495e2c203b
Remove complement (~) and wildcard (*) in allow rules so that there are no unintentional additions when new permissions are declared. This patch does not add or remove permissions from any rules.
563 lines
16 KiB
Plaintext
563 lines
16 KiB
Plaintext
policy_module(usermanage, 1.21.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute_role chfn_roles;
|
|
role system_r types chfn_t;
|
|
|
|
attribute_role groupadd_roles;
|
|
|
|
attribute_role passwd_roles;
|
|
roleattribute system_r passwd_roles;
|
|
|
|
attribute_role sysadm_passwd_roles;
|
|
roleattribute system_r sysadm_passwd_roles;
|
|
|
|
attribute_role useradd_roles;
|
|
|
|
type admin_passwd_exec_t;
|
|
files_type(admin_passwd_exec_t)
|
|
|
|
type chfn_t;
|
|
type chfn_exec_t;
|
|
domain_obj_id_change_exemption(chfn_t)
|
|
application_domain(chfn_t, chfn_exec_t)
|
|
role chfn_roles types chfn_t;
|
|
|
|
type crack_t;
|
|
type crack_exec_t;
|
|
application_domain(crack_t, crack_exec_t)
|
|
role system_r types crack_t;
|
|
|
|
type crack_db_t;
|
|
files_type(crack_db_t)
|
|
|
|
type crack_tmp_t;
|
|
files_tmp_file(crack_tmp_t)
|
|
|
|
type groupadd_t;
|
|
type groupadd_exec_t;
|
|
domain_obj_id_change_exemption(groupadd_t)
|
|
init_system_domain(groupadd_t, groupadd_exec_t)
|
|
role groupadd_roles types groupadd_t;
|
|
|
|
type passwd_t;
|
|
type passwd_exec_t;
|
|
domain_obj_id_change_exemption(passwd_t)
|
|
application_domain(passwd_t, passwd_exec_t)
|
|
role passwd_roles types passwd_t;
|
|
|
|
type sysadm_passwd_t;
|
|
domain_obj_id_change_exemption(sysadm_passwd_t)
|
|
application_domain(sysadm_passwd_t, admin_passwd_exec_t)
|
|
role sysadm_passwd_roles types sysadm_passwd_t;
|
|
|
|
type sysadm_passwd_tmp_t;
|
|
files_tmp_file(sysadm_passwd_tmp_t)
|
|
|
|
type useradd_t;
|
|
type useradd_exec_t;
|
|
domain_obj_id_change_exemption(useradd_t)
|
|
init_system_domain(useradd_t, useradd_exec_t)
|
|
role useradd_roles types useradd_t;
|
|
|
|
########################################
|
|
#
|
|
# Chfn local policy
|
|
#
|
|
|
|
allow chfn_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
|
|
allow chfn_t self:process { transition sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
|
allow chfn_t self:fd use;
|
|
allow chfn_t self:fifo_file rw_fifo_file_perms;
|
|
allow chfn_t self:sock_file read_sock_file_perms;
|
|
allow chfn_t self:shm create_shm_perms;
|
|
allow chfn_t self:sem create_sem_perms;
|
|
allow chfn_t self:msgq create_msgq_perms;
|
|
allow chfn_t self:msg { send receive };
|
|
allow chfn_t self:unix_dgram_socket create_socket_perms;
|
|
allow chfn_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow chfn_t self:unix_dgram_socket sendto;
|
|
allow chfn_t self:unix_stream_socket connectto;
|
|
|
|
kernel_read_system_state(chfn_t)
|
|
kernel_read_kernel_sysctls(chfn_t)
|
|
|
|
selinux_get_fs_mount(chfn_t)
|
|
selinux_validate_context(chfn_t)
|
|
selinux_compute_access_vector(chfn_t)
|
|
selinux_compute_create_context(chfn_t)
|
|
selinux_compute_relabel_context(chfn_t)
|
|
selinux_compute_user_contexts(chfn_t)
|
|
|
|
term_use_all_ttys(chfn_t)
|
|
term_use_all_ptys(chfn_t)
|
|
|
|
fs_getattr_xattr_fs(chfn_t)
|
|
fs_search_auto_mountpoints(chfn_t)
|
|
|
|
# for SSP
|
|
dev_read_urand(chfn_t)
|
|
|
|
auth_run_chk_passwd(chfn_t, chfn_roles)
|
|
auth_dontaudit_read_shadow(chfn_t)
|
|
auth_use_nsswitch(chfn_t)
|
|
|
|
# allow checking if a shell is executable
|
|
corecmd_check_exec_shell(chfn_t)
|
|
|
|
domain_use_interactive_fds(chfn_t)
|
|
|
|
files_manage_etc_files(chfn_t)
|
|
files_read_etc_runtime_files(chfn_t)
|
|
files_dontaudit_search_var(chfn_t)
|
|
files_dontaudit_search_home(chfn_t)
