Navigation

← Previous Changeset
Next Changeset →

Changeset 2715

Timestamp:

06/12/08 17:17:59 (3 months ago)

Author:

cpebenito

Message:

rbacsep: reclaim templated interfaces for regular interface usage.

Files:

branches/rbacsep/policy/modules/system/userdomain.if (modified) (59 diffs)
branches/rbacsep/policy/modules/system/userdomain.te (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/rbacsep/policy/modules/system/userdomain.if

r2714	r2715
901	901	gen_require(`
902	902	attribute unpriv_userdomain;
903		attribute privhome~~, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode~~;
	903	attribute privhome;
904	904	')
905	905
…	…
908	908	typeattribute $1_t unpriv_userdomain;
909	909	domain_interactive_fd($1_t)
910
911		~~typeattribute $1_home_dir_t user_home_dir_type;~~
912		~~typeattribute $1_home_t user_home_type;~~
913		~~typeattribute $1_tmp_t user_tmpfile;~~
914	910
915	911	##############################
…	…
1585	1581	## </param>
1586	1582	#
1587		~~templat~~e(`userdom_user_home_content',`
	1583	interface(`userdom_user_home_content',`
1588	1584	gen_require(`
1589	1585	type user_home_t;
…	…
1598	1594	## Set the attributes of a user pty.
1599	1595	## </summary>
1600		## <desc>
1601		## <p>
1602		## Set the attributes of a user pty.
1603		## </p>
1604		## <p>
1605		## This is a templated interface, and should only
1606		## be called from a per-userdomain template.
1607		## </p>
1608		## </desc>
1609		## <param name="userdomain_prefix">
1610		## <summary>
1611		## The prefix of the user domain (e.g., user
1612		## is the prefix for user_t).
1613		## </summary>
1614		## </param>
1615		## <param name="domain">
1616		## <summary>
1617		## Domain allowed access.
1618		## </summary>
1619		## </param>
1620		#
1621		template(`userdom_setattr_user_ptys',`
1622		gen_require(`
1623		type $1_devpts_t;
1624		')
1625
1626		allow $2 $1_devpts_t:chr_file setattr;
	1596	## <param name="domain">
	1597	## <summary>
	1598	## Domain allowed access.
	1599	## </summary>
	1600	## </param>
	1601	#
	1602	interface(`userdom_setattr_user_ptys',`
	1603	gen_require(`
	1604	type user_devpts_t;
	1605	')
	1606
	1607	allow $1 user_devpts_t:chr_file setattr;
1627	1608	')
1628	1609
…	…
1631	1612	## Create a user pty.
1632	1613	## </summary>
1633		## <desc>
1634		## <p>
1635		## Create a user pty.
1636		## </p>
1637		## <p>
1638		## This is a templated interface, and should only
1639		## be called from a per-userdomain template.
1640		## </p>
1641		## </desc>
1642		## <param name="userdomain_prefix">
1643		## <summary>
1644		## The prefix of the user domain (e.g., user
1645		## is the prefix for user_t).
1646		## </summary>
1647		## </param>
1648		## <param name="domain">
1649		## <summary>
1650		## Domain allowed access.
1651		## </summary>
1652		## </param>
1653		#
1654		template(`userdom_create_user_pty',`
1655		gen_require(`
1656		type $1_devpts_t;
1657		')
1658
1659		term_create_pty($2, $1_devpts_t)
	1614	## <param name="domain">
	1615	## <summary>
	1616	## Domain allowed access.
	1617	## </summary>
	1618	## </param>
	1619	#
	1620	interface(`userdom_create_user_pty',`
	1621	gen_require(`
	1622	type user_devpts_t;
	1623	')
	1624
	1625	term_create_pty($1, user_devpts_t)
1660	1626	')
1661	1627
…	…
1664	1630	## Search user home directories.
1665	1631	## </summary>
1666		## <desc>
1667		## <p>
1668		## Search user home directories.
1669		## </p>
1670		## <p>
1671		## This is a templated interface, and should only
1672		## be called from a per-userdomain template.
1673		## </p>
1674		## </desc>
1675		## <param name="userdomain_prefix">
1676		## <summary>
1677		## The prefix of the user domain (e.g., user
1678		## is the prefix for user_t).
1679		## </summary>
1680		## </param>
1681		## <param name="domain">
1682		## <summary>
1683		## Domain allowed access.
1684		## </summary>
1685		## </param>
1686		#
1687		template(`userdom_search_user_home_dirs',`
1688		gen_require(`
1689		type $1_home_dir_t;
1690		')
1691
	1632	## <param name="domain">
	1633	## <summary>
	1634	## Domain allowed access.
