Navigation

← Previous Changeset
Next Changeset →

Changeset 2714

Timestamp:

06/11/08 09:25:35 (4 months ago)

Author:

cpebenito

Message:

rbacsep: initial collapse of user home, tmp, and tmpfs.

Files:

branches/rbacsep/policy/modules/system/userdomain.if (modified) (15 diffs)
branches/rbacsep/policy/modules/system/userdomain.te (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/rbacsep/policy/modules/system/userdomain.if

r2705	r2714
123	123	#######################################
124	124	## <summary>
125		## ~~The template for creating a home directory~~
126		## ~~that the user~~ has read-only access.
127		## </summary>
128		## <desc>
129		## <p>
130		## ~~The template for creating a home directory~~
131		## ~~that the user~~ has read-only access.
	125	## Allow a home directory for which the
	126	## role has read-only access.
	127	## </summary>
	128	## <desc>
	129	## <p>
	130	## Allow a home directory for which the
	131	## role has read-only access.
132	132	## </p>
133	133	## <p>
…	…
135	135	## </p>
136	136	## </desc>
137		## <param name="userdomain_prefix">
138		## <summary>
139		## The prefix of the user domain (e.g., user
140		## is the prefix for user_t).
	137	## <param name="role">
	138	## <summary>
	139	## The user role
	140	## </summary>
	141	## </param>
	142	## <param name="userdomain">
	143	## <summary>
	144	## The user domain
141	145	## </summary>
142	146	## </param>
143	147	## <rolebase/>
144	148	#
145		template(`userdom_ro_home_template',`
146		gen_require(`
147		attribute home_type, home_dir_type, $1_file_type;
148		')
149
150		# type for contents of home directory
151		type $1_home_t, $1_file_type, home_type;
152		files_type($1_home_t)
153		files_associate_tmp($1_home_t)
154		fs_associate_tmpfs($1_home_t)
155		files_mountpoint($1_home_t)
156
157		# type of home directory
158		type $1_home_dir_t, home_dir_type, home_type;
159		files_type($1_home_dir_t)
160		files_mountpoint($1_home_dir_t)
161		files_associate_tmp($1_home_dir_t)
162		fs_associate_tmpfs($1_home_dir_t)
163		files_poly_member($1_home_dir_t)
164
165		##############################
166		#
167		# User home directory file rules
168		#
169
170		allow $1_file_type $1_home_t:filesystem associate;
171
172		# Rules used to associate a homedir as a mountpoint
173		allow $1_home_t self:filesystem associate;
	149	interface(`userdom_ro_home_role',`
	150	gen_require(`
	151	type user_home_t, user_home_dir_t;
	152	')
	153
	154	role $1 types { user_home_t user_home_dir_t };
174	155
175	156	##############################
…	…
178	159	#
179	160
	161	type_member $2 user_home_dir_t:dir user_home_dir_t;
	162
180	163	# read-only home directory
181		allow $~~1_t $1~~_home_dir_t:dir list_dir_perms;
182		allow $~~1_t $1~~_home_t:dir list_dir_perms;
183		allow $~~1_t $1~~_home_t:file entrypoint;
184		read_files_pattern($~~1_t,{ $1_home_t $1_home_dir_t },$1~~_home_t)
185		read_lnk_files_pattern($~~1_t,{ $1_home_t $1_home_dir_t },$1~~_home_t)
186		read_fifo_files_pattern($~~1_t,{ $1_home_t $1_home_dir_t },$1~~_home_t)
187		read_sock_files_pattern($~~1_t,{ $1_home_t $1_home_dir_t },$1~~_home_t)
188		files_list_home($~~1_t~~)
	164	allow $2 user_home_dir_t:dir list_dir_perms;
	165	allow $2 user_home_t:dir list_dir_perms;
	166	allow $2 user_home_t:file entrypoint;
	167	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	168	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	169	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	170	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	171	files_list_home($2)
189	172
190	173	tunable_policy(`use_nfs_home_dirs',`
191		fs_list_nfs($~~1_t~~)
192		fs_read_nfs_files($~~1_t~~)
193		fs_read_nfs_symlinks($~~1_t~~)
194		fs_read_nfs_named_sockets($~~1_t~~)
195		fs_read_nfs_named_pipes($~~1_t~~)
	174	fs_list_nfs($2)
	175	fs_read_nfs_files($2)
	176	fs_read_nfs_symlinks($2)
	177	fs_read_nfs_named_sockets($2)
	178	fs_read_nfs_named_pipes($2)
196	179	',`
197		fs_dontaudit_list_nfs($~~1_t~~)
198		fs_dontaudit_read_nfs_files($~~1_t~~)
	180	fs_dontaudit_list_nfs($2)
	181	fs_dontaudit_read_nfs_files($2)
199	182	')
200	183
201	184	tunable_policy(`use_samba_home_dirs',`
202		fs_list_cifs($~~1_t~~)
203		fs_read_cifs_files($~~1_t~~)
204		fs_read_cifs_symlinks($~~1_t~~)
205		fs_read_cifs_named_sockets($~~1_t~~)
206		fs_read_cifs_named_pipes($~~1_t~~)
	185	fs_list_cifs($2)
	186	fs_read_cifs_files($2)
	187	fs_read_cifs_symlinks($2)
	188	fs_read_cifs_named_sockets($2)
	189	fs_read_cifs_named_pipes($2)
207	190	',`
208		fs_dontaudit_list_cifs($~~1_t~~)
209		fs_dontaudit_read_cifs_files($~~1_t~~)
	191	fs_dontaudit_list_cifs($2)
	192	fs_dontaudit_read_cifs_files($2)
210	193	')
211	194	')
…	…
213	196	#######################################
214	197	## <summary>
215		## ~~The template for creating a home directory~~
216		## ~~that the user~~ has full access.
217		## </summary>
218		## <desc>
219		## <p>
220		## ~~The template for creating a home directory~~
221		## ~~that the user~~ has full access.
	198	## Allow a home directory for which the
	199	## role has full access.
	200	## </summary>
	201	## <desc>
