selinux/policycoreutils/sepolicy/sepolicy/templates/user.py - nest-cam/4320010/selinux - Git at Google

 # Copyright (C) 2007-2012 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # policygentool is a tool for the initial generation of SELinux policy
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of the GNU General Public License as
 #    published by the Free Software Foundation; either version 2 of
 #    the License, or (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, write to the Free Software
 #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
 #                                        02111-1307  USA
 #
 #
 ########################### Type Enforcement File #############################

 te_login_user_types="""\
 policy_module(TEMPLATETYPE, 1.0.0)

 ########################################
 #
 # Declarations
 #
 userdom_unpriv_user_template(TEMPLATETYPE)
 """

 te_admin_user_types="""\
 policy_module(TEMPLATETYPE, 1.0.0)

 ########################################
 #
 # Declarations
 #
 userdom_admin_user_template(TEMPLATETYPE)
 """

 te_min_login_user_types="""\
 policy_module(TEMPLATETYPE, 1.0.0)

 ########################################
 #
 # Declarations
 #

 userdom_restricted_user_template(TEMPLATETYPE)
 """

 te_x_login_user_types="""\
 policy_module(TEMPLATETYPE, 1.0.0)

 ########################################
 #
 # Declarations
 #

 userdom_restricted_xwindows_user_template(TEMPLATETYPE)
 """

 te_existing_user_types="""\
 policy_module(TEMPLATETYPE, 1.0.0)

 """

 te_root_user_types="""\
 policy_module(TEMPLATETYPE, 1.0.0)

 ## <desc>
 ## <p>
 ## Allow TEMPLATETYPE to read files in the user home directory
 ## </p>
 ## </desc>
 gen_tunable(TEMPLATETYPE_read_user_files, false)

 ## <desc>
 ## <p>
 ## Allow TEMPLATETYPE to manage files in the user home directory
 ## </p>
 ## </desc>
 gen_tunable(TEMPLATETYPE_manage_user_files, false)

 ########################################
 #
 # Declarations
 #

 userdom_base_user_template(TEMPLATETYPE)
 """

 te_login_user_rules="""\
 """

 te_existing_user_rules="""\

 ########################################
 #
 # TEMPLATETYPE customized policy
 #
 """

 te_x_login_user_rules="""\
 """

 te_root_user_rules="""\

 """

 te_transition_rules="""
 optional_policy(`
         APPLICATION_role(TEMPLATETYPE_r, TEMPLATETYPE_t)
 ')
 """

 te_user_trans_rules="""
 optional_policy(`
         gen_require(`
                 role USER_r;
         ')

         TEMPLATETYPE_role_change(USER_r)
 ')
 """

 te_admin_rules="""
 allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 files_dontaudit_search_all_dirs(TEMPLATETYPE_t)

 selinux_get_enforce_mode(TEMPLATETYPE_t)
 seutil_domtrans_setfiles(TEMPLATETYPE_t)
 seutil_search_default_contexts(TEMPLATETYPE_t)

 logging_send_syslog_msg(TEMPLATETYPE_t)

 kernel_read_system_state(TEMPLATETYPE_t)

 domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
 domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)

 userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t)
 userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t)

 tunable_policy(`TEMPLATETYPE_read_user_files',`
         userdom_read_user_home_content_files(TEMPLATETYPE_t)
         userdom_read_user_tmp_files(TEMPLATETYPE_t)
 ')

 tunable_policy(`TEMPLATETYPE_manage_user_files',`
 	userdom_manage_user_home_content_dirs(TEMPLATETYPE_t)
 	userdom_manage_user_home_content_files(TEMPLATETYPE_t)
 	userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t)
         userdom_manage_user_tmp_files(TEMPLATETYPE_t)
 ')
 """

 te_admin_trans_rules="""
 gen_require(`
         role USER_r;
 ')

 allow USER_r TEMPLATETYPE_r;
 """

 te_admin_domain_rules="""
 optional_policy(`
         APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r)
 ')
 """

 te_roles_rules="""
 optional_policy(`
         gen_require(`
                 role ROLE_r;
         ')

         allow TEMPLATETYPE_r ROLE_r;
 ')
 """

 te_sudo_rules="""
 optional_policy(`
         sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t)
 ')
 """

 te_newrole_rules="""
 seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r)
 """
	# Copyright (C) 2007-2012 Red Hat
	# see file 'COPYING' for use and warranty information
	#
	# policygentool is a tool for the initial generation of SELinux policy
	#
	# This program is free software; you can redistribute it and/or
	# modify it under the terms of the GNU General Public License as
	# published by the Free Software Foundation; either version 2 of
	# the License, or (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this program; if not, write to the Free Software
	# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
	# 02111-1307 USA
	#
	#
	########################### Type Enforcement File #############################

	te_login_user_types="""\
	policy_module(TEMPLATETYPE, 1.0.0)