	1635	## </summary>
	1636	## </param>
	1637	#
	1638	interface(`userdom_search_user_home_dirs',`
	1639	gen_require(`
	1640	type user_home_dir_t;
	1641	')
	1642
	1643	allow $1 user_home_dir_t:dir search_dir_perms;
1692	1644	files_search_home($2)
1693		~~allow $2 $1_home_dir_t:dir search_dir_perms;~~
1694	1645	')
1695	1646
…	…
1698	1649	## List user home directories.
1699	1650	## </summary>
1700		~~## <desc>~~
1701		~~## <p>~~
1702		~~## List user home directories.~~
1703		~~## </p>~~
1704		~~## <p>~~
1705		~~## This is a templated interface, and should only~~
1706		~~## be called from a per-userdomain template.~~
1707		~~## </p>~~
1708		~~## </desc>~~
1709		~~## <param name="userdomain_prefix">~~
1710		~~## <summary>~~
1711		~~## The prefix of the user domain (e.g., user~~
1712		~~## is the prefix for user_t).~~
1713		~~## </summary>~~
1714		~~## </param>~~
1715	1651	## <param name="domain">
1716	1652	## <summary>
…	…
1719	1655	## </param>
1720	1656	#
1721		~~templat~~e(`userdom_list_user_home_dirs',`
1722		gen_require(`
1723		type $1_home_dir_t;
1724		')
1725
1726		~~files_search_home($2)~~
1727		~~allow $2 $1_home_dir_t:dir list_dir_perms;~~
	1657	interface(`userdom_list_user_home_dirs',`
	1658	gen_require(`
	1659	type user_home_dir_t;
	1660	')
	1661
	1662	allow $1 user_home_dir_t:dir list_dir_perms;
	1663	files_search_home($1)
1728	1664	')
1729	1665
…	…
1745	1681	## the domains are not owned by this module.
1746	1682	## </p>
1747		~~## <p>~~
1748		~~## This is a templated interface, and should only~~
1749		~~## be called from a per-userdomain template.~~
1750		~~## </p>~~
1751	1683	## </desc>
1752		~~## <param name="userdomain_prefix">~~
1753		~~## <summary>~~
1754		~~## The prefix of the user domain (e.g., user~~
1755		~~## is the prefix for user_t).~~
1756		~~## </summary>~~
1757		~~## </param>~~
1758	1684	## <param name="source_domain">
1759	1685	## <summary>
…	…
1767	1693	## </param>
1768	1694	#
1769		~~templat~~e(`userdom_user_home_domtrans',`
1770		gen_require(`
1771		type ~~$1_home_dir_t, $1~~_home_t;
1772		')
1773
1774		~~files_search_home(~~$2)
1775		allow $~~2 $1~~_home_dir_t:dir search_dir_perms;
1776		~~domain_auto_trans($2,$1_home_t,$3~~)
	1695	interface(`userdom_user_home_domtrans',`
	1696	gen_require(`
	1697	type user_home_dir_t, user_home_t;
	1698	')
	1699
	1700	domain_auto_trans($1, user_home_t, $2)
	1701	allow $1 user_home_dir_t:dir search_dir_perms;
	1702	files_search_home($1)
1777	1703	')
1778	1704
…	…
1781	1707	## Do not audit attempts to list user home subdirectories.
1782	1708	## </summary>
1783		~~## <desc>~~
1784		~~## <p>~~
1785		~~## Do not audit attempts to list user home subdirectories.~~
1786		~~## </p>~~
1787		~~## <p>~~
1788		~~## This is a templated interface, and should only~~
1789		~~## be called from a per-userdomain template.~~
1790		~~## </p>~~
1791		~~## </desc>~~
1792		~~## <param name="userdomain_prefix">~~
1793		~~## <summary>~~
1794		~~## The prefix of the user domain (e.g., user~~
1795		~~## is the prefix for user_t).~~
1796		~~## </summary>~~
1797		~~## </param>~~
1798	1709	## <param name="domain">
1799	1710	## <summary>
…	…
1802	1713	## </param>
1803	1714	#
1804		~~templat~~e(`userdom_dontaudit_list_user_home_dirs',`
1805		gen_require(`
1806		type $1_home_dir_t;
1807		')
1808
1809		dontaudit $~~2 $1~~_home_dir_t:dir list_dir_perms;
	1715	interface(`userdom_dontaudit_list_user_home_dirs',`
	1716	gen_require(`
	1717	type user_home_dir_t;
	1718	')
	1719
	1720	dontaudit $1 user_home_dir_t:dir list_dir_perms;
1810	1721	')
1811	1722
…	…
1815	1726	## in a user home subdirectory.