|
|
|
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
|
# correctly without it. Do not audit write denials to utmp.
|
|
init_dontaudit_rw_utmp(chfn_t)
|
|
|
|
miscfiles_read_localization(chfn_t)
|
|
|
|
logging_send_syslog_msg(chfn_t)
|
|
|
|
seutil_read_file_contexts(chfn_t)
|
|
|
|
userdom_use_unpriv_users_fds(chfn_t)
|
|
# user generally runs this from their home directory, so do not audit a search
|
|
# on user home dir
|
|
userdom_dontaudit_search_user_home_content(chfn_t)
|
|
|
|
optional_policy(`
|
|
nscd_run(chfn_t, chfn_roles)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Crack local policy
|
|
#
|
|
|
|
allow crack_t self:process signal_perms;
|
|
allow crack_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
manage_files_pattern(crack_t, crack_db_t, crack_db_t)
|
|
manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
|
|
files_search_var(crack_t)
|
|
|
|
manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
|
|
manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
|
|
files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
|
|
|
|
kernel_read_system_state(crack_t)
|
|
|
|
# for SSP
|
|
dev_read_urand(crack_t)
|
|
|
|
fs_getattr_xattr_fs(crack_t)
|
|
|
|
files_read_etc_files(crack_t)
|
|
files_read_etc_runtime_files(crack_t)
|
|
# for dictionaries
|
|
files_read_usr_files(crack_t)
|
|
|
|
corecmd_exec_bin(crack_t)
|
|
|
|
logging_send_syslog_msg(crack_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(crack_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
allow crack_t self:process getsched;
|
|
# the package cracklib-runtime on Debian contains a daily maintenance
|
|
# script /etc/cron.daily/cracklib-runtime, that calls
|
|
# update-cracklib and that calls crack_mkdict, which is a shell script.
|
|
corecmd_exec_shell(crack_t)
|
|
dev_search_sysfs(crack_t)
|
|
miscfiles_read_localization(crack_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(crack_t, crack_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Groupadd local policy
|
|
#
|
|
|
|
allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
|
|
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
|
|
allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
|
allow groupadd_t self:fd use;
|
|
allow groupadd_t self:fifo_file rw_fifo_file_perms;
|
|
allow groupadd_t self:shm create_shm_perms;
|
|
allow groupadd_t self:sem create_sem_perms;
|
|
allow groupadd_t self:msgq create_msgq_perms;
|
|
allow groupadd_t self:msg { send receive };
|
|
allow groupadd_t self:unix_dgram_socket create_socket_perms;
|
|
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow groupadd_t self:unix_dgram_socket sendto;
|
|
allow groupadd_t self:unix_stream_socket connectto;
|
|
|
|
fs_getattr_xattr_fs(groupadd_t)
|
|
fs_search_auto_mountpoints(groupadd_t)
|
|
|
|
# Allow access to context for shadow file
|
|
selinux_get_fs_mount(groupadd_t)
|
|
selinux_validate_context(groupadd_t)
|
|
selinux_compute_access_vector(groupadd_t)
|
|
selinux_compute_create_context(groupadd_t)
|
|
selinux_compute_relabel_context(groupadd_t)
|
|
selinux_compute_user_contexts(groupadd_t)
|
|
|
|
term_use_all_ttys(groupadd_t)
|
|
term_use_all_ptys(groupadd_t)
|
|
|
|
init_use_fds(groupadd_t)
|
|
init_read_utmp(groupadd_t)
|
|
init_dontaudit_write_utmp(groupadd_t)
|
|
|
|
domain_use_interactive_fds(groupadd_t)
|
|
|
|
files_manage_etc_files(groupadd_t)
|
|
files_relabel_etc_files(groupadd_t)
|
|
files_read_etc_runtime_files(groupadd_t)
|
|
files_read_usr_symlinks(groupadd_t)
|
|
|
|
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
|
|
corecmd_exec_bin(groupadd_t)
|
|
|
|
logging_send_audit_msgs(groupadd_t)
|
|
logging_send_syslog_msg(groupadd_t)
|
|
|
|
miscfiles_read_localization(groupadd_t)
|
|
|
|
auth_run_chk_passwd(groupadd_t, groupadd_roles)
|
|
auth_rw_lastlog(groupadd_t)
|
|
auth_use_nsswitch(groupadd_t)
