Policy for user domains
Append files in a user home subdirectory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute a generic bin program in the sysadm domain.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute bin_t in the unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create keys for all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Send a dbus message to all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
delete all directories in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Delete all files in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Delete all symlinks in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Do not audit attempts to append to the staff users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attempts to get the attributes of the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attepts to get the attributes of sysadm ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Do not audit attempts to list the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
dontaudit getattr all user file type
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Do not audit attempts to search the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
dontaudit relabel of generic user home files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Do not audit attempts to relabel files from unprivileged user pty types.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Do not audit attempts to search all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Don't audit search on the user home subdirectory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Do not audit attempts to search the staff users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attempts to search the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attempts to inherit the file descriptors from any user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Dont audit attempts to read and write sysadm ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attempts to use sysadm ttys and ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attempts to use sysadm ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attempts to inherit the file descriptors from all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Do not audit attempts to use unprivileged user ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Do not audit attempts to use unprivileged user ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
dontaudit attempts to write to user home dir files
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute all entrypoint files in the sysadm domain. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute all entrypoint files in unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute user executables in the caller domain.
Parameter: | Description: | Optional: |
---|---|---|
type |
Domain allowed access. | No |
Make the specified type usable for files that are exectuables, such as binary programs. This does not include shared libraries.
Parameter: | Description: | Optional: |
---|---|---|
type |
Type to be used for files. | No |
allow execute of generic user home files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create objects in generic user home directories with automatic file type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
object_class |
The class of the object to be created. If not specified, file is used. | No |
getattr all executables
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Get the attributes of all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Get the attributes of the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create generic user home directories with automatic file type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
List all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
List the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all unprivileged users temporary directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
allow getattr all user file type
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete all directories in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete all files in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete all symlinks in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete subdirectories of generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete files in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete named pipes in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete named sockets in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete symbolic links in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete subdirectories of generic staff home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete staff home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Manage unpriviledged user SysV sempaphores.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Manage unpriviledged user SysV shared memory segments.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete directories in unprivileged users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and delete files in unprivileged users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create, read, write, and all executable files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Manage all files/directories in the homedir
Parameter: | Description: | Optional: |
---|---|---|
userdomain |
The user domain | No |
Mmap all executables as executable.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Make the specified domain a privileged home directory manager.
Make the specified domain a privileged home directory manager. This domain will be able to manage the contents of all users general home directory content, and create files with the correct context.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all user temporary untrusted content files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all user untrusted content files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all files in all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all users home directories symlinks.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read the process state of all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read files in generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read files in the staff users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read files in the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Allow to read sysadm tmp files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all unprivileged users home directory files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all unprivileged users temporary files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read all unprivileged users temporary symbolic links.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Relabel to and from the bin type.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
allow relabel of staff home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
allow relabel of staff home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
allow relabel of home type directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Relabel files to unprivileged user pty types.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write sysadm user unnamed pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute a generic sbin program in the sysadm domain.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute generic sbin programs in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Search all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Search all users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Search generic user home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Search the staff users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Search the sysadm users home sub directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Search the sysadm users home directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to not audit. | No |
Search all unprivileged users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Search users home directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Allow apps to set rlimits on userdomain
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Set the attributes of user ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute a shell in the sysadm domain.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Send a SIGCHLD signal to all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Send a SIGCHLD signal to sysadm users.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Send general signals to all user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Send general signals to unprivileged user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Send signull to unprivileged user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute a shell in all user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create objects in staff home directories with automatic file type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
object_class |
The class of the object to be created. If not specified, file is used. | No |
Allow sysadm to execute a generic bin program in a specified domain. This is an explicit transition, requiring the caller to use setexeccon().
Allow sysadm to execute a generic bin program in a specified domain.
This is a interface to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to execute in. | No |
Allow sysadm to execute all entrypoint files in the specified domain. This is an explicit transition, requiring the caller to use setexeccon().
Allow sysadm to execute all entrypoint files in the specified domain. This is an explicit transition, requiring the caller to use setexeccon().
