
|
|
')dnl end mini_user_domain definition
|
|
|