|
|
# these may be unnecessary due to the above
|
|
# domtrans_chk_passwd() call.
|
|
auth_manage_shadow(groupadd_t)
|
|
auth_relabel_shadow(groupadd_t)
|
|
auth_etc_filetrans_shadow(groupadd_t)
|
|
|
|
seutil_read_config(groupadd_t)
|
|
seutil_read_file_contexts(groupadd_t)
|
|
|
|
userdom_use_unpriv_users_fds(groupadd_t)
|
|
# for when /root is the cwd
|
|
userdom_dontaudit_search_user_home_dirs(groupadd_t)
|
|
|
|
optional_policy(`
|
|
dpkg_use_fds(groupadd_t)
|
|
dpkg_rw_pipes(groupadd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_run(groupadd_t, groupadd_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
puppet_rw_tmp(groupadd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_use_fds(groupadd_t)
|
|
rpm_rw_pipes(groupadd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Passwd local policy
|
|
#
|
|
|
|
allow passwd_t self:capability { chown dac_override fsetid setgid setuid sys_nice sys_resource };
|
|
dontaudit passwd_t self:capability sys_tty_config;
|
|
allow passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
|
allow passwd_t self:fd use;
|
|
allow passwd_t self:fifo_file rw_fifo_file_perms;
|
|
allow passwd_t self:sock_file read_sock_file_perms;
|
|
allow passwd_t self:unix_dgram_socket create_socket_perms;
|
|
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow passwd_t self:unix_dgram_socket sendto;
|
|
allow passwd_t self:unix_stream_socket connectto;
|
|
allow passwd_t self:shm create_shm_perms;
|
|
allow passwd_t self:sem create_sem_perms;
|
|
allow passwd_t self:msgq create_msgq_perms;
|
|
allow passwd_t self:msg { send receive };
|
|
|
|
allow passwd_t crack_db_t:dir list_dir_perms;
|
|
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
|
|
|
|
kernel_read_kernel_sysctls(passwd_t)
|
|
|
|
# for SSP
|
|
dev_read_urand(passwd_t)
|
|
|
|
fs_getattr_xattr_fs(passwd_t)
|
|
fs_search_auto_mountpoints(passwd_t)
|
|
|
|
mls_file_write_all_levels(passwd_t)
|
|
mls_file_downgrade(passwd_t)
|
|
|
|
selinux_get_fs_mount(passwd_t)
|
|
selinux_validate_context(passwd_t)
|
|
selinux_compute_access_vector(passwd_t)
|
|
selinux_compute_create_context(passwd_t)
|
|
selinux_compute_relabel_context(passwd_t)
|
|
selinux_compute_user_contexts(passwd_t)
|
|
|
|
term_use_all_ttys(passwd_t)
|
|
term_use_all_ptys(passwd_t)
|
|
|
|
auth_run_chk_passwd(passwd_t, passwd_roles)
|
|
auth_manage_shadow(passwd_t)
|
|
auth_relabel_shadow(passwd_t)
|
|
auth_etc_filetrans_shadow(passwd_t)
|
|
auth_use_nsswitch(passwd_t)
|
|
|
|
# allow checking if a shell is executable
|
|
corecmd_check_exec_shell(passwd_t)
|
|
|
|
domain_use_interactive_fds(passwd_t)
|
|
|
|
files_read_etc_runtime_files(passwd_t)
|
|
files_manage_etc_files(passwd_t)
|
|
files_search_var(passwd_t)
|
|
files_dontaudit_search_pids(passwd_t)
|
|
files_relabel_etc_files(passwd_t)