1816	1727	## </summary>
1817		## <desc>
1818		## <p>
1819		## Create, read, write, and delete directories
1820		## in a user home subdirectory.
1821		## </p>
1822		## <p>
1823		## This is a templated interface, and should only
1824		## be called from a per-userdomain template.
1825		## </p>
1826		## </desc>
1827		## <param name="userdomain_prefix">
1828		## <summary>
1829		## The prefix of the user domain (e.g., user
1830		## is the prefix for user_t).
1831		## </summary>
1832		## </param>
1833		## <param name="domain">
1834		## <summary>
1835		## Domain allowed access.
1836		## </summary>
1837		## </param>
1838		#
1839		template(`userdom_manage_user_home_content_dirs',`
1840		gen_require(`
1841		type $1_home_dir_t, $1_home_t;
1842		')
1843
1844		files_search_home($2)
1845		manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
	1728	## <param name="domain">
	1729	## <summary>
	1730	## Domain allowed access.
	1731	## </summary>
	1732	## </param>
	1733	#
	1734	interface(`userdom_manage_user_home_content_dirs',`
	1735	gen_require(`
	1736	type user_home_dir_t, user_home_t;
	1737	')
	1738
	1739	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	1740	files_search_home($1)
1846	1741	')
1847	1742
…	…
1851	1746	## attributes of user home files.
1852	1747	## </summary>
1853		## <desc>
1854		## <p>
1855		## Do not audit attempts to set the
1856		## attributes of user home files.
1857		## </p>
1858		## <p>
1859		## This is a templated interface, and should only
1860		## be called from a per-userdomain template.
1861		## </p>
1862		## </desc>
1863		## <param name="userdomain_prefix">
1864		## <summary>
1865		## The prefix of the user domain (e.g., user
1866		## is the prefix for user_t).
1867		## </summary>
1868		## </param>
1869		## <param name="domain">
1870		## <summary>
1871		## Domain allowed access.
1872		## </summary>
1873		## </param>
1874		#
1875		template(`userdom_dontaudit_setattr_user_home_content_files',`
1876		gen_require(`
1877		type $1_home_dir_t, $1_home_t;
1878		')
1879
1880		dontaudit $2 $1_home_t:file setattr;
	1748	## <param name="domain">
	1749	## <summary>
	1750	## Domain allowed access.
	1751	## </summary>
	1752	## </param>
	1753	#
	1754	interface(`userdom_dontaudit_setattr_user_home_content_files',`
	1755	gen_require(`
	1756	type user_home_t;
	1757	')
	1758
	1759	dontaudit $1 user_home_t:file setattr;
1881	1760	')
1882	1761
…	…
1885	1764	## Read user home files.
1886	1765	## </summary>
1887		## <desc>
1888		## <p>
1889		## Read user home files.
1890		## </p>
1891		## <p>
1892		## This is a templated interface, and should only
1893		## be called from a per-userdomain template.
1894		## </p>
1895		## </desc>
1896		## <param name="userdomain_prefix">
1897		## <summary>
1898		## The prefix of the user domain (e.g., user
1899		## is the prefix for user_t).
1900		## </summary>
1901		## </param>
1902		## <param name="domain">
1903		## <summary>
1904		## Domain allowed access.
1905		## </summary>
1906		## </param>
1907		#
1908		template(`userdom_read_user_home_content_files',`
1909		gen_require(`
1910		type $1_home_dir_t, $1_home_t;
1911		')
1912
1913		files_search_home($2)
1914		read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
	1766	## <param name="domain">
	1767	## <summary>
	1768	## Domain allowed access.
	1769	## </summary>
	1770	## </param>
	1771	#
	1772	interface(`userdom_read_user_home_content_files',`
	1773	gen_require(`
	1774	type user_home_dir_t, user_home_t;
	1775	')
	1776
	1777	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	1778	files_search_home($1)
1915	1779	')
1916	1780
…	…
1919	1783	## Do not audit attempts to read user home files.
