[people/stevee/selinux-policy.git] / policy / modules / roles / staff.te

policy_module(staff, 2.2.0)

########################################
#
# Declarations
#

role staff_r;

userdom_unpriv_user_template(staff)
fs_exec_noxattr(staff_t)

# needed for sandbox
allow staff_t self:process setexec;

########################################
#
# Local policy
#

kernel_read_ring_buffer(staff_usertype)
kernel_getattr_core_if(staff_usertype)
kernel_getattr_message_if(staff_usertype)
kernel_read_software_raid_state(staff_usertype)
kernel_read_fs_sysctls(staff_usertype)

domain_read_all_domains_state(staff_usertype)
domain_getattr_all_domains(staff_usertype)
domain_obj_id_change_exemption(staff_t)

files_read_kernel_modules(staff_usertype)

seutil_read_module_store(staff_t)
seutil_run_newrole(staff_t, staff_r)

storage_read_scsi_generic(staff_t)
storage_write_scsi_generic(staff_t)

term_use_unallocated_ttys(staff_usertype)

auth_domtrans_pam_console(staff_t)

init_dbus_chat(staff_t)
init_dbus_chat_script(staff_t)

miscfiles_read_hwdata(staff_usertype)

ifndef(`enable_mls',`
	selinux_read_policy(staff_t)
')

optional_policy(`
	abrt_cache_read(staff_t)
')

optional_policy(`
	apache_role(staff_r, staff_t)
')

optional_policy(`
	auditadm_role_change(staff_r)
')

optional_policy(`
	dbadm_role_change(staff_r)
')

optional_policy(`
	accountsd_dbus_chat(staff_t)
	accountsd_read_lib_files(staff_t)
')

optional_policy(`
	colord_dbus_chat(staff_t)
')

optional_policy(`
	gnomeclock_dbus_chat(staff_t)
')

optional_policy(`
	firewallgui_dbus_chat(staff_t)
')

optional_policy(`
	gnome_role(staff_r, staff_t)
')

optional_policy(`
	lpd_list_spool(staff_t)
')

optional_policy(`
	mock_role(staff_r, staff_t)
')

optional_policy(`
	kerneloops_dbus_chat(staff_t)
')

optional_policy(`
	logadm_role_change(staff_r)
')

optional_policy(`
	mozilla_run_plugin(staff_t, staff_r)
')

optional_policy(`
	modutils_read_module_config(staff_usertype)
	modutils_read_module_deps(staff_usertype)
')

optional_policy(`
	netutils_run_ping(staff_t, staff_r)
	netutils_run_traceroute(staff_t, staff_r)
	netutils_signal_ping(staff_t)
	netutils_kill_ping(staff_t)
')

optional_policy(`
	oident_manage_user_content(staff_t)
	oident_relabel_user_content(staff_t)
')

optional_policy(`
	mysql_exec(staff_t)
')

optional_policy(`
	postgresql_role(staff_r, staff_t)
')

optional_policy(`
	qemu_run(staff_t, staff_r)
	virt_manage_tmpfs_files(staff_t)
	virt_filetrans_home_content(staff_t)
')

optional_policy(`
	rtkit_scheduled(staff_t)
')

optional_policy(`
	rpm_dbus_chat(staff_usertype)
')

optional_policy(`
	secadm_role_change(staff_r)
')

optional_policy(`
	sandbox_transition(staff_t, staff_r)
')

optional_policy(`
	screen_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	sysadm_role_change(staff_r)
	userdom_dontaudit_use_user_terminals(staff_t)
')
optional_policy(`
	setroubleshoot_stream_connect(staff_t)
	setroubleshoot_dbus_chat(staff_t)
	setroubleshoot_dbus_chat_fixit(staff_t)
')

optional_policy(`
	ssh_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	sudo_role_template(staff, staff_r, staff_t)
')