|
|
|
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
|
# correctly without it. Do not audit write denials to utmp.
|
|
init_dontaudit_rw_utmp(passwd_t)
|
|
init_use_fds(passwd_t)
|
|
|
|
logging_send_audit_msgs(passwd_t)
|
|
logging_send_syslog_msg(passwd_t)
|
|
|
|
miscfiles_read_localization(passwd_t)
|
|
|
|
seutil_read_config(passwd_t)
|
|
seutil_read_file_contexts(passwd_t)
|
|
|
|
userdom_use_user_terminals(passwd_t)
|
|
userdom_use_unpriv_users_fds(passwd_t)
|
|
# make sure that getcon succeeds
|
|
userdom_getattr_all_users(passwd_t)
|
|
userdom_read_all_users_state(passwd_t)
|
|
userdom_read_user_tmp_files(passwd_t)
|
|
# user generally runs this from their home directory, so do not audit a search
|
|
# on user home dir
|
|
userdom_dontaudit_search_user_home_content(passwd_t)
|
|
|
|
optional_policy(`
|
|
nscd_run(passwd_t, passwd_roles)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Password admin local policy
|
|
#
|
|
|
|
allow sysadm_passwd_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
|
|
allow sysadm_passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
|
allow sysadm_passwd_t self:fd use;
|
|
allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
|
|
allow sysadm_passwd_t self:sock_file read_sock_file_perms;
|
|
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
|
|
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow sysadm_passwd_t self:unix_dgram_socket sendto;
|
|
allow sysadm_passwd_t self:unix_stream_socket connectto;
|
|
allow sysadm_passwd_t self:shm create_shm_perms;
|
|
allow sysadm_passwd_t self:sem create_sem_perms;
|
|
allow sysadm_passwd_t self:msgq create_msgq_perms;
|
|
allow sysadm_passwd_t self:msg { send receive };
|
|
|
|
# allow vipw to create temporary files under /var/tmp/vi.recover
|
|
manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
|
|
manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
|
|
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
|
files_search_var(sysadm_passwd_t)
|
|
files_dontaudit_search_home(sysadm_passwd_t)
|
|
|
|
kernel_read_kernel_sysctls(sysadm_passwd_t)
|
|
# for /proc/meminfo
|
|
kernel_read_system_state(sysadm_passwd_t)
|
|
|
|
selinux_get_fs_mount(sysadm_passwd_t)
|
|
selinux_validate_context(sysadm_passwd_t)
|
|
selinux_compute_access_vector(sysadm_passwd_t)
|
|
selinux_compute_create_context(sysadm_passwd_t)
|
|
selinux_compute_relabel_context(sysadm_passwd_t)
|
|
selinux_compute_user_contexts(sysadm_passwd_t)
|
|
|
|
# for SSP
|
|
dev_read_urand(sysadm_passwd_t)
|
|
|
|
fs_getattr_xattr_fs(sysadm_passwd_t)
|
|
fs_search_auto_mountpoints(sysadm_passwd_t)
|
|
|
|
term_use_all_ttys(sysadm_passwd_t)
|
|
term_use_all_ptys(sysadm_passwd_t)
|
|
|
|
auth_manage_shadow(sysadm_passwd_t)
|
|
auth_relabel_shadow(sysadm_passwd_t)
|
|
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
|
auth_use_nsswitch(sysadm_passwd_t)
|
|
|
|
# allow vipw to exec the editor
|
|
corecmd_exec_bin(sysadm_passwd_t)
|
|
corecmd_exec_shell(sysadm_passwd_t)
|
|
files_read_usr_files(sysadm_passwd_t)
|
|
|
|
domain_use_interactive_fds(sysadm_passwd_t)
|
|
|
|
files_manage_etc_files(sysadm_passwd_t)
|
|
files_relabel_etc_files(sysadm_passwd_t)
|
|
files_read_etc_runtime_files(sysadm_passwd_t)
|
|
# for nscd lookups
|
|
files_dontaudit_search_pids(sysadm_passwd_t)
