Layer: system

Module: userdomain

Tunables Interfaces Templates

Description:

Policy for user domains


Tunables:

allow_user_mysql_connect
Default value

false

Description

Allow users to connect to mysql

allow_user_postgresql_connect
Default value

false

Description

Allow users to connect to PostgreSQL

user_direct_mouse
Default value

false

Description

Allow regular users direct mouse access

user_dmesg
Default value

false

Description

Allow users to read system messages.

user_exec_noexattrfile
Default value

true

Description

Allow user to exec files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

user_r_noexattrfile
Default value

true

Description

Allow user to read files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

user_r_unlabeledfile
Default value

true

Description

Allow user to read files on filesystems that with type unlabeled_t (ext4, squashfs)

user_rw_noexattrfile
Default value

true

Description

Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

user_rw_unlabeledfile
Default value

true

Description

Allow user to r/w files on filesystems that with type unlabeled_t (ext4, squashfs)

user_ttyfile_stat
Default value

false

Description

Allow w to display everyone

Return

Interfaces:

userdom_all_home_dir_filetrans( domain , private_type , object_class , name )
Summary

Create objects in all directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_all_home_dir_filetrans_home_content( domain , object_class , name )
Summary

Create objects in a user home directory with an automatic type transition to the user home file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_all_home_filetrans( domain , private_type , object_class , name )
Summary

Create objects under all home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_append_inherited_user_home_content_files( domain )
Summary

Allow append on inherited user home files.

Parameters
Parameter:Description:
domain

Domain to allow.

userdom_attach_admin_tun_iface( domain )
Summary

Allow domain to attach to TUN devices created by administrative users.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_auditadm_home_dir_filetrans( domain , private_type , object_class , name )
Summary

Create objects in auditadm directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_auditadm_home_dir_filetrans_home_content( domain , object_class , name )
Summary

Create objects in a auditadm home directory with an automatic type transition to the audit home file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_auditadm_home_filetrans( domain , private_type , object_class , name )
Summary

Create objects under auditadm home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_bin_spec_domtrans_unpriv_users( domain )
Summary

Execute bin_t in the unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_create_all_users_keys( domain )
Summary

Create keys for all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_create_net_sockets( domain )
Summary

Manager nstwork sock.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_create_user_home_dirs( domain )
Summary

Create user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_create_user_pty( domain )
Summary

Create a user pty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_create_user_tmp_sockets( domain )
Summary

Create named sockets in the tmp (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_dbus_send_all_users( domain )
Summary

Send a dbus message to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_home_content_dirs( domain )
Summary

Delete all home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_home_content_files( domain )
Summary

Delete all user home content files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_home_content_symlinks( domain )
Summary

Delete all user home content symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_auditadm_home_content_dirs( domain )
Summary

Delete auditadm home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_auditadm_home_content_symlinks( domain )
Summary

Delete all auditadm home content symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_secadm_home_content_dirs( domain )
Summary

Delete secadm home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_secadm_home_content_symlinks( domain )
Summary

Delete all secadm home content symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_sysadm_home_content_dirs( domain )
Summary

Delete sysadm home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_sysadm_home_content_symlinks( domain )
Summary

Delete all sysadm home content symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_home_content_dirs( domain )
Summary

Delete user home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_home_content_files( domain )
Summary

Delete files in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_home_content_symlinks( domain )
Summary

Delete symbolic links in a user home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmp_sockets( domain )
Summary

Delete named sockets in the tmp (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmpfs_files( domain )
Summary

Delete user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_dontaudit_append_user_home_content_files( domain )
Summary

Do not audit attempts to append user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_append_user_tmp_files( domain )
Summary

Do not audit attempts to append users temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_exec_user_home_content_files( domain )
Summary

Do not audit attempts to execute user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_getattr_user_home_dirs( domain )
Summary

Do not audit attempts to get the attributes of user home directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_getattr_user_ttys( domain )
Summary

Do not audit attempts to get the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_list_user_home_dirs( domain )
Summary

Do not audit attempts to list user home subdirectories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_list_user_tmp( domain )
Summary

Do not audit attempts to list user temporary directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_manage_user_home_content_dirs( domain )
Summary

Do not audit attempts to create, read, write, and delete directories in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_manage_user_tmp_dirs( domain )
Summary

Do not audit attempts to manage users temporary directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_manage_user_tmp_files( domain )
Summary

Do not audit attempts to manage users temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_read_user_home_content_files( domain )
Summary