	202	## <p>
	203	## Allow a home directory for which the
	204	## role has full access.
222	205	## </p>
223	206	## <p>
…	…
225	208	## </p>
226	209	## </desc>
227		## <param name="userdomain_prefix">
228		## <summary>
229		## The prefix of the user domain (e.g., user
230		## is the prefix for user_t).
	210	## <param name="role">
	211	## <summary>
	212	## The user role
	213	## </summary>
	214	## </param>
	215	## <param name="userdomain">
	216	## <summary>
	217	## The user domain
231	218	## </summary>
232	219	## </param>
233	220	## <rolebase/>
234	221	#
235		template(`userdom_manage_home_template',`
236		gen_require(`
237		attribute home_type, home_dir_type, $1_file_type;
238		')
239
240		# type for contents of home directory
241		type $1_home_t, $1_file_type, home_type;
242		files_type($1_home_t)
243		files_associate_tmp($1_home_t)
244		fs_associate_tmpfs($1_home_t)
245
246		# type of home directory
247		type $1_home_dir_t, home_dir_type, home_type;
248		files_type($1_home_dir_t)
249		files_associate_tmp($1_home_dir_t)
250		fs_associate_tmpfs($1_home_dir_t)
251
252		##############################
253		#
254		# User home directory file rules
255		#
256
257		allow $1_file_type $1_home_t:filesystem associate;
258
259		# Rules used to associate a homedir as a mountpoint
260		allow $1_home_t self:filesystem associate;
	222	interface(`userdom_manage_home_role',`
	223	gen_require(`
	224	type user_home_t, user_home_dir_t;
	225	')
	226
	227	role $1 types { user_home_t user_home_dir_t };
261	228
262	229	##############################
…	…
265	232	#
266	233
	234	type_member $2 user_home_dir_t:dir user_home_dir_t;
	235	# role_member?
	236
267	237	# full control of the home directory
268		allow $~~1_t $1~~_home_t:file entrypoint;
269		manage_dirs_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
270		manage_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
271		manage_lnk_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
272		manage_sock_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
273		manage_fifo_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
274		relabel_dirs_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
275		relabel_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
276		relabel_lnk_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
277		relabel_sock_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
278		relabel_fifo_files_pattern($~~1_t,{ $1_home_dir_t $1_home_t },$1~~_home_t)
279		filetrans_pattern($~~1_t,$1_home_dir_t,$1_home_t,~~{ dir file lnk_file sock_file fifo_file })
280		files_list_home($~~1_t~~)
	238	allow $2 user_home_t:file entrypoint;
	239	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	240	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	241	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	242	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	243	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	244	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	245	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	246	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	247	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	248	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	249	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
	250	files_list_home($2)
281	251
282	252	# cjp: this should probably be removed:
283		allow $~~1_t $1~~_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
	253	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
284	254
285	255	tunable_policy(`use_nfs_home_dirs',`
286		fs_manage_nfs_dirs($~~1_t~~)
287		fs_manage_nfs_files($~~1_t~~)
288		fs_manage_nfs_symlinks($~~1_t~~)
289		fs_manage_nfs_named_sockets($~~1_t~~)
290		fs_manage_nfs_named_pipes($~~1_t~~)
	256	fs_manage_nfs_dirs($2)
	257	fs_manage_nfs_files($2)
	258	fs_manage_nfs_symlinks($2)
	259	fs_manage_nfs_named_sockets($2)
	260	fs_manage_nfs_named_pipes($2)
291	261	',`
292		fs_dontaudit_manage_nfs_dirs($~~1_t~~)
293		fs_dontaudit_manage_nfs_files($~~1_t~~)
	262	fs_dontaudit_manage_nfs_dirs($2)
	263	fs_dontaudit_manage_nfs_files($2)
294	264	')
295	265
296	266	tunable_policy(`use_samba_home_dirs',`
297		fs_manage_cifs_dirs($~~1_t~~)
298		fs_manage_cifs_files($~~1_t~~)
299		fs_manage_cifs_symlinks($~~1_t~~)
300		fs_manage_cifs_named_sockets($~~1_t~~)
301		fs_manage_cifs_named_pipes($~~1_t~~)
	267	fs_manage_cifs_dirs($2)
	268	fs_manage_cifs_files($2)
	269	fs_manage_cifs_symlinks($2)
	270	fs_manage_cifs_named_sockets($2)
	271	fs_manage_cifs_named_pipes($2)
302	272	',`
303		fs_dontaudit_manage_cifs_dirs($~~1_t~~)
304		fs_dontaudit_manage_cifs_files($~~1_t~~)
	273	fs_dontaudit_manage_cifs_dirs($2)
	274	fs_dontaudit_manage_cifs_files($2)
305	275	')
306	276	')
…	…
308	278	#######################################
309	279	## <summary>
310		## The template for allowing the user
311		## to execute files in their home directory.
312		## </summary>
313		## <param name="userdomain_prefix">
314		## <summary>
315		## The prefix of the user domain (e.g., user
316		## is the prefix for user_t).
	280	## Manage user temporary files
