diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 23b4e59..7ee01bc 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -1,16 +1,95 @@
+##
+## Allow execution of anonymous mappings, e.g. executable stack.
+##
+gen_tunable(allow_execmem,false)
+
+##
+## Support Share libraries with text relocations
+##
+gen_tunable(allow_execmod,false)
+
+##
+## Allow system to run with kerberos
+##
+gen_tunable(allow_kerberos,false)
+
+##
+## Allow system to run with NIS
+##
+gen_tunable(allow_ypbind,false)
+
+##
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+##
+gen_tunable(cron_can_relabel,false)
+
 ##
 ## Enable extra rules in the cron domain
 ## to support fcron.
 ##
 gen_tunable(fcron_crond,false)
+##
+## Allow reading of default_t files.
+##
+gen_tunable(read_default_t,false)
+
+##
+## Allow staff_r users to search the sysadm home
+## dir and read files (such as ~/.bashrc)
+##
+gen_tunable(staff_read_sysadm_file,false)
+
 ##
 ## Allow the use of DNS for name resolution.
 ##
 gen_tunable(use_dns,false)
-##
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
+##
+## Support NFS home directories
 ##
-gen_tunable(cron_can_relabel,false)
+gen_tunable(use_nfs_home_dirs,false)
+
+##
+## Support SAMBA home directories
+##
+gen_tunable(use_samba_home_dirs,false)
+
+##
+## Allow regular users direct mouse access
+##
+gen_tunable(user_direct_mouse,false)
+
+##
+## Allow users to read system messages.
+##
+gen_tunable(user_dmesg,false)
+
+##
+## Allow users to control network interfaces
+## (also needs USERCTL=true)
+##
+gen_tunable(user_net_control,false)
+
+##
+## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
+##
+gen_tunable(user_rw_noexattrfile,false)
+
+##
+## Allow users to rw usb devices
+##
+gen_tunable(user_rw_usb,false)
+
+##
+## Allow users to run TCP servers (bind to ports and accept connection from
+## the same domain and outside users) disabling this forces FTP passive mode
+## and may change other protocols.
+##
+gen_tunable(user_tcp_server,false)
+
+##
+## Allow w to display everyone
+##
+gen_tunable(user_ttyfile_stat,false)
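Review bot: The `allow_execmod` description `## Support Share libraries with text relocations` is ungrammatical and does not say what the tunable relaxes, which matters because this text is what an administrator reads before switching off a memory-protection check; suggest `## Allow loading of shared libraries that require text relocations (relaxes the execmod check).` The `allow_execmem` entry would likewise benefit from stating that it permits anonymous writable-and-executable mappings in general, not only an executable stack. Separately, the `user_rw_noexattrfile` entry spells the concept `noextattrfile` in its description while the tunable name uses `noexattrfile`; one spelling should be used, and since the tunable name is presumably referenced by policy elsewhere, correcting the description is the safer fix.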
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 90253f6..5582b7a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -174,36 +174,36 @@ define(`base_user_domain',`
 mta_rw_spool($1_t)
- if (allow_execmem) {
+ tunable_policy(`allow_execmem',`
 # Allow loading DSOs that require executable stack.
 allow $1_t self:process execmem;
- }
+ ')
- if (use_nfs_home_dirs) {
+ tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs($1_t)
 fs_manage_nfs_files($1_t)
 fs_manage_nfs_symlinks($1_t)
 fs_manage_nfs_named_sockets($1_t)
 fs_manage_nfs_named_pipes($1_t)
 fs_execute_nfs_files($1_t)
- }
+ ')
- if (use_samba_home_dirs) {
+ tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_dirs($1_t)
 fs_manage_cifs_files($1_t)
 fs_manage_cifs_symlinks($1_t)
 fs_manage_cifs_named_sockets($1_t)
 fs_manage_cifs_named_pipes($1_t)
 fs_execute_cifs_files($1_t)
- }
+ ')
- if (user_direct_mouse) {
+ tunable_policy(`user_direct_mouse',`
 dev_read_mouse($1_t)
- }
+ ')
- if (user_ttyfile_stat) {
+ tunable_policy(`user_ttyfile_stat',`
 term_getattr_all_user_ttys($1_t)
- }
+ ')
 optional_policy(`usermanage.te',`
 usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -478,18 +478,18 @@ define(`user_domain_template', `
 # so it can be used without privilege to write real binary policy file
 selinux_exec_checkpol($1_t)
- if (user_dmesg) {
+ tunable_policy(`user_dmesg',`
 kernel_read_ring_buffer($1_t)
- } else {
+ ',`
 kernel_dontaudit_read_ring_buffer($1_t)
- }
+ ')
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users) disabling this forces FTP passive mode
 # and may change other protocols
- if (user_tcp_server) {
+ tunable_policy(`user_tcp_server',`
 corenet_tcp_bind_generic_port($1_t)
- }
+ ')
 # for running depmod as part of the kernel packaging process
 optional_policy(`modutils.te',`
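Review bot: The `# Allow loading DSOs that require executable stack.` comment is now inside the quoted body of `tunable_policy(`allow_execmem',`…')`, and as far as I can tell m4 treats that body as a quoted string, so an apostrophe in any comment placed there would close the quote early and break the expansion; this comment is safe, but the same constraint now applies to every block converted here and in the second hunk (`user_dmesg`, `user_tcp_server`). A one-line reminder near the first converted block, e.g. `# comments inside tunable_policy bodies are m4-quoted text: no apostrophes`, would make that constraint visible to the next editor. The enclosing `define(`base_user_domain',`…')` and `define(`user_domain_template', `…')` both start and end outside their hunks.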
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 003cb57..751d6e9 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -26,54 +26,6 @@ attribute userdomain;
 # unprivileged user domains
 attribute unpriv_userdomain;
-# Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
-
-# Support Share libraries with Text Relocation
-bool allow_execmod false;
-
-# Allow system to run with kerberos
-bool allow_kerberos false;
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow reading of default_t files.
-bool read_default_t false;
-
-# Allow staff_r users to search the sysadm home dir and read
-# files (such as ~/.bashrc)
-bool staff_read_sysadm_file false;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-# Allow regular users direct mouse access
-bool user_direct_mouse false;
-
-# Allow users to read system messages.
-bool user_dmesg false;
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-bool user_net_control false;
-
-# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
-bool user_rw_noexattrfile false;
-
-# Allow users to rw usb devices
-bool user_rw_usb false;
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-bool user_tcp_server false;
-
-# Allow w to display everyone
-bool user_ttyfile_stat false;
-
 admin_domain_template(sysadm)
 user_domain_template(staff)
 user_domain_template(user)