## <summary>Generic unprivileged user role</summary>
########################################
## <summary>
## Change to the generic user role.
## </summary>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <rolecap/>
#
template(`unprivuser_role_change_template',`
userdom_role_change_template($1, user)
')
########################################
## <summary>
## Change from the generic user role.
## </summary>
## <desc>
## <p>
## Change from the generic user role to
## the specified role.
## </p>
## <p>
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <rolecap/>
#
template(`unprivuser_role_change_to_template',`
userdom_role_change_template(user, $1)
')
########################################
## <summary>
## Create generic user home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_home_filetrans_home_dir',`
gen_require(`
type user_home_dir_t;
')
files_home_filetrans($1,user_home_dir_t,dir)
')
########################################
## <summary>
## Search generic user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_search_home_dirs',`
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir search_dir_perms;
')
########################################
## <summary>
## Create objects in generic user home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## If not specified, file is used.
## </summary>
## </param>
#
interface(`unprivuser_home_dir_filetrans_home_content',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_search_home($1)
filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
')
########################################
## <summary>
## Don't audit search on the user home subdirectory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_dontaudit_search_home_dirs',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:dir search_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete generic user
## home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_manage_home_dirs',`
gen_require(`
type user_home_dir_t;
')
files_search_home($1)
allow $1 user_home_dir_t:dir manage_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## subdirectories of generic user
## home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_manage_home_content_dirs',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_search_home($1)
manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
## <summary>
## Relabel to generic user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_relabelto_home_dirs',`
gen_require(`
type user_home_dir_t;
')
files_search_home($1)
allow $1 user_home_dir_t:dir relabelto;
')
########################################
## <summary>
## Read files in generic user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_read_home_content_files',`
gen_require(`
type user_home_t, user_home_dir_t;
')
files_search_home($1)
allow $1 user_home_t:dir list_dir_perms;
read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
## <summary>
## Mmap of generic user
## home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_mmap_home_content_files',`
gen_require(`
type user_home_t;
')
files_search_home($1)
allow $1 user_home_t:file execute;
')
########################################
## <summary>
## Create, read, write, and delete files
## in generic user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_manage_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_search_home($1)
manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
## <summary>
## Do not audit attempts to relabel generic user
## home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_dontaudit_relabel_home_content_files',`
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file { relabelto relabelfrom };
')
########################################
## <summary>
## Create, read, write, and delete symbolic
## links in generic user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_manage_home_content_symlinks',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_search_home($1)
manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
## <summary>
## Create, read, write, and delete named
## pipes in generic user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_manage_home_content_pipes',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_search_home($1)
manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
## <summary>
## Create, read, write, and delete named
## sockets in generic user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_manage_home_content_sockets',`
gen_require(`
type user_home_dir_t, user_home_t;
')
files_search_home($1)
manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')