#optional_policy(`
#	telepathy_dbus_session_role(staff_r, staff_t)
#')

optional_policy(`
	userhelper_console_role_template(staff, staff_r, staff_usertype)
')

optional_policy(`
	unconfined_role_change(staff_r)
')

optional_policy(`
	virt_stream_connect(staff_t)
')

optional_policy(`
	vnstatd_read_lib_files(staff_t)
')

optional_policy(`
	webadm_role_change(staff_r)
')

optional_policy(`
	vlock_run(staff_t, staff_r)
')

optional_policy(`
	xserver_role(staff_r, staff_t)
')

ifndef(`distro_redhat',`
	optional_policy(`
		auth_role(staff_r, staff_t)
	')

	optional_policy(`
		bluetooth_role(staff_r, staff_t)
	')

	optional_policy(`
		cdrecord_role(staff_r, staff_t)
	')

	optional_policy(`
		cron_role(staff_r, staff_t)
	')

	optional_policy(`
		dbus_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		evolution_role(staff_r, staff_t)
	')

	optional_policy(`
		games_role(staff_r, staff_t)
	')

	optional_policy(`
		gift_role(staff_r, staff_t)
	')

	optional_policy(`
		gpg_role(staff_r, staff_t)
	')

	optional_policy(`
		irc_role(staff_r, staff_t)
	')

	optional_policy(`
		java_role(staff_r, staff_t)
	')

	optional_policy(`
		lockdev_role(staff_r, staff_t)
	')

	optional_policy(`
		lpd_role(staff_r, staff_t)
	')

	optional_policy(`
		mozilla_role(staff_r, staff_t)
	')

	optional_policy(`
		mplayer_role(staff_r, staff_t)
	')

	optional_policy(`
		mta_role(staff_r, staff_t)
	')

	optional_policy(`
		pyzor_role(staff_r, staff_t)
	')

	optional_policy(`
		razor_role(staff_r, staff_t)
	')

	optional_policy(`
		rssh_role(staff_r, staff_t)
	')

	optional_policy(`
		spamassassin_role(staff_r, staff_t)
	')

	optional_policy(`
		su_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		thunderbird_role(staff_r, staff_t)
	')

	optional_policy(`
		tvtime_role(staff_r, staff_t)
	')

	optional_policy(`
		uml_role(staff_r, staff_t)
	')

	optional_policy(`
		userhelper_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		vmware_role(staff_r, staff_t)
	')

	optional_policy(`
		wireshark_role(staff_r, staff_t)
	')
')

