Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Macros for all user login domains.
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# role_tty_type_change(starting_role, ending_role)
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# change from role $1_r to $2_r and relabel tty appropriately
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
Chris PeBenito ab58ad
undefine(`role_tty_type_change')
Chris PeBenito ab58ad
define(`role_tty_type_change', `
Chris PeBenito ab58ad
allow $1_r $2_r;
Chris PeBenito ab58ad
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
Chris PeBenito ab58ad
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
Chris PeBenito ab58ad
# avoid annoying messages on terminal hangup
Chris PeBenito ab58ad
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# reach_sysadm(user)
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Reach sysadm_t via programs like userhelper/sudo/su
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
Chris PeBenito ab58ad
undefine(`reach_sysadm')
Chris PeBenito ab58ad
define(`reach_sysadm', `
Chris PeBenito ab58ad
ifdef(`userhelper.te', `userhelper_domain($1)')
Chris PeBenito ab58ad
ifdef(`sudo.te', `sudo_domain($1)')
Chris PeBenito ab58ad
ifdef(`su.te', `
Chris PeBenito ab58ad
su_domain($1)
Chris PeBenito ab58ad
# When an ordinary user domain runs su, su may try to
Chris PeBenito ab58ad
# update the /root/.Xauthority file, and the user shell may
Chris PeBenito ab58ad
# try to update the shell history. This is not allowed, but 
Chris PeBenito ab58ad
# we dont need to audit it.
Chris PeBenito ab58ad
dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
Chris PeBenito ab58ad
dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
Chris PeBenito ab58ad
dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
Chris PeBenito ab58ad
') dnl ifdef su.te
Chris PeBenito ab58ad
ifdef(`xauth.te', `
Chris PeBenito ab58ad
file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
Chris PeBenito ab58ad
ifdef(`userhelper.te', `
Chris PeBenito ab58ad
file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
Chris PeBenito ab58ad
') dnl userhelper.te 
Chris PeBenito ab58ad
') dnl xauth.te 
Chris PeBenito ab58ad
') dnl reach_sysadm
Chris PeBenito ab58ad
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# priv_user(user)
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Privileged user domain
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
Chris PeBenito ab58ad
undefine(`priv_user')
Chris PeBenito ab58ad
define(`priv_user', `
Chris PeBenito ab58ad
# Reach sysadm_t
Chris PeBenito ab58ad
reach_sysadm($1)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Read file_contexts for rpm and get security decisions. 
Chris PeBenito ab58ad
r_dir_file($1_t, file_context_t)
Chris PeBenito ab58ad
can_getsecurity($1_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Signal and see information about unprivileged user domains.
Chris PeBenito ab58ad
allow $1_t unpriv_userdomain:process signal_perms;
Chris PeBenito ab58ad
can_ps($1_t, unpriv_userdomain)
Chris PeBenito ab58ad
allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Read /root files if boolean is enabled.
Chris PeBenito ab58ad
if (staff_read_sysadm_file) {
Chris PeBenito ab58ad
allow $1_t sysadm_home_dir_t:dir { getattr search };
Chris PeBenito ab58ad
allow $1_t sysadm_home_t:file { getattr read };
Chris PeBenito ab58ad
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad
') dnl priv_user
Chris PeBenito ab58ad
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# user_domain(domain_prefix)
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Define derived types and rules for an ordinary user domain.
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# The type declaration and role authorization for the domain must be
Chris PeBenito ab58ad
# provided separately.  Likewise, domain transitions into this domain
Chris PeBenito ab58ad
# must be specified separately.  
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# user_domain() is also called by the admin_domain() macro
Chris PeBenito ab58ad
undefine(`user_domain')
Chris PeBenito ab58ad
define(`user_domain', `
Chris PeBenito ab58ad
# Use capabilities
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Type for home directory.
Chris PeBenito ab58ad
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
Chris PeBenito ab58ad
type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Transition manually for { lnk sock fifo }. The rest is in content macros.
Chris PeBenito ab58ad
tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
Chris PeBenito ab58ad
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
Chris PeBenito ab58ad
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
ifdef(`support_polyinstantiation', `
Chris PeBenito ab58ad
type_member $1_t tmp_t:dir $1_tmp_t;
Chris PeBenito ab58ad
type_member $1_t $1_home_dir_t:dir $1_home_t;
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
base_user_domain($1)
Chris PeBenito ab58ad
ifdef(`mls_policy', `', `
Chris PeBenito ab58ad
access_removable_media($1_t)
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# do not allow privhome access to sysadm_home_dir_t
Chris PeBenito ab58ad
file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow $1_t boot_t:dir { getattr search };
Chris PeBenito ab58ad
dontaudit $1_t boot_t:lnk_file read;
Chris PeBenito ab58ad
dontaudit $1_t boot_t:file read;
Chris PeBenito ab58ad
allow $1_t system_map_t:file { getattr read };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Instantiate derived domains for a number of programs.
