#
# Macros for all user login domains.
#
#
# mini_user_domain(domain_prefix)
#
# Define derived types and rules for a minimal-privilege user domain named
# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
#
# Discard any earlier definition of the macro before defining it again.
undefine(`mini_user_domain')
define(`mini_user_domain',`
# NOTE(review): this text sits inside an m4 quoted string, so comments added
# here must not contain backquote or apostrophe characters.
#
# $1_t (e.g. user_t) is the unprivileged user domain; $1_mini_t, declared
# here with the domain and user_mini_domain attributes, is its minimal
# counterpart.
type $1_mini_t, domain, user_mini_domain;

# for ~/.bash_profile and other files that the mini domain should be allowed
# to read (but not write)
# $1_t may create these files and relabel to and from this type, so their
# content is controlled by the full user domain; $1_mini_t only receives
# r_file_perms (defined elsewhere; presumably read-only - TODO confirm).
type $1_home_mini_t, file_type, sysadmfile;
allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
allow $1_mini_t $1_home_mini_t:file r_file_perms;

# $1_r is authorized for $1_mini_t for the initial login domain.
role $1_r types $1_mini_t;
# uses_shlib and pty_slave_label are macros defined elsewhere; presumably they
# grant shared library access and declare the $1_mini_devpts_t pty type used
# below - TODO confirm against their definitions.
uses_shlib($1_mini_t)
pty_slave_label($1_mini, `, userpty_type, mini_pty_type')

# Terminal access, read-only access to files of type etc_t and etc_runtime_t,
# and the process/IPC permissions the domain holds on itself.
allow $1_mini_t devtty_t:chr_file rw_file_perms;
allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
# dontaudit leaves the access denied and only suppresses the audit record, so
# denied accesses covered by the dontaudit rules in this macro will not show
# up in the audit log.
dontaudit $1_mini_t proc_t:dir { getattr search };
allow $1_mini_t self:unix_stream_socket create_socket_perms;
allow $1_mini_t self:fifo_file rw_file_perms;
allow $1_mini_t self:process { fork sigchld setpgid };
dontaudit $1_mini_t var_t:dir search;
# Directories of type bin_t and sbin_t are searchable, but only bin_t is
# passed to can_exec further down.
allow $1_mini_t { bin_t sbin_t }:dir search;

dontaudit $1_mini_t device_t:dir { getattr read };
dontaudit $1_mini_t devpts_t:dir { getattr read };
dontaudit $1_mini_t proc_t:lnk_file read;

# can_exec is defined elsewhere; presumably it lets $1_mini_t run bin_t
# programs without leaving the domain - TODO confirm.
can_exec($1_mini_t, bin_t)
# The home directory tree may be traversed (search only); listing it and
# access to ordinary $1_home_t files are silently denied by the dontaudit
# rules that follow.
allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
dontaudit $1_mini_t home_root_t:dir getattr;
dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
dontaudit $1_mini_t $1_home_t:file { append getattr read write };

dontaudit $1_mini_t fs_t:filesystem getattr;

# type_change names the type a relabeling-aware program should give the
# object; it grants no access by itself.
type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
# uncomment this if using mini domains for console logins
#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;

type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;

# domain_auto_trans is defined elsewhere; presumably executing a
# newrole_exec_t file moves the process into newrole_t. This is the only
# domain transition rule in this macro - TODO confirm that newrole_t
# authenticates the user before any move to $1_t.
domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
')dnl end mini_user_domain definition