# Declares the userdomain policy module, version 4.22.1.
policy_module(userdomain, 4.22.1)

########################################
#
# Declarations
#

# Every tunable in this section is declared with a default of false, so
# the access each description names is expected to stay off until an
# administrator turns the boolean on. The conditional rules that these
# booleans gate are not in this part of the file; read them before
# enabling a boolean, especially on a multi-user host.

# Database client access for user domains.
# NOTE(review): the description does not say whether this covers a local
# socket, TCP, or both - confirm against the gated rules.
## <desc>
## <p>
## Allow users to connect to mysql
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect, false)

# Same idea as the MySQL tunable above, for PostgreSQL.
# NOTE(review): transport covered is not stated here - confirm.
## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(allow_user_postgresql_connect, false)

# NOTE(review): direct device access is not mediated by a display server;
# confirm which device types the gated rules cover before enabling.
## <desc>
## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
gen_tunable(user_direct_mouse, false)

# Going by the tunable name, "system messages" presumably means the kernel
# log as shown by dmesg - confirm. Kernel messages can disclose hardware
# and kernel details, so leaving this off limits what unprivileged users
# can learn about the host.
## <desc>
## <p>
## Allow users to read system messages.
## </p>
## </desc>
gen_tunable(user_dmesg, false)

# Filesystems without extended attributes cannot store a per-file SELinux
# label, so all files on them share one context and the policy cannot
# distinguish one file from another. This tunable covers read/write access.
## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile, false)

# Execute counterpart of user_rw_noexattrfile. This is the more sensitive
# of the two: with no per-file label available, enabling it would let
# users run any content present on such media.
## <desc>
## <p>
## Allow user to execute files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_exec_noexattrfile, false)

# Write access to removable devices is a path for data to leave the host.
# NOTE(review): confirm whether the gated rules cover the device node, the
# mounted filesystem, or both.
## <desc>
## <p>
## Allow user to write files on removable
## devices (e.g. external USB memory
## devices or floppies)
## </p>
## </desc>
gen_tunable(user_write_removable, false)

# Going by the tunable name, this presumably lets user domains stat the
# tty device files of other users, which the w command needs in order to
# list every logged-in session - confirm against the gated rules.
## <desc>
## <p>
## Allow w to display everyone
## </p>
## </desc>
gen_tunable(user_ttyfile_stat, false)

# Attributes group types so that one rule can cover all of them. A rule
# written against an attribute applies to every type that carries it, so
# assigning one of these attributes to a new type also extends all access
# already granted through that attribute.

# NOTE(review): no description is given for this attribute; presumably it
# marks administrative user domains. Membership is assigned outside this
# part of the file - confirm.
attribute admindomain;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

# NOTE(review): no description is given; presumably carried by every type
# passed to userdom_user_home_content below - confirm in the interface file.
attribute user_home_content_type;

# dirs/files/etc created in /run/user/%{USERID}/
attribute user_runtime_content_type;

# File and device types owned by user domains. Within this section,
# ubac_constrained is called directly on user_home_dir_t, user_devpts_t,
# user_tty_device_t and user_runtime_t only.
# NOTE(review): the types passed to userdom_user_home_content presumably
# pick up the same constraint inside that interface, which is defined
# outside this part of the file - confirm.

# Type for the home directory itself (as opposed to its contents).
# The files_poly* calls presumably mark it as usable for polyinstantiated
# directories - confirm against the files module.
type user_home_dir_t;
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
files_mountpoint(user_home_dir_t)
files_associate_tmp(user_home_dir_t)
files_poly(user_home_dir_t)
files_poly_member(user_home_dir_t)
files_poly_parent(user_home_dir_t)
ubac_constrained(user_home_dir_t)

# Generic type for content inside a home directory.
type user_home_t;
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)

# Going by the name, the label for per-user certificate material, which
# may include private keys - confirm against the file contexts.
# It is registered as home content, so a rule granted on the whole
# user_home_content_type attribute would presumably reach it too; prefer
# rules written against user_cert_t itself where only certificates are meant.
type user_cert_t;
userdom_user_home_content(user_cert_t)

# Pseudo-terminal device nodes for user sessions (presumed from the name).
type user_devpts_t;
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)

# Per-user temporary files. Also registered as home content, so access
# granted on the home content attribute presumably extends to these files.
type user_tmp_t;
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)

# Per-user tmpfs files; registered as home content like user_tmp_t.
type user_tmpfs_t;
files_tmpfs_file(user_tmpfs_t)
userdom_user_home_content(user_tmpfs_t)

# Terminal device nodes for user sessions (presumed from the name).
type user_tty_device_t;
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)

# NOTE(review): presumably the parent directory that holds the per-user
# runtime directories. It has no ubac_constrained call here, which would
# fit a directory shared by all users - confirm that this is deliberate.
type user_runtime_root_t;
fs_associate_tmpfs(user_runtime_root_t)
files_mountpoint(user_runtime_root_t)
files_poly_parent(user_runtime_root_t)

# Per-user runtime directory content; see the user_runtime_content_type
# attribute for the path this refers to.
type user_runtime_t;
fs_associate_tmpfs(user_runtime_t)
files_type(user_runtime_t)
files_mountpoint(user_runtime_t)
files_associate_tmp(user_runtime_t)
files_poly(user_runtime_t)
files_poly_member(user_runtime_t)
files_poly_parent(user_runtime_t)
ubac_constrained(user_runtime_t)
userdom_user_runtime_content(user_runtime_t)

# Gentoo-only compatibility section, included when distro_gentoo is defined.
ifdef(`distro_gentoo',`
	# We used to use cert_home_t but an upstream commit introduced the same
	# concept as user_cert_t. Enabling an alias to keep custom modules from
	# users running.
	# The alias makes both names refer to one type, so any rule a custom
	# module writes against cert_home_t acts on user_cert_t.
	typealias user_cert_t alias cert_home_t;
')