## Policy for user domains ####################################### ## ## The template containing the most basic rules common to all users. ## ## ##

## The template containing the most basic rules common to all users. ##

##

## This template creates a user domain, types, and ## rules for the user's tty and pty. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## # template(`userdom_base_user_template',` gen_require(` attribute userdomain; type user_devpts_t, user_tty_device_t; class context contains; role $1_r; ') attribute $1_file_type; attribute $1_usertype; type $1_t, userdomain, $1_usertype; domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) ubac_constrained($1_t) role $1_r types $1_t; allow system_r $1_r; term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) term_dontaudit_getattr_generic_ptys($1_t) allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; tunable_policy(`deny_ptrace',`',` allow $1_usertype $1_usertype:process ptrace; ') allow $1_usertype $1_usertype:fd use; allow $1_usertype $1_t:key { create view read write search link setattr }; allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; allow $1_usertype $1_usertype:shm create_shm_perms; allow $1_usertype $1_usertype:sem create_sem_perms; allow $1_usertype $1_usertype:msgq create_msgq_perms; allow $1_usertype $1_usertype:msg { send receive }; allow $1_usertype $1_usertype:context contains; dontaudit $1_usertype $1_usertype:socket create; allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; term_create_pty($1_usertype, user_devpts_t) # avoid annoying messages on terminal hangup on role change dontaudit $1_usertype user_devpts_t:chr_file ioctl; allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; # avoid annoying messages on terminal hangup on role change dontaudit $1_usertype user_tty_device_t:chr_file ioctl; application_exec_all($1_usertype) kernel_read_kernel_sysctls($1_usertype) kernel_read_all_sysctls($1_usertype) kernel_dontaudit_list_unlabeled($1_usertype) kernel_dontaudit_getattr_unlabeled_files($1_usertype) kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) kernel_dontaudit_list_proc($1_usertype) dev_dontaudit_getattr_all_blk_files($1_usertype) dev_dontaudit_getattr_all_chr_files($1_usertype) dev_getattr_mtrr_dev($1_t) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_read_all_domains_state($1_usertype) domain_dontaudit_getattr_all_domains($1_usertype) domain_dontaudit_getsession_all_domains($1_usertype) dev_dontaudit_all_access_check($1_usertype) files_read_etc_files($1_usertype) files_list_mnt($1_usertype) files_list_var($1_usertype) files_read_mnt_files($1_usertype) files_dontaudit_all_access_check($1_usertype) files_read_etc_runtime_files($1_usertype) files_read_usr_files($1_usertype) files_read_usr_src_files($1_usertype) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. files_list_world_readable($1_usertype) files_read_world_readable_files($1_usertype) files_read_world_readable_symlinks($1_usertype) files_read_world_readable_pipes($1_usertype) files_read_world_readable_sockets($1_usertype) # old broswer_domain(): files_dontaudit_getattr_all_dirs($1_usertype) files_dontaudit_list_non_security($1_usertype) files_dontaudit_getattr_all_files($1_usertype) files_dontaudit_getattr_non_security_symlinks($1_usertype) files_dontaudit_getattr_non_security_pipes($1_usertype) files_dontaudit_getattr_non_security_sockets($1_usertype) files_dontaudit_setattr_etc_runtime_files($1_usertype) files_exec_usr_files($1_t) fs_list_cgroup_dirs($1_usertype) fs_dontaudit_rw_cgroup_files($1_usertype) fs_read_tmpfs_symlinks($1_usertype) storage_rw_fuse($1_usertype) init_stream_connect($1_usertype) # The library functions always try to open read-write first, # then fall back to read-only if it fails. init_dontaudit_rw_utmp($1_usertype) libs_exec_ld_so($1_usertype) miscfiles_read_generic_certs($1_t) miscfiles_read_all_certs($1_usertype) miscfiles_read_public_files($1_usertype) systemd_dbus_chat_logind($1_usertype) systemd_read_logind_sessions_files($1_usertype) systemd_write_inhibit_pipes($1_usertype) systemd_write_inherited_logind_sessions_pipes($1_usertype) systemd_login_read_pid_files($1_usertype) tunable_policy(`deny_execmem',`', ` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; ') tunable_policy(`selinuxuser_execstack',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') optional_policy(` abrt_stream_connect($1_usertype) ') optional_policy(` fs_list_cgroup_dirs($1_usertype) ') optional_policy(` ssh_rw_stream_sockets($1_usertype) ssh_rw_dgram_sockets($1_usertype) ssh_delete_tmp($1_t) ssh_signal($1_t) ') ') ####################################### ## ## Allow a home directory for which the ## role has read-only access. ## ## ##

## Allow a home directory for which the ## role has read-only access. ##

##

## This does not allow execute access. ##

##
## ## ## The user role ## ## ## ## ## The user domain ## ## ## # interface(`userdom_ro_home_role',` gen_require(` type user_home_t, user_home_dir_t; ') role $1 types { user_home_t user_home_dir_t }; ############################## # # Domain access to home dir # type_member $2 user_home_dir_t:dir user_home_dir_t; # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; allow $2 user_home_t:dir list_dir_perms; allow $2 user_home_t:file entrypoint; read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) ') ####################################### ## ## Allow a home directory for which the ## role has full access. ## ## ##

## Allow a home directory for which the ## role has full access. ##

##

## This does not allow execute access. ##

##
## ## ## The user role ## ## ## ## ## The user domain ## ## ## # interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; attribute user_home_type; ') role $1 types { user_home_type user_home_dir_t }; ############################## # # Domain access to home dir # type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory allow $2 user_home_t:dir mounton; allow $2 user_home_t:file entrypoint; allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) userdom_filetrans_home_content($2) files_list_home($2) # cjp: this should probably be removed: allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` fs_mount_nfs($2) fs_mounton_nfs($2) fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) fs_manage_nfs_symlinks($2) fs_manage_nfs_named_sockets($2) fs_manage_nfs_named_pipes($2) ') tunable_policy(`use_samba_home_dirs',` fs_mount_cifs($2) fs_mounton_cifs($2) fs_manage_cifs_dirs($2) fs_manage_cifs_files($2) fs_manage_cifs_symlinks($2) fs_manage_cifs_named_sockets($2) fs_manage_cifs_named_pipes($2) ') ') ####################################### ## ## Manage user temporary files ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_manage_tmp_files',` gen_require(` type user_tmp_t; ') manage_files_pattern($1, user_tmp_t, user_tmp_t) ') ####################################### ## ## Watch user temporary directories ## ## ## ## Domain allowed access. ## ## # interface(`userdom_watch_tmp_dirs',` gen_require(` type user_tmp_t; ') watch_dirs_pattern($1, user_tmp_t, user_tmp_t) ') ####################################### ## ## Watch_sb user temporary directories ## ## ## ## Domain allowed access. ## ## # interface(`userdom_watch_sb_tmp_dirs',` gen_require(` type user_tmp_t; ') watch_sb_dirs_pattern($1, user_tmp_t, user_tmp_t) ') ####################################### ## ## Watch_mount user temporary directories ## ## ## ## Domain allowed access. ## ## # interface(`userdom_watch_mount_tmp_dirs',` gen_require(` type user_tmp_t; ') watch_mount_dirs_pattern($1, user_tmp_t, user_tmp_t) ') ####################################### ## ## Watch_with_perm user temporary directories ## ## ## ## Domain allowed access. ## ## # interface(`userdom_watch_with_perm_tmp_dirs',` gen_require(` type user_tmp_t; ') watch_with_perm_dirs_pattern($1, user_tmp_t, user_tmp_t) ') ####################################### ## ## Mmap user temporary files ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_map_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file map; ') ####################################### ## ## Manage user temporary sockets ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_manage_tmp_sockets',` gen_require(` type user_tmp_t; ') manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ') ####################################### ## ## Manage user temporary directories ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_manage_tmp_dirs',` gen_require(` type user_tmp_t; ') manage_dirs_pattern($1, user_tmp_t, user_tmp_t) ') ####################################### ## ## Manage user temporary directories ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_mounton_tmp_dirs',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:dir mounton; ') ####################################### ## ## Mounton user temporary socket files ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_mounton_tmp_sockets',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:sock_file mounton; ') ####################################### ## ## Manage user temporary files ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_manage_tmp_role',` gen_require(` attribute user_tmp_type; type user_tmp_t; ') role $1 types user_tmp_t; files_poly_member_tmp($2, user_tmp_t) allow $2 user_tmp_type:dir mounton; manage_dirs_pattern($2, user_tmp_type, user_tmp_type) manage_files_pattern($2, user_tmp_type, user_tmp_type) manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) relabel_files_pattern($2, user_tmp_type, user_tmp_type) relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) allow $2 user_tmp_type:file map; ') ####################################### ## ## Dontaudit search of user bin dirs. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_search_user_bin_dirs',` gen_require(` type home_bin_t; ') dontaudit $1 home_bin_t:dir search_dir_perms; ') ####################################### ## ## Execute user bin files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_exec_user_bin_files',` gen_require(` attribute user_home_type; type home_bin_t, user_home_dir_t; ') exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) files_search_home($1) ') ####################################### ## ## The execute access user temporary files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_exec_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file entrypoint; exec_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ####################################### ## ## Manage user temporary file system files ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_manage_tmpfs_files',` gen_require(` type user_tmpfs_t; ') manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ') ####################################### ## ## Role access for the user tmpfs type ## that the user has full access. ## ## ##

