#DESC User - Domains for ordinary users.

#

#################################

# Booleans for user domains.

# Allow users to read system messages.

bool user_dmesg false;

# Support NFS home directories

bool use_nfs_home_dirs false;

# Allow execution of anonymous mappings, e.g. executable stack.

bool allow_execmem false;

# Support Share libraries with Text Relocation

bool allow_execmod false;

# Support SAMBA home directories

bool use_samba_home_dirs false;

# Allow users to run TCP servers (bind to ports and accept connection from

# the same domain and outside users)  disabling this forces FTP passive mode

# and may change other protocols 

bool user_tcp_server false;

# Allow system to run with NIS

bool allow_ypbind false;

# Allow system to run with kerberos

bool allow_kerberos false;

# Allow users to rw usb devices

bool user_rw_usb false;

# Allow users to control network interfaces (also needs USERCTL=true)

bool user_net_control false;

# Allow regular users direct mouse access 

bool user_direct_mouse false;

# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)

bool user_rw_noexattrfile false;

# Allow reading of default_t files.

bool read_default_t false;

# Allow staff_r users to search the sysadm home dir and read

# files (such as ~/.bashrc)

bool staff_read_sysadm_file false;

# change from role $1_r to $2_r and relabel tty appropriately

define(`role_tty_type_change', `

allow $1_r $2_r;

type_change $2_t $1_devpts_t:chr_file $2_devpts_t;

type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;

# avoid annoying messages on terminal hangup

dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;

')

# Reach sysadm_t via programs like userhelper/sudo/su

undefine(`reach_sysadm')

define(`reach_sysadm', `

ifdef(`userhelper.te', `userhelper_domain($1)')

ifdef(`sudo.te', `sudo_domain($1)')

ifdef(`su.te', `

su_domain($1)

# When an ordinary user domain runs su, su may try to

# update the /root/.Xauthority file, and the user shell may

# try to update the shell history. This is not allowed, but 

# we dont need to audit it.

dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;

dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;

dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;

') dnl ifdef su.te

')

# Privileged user domain

undefine(`priv_user')

define(`priv_user', `

# Reach sysadm_t

reach_sysadm($1)

# Read file_contexts for rpm and get security decisions. 

r_dir_file($1_t, file_context_t)

can_getsecurity($1_t)

# Signal and see information about unprivileged user domains.

allow $1_t unpriv_userdomain:process signal_perms;

can_ps($1_t, unpriv_userdomain)

allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;

# Read /root files if boolean is enabled.

if (staff_read_sysadm_file) {

allow $1_t sysadm_home_dir_t:dir { getattr search };

allow $1_t sysadm_home_t:file { getattr read };

}

') dnl priv_user

full_user_role(user)

ifdef(`user_canbe_sysadm', `

reach_sysadm(user)

role_tty_type_change(user, sysadm)

')

#  Do not add any rules referring to user_t to this file!  That will break

#  support for multiple user roles.

# a role for staff that allows seeing all domains and control over the user_t

# domain

full_user_role(staff)

priv_user(staff)

# if adding new user roles make sure you edit the in_user_role macro in

# macros/user_macros.te to match

# lots of user programs accidentally search /root, and also the admin often

# logs in as UID=0 domain=user_t...

dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };

#

# Allow the user roles to transition

# into each other.

role_tty_type_change(sysadm, user)

role_tty_type_change(staff, sysadm)

role_tty_type_change(sysadm, staff)

# "ps aux" and "ls -l /dev/pts" make too much noise without this

dontaudit unpriv_userdomain ptyfile:chr_file getattr;