This is a interface to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to execute in. | No |
Create objects in sysadm home directories with automatic file type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
private type |
The type of the object to be created. | No |
object_class |
The class of the object to be created. If not specified, file is used. | No |
Allow sysadm to execute a generic sbin program in a specified domain. This is an explicit transition, requiring the caller to use setexeccon().
Allow sysadm to execute a generic sbin program in a specified domain.
This is a interface to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain to execute in. | No |
Unconfined access to user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Inherit the file descriptors from all user domains
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Inherit and use sysadm file descriptors
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write sysadm ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write sysadm ttys and ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write sysadm ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Inherit the file descriptors from unprivileged user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write unprivileged user ptys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write unprivileged user ttys.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Write all unprivileged users files in /tmp
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
The template for creating an administrative user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The privileges given to administrative users are:
Raw disk access
Set all sysctls
All kernel ring buffer controls
Create, read, write, and delete all files but shadow
Manage source and binary format SELinux policy
Run insmod
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., sysadm is the prefix for sysadm_t). | No |
The template containing the most basic rules common to all users.
The template containing the most basic rules common to all users.
This template creates a user domain, types, and rules for the user's tty and pty.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template allowing the user basic network permissions
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for allowing the user to change passwords.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template containing rules common to unprivileged users and administrative users.
This template creates a user domain, types, and rules for the user's tty, pty, tmp, and tmpfs files.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Create a user pty.
Create a user pty.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Do not audit attempts to append users temporary files.
Do not audit attempts to append users temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to execute user home files.
Do not audit attempts to execute user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Do not audit attempts to list user home subdirectories.
Do not audit attempts to list user home subdirectories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit | No |
Do not audit attempts to list user temporary directories.
Do not audit attempts to list user temporary directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to list user temporary untrusted directories.
Do not audit attempts to list user temporary directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to list user untrusted directories.
Do not audit attempts to read user untrusted directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to create, read, write, and delete directories in a user home subdirectory.
Do not audit attempts to create, read, write, and delete directories in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Do not audit attempts to manage users temporary directories.
Do not audit attempts to manage users temporary directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to manage users temporary files.
Do not audit attempts to manage users temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to read user home files.
Do not audit attempts to read user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to read users temporary files.
Do not audit attempts to read users temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to read users temporary untrusted files.
Do not audit attempts to read users temporary untrusted files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to read users untrusted files.
Do not audit attempts to read users untrusted files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
Do not audit attempts to set the attributes of user home files.
Do not audit attempts to set the attributes of user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Do not audit attempts to read and write a user domain tty and pty.
Do not audit attempts to read and write a user domain tty and pty.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Do not audit attempts to write user home files.
Do not audit attempts to write user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain to not audit. | No |
The template allowing the user to execute generic programs, such as those found in /bin, /sbin, /usr/bin, and /usr/sbin.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for allowing the user to execute files in their home directory.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for execute access to the user temporary files.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Execute user home files.
Execute user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
List user home directories.
List user home directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
List user temporary directories.
List user temporary directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
List users temporary untrusted directories.
List users temporary untrusted directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
List users untrusted directories.
List users untrusted directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
The template for creating a login user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for creating a home directory that the user has full access.
The template for creating a home directory that the user has full access.
This does not allow execute access.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for full access to the temporary directories.
The template for full access to the temporary directories. This creates a derived type for the user temporary type. Execute access is not given.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for creating a tmpfs type that the user has full access.
The template for creating a tmpfs type that the user has full access.
This does not allow execute access.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Create, read, write, and delete directories in a user home subdirectory.
Create, read, write, and delete directories in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete files in a user home subdirectory.
Create, read, write, and delete files in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete named pipes in a user home subdirectory.
Create, read, write, and delete named pipes in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete named sockets in a user home subdirectory.
Create, read, write, and delete named sockets in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete symbolic links in a user home subdirectory.
Create, read, write, and delete symbolic links in a user home subdirectory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete user temporary directories.
Create, read, write, and delete user temporary directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete user temporary files.
Create, read, write, and delete user temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete user temporary named pipes.
Create, read, write, and delete user temporary named pipes.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete user temporary named sockets.
Create, read, write, and delete user temporary named sockets.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create, read, write, and delete user temporary symbolic links.
Create, read, write, and delete user temporary symbolic links.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Manage user untrusted files.
