-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathshelluser.te.j2
40 lines (28 loc) · 1.56 KB
/
shelluser.te.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# {{ ansible_managed }}
policy_module(uberspace_{{ user }}, 1.0)
userdom_restricted_user_template(uberspace_{{ user }})
sysnet_dns_name_resolve(uberspace_{{ user }}_t)
allow uberspace_{{ user }}_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(uberspace_{{ user }}_t)
corenet_tcp_sendrecv_all_nodes(uberspace_{{ user }}_t)
corenet_tcp_sendrecv_all_ports(uberspace_{{ user }}_t)
allow uberspace_{{ user }}_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(uberspace_{{ user }}_t)
corenet_udp_sendrecv_all_nodes(uberspace_{{ user }}_t)
corenet_udp_sendrecv_all_ports(uberspace_{{ user }}_t)
corenet_tcp_connect_all_ports(uberspace_{{ user }}_t) # allow all outgoing
type uberspace_{{ user }}_port_t, port_type;
allow uberspace_{{ user }}_t uberspace_{{ user }}_port_t:tcp_socket {
name_connect
name_bind
send_msg
recv_msg };
allow uberspace_{{ user }}_t proc_t:dir { getattr read };
allow uberspace_{{ user }}_t proc_t:file { getattr open read };
screen_role_template(uberspace_{{ user }}, uberspace_{{ user }}_r, uberspace_{{ user }}_t)
allow uberspace_{{ user }}_t screen_var_run_t:dir { getattr open read search ioctl };
allow uberspace_{{ user }}_t screen_var_run_t:sock_file { getattr read };
allow uberspace_{{ user }}_t screen_var_run_t:socket { getattr read connect ioctl };
# Allow users to only bind on specified ports.
allow uberspace_{{ user }}_t uberspace_{{ user }}_port_t:tcp_socket name_bind;
allow uberspace_{{ user }}_t uberspace_{{ user }}_port_t:udp_socket name_bind;