1920	1784	## </summary>
1921		~~## <desc>~~
1922		~~## <p>~~
1923		~~## Do not audit attempts to read user home files.~~
1924		~~## </p>~~
1925		~~## <p>~~
1926		~~## This is a templated interface, and should only~~
1927		~~## be called from a per-userdomain template.~~
1928		~~## </p>~~
1929		~~## </desc>~~
1930		~~## <param name="userdomain_prefix">~~
1931		~~## <summary>~~
1932		~~## The prefix of the user domain (e.g., user~~
1933		~~## is the prefix for user_t).~~
1934		~~## </summary>~~
1935		~~## </param>~~
1936	1785	## <param name="domain">
1937	1786	## <summary>
…	…
1940	1789	## </param>
1941	1790	#
1942		~~templat~~e(`userdom_dontaudit_read_user_home_content_files',`
1943		gen_require(`
1944		type $1_home_t;
1945		')
1946
1947		dontaudit $~~2 $1~~_home_t:dir list_dir_perms;
1948		dontaudit $~~2 $1~~_home_t:file read_file_perms;
	1791	interface(`userdom_dontaudit_read_user_home_content_files',`
	1792	gen_require(`
	1793	type user_home_t;
	1794	')
	1795
	1796	dontaudit $1 user_home_t:dir list_dir_perms;
	1797	dontaudit $1 user_home_t:file read_file_perms;
1949	1798	')
1950	1799
…	…
1953	1802	## Do not audit attempts to write user home files.
1954	1803	## </summary>
1955		~~## <desc>~~
1956		~~## <p>~~
1957		~~## Do not audit attempts to write user home files.~~
1958		~~## </p>~~
1959		~~## <p>~~
1960		~~## This is a templated interface, and should only~~
1961		~~## be called from a per-userdomain template.~~
1962		~~## </p>~~
1963		~~## </desc>~~
1964		~~## <param name="userdomain_prefix">~~
1965		~~## <summary>~~
1966		~~## The prefix of the user domain (e.g., user~~
1967		~~## is the prefix for user_t).~~
1968		~~## </summary>~~
1969		~~## </param>~~
1970	1804	## <param name="domain">
1971	1805	## <summary>
…	…
1974	1808	## </param>
1975	1809	#
1976		~~templat~~e(`userdom_dontaudit_write_user_home_content_files',`
1977		gen_require(`
1978		type $1_home_t;
1979		')
1980
1981		dontaudit $~~2 $1~~_home_t:file write;
	1810	interface(`userdom_dontaudit_write_user_home_content_files',`
	1811	gen_require(`
	1812	type user_home_t;
	1813	')
	1814
	1815	dontaudit $1 user_home_t:file write;
1982	1816	')
1983	1817
…	…
1986	1820	## Read user home subdirectory symbolic links.
1987	1821	## </summary>
1988		## <desc>
1989		## <p>
1990		## Read user home subdirectory symbolic links.
1991		## </p>
1992		## <p>
1993		## This is a templated interface, and should only
1994		## be called from a per-userdomain template.
1995		## </p>
1996		## </desc>
1997		## <param name="userdomain_prefix">
1998		## <summary>
1999		## The prefix of the user domain (e.g., user
2000		## is the prefix for user_t).
2001		## </summary>
2002		## </param>
2003		## <param name="domain">
2004		## <summary>
2005		## Domain allowed access.
2006		## </summary>
2007		## </param>
2008		#
2009		template(`userdom_read_user_home_content_symlinks',`
2010		gen_require(`
2011		type $1_home_dir_t, $1_home_t;
2012		')
2013
2014		files_search_home($2)
2015		read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
	1822	## <param name="domain">
	1823	## <summary>
	1824	## Domain allowed access.
	1825	## </summary>
	1826	## </param>
	1827	#
	1828	interface(`userdom_read_user_home_content_symlinks',`
	1829	gen_require(`
	1830	type user_home_dir_t, user_home_t;
	1831	')
	1832
	1833	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	1834	files_search_home($1)
2016	1835	')
2017	1836
…	…
2048	1867	## Do not audit attempts to execute user home files.
2049	1868	## </summary>
2050		## <desc>
2051		## <p>
2052		## Do not audit attempts to execute user home files.
2053		## </p>
2054		## <p>
2055		## This is a templated interface, and should only
2056		## be called from a per-userdomain template.
2057		## </p>
2058		## </desc>
2059		## <param name="userdomain_prefix">
2060		## <summary>
2061		## The prefix of the user domain (e.g., user
2062		## is the prefix for user_t).
2063		## </summary>
2064		## </param>
2065		## <param name="domain">
2066		## <summary>
2067		## Domain allowed access.
2068		## </summary>
2069		## </param>
2070		#
2071		template(`userdom_dontaudit_exec_user_home_content_files',`
2072		gen_require(`
2073		type $1_home_t;
2074		')
2075
2076		dontaudit $2 $1_home_t:file execute;
	1869	## <param name="domain">
	1870	## <summary>
	1871	## Domain allowed access.
	1872	## </summary>
	1873	## </param>
	1874	#
	1875	interface(`userdom_dontaudit_exec_user_home_content_files',`
	1876	gen_require(`
	1877	type user_home_t;
	1878	')
	1879
	1880	dontaudit $1 user_home_t:file execute;
2077	1881	')
2078	1882
…	…
2082	1886	## in a user home subdirectory.