Chris PeBenito ab58ad
# These derived domains encode both information about the calling
Chris PeBenito ab58ad
# user domain and the program, and allow us to maintain separation
Chris PeBenito ab58ad
# between different instances of the program being run by different
Chris PeBenito ab58ad
# user domains.
Chris PeBenito ab58ad
ifelse($1, sysadm, `',`
Chris PeBenito ab58ad
ifdef(`apache.te', `apache_user_domain($1)')
Chris PeBenito ab58ad
ifdef(`i18n_input.te', `i18n_input_domain($1)')
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
ifdef(`slocate.te', `locate_domain($1)')
Chris PeBenito ab58ad
ifdef(`lockdev.te', `lockdev_domain($1)')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
can_kerberos($1_t)
Chris PeBenito ab58ad
# allow port_t name binding for UDP because it is not very usable otherwise
Chris PeBenito ab58ad
allow $1_t port_t:udp_socket name_bind;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Need the following rule to allow users to run vpnc
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
ifdef(`xserver.te', `
Chris PeBenito ab58ad
allow $1_t xserver_port_t:tcp_socket name_bind;
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Allow users to run TCP servers (bind to ports and accept connection from
Chris PeBenito ab58ad
# the same domain and outside users)  disabling this forces FTP passive mode
Chris PeBenito ab58ad
# and may change other protocols
Chris PeBenito ab58ad
if (user_tcp_server) {
Chris PeBenito ab58ad
allow $1_t port_t:tcp_socket name_bind;
Chris PeBenito ab58ad
}
Chris PeBenito ab58ad
# port access is audited even if dac would not have allowed it, so dontaudit it here
Chris PeBenito ab58ad
dontaudit $1_t { reserved_port_type reserved_port_t }:tcp_socket name_bind;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Allow system log read
Chris PeBenito ab58ad
if (user_dmesg) {
Chris PeBenito ab58ad
allow $1_t kernel_t:system syslog_read;
Chris PeBenito ab58ad
} else {
Chris PeBenito ab58ad
# else do not log it
Chris PeBenito ab58ad
dontaudit $1_t kernel_t:system syslog_read;
Chris PeBenito ab58ad
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Allow read access to utmp.
Chris PeBenito ab58ad
allow $1_t initrc_var_run_t:file { getattr read lock };
Chris PeBenito ab58ad
# The library functions always try to open read-write first,
Chris PeBenito ab58ad
# then fall back to read-only if it fails. 
Chris PeBenito ab58ad
# Do not audit write denials to utmp to avoid the noise.
Chris PeBenito ab58ad
dontaudit $1_t initrc_var_run_t:file write;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# do not audit read on disk devices
Chris PeBenito ab58ad
dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
ifdef(`xdm.te', `
Chris PeBenito ab58ad
allow xdm_t $1_home_t:lnk_file read;
Chris PeBenito ab58ad
allow xdm_t $1_home_t:dir search;
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
Chris PeBenito ab58ad
# 
Chris PeBenito ab58ad
dontaudit xdm_t $1_home_t:file rw_file_perms;
Chris PeBenito ab58ad
')dnl end ifdef xdm.te
Chris PeBenito ab58ad
Chris PeBenito ab58ad
ifdef(`ftpd.te', `
Chris PeBenito ab58ad
if (ftp_home_dir) {
Chris PeBenito ab58ad
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
Chris PeBenito ab58ad
}
Chris PeBenito ab58ad
')dnl end ifdef ftpd
Chris PeBenito ab58ad
Chris PeBenito ab58ad
Chris PeBenito ab58ad
')dnl end user_domain macro
Chris PeBenito ab58ad
Chris PeBenito ab58ad
Chris PeBenito ab58ad
###########################################################################
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Domains for ordinary users.
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
undefine(`limited_user_role')
Chris PeBenito ab58ad
define(`limited_user_role', `
Chris PeBenito ab58ad
# user_t/$1_t is an unprivileged users domain.
Chris PeBenito ab58ad
type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
#Type for tty devices.
Chris PeBenito ab58ad
type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
Chris PeBenito ab58ad
# Type and access for pty devices.
Chris PeBenito ab58ad
can_create_pty($1, `, userpty_type, user_tty_type')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Access ttys.
Chris PeBenito ab58ad
allow $1_t privfd:fd use;
Chris PeBenito ab58ad
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Grant read/search permissions to some of /proc.
Chris PeBenito ab58ad
r_dir_file($1_t, proc_t)
Chris PeBenito ab58ad
# netstat needs to access proc_net_t; if you want to hide this info use dontaudit here instead
Chris PeBenito ab58ad
r_dir_file($1_t, proc_net_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
base_file_read_access($1_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Execute from the system shared libraries.
Chris PeBenito ab58ad
uses_shlib($1_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Read /etc.
