1# Copyright (C) 2007-2012 Red Hat
2# see file 'COPYING' for use and warranty information
3#
4# policygentool is a tool for the initial generation of SELinux policy
5#
6#    This program is free software; you can redistribute it and/or
7#    modify it under the terms of the GNU General Public License as
8#    published by the Free Software Foundation; either version 2 of
9#    the License, or (at your option) any later version.
10#
11#    This program is distributed in the hope that it will be useful,
12#    but WITHOUT ANY WARRANTY; without even the implied warranty of
13#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14#    GNU General Public License for more details.
15#
16#    You should have received a copy of the GNU General Public License
17#    along with this program; if not, write to the Free Software
18#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19#                                        02111-1307  USA
20#
21#
22########################### Type Enforcement File #############################
23
"""Type-enforcement (.te) text fragments used to generate a user policy module.

Every constant below is a literal fragment of SELinux policy source. The
tokens TEMPLATETYPE, APPLICATION, USER and ROLE are left in the text as
placeholders; the substitution is not done in this file (presumably by the
generator that imports these templates — verify against the caller).

Two families of fragments are defined:

* ``te_*_user_types`` — the module header (``policy_module``), the
  ``role TEMPLATETYPE_r;`` declaration and the ``userdom_*_user_template``
  call that picks the privilege level of the new user domain.
* ``te_*_rules`` — optional rule fragments (role transitions, admin
  capabilities, sudo/newrole integration) appended after the declarations.

Because these strings are emitted verbatim into the generated policy, their
whitespace is part of the output and is preserved byte-for-byte here.
"""

# Unprivileged login user: declarations plus userdom_unpriv_user_template.
te_login_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#
role TEMPLATETYPE_r;

userdom_unpriv_user_template(TEMPLATETYPE)
"""

# Administrative login user: same header, but userdom_admin_user_template.
te_admin_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#
role TEMPLATETYPE_r;

userdom_admin_user_template(TEMPLATETYPE)
"""

# Minimal (restricted) terminal-only user.
te_min_login_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#
role TEMPLATETYPE_r;

userdom_restricted_user_template(TEMPLATETYPE)
"""

# Restricted user that may additionally run an X Windows session.
te_x_login_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

########################################
#
# Declarations
#
role TEMPLATETYPE_r;

userdom_restricted_xwindows_user_template(TEMPLATETYPE)
"""

# Existing user: only the module header — no role declaration and no
# userdom template, since the user domain is assumed to exist already.
te_existing_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

"""

# Root-style admin user built on userdom_base_user_template. This is the only
# fragment that declares the two booleans (both default to false) that
# te_admin_rules below references via tunable_policy.
te_root_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)

## <desc>
## <p>
## Allow TEMPLATETYPE to read files in the user home directory
## </p>
## </desc>
gen_tunable(TEMPLATETYPE_read_user_files, false)

## <desc>
## <p>
## Allow TEMPLATETYPE to manage files in the user home directory
## </p>
## </desc>
gen_tunable(TEMPLATETYPE_manage_user_files, false)

########################################
#
# Declarations
#
role TEMPLATETYPE_r;

userdom_base_user_template(TEMPLATETYPE)
"""

# No extra rules for a plain login user; kept so callers can always append it.
te_login_user_rules="""\
"""

# Section header under which the generator places user-specific rules.
te_existing_user_rules="""\

########################################
#
# TEMPLATETYPE customized policy
#
"""

# No extra rules for the X login user.
te_x_login_user_rules="""\
"""

# No extra rules for the root-style user (single blank line only).
te_root_user_rules="""\

"""

# Lets the new role run APPLICATION via its *_role interface.
# Note: this literal (and the ones below) starts with a newline — there is no
# trailing backslash after the opening quotes.
te_transition_rules="""
optional_policy(`
        APPLICATION_role(TEMPLATETYPE_r, TEMPLATETYPE_t)
')
"""

# Allows an existing USER_r role to change into the new role.
te_user_trans_rules="""
optional_policy(`
        gen_require(`
                role USER_r;
        ')

        TEMPLATETYPE_role_change(USER_r)
')
"""

# Administrative rules. Review note on scope: the first line grants the
# domain dac_override, dac_read_search, kill, sys_ptrace and sys_nice — the
# DAC-bypass and ptrace capabilities in particular make this a high-privilege
# domain, so this fragment belongs only with a genuinely administrative user
# type. The two tunable_policy blocks reference booleans that, within this
# file, are declared only in te_root_user_types; a policy that pairs this
# fragment with a *_user_types fragment lacking those gen_tunable lines would
# not build — confirm the generator always emits them together.
# The manage-files block mixes a leading tab and eight spaces; that is part of
# the emitted text and is kept as-is.
te_admin_rules="""
allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
files_dontaudit_search_all_dirs(TEMPLATETYPE_t)

selinux_get_enforce_mode(TEMPLATETYPE_t)
seutil_domtrans_setfiles(TEMPLATETYPE_t)
seutil_search_default_contexts(TEMPLATETYPE_t)

logging_send_syslog_msg(TEMPLATETYPE_t)

kernel_read_system_state(TEMPLATETYPE_t)

domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)

userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t)
userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t)

tunable_policy(`TEMPLATETYPE_read_user_files',`
        userdom_read_user_home_content_files(TEMPLATETYPE_t)
        userdom_read_user_tmp_files(TEMPLATETYPE_t)
')

tunable_policy(`TEMPLATETYPE_manage_user_files',`
	userdom_manage_user_home_content_dirs(TEMPLATETYPE_t)
	userdom_manage_user_home_content_files(TEMPLATETYPE_t)
	userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t)
        userdom_manage_user_tmp_files(TEMPLATETYPE_t)
')
"""

# Role-allow from an existing USER_r into the new admin role. Unlike the
# fragments above this one is not wrapped in optional_policy, so USER_r must
# exist in the base policy for the module to load.
te_admin_trans_rules="""
gen_require(`
        role USER_r;
')

allow USER_r TEMPLATETYPE_r;
"""

# Grants the new domain/role the APPLICATION_admin interface.
te_admin_domain_rules="""
optional_policy(`
        APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r)
')
"""

# Reverse direction of te_user_trans_rules: lets the new role change into
# an existing ROLE_r.
te_roles_rules="""
optional_policy(`
        gen_require(`
                role ROLE_r;
        ')

        allow TEMPLATETYPE_r ROLE_r;
')
"""

# sudo integration for the new role/domain (only if the sudo module exists).
te_sudo_rules="""
optional_policy(`
        sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t)
')
"""

# Lets the domain run newrole to switch roles; not wrapped in optional_policy.
te_newrole_rules="""
seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r)
"""
200"""
201