## <summary>Policy for user domains</summary>

#######################################

## <summary>

##	The template containing the most basic rules common to all users.

## </summary>

## <desc>

##	

##	The template containing the most basic rules common to all users.

##	

##	

##	This template creates a user domain, types, and

##	rules for the user's tty and pty.

##	

## </desc>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

## <rolebase/>

#

template(`userdom_base_user_template',`

	gen_require(`

		attribute userdomain;

		type user_devpts_t, user_tty_device_t;

		class context contains;

	')

	attribute $1_file_type;

	type $1_t, userdomain;

	domain_type($1_t)

	corecmd_shell_entry_type($1_t)

	corecmd_bin_entry_type($1_t)

	domain_user_exemption_target($1_t)

	ubac_constrained($1_t)

	role $1_r types $1_t;

	allow system_r $1_r;

	term_user_pty($1_t, user_devpts_t)

	term_user_tty($1_t, user_tty_device_t)

	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };

	allow $1_t self:fd use;

	allow $1_t self:fifo_file rw_fifo_file_perms;

	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };

	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };

	allow $1_t self:shm create_shm_perms;

	allow $1_t self:sem create_sem_perms;

	allow $1_t self:msgq create_msgq_perms;

	allow $1_t self:msg { send receive };

	allow $1_t self:context contains;

	dontaudit $1_t self:socket create;

	allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };

	term_create_pty($1_t, user_devpts_t)

	# avoid annoying messages on terminal hangup on role change

	dontaudit $1_t user_devpts_t:chr_file ioctl;

	allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };

	# avoid annoying messages on terminal hangup on role change

	dontaudit $1_t user_tty_device_t:chr_file ioctl;

	kernel_read_kernel_sysctls($1_t)

	kernel_dontaudit_list_unlabeled($1_t)

	kernel_dontaudit_getattr_unlabeled_files($1_t)

	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)

	kernel_dontaudit_getattr_unlabeled_pipes($1_t)

	kernel_dontaudit_getattr_unlabeled_sockets($1_t)

	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)

	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)

	dev_dontaudit_getattr_all_blk_files($1_t)

	dev_dontaudit_getattr_all_chr_files($1_t)

	# When the user domain runs ps, there will be a number of access

	# denials when ps tries to search /proc. Do not audit these denials.

	domain_dontaudit_read_all_domains_state($1_t)

	domain_dontaudit_getattr_all_domains($1_t)

	domain_dontaudit_getsession_all_domains($1_t)

	files_read_etc_files($1_t)

	files_read_etc_runtime_files($1_t)

	files_read_usr_files($1_t)

	# Read directories and files with the readable_t type.

	# This type is a general type for "world"-readable files.

	files_list_world_readable($1_t)

	files_read_world_readable_files($1_t)

	files_read_world_readable_symlinks($1_t)

	files_read_world_readable_pipes($1_t)

	files_read_world_readable_sockets($1_t)

	# old broswer_domain():

	files_dontaudit_list_non_security($1_t)

	files_dontaudit_getattr_non_security_files($1_t)

	files_dontaudit_getattr_non_security_symlinks($1_t)

	files_dontaudit_getattr_non_security_pipes($1_t)

	files_dontaudit_getattr_non_security_sockets($1_t)

	libs_exec_ld_so($1_t)

	miscfiles_read_localization($1_t)

	miscfiles_read_certs($1_t)

	sysnet_read_config($1_t)

	tunable_policy(`allow_execmem',`

		# Allow loading DSOs that require executable stack.

		allow $1_t self:process execmem;

	')

	tunable_policy(`allow_execmem && allow_execstack',`

		# Allow making the stack executable via mprotect.

		allow $1_t self:process execstack;

	')

')

#######################################

## <summary>

##	Allow a home directory for which the

##	role has read-only access.

## </summary>

## <desc>

##	

##	Allow a home directory for which the

##	role has read-only access.

##	

##	

##	This does not allow execute access.

##	

## </desc>

## <param name="role">

##	<summary>

##	The user role

##	</summary>

## </param>

## <param name="userdomain">

##	<summary>

##	The user domain

##	</summary>

## </param>

## <rolebase/>

#

interface(`userdom_ro_home_role',`

	gen_require(`

		type user_home_t, user_home_dir_t;