## Role access for the user tmpfs type ## that the user has full access. ##

##

## This does not allow execute access. ##

##
## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_manage_tmpfs_role',` refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.') userdom_manage_tmp_role($1,$2) ') ####################################### ## ## The interface allowing the user basic ## network permissions ## ## ## ## The user domain ## ## ## # interface(`userdom_basic_networking',` allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_udp_sendrecv_generic_node($1) corenet_tcp_sendrecv_all_ports($1) corenet_udp_sendrecv_all_ports($1) corenet_tcp_connect_all_ports($1) corenet_sendrecv_all_client_packets($1) optional_policy(` init_tcp_recvfrom_all_daemons($1) init_udp_recvfrom_all_daemons($1) ') optional_policy(` ipsec_match_default_spd($1) ') ') ####################################### ## ## The template for creating a user xwindows client. (Deprecated) ## ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## # template(`userdom_xwindows_client_template',` refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') gen_require(` type $1_t, user_tmpfs_t; ') dev_rw_xserver_misc($1_t) dev_rw_power_management($1_t) dev_read_input($1_t) dev_read_misc($1_t) dev_write_misc($1_t) # open office is looking for the following dev_getattr_agp_dev($1_t) dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) dev_rw_generic_usb_dev($1_t) xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) xserver_dontaudit_write_log($1_t) xserver_stream_connect_xdm($1_t) # certain apps want to read xdm.pid file xserver_read_xdm_pid($1_t) # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($1_t) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($1_t) ') ####################################### ## ## The template for allowing the user to change passwords. ## NOTE! This template also allows the user to change shell. ## If you want to only allow changing passwords, you should ## use usermanage_run_passwd() instead. ## ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## # template(`userdom_change_password_template',` gen_require(` type $1_t; role $1_r; ') optional_policy(` usermanage_run_chfn($1_t,$1_r) usermanage_run_passwd($1_t,$1_r) ') ') ####################################### ## ## The template containing rules common to unprivileged ## users and administrative users. ## ## ##

## This template creates a user domain, types, and ## rules for the user's tty, pty, tmp, and tmpfs files. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## # template(`userdom_common_user_template',` gen_require(` attribute unpriv_userdomain; ') userdom_basic_networking($1_usertype) corenet_all_recvfrom_netlabel($1_t) ############################## # # User domain Local policy # allow $1_t self:packet_socket create_socket_perms; # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; allow $1_t self:netlink_selinux_socket create_socket_perms; allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; allow $1_t self:socket create_socket_perms; allow $1_usertype unpriv_userdomain:fd use; kernel_read_system_state($1_t) kernel_read_network_state($1_usertype) kernel_read_software_raid_state($1_usertype) kernel_read_net_sysctls($1_usertype) kernel_read_afs_state($1_usertype) # Very permissive allowing every domain to see every type: kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: kernel_read_device_sysctls($1_usertype) kernel_request_load_module($1_usertype) corenet_udp_bind_generic_node($1_usertype) corenet_udp_bind_generic_port($1_usertype) dev_read_rand($1_usertype) dev_write_sound($1_usertype) dev_read_sound($1_usertype) dev_read_sound_mixer($1_usertype) dev_write_sound_mixer($1_usertype) dev_rw_inherited_input_dev($1_usertype) files_exec_etc_files($1_usertype) files_search_locks($1_usertype) # Check to see if cdrom is mounted files_search_mnt($1_usertype) # cjp: perhaps should cut back on file reads: files_read_var_files($1_usertype) files_read_var_symlinks($1_usertype) files_read_generic_spool($1_usertype) files_read_var_lib_files($1_usertype) # Stat lost+found. files_getattr_lost_found_dirs($1_usertype) files_read_config_files($1_usertype) fs_read_noxattr_fs_files($1_usertype) fs_read_noxattr_fs_symlinks($1_usertype) fs_rw_cgroup_files($1_usertype) application_getattr_socket($1_usertype) ifdef(`enable_mls',` init_rw_tcp_sockets($1_t) ') logging_send_syslog_msg($1_t) selinux_get_enforce_mode($1_t) # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) selinux_compute_access_vector($1_t) selinux_compute_create_context($1_t) selinux_compute_relabel_context($1_t) selinux_compute_user_contexts($1_t) # for eject storage_getattr_fixed_disk_dev($1_usertype) auth_read_login_records($1_usertype) auth_run_pam_timestamp($1_t,$1_r) auth_run_utempter($1_t,$1_r) auth_filetrans_admin_home_content($1_t) init_read_utmp($1_usertype) seutil_read_file_contexts($1_usertype) seutil_read_default_contexts($1_usertype) seutil_run_newrole($1_t,$1_r) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_usertype) # for when the network connection is killed # this is needed when a login role can change # to this one. seutil_dontaudit_signal_newrole($1_t) term_getattr_all_ttys($1_t) optional_policy(` afs_read_config($1_t) ') optional_policy(` # Allow graphical boot to check battery lifespan apm_stream_connect($1_usertype) ') optional_policy(` chrome_role($1_r, $1_usertype) ') optional_policy(` canna_stream_connect($1_usertype) ') optional_policy(` colord_read_lib_files($1_usertype) ') optional_policy(` dbus_system_bus_client($1_usertype) allow $1_usertype $1_usertype:dbus send_msg; optional_policy(` avahi_dbus_chat($1_usertype) ') optional_policy(` bluetooth_dbus_chat($1_usertype) ') optional_policy(` consolekit_dbus_chat($1_usertype) consolekit_read_log($1_usertype) ') optional_policy(` devicekit_dbus_chat($1_usertype) devicekit_dbus_chat_power($1_usertype) devicekit_dbus_chat_disk($1_usertype) ') optional_policy(` evolution_dbus_chat($1_usertype) evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` firewalld_dbus_chat($1_usertype) ') optional_policy(` geoclue_dbus_chat($1_usertype) ') optional_policy(` gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` hwloc_exec_dhwd($1_t) hwloc_read_runtime_files($1_t) ') optional_policy(` memcached_stream_connect($1_usertype) ') optional_policy(` modemmanager_dbus_chat($1_usertype) ') optional_policy(` networkmanager_dbus_chat($1_usertype) networkmanager_read_lib_files($1_usertype) ') optional_policy(` policykit_dbus_chat($1_usertype) ') optional_policy(` vpn_dbus_chat($1_usertype) ') ') optional_policy(` git_role($1_r, $1_t) ') optional_policy(` inetd_use_fds($1_usertype) inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` inn_read_config($1_usertype) inn_read_news_lib($1_usertype) inn_read_news_spool($1_usertype) ') optional_policy(` lircd_stream_connect($1_usertype) ') optional_policy(` locate_read_lib_files($1_t) ') optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) mpd_stream_connect($1_t) ') # for running depmod as part of the kernel packaging process optional_policy(` modutils_read_module_config($1_usertype) ') optional_policy(` mta_rw_spool($1_usertype) mta_manage_queue($1_usertype) ') optional_policy(` tunable_policy(`selinuxuser_mysql_connect_enabled',` mysql_stream_connect($1_t) ') ') optional_policy(` oident_manage_user_content($1_t) oident_relabel_user_content($1_t) oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf") ') optional_policy(` # to allow monitoring of pcmcia status pcmcia_read_pid($1_usertype) ') optional_policy(` pcscd_read_pid_files($1_t) pcscd_stream_connect($1_t) ') optional_policy(` tunable_policy(`selinuxuser_postgresql_connect_enabled',` postgresql_stream_connect($1_usertype) postgresql_tcp_connect($1_usertype) ') ') optional_policy(` ppp_manage_home_files($1_t) ppp_relabel_home_files($1_t) ppp_home_filetrans_ppp_home($1_t, file, ".ppprc") ') optional_policy(` resmgr_stream_connect($1_usertype) ') optional_policy(` rpc_dontaudit_getattr_exports($1_usertype) ') optional_policy(` rpcbind_stream_connect($1_usertype) ') optional_policy(` samba_stream_connect_winbind($1_usertype) ') optional_policy(` sandbox_transition($1_usertype, $1_r) ') optional_policy(` seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` slrnpull_search_spool($1_usertype) ') optional_policy(` thumb_role($1_r, $1_usertype) ') ') ####################################### ## ## The template for creating a login user. ## ## ##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## # template(`userdom_login_user_template', ` gen_require(` class context contains; attribute login_userdomain; ') userdom_base_user_template($1) typeattribute $1_t login_userdomain; userdom_manage_home_role($1_r, $1_t) userdom_manage_tmp_role($1_r, $1_usertype) ifelse(`$1',`unconfined',`',` gen_tunable(`$1_exec_content', true) tunable_policy(`$1_exec_content',` userdom_exec_user_tmp_files($1_usertype) userdom_exec_user_home_content_files($1_usertype) ') tunable_policy(`$1_exec_content && use_nfs_home_dirs',` fs_exec_nfs_files($1_usertype) ') tunable_policy(`$1_exec_content && use_samba_home_dirs',` fs_exec_cifs_files($1_usertype) ') ') # NOTE! This template also allows user to change shell. userdom_change_password_template($1) ############################## # # User domain Local policy # dontaudit $1_t self:capability { sys_nice fsetid }; allow $1_t self:process ~{ ptrace execmem execstack execheap }; tunable_policy(`selinuxuser_use_ssh_chroot',` allow $1_t self:capability { setuid setgid sys_chroot }; ') dontaudit $1_t self:process setrlimit; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; domain_dyntrans_type($1_t) allow $1_t self:context contains; kernel_dontaudit_read_system_state($1_usertype) kernel_dontaudit_list_all_proc($1_usertype) dev_read_sysfs($1_usertype) dev_read_rand($1_usertype) dev_read_urand($1_usertype) domain_use_interactive_fds($1_usertype) # Command completion can fire hundreds of denials domain_dontaudit_exec_all_entry_files($1_usertype) files_dontaudit_list_default($1_usertype) files_dontaudit_read_default_files($1_usertype) # Stat lost+found. files_getattr_lost_found_dirs($1_usertype) fs_get_all_fs_quotas($1_usertype) fs_getattr_all_fs($1_usertype) fs_search_all($1_usertype) auth_read_passwd($1_t) auth_role($1_r, $1_t) auth_create_cache($1_t) auth_rw_cache($1_t) auth_search_pam_console_data($1_t) auth_dontaudit_read_login_records($1_t) auth_dontaudit_write_login_records($1_t) application_exec_all($1_t) # Allow login user type to run systemd user session init_signal($1_usertype) # The library functions always try to open read-write first, # then fall back to read-only if it fails. init_dontaudit_rw_utmp($1_t) # Stop warnings about access to /dev/console init_dontaudit_use_fds($1_usertype) init_dontaudit_use_script_fds($1_usertype) # Needed by pam_selinux.so calling in systemd-users init_entrypoint_exec(login_userdomain) libs_exec_lib_files($1_usertype) logging_dontaudit_getattr_all_logs($1_usertype) # for running TeX programs miscfiles_read_tetex_data($1_usertype) miscfiles_exec_tetex_data($1_usertype) seutil_read_config($1_usertype) selinux_watch_config($1_usertype) seutil_read_file_contexts($1_usertype) seutil_read_default_contexts($1_usertype) seutil_exec_setfiles($1_usertype) optional_policy(` cups_read_config($1_usertype) cups_stream_connect($1_usertype) cups_stream_connect_ptal($1_usertype) ') optional_policy(` kerberos_use($1_usertype) init_write_key($1_usertype) ') optional_policy(` mysql_filetrans_named_content($1_usertype) ') optional_policy(` mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` rpm_read_db($1_usertype) rpm_dontaudit_manage_db($1_usertype) rpm_read_cache($1_usertype) ') optional_policy(` oddjob_run_mkhomedir($1_t, $1_r) oddjob_run($1_t, $1_r) ') optional_policy(` chronyd_run_chronyc($1_t, $1_r) ') optional_policy(` ipa_run_helper($1_t, $1_r) ') optional_policy(` wine_filetrans_named_content($1_usertype) ') optional_policy(` sssd_stream_connect($1_t) ') ') ####################################### ## ## The template for creating a unprivileged login user. ## ## ##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## # template(`userdom_restricted_user_template',` gen_require(` attribute unpriv_userdomain; ') userdom_login_user_template($1) typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; seutil_read_file_contexts($1_t) seutil_read_default_contexts($1_t) ############################## # # Local policy # optional_policy(` loadkeys_run($1_t, $1_r) ') ') ####################################### ## ## The template for creating a unprivileged xwindows login user. ## ## ##