Do not audit attempts to read user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_read_user_tmp_files( domain )
Summary

Do not audit attempts to read users temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_relabel_user_home_content_files( domain )
Summary

Do not audit attempts to write user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_relabelfrom_user_ptys( domain )
Summary

Do not audit attempts to relabel files from user pty types.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_rw_stream( domain )
Summary

Do not audit attempts to read and write unserdomain stream.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_search_admin_dir( domain )
Summary

Allowed to dontaudit when a domain search admin dir

Parameters
Parameter:Description:
domain

Domain not to taudit.

userdom_dontaudit_search_user_home_content( domain )
Summary

Do not audit attempts to search user home content directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_search_user_home_dirs( domain )
Summary

Do not audit attempts to search user home directories.

Description

Do not audit attempts to search user home directories. This will supress SELinux denial messages when the specified domain is denied the permission to search these directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_setattr_user_home_content_files( domain )
Summary

Do not audit attempts to set the attributes of user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_setattr_user_ttys( domain )
Summary

Do not audit attempts to set the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_all_users_fds( domain )
Summary

Do not audit attempts to inherit the file descriptors from any user domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_unpriv_user_fds( domain )
Summary

Do not audit attempts to inherit the file descriptors from unprivileged user domains.

Description

Do not audit attempts to inherit the file descriptors from unprivileged user domains. This will supress SELinux denial messages when the specified domain is denied the permission to inherit these file descriptors.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_user_ptys( domain )
Summary

Do not audit attempts to use user ptys.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_user_terminals( domain )
Summary

Do not audit attempts to read and write a user domain tty and pty.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_user_ttys( domain )
Summary

Do not audit attempts to use user ttys.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_write_user_home_content_files( domain )
Summary

Do not audit attempts to write user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_write_user_tmp_files( domain )
Summary

Do not audit attempts to write users temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_entry_spec_domtrans_unpriv_users( domain )
Summary

Execute all entrypoint files in unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_all_home_content_files( domain )
Summary

Execute all home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_auditadm_home_content_files( domain )
Summary

Execute auditadm home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_secadm_home_content_files( domain )
Summary

Execute secadm home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_spec_home_content_files( domain )
Summary

Execute spec home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_sysadm_home_content_files( domain )
Summary

Execute sysadm home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_user_home_content_files( domain )
Summary

Execute user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_user_tmp_files( domain )
Summary

The execute access user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_user_tmp_sockets( domain )
Summary

Exec to user temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_execute_user_tmpfs_files( domain )
Summary

Execute generic user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_getattr_all_users( domain )
Summary

Get the attributes of all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_getattr_user_home_dirs( domain )
Summary

Get the attributes of user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_getattr_user_ttys( domain )
Summary

Get the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_home_filetrans_user_home_dir( domain , name )
Summary

Create directories in the home dir root with the user home directory type.

Parameters
Parameter:Description:
domain

Domain allowed access.

name

The name of the object being created.

userdom_home_manager( type )
Summary

Associated a type with userdom_home_manager_type attribute.

Parameters
Parameter:Description:
type

Attribute type.

userdom_kill_all_users( domain )
Summary

Send kill signals to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_all_home_content( domain )
Summary

List all users home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_auditadm_home_content( domain )
Summary

List auditadm users home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_secadm_home_content( domain )
Summary

List secadm home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_sysadm_home_content( domain )
Summary

List sysadm home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_user_home_content( domain )
Summary

List users home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_user_home_dirs( domain )
Summary

List user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_user_tmp( domain )
Summary

List user temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_all_home_content_dirs( domain )
Summary

Create, read, write, and delete directories in all home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_all_home_content_files( domain )
Summary

Create, read, write, and delete files in all home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_all_home_content_pipes( domain )
Summary

Create, read, write, and delete named pipes in all home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_all_home_content_sockets( domain )
Summary

Create, read, write, and delete named sockets in all home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_all_home_content_symlinks( domain )
Summary

Create, read, write, and delete symbolic links all home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_all_home_dirs( domain )
Summary

Create on all home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_auditadm_home_content_dirs( domain )
Summary

Create, read, write, and delete directories in auditadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_auditadm_home_content_files( domain )
Summary

Create, read, write, and delete files in auditadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_auditadm_home_content_pipes( domain )
Summary

Create, read, write, and delete named pipes auditadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_auditadm_home_content_sockets( domain )
Summary

Create, read, write, and delete named sockets auditadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_auditadm_home_content_symlinks( domain )
Summary