	')

	role $1 types { user_home_t user_home_dir_t };

	##############################

	#

	# Domain access to home dir

	#

	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# read-only home directory

	allow $2 user_home_dir_t:dir list_dir_perms;

	allow $2 user_home_t:dir list_dir_perms;

	allow $2 user_home_t:file entrypoint;

	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)

	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)

	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)

	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)

	files_list_home($2)

	tunable_policy(`use_nfs_home_dirs',`

		fs_list_nfs($2)

		fs_read_nfs_files($2)

		fs_read_nfs_symlinks($2)

		fs_read_nfs_named_sockets($2)

		fs_read_nfs_named_pipes($2)

	',`

		fs_dontaudit_list_nfs($2)

		fs_dontaudit_read_nfs_files($2)

	')

	tunable_policy(`use_samba_home_dirs',`

		fs_list_cifs($2)

		fs_read_cifs_files($2)

		fs_read_cifs_symlinks($2)

		fs_read_cifs_named_sockets($2)

		fs_read_cifs_named_pipes($2)

	',`

		fs_dontaudit_list_cifs($2)

		fs_dontaudit_read_cifs_files($2)

	')

')

#######################################

## <summary>

##	Allow a home directory for which the

##	role has full access.

## </summary>

## <desc>

##	

##	Allow a home directory for which the

##	role has full access.

##	

##	

##	This does not allow execute access.

##	

## </desc>

## <param name="role">

##	<summary>

##	The user role

##	</summary>

## </param>

## <param name="userdomain">

##	<summary>

##	The user domain

##	</summary>

## </param>

## <rolebase/>

#

interface(`userdom_manage_home_role',`

	gen_require(`

		type user_home_t, user_home_dir_t;

	')

	role $1 types { user_home_t user_home_dir_t };

	##############################

	#

	# Domain access to home dir

	#

	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# full control of the home directory

	allow $2 user_home_t:file entrypoint;

	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })

	files_list_home($2)

	# cjp: this should probably be removed:

	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

	tunable_policy(`use_nfs_home_dirs',`

		fs_manage_nfs_dirs($2)

		fs_manage_nfs_files($2)

		fs_manage_nfs_symlinks($2)

		fs_manage_nfs_named_sockets($2)

		fs_manage_nfs_named_pipes($2)

	',`

		fs_dontaudit_manage_nfs_dirs($2)

		fs_dontaudit_manage_nfs_files($2)

	')

	tunable_policy(`use_samba_home_dirs',`

		fs_manage_cifs_dirs($2)

		fs_manage_cifs_files($2)

		fs_manage_cifs_symlinks($2)

		fs_manage_cifs_named_sockets($2)

		fs_manage_cifs_named_pipes($2)

	',`

		fs_dontaudit_manage_cifs_dirs($2)

		fs_dontaudit_manage_cifs_files($2)

	')

')

#######################################

## <summary>

##	Manage user temporary files

## </summary>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <rolebase/>

#

interface(`userdom_manage_tmp_role',`

	gen_require(`

		type user_tmp_t;

	')

	role $1 types user_tmp_t;

	files_poly_member_tmp($2, user_tmp_t)

	manage_dirs_pattern($2, user_tmp_t, user_tmp_t)

	manage_files_pattern($2, user_tmp_t, user_tmp_t)

	manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)

	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)

	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)

	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })

')

#######################################

## <summary>

##	The execute access user temporary files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <rolebase/>

#

interface(`userdom_exec_user_tmp_files',`

	gen_require(`

		type user_tmp_t;

	')

	exec_files_pattern($1, user_tmp_t, user_tmp_t)

	files_search_tmp($1)

')

#######################################

## <summary>

##	Role access for the user tmpfs type

##	that the user has full access.

## </summary>

## <desc>

##	

##	Role access for the user tmpfs type

##	that the user has full access.

##	

##	

##	This does not allow execute access.

##	

## </desc>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`userdom_manage_tmpfs_role',`

	gen_require(`

		type user_tmpfs_t;

