Layer: system

Module: userdomain


Description:

Policy for user domains


Tunables:

allow_user_mysql_connect
Default value

false

Description

Allow users to connect to mysql

allow_user_postgresql_connect
Default value

false

Description

Allow users to connect to PostgreSQL

user_direct_mouse
Default value

false

Description

Allow regular users direct mouse access

user_dmesg
Default value

false

Description

Allow users to read system messages.

user_exec_noexattrfile
Default value

false

Description

Allow user to execute files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

user_rw_noexattrfile
Default value

false

Description

Allow user to read and write files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)

user_ttyfile_stat
Default value

false

Description

Allow w to display everyone

user_write_removable
Default value

false

Description

Allow user to write files on removable devices (e.g. external USB memory devices or floppies)


Interfaces:

userdom_append_inherited_user_home_content_files( domain )
Summary

Allow append on inherited user home files.

Parameters
Parameter:Description:
domain

Domain to allow.

userdom_application_exec_domain( domain , userdomain_prefix )
Summary

Associate the specified domain to be a domain capable of executing other applications on behalf of the specified user.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_attach_admin_tun_iface( domain )
Summary

Allow domain to attach to TUN devices created by administrative users.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_bin_spec_domtrans_unpriv_users( domain )
Summary

Execute bin_t in the unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_create_all_users_keys( domain )
Summary

Create keys for all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_create_user_home_dirs( domain )
Summary

Create user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_create_user_pty( domain )
Summary

Create a user pty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_dbus_send_all_users( domain )
Summary

Send a dbus message to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_home_content_dirs( domain )
Summary

Delete all user home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_home_content_files( domain )
Summary

Delete all user home content files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_home_content_symlinks( domain )
Summary

Delete all user home content symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_runtime_blk_files( domain )
Summary

Delete user runtime blk files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_runtime_chr_files( domain )
Summary

Delete user runtime chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_runtime_dirs( domain )
Summary

Delete user runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_runtime_files( domain )
Summary

Delete user runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_runtime_named_pipes( domain )
Summary

Delete user runtime fifo files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_runtime_named_sockets( domain )
Summary

Delete user runtime socket files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_all_user_runtime_symlinks( domain )
Summary

Delete user runtime symlink files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_home_content_dirs( domain )
Summary

Delete directories in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_home_content_files( domain )
Summary

Delete files in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_home_content_symlinks( domain )
Summary

Delete symbolic links in a user home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_runtime_files( domain )
Summary

Delete user runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmp_dirs( domain )
Summary

Delete user temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmp_files( domain )
Summary

Delete user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmp_named_pipes( domain )
Summary

Delete user temporary named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmp_named_sockets( domain )
Summary

Delete user temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmp_symlinks( domain )
Summary

Delete user temporary symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_delete_user_tmpfs_files( domain )
Summary

Delete user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_dontaudit_append_user_home_content_files( domain )
Summary

Do not audit attempts to append user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_append_user_tmp_files( domain )
Summary

Do not audit attempts to append user temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_exec_user_home_content_files( domain )
Summary

Do not audit attempts to execute user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_getattr_user_home_dirs( domain )
Summary

Do not audit attempts to get the attributes of user home directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_getattr_user_ttys( domain )
Summary

Do not audit attempts to get the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_list_user_home_dirs( domain )
Summary

Do not audit attempts to list user home subdirectories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_list_user_tmp( domain )
Summary

Do not audit attempts to list user temporary directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_manage_user_certs( domain )
Summary

Do not audit attempts to manage the user SSL certificates.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_dontaudit_manage_user_home_content_dirs( domain )
Summary

Do not audit attempts to create, read, write, and delete directories in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_manage_user_home_dirs( domain )
Summary

Do not audit attempts to manage user home directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_manage_user_tmp_dirs( domain )
Summary

Do not audit attempts to manage user temporary directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_manage_user_tmp_files( domain )
Summary

Do not audit attempts to manage user temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_read_user_home_content_files( domain )
Summary

Do not audit attempts to read user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_read_user_tmp_files( domain )
Summary

Do not audit attempts to read user temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_read_user_tmpfs_files( domain )
Summary

Do not audit attempts to read user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_dontaudit_relabel_user_home_content_files( domain )
Summary

Do not audit attempts to relabel user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_relabelfrom_user_ptys( domain )
Summary

Do not audit attempts to relabel files from user pty types.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_rw_all_users_stream_sockets( domain )
Summary

Do not audit attempts to read and write userdomain stream sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_rw_user_tmp_pipes( domain )
Summary

Do not audit attempts to read and write temporary pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_dontaudit_search_user_home_content( domain )
Summary

Do not audit attempts to search user home content directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_search_user_home_dirs( domain )
Summary

Do not audit attempts to search user home directories.

Description

Do not audit attempts to search user home directories. This will suppress SELinux denial messages when the specified domain is denied the permission to search these directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_search_user_runtime_root( domain )
Summary

Do not audit attempts to search user runtime root directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_setattr_user_home_content_files( domain )
Summary

Do not audit attempts to set the attributes of user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_setattr_user_ttys( domain )
Summary

Do not audit attempts to set the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_all_users_fds( domain )
Summary

Do not audit attempts to inherit the file descriptors from any user domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_unpriv_user_fds( domain )
Summary

Do not audit attempts to inherit the file descriptors from unprivileged user domains.

Description

Do not audit attempts to inherit the file descriptors from unprivileged user domains. This will suppress SELinux denial messages when the specified domain is denied the permission to inherit these file descriptors.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_user_ptys( domain )
Summary

Do not audit attempts to use user ptys.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_user_terminals( domain )
Summary

Do not audit attempts to read and write a user domain tty and pty.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_use_user_ttys( domain )
Summary

Do not audit attempts to use user ttys.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_write_user_home_content_files( domain )
Summary

Do not audit attempts to write user home files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_dontaudit_write_user_tmp_files( domain )
Summary

Do not audit attempts to write user temporary files.

Parameters
Parameter:Description:
domain

Domain to not audit.

userdom_entry_spec_domtrans_unpriv_users( domain )
Summary

Execute all entrypoint files in unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_user_bin_files( domain )
Summary

Execute user executable files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_user_home_content_files( domain )
Summary

Execute user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_exec_user_tmp_files( domain )
Summary

Execute user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_execmod_user_tmpfs_files( domain )
Summary

Execute and execmod user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_getattr_all_users( domain )
Summary

Get the attributes of all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_getattr_user_home_dirs( domain )
Summary

Get the attributes of user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_getattr_user_ttys( domain )
Summary

Get the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_home_filetrans_user_home_dir( domain , name )
Summary

Create directories in the home dir root with the user home directory type.

Parameters
Parameter:Description:
domain

Domain allowed access.

name

The name of the object being created.

userdom_list_all_user_home_content( domain )
Summary

List all user home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_all_user_runtime( domain )
Summary

List user runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_user_home_content( domain )
Summary

List contents of a user's home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_user_home_dirs( domain )
Summary

List user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_list_user_tmp( domain )
Summary

List user temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_all_user_home_content( domain )
Summary

Manage all user home content, including application-specific resources.

Parameters
Parameter:Description:
domain

Domain allowed access

userdom_manage_all_users_keys( domain )
Summary

Manage keys for all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_home_role( role , userdomain )
Summary

Allow a home directory for which the role has full access.

Description

Allow a home directory for which the role has full access.

This does not allow execute access.

Parameters
Parameter:Description:
role

The user role

userdomain

The user domain

userdom_manage_tmp_role( role , domain )
Summary

Manage user temporary files

Parameters
Parameter:Description:
role

Role allowed access.

domain

Domain allowed access.

userdom_manage_tmpfs_role( role , domain )
Summary

Role access for the user tmpfs type that the user has full access.

Description

Role access for the user tmpfs type that the user has full access.

This does not allow execute access.

Parameters
Parameter:Description:
role

Role allowed access.

domain

Domain allowed access.

userdom_manage_unpriv_user_semaphores( domain )
Summary

Manage unprivileged user SysV semaphores.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_unpriv_user_shared_mem( domain )
Summary

Manage unprivileged user SysV shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_bin( domain )
Summary

Manage user executable files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_certs( domain )
Summary

Manage user SSL certificates.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_dirs( domain )
Summary

Create, read, write, and delete directories in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_files( domain )
Summary

Create, read, write, and delete files in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_pipes( domain )
Summary

Create, read, write, and delete named pipes in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_sockets( domain )
Summary

Create, read, write, and delete named sockets in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_content_symlinks( domain )
Summary

Create, read, write, and delete symbolic links in a user home subdirectory.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_home_dirs( domain )
Summary

Manage user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_runtime_dirs( domain )
Summary

Create, read, write, and delete user runtime dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_runtime_root_dirs( domain )
Summary

Create, read, write, and delete user runtime root dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_dirs( domain )
Summary

Create, read, write, and delete user temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_files( domain )
Summary

Create, read, write, and delete user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_pipes( domain )
Summary

Create, read, write, and delete user temporary named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_sockets( domain )
Summary

Create, read, write, and delete user temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmp_symlinks( domain )
Summary

Create, read, write, and delete user temporary symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_manage_user_tmpfs_files( domain )
Summary

Create, read, write, and delete user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_map_all_user_home_content_files( domain )
Summary

Map all user home content, including application-specific resources.

Parameters
Parameter:Description:
domain

Domain allowed access

userdom_map_user_home_content_files( domain )
Summary

Map user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_map_user_tmp_files( domain )
Summary

Map user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_map_user_tmpfs_files( domain )
Summary

Map user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_mmap_user_home_content_files( domain )
Summary

Mmap user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_mounton_user_runtime_dirs( domain )
Summary

Mount a filesystem on user runtime dir directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_all_user_home_content( domain )
Summary

Read all user home content, including application-specific resources.

Parameters
Parameter:Description:
domain

Domain allowed access

userdom_read_all_users_keys( domain )
Summary

Read keys for all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_all_users_state( domain )
Summary

Read the process state of all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_certs( domain )
Summary

Read user SSL certificates.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_home_content_files( domain )
Summary

Read user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_home_content_symlinks( domain )
Summary

Read user home subdirectory symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_tmp_files( domain )
Summary

Read user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_tmp_symlinks( domain )
Summary

Read user temporary symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_read_user_tmpfs_files( domain )
Summary

Read user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabel_generic_user_home_dirs( domain )
Summary

Relabel generic user home dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabel_generic_user_home_files( domain )
Summary

Relabel generic user home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabel_user_runtime_root_dirs( domain )
Summary

Relabel to and from user runtime root dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabel_user_tmpfs_dirs( domain )
Summary

Relabel to and from user tmpfs dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabel_user_tmpfs_files( domain )
Summary

Relabel to and from user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabelfrom_user_runtime_dirs( domain )
Summary

Relabel from user runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabelto_user_home_dirs( domain )
Summary

Relabel to user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabelto_user_ptys( domain )
Summary

Relabel files to unprivileged user pty types.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_relabelto_user_runtime_dirs( domain )
Summary

Relabel to user runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_ro_home_role( role , userdomain )
Summary

Allow a home directory for which the role has read-only access.

Description

Allow a home directory for which the role has read-only access.

This does not allow execute access.

Parameters
Parameter:Description:
role

The user role

userdomain

The user domain

userdom_runtime_filetrans_user_runtime_root( domain , object_class , name )
Summary

Create objects in the runtime directory with an automatic type transition to the user runtime root type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_rw_all_users_keys( domain )
Summary

Read and write keys for all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_unpriv_user_semaphores( domain )
Summary

Read and write unprivileged user SysV semaphores.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_unpriv_user_shared_mem( domain )
Summary

Read and write unprivileged user SysV shared memory segments.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_user_tmp_files( domain )
Summary

Read and write user temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_rw_user_tmpfs_files( domain )
Summary

Read and write user tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_all_user_runtime( domain )
Summary

Search user runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_user_home_content( domain )
Summary

Search user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_user_home_dirs( domain )
Summary

Search user home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_user_runtime( domain )
Summary

Search user runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_search_user_runtime_root( domain )
Summary

Search user runtime root directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_security_admin_template( domain , role )
Summary

Allow user to run as a secadm.

Description

Create objects in a user home directory with an automatic type transition to a specified private type.

This is a templated interface, and should only be called from a per-userdomain template.

Parameters
Parameter:Description:
domain

Domain allowed access.

role

The role of the object to create.

userdom_setattr_all_user_home_content_dirs( domain )
Summary

Set attributes of all user home content directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_setattr_user_ptys( domain )
Summary

Set the attributes of a user pty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_setattr_user_ttys( domain )
Summary

Set the attributes of a user domain tty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_sigchld_all_users( domain )
Summary

Send a SIGCHLD signal to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_signal_all_users( domain )
Summary

Send general signals to all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_signal_unpriv_users( domain )
Summary

Send general signals to unprivileged user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_signull_unpriv_users( domain )
Summary

Send signull to unprivileged user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_spec_domtrans_all_users( domain )
Summary

Execute a shell in all user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_spec_domtrans_unpriv_users( domain )
Summary

Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_tmp_filetrans_user_tmp( domain , object_class , name )
Summary

Create objects in the temporary directory with an automatic type transition to the user temporary type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_unlink_user_tmp_devices( domain )
Summary

Delete user_tmp_t device nodes (probably should not have been created in the first place)

Parameters
Parameter:Description:
domain

Domain to allow deleting

userdom_use_all_users_fds( domain )
Summary

Inherit the file descriptors from all user domains

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_inherited_user_terminals( domain )
Summary

Read and write user TTYs and PTYs.

Description

Allow the specified domain to read and write user TTYs and PTYs. This will allow the domain to interact with the user via the terminal. Typically all interactive applications will require this access.

However, this also allows the applications to spy on user sessions or inject information into the user session. Thus, this access should likely not be allowed for non-interactive domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_unpriv_users_fds( domain )
Summary

Inherit the file descriptors from unprivileged user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_user_ptys( domain )
Summary

Read and write a user domain pty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_user_terminals( domain )
Summary

Read, write and open user TTYs and PTYs.

Description

Allow the specified domain to read and write user TTYs and PTYs. This will allow the domain to interact with the user via the terminal. Typically all interactive applications will require this access.

This interface also allows the domain to open these user terminals, which should not be necessary in general; userdom_use_inherited_user_terminals() should be sufficient.

However, this also allows the applications to spy on user sessions or inject information into the user session. Thus, this access should likely not be allowed for non-interactive domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_use_user_ttys( domain )
Summary

Read and write a user domain tty.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_user_application_domain( type , type )
Summary

Make the specified type usable as a user application domain.

Parameters
Parameter:Description:
type

Type to be used as a user application domain.

type

Type to be used as the domain entry point.

userdom_user_application_type( type )
Summary

Make the specified type usable as a user application domain type.

Parameters
Parameter:Description:
type

Type to be used as a user application domain.

userdom_user_home_content( type )
Summary

Make the specified type usable in a user home directory.

Parameters
Parameter:Description:
type

Type to be used as a file in the user home directory.

userdom_user_home_content_filetrans( domain , private_type , object_class , name )
Summary

Create objects in a directory located in a user home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_home_dir_filetrans( domain , private_type , object_class , name )
Summary

Create objects in a user home directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_home_dir_filetrans_user_cert( domain , class , filename )
Summary

Automatically use the user_cert_t label for selected resources created in a user's home directory.

Parameters
Parameter:Description:
domain

Domain allowed access

class

Resource type(s) for which the label should be used

filename

Name of the resource that is being created

userdom_user_home_dir_filetrans_user_home_content( domain , object_class , name )
Summary

Create objects in a user home directory with an automatic type transition to the user home file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_home_domtrans( source_domain , target_domain )
Summary

Do a domain transition to the specified domain when executing a program in the user home directory.

Description

Do a domain transition to the specified domain when executing a program in the user home directory.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
Parameter:Description:
source_domain

Domain allowed to transition.

target_domain

Domain to transition to.

userdom_user_run_filetrans_user_runtime( domain , object_class , name )
Summary

Create objects in the user runtime root directory with an automatic type transition to the user runtime dir type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_runtime_content( type )
Summary

Make the specified type usable in the directory /run/user/%{USERID}/.

Parameters
Parameter:Description:
type

Type to be used as a file in the user_runtime_content_dir_t.

userdom_user_runtime_filetrans( domain , private_type , object_class , name )
Summary

Create objects in a user runtime directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.
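How userdom_user_home_dir_filetrans and userdom_user_runtime_filetrans are typically combined in a module so that an application's per-user state gets private types instead of the generic user types. This is an added example, not code from the reference policy. The module name myapp, the types myapp_t, myapp_exec_t, myapp_home_t and myapp_runtime_t, and the file names ".myapp" and "myapp.sock" are hypothetical; policy_module, application_domain, userdom_user_home_content and the manage_*_pattern macros come from the reference policy outside this section.

```selinux
# Added example: hypothetical module "myapp"; every myapp_* name is an assumption.
policy_module(myapp, 1.0.0)

# Domain and entrypoint type for the hypothetical application.
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

# Private type for per-user state kept under the home directory.
type myapp_home_t;
userdom_user_home_content(myapp_home_t)

# Private type for the per-user socket under /run/user/%{USERID}/.
type myapp_runtime_t;
userdom_user_runtime_content(myapp_runtime_t)

# Access is granted on the private types only; nothing here gives
# myapp_t access to generic user home content.
manage_dirs_pattern(myapp_t, myapp_home_t, myapp_home_t)
manage_files_pattern(myapp_t, myapp_home_t, myapp_home_t)
manage_sock_files_pattern(myapp_t, myapp_runtime_t, myapp_runtime_t)

# Named type transitions: only an object of the given class with the
# given name is relabelled when myapp_t creates it in the parent directory.
# Arguments: domain, private_type, object_class, name.
userdom_user_home_dir_filetrans(myapp_t, myapp_home_t, dir, ".myapp")
userdom_user_runtime_filetrans(myapp_t, myapp_runtime_t, sock_file, "myapp.sock")
```

After the module is loaded, `ls -Z` on the created directory and socket shows whether they carry the private types.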

userdom_user_runtime_filetrans_user_tmp( domain , object_class , name )
Summary

Create objects in the user runtime directory with an automatic type transition to the user temporary type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_runtime_root_filetrans_user_runtime( domain , object_class , name )
Summary

Create objects in the user runtime root directory with an automatic type transition to the user runtime dir type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_tmp_file( type )
Summary

Make the specified type usable as a user temporary file.

Parameters
Parameter:Description:
type

Type to be used as a file in the temporary directories.

userdom_user_tmp_filetrans( domain , private_type , object_class , name )
Summary

Create objects in a user temporary directory with an automatic type transition to a specified private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to create.

object_class

The class of the object to be created.

name

The name of the object being created.

userdom_user_tmpfs_file( type )
Summary

Make the specified type usable as a user tmpfs file.

Parameters
Parameter:Description:
type

Type to be used as a file in tmpfs directories.

userdom_watch_user_home_dirs( domain )
Summary

Watch users' home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_write_all_user_runtime_named_sockets( domain )
Summary

Write user runtime socket files.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_write_all_users_keys( domain )
Summary

Write keys for all user domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_write_user_runtime_sockets( domain )
Summary

Write user runtime sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_write_user_tmp_files( domain )
Summary

Write all users' files in /tmp.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_write_user_tmp_sockets( domain )
Summary

Write to user temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

userdom_xsession_spec_domtrans_all_users( domain )
Summary

Execute an Xserver session in all user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.

userdom_xsession_spec_domtrans_unpriv_users( domain )
Summary

Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the caller to use setexeccon().

Parameters
Parameter:Description:
domain

Domain allowed to transition.


Templates:

userdom_admin_user_template( userdomain_prefix )
Summary

The template for creating an administrative user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

The privileges given to administrative users are:

  • Raw disk access

  • Set all sysctls

  • All kernel ring buffer controls

  • Create, read, write, and delete all files but shadow

  • Manage source and binary format SELinux policy

  • Run insmod

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., sysadm is the prefix for sysadm_t).

userdom_base_user_template( userdomain_prefix )
Summary

The template containing the most basic rules common to all users.

Description

The template containing the most basic rules common to all users.

This template creates a user domain, types, and rules for the user's tty and pty.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_basic_networking_template( userdomain_prefix )
Summary

The template allowing the user basic network permissions.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_change_password_template( userdomain_prefix )
Summary

The template for allowing the user to change passwords.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_common_user_template( userdomain_prefix )
Summary

The template containing rules common to unprivileged users and administrative users.

Description

This template creates a user domain, types, and rules for the user's tty, pty, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_login_user_template( userdomain_prefix )
Summary

The template for creating a login user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_restricted_user_template( userdomain_prefix )
Summary

The template for creating an unprivileged login user.

Description

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_restricted_xwindows_user_template( userdomain_prefix )
Summary

The template for creating an unprivileged xwindows login user.

Description

The template for creating an unprivileged xwindows login user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_unpriv_user_template( userdomain_prefix )
Summary

The template for creating an unprivileged user roughly equivalent to a regular Linux user.

Description

The template for creating an unprivileged user roughly equivalent to a regular Linux user.

This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.

Parameters
Parameter:Description:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

userdom_user_content_access_template( prefix , domain )
Summary

Template for handling user content through standard tunables.

Description

This template generates the tunable blocks for accessing end user content, either the generic one (user_home_t) or the complete one (based on user_home_content_type).

It calls the *_read_generic_user_content, *_read_all_user_content, *_manage_generic_user_content, and *_manage_all_user_content booleans.

Parameters
Parameter:Description:
prefix

The application domain prefix to use, meant for the boolean calls

domain

The application domain which is granted the necessary privileges

userdom_xdg_user_template( domain )
Summary

Allow user to interact with xdg content types.

Description

Create rules to allow a user to manage xdg content in a user home directory with an automatic type transition to those types.

This is a templated interface, and should only be called from a per-userdomain template.

Parameters
Parameter:Description:
domain

Domain allowed access.