Create, read, write, and delete untrusted files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
The template for polyinstantiating a user home directory.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for a polyinstantiated temporary directory.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for creating a unprivileged user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Read user home files.
Read user home files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read user home subdirectory symbolic links.
Read user home subdirectory symbolic links.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read user temporary files.
Read user temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read user temporary symbolic links.
Read user temporary symbolic links.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read user temporary untrusted files.
Read user temporary untrusted files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read user temporary untrusted symbolic links.
Read user temporary untrusted symbolic links.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
The template for creating a tmpfs type that the user has full access.
The template for creating a tmpfs type that the user has full access.
This does not allow execute access.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Read user untrusted files.
Read user untrusted files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read user untrusted symbolic links.
Read user untrusted symbolic links.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
The template for creating a unprivileged login user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for creating a home directory that the user has read-only access.
The template for creating a home directory that the user has read-only access.
This does not allow execute access.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Change to the auditadm user role.
Change to the auditadm user role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the auditadm role (e.g., user is the prefix for user_r). | No |
Change from the auditadm user role.
Change from the auditadm user role to the specified role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change from the generic user role.
Change from the generic user role to the specified role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change from the secadm user role.
Change from the secadm user role to the specified role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change from the staff user role.
Change from the staff user role to the specified role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change from the sysadm user role.
Change from the sysadm user role to the specified role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change to the generic user role.
Change to the generic user role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change to the secadm user role.
Change to the secadm user role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change to the staff user role.
Change to the staff user role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
Change to the sysadm user role.
Change to the sysadm user role.
This is a template to support third party modules and its use is not allowed in upstream reference policy.
Parameter: | Description: | Optional: |
---|---|---|
prefix |
The prefix of the user role (e.g., user is the prefix for user_r). | No |
The template for allowing the user to change roles.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Read and write user temporary files.
Read and write user temporary files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read user tmpfs files.
Read user tmpfs files.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Search user home directories.
Search user home directories.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Allow user to run as a secadm
Create objects in a user home directory with an automatic type transition to a specified private type.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
role |
The role of the object to create. | No |
object_class |
The terminal | No |
Set the attributes of a user pty.
Set the attributes of a user pty.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Set the attributes of a user domain tty.
Set the attributes of a user domain tty.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Create objects in the temporary directory with an automatic type transition to the user temporary type.
Create objects in the temporary directory with an automatic type transition to the user temporary type.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
object_class |
The class of the object to be created. If not specified, file is used. | No |
Manage and create all files in /tmp on behalf of the user
The interface for full access to the temporary directories. This creates a derived type for the user temporary type. Execute access is not given.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
class |
The class of the object to be created. If not specified, file is used. | No |
The template for creating a unprivileged user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
The template for creating a set of types for untrusted content.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
Read and write a user domain tty and pty.
Read and write a user domain tty and pty.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Read and write a user domain tty.
Read and write a user domain tty.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
Make the specified type usable in a user home directory.
Make the specified type usable in a user home directory.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
type |
Type to be used as a file in the user home directory. | No |
Create objects in a user home directory with an automatic type transition to a specified private type.
Create objects in a user home directory with an automatic type transition to a specified private type.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
private_type |
The type of the object to create. | No |
object_class |
The class of the object to be created. If not specified, file is used. | No |
Create objects in a user home directory with an automatic type transition to the user home file type.
Create objects in a user home directory with an automatic type transition to the user home file type.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
object_class |
The class of the object to be created. If not specified, file is used. | No |
Do a domain transition to the specified domain when executing a program in the user home directory.
Do a domain transition to the specified domain when executing a program in the user home directory.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
source_domain |
Domain allowed access. | No |
target_domain |
Domain to transition to. | No |
Create objects in a user temporary directory with an automatic type transition to a specified private type.
Create objects in a user temporary directory with an automatic type transition to a specified private type.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
private_type |
The type of the object to create. | No |
object_class |
The class of the object to be created. If not specified, file is used. | No |
Write to user temporary named sockets.
Write to user temporary named sockets.
This is a templated interface, and should only be called from a per-userdomain template.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain |
Domain allowed access. | No |
The template for creating a user xwindows client.
Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix |
The prefix of the user domain (e.g., user is the prefix for user_t). | No |