	')

	role $1 types user_tmpfs_t;

	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)

	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)

	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)

	manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)

	manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)

	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })

')

#######################################

## <summary>

##	The template allowing the user basic

##	network permissions

## </summary>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

## <rolebase/>

#

template(`userdom_basic_networking_template',`

	gen_require(`

		type $1_t;

	')

	allow $1_t self:tcp_socket create_stream_socket_perms;

	allow $1_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled($1_t)

	corenet_all_recvfrom_netlabel($1_t)

	corenet_tcp_sendrecv_generic_if($1_t)

	corenet_udp_sendrecv_generic_if($1_t)

	corenet_tcp_sendrecv_generic_node($1_t)

	corenet_udp_sendrecv_generic_node($1_t)

	corenet_tcp_sendrecv_all_ports($1_t)

	corenet_udp_sendrecv_all_ports($1_t)

	corenet_tcp_connect_all_ports($1_t)

	corenet_sendrecv_all_client_packets($1_t)

	corenet_all_recvfrom_labeled($1_t, $1_t)

	optional_policy(`

		init_tcp_recvfrom_all_daemons($1_t)

		init_udp_recvfrom_all_daemons($1_t)

	')

	optional_policy(`

		ipsec_match_default_spd($1_t)

	')

')

#######################################

## <summary>

##	The template for creating a user xwindows client.  (Deprecated)

## </summary>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

## <rolebase/>

#

template(`userdom_xwindows_client_template',`

	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')

	gen_require(`

		type $1_t, user_tmpfs_t;

	')

	dev_rw_xserver_misc($1_t)

	dev_rw_power_management($1_t)

	dev_read_input($1_t)

	dev_read_misc($1_t)

	dev_write_misc($1_t)

	# open office is looking for the following

	dev_getattr_agp_dev($1_t)

	dev_dontaudit_rw_dri($1_t)

	# GNOME checks for usb and other devices:

	dev_rw_usbfs($1_t)

	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)

	xserver_xsession_entry_type($1_t)

	xserver_dontaudit_write_log($1_t)

	xserver_stream_connect_xdm($1_t)

	# certain apps want to read xdm.pid file

	xserver_read_xdm_pid($1_t)

	# gnome-session creates socket under /tmp/.ICE-unix/

	xserver_create_xdm_tmp_sockets($1_t)

	# Needed for escd, remove if we get escd policy

	xserver_manage_xdm_tmp_files($1_t)

')

#######################################

## <summary>

##	The template for allowing the user to change passwords.

## </summary>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

## <rolebase/>

#

template(`userdom_change_password_template',`

	gen_require(`

		type $1_t;

		role $1_r;

	')

	optional_policy(`

		usermanage_run_chfn($1_t,$1_r)

		usermanage_run_passwd($1_t,$1_r)

	')

')

#######################################

## <summary>

##	The template containing rules common to unprivileged

##	users and administrative users.

## </summary>

## <desc>

##	

##	This template creates a user domain, types, and

##	rules for the user's tty, pty, tmp, and tmpfs files.

##	

## </desc>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

#

template(`userdom_common_user_template',`

	gen_require(`

		attribute unpriv_userdomain;

	')

	userdom_basic_networking_template($1)

	##############################

	#

	# User domain Local policy

	#

	# evolution and gnome-session try to create a netlink socket

	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };

	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	allow $1_t unpriv_userdomain:fd use;

	kernel_read_system_state($1_t)

	kernel_read_network_state($1_t)

	kernel_read_net_sysctls($1_t)

	# Very permissive allowing every domain to see every type:

	kernel_get_sysvipc_info($1_t)

	# Find CDROM devices:

	kernel_read_device_sysctls($1_t)

	corecmd_exec_bin($1_t)

	corenet_udp_bind_generic_node($1_t)

	corenet_udp_bind_generic_port($1_t)

	dev_read_rand($1_t)

	dev_write_sound($1_t)

	dev_read_sound($1_t)

	dev_read_sound_mixer($1_t)

	dev_write_sound_mixer($1_t)

	files_exec_etc_files($1_t)

	files_search_locks($1_t)

