Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/system/userdomain.te

629 lines
20 KiB
Text

policy_module(userdomain, 4.9.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow users to connect to the local mysql server
## </p>
## </desc>
gen_tunable(selinuxuser_mysql_connect_enabled, false)
## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(selinuxuser_postgresql_connect_enabled, false)
## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(selinuxuser_rw_noexattrfile, false)
## <desc>
## <p>
## Allow user music sharing
## </p>
## </desc>
gen_tunable(selinuxuser_share_music, false)
## <desc>
## <p>
## Allow user to use ssh chroot environment.
## </p>
## </desc>
gen_tunable(selinuxuser_use_ssh_chroot, false)
attribute admindomain;
attribute login_userdomain;
attribute confined_admindomain;
# all user domains
attribute userdomain;
# unprivileged user domains
attribute unpriv_userdomain;
attribute user_home_content_type;
attribute userdom_home_reader_certs_type;
attribute userdom_home_reader_type;
attribute userdom_home_manager_type;
attribute userdom_filetrans_type;
# unprivileged user domains
attribute user_home_type;
attribute user_tmp_type;
attribute user_tmpfs_type;
type admin_home_t;
files_type(admin_home_t)
files_associate_tmp(admin_home_t)
fs_associate_tmpfs(admin_home_t)
files_mountpoint(admin_home_t)
files_poly_member(admin_home_t)
files_poly_parent(admin_home_t)
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
files_mountpoint(user_home_dir_t)
files_associate_tmp(user_home_dir_t)
files_poly(user_home_dir_t)
files_poly_member(user_home_dir_t)
files_poly_parent(user_home_dir_t)
ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
typeattribute user_home_t user_home_type;
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
files_poly_member(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
ubac_constrained(user_home_t)
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)
type user_tmp_t, user_tmp_type, user_tmpfs_type;
typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
typealias user_tmp_t alias xdm_tmp_t;
typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
files_tmp_file(user_tmp_t)
files_tmpfs_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
files_poly_parent(user_tmp_t)
files_mountpoint(user_tmp_t)
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
type audio_home_t;
userdom_user_home_content(audio_home_t)
ubac_constrained(audio_home_t)
type texlive_home_t;
userdom_user_home_content(texlive_home_t)
ubac_constrained(texlive_home_t)
type home_bin_t;
userdom_user_home_content(home_bin_t)
ubac_constrained(home_bin_t)
type home_cert_t;
miscfiles_cert_type(home_cert_t)
userdom_user_home_content(home_cert_t)
ubac_constrained(home_cert_t)
tunable_policy(`login_console_enabled',`
term_use_console(userdomain)
')
allow userdomain userdomain:process signull;
allow userdomain userdomain:fifo_file { map rw_inherited_fifo_file_perms };
dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;
# Allow userdomain to stop systemd user-session
allow userdomain userdomain:system { halt reload };
# Nautilus causes this avc
domain_dontaudit_access_check(unpriv_userdomain)