	281	## </summary>
	282	## <param name="role">
	283	## <summary>
	284	## Role allowed access.
	285	## </summary>
	286	## </param>
	287	## <param name="domain">
	288	## <summary>
	289	## Domain allowed access.
317	290	## </summary>
318	291	## </param>
319	292	## <rolebase/>
320	293	#
321		template(`userdom_exec_home_template',`
322		can_exec($1_t,$1_home_t)
323
324		tunable_policy(`use_nfs_home_dirs',`
325		fs_exec_nfs_files($1_t)
326		')
327
328		tunable_policy(`use_samba_home_dirs',`
329		fs_exec_cifs_files($1_t)
330		')
	294	interface(`userdom_manage_tmp_role',`
	295	gen_require(`
	296	type user_tmp_t;
	297	')
	298
	299	role $1 types user_tmp_t;
	300
	301	files_poly_member_tmp($2, user_tmp_t)
	302
	303	manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
	304	manage_files_pattern($2, user_tmp_t, user_tmp_t)
	305	manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
	306	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
	307	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
	308	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
	309	# role transition
331	310	')
332	311
333	312	#######################################
334	313	## <summary>
335		## The template for polyinstantiating
336		## a user home directory.
337		## </summary>
338		## <param name="userdomain_prefix">
339		## <summary>
340		## The prefix of the user domain (e.g., user
341		## is the prefix for user_t).
	314	## The execute access user temporary files.
	315	## </summary>
	316	## <param name="domain">
	317	## <summary>
	318	## Domain allowed access.
342	319	## </summary>
343	320	## </param>
344	321	## <rolebase/>
345	322	#
346		template(`userdom_poly_home_template',`
347		type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
348		files_poly($1_home_dir_t)
349		files_poly_parent($1_home_dir_t)
350		files_poly_parent($1_home_t)
351		files_poly_member($1_home_t)
	323	interface(`userdom_exec_user_tmp_files',`
	324	gen_require(`
	325	type user_tmp_t;
	326	')
	327
	328	exec_files_pattern($1, user_tmp_t, user_tmp_t)
	329	files_search_tmp($1)
352	330	')
353	331
354	332	#######################################
355	333	## <summary>
356		## The template for full access to the temporary directories.
357		## </summary>
358		## <desc>
359		## <p>
360		## The template for full access to the temporary directories.
361		## This creates a derived type for the user
362		## temporary type. Execute access is not given.
363		## </p>
364		## </desc>
365		## <param name="userdomain_prefix">
366		## <summary>
367		## The prefix of the user domain (e.g., user
368		## is the prefix for user_t).
369		## </summary>
370		## </param>
371		## <rolebase/>
372		#
373		template(`userdom_manage_tmp_template',`
374		gen_require(`
375		attribute $1_file_type;
376		')
377
378		type $1_tmp_t, $1_file_type;
379		files_tmp_file($1_tmp_t)
380
381		manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
382		manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
383		manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
384		manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
385		manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
386		files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
387		')
388
389		#######################################
390		## <summary>
391		## The template for execute access to the user temporary files.
392		## </summary>
393		## <param name="userdomain_prefix">
394		## <summary>
395		## The prefix of the user domain (e.g., user
396		## is the prefix for user_t).
397		## </summary>
398		## </param>
399		## <rolebase/>
400		#
401		template(`userdom_exec_tmp_template',`
402		exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
403		')
404
405		#######################################
406		## <summary>
407		## The template for a polyinstantiated temporary directory.
408		## </summary>
409		## <param name="userdomain_prefix">
410		## <summary>
411		## The prefix of the user domain (e.g., user
412		## is the prefix for user_t).
413		## </summary>
414		## </param>
415		## <rolebase/>
416		#
417		template(`userdom_poly_tmp_template',`
418		files_poly_member_tmp($1_t,tmp_t)
419		')
420
421		#######################################
422		## <summary>
423		## The template for creating a tmpfs type
	334	## Role access for the user tmpfs type
424	335	## that the user has full access.
425	336	## </summary>
426	337	## <desc>
427	338	## <p>
428		## ~~The template for creating a~~ tmpfs type
	339	## Role access for the user tmpfs type
429	340	## that the user has full access.
430	341	## </p>
…	…
433	344	## </p>
434	345	## </desc>
435		## <param name="userdomain_prefix">
436		## <summary>
437		## The prefix of the user domain (e.g., user
438		## is the prefix for user_t).
439		## </summary>
440		## </param>
441		## <rolebase/>
442		#
443		template(`userdom_manage_tmpfs_template',`
444		gen_require(`
445		attribute $1_file_type;
446		')
447
448		type $1_tmpfs_t, $1_file_type;
449		files_tmpfs_file($1_tmpfs_t)
450
451		manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
452		manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
