selinux-refpolicy/refpolicy/policy/modules/system/userdomain.te

80 lines
1.9 KiB
Plaintext
Raw Normal View History

# Copyright (C) 2005 Tresys Technology, LLC
policy_module(userdomain,1.0)
########################################
#
# Declarations
#
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;
# all user domains
attribute userdomain;
# unprivileged user domains
attribute unpriv_userdomain;
# Allow execution of anonymous mappings, e.g. executable stack.
bool allow_execmem false;
# Support Share libraries with Text Relocation
bool allow_execmod false;
# Allow system to run with kerberos
bool allow_kerberos false;
# Allow system to run with NIS
bool allow_ypbind false;
# Allow reading of default_t files.
bool read_default_t false;
# Allow staff_r users to search the sysadm home dir and read
# files (such as ~/.bashrc)
bool staff_read_sysadm_file false;
# Support NFS home directories
bool use_nfs_home_dirs false;
# Support SAMBA home directories
bool use_samba_home_dirs false;
# Allow regular users direct mouse access
bool user_direct_mouse false;
# Allow users to read system messages.
bool user_dmesg false;
# Allow users to control network interfaces (also needs USERCTL=true)
bool user_net_control false;
# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
bool user_rw_noexattrfile false;
# Allow users to rw usb devices
bool user_rw_usb false;
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
bool user_tcp_server false;
# Allow w to display everyone
bool user_ttyfile_stat false;
user_domain_template(staff)
user_domain_template(user)
type sysadm_t;
domain_make_domain(sysadm_t)
per_userdomain_templates(sysadm)
########################################
#
# Local policy
#