Policy for user domains
false
Allow users to connect to mysql
false
Allow users to connect to PostgreSQL
false
Allow regular users direct mouse access
false
Allow users to read system messages.
false
Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
false
Allow w to display everyone
Execute bin_t in the unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create keys for all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create a user pty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Send and receive messages from all user domains over dbus.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Send a dbus message to all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to append user home files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to append users temporary files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to execute user home files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to get the attributes of user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to get the attributes of a user domain tty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to list user home subdirectories.
Parameter: | Description: |
---|---|
domain |
Domain to not audit |
Do not audit attempts to list user temporary directories.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to create, read, write, and delete directories in a user home subdirectory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to manage users temporary directories.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to manage users temporary files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read user home files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read users temporary files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to write user home files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to relabel files from user pty types.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to search user home content directories.
Parameter: | Description: |
---|---|
domain |
Domain to not audit |
Search user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to set the attributes of user home files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to set the attributes of a user domain tty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to inherit the file descriptors from any user domains.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to inherit the file descriptors from all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to use user ptys.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read and write a user domain tty and pty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to use user ttys.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to write user home files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Execute all entrypoint files in unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Execute user home files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
The execute access user temporary files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of a user domain tty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create directories in the home dir root with the user home directory type.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
List user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
List user temporary directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow a home directory for which the role has full access.
Allow a home directory for which the role has full access.
This does not allow execute access.
Parameter: | Description: |
---|---|
role |
The user role |
userdomain |
The user domain |
Manage user temporary files
Parameter: | Description: |
---|---|
role |
Role allowed access. |
domain |
Domain allowed access. |
Role access for the user tmpfs type that the user has full access.
Role access for the user tmpfs type that the user has full access.
This does not allow execute access.
Parameter: | Description: |
---|---|
role |
Role allowed access. |
domain |
Domain allowed access. |
Manage unpriviledged user SysV sempaphores.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Manage unpriviledged user SysV shared memory segments.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete directories in a user home subdirectory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete files in a user home subdirectory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete named pipes in a user home subdirectory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete named sockets in a user home subdirectory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete symbolic links in a user home subdirectory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete user temporary directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete user temporary files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete user temporary named pipes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete user temporary named sockets.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete user temporary symbolic links.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Mmap user home files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Ptrace all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the process state of all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read user home files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read user home subdirectory symbolic links.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read user temporary files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read user temporary symbolic links.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel to user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel files to unprivileged user pty types.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow a home directory for which the role has read-only access.
Allow a home directory for which the role has read-only access.
This does not allow execute access.
Parameter: | Description: |
---|---|
role |
The user role |
userdomain |
The user domain |
Read and write user temporary files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read user tmpfs files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Search users home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Search user home directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of a user pty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of a user domain tty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Send a SIGCHLD signal to all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Send general signals to all user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Send general signals to unprivileged user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Execute a shell in all user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create objects in the temporary directory with an automatic type transition to the user temporary type.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
object_class |
The class of the object to be created. |
Inherit the file descriptors from all user domains
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Inherit the file descriptors from unprivileged user domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write a user domain pty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write a user domain tty and pty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write a user domain tty.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Make the specified type usable in a user home directory.
Parameter: | Description: |
---|---|
type |
Type to be used as a file in the user home directory. |
Create objects in a user home directory with an automatic type transition to a specified private type.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
private_type |
The type of the object to create. |
object_class |
The class of the object to be created. |
Create objects in a user home directory with an automatic type transition to a specified private type.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
private_type |
The type of the object to create. |
object_class |
The class of the object to be created. |
Create objects in a user home directory with an automatic type transition to the user home file type.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
object_class |
The class of the object to be created. |
Do a domain transition to the specified domain when executing a program in the user home directory.
Do a domain transition to the specified domain when executing a program in the user home directory.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Parameter: | Description: |
---|---|
source_domain |
Domain allowed access. |
target_domain |
Domain to transition to. |
Create objects in a user temporary directory with an automatic type transition to a specified private type.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
private_type |
The type of the object to create. |
object_class |
The class of the object to be created. |
Write all users files in /tmp
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to user temporary named sockets.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
The template for creating an administrative user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The privileges given to administrative users are:
Raw disk access
Set all sysctls
All kernel ring buffer controls
Create, read, write, and delete all files but shadow
Manage source and binary format SELinux policy
Run insmod
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., sysadm is the prefix for sysadm_t). |
The template containing the most basic rules common to all users.
The template containing the most basic rules common to all users.
This template creates a user domain, types, and rules for the user's tty and pty.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
The template allowing the user basic network permissions
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
The template for allowing the user to change passwords.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
The template containing rules common to unprivileged users and administrative users.
This template creates a user domain, types, and rules for the user's tty, pty, tmp, and tmpfs files.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
The template for creating a login user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
The template for creating a unprivileged login user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
The template for creating a unprivileged xwindows login user.
The template for creating a unprivileged xwindows login user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
Allow user to run as a secadm
Create objects in a user home directory with an automatic type transition to a specified private type.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
role |
The role of the object to create. |
The template for creating a unprivileged user roughly equivalent to a regular linux user.
The template for creating a unprivileged user roughly equivalent to a regular linux user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |
The template for creating a user xwindows client.
Parameter: | Description: |
---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). |