	# Check to see if cdrom is mounted

	files_search_mnt($1_t)

	# cjp: perhaps should cut back on file reads:

	files_read_var_files($1_t)

	files_read_var_symlinks($1_t)

	files_read_generic_spool($1_t)

	files_read_var_lib_files($1_t)

	# Stat lost+found.

	files_getattr_lost_found_dirs($1_t)

	# cjp: some of this probably can be removed

	selinux_get_fs_mount($1_t)

	selinux_validate_context($1_t)

	selinux_compute_access_vector($1_t)

	selinux_compute_create_context($1_t)

	selinux_compute_relabel_context($1_t)

	selinux_compute_user_contexts($1_t)

	# for eject

	storage_getattr_fixed_disk_dev($1_t)

	auth_use_nsswitch($1_t)

	auth_read_login_records($1_t)

	auth_search_pam_console_data($1_t)

	auth_run_pam($1_t,$1_r)

	auth_run_utempter($1_t,$1_r)

	init_read_utmp($1_t)

	seutil_read_file_contexts($1_t)

	seutil_read_default_contexts($1_t)

	seutil_run_newrole($1_t,$1_r)

	seutil_exec_checkpolicy($1_t)

	seutil_exec_setfiles($1_t)

	# for when the network connection is killed

	# this is needed when a login role can change

	# to this one.

	seutil_dontaudit_signal_newrole($1_t)

	tunable_policy(`user_direct_mouse',`

		dev_read_mouse($1_t)

	')

	tunable_policy(`user_ttyfile_stat',`

		term_getattr_all_ttys($1_t)

	')

	optional_policy(`

		alsa_read_rw_config($1_t)

	')

	optional_policy(`

		# Allow graphical boot to check battery lifespan

		apm_stream_connect($1_t)

	')

	optional_policy(`

		canna_stream_connect($1_t)

	')

	optional_policy(`

		dbus_system_bus_client($1_t)

		optional_policy(`

			bluetooth_dbus_chat($1_t)

		')

		optional_policy(`

			evolution_dbus_chat($1_t)

			evolution_alarm_dbus_chat($1_t)

		')

		optional_policy(`

			cups_dbus_chat_config($1_t)

		')

		optional_policy(`

			hal_dbus_chat($1_t)

		')

		optional_policy(`

			networkmanager_dbus_chat($1_t)

		')

	')

	optional_policy(`

		inetd_use_fds($1_t)

		inetd_rw_tcp_sockets($1_t)

	')

	optional_policy(`

		inn_read_config($1_t)

		inn_read_news_lib($1_t)

		inn_read_news_spool($1_t)

	')

	optional_policy(`

		locate_read_lib_files($1_t)

	')

	# for running depmod as part of the kernel packaging process

	optional_policy(`

		modutils_read_module_config($1_t)

	')

	optional_policy(`

		mta_rw_spool($1_t)

	')

	optional_policy(`

		tunable_policy(`allow_user_mysql_connect',`

			mysql_stream_connect($1_t)

		')

	')

	optional_policy(`

		# to allow monitoring of pcmcia status

		pcmcia_read_pid($1_t)

	')

	optional_policy(`

		pcscd_read_pub_files($1_t)

		pcscd_stream_connect($1_t)

	')

	optional_policy(`

		tunable_policy(`allow_user_postgresql_connect',`

			postgresql_stream_connect($1_t)

			postgresql_tcp_connect($1_t)

		')

	')

	optional_policy(`

		resmgr_stream_connect($1_t)

	')

	optional_policy(`

		rpc_dontaudit_getattr_exports($1_t)

		rpc_manage_nfs_rw_content($1_t)

	')

	optional_policy(`

		samba_stream_connect_winbind($1_t)

	')

	optional_policy(`

		slrnpull_search_spool($1_t)