2083	1887	## </summary>
2084		## <desc>
2085		## <p>
2086		## Create, read, write, and delete files
2087		## in a user home subdirectory.
2088		## </p>
2089		## <p>
2090		## This is a templated interface, and should only
2091		## be called from a per-userdomain template.
2092		## </p>
2093		## </desc>
2094		## <param name="userdomain_prefix">
2095		## <summary>
2096		## The prefix of the user domain (e.g., user
2097		## is the prefix for user_t).
2098		## </summary>
2099		## </param>
2100		## <param name="domain">
2101		## <summary>
2102		## Domain allowed access.
2103		## </summary>
2104		## </param>
2105		#
2106		template(`userdom_manage_user_home_content_files',`
2107		gen_require(`
2108		type $1_home_dir_t, $1_home_t;
2109		')
2110
2111		files_search_home($2)
2112		allow $2 $1_home_dir_t:dir search_dir_perms;
2113		manage_files_pattern($2,$1_home_t,$1_home_t)
	1888	## <param name="domain">
	1889	## <summary>
	1890	## Domain allowed access.
	1891	## </summary>
	1892	## </param>
	1893	#
	1894	interface(`userdom_manage_user_home_content_files',`
	1895	gen_require(`
	1896	type user_home_dir_t, user_home_t;
	1897	')
	1898
	1899	manage_files_pattern($1, user_home_t, user_home_t)
	1900	allow $1 user_home_dir_t:dir search_dir_perms;
	1901	files_search_home($1)
2114	1902	')
2115	1903
…	…
2119	1907	## in a user home subdirectory.
2120	1908	## </summary>
2121		## <desc>
2122		## <p>
2123		## Do not audit attempts to create, read, write, and delete directories
2124		## in a user home subdirectory.
2125		## </p>
2126		## <p>
2127		## This is a templated interface, and should only
2128		## be called from a per-userdomain template.
2129		## </p>
2130		## </desc>
2131		## <param name="userdomain_prefix">
2132		## <summary>
2133		## The prefix of the user domain (e.g., user
2134		## is the prefix for user_t).
2135		## </summary>
2136		## </param>
2137		## <param name="domain">
2138		## <summary>
2139		## Domain allowed access.
2140		## </summary>
2141		## </param>
2142		#
2143		template(`userdom_dontaudit_manage_user_home_content_dirs',`
2144		gen_require(`
2145		type $1_home_dir_t, $1_home_t;
2146		')
2147
2148		dontaudit $2 $1_home_t:dir manage_dir_perms;
	1909	## <param name="domain">
	1910	## <summary>
	1911	## Domain allowed access.
	1912	## </summary>
	1913	## </param>
	1914	#
	1915	interface(`userdom_dontaudit_manage_user_home_content_dirs',`
	1916	gen_require(`
	1917	type user_home_dir_t, user_home_t;
	1918	')
	1919
	1920	dontaudit $1 user_home_t:dir manage_dir_perms;
2149	1921	')
2150	1922
…	…
2154	1926	## in a user home subdirectory.
2155	1927	## </summary>
2156		## <desc>
2157		## <p>
2158		## Create, read, write, and delete symbolic links
2159		## in a user home subdirectory.
2160		## </p>
2161		## <p>
2162		## This is a templated interface, and should only
2163		## be called from a per-userdomain template.
2164		## </p>
2165		## </desc>
2166		## <param name="userdomain_prefix">
2167		## <summary>
2168		## The prefix of the user domain (e.g., user
2169		## is the prefix for user_t).
2170		## </summary>
2171		## </param>
2172		## <param name="domain">
2173		## <summary>
2174		## Domain allowed access.
2175		## </summary>
2176		## </param>
2177		#
2178		template(`userdom_manage_user_home_content_symlinks',`
2179		gen_require(`
2180		type $1_home_dir_t, $1_home_t;
2181		')
2182
2183		files_search_home($2)
2184		allow $2 $1_home_dir_t:dir search_dir_perms;
2185		manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
	1928	## <param name="domain">
	1929	## <summary>
	1930	## Domain allowed access.
	1931	## </summary>
	1932	## </param>
	1933	#
	1934	interface(`userdom_manage_user_home_content_symlinks',`
	1935	gen_require(`
	1936	type user_home_dir_t, user_home_t;
	1937	')
	1938
	1939	manage_lnk_files_pattern($1, user_home_t, user_home_t)
	1940	allow $1 user_home_dir_t:dir search_dir_perms;
	1941	files_search_home($1)
2186	1942	')
2187	1943
…	…
2191	1947	## in a user home subdirectory.
2192	1948	## </summary>
2193		## <desc>
2194		## <p>
2195		## Create, read, write, and delete named pipes
2196		## in a user home subdirectory.