	########################################
	#
	# Declarations
	#
	userdom_unpriv_user_template(TEMPLATETYPE)
	"""

	te_admin_user_types="""\
	policy_module(TEMPLATETYPE, 1.0.0)

	########################################
	#
	# Declarations
	#
	userdom_admin_user_template(TEMPLATETYPE)
	"""

	te_min_login_user_types="""\
	policy_module(TEMPLATETYPE, 1.0.0)

	########################################
	#
	# Declarations
	#

	userdom_restricted_user_template(TEMPLATETYPE)
	"""

	te_x_login_user_types="""\
	policy_module(TEMPLATETYPE, 1.0.0)

	########################################
	#
	# Declarations
	#

	userdom_restricted_xwindows_user_template(TEMPLATETYPE)
	"""

	te_existing_user_types="""\
	policy_module(TEMPLATETYPE, 1.0.0)

	"""

	te_root_user_types="""\
	policy_module(TEMPLATETYPE, 1.0.0)

	## <desc>
	## <p>
	## Allow TEMPLATETYPE to read files in the user home directory
	## </p>
	## </desc>
	gen_tunable(TEMPLATETYPE_read_user_files, false)

	## <desc>
	## <p>
	## Allow TEMPLATETYPE to manage files in the user home directory
	## </p>
	## </desc>
	gen_tunable(TEMPLATETYPE_manage_user_files, false)

	########################################
	#
	# Declarations
	#

	userdom_base_user_template(TEMPLATETYPE)
	"""

	te_login_user_rules="""\
	"""

	te_existing_user_rules="""\

	########################################
	#
	# TEMPLATETYPE customized policy
	#
	"""

	te_x_login_user_rules="""\
	"""

	te_root_user_rules="""\

	"""

	te_transition_rules="""
	optional_policy(`
	APPLICATION_role(TEMPLATETYPE_r, TEMPLATETYPE_t)
	')
	"""

	te_user_trans_rules="""
	optional_policy(`
	gen_require(`
	role USER_r;
	')

	TEMPLATETYPE_role_change(USER_r)
	')
	"""

	te_admin_rules="""
	allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
	files_dontaudit_search_all_dirs(TEMPLATETYPE_t)

	selinux_get_enforce_mode(TEMPLATETYPE_t)
	seutil_domtrans_setfiles(TEMPLATETYPE_t)
	seutil_search_default_contexts(TEMPLATETYPE_t)

	logging_send_syslog_msg(TEMPLATETYPE_t)

	kernel_read_system_state(TEMPLATETYPE_t)

	domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
	domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)

	userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t)
	userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t)

	tunable_policy(`TEMPLATETYPE_read_user_files',`
	userdom_read_user_home_content_files(TEMPLATETYPE_t)
	userdom_read_user_tmp_files(TEMPLATETYPE_t)
	')

	tunable_policy(`TEMPLATETYPE_manage_user_files',`
	userdom_manage_user_home_content_dirs(TEMPLATETYPE_t)
	userdom_manage_user_home_content_files(TEMPLATETYPE_t)
	userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t)
	userdom_manage_user_tmp_files(TEMPLATETYPE_t)
	')
	"""

	te_admin_trans_rules="""
	gen_require(`
	role USER_r;
	')

	allow USER_r TEMPLATETYPE_r;
	"""

	te_admin_domain_rules="""
	optional_policy(`
	APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r)
	')
	"""

	te_roles_rules="""
	optional_policy(`
	gen_require(`
	role ROLE_r;
	')

	allow TEMPLATETYPE_r ROLE_r;
	')
	"""

	te_sudo_rules="""
	optional_policy(`
	sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t)
	')
	"""

	te_newrole_rules="""
	seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r)
	"""