#
# Macros for all user login domains.
#

#
# mini_user_domain(domain_prefix)
#
# Define the derived types and rules for a minimal-privilege user domain named
# $1_mini_t, which is permitted to be in the $1_r role and to transition to $1_t.
#
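undefine(`mini_user_domain')
define(`mini_user_domain',`
#
# mini_user_domain($1): the reduced-privilege login domain $1_mini_t.
#
# Types declared by this macro:
#   $1_mini_t        - the domain itself (attributes domain, user_mini_domain)
#   $1_home_mini_t   - home files the mini domain may read but not write
# $1_mini_devpts_t is referenced below and is presumably declared by the
# pty_slave_label call; confirm against the pty_slave_label definition.
#
# Types referenced but NOT declared here (must exist already): $1_t, $1_r,
# $1_home_dir_t, $1_home_t, $1_devpts_t.
#
# $1_mini_t is the minimal-privilege user domain; $1_t is the full user
# domain.  Within this macro the only domain transition granted out of
# $1_mini_t is the newrole transition at the end.
type $1_mini_t, domain, user_mini_domain;

# for ~/.bash_profile and other files that the mini domain should be allowed
# to read (but not write).  Within this macro only $1_t may create these
# files or relabel files into and out of this type, so the full user domain
# controls which home files are exposed to the mini domain.
type $1_home_mini_t, file_type, sysadmfile;
allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
allow $1_mini_t $1_home_mini_t:file r_file_perms;

# $1_r is authorized for $1_mini_t for the initial login domain.
role $1_r types $1_mini_t;
uses_shlib($1_mini_t)
pty_slave_label($1_mini, `, userpty_type, mini_pty_type')

# Basic process needs: the controlling tty, read access to /etc config,
# own sockets and pipes, fork/setpgid, and searching bin/sbin directories.
allow $1_mini_t devtty_t:chr_file rw_file_perms;
allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
dontaudit $1_mini_t proc_t:dir { getattr search };
allow $1_mini_t self:unix_stream_socket create_socket_perms;
allow $1_mini_t self:fifo_file rw_file_perms;
allow $1_mini_t self:process { fork sigchld setpgid };
dontaudit $1_mini_t var_t:dir search;
allow $1_mini_t { bin_t sbin_t }:dir search;

# The dontaudit rules in this macro grant nothing; they only suppress audit
# records for the listed accesses.  Note for anyone reading the audit log:
# denied accesses from $1_mini_t to ordinary $1_home_t files (see below)
# will not show up there.
dontaudit $1_mini_t device_t:dir { getattr read };
dontaudit $1_mini_t devpts_t:dir { getattr read };
dontaudit $1_mini_t proc_t:lnk_file read;

# In this macro only bin_t is executable; sbin_t is searchable above but
# not executable.
can_exec($1_mini_t, bin_t)
allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
dontaudit $1_mini_t home_root_t:dir getattr;
dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
dontaudit $1_mini_t $1_home_t:file { append getattr read write };

dontaudit $1_mini_t fs_t:filesystem getattr;

# pty relabelling: server_pty chr_files may be changed to $1_mini_devpts_t
# for the mini domain, and a $1_mini_devpts_t pty may be changed to
# $1_devpts_t by either $1_mini_t or $1_t.  Presumably this is what login
# and newrole use when the session changes domain; confirm against their
# policy.
type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
# uncomment this if using mini domains for console logins
#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;

type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;

# The only way out of $1_mini_t granted here: executing newrole_exec_t
# automatically transitions into newrole_t.  Any authentication for the
# change to $1_t is expected to happen in newrole_t, not in this macro.
domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
')dnl end mini_user_domain definition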