[people/stevee/selinux-policy.git] / policy / modules / roles / staff.te

policy_module(staff, 2.2.0)

########################################
#
# Declarations
#

role staff_r;

userdom_unpriv_user_template(staff)
fs_exec_noxattr(staff_t)

# needed for sandbox
allow staff_t self:process setexec;

########################################
#
# Local policy
#

kernel_read_ring_buffer(staff_t)
kernel_getattr_core_if(staff_t)
kernel_getattr_message_if(staff_t)
kernel_read_software_raid_state(staff_t)
kernel_read_fs_sysctls(staff_t)

fs_read_hugetlbfs_files(staff_t)

dev_read_cpuid(staff_t)

domain_read_all_domains_state(staff_t)
domain_getattr_all_domains(staff_t)
domain_obj_id_change_exemption(staff_t)

files_read_kernel_modules(staff_t)

seutil_read_module_store(staff_t)
seutil_run_newrole(staff_t, staff_r)

storage_read_scsi_generic(staff_t)
storage_write_scsi_generic(staff_t)

term_use_unallocated_ttys(staff_t)

auth_domtrans_pam_console(staff_t)

init_dbus_chat(staff_t)
init_dbus_chat_script(staff_t)

miscfiles_read_hwdata(staff_t)

ifndef(`enable_mls',`
	selinux_read_policy(staff_t)
')

optional_policy(`
	abrt_read_cache(staff_t)
')

optional_policy(`
	apache_role(staff_r, staff_t)
')

optional_policy(`
	auditadm_role_change(staff_r)
')

optional_policy(`
	blueman_dbus_chat(staff_t)
')

optional_policy(`
	dbadm_role_change(staff_r)
')

optional_policy(`
	accountsd_dbus_chat(staff_t)
	accountsd_read_lib_files(staff_t)
')

optional_policy(`
	colord_dbus_chat(staff_t)
')

optional_policy(`
	gnomeclock_dbus_chat(staff_t)
')

optional_policy(`
	gnome_role(staff_r, staff_t)
')

optional_policy(`
	irc_role(staff_r, staff_t)
')

optional_policy(`
	lpd_list_spool(staff_t)
')

optional_policy(`
	mock_role(staff_r, staff_t)
')

optional_policy(`
	kerneloops_dbus_chat(staff_t)
')

optional_policy(`
	logadm_role_change(staff_r)
')

optional_policy(`
	modutils_read_module_config(staff_t)
	modutils_read_module_deps(staff_t)
')

optional_policy(`
	netutils_run_ping(staff_t, staff_r)
	netutils_run_traceroute(staff_t, staff_r)
	netutils_signal_ping(staff_t)
	netutils_kill_ping(staff_t)
')

optional_policy(`
	oident_manage_user_content(staff_t)
	oident_relabel_user_content(staff_t)
')

optional_policy(`
	mta_role(staff_r, staff_t)
')

optional_policy(`
	mysql_exec(staff_t)
')

optional_policy(`
	polipo_role(staff_r, staff_t)
	polipo_named_filetrans_cache_home_dirs(staff_t)
	polipo_named_filetrans_config_home_files(staff_t)
')

optional_policy(`
	postgresql_role(staff_r, staff_t)
')

optional_policy(`
	rtkit_scheduled(staff_t)
')

optional_policy(`
	rpm_dbus_chat(staff_t)
')

optional_policy(`
	secadm_role_change(staff_r)
')

optional_policy(`
	sandbox_transition(staff_t, staff_r)
')

optional_policy(`
	screen_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	sysadm_role_change(staff_r)
	userdom_dontaudit_use_user_terminals(staff_t)
')

optional_policy(`
	setroubleshoot_stream_connect(staff_t)
	setroubleshoot_dbus_chat(staff_t)
	setroubleshoot_dbus_chat_fixit(staff_t)
')

optional_policy(`
	ssh_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	sudo_role_template(staff, staff_r, staff_t)
')