## The template for creating a unprivileged xwindows login user. ##

##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## # template(`userdom_restricted_xwindows_user_template',` userdom_restricted_user_template($1) ############################## # # Local policy # allow $1_usertype self:cap_userns { sys_admin sys_chroot }; dontaudit $1_usertype self:cap_userns sys_ptrace; allow $1_usertype self:dir { add_name write }; kernel_stream_connect($1_usertype) fs_associate_proc($1_usertype) dev_read_sound($1_usertype) dev_write_sound($1_usertype) # gnome keyring wants to read this. dev_dontaudit_read_rand($1_usertype) # temporarily allow since openoffice requires this dev_read_rand($1_usertype) dev_read_video_dev($1_usertype) dev_write_video_dev($1_usertype) dev_rw_wireless($1_usertype) libs_dontaudit_setattr_lib_files($1_usertype) init_read_state($1_usertype) init_signal($1_usertype) tunable_policy(`selinuxuser_rw_noexattrfile',` dev_rw_usbfs($1_t) dev_rw_generic_usb_dev($1_usertype) fs_manage_noxattr_fs_files($1_usertype) fs_manage_noxattr_fs_dirs($1_usertype) fs_manage_dos_dirs($1_usertype) fs_manage_dos_files($1_usertype) storage_raw_read_removable_device($1_usertype) storage_raw_write_removable_device($1_usertype) ') logging_send_syslog_msg($1_t) logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain selinux_get_enforce_mode($1_t) seutil_exec_restorecond($1_t) seutil_read_file_contexts($1_t) seutil_read_default_contexts($1_t) xserver_restricted_role($1_r, $1_t) optional_policy(` alsa_read_rw_config($1_usertype) ') # cjp: needed by KDE apps # bug: #682499 optional_policy(` gnome_read_usr_config($1_usertype) # cjp: telepathy F15 bugs telepathy_role($1_r, $1_t, $1) ') optional_policy(` obex_role($1_r, $1_t, $1) ') optional_policy(` dbus_role_template($1, $1_r, $1_usertype) dbus_system_bus_client($1_usertype) allow $1_usertype $1_usertype:dbus send_msg; optional_policy(` abrt_dbus_chat($1_usertype) abrt_run_helper($1_usertype, $1_r) ') optional_policy(` accountsd_dbus_chat($1_usertype) ') optional_policy(` consolekit_dontaudit_read_log($1_usertype) consolekit_dbus_chat($1_usertype) ') optional_policy(` cups_dbus_chat($1_usertype) cups_dbus_chat_config($1_usertype) ') optional_policy(` devicekit_dbus_chat($1_usertype) devicekit_dbus_chat_disk($1_usertype) devicekit_dbus_chat_power($1_usertype) ') optional_policy(` fprintd_dbus_chat($1_t) ') optional_policy(` realmd_dbus_chat($1_t) ') optional_policy(` gnome_role_template($1, $1_r, $1_t) ') optional_policy(` wm_role_template($1, $1_r, $1_t) ') ') optional_policy(` policykit_role($1_r, $1_usertype) ') optional_policy(` pulseaudio_role($1_r, $1_usertype) pulseaudio_filetrans_home_content($1_usertype) ') optional_policy(` rtkit_scheduled($1_usertype) ') optional_policy(` systemd_filetrans_home_content($1_usertype) ') optional_policy(` setroubleshoot_dontaudit_stream_connect($1_t) ') optional_policy(` udev_read_db($1_usertype) ') optional_policy(` xserver_xdm_ioctl_log($1_t) ') ') ####################################### ## ## The template for creating a unprivileged user roughly ## equivalent to a regular linux user. ## ## ##

## The template for creating a unprivileged user roughly ## equivalent to a regular linux user. ##

##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## # template(`userdom_unpriv_user_template', ` ############################## # # Declarations # # Inherit rules for ordinary users. userdom_restricted_xwindows_user_template($1) userdom_common_user_template($1) ############################## # # Local policy # allow $1_t self:capability { setgid chown fowner }; allow $1_t self:alg_socket create_socket_perms; allow $1_t self:dccp_socket create_socket_perms; allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms; dontaudit $1_t self:capability { setuid }; dontaudit $1_t self:netlink_selinux_socket create_socket_perms; allow $1_t self:bpf { map_create map_read map_write prog_load prog_run }; allow $1_t $1_t:system all_system_perms; tunable_policy(`deny_bluetooth',`',` allow $1_t self:bluetooth_socket create_socket_perms; ') auth_use_nsswitch($1_t) corecmd_exec_chroot($1_t) # port access is audited even if dac would not have allowed it, so dontaudit it here # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) corenet_tcp_bind_generic_node($1_usertype) init_exec($1_t) init_rw_stream_sockets($1_t) storage_rw_fuse($1_t) files_getattr_non_security_dirs($1_t) files_exec_usr_files($1_t) # cjp: why? files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` fs_exec_noxattr($1_t) tunable_policy(`selinuxuser_rw_noexattrfile',` fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) ',` storage_raw_read_removable_device($1_t) ') ') miscfiles_read_hwdata($1_usertype) fs_manage_cgroup_dirs($1_t) fs_mounton_fusefs($1_usertype) # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols tunable_policy(`selinuxuser_share_music',` corenet_tcp_bind_daap_port($1_usertype) ') tunable_policy(`selinuxuser_tcp_server',` corenet_tcp_bind_all_unreserved_ports($1_usertype) ') tunable_policy(`selinuxuser_udp_server',` corenet_udp_bind_all_unreserved_ports($1_usertype) ') optional_policy(` cdrecord_role($1_r, $1_t) ') optional_policy(` cron_role($1_r, $1) ') optional_policy(` games_manage_data_files($1_usertype) ') optional_policy(` gpg_role($1_r, $1_usertype) ') optional_policy(` systemd_dbus_chat_timedated($1_t) systemd_dbus_chat_hostnamed($1_t) systemd_dbus_chat_localed($1_t) systemd_config_all_services($1_t) ') optional_policy(` gpm_stream_connect($1_usertype) ') optional_policy(` mount_run_fusermount($1_t, $1_r) mount_read_pid_files($1_t) ') optional_policy(` wine_role_template($1, $1_r, $1_t) ') optional_policy(` postfix_run_postdrop($1_t, $1_r) postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user optional_policy(` ppp_run_cond($1_t, $1_r) ') optional_policy(` vdagent_getattr_log($1_t) vdagent_getattr_exec_files($1_t) vdagent_stream_connect($1_t) ') ') ####################################### ## ## The template for creating an administrative user. ## ## ##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

##

## The privileges given to administrative users are: ##

    ##
  • Raw disk access
  • ##
  • Set all sysctls
  • ##
  • All kernel ring buffer controls
  • ##
  • Create, read, write, and delete all files but shadow
  • ##
  • Manage source and binary format SELinux policy
  • ##
  • Run insmod
  • ##
##

