include <tunables/global>

# Allow confined_users to read, write, lock and link to their own files
# anywhere, and execute from some places.
profile confined_user {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  deny capability sys_ptrace,

  /bin/** mrPix,
  /usr/bin/** mrPix,
  @{PROC}/** r,
  owner /** rwlk,
  owner @{HOMEDIRS}/bin/** mrix,
}

# By default, allow users to read, lock and link to their own files anywhere,
# but only write to files in their home directory. Only allow limited execution
# of files.
profile default_user {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  deny capability sys_ptrace,

  capability fsetid,

  /bin/** mrPix,
  /usr/bin/** mrPix,
  @{PROC}/** r,
  owner /** rlk,
  owner /** w,
  owner @{HOMEDIRS}/ w,
  owner @{HOMEDIRS}/** w,
}