|
|
|
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
|
# correctly without it. Do not audit write denials to utmp.
|
|
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
|
|
|
miscfiles_read_localization(sysadm_passwd_t)
|
|
|
|
logging_send_syslog_msg(sysadm_passwd_t)
|
|
|
|
seutil_dontaudit_search_config(sysadm_passwd_t)
|
|
|
|
userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
|
# user generally runs this from their home directory, so do not audit a search
|
|
# on user home dir
|
|
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
|
|
|
|
optional_policy(`
|
|
nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Useradd local policy
|
|
#
|
|
|
|
allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
|
|
dontaudit useradd_t self:capability sys_tty_config;
|
|
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
|
allow useradd_t self:fd use;
|
|
allow useradd_t self:fifo_file rw_fifo_file_perms;
|
|
allow useradd_t self:shm create_shm_perms;
|
|
allow useradd_t self:sem create_sem_perms;
|
|
allow useradd_t self:msgq create_msgq_perms;
|
|
allow useradd_t self:msg { send receive };
|
|
allow useradd_t self:unix_dgram_socket create_socket_perms;
|
|
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow useradd_t self:unix_dgram_socket sendto;
|
|
allow useradd_t self:unix_stream_socket connectto;
|
|
|
|
# for getting the number of groups
|
|
kernel_read_kernel_sysctls(useradd_t)
|
|
|
|
corecmd_exec_shell(useradd_t)
|
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
|
corecmd_exec_bin(useradd_t)
|
|
|
|
domain_use_interactive_fds(useradd_t)
|
|
domain_read_all_domains_state(useradd_t)
|
|
|
|
files_manage_etc_files(useradd_t)
|
|
files_search_var_lib(useradd_t)
|
|
files_relabel_etc_files(useradd_t)
|
|
files_read_etc_runtime_files(useradd_t)
|
|
|
|
fs_search_auto_mountpoints(useradd_t)
|
|
fs_getattr_xattr_fs(useradd_t)
|
|
|
|
mls_file_upgrade(useradd_t)
|
|
|
|
# Allow access to context for shadow file
|
|
selinux_get_fs_mount(useradd_t)
|
|
selinux_validate_context(useradd_t)
|
|
selinux_compute_access_vector(useradd_t)
|
|
selinux_compute_create_context(useradd_t)
|
|
selinux_compute_relabel_context(useradd_t)
|
|
selinux_compute_user_contexts(useradd_t)
|
|
|
|
term_use_all_ttys(useradd_t)
|
|
term_use_all_ptys(useradd_t)
|
|
|
|
auth_run_chk_passwd(useradd_t, useradd_roles)
|
|
auth_rw_lastlog(useradd_t)
|
|
auth_rw_faillog(useradd_t)
|
|
auth_use_nsswitch(useradd_t)
|
|
# these may be unnecessary due to the above
|
|
# domtrans_chk_passwd() call.
|
|
auth_manage_shadow(useradd_t)
|
|
auth_relabel_shadow(useradd_t)
|
|
auth_etc_filetrans_shadow(useradd_t)
|
|
|
|
init_use_fds(useradd_t)
|
|
init_rw_utmp(useradd_t)
|
|
|
|
logging_send_audit_msgs(useradd_t)
|
|
logging_send_syslog_msg(useradd_t)
|
|
|
|
miscfiles_read_localization(useradd_t)
|
|
|
|
seutil_read_config(useradd_t)
|
|
seutil_read_file_contexts(useradd_t)
|
|
seutil_read_default_contexts(useradd_t)
|
|
seutil_run_semanage(useradd_t, useradd_roles)
|
|
seutil_run_setfiles(useradd_t, useradd_roles)
|
|
|
|
userdom_use_unpriv_users_fds(useradd_t)
|
|
# Add/remove user home directories
|
|
userdom_manage_user_home_dirs(useradd_t)
|
|
userdom_home_filetrans_user_home_dir(useradd_t)
|
|
userdom_manage_user_home_content_dirs(useradd_t)
|
|
userdom_manage_user_home_content_files(useradd_t)
|
|
userdom_home_filetrans_user_home_dir(useradd_t)
|
|
userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
|
|
|
|
optional_policy(`
|
|
mta_manage_spool(useradd_t)
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
optional_policy(`
|
|
unconfined_domain(useradd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_manage_all_user_content(useradd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dpkg_use_fds(useradd_t)
|
|
dpkg_rw_pipes(useradd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_run(useradd_t, useradd_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
puppet_rw_tmp(useradd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`samba_domain_controller',`
|
|
samba_append_log(useradd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_use_fds(useradd_t)
|
|
rpm_rw_pipes(useradd_t)
|
|
')
|