# Home macros

################################################

# network_home(source)

#

# Allows source domain to use a network home

# This includes privileges of create and execute

# as well as the ability to create sockets and fifo

define(`network_home', `

allow $1 autofs_t:dir { search getattr };

if (use_nfs_home_dirs) {

create_dir_file($1, nfs_t)

can_exec($1, nfs_t)

allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;

}

if (use_samba_home_dirs) {

create_dir_file($1, cifs_t)

can_exec($1, cifs_t)

allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;

}

') dnl network_home

################################################

# write_network_home(source)

#

# Allows source domain to create directories and

# files on network file system

define(`write_network_home', `

allow $1 home_root_t:dir search;

if (use_nfs_home_dirs) {

create_dir_file($1, nfs_t)

}

if (use_samba_home_dirs) {

create_dir_file($1, cifs_t)

}

allow $1 autofs_t:dir { search getattr };

') dnl write_network_home

################################################

# read_network_home(source)

#

# Allows source domain to read directories and

# files on network file system

define(`read_network_home', `

allow $1 home_root_t:dir search;

if (use_nfs_home_dirs) {

r_dir_file($1, nfs_t)

}

if (use_samba_home_dirs) {

r_dir_file($1, cifs_t)

}

allow $1 autofs_t:dir { search getattr };

') dnl read_network_home

##################################################

# home_domain_ro_access(source, user, app)

#

# Gives source access to the read-only home

# domain of app for the given user type

define(`home_domain_ro_access', `

allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };

read_network_home($1)

ifelse($3, `', `

r_dir_file($1, $2_home_t)

', `

r_dir_file($1, $2_$3_ro_home_t)

')

') dnl home_domain_ro_access

#################################################

# home_domain_access(source, user, app)

#

# Gives source full access to the home

# domain of app for the given user type

#

# Requires transition in caller

define(`home_domain_access', `

allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };

write_network_home($1)

ifelse($3, `', `

file_type_auto_trans($1, $2_home_dir_t, $2_home_t)

create_dir_file($1, $2_home_t)

', `

create_dir_file($1, $2_$3_home_t)

')

') dnl home_domain_access

####################################################################

# home_domain (prefix, app)

#

# Creates a domain in the prefix home where an application can

# store its settings. It is accessible by the prefix domain.

#

# Requires transition in caller

define(`home_domain', `

# Declare home domain

type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;

typealias $1_$2_home_t alias $1_$2_rw_t;

# User side access

create_dir_file($1_t, $1_$2_home_t)

allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };

# App side access

home_domain_access($1_$2_t, $1, $2)

')

####################################################################

# home_domain_ro (user, app)

#

# Creates a read-only domain in the user home where an application can

# store its settings. It is fully accessible by the user, but

# it is read-only for the application.

#

define(`home_domain_ro', `

# Declare home domain

type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;

typealias $1_$2_ro_home_t alias $1_$2_ro_t;

# User side access

create_dir_file($1_t, $1_$2_ro_home_t)

allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };

# App side access

home_domain_ro_access($1_$2_t, $1, $2)

')