dontaudit unpriv_userdomain self:dir setattr;
allow unpriv_userdomain self:file manage_file_perms;
allow unpriv_userdomain self:key manage_key_perms;
auth_filetrans_auth_home_content(userdomain)
files_dontaudit_manage_boot_files(unpriv_userdomain)
mount_dontaudit_write_mount_pid(unpriv_userdomain)
mount_entry_type(unpriv_userdomain)
optional_policy(`
alsa_read_rw_config(unpriv_userdomain)
alsa_manage_home_files(unpriv_userdomain)
alsa_relabel_home_files(unpriv_userdomain)
')
optional_policy(`
cockpit_manage_unix_stream_sockets(userdomain)
')
optional_policy(`
gssproxy_stream_connect(userdomain)
')
optional_policy(`
gnome_filetrans_home_content(userdomain)
')
optional_policy(`
gpg_noatsecure(userdomain)
')
optional_policy(`
locallogin_filetrans_home_content(userdomain)
')
optional_policy(`
pcscd_stream_connect(userdomain)
')
optional_policy(`
policykit_dbus_chat(userdomain)
dbus_system_bus_client(userdomain)
')
optional_policy(`
realmd_read_var_lib(userdomain)
')
optional_policy(`
ssh_filetrans_home_content(userdomain)
ssh_rw_tcp_sockets(userdomain)
')
optional_policy(`
stratisd_dbus_chat(userdomain)
')
optional_policy(`
telepathy_filetrans_home_content(userdomain)
')
optional_policy(`
xserver_filetrans_home_content(userdomain)
')
optional_policy(`
systemd_userdbd_stream_connect(userdomain)
')
# rules for types which can read home certs
allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
userdom_search_user_home_content(userdom_home_reader_certs_type)
allow userdom_home_reader_certs_type home_cert_t:file map;
tunable_policy(`use_ecryptfs_home_dirs',`
fs_read_ecryptfs_files(userdom_home_reader_certs_type)
fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type)
')
tunable_policy(`use_nfs_home_dirs',`
fs_list_auto_mountpoints(userdom_home_reader_type)
fs_read_nfs_files(userdom_home_reader_type)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files(userdom_home_reader_type)
')
tunable_policy(`use_fusefs_home_dirs',`
fs_read_fusefs_files(userdom_home_reader_type)
')
tunable_policy(`use_ecryptfs_home_dirs',`
fs_read_ecryptfs_files(userdom_home_reader_type)
fs_read_ecryptfs_symlinks(userdom_home_reader_type)
')
tunable_policy(`use_nfs_home_dirs',`
fs_list_auto_mountpoints(userdom_home_manager_type)
fs_manage_nfs_dirs(userdom_home_manager_type)
fs_manage_nfs_files(userdom_home_manager_type)
fs_manage_nfs_symlinks(userdom_home_manager_type)
fs_mmap_nfs_files(userdom_home_manager_type)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(userdom_home_manager_type)
fs_manage_cifs_files(userdom_home_manager_type)
fs_manage_cifs_symlinks(userdom_home_manager_type)
fs_map_cifs_files(userdom_home_manager_type)
')
tunable_policy(`use_fusefs_home_dirs',`
fs_manage_fusefs_dirs(userdom_home_manager_type)
fs_manage_fusefs_files(userdom_home_manager_type)
fs_manage_fusefs_symlinks(userdom_home_manager_type)
fs_mmap_fusefs_files(userdom_home_manager_type)
')
tunable_policy(`use_ecryptfs_home_dirs',`
fs_manage_ecryptfs_dirs(userdom_home_manager_type)
fs_manage_ecryptfs_files(userdom_home_manager_type)
fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
')