Chris PeBenito ab58ad
r_dir_file($1_t, etc_t)
Chris PeBenito ab58ad
allow $1_t etc_runtime_t:file r_file_perms;
Chris PeBenito ab58ad
allow $1_t etc_runtime_t:lnk_file { getattr read };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow $1_t self:process { fork sigchld setpgid signal_perms };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# read localization information
Chris PeBenito ab58ad
read_locale($1_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
read_sysctl($1_t)
Chris PeBenito ab58ad
can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow $1_t self:dir search;
Chris PeBenito ab58ad
allow $1_t self:file { getattr read };
Chris PeBenito ab58ad
allow $1_t self:fifo_file rw_file_perms;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow $1_t self:lnk_file read;
Chris PeBenito ab58ad
allow $1_t self:unix_stream_socket create_socket_perms;
Chris PeBenito ab58ad
allow $1_t urandom_device_t:chr_file { getattr read };
Chris PeBenito ab58ad
dontaudit $1_t { var_spool_t var_log_t }:dir search;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Read /dev directories and any symbolic links.
Chris PeBenito ab58ad
allow $1_t device_t:dir r_dir_perms;
Chris PeBenito ab58ad
allow $1_t device_t:lnk_file { getattr read };
Chris PeBenito ab58ad
allow $1_t devtty_t:chr_file { read write };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
undefine(`full_user_role')
Chris PeBenito ab58ad
define(`full_user_role', `
Chris PeBenito ab58ad
Chris PeBenito ab58ad
limited_user_role($1)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
typeattribute  $1_t web_client_domain;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
attribute $1_file_type;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
ifdef(`useradd.te', `
Chris PeBenito ab58ad
# Useradd relabels /etc/skel files so needs these privs 
Chris PeBenito ab58ad
allow useradd_t $1_file_type:dir create_dir_perms;
Chris PeBenito ab58ad
allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
can_exec($1_t, usr_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Read directories and files with the readable_t type.
Chris PeBenito ab58ad
# This type is a general type for "world"-readable files.
Chris PeBenito ab58ad
allow $1_t readable_t:dir r_dir_perms;
Chris PeBenito ab58ad
allow $1_t readable_t:notdevfile_class_set r_file_perms;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Stat lost+found.
Chris PeBenito ab58ad
allow $1_t lost_found_t:dir getattr;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Read /var, /var/spool, /var/run.
Chris PeBenito ab58ad
r_dir_file($1_t, var_t)
Chris PeBenito ab58ad
# what about pipes and sockets under /var/spool?
Chris PeBenito ab58ad
r_dir_file($1_t, var_spool_t)
Chris PeBenito ab58ad
r_dir_file($1_t, var_run_t)
Chris PeBenito ab58ad
allow $1_t var_lib_t:dir r_dir_perms;
Chris PeBenito ab58ad
allow $1_t var_lib_t:file { getattr read };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# for running depmod as part of the kernel packaging process
Chris PeBenito ab58ad
allow $1_t modules_conf_t:file { getattr read };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Read man directories and files.
Chris PeBenito ab58ad
r_dir_file($1_t, man_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Allow users to rw usb devices
Chris PeBenito ab58ad
if (user_rw_usb) {
Chris PeBenito ab58ad
rw_dir_create_file($1_t,usbdevfs_t)
Chris PeBenito ab58ad
} else {
Chris PeBenito ab58ad
r_dir_file($1_t,usbdevfs_t)
Chris PeBenito ab58ad
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad
r_dir_file($1_t,sysfs_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Do not audit write denials to /etc/ld.so.cache.
Chris PeBenito ab58ad
dontaudit $1_t ld_so_cache_t:file write;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# $1_t is also granted permissions specific to user domains.
Chris PeBenito ab58ad
user_domain($1)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
dontaudit $1_t sysadm_home_t:file { read append };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
ifdef(`syslogd.te', `
Chris PeBenito ab58ad
# Some programs that are left in $1_t will try to connect
Chris PeBenito ab58ad
# to syslogd, but we do not want to let them generate log messages.
Chris PeBenito ab58ad
# Do not audit.
Chris PeBenito ab58ad
dontaudit $1_t devlog_t:sock_file { read write };
Chris PeBenito ab58ad
dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Stop warnings about access to /dev/console
Chris PeBenito ab58ad
dontaudit $1_t init_t:fd use;
Chris PeBenito ab58ad
dontaudit $1_t initrc_t:fd use;
Chris PeBenito ab58ad
allow $1_t initrc_t:fifo_file write;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Rules used to associate a homedir as a mountpoint
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
allow $1_home_t self:filesystem associate;
Chris PeBenito ab58ad
allow $1_file_type $1_home_t:filesystem associate;
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
undefine(`in_user_role')
Chris PeBenito ab58ad
define(`in_user_role', `
Chris PeBenito ab58ad
role user_r types $1;
Chris PeBenito ab58ad
role staff_r types $1;
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad