Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
# Declares the xguest policy module and its version (1.1.0).
policy_module(xguest, 1.1.0)

########################################
#
# Declarations
#

# NOTE(review): every tunable declared in this module defaults to true, so the
# guest role starts with removable-media, network and Bluetooth access enabled.
# Deployments that want a tighter guest account can switch a tunable off at
# runtime, e.g. setsebool -P xguest_mount_media off.

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media, true)

# This tunable gates more than NetworkManager: the local policy also uses it
# for TCP connections to the PulseAudio and IPP ports.

## <desc>
## <p>
## Allow xguest to communicate with NetworkManager over D-Bus and to
## connect to the PulseAudio and IPP TCP ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)

## <desc>
## <p>
## Allow xguest to use Bluetooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, true)

# Role used by the guest account; passed to the java and mozilla role
# interfaces in the local policy.
role xguest_r;

# Instantiates the restricted X Windows user template with the xguest prefix.
# The local policy grants its additional access to xguest_t, which is
# presumably the domain this template creates (confirm in the userdomain
# module).
userdom_restricted_xwindows_user_template(xguest)

########################################
#
# Local policy
#

# Rules applied only when the policy is built without MLS.
# NOTE(review): raw read access to removable devices is granted in both
# branches of the tunable below, so it applies whether or not
# user_rw_noexattrfile is set and independently of xguest_mount_media.
# Enabling user_rw_noexattrfile adds raw write access. Raw device access is
# not mediated by file permissions on the media, so confirm this is the
# intended baseline for a guest role.
ifndef(`enable_mls',`
	# Execute files located on filesystems without extended-attribute support.
	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Write floppies
		storage_raw_read_removable_device(xguest_t)
		storage_raw_write_removable_device(xguest_t)
	',`
		# Tunable off: raw read of removable devices is still allowed.
		storage_raw_read_removable_device(xguest_t)
	')
')

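# Allow mounting of file systems
# Applied only while the xguest_mount_media tunable is on (declared true by
# default in this module).
# NOTE(review): none of the interfaces called here is named as a mount
# permission; presumably the mount itself is performed by another component on
# behalf of the user and these rules cover access to the mounted media.
# Confirm against the interface definitions.
optional_policy(`
	tunable_policy(`xguest_mount_media',`
		kernel_read_fs_sysctls(xguest_t)

		files_dontaudit_getattr_boot_dirs(xguest_t)
		files_search_mnt(xguest_t)

		# Access to filesystems without extended-attribute support.
		# The directory rule appeared twice in a row, one copy is kept.
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_getattr_noxattr_fs(xguest_t)
		fs_read_noxattr_fs_symlinks(xguest_t)

		auth_list_pam_console_data(xguest_t)

		init_read_utmp(xguest_t)
	')
')
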
# D-Bus communication with the Bluetooth service, applied only when the
# bluetooth policy module is available and xguest_use_bluetooth is on.
optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		bluetooth_dbus_chat(xguest_t)
	')
')

# The three blocks below are not behind any tunable: each applies whenever the
# corresponding policy module is available.

# D-Bus communication with HAL.
optional_policy(`
	hal_dbus_chat(xguest_t)
')

# Java role interface for the guest role and domain.
optional_policy(`
	java_role(xguest_r, xguest_t)
')

# Mozilla role interface for the guest role and domain.
optional_policy(`
	mozilla_role(xguest_r, xguest_t)
')

# Network access applied while xguest_connect_network is on: D-Bus
# communication with NetworkManager plus outbound TCP connections to the
# PulseAudio and IPP ports.
# NOTE(review): the two corenet rules share an optional block with the
# NetworkManager interface, so presumably they are dropped as well when the
# networkmanager module is not available. Confirm that coupling is intended.
optional_policy(`
	tunable_policy(`xguest_connect_network',`
		networkmanager_dbus_chat(xguest_t)
		corenet_tcp_connect_pulseaudio_port(xguest_t)
		corenet_tcp_connect_ipp_port(xguest_t)
	')
')

# NOTE(review): the SELinux user declaration below is commented out, so in the
# lines shown this module does not itself create a user mapped to xguest_r.
# The mapping has to be provided elsewhere for the role to be reachable.
#gen_user(xguest_u,, xguest_r, s0, s0)