453		manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
454		manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
455		manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
456		fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	346	## <param name="role">
	347	## <summary>
	348	## Role allowed access.
	349	## </summary>
	350	## </param>
	351	## <param name="domain">
	352	## <summary>
	353	## Domain allowed access.
	354	## </summary>
	355	## </param>
	356	## <rolecap/>
	357	#
	358	interface(`userdom_manage_tmpfs_role',`
	359	gen_require(`
	360	type user_tmpfs_t;
	361	')
	362
	363	role $1 types user_tmpfs_t;
	364
	365	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
	366	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	367	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	368	manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	369	manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
	370	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	371	# role transition
457	372	')
458	373
…	…
497	412	dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
498	413	')
499		')
500
501		~~#######################################~~
502		~~## <summary>~~
503		~~## The template allowing the user to execute~~
504		~~## generic programs, such as those found in /bin,~~
505		~~## /sbin, /usr/bin, and /usr/sbin.~~
506		~~## </summary>~~
507		~~## <param name="userdomain_prefix">~~
508		~~## <summary>~~
509		~~## The prefix of the user domain (e.g., user~~
510		~~## is the prefix for user_t).~~
511		~~## </summary>~~
512		~~## </param>~~
513		~~## <rolebase/>~~
514		#
515		~~template(`userdom_exec_generic_pgms_template',`~~
516		~~gen_require(`~~
517		~~type $1_t;~~
518		')
519
520		~~corecmd_exec_bin($1_t)~~
521	414	')
522	415
…	…
676	569	userdom_basic_networking_template($1)
677	570
678		~~userdom_exec_generic_pgms_template($1)~~
679
680	571	optional_policy(`
681	572	userdom_xwindows_client_template($1)
…	…
700	591	# Find CDROM devices:
701	592	kernel_read_device_sysctls($1_t)
	593
	594	corecmd_exec_bin($1_t)
702	595
703	596	corenet_udp_bind_all_nodes($1_t)
…	…
896	789	userdom_base_user_template($1)
897	790
898		userdom_manage_home_template($1)
899		userdom_poly_home_template($1)
900		userdom_poly_tmp_template($1)
901
902		userdom_manage_tmp_template($1)
903		userdom_manage_tmpfs_template($1)
904
905		userdom_exec_tmp_template($1)
906		userdom_exec_home_template($1)
	791	userdom_manage_home_role($1_r, $1_t)
	792
	793	userdom_manage_tmp_role($1_r, $1_t)
	794	userdom_manage_tmpfs_role($1_r, $1_t)
	795
	796	userdom_exec_user_tmp_files($1_t)
	797	userdom_exec_user_home_content_files($1_t)
907	798
908	799	userdom_change_password_template($1)
…	…
1687	1578	## user home directory.
1688	1579	## </summary>
1689		~~## <desc>~~
1690		~~## <p>~~
1691		~~## Make the specified type usable in a~~
1692		~~## user home directory.~~
1693		~~## </p>~~
1694		~~## <p>~~
1695		~~## This is a templated interface, and should only~~
1696		~~## be called from a per-userdomain template.~~
1697		~~## </p>~~
1698		~~## </desc>~~
1699		~~## <param name="userdomain_prefix">~~
1700		~~## <summary>~~
1701		~~## The prefix of the user domain (e.g., user~~
1702		~~## is the prefix for user_t).~~
1703		~~## </summary>~~
1704		~~## </param>~~
1705	1580	## <param name="type">
1706	1581	## <summary>
…	…
1712	1587	template(`userdom_user_home_content',`
1713	1588	gen_require(`
1714		~~attribute $1_file_type~~;
1715		')
1716
1717		~~typeattribute $2 $1_file_typ~~e;
1718		files_type($2)
	1589	type user_home_t;
	1590	')
	1591
	1592	allow $1 user_home_t:filesystem associate;
	1593	files_type($1)
1719	1594	')
1720	1595
…	…
2145	2020	## Execute user home files.
2146	2021	## </summary>
2147		## <desc>
2148		## <p>
2149		## Execute user home files.
2150		## </p>
2151		## <p>
2152		## This is a templated interface, and should only
2153		## be called from a per-userdomain template.
2154		## </p>
2155		## </desc>
2156		## <param name="userdomain_prefix">
2157		## <summary>
2158		## The prefix of the user domain (e.g., user
2159		## is the prefix for user_t).
2160		## </summary>
2161		## </param>
2162		## <param name="domain">
2163		## <summary>
2164		## Domain allowed access.
2165		## </summary>
2166		## </param>
2167		#
2168		template(`userdom_exec_user_home_content_files',`
2169		gen_require(`
2170		type $1_home_dir_t, $1_home_t;
2171		')
2172
2173		files_search_home($2)
2174		exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
	2022	## <param name="domain">
	2023	## <summary>
	2024	## Domain allowed access.
	2025	## </summary>
	2026	## </param>
	2027	## <rolecap>
	2028	#
	2029	interface(`userdom_exec_user_home_content_files',`
	2030	gen_require(`
	2031	type user_home_dir_t, user_home_t;
	2032	')
	2033
	2034	files_search_home($1)
	2035	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	2036
	2037	tunable_policy(`use_nfs_home_dirs',`
	2038	fs_exec_nfs_files($1)
	2039	')
	2040
	2041	tunable_policy(`use_samba_home_dirs',`
	2042	fs_exec_cifs_files($1)
	2043	')
2175	2044	')
2176	2045