	')

	optional_policy(`

		usernetctl_run($1_t,$1_r)

	')

')

#######################################

## <summary>

##	The template for creating a login user.

## </summary>

## <desc>

##	

##	This template creates a user domain, types, and

##	rules for the user's tty, pty, home directories,

##	tmp, and tmpfs files.

##	

## </desc>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

#

template(`userdom_login_user_template', `

	gen_require(`

		class context contains;

	')

	userdom_base_user_template($1)

	userdom_manage_home_role($1_r, $1_t)

	userdom_manage_tmp_role($1_r, $1_t)

	userdom_manage_tmpfs_role($1_r, $1_t)

	userdom_exec_user_tmp_files($1_t)

	userdom_exec_user_home_content_files($1_t)

	userdom_change_password_template($1)

	##############################

	#

	# User domain Local policy

	#

	allow $1_t self:capability { setgid chown fowner };

	dontaudit $1_t self:capability { sys_nice fsetid };

	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };

	dontaudit $1_t self:process setrlimit;

	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	allow $1_t self:context contains;

	kernel_dontaudit_read_system_state($1_t)

	dev_read_sysfs($1_t)

	dev_read_urand($1_t)

	domain_use_interactive_fds($1_t)

	# Command completion can fire hundreds of denials

	domain_dontaudit_exec_all_entry_files($1_t)

	files_dontaudit_list_default($1_t)

	files_dontaudit_read_default_files($1_t)

	# Stat lost+found.

	files_getattr_lost_found_dirs($1_t)

	fs_get_all_fs_quotas($1_t)

	fs_getattr_all_fs($1_t)

	fs_getattr_all_dirs($1_t)

	fs_search_auto_mountpoints($1_t)

	fs_list_inotifyfs($1_t)

	fs_rw_anon_inodefs_files($1_t)

	auth_dontaudit_write_login_records($1_t)

	application_exec_all($1_t)

	# The library functions always try to open read-write first,

	# then fall back to read-only if it fails. 

	init_dontaudit_rw_utmp($1_t)

	# Stop warnings about access to /dev/console

	init_dontaudit_use_fds($1_t)

	init_dontaudit_use_script_fds($1_t)

	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_man_pages($1_t)

	# for running TeX programs

	miscfiles_read_tetex_data($1_t)

	miscfiles_exec_tetex_data($1_t)

	seutil_read_config($1_t)

	optional_policy(`

		cups_read_config($1_t)

		cups_stream_connect($1_t)

		cups_stream_connect_ptal($1_t)

	')

	optional_policy(`

		kerberos_use($1_t)

	')

	optional_policy(`

		mta_dontaudit_read_spool_symlinks($1_t)

	')

	optional_policy(`

		quota_dontaudit_getattr_db($1_t)

	')

	optional_policy(`

		rpm_read_db($1_t)

		rpm_dontaudit_manage_db($1_t)

	')

')

#######################################

## <summary>

##	The template for creating a unprivileged login user.

## </summary>

## <desc>

##	

##	This template creates a user domain, types, and

##	rules for the user's tty, pty, home directories,

##	tmp, and tmpfs files.

##	

## </desc>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

#

template(`userdom_restricted_user_template',`

	gen_require(`

		attribute unpriv_userdomain;

	')

	userdom_login_user_template($1)

	typeattribute $1_t unpriv_userdomain;

	domain_interactive_fd($1_t)

	##############################

	#

	# Local policy

	#

	optional_policy(`

		loadkeys_run($1_t,$1_r)

	')

')

#######################################

## <summary>

##	The template for creating a unprivileged xwindows login user.

## </summary>

## <desc>

##	

##	The template for creating a unprivileged xwindows login user.

##	

##	

##	This template creates a user domain, types, and

##	rules for the user's tty, pty, home directories,

##	tmp, and tmpfs files.

##	

## </desc>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

#

template(`userdom_restricted_xwindows_user_template',`

	userdom_restricted_user_template($1)

	##############################

	#

	# Local policy

	#

	auth_role($1_r, $1_t)

	auth_search_pam_console_data($1_t)