tunable_policy(`allow_execmod',`
	userdom_execmod_user_home_files(staff_usertype)
')
Commit	Line	Data
826d0142	1	policy_module(staff, 2.2.0)
e9c6cda7 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	role staff_r;
	9
	10	userdom_unpriv_user_template(staff)
3eaa9939 DW	11	fs_exec_noxattr(staff_t)
	12
	13	# needed for sandbox
	14	allow staff_t self:process setexec;
e9c6cda7 CP	15
	16	########################################
	17	#
	18	# Local policy
	19	#
	20
3eaa9939 DW	21	kernel_read_ring_buffer(staff_usertype)
	22	kernel_getattr_core_if(staff_usertype)
	23	kernel_getattr_message_if(staff_usertype)
	24	kernel_read_software_raid_state(staff_usertype)
2968e068 DW	25	kernel_read_fs_sysctls(staff_usertype)
	26
	27	domain_read_all_domains_state(staff_usertype)
	28	domain_getattr_all_domains(staff_usertype)
	29	domain_obj_id_change_exemption(staff_t)
	30
	31	files_read_kernel_modules(staff_usertype)
	32
	33	seutil_read_module_store(staff_t)
	34	seutil_run_newrole(staff_t, staff_r)
	35
5c589335 DW	36	storage_read_scsi_generic(staff_t)
	37	storage_write_scsi_generic(staff_t)
	38
2968e068	39	term_use_unallocated_ttys(staff_usertype)
3eaa9939 DW	40
	41	auth_domtrans_pam_console(staff_t)
	42
	43	init_dbus_chat(staff_t)
	44	init_dbus_chat_script(staff_t)
	45
2968e068 DW	46	miscfiles_read_hwdata(staff_usertype)
2968e068 DW	47
4ba442da DW	48	ifndef(`enable_mls',`
	49	selinux_read_policy(staff_t)
	50	')
	51
4ad28653 DW	52	optional_policy(`
	53	abrt_cache_read(staff_t)
	54	')
	55
e9c6cda7	56	optional_policy(`
296273a7	57	apache_role(staff_r, staff_t)
e9c6cda7 CP	58	')
e9c6cda7 CP	59
3eaa9939	60	optional_policy(`
296273a7	61	auditadm_role_change(staff_r)
3eaa9939 DW	62	')
3eaa9939 DW	63
e9c6cda7	64	optional_policy(`
c62f1bef	65	dbadm_role_change(staff_r)
e9c6cda7 CP	66	')
e9c6cda7 CP	67
c62f1bef	68	optional_policy(`
14ffaf83 DW	69	accountsd_dbus_chat(staff_t)
14ffaf83 DW	70	accountsd_read_lib_files(staff_t)
3eaa9939 DW	71	')
3eaa9939 DW	72
27608c5b DW	73	optional_policy(`
	74	colord_dbus_chat(staff_t)
	75	')
	76
3eaa9939	77	optional_policy(`
14ffaf83	78	gnomeclock_dbus_chat(staff_t)
3eaa9939 DW	79	')
3eaa9939 DW	80
3eaa9939	81	optional_policy(`
14ffaf83 DW	82	firewallgui_dbus_chat(staff_t)
	83	')
	84
ca9e8850 DW	85	optional_policy(`
	86	gnome_role(staff_r, staff_t)
	87	')
	88
14ffaf83 DW	89	optional_policy(`
14ffaf83 DW	90	lpd_list_spool(staff_t)
3eaa9939 DW	91	')
3eaa9939 DW	92
28545264 DW	93	optional_policy(`
	94	mock_role(staff_r, staff_t)
	95	')
	96
3eaa9939	97	optional_policy(`
14ffaf83 DW	98	kerneloops_dbus_chat(staff_t)
	99	')
	100
	101	optional_policy(`
	102	logadm_role_change(staff_r)
	103	')
	104
	105	optional_policy(`
	106	mozilla_run_plugin(staff_t, staff_r)
3eaa9939 DW	107	')
3eaa9939 DW	108
2371d8d8 MG	109	optional_policy(`
	110	modutils_read_module_config(staff_usertype)
	111	modutils_read_module_deps(staff_usertype)
	112	')
	113
	114	optional_policy(`
	115	netutils_run_ping(staff_t, staff_r)
	116	netutils_run_traceroute(staff_t, staff_r)
	117	netutils_signal_ping(staff_t)
	118	netutils_kill_ping(staff_t)
	119	')
	120
366396d8 DW	121	optional_policy(`
	122	oident_manage_user_content(staff_t)
	123	oident_relabel_user_content(staff_t)
	124	')
	125
a7129342 DW	126	optional_policy(`
	127	mysql_exec(staff_t)
	128	')
	129
3eaa9939	130	optional_policy(`
2968e068	131	postgresql_role(staff_r, staff_t)
3eaa9939 DW	132	')
3eaa9939 DW	133
4f620e4f	134	optional_policy(`
1966f12c	135	qemu_run(staff_t, staff_r)
d87a4847	136	virt_manage_tmpfs_files(staff_t)
a11cc065	137	virt_filetrans_home_content(staff_t)
4f620e4f DW	138	')
4f620e4f DW	139
3eaa9939	140	optional_policy(`
14ffaf83	141	rtkit_scheduled(staff_t)
3eaa9939 DW	142	')
	143
	144	optional_policy(`
14ffaf83	145	rpm_dbus_chat(staff_usertype)
3eaa9939 DW	146	')
	147
	148	optional_policy(`
c87e1502	149	secadm_role_change(staff_r)
296273a7 CP	150	')
	151
	152	optional_policy(`
14ffaf83	153	sandbox_transition(staff_t, staff_r)
3eaa9939 DW	154	')
	155
	156	optional_policy(`