2197		## </p>
2198		## <p>
2199		## This is a templated interface, and should only
2200		## be called from a per-userdomain template.
2201		## </p>
2202		## </desc>
2203		## <param name="userdomain_prefix">
2204		## <summary>
2205		## The prefix of the user domain (e.g., user
2206		## is the prefix for user_t).
2207		## </summary>
2208		## </param>
2209		## <param name="domain">
2210		## <summary>
2211		## Domain allowed access.
2212		## </summary>
2213		## </param>
2214		#
2215		template(`userdom_manage_user_home_content_pipes',`
2216		gen_require(`
2217		type $1_home_dir_t, $1_home_t;
2218		')
2219
2220		files_search_home($2)
2221		allow $2 $1_home_dir_t:dir search_dir_perms;
2222		manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
	1949	## <param name="domain">
	1950	## <summary>
	1951	## Domain allowed access.
	1952	## </summary>
	1953	## </param>
	1954	#
	1955	interface(`userdom_manage_user_home_content_pipes',`
	1956	gen_require(`
	1957	type user_home_dir_t, user_home_t;
	1958	')
	1959
	1960	manage_fifo_files_pattern($1, user_home_t, user_home_t)
	1961	allow $1 user_home_dir_t:dir search_dir_perms;
	1962	files_search_home($1)
2223	1963	')
2224	1964
…	…
2228	1968	## in a user home subdirectory.
2229	1969	## </summary>
2230		## <desc>
2231		## <p>
2232		## Create, read, write, and delete named sockets
2233		## in a user home subdirectory.
2234		## </p>
2235		## <p>
2236		## This is a templated interface, and should only
2237		## be called from a per-userdomain template.
2238		## </p>
2239		## </desc>
2240		## <param name="userdomain_prefix">
2241		## <summary>
2242		## The prefix of the user domain (e.g., user
2243		## is the prefix for user_t).
2244		## </summary>
2245		## </param>
2246		## <param name="domain">
2247		## <summary>
2248		## Domain allowed access.
2249		## </summary>
2250		## </param>
2251		#
2252		template(`userdom_manage_user_home_content_sockets',`
2253		gen_require(`
2254		type $1_home_dir_t, $1_home_t;
2255		')
2256
2257		files_search_home($2)
2258		allow $2 $1_home_dir_t:dir search_dir_perms;
2259		manage_sock_files_pattern($2,$1_home_t,$1_home_t)
	1970	## <param name="domain">
	1971	## <summary>
	1972	## Domain allowed access.
	1973	## </summary>
	1974	## </param>
	1975	#
	1976	interface(`userdom_manage_user_home_content_sockets',`
	1977	gen_require(`
	1978	type user_home_dir_t, user_home_t;
	1979	')
	1980
	1981	allow $1 user_home_dir_t:dir search_dir_perms;
	1982	manage_sock_files_pattern($1, user_home_t, user_home_t)
	1983	files_search_home($1)
2260	1984	')
2261	1985
…	…
2266	1990	## a specified private type.
2267	1991	## </summary>
2268		## <desc>
2269		## <p>
	1992	## <param name="domain">
	1993	## <summary>
	1994	## Domain allowed access.
	1995	## </summary>
	1996	## </param>
	1997	## <param name="private_type">
	1998	## <summary>
	1999	## The type of the object to create.
	2000	## </summary>
	2001	## </param>
	2002	## <param name="object_class">
	2003	## <summary>
	2004	## The class of the object to be created.
	2005	## </summary>
	2006	## </param>
	2007	#
	2008	interface(`userdom_user_home_dir_filetrans',`
	2009	gen_require(`
	2010	type user_home_dir_t;
	2011	')
	2012
	2013	filetrans_pattern($1, user_home_dir_t, $2, $3)
	2014	files_search_home($1)
	2015	')
	2016
	2017	########################################
	2018	## <summary>
2270	2019	## Create objects in a user home directory
2271	2020	## with an automatic type transition to
2272	2021	## a specified private type.
2273		## </p>
2274		## <p>
2275		## This is a templated interface, and should only
2276		## be called from a per-userdomain template.
2277		## </p>
2278		## </desc>
2279		## <param name="userdomain_prefix">
2280		## <summary>
2281		## The prefix of the user domain (e.g., user
2282		## is the prefix for user_t).
2283		## </summary>
2284		## </param>
	2022	## </summary>
2285	2023	## <param name="domain">
2286	2024	## <summary>
…	…
2295	2033	## <param name="object_class">
2296	2034	## <summary>
2297		## The class of the object to be created. If not
2298		## specified, file is used.