#optional_policy(`
#	telepathy_dbus_session_role(staff_r, staff_t)
#')

optional_policy(`
	userhelper_console_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	unconfined_role_change(staff_r)
')

optional_policy(`
	usbmuxd_stream_connect(staff_t)
')

optional_policy(`
	virt_stream_connect(staff_t)
')

optional_policy(`
	vlock_run(staff_t, staff_r)
')

optional_policy(`
	vnstatd_read_lib_files(staff_t)
')

optional_policy(`
	webadm_role_change(staff_r)
')

optional_policy(`
	xserver_role(staff_r, staff_t)
')

ifndef(`distro_redhat',`
	optional_policy(`
		auth_role(staff_r, staff_t)
	')

	optional_policy(`
		bluetooth_role(staff_r, staff_t)
	')

	optional_policy(`
		cdrecord_role(staff_r, staff_t)
	')

	optional_policy(`
		cron_role(staff_r, staff_t)
	')

	optional_policy(`
		dbus_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		gpg_role(staff_r, staff_t)
	')

	optional_policy(`
		java_role(staff_r, staff_t)
	')

	optional_policy(`
		lockdev_role(staff_r, staff_t)
	')

	optional_policy(`
		lpd_role(staff_r, staff_t)
	')

	optional_policy(`
		mplayer_role(staff_r, staff_t)
	')

	optional_policy(`
		pyzor_role(staff_r, staff_t)
	')

	optional_policy(`
		razor_role(staff_r, staff_t)
	')

	optional_policy(`
		rssh_role(staff_r, staff_t)
	')

	optional_policy(`
		spamassassin_role(staff_r, staff_t)
	')

	optional_policy(`
		su_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		thunderbird_role(staff_r, staff_t)
	')

	optional_policy(`
		tvtime_role(staff_r, staff_t)
	')

	optional_policy(`
		uml_role(staff_r, staff_t)
	')

	optional_policy(`
		userhelper_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		vmware_role(staff_r, staff_t)
	')

	optional_policy(`
		wireshark_role(staff_r, staff_t)
	')
')

