policy_module(userdomain,2.2.2) gen_require(` role sysadm_r, staff_r, user_r; ifdef(`enable_mls',` role secadm_r; role auditadm_r; ') ') ######################################## # # Declarations # ifdef(`strict_policy',` ## ##

## Allow sysadm to ptrace all processes ##

##
gen_tunable(allow_ptrace,false) ## ##

## Allow users to connect to mysql ##

##
gen_tunable(allow_user_mysql_connect,false) ## ##

## Allow regular users direct mouse access ##

##
gen_tunable(user_direct_mouse,false) ## ##

## Allow users to read system messages. ##

##
gen_tunable(user_dmesg,false) ## ##

## Allow user to r/w files on filesystems ## that do not have extended attributes (FAT, CDROM, FLOPPY) ##

##
gen_tunable(user_rw_noexattrfile,false) ## ##

## Allow w to display everyone ##

##
gen_tunable(user_ttyfile_stat,false) ') # admin users terminals (tty and pty) attribute admin_terminal; # users home directory attribute home_dir_type; # users home directory contents attribute home_type; # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) attribute privhome; # all unprivileged users home directories attribute user_home_dir_type; attribute user_home_type; # all unprivileged users ptys attribute user_ptynode; # all unprivileged users tmp files attribute user_tmpfile; # all unprivileged users ttys attribute user_ttynode; # all user domains attribute userdomain; # unprivileged user domains attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; ######################################## # # Local policy # ifdef(`strict_policy',` userdom_admin_user_template(sysadm) userdom_unpriv_user_template(staff) userdom_unpriv_user_template(user) # user role change rules: # sysadm_r can change to user roles userdom_role_change_template(sysadm, user) userdom_role_change_template(sysadm, staff) # only staff_r can change to sysadm_r userdom_role_change_template(staff, sysadm) dontaudit staff_t admin_terminal:chr_file { read write }; ifdef(`enable_mls',` userdom_unpriv_user_template(secadm) userdom_unpriv_user_template(auditadm) userdom_role_change_template(staff,auditadm) userdom_role_change_template(staff,secadm) userdom_role_change_template(sysadm,secadm) userdom_role_change_template(sysadm,auditadm) userdom_role_change_template(auditadm,secadm) userdom_role_change_template(auditadm,sysadm) userdom_role_change_template(secadm,auditadm) userdom_role_change_template(secadm,sysadm) ') # this should be tunable_policy, but # currently type_change and RBAC allow # do not work in conditionals ifdef(`user_canbe_sysadm',` userdom_role_change_template(user,sysadm) ') ######################################## # # Sysadm local policy # # for su allow sysadm_t userdomain:fd use; # Add/remove user home directories allow sysadm_t user_home_dir_t:dir manage_dir_perms; files_home_filetrans(sysadm_t,user_home_dir_t,dir) corecmd_exec_shell(sysadm_t) mls_process_read_up(sysadm_t) init_exec(sysadm_t) # Following for sending reboot and wall messages userdom_use_unpriv_users_ptys(sysadm_t) userdom_use_unpriv_users_ttys(sysadm_t) ifdef(`direct_sysadm_daemon',` optional_policy(` init_run_daemon(sysadm_t,sysadm_r,admin_terminal) ') ',` ifdef(`distro_gentoo',` optional_policy(` seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal) ') ') ') ifdef(`enable_mls',` allow auditadm_t self:capability { dac_read_search dac_override }; seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) domain_kill_all_domains(auditadm_t) seutil_read_bin_policy(auditadm_t) corecmd_exec_shell(auditadm_t) logging_send_syslog_msg(auditadm_t) logging_read_generic_logs(auditadm_t) logging_manage_audit_log(auditadm_t) logging_manage_audit_config(auditadm_t) logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t }) logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) allow secadm_t self:capability { dac_read_search dac_override }; corecmd_exec_shell(secadm_t) domain_obj_id_change_exemption(secadm_t) mls_process_read_up(secadm_t) mls_file_read_up(secadm_t) mls_file_write_down(secadm_t) mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_relabel_all_files_except_shadow(secadm_t) dev_relabel_all_dev_nodes(secadm_t) auth_relabel_shadow(secadm_t) init_exec(secadm_t) logging_read_audit_log(secadm_t) logging_read_generic_logs(secadm_t) logging_read_audit_config(secadm_t) userdom_dontaudit_append_staff_home_content_files(secadm_t) userdom_dontaudit_read_sysadm_home_content_files(secadm_t) optional_policy(` aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) ') optional_policy(` netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) ') ',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal) ') tunable_policy(`allow_ptrace',` domain_ptrace_all_domains(sysadm_t) ') optional_policy(` amanda_run_recover(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` apache_run_helper(sysadm_t,sysadm_r,admin_terminal) #apache_run_all_scripts(sysadm_t,sysadm_r) #apache_domtrans_sys_script(sysadm_t) ') optional_policy(` tzdata_domtrans(sysadm_t) ') optional_policy(` raid_domtrans_mdadm(sysadm_t) ') optional_policy(` # cjp: why is this not apm_run_client apm_domtrans_client(sysadm_t) ') optional_policy(` apt_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` backup_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` bootloader_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` bind_run_ndc(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` consoletype_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` clock_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` certwatach_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` cvs_exec(sysadm_t) ') optional_policy(` consoletype_exec(sysadm_t) ifdef(`enable_mls',` consoletype_exec(auditadm_t) ') ') optional_policy(` cron_admin_template(sysadm,sysadm_t,sysadm_r) ') optional_policy(` dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal) dcc_run_client(sysadm_t,sysadm_r,admin_terminal) dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` ddcprobe_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` dmesg_exec(sysadm_t) ifdef(`enable_mls',` dmesg_exec(auditadm_t) ') ') optional_policy(` dmidecode_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` dpkg_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) ethereal_admin_template(sysadm,sysadm_t,sysadm_r) ') optional_policy(` firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) ') optional_policy(` fstools_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` hostname_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` # allow system administrator to use the ipsec script to look # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) ') optional_policy(` iptables_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` lvm_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` logrotate_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal) lpr_admin_template(sysadm,sysadm_t,sysadm_r) ') optional_policy(` kudzu_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal) modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal) modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` mount_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` mta_admin_template(sysadm,sysadm_t,sysadm_r) ') optional_policy(` mysql_stream_connect(sysadm_t) ') optional_policy(` netutils_run(sysadm_t,sysadm_r,admin_terminal) netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` rpc_domtrans_nfsd(sysadm_t) ') optional_policy(` munin_stream_connect(sysadm_t) ') optional_policy(` ntp_stub() corenet_udp_bind_ntp_port(sysadm_t) ') optional_policy(` oav_run_update(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` portage_run(sysadm_t,sysadm_r,admin_terminal) portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` portmap_run_helper(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` quota_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` rpm_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` rsync_exec(sysadm_t) ') optional_policy(` samba_run_net(sysadm_t,sysadm_r,admin_terminal) samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) ifdef(`enable_mls',` userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) ', ` userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) ') ') optional_policy(` sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal) tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal) tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal) tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` usbmodules_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal) usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` vpn_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` webalizer_run(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` yam_run(sysadm_t,sysadm_r,admin_terminal) ') ') ifdef(`targeted_policy',` # Define some type aliases to help with compatibility with # strict policy. unconfined_alias_domain(secadm_t) unconfined_alias_domain(auditadm_t) unconfined_alias_domain(sysadm_t) # User home directory type. type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type; files_type(user_home_t) files_associate_tmp(user_home_t) fs_associate_tmpfs(user_home_t) type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type; files_type(user_home_dir_t) files_associate_tmp(user_home_dir_t) fs_associate_tmpfs(user_home_dir_t) # compatibility for switching from strict # dominance { role secadm_r { role system_r; }} # dominance { role auditadm_r { role system_r; }} # dominance { role sysadm_r { role system_r; }} # dominance { role user_r { role system_r; }} # dominance { role staff_r { role system_r; }} # dont need to use the full role_change() allow sysadm_r system_r; allow sysadm_r user_r; allow user_r system_r; allow user_r sysadm_r; allow system_r sysadm_r; allow system_r sysadm_r; manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) files_search_home(privhome) ifdef(`enable_mls',` allow secadm_r system_r; allow auditadm_r system_r; allow secadm_r user_r; allow staff_r secadm_r; allow staff_r auditadm_r; ') optional_policy(` samba_per_role_template(user) ') ')