2299		## </summary>
2300		## </param>
2301		#
2302		template(`userdom_user_home_dir_filetrans',`
2303		gen_require(`
2304		type $1_home_dir_t;
2305		')
2306
2307		files_search_home($2)
2308		filetrans_pattern($2,$1_home_dir_t,$3,$4)
2309		')
2310
2311		########################################
2312		## <summary>
2313		## Create objects in a user home directory
2314		## with an automatic type transition to
2315		## a specified private type.
2316		## </summary>
2317		## <desc>
2318		## <p>
2319		## Create objects in a user home directory
2320		## with an automatic type transition to
2321		## a specified private type.
2322		## </p>
2323		## <p>
2324		## This is a templated interface, and should only
2325		## be called from a per-userdomain template.
2326		## </p>
2327		## </desc>
2328		## <param name="userdomain_prefix">
2329		## <summary>
2330		## The prefix of the user domain (e.g., user
2331		## is the prefix for user_t).
2332		## </summary>
2333		## </param>
2334		## <param name="domain">
2335		## <summary>
2336		## Domain allowed access.
2337		## </summary>
2338		## </param>
2339		## <param name="private_type">
2340		## <summary>
2341		## The type of the object to create.
2342		## </summary>
2343		## </param>
2344		## <param name="object_class">
2345		## <summary>
2346		## The class of the object to be created. If not
2347		## specified, file is used.
2348		## </summary>
2349		## </param>
2350		#
2351		template(`userdom_user_home_content_filetrans',`
2352		gen_require(`
2353		type $1_home_t;
2354		')
2355
2356		files_search_home($2)
2357		filetrans_pattern($2,$1_home_t,$3,$4)
	2035	## The class of the object to be created.
	2036	## </summary>
	2037	## </param>
	2038	#
	2039	interface(`userdom_user_home_content_filetrans',`
	2040	gen_require(`
	2041	type user_home_dir_t, user_home_t;
	2042	')
	2043
	2044	filetrans_pattern($1, user_home_t, $2, $3)
	2045	allow $1 user_home_dir_t:dir search_dir_perms;
	2046	files_search_home($1)
2358	2047	')
2359	2048
…	…
2364	2053	## the user home file type.
2365	2054	## </summary>
2366		~~## <desc>~~
2367		~~## <p>~~
2368		~~## Create objects in a user home directory~~
2369		~~## with an automatic type transition to~~
2370		~~## the user home file type.~~
2371		~~## </p>~~
2372		~~## <p>~~
2373		~~## This is a templated interface, and should only~~
2374		~~## be called from a per-userdomain template.~~
2375		~~## </p>~~
2376		~~## </desc>~~
2377		~~## <param name="userdomain_prefix">~~
2378		~~## <summary>~~
2379		~~## The prefix of the user domain (e.g., user~~
2380		~~## is the prefix for user_t).~~
2381		~~## </summary>~~
2382		~~## </param>~~
2383	2055	## <param name="domain">
2384	2056	## <summary>
…	…
2388	2060	## <param name="object_class">
2389	2061	## <summary>
2390		## The class of the object to be created. If not
2391		## specified, file is used.
2392		## </summary>
2393		## </param>
2394		#
2395		template(`userdom_user_home_dir_filetrans_user_home_content',`
2396		gen_require(`
2397		type $1_home_dir_t, $1_home_t;
2398		')
2399
2400		files_search_home($2)
2401		filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
	2062	## The class of the object to be created.
	2063	## </summary>
	2064	## </param>
	2065	#
	2066	interface(`userdom_user_home_dir_filetrans_user_home_content',`
	2067	gen_require(`
	2068	type user_home_dir_t, user_home_t;
	2069	')
	2070
	2071	filetrans_pattern($1, user_home_dir_t, user_home_t, $3)
	2072	files_search_home($1)
2402	2073	')
2403	2074
…	…
2406	2077	## Write to user temporary named sockets.
2407	2078	## </summary>
2408		~~## <desc>~~
2409		~~## <p>~~
2410		~~## Write to user temporary named sockets.~~
2411		~~## </p>~~
2412		~~## <p>~~
2413		~~## This is a templated interface, and should only~~
2414		~~## be called from a per-userdomain template.~~
2415		~~## </p>~~
2416		~~## </desc>~~
2417		~~## <param name="userdomain_prefix">~~
2418		~~## <summary>~~
2419		~~## The prefix of the user domain (e.g., user~~
2420		~~## is the prefix for user_t).~~
2421		~~## </summary>~~
2422		~~## </param>~~
2423	2079	## <param name="domain">
2424	2080	## <summary>
…	…
2427	2083	## </param>
2428	2084	#
2429		~~templat~~e(`userdom_write_user_tmp_sockets',`
2430		gen_require(`
2431		type $1_tmp_t;
2432		')
2433
2434		~~files_search_tmp($2)~~
2435		~~allow $2 $1_tmp_t:sock_file write;~~
	2085	interface(`userdom_write_user_tmp_sockets',`
	2086	gen_require(`
	2087	type user_tmp_t;
	2088	')
	2089
	2090	allow $1 user_tmp_t:sock_file write;
	2091	files_search_tmp($1)
2436	2092	')
2437	2093
…	…
2440	2096	## List user temporary directories.