Create, read, write, and delete symbolic links auditadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_auditadm_home_dirs( domain )
Summary

Create on auditadm home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_secadm_home_content_dirs( domain )
Summary

Create, read, write, and delete directories in secadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_secadm_home_content_files( domain )
Summary

Create, read, write, and delete files in secadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_secadm_home_content_pipes( domain )
Summary

Create, read, write, and delete named pipes secadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_secadm_home_content_sockets( domain )
Summary

Create, read, write, and delete named sockets secadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_secadm_home_content_symlinks( domain )
Summary

Create, read, write, and delete symbolic links secadm subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_secadm_home_dirs( domain )
Summary

Create on secadm home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_spec_home_content_dirs( domain )
Summary

Create, read, write, and delete directories in spec home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_spec_home_content_files( domain )
Summary

Create, read, write, and delete files in spec home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_sysadm_home_content_dirs( domain )
Summary

Create, read, write, and delete directories in sysadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_sysadm_home_content_files( domain )
Summary

Create, read, write, and delete files in sysadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_sysadm_home_content_pipes( domain )
Summary

Create, read, write, and delete named pipes sysadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_sysadm_home_content_sockets( domain )
Summary

Create, read, write, and delete named sockets sysadm home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_sysadm_home_content_symlinks( domain )
Summary

Create, read, write, and delete symbolic links sysadm subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_sysadm_home_dirs( domain )
Summary

Create on sysadm home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_tmp_role( role , domain )
Summary

Manage user temporary files

Parameters
Parameter:Description:
role

Role allowed access.

domain

Domain allowed access.

userdom_manage_tmpfs_role( role , domain )
Summary

Role access for the user tmpfs type that the user has full access.

Description

Role access for the user tmpfs type that the user has full access.

This does not allow execute access.

Parameters
Parameter:Description:
role

Role allowed access.

domain

Domain allowed access.

userdom_manage_tmpfs_sock_file( domain )
Summary

Domain access for the user tmpfs type socket file

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_unpriv_user_semaphores( domain )
Summary

Manage unpriviledged user SysV sempaphores.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_unpriv_user_shared_mem( domain )
Summary

Manage unpriviledged user SysV shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_dirs( domain )
Summary

Create, read, write, and delete directories in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_files( domain )
Summary

Create, read, write, and delete files in user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_pipes( domain )
Summary

Create, read, write, and delete named pipes user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_sockets( domain )
Summary

Create, read, write, and delete named sockets user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_symlinks( domain )
Summary

Create, read, write, and delete symbolic links user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_dirs( domain )
Summary

Create on user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_dirs( domain )
Summary

Create, read, write, and delete user temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_files( domain )
Summary

Create, read, write, and delete user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_pipes( domain )
Summary

Create, read, write, and delete user temporary named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_sockets( domain )
Summary

Create, read, write, and delete user temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_symlinks( domain )
Summary

Create, read, write, and delete user temporary symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmpfs( domain )
Summary

Manage user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed to access.

userdom_manage_user_tmpfs_files( domain )
Summary

Create, read, write, and delete user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmpfs_socket( domain )
Summary

Manage user temporary/sock files.

Parameters
Parameter:Description:
domain

Domain allowed to access.

userdom_mange_user_tmp( domain )
Summary

Manage user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed to access.

userdom_mmap_user_home_content_files( domain )
Summary

Mmap user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_mount_tmpfs_file( domain )
Summary

User mount tmpfs file

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_mount_user_tmpfs_dir( domain )
Summary

mounton tmpfs dir.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_mounton_user_home( domain )
Summary

Mount user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_mounton_user_tmp( domain )
Summary

Mount user temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_all_home_content_files( domain )
Summary

Read all home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_all_home_content_symlinks( domain )
Summary

Read user home subdirectory symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_all_users_state( domain )
Summary

Read the process state of all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_auditadm_home_content_files( domain )
Summary

Read auditadm home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_auditadm_home_content_symlinks( domain )
Summary

Read auditadm home subdirectory symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_secadm_home_content_files( domain )
Summary

Read secadm home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_secadm_home_content_symlinks( domain )
Summary

Read secadm home subdirectory symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_sysadm_home_content_files( domain )
Summary

Read sysadm home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_sysadm_home_content_symlinks( domain )
Summary

Read sysadm home subdirectory symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_home_content_files( domain )
Summary

Read user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_home_content_symlinks( domain )
Summary

Read user home subdirectory symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_tmp_files( domain )
Summary

Read user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_tmp_symlinks( domain )
Summary

Read user temporary symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_tmpfs_files( domain )
Summary

Read user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabelto_user_home_dirs( domain )
Summary

Relabel to user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabelto_user_ptys( domain )
Summary

Relabel files to unprivileged user pty types.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_ro_home_role( role , userdomain )
Summary

Allow a home directory for which the role has read-only access.

