180 lines
4.2 KiB
Plaintext
180 lines
4.2 KiB
Plaintext
|
|
policy_module(userdomain,1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
# admin users terminals (tty and pty)
|
|
attribute admin_terminal;
|
|
|
|
# users home directory
|
|
attribute home_dir_type;
|
|
|
|
# users home directory contents
|
|
attribute home_type;
|
|
|
|
# The privhome attribute identifies every domain that can create files under
|
|
# regular user home directories in the regular context (IE act on behalf of
|
|
# a user in writing regular files)
|
|
attribute privhome;
|
|
|
|
# all user domains
|
|
attribute userdomain;
|
|
|
|
# unprivileged user domains
|
|
attribute unpriv_userdomain;
|
|
|
|
# Allow execution of anonymous mappings, e.g. executable stack.
|
|
bool allow_execmem false;
|
|
|
|
# Support Share libraries with Text Relocation
|
|
bool allow_execmod false;
|
|
|
|
# Allow system to run with kerberos
|
|
bool allow_kerberos false;
|
|
|
|
# Allow system to run with NIS
|
|
bool allow_ypbind false;
|
|
|
|
# Allow reading of default_t files.
|
|
bool read_default_t false;
|
|
|
|
# Allow staff_r users to search the sysadm home dir and read
|
|
# files (such as ~/.bashrc)
|
|
bool staff_read_sysadm_file false;
|
|
|
|
# Support NFS home directories
|
|
bool use_nfs_home_dirs false;
|
|
|
|
# Support SAMBA home directories
|
|
bool use_samba_home_dirs false;
|
|
|
|
# Allow regular users direct mouse access
|
|
bool user_direct_mouse false;
|
|
|
|
# Allow users to read system messages.
|
|
bool user_dmesg false;
|
|
|
|
# Allow users to control network interfaces (also needs USERCTL=true)
|
|
bool user_net_control false;
|
|
|
|
# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
|
|
bool user_rw_noexattrfile false;
|
|
|
|
# Allow users to rw usb devices
|
|
bool user_rw_usb false;
|
|
|
|
# Allow users to run TCP servers (bind to ports and accept connection from
|
|
# the same domain and outside users) disabling this forces FTP passive mode
|
|
# and may change other protocols
|
|
bool user_tcp_server false;
|
|
|
|
# Allow w to display everyone
|
|
bool user_ttyfile_stat false;
|
|
|
|
admin_domain_template(sysadm)
|
|
user_domain_template(staff)
|
|
user_domain_template(user)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# user role change rules:
|
|
define(`role_change',`
|
|
allow $1_r $2_r;
|
|
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
|
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
|
|
# avoid annoying messages on terminal hangup
|
|
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
|
')
|
|
|
|
# sysadm_r can change to user roles
|
|
role_change(sysadm, user)
|
|
role_change(sysadm, staff)
|
|
|
|
# only staff_r can change to sysadm_r
|
|
role_change(staff, sysadm)
|
|
|
|
# this should be tunable_policy, but
|
|
# currently type_change and RBAC allow
|
|
# do not work in conditionals
|
|
ifdef(`user_canbe_sysadm',`
|
|
role_change(user,sysadm)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
allow privhome home_root_t:dir { getattr search };
|
|
|
|
# Add/remove user home directories
|
|
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Sysadm local policy
|
|
#
|
|
|
|
# for su
|
|
allow sysadm_t userdomain:fd use;
|
|
|
|
optional_policy(`bootloader.te',`
|
|
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`clock.te',`
|
|
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`hostname.te',`
|
|
hostname_run(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`iptables.te',`
|
|
iptables_run(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`libraries.te',`
|
|
libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`lvm.te',`
|
|
lvm_run(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`modutils.te',`
|
|
modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
|
|
modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
|
|
modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`mount.te',`
|
|
mount_run(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`rpm.te',`
|
|
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`selinux.te',`
|
|
selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
|
|
selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
|
selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
|
selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
|
optional_policy(`targeted_policy',`',`
|
|
selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
')
|
|
|
|
optional_policy(`sysnetwork.te',`
|
|
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|
|
|
|
optional_policy(`usermanage.te',`
|
|
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
|
|
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
|
|
')
|