# vi /etc/mtab can cause an avc trying to relabel to self.
dontaudit userdomain self:file relabelto;
userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio")
userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music")
userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp")
userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
optional_policy(`
gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico")
#gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
')
optional_policy(`
alsa_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
apache_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
auth_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
cvs_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
gnome_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
gpg_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
irc_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
kerberos_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
mozilla_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
mta_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
pulseaudio_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
spamassassin_filetrans_home_content(userdom_filetrans_type)
spamassassin_filetrans_admin_home_content(userdom_filetrans_type)
')
optional_policy(`
ssh_filetrans_admin_home_content(userdom_filetrans_type)
ssh_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
telepathy_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
thumb_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
tvtime_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
virt_filetrans_home_content(userdom_filetrans_type)
')
optional_policy(`
xserver_filetrans_home_content(userdom_filetrans_type)
xserver_filetrans_admin_home_content(userdom_filetrans_type)
')
############################################################
# login_userdomain local policy
allow login_userdomain self:service status;
corenet_tcp_bind_xmsg_port(login_userdomain)
create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
tunable_policy(`deny_bluetooth',`',`
allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
')
kernel_watch_unlabeled_dirs(login_userdomain)
auth_watch_passwd(login_userdomain)
corecmd_watch_bin_dirs(login_userdomain)
dev_watch_generic_dirs(login_userdomain)
files_map_var_lib_files(login_userdomain)
files_read_var_lib_symlinks(login_userdomain)
files_watch_etc_dirs(login_userdomain)
files_watch_etc_files(login_userdomain)
files_watch_root_dirs(login_userdomain)
files_watch_system_conf_dirs(login_userdomain)
files_watch_usr_dirs(login_userdomain)
files_watch_usr_files(login_userdomain)
files_watch_var_lib_dirs(login_userdomain)
files_watch_var_run_dirs(login_userdomain)
files_watch_generic_tmp_dirs(login_userdomain)
fs_create_cgroup_files(login_userdomain)
fs_watch_cgroup_files(login_userdomain)
libs_watch_lib_dirs(login_userdomain)
miscfiles_watch_fonts_dirs(login_userdomain)
miscfiles_watch_localization_dirs(login_userdomain)
miscfiles_watch_localization_symlinks(login_userdomain)
mount_watch_pid_dirs(login_userdomain)
mount_watch_pid_files(login_userdomain)
mount_watch_reads_pid_files(login_userdomain)
optional_policy(`
init_mmap_read_var_lib_files(login_userdomain)
init_read_pid_files(login_userdomain)
')
optional_policy(`
accountsd_watch_lib(login_userdomain)
')
optional_policy(`
dbus_create_session_tmp_sock_files(login_userdomain)
dbus_write_session_tmp_sock_files(login_userdomain)
')
optional_policy(`
gnome_watch_generic_data_home_dirs(login_userdomain)
gnome_watch_home_config_dirs(login_userdomain)
gnome_watch_home_config_files(login_userdomain)
')
optional_policy(`
logging_mmap_journal(login_userdomain)
logging_read_syslog_pid(login_userdomain)
')
optional_policy(`
pkcs_tmpfs_named_filetrans(login_userdomain)
')
optional_policy(`
rhsmcertd_dbus_chat(login_userdomain)
')
optional_policy(`
rpc_watch_exports(login_userdomain)
')
optional_policy(`
rpm_script_rw_stream_sockets(login_userdomain)
')
optional_policy(`
systemd_login_watch_pid_dirs(login_userdomain)
systemd_login_watch_session_dirs(login_userdomain)
systemd_machined_watch_pid_dirs(login_userdomain)
systemd_passwd_watch_pid_dirs(login_userdomain)
systemd_resolved_watch_pid_dirs(login_userdomain)
')
optional_policy(`
xserver_stream_accept_xdm(login_userdomain)
')
############################################################
# Local Policy Confined Admin
#
gen_require(`
class context contains;
class passwd { passwd chfn chsh rootok };
')
allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };
allow confined_admindomain self:capability2 { block_suspend syslog };
allow confined_admindomain self:cap_userns { setpcap };
allow confined_admindomain self:process { setexec setfscreate };
allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv;
allow confined_admindomain self:tun_socket create_socket_perms;
allow confined_admindomain self:packet_socket create_socket_perms;
# Set password information for other users.
allow confined_admindomain self:passwd { passwd chfn chsh };