2441	2097	## </summary>
2442		## <desc>
2443		## <p>
2444		## List user temporary directories.
2445		## </p>
2446		## <p>
2447		## This is a templated interface, and should only
2448		## be called from a per-userdomain template.
2449		## </p>
2450		## </desc>
2451		## <param name="userdomain_prefix">
2452		## <summary>
2453		## The prefix of the user domain (e.g., user
2454		## is the prefix for user_t).
2455		## </summary>
2456		## </param>
2457		## <param name="domain">
2458		## <summary>
2459		## Domain allowed access.
2460		## </summary>
2461		## </param>
2462		#
2463		template(`userdom_list_user_tmp',`
2464		gen_require(`
2465		type $1_tmp_t;
2466		')
2467
2468		files_search_tmp($2)
2469		allow $2 $1_tmp_t:dir list_dir_perms;
	2098	## <param name="domain">
	2099	## <summary>
	2100	## Domain allowed access.
	2101	## </summary>
	2102	## </param>
	2103	#
	2104	interface(`userdom_list_user_tmp',`
	2105	gen_require(`
	2106	type user_tmp_t;
	2107	')
	2108
	2109	allow $1 user_tmp_t:dir list_dir_perms;
	2110	files_search_tmp($1)
2470	2111	')
2471	2112
…	…
2475	2116	## temporary directories.
2476	2117	## </summary>
2477		~~## <desc>~~
2478		~~## <p>~~
2479		~~## Do not audit attempts to list user~~
2480		~~## temporary directories.~~
2481		~~## </p>~~
2482		~~## <p>~~
2483		~~## This is a templated interface, and should only~~
2484		~~## be called from a per-userdomain template.~~
2485		~~## </p>~~
2486		~~## </desc>~~
2487		~~## <param name="userdomain_prefix">~~
2488		~~## <summary>~~
2489		~~## The prefix of the user domain (e.g., user~~
2490		~~## is the prefix for user_t).~~
2491		~~## </summary>~~
2492		~~## </param>~~
2493	2118	## <param name="domain">
2494	2119	## <summary>
…	…
2497	2122	## </param>
2498	2123	#
2499		~~templat~~e(`userdom_dontaudit_list_user_tmp',`
2500		gen_require(`
2501		type $1_tmp_t;
2502		')
2503
2504		dontaudit $~~2 $1~~_tmp_t:dir list_dir_perms;
	2124	interface(`userdom_dontaudit_list_user_tmp',`
	2125	gen_require(`
	2126	type user_tmp_t;
	2127	')
	2128
	2129	dontaudit $1 user_tmp_t:dir list_dir_perms;
2505	2130	')
2506	2131
…	…
2510	2135	## temporary directories.
2511	2136	## </summary>
2512		~~## <desc>~~
2513		~~## <p>~~
2514		~~## Do not audit attempts to manage users~~
2515		~~## temporary directories.~~
2516		~~## </p>~~
2517		~~## <p>~~
2518		~~## This is a templated interface, and should only~~
2519		~~## be called from a per-userdomain template.~~
2520		~~## </p>~~
2521		~~## </desc>~~
2522		~~## <param name="userdomain_prefix">~~
2523		~~## <summary>~~
2524		~~## The prefix of the user domain (e.g., user~~
2525		~~## is the prefix for user_t).~~
2526		~~## </summary>~~
2527		~~## </param>~~
2528	2137	## <param name="domain">
2529	2138	## <summary>
…	…
2532	2141	## </param>
2533	2142	#
2534		~~templat~~e(`userdom_dontaudit_manage_user_tmp_dirs',`
2535		gen_require(`
2536		type $1_tmp_t;
2537		')
2538
2539		dontaudit $~~2 $1~~_tmp_t:dir manage_dir_perms;
	2143	interface(`userdom_dontaudit_manage_user_tmp_dirs',`
	2144	gen_require(`
	2145	type user_tmp_t;
	2146	')
	2147
	2148	dontaudit $1 user_tmp_t:dir manage_dir_perms;
2540	2149	')
2541	2150
…	…
2544	2153	## Read user temporary files.&nbs