##
## ## ## The prefix of the user domain (e.g., sysadm ## is the prefix for sysadm_t). ## ## # template(`userdom_admin_user_template',` gen_require(` attribute admindomain; attribute confined_admindomain; class passwd { passwd chfn chsh rootok crontab }; ') ############################## # # Declarations # # Inherit rules for ordinary users. userdom_login_user_template($1) userdom_common_user_template($1) domain_obj_id_change_exemption($1_t) role system_r types $1_t; typeattribute $1_t admindomain; typeattribute $1_t confined_admindomain; ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) ') ############################## # # $1_t local policy # allow $1_t self:capability2 bpf; # Manipulate other users crontab. allow $1_t self:passwd crontab; allow $1_t self:bpf { map_create map_read map_write prog_load prog_run }; allow $1_t self:alg_socket create_stream_socket_perms; allow $1_t self:dccp_socket create_stream_socket_perms; allow $1_t self:cap_userns sys_ptrace; tunable_policy(`deny_bluetooth',`',` allow $1_t self:bluetooth_socket create_stream_socket_perms; ') auth_use_nsswitch($1_t) kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) kernel_change_ring_buffer_level($1_t) kernel_clear_ring_buffer($1_t) kernel_read_ring_buffer($1_t) kernel_read_afs_state($1_t) kernel_get_sysvipc_info($1_t) kernel_rw_all_sysctls($1_t) # signal unlabeled processes: kernel_kill_unlabeled($1_t) kernel_signal_unlabeled($1_t) kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) kernel_signal($1_t) kernel_stream_connect($1_t) corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels corenet_rw_tun_tap_dev($1_t) dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) # for lsof dev_getattr_mtrr_dev($1_t) # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) dev_delete_all_blk_files($1_t) dev_delete_all_chr_files($1_t) dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) dev_rw_generic_usb_dev($1_t) dev_rw_usbfs($1_t) dev_read_kmsg($1_t) dev_read_cpuid($1_t) domain_setpriority_all_domains($1_t) domain_read_all_domains_state($1_t) domain_getattr_all_domains($1_t) domain_getcap_all_domains($1_t) domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) domain_signal_all_domains($1_t) domain_signull_all_domains($1_t) domain_sigstop_all_domains($1_t) domain_sigstop_all_domains($1_t) domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) domain_dontaudit_getattr_all_sockets($1_t) files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) fs_getattr_all_files($1_t) fs_list_all($1_t) fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) storage_dontaudit_read_fixed_disk($1_t) term_use_all_inherited_terms($1_t) term_use_unallocated_ttys($1_t) auth_getattr_shadow($1_t) # Manage almost all files files_manage_non_security_dirs($1_t) files_manage_non_security_files($1_t) # Map almost all files files_map_non_security_files($1_t) # Relabel almost all files files_relabel_non_security_files($1_t) files_mounton_rootfs($1_t) init_telinit($1_t) logging_send_syslog_msg($1_t) optional_policy(` modutils_domtrans_kmod($1_t) ') # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator # cannot directly manipulate policy files with arbitrary programs. seutil_manage_src_policy($1_t) # Violates the goal of limiting write access to checkpolicy. # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) systemd_config_all_services($1_t) userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) userdom_manage_user_home_content_pipes($1_t) userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`selinuxuser_rw_noexattrfile',` fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) ',` fs_read_noxattr_fs_files($1_t) ') tunable_policy(`selinuxuser_tcp_server',` corenet_tcp_bind_all_unreserved_ports($1_t) ') tunable_policy(`selinuxuser_udp_server',` corenet_udp_bind_all_unreserved_ports($1_t) ') optional_policy(` afs_read_config($1_t) ') optional_policy(` abrt_dbus_chat($1_t) abrt_run_helper($1_t, $1_r) ') optional_policy(` postgresql_unconfined($1_t) ') optional_policy(` userhelper_exec($1_t) ') optional_policy(` vdagent_getattr_log($1_t) vdagent_getattr_exec_files($1_t) vdagent_stream_connect($1_t) ') ') ######################################## ## ## Allow user to run as a secadm ## ## ##

## Create objects in a user home directory ## with an automatic type transition to ## a specified private type. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The role of the object to create. ## ## # template(`userdom_security_admin',` allow $1 self:capability { audit_control dac_read_search }; allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms }; corecmd_exec_shell($1) domain_obj_id_change_exemption($1) dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) files_create_default_dir($1) files_root_filetrans_default($1, dir) # Necessary for managing /boot/efi fs_manage_dos_files($1) mls_process_read_up($1) mls_file_read_all_levels($1) mls_file_upgrade($1) mls_file_downgrade($1) selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) selinux_read_policy($1) files_relabel_all_files($1) auth_relabel_shadow($1) init_exec($1) logging_send_syslog_msg($1) logging_read_audit_log($1) logging_read_generic_logs($1) logging_read_audit_config($1) seutil_manage_bin_policy($1) seutil_manage_default_contexts($1) seutil_manage_file_contexts($1) seutil_manage_module_store($1) seutil_manage_config($1) seutil_manage_login_config($1) seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) optional_policy(` aide_run($1,$2) ') optional_policy(` consoletype_exec($1) ') optional_policy(` ipsec_run_setkey($1,$2) ') optional_policy(` netlabel_run_mgmt($1,$2) ') optional_policy(` samhain_run($1, $2) ') ') ######################################## ## ## Make the specified type usable as ## a user application domain type. ## ## ## ## Type to be used as a user application domain. ## ## # interface(`userdom_user_application_type',` application_type($1) ubac_constrained($1) ') ######################################## ## ## Make the specified type usable as ## a user application domain. ## ## ## ## Type to be used as a user application domain. ## ## ## ## ## Type to be used as the domain entry point. ## ## # interface(`userdom_user_application_domain',` application_domain($1, $2) ubac_constrained($1) ') ######################################## ## ## Make the specified type usable in a ## user home directory. ## ## ## ## Type to be used as a file in the ## user home directory. ## ## # interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; attribute user_home_type; ') typeattribute $1 user_home_content_type; allow $1 user_home_t:filesystem associate; files_type($1) ubac_constrained($1) files_poly_member($1) typeattribute $1 user_home_type; ') ######################################## ## ## Make the specified type usable as a ## user temporary file. ## ## ## ## Type to be used as a file in the ## temporary directories. ## ## # interface(`userdom_user_tmp_file',` files_tmp_file($1) ubac_constrained($1) ') ######################################## ## ## Make the specified type usable as a ## user tmpfs file. ## ## ## ## Type to be used as a file in ## tmpfs directories. ## ## # interface(`userdom_user_tmpfs_file',` refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.') userdom_user_tmp_file($1) ') ######################################## ## ## Make the specified type usable as ## user temporary content. ## ## ## ## Type to be used as a file in the ## generic temporary directory. ## ## # interface(`userdom_user_tmp_content',` gen_require(` attribute user_tmp_type; ') typeattribute $1 user_tmp_type; files_tmp_file($1) ubac_constrained($1) ') ######################################## ## ## Make the specified type usable in a ## generic tmpfs_t directory. ## ## ## ## Type to be used as a file in the ## generic temporary directory. ## ## # interface(`userdom_user_tmpfs_content',` refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.') userdom_user_tmp_content($1) ') ######################################## ## ## Allow domain to attach to TUN devices created by administrative users. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_attach_admin_tun_iface',` gen_require(` attribute admindomain; ') allow $1 admindomain:tun_socket relabelfrom; allow $1 self:tun_socket relabelto; ') ######################################## ## ## Set the attributes of a user pty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_setattr_user_ptys',` gen_require(` type user_devpts_t; ') allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ') ######################################## ## ## Create a user pty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_create_user_pty',` gen_require(` type user_devpts_t; ') term_create_pty($1, user_devpts_t) ') ######################################## ## ## Get the attributes of user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_getattr_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_dir_t:dir getattr_dir_perms; files_search_home($1) ') ######################################## ## ## Do not audit attempts to get the attributes of user home directories. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_getattr_user_home_dirs',` gen_require(` type user_home_dir_t; ') dontaudit $1 user_home_dir_t:dir getattr_dir_perms; ') ######################################## ## ## Search user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_search_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; files_search_home($1) ') ######################################## ## ## Search user tmp directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_search_user_tmp_dirs',` gen_require(` type user_tmp_t; ') files_search_tmp($1) allow $1 user_tmp_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search user home directories. ## ## ##

## Do not audit attempts to search user home directories. ## This will supress SELinux denial messages when the specified ## domain is denied the permission to search these directories. ##

##
## ## ## Domain to not audit. ## ## ## # interface(`userdom_dontaudit_search_user_home_dirs',` gen_require(` type user_home_dir_t; ') dontaudit $1 user_home_dir_t:dir search_dir_perms; ') ######################################## ## ## List user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_list_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) tunable_policy(`use_nfs_home_dirs',` fs_list_nfs($1) ') tunable_policy(`use_samba_home_dirs',` fs_list_cifs($1) ') ') ######################################## ## ## Do not audit attempts to list user home subdirectories. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; type user_home_t; ') dontaudit $1 user_home_dir_t:dir list_dir_perms; dontaudit $1 user_home_t:dir list_dir_perms; ') ######################################## ## ## Create user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_create_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_dir_t:dir create_dir_perms; ') ######################################## ## ## Watch user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_watch_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_dir_t:dir watch_dir_perms; ') ######################################## ## ## Create user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_dir_t:dir manage_dir_perms; ') ######################################## ## ## Create user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_dontaudit_manage_user_home_dirs',` gen_require(` type user_home_dir_t; ') dontaudit $1 user_home_dir_t:dir manage_dir_perms; ') ######################################## ## ## Relabel to user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_relabelto_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_dir_t:dir relabelto; ') ######################################## ## ## Relabel to user home files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_relabelto_user_home_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:file relabelto; ') ######################################## ## ## Relabel user home files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_relabel_user_home_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:file relabel_file_perms; ') ######################################## ## ## Relabel user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_relabel_user_home_dirs',` gen_require(` type user_home_dir_t; ') allow $1 user_home_t:dir relabel_file_perms; ') ######################################## ## ## Create directories in the home dir root with ## the user home directory type. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_home_filetrans_user_home_dir',` gen_require(` type user_home_dir_t; ') files_home_filetrans($1, user_home_dir_t, dir, $2) ') ######################################## ## ## Do a domain transition to the specified ## domain when executing a program in the ## user home directory. ## ## ##