Description

Allow a home directory for which the role has read-only access.

This does not allow execute access.

Parameters
Parameter:Description:
role

The user role

userdomain

The user domain

userdom_rw_unconfined_shared_mem( domain )
Summary

Read and write unconfiend SysV shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_unpriv_user_semaphores( domain )
Summary

Read and write unpriviledged user SysV sempaphores.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_unpriv_user_shared_mem( domain )
Summary

Read and write unpriviledged user SysV shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_user_tmp_files( domain )
Summary

Read and write user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_user_tmpfs_files( domain )
Summary

Read user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_all_home_dirs( domain )
Summary

Search all home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_auditadm_home_dirs( domain )
Summary

Search auditadm home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_secadm_home_dirs( domain )
Summary

Search search home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_spec_home_dirs( domain )
Summary

Search spec home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_sysadm_home_dirs( domain )
Summary

Search sysadm home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_user_home_content( domain )
Summary

Search users home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_user_home_dirs( domain )
Summary

Search user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_secadm_home_dir_filetrans( domain , private_type , object_class , name )
Summary

Create objects in secadm directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_secadm_home_dir_filetrans_home_content( domain , object_class , name )
Summary

Create objects in a auditadm home directory with an automatic type transition to the audit home file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_secadm_home_filetrans( domain , private_type , object_class , name )
Summary

Create objects under secadm home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_setattr_all_user_home_content_dirs( domain )
Summary

Set attributes of all user home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_setattr_user_ptys( domain )
Summary

Set the attributes of a user pty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_setattr_user_ttys( domain )
Summary

Set the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_sigchld_all_users( domain )
Summary

Send a SIGCHLD signal to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_signal_all_users( domain )
Summary

Send general signals to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_signal_unpriv_users( domain )
Summary

Send general signals to unprivileged user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_signull_all_users( domain )
Summary

Send signull to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_signull_unpriv_users( domain )
Summary

Send signull to unprivileged user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_spec_domtrans_all_users( domain )
Summary

Execute a shell in all user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_spec_domtrans_unpriv_users( domain )
Summary

Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_sysadm_home_dir_filetrans( domain , private_type , object_class , name )
Summary

Create objects sysadm home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_sysadm_home_dir_filetrans_home_content( domain , object_class , name )
Summary

Create objects in a sysadm home directory with an automatic type transition to the sysadm home file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_sysadm_home_filetrans( domain , private_type , object_class , name )
Summary

Create objects under sysadm home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_tmp_filetrans_user_tmp( domain , object_class , name )
Summary

Create objects in the temporary directory with an automatic type transition to the user temporary type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_use_all_users_fds( domain )
Summary

Inherit the file descriptors from all user domains

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_inherited_user_terminals( domain )
Summary

Read and write a inherited user TTYs and PTYs.

Description

Allow the specified domain to read and write inherited user TTYs and PTYs. This will allow the domain to interact with the user via the terminal. Typically all interactive applications will require this access.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_unpriv_users_fds( domain )
Summary

Inherit the file descriptors from unprivileged user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_user_ptys( domain )
Summary

Read and write a user domain pty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_user_terminals( domain )
Summary

Read and write a user TTYs and PTYs.

Description

Allow the specified domain to read and write user TTYs and PTYs. This will allow the domain to interact with the user via the terminal. Typically all interactive applications will require this access.

However, this also allows the applications to spy on user sessions or inject information into the user session. Thus, this access should likely not be allowed for non-interactive domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_user_ttys( domain )
Summary

Read and write a user domain tty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_user_application_domain( type , type )
Summary

Make the specified type usable as a user application domain.

Parameters
Parameter:Description:
type

Type to be used as a user application domain.

type

Type to be used as the domain entry point.

userdom_user_application_type( type )
Summary

Make the specified type usable as a user application domain type.

Parameters
Parameter:Description:
type

Type to be used as a user application domain.

userdom_user_home_content( type )
Summary

Make the specified type usable in a user home directory.

