#DESC User - Domains for ordinary users.
#
#################################
#
# This file declares the policy booleans (tunables) for user domains,
# instantiates the user and staff roles, and sets up the tty type changes
# used when switching between roles. Every boolean below defaults to false,
# so each relaxation is opt-in. Apart from user_ttyfile_stat, the booleans
# are only declared here; the conditional rules that consume them are not
# in this file.

# Booleans for user domains.

# Allow applications to read untrusted content
# If this is disallowed, Internet content has
# to be manually relabeled for read access to be granted
bool read_untrusted_content false;

# Allow applications to write untrusted content
# If this is disallowed, no Internet content
# will be stored.
bool write_untrusted_content false;

# Allow users to read system messages.
# NOTE(review): the name suggests the kernel message buffer shown by dmesg;
# confirm against the rules that test this boolean.
bool user_dmesg false;

# Support NFS home directories
bool use_nfs_home_dirs false;

# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
# Leaving this off keeps anonymous memory from being made executable,
# which is a common step in code-injection exploits.
bool allow_execmem false;

# Allow making the stack executable via mprotect.
# Also requires allow_execmem.
bool allow_execstack false;

# Allow making a modified private file mapping executable (text relocation).
bool allow_execmod false;

# Support SAMBA home directories
bool use_samba_home_dirs false;

# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users). Disabling this forces FTP passive mode
# and may change other protocols.
bool user_tcp_server false;

# Allow system to run with NIS
bool allow_ypbind false;

# Allow system to run with kerberos
bool allow_kerberos false;

# Allow users to rw usb devices
bool user_rw_usb false;

# Allow users to control network interfaces (also needs USERCTL=true)
bool user_net_control false;

# Allow regular users direct mouse access
bool user_direct_mouse false;

# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
bool user_rw_noexattrfile false;

# Allow reading of default_t files.
bool read_default_t false;

# Allow staff_r users to search the sysadm home dir and read
# files (such as ~/.bashrc)
# Enabling this exposes the administrator shell configuration to staff_r.
bool staff_read_sysadm_file false;

# Instantiate the ordinary user role. full_user_role is a macro defined
# elsewhere; its expansion is not visible in this file.
full_user_role(user)

# Build-time (m4) switch, not a runtime boolean: only when user_canbe_sysadm
# is defined does the user role get the sysadm-related rules below.
# NOTE(review): reach_sysadm presumably lets the user role enter sysadm;
# confirm against the macro definition before defining this symbol.
ifdef(`user_canbe_sysadm', `
reach_sysadm(user)
role_tty_type_change(user, sysadm)
')

# Do not add any rules referring to user_t to this file!  That will break
# support for multiple user roles.

# a role for staff that allows seeing all domains and control over the user_t
# domain
full_user_role(staff)

priv_user(staff)

# if adding new user roles make sure you edit the in_user_role macro in
# macros/user_macros.te to match

# lots of user programs accidentally search /root, and also the admin often
# logs in as UID=0 domain=user_t...
# dontaudit does not grant the access: getattr and search on these home
# directories remain denied for unprivileged user domains, only the denial
# is left out of the audit log. Probing of the sysadm and staff home
# directories from these domains will therefore not appear as AVC denials.
dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };

#
# Allow the user roles to transition
# into each other.
# Each line names one direction (first role, second role). staff and sysadm
# are listed in both directions; for secadm only the lines with secadm as
# the second argument appear here.
role_tty_type_change(sysadm, user)
role_tty_type_change(staff, sysadm)
role_tty_type_change(sysadm, staff)
role_tty_type_change(sysadm, secadm)
role_tty_type_change(staff, secadm)

# "ps aux" and "ls -l /dev/pts" make too much noise without this
# As above, this only silences the log entry; getattr on ptyfile character
# devices stays denied for unprivileged user domains.
dontaudit unpriv_userdomain ptyfile:chr_file getattr;

# to allow w to display everyone...
# When enabled, every domain in userdomain may getattr (stat) character
# devices in ttyfile. Note that this rule covers ttyfile, while the
# dontaudit rule above covers ptyfile.
bool user_ttyfile_stat false;

if (user_ttyfile_stat) {
allow userdomain ttyfile:chr_file getattr;
}