## Do a domain transition to the specified ## domain when executing a program in the ## user home directory. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## Domain to transition to. ## ## # interface(`userdom_user_home_domtrans',` gen_require(` type user_home_dir_t, user_home_t; ') domain_auto_trans($1, user_home_t, $2) allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') ######################################## ## ## Do not audit attempts to search user home content directories. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` attribute user_home_type; ') dontaudit $1 user_home_type:dir search_dir_perms; fs_dontaudit_list_nfs($1) fs_dontaudit_list_cifs($1) ') ######################################## ## ## List all users home content directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_list_all_user_home_content',` gen_require(` attribute user_home_content_type; ') userdom_search_user_home_dirs($1) allow $1 user_home_content_type:dir list_dir_perms; ') ######################################## ## ## List contents of users home directory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_list_user_home_content',` gen_require(` type user_home_dir_t; attribute user_home_type; ') files_list_home($1) allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ') ######################################## ## ## Create, read, write, and delete directories ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_home_content_dirs',` gen_require(` type user_home_dir_t, user_home_t; ') manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') ######################################## ## ## Delete directories in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_user_home_content_dirs',` gen_require(` type user_home_t; ') allow $1 user_home_t:dir delete_dir_perms; ') ######################################## ## ## Delete files in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_user_home_content_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:file delete_file_perms; ') ######################################## ## ## Delete all directories in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:dir delete_dir_perms; ') ######################################## ## ## Set the attributes of user home files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_setattr_user_home_content_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:file setattr; ') ######################################## ## ## Set the attributes of user tmp files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_setattr_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file setattr; ') ######################################## ## ## Create a user tmp sockets. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_create_user_tmp_sockets',` gen_require(` type user_tmp_t; ') files_search_tmp($1) allow $1 user_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, user_tmp_t, user_tmp_t) ') ######################################## ## ## Dontaudit getattr on user tmp sockets. ## ## ## ## Domain allowed access. ## ## # interface(`usedom_dontaudit_user_getattr_tmp_sockets',` refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') userdom_getattr_user_tmp_files($1) ') ######################################## ## ## Dontaudit getattr on user tmp sockets. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_dontaudit_user_getattr_tmp_sockets',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms; ') ######################################## ## ## Relabel user tmp files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_relabel_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file relabel_file_perms; ') ######################################## ## ## Relabel user tmp files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_relabel_user_tmp_dirs',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:dir relabel_dir_perms; ') ######################################## ## ## Do not audit attempts to set the ## attributes of user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` type user_home_t; ') dontaudit $1 user_home_t:file setattr_file_perms; ') ######################################## ## ## Set the attributes of all user home directories. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_setattr_all_user_home_content_dirs',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:dir setattr_dir_perms; ') ######################################## ## ## Mmap user home files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_mmap_user_home_content_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:file map; files_search_home($1) ') ######################################## ## ## map user home files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_map_user_home_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:file map; ') ######################################## ## ## Read user home files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; attribute user_home_type; ') allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) files_search_home($1) ') ######################################## ## ## Do not audit attempts to getattr user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_getattr_user_home_content',` gen_require(` attribute user_home_type; ') dontaudit $1 user_home_type:dir getattr; dontaudit $1 user_home_type:file getattr; ') ######################################## ## ## Do not audit attempts to read user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` attribute user_home_type; type user_home_dir_t; ') dontaudit $1 user_home_dir_t:dir list_dir_perms; dontaudit $1 user_home_type:dir list_dir_perms; dontaudit $1 user_home_type:file read_file_perms; dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; ') ######################################## ## ## Do not audit attempts to mmap user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_mmap_user_home_content_files',` gen_require(` attribute user_home_type; ') dontaudit $1 user_home_type:file map; ') ######################################## ## ## Do not audit attempts to append user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_append_user_home_content_files',` gen_require(` type user_home_t; ') dontaudit $1 user_home_t:file append_file_perms; ') ######################################## ## ## Do not audit attempts to write user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_write_user_home_content_files',` gen_require(` type user_home_t; ') dontaudit $1 user_home_t:file write_file_perms; ') ######################################## ## ## Delete all files in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_all_user_home_content_files',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:file delete_file_perms; ') ######################################## ## ## Delete sock files in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_user_home_content_sock_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:sock_file delete_file_perms; ') ######################################## ## ## Delete all sock files in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_all_user_home_content_sock_files',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:sock_file delete_file_perms; ') ######################################## ## ## Delete all files in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_all_user_home_content',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:dir_file_class_set delete_file_perms; ') ######################################## ## ## Do not audit attempts to write user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_relabel_user_home_content_files',` gen_require(` type user_home_t; ') dontaudit $1 user_home_t:file relabel_file_perms; ') ######################################## ## ## Read user home subdirectory symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_user_home_content_symlinks',` gen_require(` type user_home_dir_t, user_home_t; ') allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') ######################################## ## ## Execute user home files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_exec_user_home_content_files',` gen_require(` type user_home_dir_t; attribute user_home_type; ') files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ') ######################################## ## ## Do not audit attempts to execute user home files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` type user_home_t; ') dontaudit $1 user_home_t:file exec_file_perms; ') ######################################## ## ## Create, read, write, and delete files ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; ') manage_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_t:file map; files_search_home($1) ') ######################################## ## ## Do not audit attempts to create, read, write, and delete directories ## in a user home subdirectory. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` type user_home_dir_t, user_home_t; ') dontaudit $1 user_home_t:dir manage_dir_perms; ') ######################################## ## ## Create, read, write, and delete symbolic links ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_home_content_symlinks',` gen_require(` type user_home_dir_t, user_home_t; ') manage_lnk_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') ######################################## ## ## Delete symbolic links in a user home directory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_user_home_content_symlinks',` gen_require(` type user_home_t; ') allow $1 user_home_t:lnk_file delete_lnk_file_perms; ') ######################################## ## ## Delete all symbolic links in a user home directory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_all_user_home_content_symlinks',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:lnk_file delete_lnk_file_perms; ') ######################################## ## ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_home_content_pipes',` gen_require(` type user_home_dir_t, user_home_t; ') manage_fifo_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') ######################################## ## ## Create, read, write, and delete named sockets ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_home_content_sockets',` gen_require(` type user_home_dir_t, user_home_t; ') allow $1 user_home_dir_t:dir search_dir_perms; manage_sock_files_pattern($1, user_home_t, user_home_t) files_search_home($1) ') ######################################## ## ## Create objects in a user home directory ## with an automatic type transition to ## a specified private type. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to create. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_user_home_dir_filetrans',` gen_require(` type user_home_dir_t; ') filetrans_pattern($1, user_home_dir_t, $2, $3, $4) files_search_home($1) ') ######################################## ## ## Create objects in a user home directory ## with an automatic type transition to ## a specified private type. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to create. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_user_home_content_filetrans',` gen_require(` type user_home_dir_t, user_home_t; ') filetrans_pattern($1, user_home_t, $2, $3, $4) allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') ######################################## ## ## Create objects in a user home directory ## with an automatic type transition to ## the user home file type. ## ## ## ## Domain allowed access. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` type user_home_dir_t, user_home_t; ') filetrans_pattern($1, user_home_dir_t, user_home_t, $2, $3) files_search_home($1) ') ######################################## ## ## Write to user temporary named sockets. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_write_user_tmp_sockets',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:sock_file write_sock_file_perms; files_search_tmp($1) ') ######################################## ## ## List user temporary directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_list_user_tmp',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:dir list_dir_perms; files_search_tmp($1) ') ######################################## ## ## Do not audit attempts to list user ## temporary directories. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_list_user_tmp',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to manage users ## temporary directories. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:dir manage_dir_perms; ') ######################################## ## ## Read user temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_getattr_user_tmp_files',` gen_require(` attribute user_tmp_type; ') getattr_files_pattern($1, user_tmp_type, user_tmp_type) files_search_tmp($1) ') ######################################## ## ## Read user temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_user_tmp_files',` gen_require(` attribute user_tmp_type; ') read_files_pattern($1, user_tmp_type, user_tmp_type) allow $1 user_tmp_type:dir list_dir_perms; files_search_tmp($1) ') ######################################## ## ## Read user temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_append_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file append_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to read users ## temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_read_user_tmp_files',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:file read_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to append users ## temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_append_user_tmp_files',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:file append_file_perms; ') ######################################## ## ## Read and write user temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:dir list_dir_perms; rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Read and write user temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_user_tmp_sock_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:dir list_dir_perms; allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms; files_search_tmp($1) ') ######################################## ## ## Do not audit attempts to manage users ## temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:file manage_file_perms; ') ######################################## ## ## Read user temporary symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_user_tmp_symlinks',` gen_require(` type user_tmp_t; ') read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) allow $1 user_tmp_t:dir list_dir_perms; files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmp_dirs',` gen_require(` type user_tmp_t; ') manage_dirs_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmp_files',` gen_require(` type user_tmp_t; ') manage_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_filetrans_named_user_tmp_files',` gen_require(` type user_tmp_t; ') files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmp_symlinks',` gen_require(` type user_tmp_t; ') manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_inherited_user_tmp_pipes',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmp_pipes',` gen_require(` type user_tmp_t; ') manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary named sockets. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmp_sockets',` gen_require(` type user_tmp_t; ') manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Create objects in a user temporary directory ## with an automatic type transition to ## a specified private type. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to create. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_user_tmp_filetrans',` gen_require(` type user_tmp_t; ') filetrans_pattern($1, user_tmp_t, $2, $3, $4) files_search_tmp($1) ') ######################################## ## ## Create objects in the temporary directory ## with an automatic type transition to ## the user temporary type. ## ## ## ## Domain allowed access. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_tmp_filetrans_user_tmp',` gen_require(` type user_tmp_t; ') files_tmp_filetrans($1, user_tmp_t, $2, $3) ') ####################################### ## ## Getattr user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_getattr_user_tmpfs_files',` refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') userdom_getattr_user_tmp_files($1) ') ######################################## ## ## Read user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_user_tmpfs_files',` refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.') userdom_read_user_tmp_files($1) ') ######################################## ## ## Read/Write user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_user_tmpfs_files',` refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.') userdom_rw_user_tmp_files($1) ') ######################################## ## ## Manage user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmpfs_files',` refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.') userdom_manage_user_tmp_files($1) ') ######################################## ## ## Read/Write inherited user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_inherited_user_tmpfs_files',` refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.') userdom_rw_inherited_user_tmp_files($1) ') ######################################## ## ## Execute user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_execute_user_tmpfs_files',` refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.') userdom_execute_user_tmp_files($1) ') ######################################## ## ## Execute user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_execute_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file execute; ') ######################################## ## ## Get the attributes of a user domain tty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_getattr_user_ttys',` gen_require(` type user_tty_device_t; ') allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; ') ######################################## ## ## Do not audit attempts to get the attributes of a user domain tty. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_getattr_user_ttys',` gen_require(` type user_tty_device_t; ') dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; ') ######################################## ## ## Set the attributes of a user domain tty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_setattr_user_ttys',` gen_require(` type user_tty_device_t; ') allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; ') ######################################## ## ## Do not audit attempts to set the attributes of a user domain tty. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_setattr_user_ttys',` gen_require(` type user_tty_device_t; ') dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; ') ######################################## ## ## Read and write a user domain tty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_use_user_ttys',` gen_require(` type user_tty_device_t; ') allow $1 user_tty_device_t:chr_file rw_term_perms; ') ######################################## ## ## Read and write a inherited user domain tty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_use_inherited_user_ttys',` gen_require(` type user_tty_device_t; ') allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; ') ######################################## ## ## Read and write a user domain pty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_use_user_ptys',` gen_require(` type user_devpts_t; ') allow $1 user_devpts_t:chr_file rw_term_perms; ') ######################################## ## ## Watch a user pty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_watch_user_ptys',` gen_require(` type user_devpts_t; ') allow $1 user_devpts_t:chr_file watch_chr_file_perms; ') ######################################## ## ## Watch_reads a user pty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_watch_reads_user_ptys',` gen_require(` type user_devpts_t; ') allow $1 user_devpts_t:chr_file watch_reads_chr_file_perms; ') ######################################## ## ## Read and write a inherited user domain pty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_use_inherited_user_ptys',` gen_require(` type user_devpts_t; ') allow $1 user_devpts_t:chr_file rw_inherited_term_perms; ') ######################################## ## ## Read and write a inherited user TTYs and PTYs. ## ## ##

