##
@@ -953,19 +883,127 @@ template(`userdom_common_user_template',`
##
##
#
-template(`userdom_unpriv_user_template', `
+template(`userdom_login_user_template', `
+ userdom_base_user_template($1)
- gen_require(`
- attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
- ')
+ userdom_manage_home_template($1)
+ userdom_poly_home_template($1)
+ userdom_poly_tmp_template($1)
+
+ userdom_manage_tmp_template($1)
+ userdom_manage_tmpfs_template($1)
+
+ userdom_exec_tmp_template($1)
+ userdom_exec_home_template($1)
+
+ userdom_change_password_template($1)
##############################
#
- # Declarations
+ # User domain Local policy
#
- # Inherit rules for ordinary users.
- userdom_common_user_template($1)
+ allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
+
+ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ dontaudit $1_t self:process setrlimit;
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+ allow $1_t self:context contains;
+
+ kernel_dontaudit_read_system_state($1_t)
+
+ dev_read_sysfs($1_t)
+ dev_read_urand($1_t)
+
+ domain_use_interactive_fds($1_t)
+ # Command completion can fire hundreds of denials
+ domain_dontaudit_exec_all_entry_files($1_t)
+
+ files_dontaudit_list_default($1_t)
+ files_dontaudit_read_default_files($1_t)
+ # Stat lost+found.
+ files_getattr_lost_found_dirs($1_t)
+
+ fs_get_all_fs_quotas($1_t)
+ fs_getattr_all_fs($1_t)
+ fs_getattr_all_dirs($1_t)
+ fs_search_auto_mountpoints($1_t)
+ fs_list_inotifyfs($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+
+ auth_dontaudit_write_login_records($1_t)
+
+ application_exec_all($1_t)
+
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_t)
+ # Stop warnings about access to /dev/console
+ init_dontaudit_use_fds($1_t)
+ init_dontaudit_use_script_fds($1_t)
+
+ libs_exec_lib_files($1_t)
+
+ logging_dontaudit_getattr_all_logs($1_t)
+
+ miscfiles_read_man_pages($1_t)
+ # for running TeX programs
+ miscfiles_read_tetex_data($1_t)
+ miscfiles_exec_tetex_data($1_t)
+
+ seutil_read_config($1_t)
+
+ optional_policy(`
+ cups_read_config($1_t)
+ cups_stream_connect($1_t)
+ cups_stream_connect_ptal($1_t)
+ ')
+
+ optional_policy(`
+ kerberos_use($1_t)
+ ')
+
+ optional_policy(`
+ mta_dontaudit_read_spool_symlinks($1_t)
+ ')
+
+ optional_policy(`
+ quota_dontaudit_getattr_db($1_t)
+ ')
+
+ optional_policy(`
+ rpm_read_db($1_t)
+ rpm_dontaudit_manage_db($1_t)
+ ')
+')
+
+#######################################
+##
+## The template for creating a unprivileged login user.
+##
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`userdom_restricted_user_template',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
+ ')
+
+ userdom_login_user_template($1)
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
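Review bot: The doc block sitting directly above the renamed `template(`userdom_login_user_template', `` (its closing `##`/`#` lines are the context at the top of this hunk) is not touched by the change; it previously described userdom_unpriv_user_template, which now receives a fresh doc block later in the file, so the untouched text is probably stale and should describe this template as the common rule set for every login user domain, inherited by the restricted, unpriv and admin templates. `allow $1_t self:capability { setgid chown fowner };` also needs a why-comment, since these DAC-override capabilities are granted to every login domain including the restricted ones, e.g. `# presumably needed by setuid helpers that remain in $1_t -- TODO confirm and narrow`. Note too that `allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };` grants by complement, so any process permission added to the class in a future kernel or policy is silently granted to all login users; an explicit positive list would be safer where the policy style permits it.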
@@ -976,9 +1014,6 @@ template(`userdom_unpriv_user_template', `
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
- userdom_poly_home_template($1)
- userdom_poly_tmp_template($1)
-
##############################
#
# Local policy
@@ -992,7 +1027,126 @@ template(`userdom_unpriv_user_template', `
manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
- corecmd_exec_all_executables($1_t)
+ optional_policy(`
+ loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ ')
+')
+
+#######################################
+##
+## The template for creating a unprivileged xwindows login user.
+##
+##
+##
+## The template for creating a unprivileged xwindows login user.
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`userdom_restricted_xwindows_user_template',`
+
+ userdom_restricted_user_template($1)
+
+ userdom_xwindows_client_template($1)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ authlogin_per_role_template($1, $1_t, $1_r)
+ auth_search_pam_console_data($1_t)
+
+ dev_read_sound($1_t)
+ dev_write_sound($1_t)
+ # gnome keyring wants to read this.
+ dev_dontaudit_read_rand($1_t)
+
+ logging_send_syslog_msg($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
+
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+ logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
+
+ optional_policy(`
+ alsa_read_rw_config($1_t)
+ ')
+
+ optional_policy(`
+ dbus_per_role_template($1, $1_t, $1_r)
+ dbus_system_bus_client_template($1, $1_t)
+
+ optional_policy(`
+ consolekit_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat($1_t)
+ ')
+ ')
+
+ optional_policy(`
+ java_per_role_template($1, $1_t, $1_r)
+ ')
+
+ optional_policy(`
+ mono_per_role_template($1, $1_t, $1_r)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dontaudit_stream_connect($1_t)
+ ')
+')
+
+#######################################
+##
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+##
+##
+##
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`userdom_unpriv_user_template', `
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Inherit rules for ordinary users.
+ userdom_restricted_user_template($1)
+ userdom_common_user_template($1)
+
+ ##############################
+ #
+ # Local policy
+ #
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
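Review bot: In userdom_restricted_xwindows_user_template, `logging_dontaudit_send_audit_msgs($1_t)` is immediately followed by `logging_send_audit_msgs($1_t)`, so the dontaudit is dead and the allow gives every restricted X login domain audit_write, which is a notable grant for a domain named restricted because processes in it can then write user-space audit records into the audit log. The accompanying comment already concedes the rule belongs in a screensaver domain; until that move happens, drop the redundant dontaudit and sharpen the comment, e.g. `# TODO: audit_write is only here so the screensaver can log; move it to a screensaver domain so restricted users cannot write audit records` (which also fixes the "Need to to this" typo). The body of userdom_unpriv_user_template that begins at the end of this hunk continues past it.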
@@ -1032,14 +1186,6 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
- kerberos_use($1_t)
- ')
-
- optional_policy(`
- loadkeys_run($1_t,$1_r,$1_tty_device_t)
- ')
-
- optional_policy(`
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
@@ -1052,18 +1198,6 @@ template(`userdom_unpriv_user_template', `
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
-
- ifdef(`TODO',`
- ifdef(`xdm.te', `
- # this should cause the .xsession-errors file to be written to /tmp
- dontaudit xdm_t $1_home_t:file rw_file_perms;
- ')
-
- # Do not audit write denials to /etc/ld.so.cache.
- dontaudit $1_t ld_so_cache_t:file write;
-
- dontaudit $1_t sysadm_home_t:file { read append };
- ') dnl end TODO
')
#######################################
@@ -1107,6 +1241,7 @@ template(`userdom_admin_user_template',`
#
# Inherit rules for ordinary users.
+ userdom_login_user_template($1)
userdom_common_user_template($1)
typeattribute $1_t privhome;
@@ -1126,7 +1261,7 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
- allow $1_t self:capability ~sys_module;
+ allow $1_t self:capability ~{ sys_module audit_control audit_write };
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
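Review bot: The new complement `allow $1_t self:capability ~{ sys_module audit_control audit_write };` withholds two additional capabilities from the admin domain without saying why, so a reader investigating an audit-configuration denial in $1_t cannot tell whether it is intended. Add a why-comment above the line, e.g. `# audit_control/audit_write are withheld so the admin domain can neither reconfigure auditing nor write its own audit records; presumably a dedicated audit role holds them -- confirm`. The enclosing template body starts and ends outside this hunk.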
@@ -3077,7 +3212,7 @@ template(`userdom_user_tmp_filetrans',`
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
- type $1_home_dir_t;
+ type $1_tmp_t;
')
files_tmp_filetrans($2,$1_tmp_t,$3)
@@ -5322,7 +5457,7 @@ interface(`userdom_read_unpriv_users_tmp_files',`
attribute user_tmpfile;
')
- allow $1 user_tmpfile:file { read getattr };
+ allow $1 user_tmpfile:file read_file_perms;
')
########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index d3d4c3a..87ba51f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.4.1)
+policy_module(userdomain,2.4.2)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -136,13 +136,6 @@ ifdef(`enable_mls',`
userdom_role_change_template(secadm, sysadm)
')
-# this should be tunable_policy, but
-# currently type_change and RBAC allow
-# do not work in conditionals
-ifdef(`user_canbe_sysadm',`
- userdom_role_change_template(user, sysadm)
-')
-
########################################
#
# Sysadm local policy