1# Copyright (C) 2007-2012 Red Hat
2# see file 'COPYING' for use and warranty information
3#
4# policygentool is a tool for the initial generation of SELinux policy
5#
6#    This program is free software; you can redistribute it and/or
7#    modify it under the terms of the GNU General Public License as
8#    published by the Free Software Foundation; either version 2 of
9#    the License, or (at your option) any later version.
10#
11#    This program is distributed in the hope that it will be useful,
12#    but WITHOUT ANY WARRANTY; without even the implied warranty of
13#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14#    GNU General Public License for more details.
15#
16#    You should have received a copy of the GNU General Public License
17#    along with this program; if not, write to the Free Software
18#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19#                                        02111-1307  USA
20#
21#
22########################### Type Enforcement File #############################
23
# Type-enforcement (.te) templates for the user/role policy generator.
#
# Each constant below is a fragment of SELinux reference-policy source.
# The tokens TEMPLATETYPE, USER_r, ROLE_r and APPLICATION are placeholders;
# presumably they are substituted by the caller before the fragment is
# written out (the substitution is not done in this file — verify against
# the generator that consumes these strings).
#
# Fragments are grouped as "*_types" (module header + declarations) and
# "*_rules" (allow rules / role transitions) and are combined by the caller.

# Unprivileged login user: module header plus the unpriv user template.
te_login_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#
userdom_unpriv_user_template(TEMPLATETYPE)
"""

# Administrative user: module header plus the admin user template.
te_admin_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#
userdom_admin_user_template(TEMPLATETYPE)
"""

# Minimal (restricted) terminal login user.
te_min_login_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

userdom_restricted_user_template(TEMPLATETYPE)
"""

# Restricted X Windows login user.
te_x_login_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#

userdom_restricted_xwindows_user_template(TEMPLATETYPE)
"""

# Module header only, for adding rules to an already-existing user domain;
# no template is instantiated here.
te_existing_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

"""

# Root-style administrative user built on the base user template.
# Declares two tunables, both defaulting to false, that gate access to
# user home-directory content; the matching tunable_policy() blocks live
# in te_admin_rules below, so the two fragments are meant to be emitted
# together.
te_root_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

## <desc>
## <p>
## Allow TEMPLATETYPE to read files in the user home directory
## </p>
## </desc>
gen_tunable(TEMPLATETYPE_read_user_files, false)

## <desc>
## <p>
## Allow TEMPLATETYPE to manage files in the user home directory
## </p>
## </desc>
gen_tunable(TEMPLATETYPE_manage_user_files, false)

########################################
#
# Declarations
#

userdom_base_user_template(TEMPLATETYPE)
"""

# Intentionally empty: the login user template carries its own rules.
te_login_user_rules="""\
"""

# Section banner under which the caller appends customized rules for an
# existing user domain.
te_existing_user_rules="""\

########################################
#
# TEMPLATETYPE customized policy
#
"""

# Intentionally empty (see te_login_user_rules).
te_x_login_user_rules="""\
"""

# Intentionally empty placeholder for the root-user variant.
te_root_user_rules="""\

"""

# Lets the new role run the APPLICATION domain; wrapped in optional_policy
# so the module still loads when that application's policy is absent.
te_transition_rules="""
optional_policy(`
        APPLICATION_role(TEMPLATETYPE_r, TEMPLATETYPE_t)
')
"""

# Allows an existing role USER_r to change into the new role.
te_user_trans_rules="""
optional_policy(`
        gen_require(`
                role USER_r;
        ')

        TEMPLATETYPE_role_change(USER_r)
')
"""

# Rules for an administrative domain.
# NOTE(review): the self:capability set (dac_override, dac_read_search,
# kill, sys_ptrace, sys_nice) is broad — dac_override bypasses file
# permission checks and sys_ptrace allows inspecting other processes —
# so generated admin policy should be reviewed before it is loaded.
# The ptrace/search lines on other domains are dontaudit only (they
# silence denials, they do not grant access). Home-directory access is
# opt-in via the two tunables declared in te_root_user_types.
te_admin_rules="""
allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
files_dontaudit_search_all_dirs(TEMPLATETYPE_t)

selinux_get_enforce_mode(TEMPLATETYPE_t)
seutil_domtrans_setfiles(TEMPLATETYPE_t)
seutil_search_default_contexts(TEMPLATETYPE_t)

logging_send_syslog_msg(TEMPLATETYPE_t)

kernel_read_system_state(TEMPLATETYPE_t)

domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)

userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t)
userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t)

tunable_policy(`TEMPLATETYPE_read_user_files',`
        userdom_read_user_home_content_files(TEMPLATETYPE_t)
        userdom_read_user_tmp_files(TEMPLATETYPE_t)
')

tunable_policy(`TEMPLATETYPE_manage_user_files',`
	userdom_manage_user_home_content_dirs(TEMPLATETYPE_t)
	userdom_manage_user_home_content_files(TEMPLATETYPE_t)
	userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t)
        userdom_manage_user_tmp_files(TEMPLATETYPE_t)
')
"""

# Unconditional role allow from USER_r to the new admin role; unlike
# te_user_trans_rules this is not wrapped in optional_policy, so USER_r
# must exist in the loaded policy.
te_admin_trans_rules="""
gen_require(`
        role USER_r;
')

allow USER_r TEMPLATETYPE_r;
"""

# Makes the new domain/role an administrator of the APPLICATION domain.
te_admin_domain_rules="""
optional_policy(`
        APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r)
')
"""

# Allows the new role to transition to an additional role ROLE_r.
te_roles_rules="""
optional_policy(`
        gen_require(`
                role ROLE_r;
        ')

        allow TEMPLATETYPE_r ROLE_r;
')
"""

# Grants the role use of sudo via the reference-policy sudo template.
te_sudo_rules="""
optional_policy(`
        sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t)
')
"""

# Allows the domain to run newrole to switch roles.
te_newrole_rules="""
seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r)
"""
194