## Allow the specified domain to read and write inherited user ## TTYs and PTYs. This will allow the domain to ## interact with the user via the terminal. Typically ## all interactive applications will require this ## access. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`userdom_use_inherited_user_terminals',` gen_require(` type user_tty_device_t, user_devpts_t; ') allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; allow $1 user_devpts_t:chr_file rw_inherited_term_perms; ') ####################################### ## ## Allow attempts to read and write ## a user domain tty and pty. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_use_user_terminals',` gen_require(` type user_tty_device_t, user_devpts_t; ') allow $1 user_tty_device_t:chr_file rw_term_perms; allow $1 user_devpts_t:chr_file rw_term_perms; ') ######################################## ## ## Do not audit attempts to read and write ## a user domain tty and pty. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_use_user_terminals',` gen_require(` type user_tty_device_t, user_devpts_t; ') dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms; ') ######################################## ## ## Get attributes of user domain tty and pty. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_getattr_user_terminals',` gen_require(` type user_tty_device_t, user_devpts_t; ') allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; ') ######################################## ## ## Execute a shell in all user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed to transition. ## ## # interface(`userdom_spec_domtrans_all_users',` gen_require(` attribute userdomain; ') corecmd_shell_spec_domtrans($1, userdomain) allow userdomain $1:fd use; allow userdomain $1:fifo_file rw_file_perms; allow userdomain $1:process sigchld; ') ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed to transition. ## ## # interface(`userdom_xsession_spec_domtrans_all_users',` gen_require(` attribute userdomain; ') xserver_xsession_spec_domtrans($1, userdomain) allow userdomain $1:fd use; allow userdomain $1:fifo_file rw_file_perms; allow userdomain $1:process sigchld; ') ######################################## ## ## Execute a shell in all unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed to transition. ## ## # interface(`userdom_spec_domtrans_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') corecmd_shell_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; ') ######################################## ## ## Execute a shell in all admin user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed to transition. ## ## # interface(`userdom_spec_domtrans_admin_users',` gen_require(` attribute admindomain; ') corecmd_shell_spec_domtrans($1, admindomain) allow admindomain $1:fd use; allow admindomain $1:fifo_file rw_file_perms; allow admindomain $1:process sigchld; ') ######################################## ## ## Execute a shell in all confined admin user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed to transition. ## ## # interface(`userdom_spec_domtrans_confined_admin_users',` gen_require(` attribute confined_admindomain; ') corecmd_shell_spec_domtrans($1, confined_admindomain) allow confined_admindomain $1:fd use; allow confined_admindomain $1:fifo_file rw_file_perms; allow confined_admindomain $1:process sigchld; ') ##################################### ## ## Allow domain dyntrans to unpriv userdomain. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_dyntransition_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:process dyntransition; ') #################################### ## ## Allow domain dyntrans to admin userdomain. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_dyntransition_admin_users',` gen_require(` attribute admindomain; ') allow $1 admindomain:process dyntransition; ') ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed to transition. ## ## # interface(`userdom_xsession_spec_domtrans_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') xserver_xsession_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; ') ######################################## ## ## Manage unpriviledged user SysV sempaphores. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_unpriv_user_semaphores',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:sem create_sem_perms; ') ######################################## ## ## Manage unpriviledged user SysV shared ## memory segments. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:shm create_shm_perms; ') ######################################## ## ## Destroy unpriviledged user SysV shared ## memory segments. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_destroy_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:shm destroy; ') ######################################## ## ## Destroy unpriviledged user's message queue entries. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_destroy_unpriv_user_msgq',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:msgq destroy; ') ######################################## ## ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed to transition. ## ## # interface(`userdom_bin_spec_domtrans_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') corecmd_bin_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_file_perms; allow unpriv_userdomain $1:process sigchld; ') ######################################## ## ## Execute all entrypoint files in unprivileged user ## domains. This is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ## ## Domain allowed access. ## ## # interface(`userdom_entry_spec_domtrans_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; allow unpriv_userdomain $1:process sigchld; ') ######################################## ## ## Search users home directories. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_search_user_home_content',` gen_require(` type user_home_dir_t; attribute user_home_type; ') files_list_home($1) allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; ') ######################################## ## ## Send general signals to unprivileged user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_signal_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:process signal; ') ######################################## ## ## Inherit the file descriptors from unprivileged user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_use_unpriv_users_fds',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:fd use; ') ######################################## ## ## Do not audit attempts to inherit the file descriptors ## from unprivileged user domains. ## ## ##

## Do not audit attempts to inherit the file descriptors ## from unprivileged user domains. This will supress ## SELinux denial messages when the specified domain is denied ## the permission to inherit these file descriptors. ##