Parameters
Parameter:Description:
type

Type to be used as a file in the user home directory.

userdom_user_home_dir_filetrans( domain , private_type , object_class , name )
Summary

Create objects in user home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_home_dir_filetrans_home_content( domain , object_class , name )
Summary

Create objects in a user home directory with an automatic type transition to the user home file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_home_domtrans( source_domain , target_domain )
Summary

Do a domain transition to the specified domain when executing a program in the user home directory.

Description

Do a domain transition to the specified domain when executing a program in the user home directory.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
Parameter:Description:
source_domain

Domain allowed to transition.

target_domain

Domain to transition to.

userdom_user_home_filetrans( domain , private_type , object_class , name )
Summary

Create objects under user home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_tmp_file( type )
Summary

Make the specified type usable as a user temporary file.

Parameters
Parameter:Description:
type

Type to be used as a file in the temporary directories.

userdom_user_tmp_filetrans( domain , private_type , object_class , name )
Summary

Create objects in a user temporary directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_tmpfs_file( type )
Summary

Make the specified type usable as a user tmpfs file.

Parameters
Parameter:Description:
type

Type to be used as a file in tmpfs directories.

userdom_write_user_tmp_files( domain )
Summary

Write all users files in /tmp

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_write_user_tmp_sockets( domain )
Summary

Write to user temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_write_user_tmpfs_sockfiles( domain )
Summary

write user_tmpfs_t socket file .

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_xsession_spec_domtrans_all_users( domain )
Summary

Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_xsession_spec_domtrans_unpriv_users( domain )
Summary

Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

Return

Templates:

userdom_admin_user_template( userdomain_prefix )
Summary

The template for creating an administrative user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

The privileges given to administrative users are:

  • Raw disk access

  • Set all sysctls

  • All kernel ring buffer controls

  • Create, read, write, and delete all files but shadow

  • Manage source and binary format SELinux policy

  • Run insmod

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., sysadm is the prefix for sysadm_t).

userdom_auditadm_template( userdomain_prefix )
Summary

The template for auditadm

Description

The template for creating a unprivileged user roughly equivalent to a regular linux user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_base_user_template( userdomain_prefix )
Summary

The template containing the most basic rules common to all users.

Description

The template containing the most basic rules common to all users.

This template creates a user domain, types, and rules for the user's tty and pty.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_basic_networking_template( userdomain_prefix )
Summary

The template allowing the user basic network permissions

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_change_password_template( userdomain_prefix )
Summary

The template for allowing the user to change passwords.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_common_user_template( userdomain_prefix )
Summary

The template containing rules common to unprivileged users and administrative users.

Description

This template creates a user domain, types, and rules for the user's tty, pty, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_login_user_template( userdomain_prefix )
Summary

The template for creating a login user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_login_xguest_template( userdomain_prefix )
Summary

The template for creating a login user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_manage_home_role( role , userdomain )
Summary

The tempate allow a home directory for which the role has full access.

Description

Allow a home directory for which the role has full access.

This does not allow execute access.

Parameters
Parameter:Description:
role

The user role

userdomain

The user domain

userdom_restricted_user_template( userdomain_prefix )
Summary

The template for creating a unprivileged login user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_restricted_xguest_template( userdomain_prefix )
Summary

The template for creating a unprivileged login user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_restricted_xwindows_user_template( userdomain_prefix )
Summary

The template for creating a unprivileged xwindows login user.

Description

The template for creating a unprivileged xwindows login user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_restricted_xwindows_xguest_template( userdomain_prefix )
Summary

The template for xguest.

Description

The template for creating a unprivileged xwindows login user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_secadm_template( userdomain_prefix )
Summary

The template for secadm

Description

The template for creating a unprivileged user roughly equivalent to a regular linux user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_security_admin_template( domain , role )
Summary

Allow user to run as a secadm

Description

Create objects in a user home directory with an automatic type transition to a specified private type.

This is a templated interface, and should only be called from a per-userdomain template.

Parameters
Parameter:Description:
domain

Domain allowed access.

role

The role of the object to create.

userdom_sysadm_template( userdomain_prefix )
Summary

The template for sysadm

Description

The template for creating a unprivileged user roughly equivalent to a regular linux user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_unpriv_user_template( userdomain_prefix )
Summary

The template for creating a unprivileged user roughly equivalent to a regular linux user.

Description

The template for creating a unprivileged user roughly equivalent to a regular linux user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_xwindows_client_template( userdomain_prefix )
Summary

The template for creating a user xwindows client. (Deprecated)

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

Return