Blob Blame History Raw
## <summary>Generic unprivileged user role</summary>

########################################
## <summary>
##	Change to the generic user role.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <rolecap/>
#
template(`unprivuser_role_change_template',`
	userdom_role_change_template($1, user)
')

########################################
## <summary>
##	Change from the generic user role.
## </summary>
## <desc>
##	<p>
##	Change from the generic user role to
##	the specified role.
##	</p>
##	<p>
##	This is a template to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <rolecap/>
#
template(`unprivuser_role_change_to_template',`
	userdom_role_change_template(user, $1)
')

########################################
## <summary>
##	Create generic user home directories
##	with automatic file type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_home_filetrans_home_dir',`
	gen_require(`
		type user_home_dir_t;
	')

	files_home_filetrans($1,user_home_dir_t,dir)
')

########################################
## <summary>
##	Search generic user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_search_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir search_dir_perms;
')

########################################
## <summary>
##	Create objects in generic user home directories
##	with automatic file type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	If not specified, file is used.
##	</summary>
## </param>
#
interface(`unprivuser_home_dir_filetrans_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
')

########################################
## <summary>
##	Don't audit search on the user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_dontaudit_search_home_dirs',`
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete generic user
##	home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_manage_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	subdirectories of generic user
##	home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_manage_home_content_dirs',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')

########################################
## <summary>
##	Relabel to generic user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_relabelto_home_dirs',`
	gen_require(`
		type user_home_dir_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir relabelto;
')

########################################
## <summary>
##	Read files in generic user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_read_home_content_files',`
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	files_search_home($1)
	allow $1 user_home_t:dir list_dir_perms;
	read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')

########################################
## <summary>
##	Mmap of generic user
##	home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_mmap_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_t:file execute;
')

########################################
## <summary>
##	Create, read, write, and delete files
##	in generic user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_manage_home_content_files',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')

########################################
## <summary>
##	Do not audit attempts to relabel generic user
##	home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_dontaudit_relabel_home_content_files',`
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:file { relabelto relabelfrom };
')

########################################
## <summary>
##	Create, read, write, and delete symbolic
##	links in generic user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_manage_home_content_symlinks',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')

########################################
## <summary>
##	Create, read, write, and delete named
##	pipes in generic user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_manage_home_content_pipes',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')

########################################
## <summary>
##	Create, read, write, and delete named
##	sockets in generic user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_manage_home_content_sockets',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')