##
## ## ## Domain to not audit. ## ## ## # interface(`userdom_dontaudit_use_unpriv_user_fds',` gen_require(` attribute unpriv_userdomain; ') dontaudit $1 unpriv_userdomain:fd use; ') ######################################## ## ## Do not audit attempts to use user ptys. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_use_user_ptys',` gen_require(` type user_devpts_t; ') dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to open user ptys. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_open_user_ptys',` gen_require(` type user_devpts_t; ') dontaudit $1 user_devpts_t:chr_file open; ') ######################################## ## ## Relabel files to unprivileged user pty types. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_relabelto_user_ptys',` gen_require(` type user_devpts_t; ') allow $1 user_devpts_t:chr_file relabelto; ') ######################################## ## ## Do not audit attempts to relabel files from ## user pty types. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_relabelfrom_user_ptys',` gen_require(` type user_devpts_t; ') dontaudit $1 user_devpts_t:chr_file relabelfrom; ') ######################################## ## ## Write all users files in /tmp ## ## ## ## Domain allowed access. ## ## # interface(`userdom_write_user_tmp_files',` gen_require(` type user_tmp_t; ') write_files_pattern($1, user_tmp_t, user_tmp_t) ') ######################################## ## ## Do not audit attempts to write users ## temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_write_user_tmp_files',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:file write; ') ######################################## ## ## Do not audit attempts to delete users ## temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_delete_user_tmp_files',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:file delete_file_perms; ') ######################################## ## ## Do not audit attempts to read/write users ## temporary fifo files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_rw_user_tmp_pipes',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## ## Allow domain to read/write inherited users ## fifo files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_inherited_user_pipes',` gen_require(` attribute userdomain; ') allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to use user ttys. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_use_user_ttys',` gen_require(` type user_tty_device_t; ') dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ') ######################################## ## ## Read the process state of all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_all_users_state',` gen_require(` attribute userdomain; ') read_files_pattern($1, userdomain, userdomain) read_lnk_files_pattern($1,userdomain,userdomain) kernel_search_proc($1) ') ######################################## ## ## Get the attributes of all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_getattr_all_users',` gen_require(` attribute userdomain; ') allow $1 userdomain:process getattr; ') ######################################## ## ## Inherit the file descriptors from all user domains ## ## ## ## Domain allowed access. ## ## # interface(`userdom_use_all_users_fds',` gen_require(` attribute userdomain; ') allow $1 userdomain:fd use; ') ######################################## ## ## Do not audit attempts to inherit the file ## descriptors from any user domains. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_use_all_users_fds',` gen_require(` attribute userdomain; ') dontaudit $1 userdomain:fd use; ') ######################################## ## ## Send general signals to all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_signal_all_users',` gen_require(` attribute userdomain; ') allow $1 userdomain:process signal; ') ####################################### ## ## Send signull to all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_signull_all_users',` gen_require(` attribute userdomain; ') allow $1 userdomain:process signull; ') ######################################## ## ## Send kill signals to all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_kill_all_users',` gen_require(` attribute userdomain; ') allow $1 userdomain:process sigkill; ') ######################################## ## ## Send a SIGCHLD signal to all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_sigchld_all_users',` gen_require(` attribute userdomain; ') allow $1 userdomain:process sigchld; ') ######################################## ## ## Read keys for all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_all_users_keys',` gen_require(` attribute userdomain; ') allow $1 userdomain:key read; ') ######################################## ## ## View keys for all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_view_all_users_keys',` gen_require(` attribute userdomain; ') allow $1 userdomain:key view; ') ######################################## ## ## Write keys for all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_write_all_users_keys',` gen_require(` attribute userdomain; ') allow $1 userdomain:key write; ') ######################################## ## ## Read and write keys for all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_all_users_keys',` gen_require(` attribute userdomain; ') allow $1 userdomain:key { read view write }; ') ######################################## ## ## Create keys for all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_create_all_users_keys',` gen_require(` attribute userdomain; ') allow $1 userdomain:key create; ') ######################################## ## ## Send a dbus message to all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_dbus_send_all_users',` gen_require(` attribute userdomain; class dbus send_msg; ') allow $1 userdomain:dbus send_msg; ps_process_pattern($1, userdomain) ') ######################################## ## ## Allow apps to set rlimits on userdomain ## ## ## ## Domain allowed access. ## ## # interface(`userdom_set_rlimitnh',` gen_require(` attribute userdomain; ') allow $1 userdomain:process rlimitinh; ') ######################################## ## ## Define this type as a Allow apps to set rlimits on userdomain ## ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Domain allowed access. ## ## # template(`userdom_unpriv_usertype',` gen_require(` attribute unpriv_userdomain, userdomain; attribute $1_usertype; ') typeattribute $2 $1_usertype; typeattribute $2 unpriv_userdomain; typeattribute $2 userdomain; auth_use_nsswitch($2) ubac_constrained($2) ') ####################################### ## ## Define this type as a Allow apps to set rlimits on userdomain ## ## ## ## Domain allowed access. ## ## # template(`userdom_unpriv_type',` gen_require(` attribute userdomain; ') typeattribute $1 userdomain; auth_use_nsswitch($1) ubac_constrained($1) ') ######################################## ## ## Connect to users over a unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_stream_connect',` gen_require(` type user_tmp_t; attribute userdomain; ') stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) ') ######################################## ## ## Ptrace user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_ptrace_all_users',` gen_require(` attribute userdomain; ') tunable_policy(`deny_ptrace',`',` allow $1 userdomain:process ptrace; ') ') ######################################## ## ## dontaudit Search /root ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_search_admin_dir',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; dontaudit $1 admin_home_t:dir search_dir_perms; ') ######################################## ## ## dontaudit list /root ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_list_admin_dir',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; dontaudit $1 admin_home_t:dir list_dir_perms; ') ######################################## ## ## Allow domain to list /root ## ## ## ## Domain allowed access. ## ## # interface(`userdom_list_admin_dir',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:lnk_file read_lnk_file_perms; allow $1 admin_home_t:dir list_dir_perms; ') ######################################## ## ## Allow Search /root ## ## ## ## Domain allowed access. ## ## # interface(`userdom_search_admin_dir',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:lnk_file read_lnk_file_perms; allow $1 admin_home_t:dir search_dir_perms; ') ######################################## ## ## dontaudit create dirs /root ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_create_admin_dir',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:dir create_dir_perms; ') ######################################## ## ## allow manage dirs /root ## ## ## ## Domain to not audit. ## ## # interface(`userdom_manage_admin_dirs',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:dir manage_dir_perms; ') ######################################## ## ## allow manage files /root ## ## ## ## Domain to not audit. ## ## # interface(`userdom_manage_admin_files',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:file manage_file_perms; ') ######################################## ## ## dontaudit manage dirs /root ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_manage_admin_dir',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:dir manage_dir_perms; ') ######################################## ## ## dontaudit manage files /root ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_manage_admin_files',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:file manage_file_perms; ') ######################################## ## ## RW unpriviledged user SysV sempaphores. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_semaphores',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:sem rw_sem_perms; ') ######################################## ## ## Send a message to unpriv users over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_dgram_send',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:unix_dgram_socket sendto; ') ###################################### ## ## Send a message to users over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_users_dgram_send',` gen_require(` attribute userdomain; ') allow $1 userdomain:unix_dgram_socket sendto; ') ####################################### ## ## Allow execmod on files in homedirectory ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_execmod_user_home_files',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:file execmod; ') ######################################## ## ## Read admin home files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_read_admin_home_files',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:lnk_file read_lnk_file_perms; read_files_pattern($1, admin_home_t, admin_home_t) ') ######################################## ## ## Delete admin home files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_delete_admin_home_files',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:lnk_file read_lnk_file_perms; allow $1 admin_home_t:file delete_file_perms; ') ######################################## ## ## Execute admin home files. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_exec_admin_home_files',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:lnk_file read_lnk_file_perms; exec_files_pattern($1, admin_home_t, admin_home_t) ') ######################################## ## ## Append files inherited ## in the /root directory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_inherit_append_admin_home_files',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:file { getattr append }; ') ####################################### ## ## Manage all files/directories in the homedir ## ## ## ## The user domain ## ## ## # interface(`userdom_manage_user_home_content',` gen_require(` type user_home_dir_t, user_home_t; attribute user_home_type; ') files_list_home($1) manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) ') ###################################### ## ## Manage all dirs in the homedir ## ## ## ## The user domain ## ## # interface(`userdom_manage_all_user_home_type_dirs',` gen_require(` type user_home_dir_t, user_home_t; attribute user_home_type; ') files_list_home($1) manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ') ###################################### ## ## Manage all files in the homedir ## ## ## ## The user domain ## ## # interface(`userdom_manage_all_user_home_type_files',` gen_require(` type user_home_dir_t, user_home_t; attribute user_home_type; ') files_list_home($1) manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ') ######################################## ## ## Create objects in a user home directory ## with an automatic type transition to ## the user home file type. ## ## ## ## Domain allowed access. ## ## ## ## ## The class of the object to be created. ## ## # interface(`userdom_user_home_dir_filetrans_pattern',` gen_require(` type user_home_dir_t, user_home_t; ') type_transition $1 user_home_dir_t:$2 user_home_t; ') ######################################## ## ## Create objects in the /root directory ## with an automatic type transition to ## a specified private type. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to create. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_admin_home_dir_filetrans',` gen_require(` type admin_home_t; ') allow $1 admin_home_t:lnk_file read_lnk_file_perms; filetrans_pattern($1, admin_home_t, $2, $3, $4) ') ######################################## ## ## Send signull to unprivileged user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_signull_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:process signull; ') ######################################## ## ## Write all users files in /tmp ## ## ## ## Domain allowed access. ## ## # interface(`userdom_write_user_tmp_dirs',` gen_require(` type user_tmp_t; ') list_dirs_pattern($1, user_tmp_t, user_tmp_t) rw_dirs_pattern($1, user_tmp_t, user_tmp_t) write_files_pattern($1, user_tmp_t, user_tmp_t) ') ######################################## ## ## Manage keys for all user domains. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_all_users_keys',` gen_require(` attribute userdomain; ') allow $1 userdomain:key manage_key_perms; ') ######################################## ## ## Do not audit attempts to read and write ## userdomain stream. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_rw_stream',` gen_require(` attribute userdomain; ') dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; ') ######################################## ## ## Read and write userdomain stream. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_stream',` gen_require(` attribute userdomain; ') allow $1 userdomain:unix_stream_socket rw_socket_perms; ') ######################################## ## ## Read and write userdomain stream. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_connectto_stream',` gen_require(` attribute userdomain; ') allow $1 userdomain:unix_stream_socket connectto; ') ######################################## ## ## Do not audit attempts to read and write ## unserdomain datagram socket. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_rw_dgram_socket',` gen_require(` attribute userdomain; ') dontaudit $1 userdomain:unix_dgram_socket { read write }; ') ######################################## ## ## Append files ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_append_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; ') append_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') ######################################## ## ## Read files inherited ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_inherited_user_home_content_files',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:file { getattr read }; ') ######################################## ## ## Dontaudit Read files inherited from the admin home dir. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_read_inherited_admin_home_files',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:file read_inherited_file_perms; ') ######################################## ## ## Dontaudit append files inherited from the admin home dir. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_append_inherited_admin_home_file',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:file append_inherited_file_perms; ') ######################################## ## ## Read/Write files inherited ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_inherited_user_home_content_files',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:file rw_inherited_file_perms; ') ######################################## ## ## Append files inherited ## in a user home subdirectory. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_inherit_append_user_home_content_files',` gen_require(` type user_home_t; ') allow $1 user_home_t:file { getattr append }; ') ######################################## ## ## Append files inherited ## in a user tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_inherit_append_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file { getattr append }; ') ###################################### ## ## Read audio files in the users homedir. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_read_home_audio_files',` gen_require(` type audio_home_t; ') userdom_search_user_home_dirs($1) allow $1 audio_home_t:dir list_dir_perms; read_files_pattern($1, audio_home_t, audio_home_t) read_lnk_files_pattern($1, audio_home_t, audio_home_t) ') ###################################### ## ## Manage texlive content in the users homedir. ## ## ## ## Domain allowed access. ## ## ## # interface(`userdom_manage_home_texlive',` gen_require(` type texlive_home_t; ') userdom_search_user_home_dirs($1) userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012") userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013") userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014") manage_dirs_pattern($1, texlive_home_t, texlive_home_t) manage_files_pattern($1, texlive_home_t, texlive_home_t) manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t) allow $1 texlive_home_t:file relabelfrom; ') ######################################## ## ## Do not audit attempts to write all user home content files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_write_all_user_home_content_files',` gen_require(` attribute user_home_type; ') dontaudit $1 user_home_type:file write_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to write all user tmp content files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_write_all_user_tmp_content_files',` gen_require(` attribute user_tmp_type; ') dontaudit $1 user_tmp_type:file write_inherited_file_perms; ') ######################################## ## ## Manage all user temporary content. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_all_user_tmp_content',` gen_require(` attribute user_tmp_type; ') manage_dirs_pattern($1, user_tmp_type, user_tmp_type) manage_files_pattern($1, user_tmp_type, user_tmp_type) manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) files_search_tmp($1) ') ######################################## ## ## List all user temporary content. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_list_all_user_tmp_content',` gen_require(` attribute user_tmp_type; ') list_dirs_pattern($1, user_tmp_type, user_tmp_type) getattr_files_pattern($1, user_tmp_type, user_tmp_type) read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) files_search_var($1) files_search_tmp($1) ') ######################################## ## ## Manage all user tmpfs content. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_all_user_tmpfs_content',` refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.') userdom_manage_all_user_tmp_content($1) ') ######################################## ## ## Delete all user temporary content. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_all_user_tmp_content',` gen_require(` attribute user_tmp_type; ') delete_dirs_pattern($1, user_tmp_type, user_tmp_type) delete_files_pattern($1, user_tmp_type, user_tmp_type) delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) # /var/tmp files_search_var($1) files_delete_tmp_dir_entry($1) ') ######################################## ## ## Read system SSL certificates in the users homedir. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_home_certs',` gen_require(` attribute userdom_home_reader_certs_type; ') typeattribute $1 userdom_home_reader_certs_type; ') ######################################## ## ## mmap system SSL certificates in the users homedir. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_map_home_certs',` gen_require(` type home_cert_t; ') allow $1 home_cert_t:file map; ') ######################################## ## ## Manage system SSL certificates in the users homedir. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_home_certs',` gen_require(` type home_cert_t; ') allow $1 home_cert_t:dir list_dir_perms; manage_dirs_pattern($1, home_cert_t, home_cert_t) manage_files_pattern($1, home_cert_t, home_cert_t) manage_lnk_files_pattern($1, home_cert_t, home_cert_t) userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki") userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert") ') ####################################### ## ## Dontaudit Write system SSL certificates in the users homedir. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_write_home_certs',` gen_require(` type home_cert_t; ') dontaudit $1 home_cert_t:file write; ') ######################################## ## ## dontaudit Search getatrr /root files ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_getattr_admin_home_files',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:file getattr; ') ######################################## ## ## dontaudit read /root lnk files ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_read_admin_home_lnk_files',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:lnk_file read; ') ######################################## ## ## dontaudit read /root files ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_read_admin_home_files',` gen_require(` type admin_home_t; ') dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; dontaudit $1 admin_home_t:file read_file_perms; ') ######################################## ## ## Create, read, write, and delete user ## temporary chr files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmp_chr_files',` gen_require(` type user_tmp_t; ') manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user ## temporary blk files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_manage_user_tmp_blk_files',` gen_require(` type user_tmp_t; ') manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Dontaudit attempt to set attributes on user temporary directories. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_setattr_user_tmp',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:dir setattr; ') ######################################## ## ## Dontaudit attempt to set attributes on user temporary file system files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_setattr_user_tmpfs',` refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.') userdom_dontaudit_setattr_user_tmp($1) ') ######################################## ## ## Read all inherited users files in /tmp ## ## ## ## Domain allowed access. ## ## # interface(`userdom_read_inherited_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file read_inherited_file_perms; ') ######################################## ## ## Read/write/mmap all inherited users files in /tmp ## ## ## ## Domain allowed access. ## ## # interface(`userdom_mmap_rw_inherited_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file mmap_rw_inherited_file_perms; ') ######################################## ## ## Read/write all inherited users files in /tmp ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_inherited_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file rw_inherited_file_perms; ') ######################################## ## ## Write all inherited users files in /tmp ## ## ## ## Domain allowed access. ## ## # interface(`userdom_write_inherited_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file write; ') ######################################## ## ## Write all inherited users home files ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_inherited_user_home_sock_files',` gen_require(` attribute user_home_type; ') allow $1 user_home_type:sock_file write; ') ######################################## ## ## Delete all users files in /tmp ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_user_tmp_files',` gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file delete_file_perms; ') ######################################## ## ## Delete user tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_delete_user_tmpfs_files',` refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmp_files instead.') userdom_delete_user_tmp_files($1) ') ######################################## ## ## Read/Write unpriviledged user SysV shared ## memory segments. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:shm rw_shm_perms; ') ######################################## ## ## Do not audit attempts to search user ## temporary directories. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_search_user_tmp',` gen_require(` type user_tmp_t; ') dontaudit $1 user_tmp_t:dir search_dir_perms; ') ######################################## ## ## Execute a file in a user home directory ## in the specified domain. ## ## ##