tunable_policy(`allow_execmod',`
	userdom_execmod_user_home_files(staff_t)
')
Commit	Line	Data
826d0142	1	policy_module(staff, 2.2.0)
e9c6cda7 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	role staff_r;
	9
	10	userdom_unpriv_user_template(staff)
3eaa9939 DW	11	fs_exec_noxattr(staff_t)
	12
	13	# needed for sandbox
	14	allow staff_t self:process setexec;
e9c6cda7 CP	15
	16	########################################
	17	#
	18	# Local policy
	19	#
	20
a6c4623b DW	21	kernel_read_ring_buffer(staff_t)
	22	kernel_getattr_core_if(staff_t)
	23	kernel_getattr_message_if(staff_t)
	24	kernel_read_software_raid_state(staff_t)
	25	kernel_read_fs_sysctls(staff_t)
2968e068	26
a6c4623b	27	fs_read_hugetlbfs_files(staff_t)
acba86e0	28
a6c4623b	29	dev_read_cpuid(staff_t)
3ac15b7c	30
a6c4623b DW	31	domain_read_all_domains_state(staff_t)
a6c4623b DW	32	domain_getattr_all_domains(staff_t)
2968e068 DW	33	domain_obj_id_change_exemption(staff_t)
2968e068 DW	34
a6c4623b	35	files_read_kernel_modules(staff_t)
2968e068 DW	36
	37	seutil_read_module_store(staff_t)
	38	seutil_run_newrole(staff_t, staff_r)
	39
5c589335 DW	40	storage_read_scsi_generic(staff_t)
	41	storage_write_scsi_generic(staff_t)
	42
a6c4623b	43	term_use_unallocated_ttys(staff_t)
3eaa9939 DW	44
	45	auth_domtrans_pam_console(staff_t)
	46
	47	init_dbus_chat(staff_t)
	48	init_dbus_chat_script(staff_t)
	49
a6c4623b	50	miscfiles_read_hwdata(staff_t)
2968e068	51
4ba442da DW	52	ifndef(`enable_mls',`
	53	selinux_read_policy(staff_t)
	54	')
	55
4ad28653	56	optional_policy(`
0e7fbb58	57	abrt_read_cache(staff_t)
4ad28653 DW	58	')
4ad28653 DW	59
e9c6cda7	60	optional_policy(`
296273a7	61	apache_role(staff_r, staff_t)
e9c6cda7 CP	62	')
e9c6cda7 CP	63
3eaa9939	64	optional_policy(`
296273a7	65	auditadm_role_change(staff_r)
3eaa9939 DW	66	')
3eaa9939 DW	67
a3cfe808 DW	68	optional_policy(`
	69	blueman_dbus_chat(staff_t)
	70	')
	71
e9c6cda7	72	optional_policy(`
c62f1bef	73	dbadm_role_change(staff_r)
e9c6cda7 CP	74	')
e9c6cda7 CP	75
c62f1bef	76	optional_policy(`
14ffaf83 DW	77	accountsd_dbus_chat(staff_t)
14ffaf83 DW	78	accountsd_read_lib_files(staff_t)
3eaa9939 DW	79	')
3eaa9939 DW	80
27608c5b DW	81	optional_policy(`
	82	colord_dbus_chat(staff_t)
	83	')
	84
3eaa9939	85	optional_policy(`
14ffaf83	86	gnomeclock_dbus_chat(staff_t)
3eaa9939 DW	87	')
3eaa9939 DW	88
ca9e8850 DW	89	optional_policy(`
	90	gnome_role(staff_r, staff_t)
	91	')
	92
f8f030aa DG	93	optional_policy(`
	94	irc_role(staff_r, staff_t)
	95	')
	96
14ffaf83 DW	97	optional_policy(`
14ffaf83 DW	98	lpd_list_spool(staff_t)
3eaa9939 DW	99	')
3eaa9939 DW	100
28545264 DW	101	optional_policy(`
	102	mock_role(staff_r, staff_t)
	103	')
	104
3eaa9939	105	optional_policy(`
14ffaf83 DW	106	kerneloops_dbus_chat(staff_t)
	107	')
	108
	109	optional_policy(`
	110	logadm_role_change(staff_r)
	111	')
	112
2371d8d8	113	optional_policy(`
a6c4623b DW	114	modutils_read_module_config(staff_t)
a6c4623b DW	115	modutils_read_module_deps(staff_t)
2371d8d8 MG	116	')
	117
	118	optional_policy(`
	119	netutils_run_ping(staff_t, staff_r)
	120	netutils_run_traceroute(staff_t, staff_r)
	121	netutils_signal_ping(staff_t)
	122	netutils_kill_ping(staff_t)
	123	')
	124
366396d8 DW	125	optional_policy(`
	126	oident_manage_user_content(staff_t)
	127	oident_relabel_user_content(staff_t)
	128	')
	129
9a52a69e MG	130	optional_policy(`
	131	mta_role(staff_r, staff_t)
	132	')
	133
a7129342 DW	134	optional_policy(`
	135	mysql_exec(staff_t)
	136	')
	137
f1b7d092 DG	138	optional_policy(`
	139	polipo_role(staff_r, staff_t)
	140	polipo_named_filetrans_cache_home_dirs(staff_t)
	141	polipo_named_filetrans_config_home_files(staff_t)
	142	')
	143
3eaa9939	144	optional_policy(`
2968e068	145	postgresql_role(staff_r, staff_t)
3eaa9939 DW	146	')
	147
	148	optional_policy(`
14ffaf83	149	rtkit_scheduled(staff_t)
3eaa9939 DW	150	')
	151
	152	optional_policy(`
