selinux-refpolicy/policy/modules/roles/unprivuser.te

208 lines
2.9 KiB
Plaintext
Raw Normal View History

2019-02-01 20:03:42 +00:00
policy_module(unprivuser, 2.10.0)
# this module should be named user, but that is
# a compile error since user is a keyword.
########################################
#
# Declarations
#
#role user_r;
userdom_unpriv_user_template(user)
2008-11-05 16:10:46 +00:00
optional_policy(`
apache_role(user_r, user_t)
')
optional_policy(`
git_role(user_r, user_t)
')
optional_policy(`
modemmanager_dbus_chat(user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
screen_role_template(user, user_r, user_t)
2008-11-05 16:10:46 +00:00
')
optional_policy(`
2010-11-01 15:22:07 +00:00
vlock_run(user_t, user_r)
')
optional_policy(`
xscreensaver_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
xserver_role(user_r, user_t)
2008-11-05 16:10:46 +00:00
')
ifndef(`distro_redhat',`
optional_policy(`
auth_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
bluetooth_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
cdrecord_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
chromium There are several nacl binaries that need labels. Put an ifdef debian for some chromium paths. Git policy misses chromium_role() lines, were they in another patch that was submitted at the same time? I don't know what this is for but doesn't seem harmful to allow it: type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null) type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { associate } for pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { create } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { add_name } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir Allow domain_use_interactive_fds() for running via ssh -X. Allow managing xdg data, cache, and config. Allow reading public data from apt and dpkg, probably from lsb_release or some other shell script. How does the whold naclhelper thing work anyway? I'm nervous about process share access involving chromium_sandbox_t, is that really what we want? Added lots of other stuff like searching cgroup dirs etc.
2019-01-28 08:46:49 +00:00
optional_policy(`
chromium_role(user_r, user_t)
')
optional_policy(`
cron_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
dbus_role_template(user, user_r, user_t)
optional_policy(`
gnome_role_template(user, user_r, user_t)
')
optional_policy(`
telepathy_role_template(user, user_r, user_t)
')
optional_policy(`
wm_role_template(user, user_r, user_t)
')
')
2008-11-05 16:10:46 +00:00
2017-05-26 15:59:31 +00:00
optional_policy(`
dirmngr_role(user_r, user_t)
')
optional_policy(`
evolution_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
games_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
gift_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
gpg_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
2011-09-02 13:20:54 +00:00
hadoop_role(user_r, user_t)
')
optional_policy(`
irc_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
java_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
libmtp_role(user_r, user_t)
')
optional_policy(`
lockdev_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
lpd_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
mozilla_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
mplayer_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
mta_role(user_r, user_t)
')
2010-02-08 15:34:08 +00:00
optional_policy(`
ooffice_role(user_r, user_t)
')
optional_policy(`
postgresql_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
pulseaudio_role(user_r, user_t)
')
optional_policy(`
pyzor_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
razor_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
rssh_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
sigrok_run(user_r, user_t)
')
optional_policy(`
2011-07-29 12:50:24 +00:00
spamassassin_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
ssh_role_template(user, user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
su_role_template(user, user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
sudo_role_template(user, user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
syncthing_role(user_r, user_t)
')
optional_policy(`
thunderbird_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
tvtime_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
uml_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
userhelper_role_template(user, user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
vmware_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
optional_policy(`
wireshark_role(user_r, user_t)
')
2008-11-05 16:10:46 +00:00
')