2968e068	157	screen_role_template(staff, staff_r, staff_t)
3eaa9939 DW	158	')
3eaa9939 DW	159
296273a7	160	optional_policy(`
c87e1502 JS	161	sysadm_role_change(staff_r)
c87e1502 JS	162	userdom_dontaudit_use_user_terminals(staff_t)
296273a7	163	')
14ffaf83 DW	164	optional_policy(`
	165	setroubleshoot_stream_connect(staff_t)
	166	setroubleshoot_dbus_chat(staff_t)
	167	setroubleshoot_dbus_chat_fixit(staff_t)
	168	')
	169
3eaa9939	170	optional_policy(`
2968e068	171	ssh_role_template(staff, staff_r, staff_t)
3eaa9939 DW	172	')
	173
	174	optional_policy(`
2968e068	175	sudo_role_template(staff, staff_r, staff_t)
3eaa9939 DW	176	')
3eaa9939 DW	177
3a7aacc9 MG	178	#optional_policy(`
	179	# telepathy_dbus_session_role(staff_r, staff_t)
	180	#')
c62f1bef	181
296273a7	182	optional_policy(`
14ffaf83 DW	183	userhelper_console_role_template(staff, staff_r, staff_usertype)
	184	')
	185
	186	optional_policy(`
	187	unconfined_role_change(staff_r)
	188	')
	189
	190	optional_policy(`
	191	virt_stream_connect(staff_t)
	192	')
	193
0a394bf0 DW	194	optional_policy(`
	195	vnstatd_read_lib_files(staff_t)
	196	')
	197
14ffaf83 DW	198	optional_policy(`
14ffaf83 DW	199	webadm_role_change(staff_r)
296273a7 CP	200	')
296273a7 CP	201
d35e2ee0	202	optional_policy(`
7f9f5bce	203	vlock_run(staff_t, staff_r)
d35e2ee0 HC	204	')
d35e2ee0 HC	205
3eaa9939	206	optional_policy(`
2968e068	207	xserver_role(staff_r, staff_t)
3eaa9939 DW	208	')
	209
	210	ifndef(`distro_redhat',`
2968e068 DW	211	optional_policy(`
	212	auth_role(staff_r, staff_t)
	213	')
	214
	215	optional_policy(`
	216	bluetooth_role(staff_r, staff_t)
	217	')
	218
	219	optional_policy(`
	220	cdrecord_role(staff_r, staff_t)
	221	')
	222
	223	optional_policy(`
	224	cron_role(staff_r, staff_t)
	225	')
	226
	227	optional_policy(`
	228	dbus_role_template(staff, staff_r, staff_t)
	229	')
3eaa9939	230
2968e068 DW	231	optional_policy(`
	232	evolution_role(staff_r, staff_t)
	233	')
3eaa9939	234
2968e068 DW	235	optional_policy(`
	236	games_role(staff_r, staff_t)
	237	')
3eaa9939	238
2968e068 DW	239	optional_policy(`
	240	gift_role(staff_r, staff_t)
	241	')
296273a7	242
2968e068 DW	243	optional_policy(`
	244	gpg_role(staff_r, staff_t)
	245	')
296273a7	246
2968e068 DW	247	optional_policy(`
	248	irc_role(staff_r, staff_t)
	249	')
3eaa9939	250
2968e068 DW	251	optional_policy(`
	252	java_role(staff_r, staff_t)
	253	')
296273a7	254
2968e068 DW	255	optional_policy(`
	256	lockdev_role(staff_r, staff_t)
	257	')
296273a7	258
2968e068 DW	259	optional_policy(`
	260	lpd_role(staff_r, staff_t)
	261	')
296273a7	262
2968e068 DW	263	optional_policy(`
	264	mozilla_role(staff_r, staff_t)
	265	')
3eaa9939	266
2968e068 DW	267	optional_policy(`
	268	mplayer_role(staff_r, staff_t)
	269	')
3eaa9939	270
2968e068 DW	271	optional_policy(`
	272	mta_role(staff_r, staff_t)
	273	')
3eaa9939	274
2968e068 DW	275	optional_policy(`
	276	pyzor_role(staff_r, staff_t)
	277	')
3eaa9939	278
2968e068 DW	279	optional_policy(`
	280	razor_role(staff_r, staff_t)
	281	')
3eaa9939	282
2968e068 DW	283	optional_policy(`
	284	rssh_role(staff_r, staff_t)
	285	')
3eaa9939	286
2968e068 DW	287	optional_policy(`
	288	spamassassin_role(staff_r, staff_t)
	289	')
3eaa9939	290
2968e068 DW	291	optional_policy(`
	292	su_role_template(staff, staff_r, staff_t)
	293	')
3eaa9939	294
2968e068 DW	295	optional_policy(`
	296	thunderbird_role(staff_r, staff_t)
	297	')
3eaa9939	298
2968e068 DW	299	optional_policy(`
	300	tvtime_role(staff_r, staff_t)
	301	')
3eaa9939	302
2968e068 DW	303	optional_policy(`
	304	uml_role(staff_r, staff_t)
	305	')
3eaa9939	306
2968e068 DW	307	optional_policy(`
	308	userhelper_role_template(staff, staff_r, staff_t)
	309	')
3eaa9939	310
2968e068 DW	311	optional_policy(`
	312	vmware_role(staff_r, staff_t)
	313	')
3eaa9939	314
2968e068 DW	315	optional_policy(`
	316	wireshark_role(staff_r, staff_t)
	317	')
	318	')
4d22fba0 DW	319
	320	tunable_policy(`allow_execmod',`
	321	userdom_execmod_user_home_files(staff_usertype)
	322	')