## Execute a file in a user home directory ## in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the new process. ## ## # interface(`userdom_domtrans_user_home',` gen_require(` type user_home_t; ') read_lnk_files_pattern($1, user_home_t, user_home_t) domain_transition_pattern($1, user_home_t, $2) type_transition $1 user_home_t:process $2; ') ######################################## ## ## Execute a file in a user tmp directory ## in the specified domain. ## ## ##

## Execute a file in a user tmp directory ## in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the new process. ## ## # interface(`userdom_domtrans_user_tmp',` gen_require(` type user_tmp_t; ') files_search_tmp($1) read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) domain_transition_pattern($1, user_tmp_t, $2) type_transition $1 user_tmp_t:process $2; ') ######################################## ## ## Do not audit attempts to read all user home content files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_read_all_user_home_content_files',` gen_require(` attribute user_home_type; ') dontaudit $1 user_home_type:file read_file_perms; ') ######################################## ## ## Do not audit attempts to read all user tmp content files. ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_read_all_user_tmp_content_files',` gen_require(` attribute user_tmp_type; ') dontaudit $1 user_tmp_type:file read_file_perms; ') ####################################### ## ## Read and write unpriviledged user SysV sempaphores. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_rw_unpriv_user_semaphores',` gen_require(` attribute unpriv_userdomain; ') allow $1 unpriv_userdomain:sem rw_sem_perms; ') ######################################## ## ## Transition to userdom named content ## ## ## ## Domain allowed access. ## ## # interface(`userdom_filetrans_home_content',` gen_require(` attribute userdom_filetrans_type; ') typeattribute $1 userdom_filetrans_type; ') ######################################## ## ## Make the specified type able to read content in user home dirs ## ## ## ## Domain allowed access. ## ## # interface(`userdom_home_reader',` gen_require(` attribute userdom_home_reader_type; ') typeattribute $1 userdom_home_reader_type; ') ######################################## ## ## Make the specified type able to manage content in user home dirs ## ## ## ## Domain allowed access. ## ## # interface(`userdom_home_manager',` gen_require(` attribute userdom_home_manager_type; ') typeattribute $1 userdom_home_manager_type; ') ######################################## ## ## Create objects in the temporary filesystem directory ## with an automatic type transition to ## the user temporary filesystem type. ## ## ## ## Domain allowed access. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_tmpfs_filetrans',` gen_require(` type user_tmpfs_t; ') fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3) ') ####################################### ## ## Create objects in the temporary filesystem directory ## with an automatic type transition to ## the user temporary filesystem type. ## ## ## ## Domain allowed access. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`userdom_tmpfs_filetrans_to',` gen_require(` type user_tmpfs_t; ') filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) ') ###################################### ## ## File name transition for generic home content files. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_filetrans_generic_home_content',` gen_require(` type home_bin_t; type audio_home_t; type home_cert_t; type user_tmp_t; ') userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio") userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music") userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp") userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp") optional_policy(` gnome_data_filetrans($1, home_cert_t, dir, "certificates") ') ') ######################################## ## ## Allow caller to transition to any userdomain ## ## ## ## Domain allowed access. ## ## # interface(`userdom_transition',` gen_require(` attribute userdomain; ') allow $1 userdomain:process transition; ') ######################################## ## ## Allow caller to nnp_transition to login userdomain. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_nnp_transition_login_userdomain',` gen_require(` attribute login_userdomain; ') allow $1 login_userdomain:process2 nnp_transition; ') ######################################## ## ## Allow caller to transition to login userdomain. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_transition_login_userdomain',` gen_require(` attribute login_userdomain; ') allow $1 login_userdomain:process transition; ') ######################################## ## ## Allow caller noatsecure permission. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_noatsecure_login_userdomain',` gen_require(` attribute login_userdomain; ') allow $1 login_userdomain:process noatsecure ; ') ######################################## ## ## Allow caller to send sigchld to login userdomain. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_sigchld_login_userdomain',` gen_require(` attribute login_userdomain; ') allow $1 login_userdomain:process sigchld; ') ######################################## ## ## Add caller login userdomain attribute. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_login_userdomain',` gen_require(` attribute login_userdomain; ') typeattribute $1 login_userdomain; ') ######################################## ## ## Append to login_userdomain stream. ## ## ## ## Domain allowed access. ## ## # interface(`userdom_append_stream_userdomain',` gen_require(` attribute login_userdomain; ') allow $1 login_userdomain:unix_stream_socket { getattr append }; ') ######################################## ## ## Do not audit attempts to check the ## access on user content files ## ## ## ## Domain to not audit. ## ## # interface(`userdom_dontaudit_access_check_user_content',` gen_require(` attribute user_home_type; ') dontaudit $1 user_home_type:dir_file_class_set audit_access; ') ####################################### ## ## The template containing the most basic rules common to confined admin. ## ## ##

## The template containing the most basic rules common to all users. ##

##

## This template creates a user domain, types, and ## rules for the user's tty and pty. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## # template(`userdom_confined_admin_template',` gen_require(` attribute confined_admindomain; attribute userdomain; type user_devpts_t, user_tty_device_t; class context contains; ') type $1_t, userdomain, confined_admindomain; role $1_r; role $1_r types $1_t; domain_type($1_t) domain_user_exemption_target($1_t) ubac_constrained($1_t) auth_use_nsswitch($1_t) ifelse(`$1',`unconfined',`',` gen_tunable(`$1_exec_content', true) tunable_policy(`$1_exec_content',` userdom_exec_user_tmp_files($1_t) userdom_exec_user_home_content_files($1_t) ') tunable_policy(`$1_exec_content && use_nfs_home_dirs',` fs_exec_nfs_files($1_t) ') tunable_policy(`$1_exec_content && use_samba_home_dirs',` fs_exec_cifs_files($1_t) ') ') ') ######################################## ## ## Allow user to run as a secadm ## ## ##

## Create objects in a user home directory ## with an automatic type transition to ## a specified private type. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The role of the object to create. ## ## # template(`userdom_security_admin_template',` allow $1 self:capability { audit_control dac_read_search }; allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms }; corecmd_exec_shell($1) domain_obj_id_change_exemption($1) dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) files_create_default_dir($1) files_root_filetrans_default($1, dir) # Necessary for managing /boot/efi fs_manage_dos_files($1) mls_process_read_up($1) mls_file_read_all_levels($1) mls_file_upgrade($1) mls_file_downgrade($1) selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) selinux_read_policy($1) files_relabel_all_files($1) auth_relabel_shadow($1) init_exec($1) logging_send_syslog_msg($1) logging_read_audit_log($1) logging_read_generic_logs($1) logging_read_audit_config($1) seutil_manage_bin_policy($1) seutil_manage_default_contexts($1) seutil_manage_file_contexts($1) seutil_manage_module_store($1) seutil_manage_config($1) seutil_manage_login_config($1) seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) optional_policy(` aide_run($1,$2) ') optional_policy(` consoletype_exec($1) ') optional_policy(` ipsec_run_setkey($1,$2) ') optional_policy(` netlabel_run_mgmt($1,$2) ') optional_policy(` samhain_run($1, $2) ') ') # ######################################## ## ## Allow caller domain to run bpftool on userdomain ## ## ## ## Domain allowed access. ## ## # interface(`userdom_prog_run_bpf_userdomain',` gen_require(` attribute userdomain; ') allow $1 userdomain:bpf { map_create map_read map_write prog_load prog_run }; ')