## <summary>Generic unprivileged user role</summary>

########################################

## <summary>

##	Change to the generic user role.

## </summary>

## <param name="prefix">

##	<summary>

##	The prefix of the user role (e.g., user

##	is the prefix for user_r).

##	</summary>

## </param>

## <rolecap/>

#

template(`unprivuser_role_change_template',`

	userdom_role_change_template($1, user)

')

########################################

## <summary>

##	Change from the generic user role.

## </summary>

## <desc>

##	

##	Change from the generic user role to

##	the specified role.

##	

##	

##	This is a template to support third party modules

##	and its use is not allowed in upstream reference

##	policy.

##	

## </desc>

## <param name="prefix">

##	<summary>

##	The prefix of the user role (e.g., user

##	is the prefix for user_r).

##	</summary>

## </param>

## <rolecap/>

#

template(`unprivuser_role_change_to_template',`

	userdom_role_change_template(user, $1)

')

########################################

## <summary>

##	Create generic user home directories

##	with automatic file type transition.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_home_filetrans_home_dir',`

	gen_require(`

		type user_home_dir_t;

	')

	files_home_filetrans($1, user_home_dir_t, dir)

')

########################################

## <summary>

##	Search generic user home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_search_home_dirs',`

	gen_require(`

		type user_home_dir_t;

	')

	allow $1 user_home_dir_t:dir search_dir_perms;

')

########################################

## <summary>

##	Create objects in generic user home directories

##	with automatic file type transition.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <param name="object_class">

##	<summary>

##	The class of the object to be created.

##	If not specified, file is used.

##	</summary>

## </param>

#

interface(`unprivuser_home_dir_filetrans_home_content',`

	gen_require(`

		type user_home_dir_t, user_home_t;

	')

	files_search_home($1)

	filetrans_pattern($1, user_home_dir_t, user_home_t, $2)

')

########################################

## <summary>

##	Don't audit search on the user home subdirectory.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_dontaudit_search_home_dirs',`

	gen_require(`

		type user_home_t;

	')

	dontaudit $1 user_home_t:dir search_dir_perms;

')

########################################

## <summary>

##	Create, read, write, and delete generic user

##	home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_manage_home_dirs',`

	gen_require(`

		type user_home_dir_t;

	')

	files_search_home($1)

	allow $1 user_home_dir_t:dir manage_dir_perms;

')

########################################

## <summary>

##	Create, read, write, and delete

##	subdirectories of generic user

##	home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_manage_home_content_dirs',`

	gen_require(`

		type user_home_dir_t, user_home_t;

	')

	files_search_home($1)

	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)

')

########################################

## <summary>

##	Relabel to generic user home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_relabelto_home_dirs',`

	gen_require(`

		type user_home_dir_t;

	')

	files_search_home($1)

	allow $1 user_home_dir_t:dir relabelto;

')

########################################

## <summary>

##	Read files in generic user home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_read_home_content_files',`

	gen_require(`

		type user_home_t, user_home_dir_t;

	')

	files_search_home($1)

	allow $1 user_home_t:dir list_dir_perms;

	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)

')

########################################

## <summary>

##	Mmap of generic user

##	home files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_mmap_home_content_files',`

	gen_require(`

		type user_home_t;

	')

	files_search_home($1)

	allow $1 user_home_t:file execute;

')

########################################

## <summary>

##	Create, read, write, and delete files

##	in generic user home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_manage_home_content_files',`

	gen_require(`

		type user_home_dir_t, user_home_t;

	')

	files_search_home($1)

	manage_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)

')

########################################

## <summary>

##	Do not audit attempts to relabel generic user

##	home files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_dontaudit_relabel_home_content_files',`

	gen_require(`

		type user_home_t;

	')

	dontaudit $1 user_home_t:file { relabelto relabelfrom };

')

########################################

## <summary>

##	Create, read, write, and delete symbolic

##	links in generic user home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_manage_home_content_symlinks',`

	gen_require(`

		type user_home_dir_t, user_home_t;

	')

	files_search_home($1)

	manage_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)

')

########################################

## <summary>

##	Create, read, write, and delete named

##	pipes in generic user home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_manage_home_content_pipes',`

	gen_require(`

		type user_home_dir_t, user_home_t;

	')

	files_search_home($1)

	manage_fifo_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)

')

########################################

## <summary>

##	Create, read, write, and delete named

##	sockets in generic user home directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`unprivuser_manage_home_content_sockets',`

	gen_require(`

		type user_home_dir_t, user_home_t;

	')

	files_search_home($1)

	manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)

')