# Skip authentication when pam_rootok is specified.
allow confined_admindomain self:passwd rootok;
corecmd_shell_entry_type(confined_admindomain)
corecmd_bin_entry_type(confined_admindomain)
term_user_pty(confined_admindomain, user_devpts_t)
term_user_tty(confined_admindomain, user_tty_device_t)
term_dontaudit_getattr_generic_ptys(confined_admindomain)
allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
tunable_policy(`deny_ptrace',`',`
allow confined_admindomain self:process ptrace;
')
allow confined_admindomain self:fd use;
allow confined_admindomain self:key manage_key_perms;
allow confined_admindomain self:fifo_file rw_fifo_file_perms;
allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto };
allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto };
allow confined_admindomain self:shm create_shm_perms;
allow confined_admindomain self:sem create_sem_perms;
allow confined_admindomain self:msgq create_msgq_perms;
allow confined_admindomain self:msg { send receive };
allow confined_admindomain self:context contains;
dontaudit confined_admindomain self:socket create;
allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
term_create_pty(confined_admindomain, user_devpts_t)
term_use_generic_ptys(confined_admindomain)
# avoid annoying messages on terminal hangup on role change
dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
# avoid annoying messages on terminal hangup on role change
dontaudit confined_admindomain user_tty_device_t:chr_file ioctl;
application_exec_all(confined_admindomain)
kernel_read_kernel_sysctls(confined_admindomain)
kernel_read_all_sysctls(confined_admindomain)
kernel_dontaudit_list_unlabeled(confined_admindomain)
kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
kernel_dontaudit_list_proc(confined_admindomain)
dev_dontaudit_getattr_all_blk_files(confined_admindomain)
dev_dontaudit_getattr_all_chr_files(confined_admindomain)
dev_getattr_mtrr_dev(confined_admindomain)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state(confined_admindomain)
domain_dontaudit_getattr_all_domains(confined_admindomain)
domain_dontaudit_getsession_all_domains(confined_admindomain)
dev_dontaudit_all_access_check(confined_admindomain)
files_read_etc_files(confined_admindomain)
files_list_mnt(confined_admindomain)
files_list_var(confined_admindomain)
files_read_mnt_files(confined_admindomain)
files_dontaudit_all_access_check(confined_admindomain)
files_read_etc_runtime_files(confined_admindomain)
files_read_usr_files(confined_admindomain)
files_read_usr_src_files(confined_admindomain)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable(confined_admindomain)
files_read_world_readable_files(confined_admindomain)
files_read_world_readable_symlinks(confined_admindomain)
files_read_world_readable_pipes(confined_admindomain)
files_read_world_readable_sockets(confined_admindomain)
# old broswer_domain():
files_dontaudit_getattr_all_dirs(confined_admindomain)
files_dontaudit_list_non_security(confined_admindomain)
files_dontaudit_getattr_all_files(confined_admindomain)
files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
files_dontaudit_getattr_non_security_pipes(confined_admindomain)
files_dontaudit_getattr_non_security_sockets(confined_admindomain)
files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
files_exec_usr_files(confined_admindomain)
fs_list_cgroup_dirs(confined_admindomain)
fs_dontaudit_rw_cgroup_files(confined_admindomain)
storage_rw_fuse(confined_admindomain)
init_stream_connect(confined_admindomain)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_rw_utmp(confined_admindomain)
libs_exec_ld_so(confined_admindomain)
miscfiles_read_generic_certs(confined_admindomain)
miscfiles_read_all_certs(confined_admindomain)
miscfiles_read_public_files(confined_admindomain)
systemd_dbus_chat_logind(confined_admindomain)
systemd_read_logind_sessions_files(confined_admindomain)
systemd_write_inhibit_pipes(confined_admindomain)
systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
systemd_login_read_pid_files(confined_admindomain)
tunable_policy(`deny_execmem',`', `
# Allow loading DSOs that require executable stack.
allow confined_admindomain self:process execmem;
')
tunable_policy(`selinuxuser_execstack',`
# Allow making the stack executable via mprotect.
allow confined_admindomain self:process execstack;
')
optional_policy(`
fs_list_cgroup_dirs(confined_admindomain)
')
optional_policy(`
kerberos_read_keytab(confined_admindomain)
')
optional_policy(`
rpc_rw_gssd_keys(confined_admindomain)
')
optional_policy(`
ssh_rw_stream_sockets(confined_admindomain)
ssh_delete_tmp(confined_admindomain)
ssh_signal(confined_admindomain)
')