branches/rbacsep/policy/modules/system/userdomain.te

r2679	r2714
86	86	attribute untrusted_content_tmp_type;
87	87
	88	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
	89	fs_associate_tmpfs(user_home_dir_t)
	90	files_type(user_home_dir_t)
	91	files_mountpoint(user_home_dir_t)
	92	files_associate_tmp(user_home_dir_t)
	93	files_poly(user_home_dir_t)
	94	files_poly_member(user_home_dir_t)
	95	files_poly_parent(user_home_dir_t)
	96
	97	type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
	98	userdom_user_home_content(user_home_t)
	99	fs_associate_tmpfs(user_home_t)
	100	files_associate_tmp(user_home_t)
	101	files_poly_member(user_home_t)
	102	files_poly_parent(user_home_t)
	103	files_mountpoint(user_home_t)
	104
88	105	type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
89	106	dev_node(user_devpts_t)
90	107	files_type(user_devpts_t)
91	108
	109	type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
	110	files_tmp_file(user_tmp_t)
	111	userdom_user_home_content(user_tmp_t)
	112
	113	type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
	114	files_tmpfs_file(user_tmpfs_t)
	115	userdom_user_home_content(user_tmpfs_t)
	116
92	117	type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
93	118	dev_node(user_tty_device_t)

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.