a6c4623b	153	rpm_dbus_chat(staff_t)
3eaa9939 DW	154	')
	155
	156	optional_policy(`
c87e1502	157	secadm_role_change(staff_r)
296273a7 CP	158	')
	159
	160	optional_policy(`
14ffaf83	161	sandbox_transition(staff_t, staff_r)
3eaa9939 DW	162	')
	163
	164	optional_policy(`
2968e068	165	screen_role_template(staff, staff_r, staff_t)
3eaa9939 DW	166	')
3eaa9939 DW	167
296273a7	168	optional_policy(`
c87e1502 JS	169	sysadm_role_change(staff_r)
c87e1502 JS	170	userdom_dontaudit_use_user_terminals(staff_t)
296273a7	171	')
7c525b65	172
14ffaf83 DW	173	optional_policy(`
	174	setroubleshoot_stream_connect(staff_t)
	175	setroubleshoot_dbus_chat(staff_t)
	176	setroubleshoot_dbus_chat_fixit(staff_t)
	177	')
	178
3eaa9939	179	optional_policy(`
4e857ebf	180	ssh_role_template(staff, staff_r, staff_t)
3eaa9939 DW	181	')
	182
	183	optional_policy(`
2968e068	184	sudo_role_template(staff, staff_r, staff_t)
3eaa9939 DW	185	')
3eaa9939 DW	186
3a7aacc9 MG	187	#optional_policy(`
	188	# telepathy_dbus_session_role(staff_r, staff_t)
	189	#')
c62f1bef	190
296273a7	191	optional_policy(`
a6c4623b	192	userhelper_console_role_template(staff, staff_r, staff_t)
14ffaf83 DW	193	')
	194
	195	optional_policy(`
	196	unconfined_role_change(staff_r)
	197	')
	198
3bf6566d	199	optional_policy(`
	200	usbmuxd_stream_connect(staff_t)
	201	')
	202
14ffaf83 DW	203	optional_policy(`
	204	virt_stream_connect(staff_t)
	205	')
	206
0a394bf0	207	optional_policy(`
7c525b65	208	vlock_run(staff_t, staff_r)
0a394bf0 DW	209	')
0a394bf0 DW	210
14ffaf83	211	optional_policy(`
7c525b65	212	vnstatd_read_lib_files(staff_t)
296273a7 CP	213	')
296273a7 CP	214
d35e2ee0	215	optional_policy(`
7c525b65	216	webadm_role_change(staff_r)
d35e2ee0 HC	217	')
d35e2ee0 HC	218
3eaa9939	219	optional_policy(`
2968e068	220	xserver_role(staff_r, staff_t)
3eaa9939 DW	221	')
	222
	223	ifndef(`distro_redhat',`
2968e068 DW	224	optional_policy(`
	225	auth_role(staff_r, staff_t)
	226	')
	227
	228	optional_policy(`
	229	bluetooth_role(staff_r, staff_t)
	230	')
	231
	232	optional_policy(`
	233	cdrecord_role(staff_r, staff_t)
	234	')
	235
	236	optional_policy(`
	237	cron_role(staff_r, staff_t)
	238	')
	239
	240	optional_policy(`
	241	dbus_role_template(staff, staff_r, staff_t)
2968e068	242	')
296273a7	243
2968e068 DW	244	optional_policy(`
	245	gpg_role(staff_r, staff_t)
	246	')
296273a7	247
2968e068 DW	248	optional_policy(`
	249	java_role(staff_r, staff_t)
	250	')
296273a7	251
2968e068 DW	252	optional_policy(`
	253	lockdev_role(staff_r, staff_t)
	254	')
296273a7	255
2968e068 DW	256	optional_policy(`
	257	lpd_role(staff_r, staff_t)
	258	')
296273a7	259
2968e068 DW	260	optional_policy(`
	261	mplayer_role(staff_r, staff_t)
	262	')
3eaa9939	263
2968e068 DW	264	optional_policy(`
	265	pyzor_role(staff_r, staff_t)
	266	')
3eaa9939	267
2968e068 DW	268	optional_policy(`
	269	razor_role(staff_r, staff_t)
	270	')
3eaa9939	271
2968e068 DW	272	optional_policy(`
	273	rssh_role(staff_r, staff_t)
	274	')
3eaa9939	275
2968e068 DW	276	optional_policy(`
	277	spamassassin_role(staff_r, staff_t)
	278	')
3eaa9939	279
2968e068 DW	280	optional_policy(`
	281	su_role_template(staff, staff_r, staff_t)
	282	')
3eaa9939	283
2968e068 DW	284	optional_policy(`
	285	thunderbird_role(staff_r, staff_t)
	286	')
3eaa9939	287
2968e068 DW	288	optional_policy(`
	289	tvtime_role(staff_r, staff_t)
	290	')
3eaa9939	291
2968e068 DW	292	optional_policy(`
	293	uml_role(staff_r, staff_t)
	294	')
3eaa9939	295
2968e068 DW	296	optional_policy(`
	297	userhelper_role_template(staff, staff_r, staff_t)
	298	')
3eaa9939	299
2968e068 DW	300	optional_policy(`
	301	vmware_role(staff_r, staff_t)
	302	')
3eaa9939	303
2968e068 DW	304	optional_policy(`
	305	wireshark_role(staff_r, staff_t)
	306	')
	307	')
4d22fba0 DW	308
4d22fba0 DW	309	tunable_policy(`allow_execmod',`
a6c4623b	310	userdom_execmod_user_home_files(staff_t)
4d22fba0	311	')