Blob Blame History Raw
# Copyright (C) 2005 Tresys Technology, LLC

policy_module(userdomain,1.0)

########################################
#
# Declarations
#

# admin users terminals (tty and pty)
attribute admin_terminal;

# users home directory
attribute home_dir_type;

# users home directory contents
attribute home_type;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

# Allow execution of anonymous mappings, e.g. executable stack.
bool allow_execmem false;

# Support Share libraries with Text Relocation
bool allow_execmod false;

# Allow system to run with kerberos
bool allow_kerberos false;

# Allow system to run with NIS
bool allow_ypbind false;

# Allow reading of default_t files.
bool read_default_t false;

# Allow staff_r users to search the sysadm home dir and read
# files (such as ~/.bashrc)
bool staff_read_sysadm_file false;

# Support NFS home directories
bool use_nfs_home_dirs false;

# Support SAMBA home directories
bool use_samba_home_dirs false;

# Allow regular users direct mouse access 
bool user_direct_mouse false;

# Allow users to read system messages.
bool user_dmesg false;

# Allow users to control network interfaces (also needs USERCTL=true)
bool user_net_control false;

# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
bool user_rw_noexattrfile false;

# Allow users to rw usb devices
bool user_rw_usb false;

# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users)  disabling this forces FTP passive mode
# and may change other protocols 
bool user_tcp_server false;

# Allow w to display everyone
bool user_ttyfile_stat false;

user_domain_template(staff)
user_domain_template(user)

########################################
#
# Local policy
#

#allow privhome home_root_t:dir { getattr search };

# Add/remove user home directories
#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)

########################################
#
# Sysadm local policy
#

admin_domain_template(sysadm)

# for su
allow sysadm_t userdomain:fd use;

optional_policy(`iptables.te',`
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')

optional_policy(`lvm.te',`
lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')

optional_policy(`modutils.te',`
modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')

optional_policy(`mount.te',`
mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')

optional_policy(`selinux.te',`
selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
optional_policy(`targeted_policy',`',`
selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
')

optional_policy(`sysnetwork.te',`
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')

optional_policy(`clock.te',`
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')