[people/stevee/selinux-policy.git] / policy / modules / roles / staff.te

policy_module(staff, 2.2.0)

########################################
#
# Declarations
#

role staff_r;

userdom_unpriv_user_template(staff)
fs_exec_noxattr(staff_t)

# needed for sandbox
allow staff_t self:process setexec;

########################################
#
# Local policy
#

kernel_read_ring_buffer(staff_t)
kernel_getattr_core_if(staff_t)
kernel_getattr_message_if(staff_t)
kernel_read_software_raid_state(staff_t)
kernel_read_fs_sysctls(staff_t)

fs_read_hugetlbfs_files(staff_t)

dev_read_cpuid(staff_t)

domain_read_all_domains_state(staff_t)
domain_getattr_all_domains(staff_t)
domain_obj_id_change_exemption(staff_t)

files_read_kernel_modules(staff_t)

seutil_read_module_store(staff_t)
seutil_run_newrole(staff_t, staff_r)

storage_read_scsi_generic(staff_t)
storage_write_scsi_generic(staff_t)

term_use_unallocated_ttys(staff_t)

auth_domtrans_pam_console(staff_t)

init_dbus_chat(staff_t)
init_dbus_chat_script(staff_t)

miscfiles_read_hwdata(staff_t)

ifndef(`enable_mls',`
	selinux_read_policy(staff_t)
')

optional_policy(`
	abrt_read_cache(staff_t)
')

optional_policy(`
	apache_role(staff_r, staff_t)
')

optional_policy(`
	auditadm_role_change(staff_r)
')

optional_policy(`
	blueman_dbus_chat(staff_t)
')

optional_policy(`
	dbadm_role_change(staff_r)
')

optional_policy(`
	accountsd_dbus_chat(staff_t)
	accountsd_read_lib_files(staff_t)
')

optional_policy(`
	colord_dbus_chat(staff_t)
')

optional_policy(`
	gnomeclock_dbus_chat(staff_t)
')

optional_policy(`
	firewallgui_dbus_chat(staff_t)
')

optional_policy(`
	gnome_role(staff_r, staff_t)
')

optional_policy(`
	irc_role(staff_r, staff_t)
')

optional_policy(`
	lpd_list_spool(staff_t)
')

optional_policy(`
	mock_role(staff_r, staff_t)
')

optional_policy(`
	kerneloops_dbus_chat(staff_t)
')

optional_policy(`
	logadm_role_change(staff_r)
')

optional_policy(`
	modutils_read_module_config(staff_t)
	modutils_read_module_deps(staff_t)
')

optional_policy(`
	netutils_run_ping(staff_t, staff_r)
	netutils_run_traceroute(staff_t, staff_r)
	netutils_signal_ping(staff_t)
	netutils_kill_ping(staff_t)
')

optional_policy(`
	oident_manage_user_content(staff_t)
	oident_relabel_user_content(staff_t)
')

optional_policy(`
	mta_role(staff_r, staff_t)
')

optional_policy(`
	mysql_exec(staff_t)
')

optional_policy(`
	polipo_role(staff_r, staff_t)
	polipo_named_filetrans_cache_home_dirs(staff_t)
	polipo_named_filetrans_config_home_files(staff_t)
')

optional_policy(`
	postgresql_role(staff_r, staff_t)
')

optional_policy(`
	rtkit_scheduled(staff_t)
')

optional_policy(`
	rpm_dbus_chat(staff_t)
')

optional_policy(`
	secadm_role_change(staff_r)
')

optional_policy(`
	sandbox_transition(staff_t, staff_r)
')

optional_policy(`
	screen_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	sysadm_role_change(staff_r)
	userdom_dontaudit_use_user_terminals(staff_t)
')

optional_policy(`
	setroubleshoot_stream_connect(staff_t)
	setroubleshoot_dbus_chat(staff_t)
	setroubleshoot_dbus_chat_fixit(staff_t)
')

optional_policy(`
	ssh_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	sudo_role_template(staff, staff_r, staff_t)
')

#optional_policy(`
#	telepathy_dbus_session_role(staff_r, staff_t)
#')

optional_policy(`
	userhelper_console_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	unconfined_role_change(staff_r)
')

optional_policy(`
	usbmuxd_stream_connect(staff_t)
')

optional_policy(`
	virt_stream_connect(staff_t)
')

optional_policy(`
	vlock_run(staff_t, staff_r)
')

optional_policy(`
	vnstatd_read_lib_files(staff_t)
')

optional_policy(`
	webadm_role_change(staff_r)
')

optional_policy(`
	xserver_role(staff_r, staff_t)
')

ifndef(`distro_redhat',`
	optional_policy(`
		auth_role(staff_r, staff_t)
	')

	optional_policy(`
		bluetooth_role(staff_r, staff_t)
	')

	optional_policy(`
		cdrecord_role(staff_r, staff_t)
	')

	optional_policy(`
		cron_role(staff_r, staff_t)
	')

	optional_policy(`
		dbus_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		evolution_role(staff_r, staff_t)
	')

	optional_policy(`
		games_role(staff_r, staff_t)
	')

	optional_policy(`
		gift_role(staff_r, staff_t)
	')

	optional_policy(`
		gpg_role(staff_r, staff_t)
	')

	optional_policy(`
		java_role(staff_r, staff_t)
	')

	optional_policy(`
		lockdev_role(staff_r, staff_t)
	')

	optional_policy(`
		lpd_role(staff_r, staff_t)
	')

	optional_policy(`
		mplayer_role(staff_r, staff_t)
	')

	optional_policy(`
		pyzor_role(staff_r, staff_t)
	')

	optional_policy(`
		razor_role(staff_r, staff_t)
	')

	optional_policy(`
		rssh_role(staff_r, staff_t)
	')

	optional_policy(`
		spamassassin_role(staff_r, staff_t)
	')

	optional_policy(`
		su_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		thunderbird_role(staff_r, staff_t)
	')

	optional_policy(`
		tvtime_role(staff_r, staff_t)
	')

	optional_policy(`
		uml_role(staff_r, staff_t)
	')

	optional_policy(`
		userhelper_role_template(staff, staff_r, staff_t)
	')

	optional_policy(`
		vmware_role(staff_r, staff_t)
	')

	optional_policy(`
		wireshark_role(staff_r, staff_t)
	')
')

tunable_policy(`allow_execmod',`
	userdom_execmod_user_home_files(staff_t)
')
Commit	Line	Data
826d0142	1	policy_module(staff, 2.2.0)
e9c6cda7 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	role staff_r;
	9
	10	userdom_unpriv_user_template(staff)
3eaa9939 DW	11	fs_exec_noxattr(staff_t)
	12
	13	# needed for sandbox
	14	allow staff_t self:process setexec;
e9c6cda7 CP	15
	16	########################################
	17	#
	18	# Local policy
	19	#
	20
a6c4623b DW	21	kernel_read_ring_buffer(staff_t)
	22	kernel_getattr_core_if(staff_t)
	23	kernel_getattr_message_if(staff_t)
	24	kernel_read_software_raid_state(staff_t)
	25	kernel_read_fs_sysctls(staff_t)
2968e068	26
a6c4623b	27	fs_read_hugetlbfs_files(staff_t)
acba86e0	28
a6c4623b	29	dev_read_cpuid(staff_t)
3ac15b7c	30
a6c4623b DW	31	domain_read_all_domains_state(staff_t)
a6c4623b DW	32	domain_getattr_all_domains(staff_t)
2968e068 DW	33	domain_obj_id_change_exemption(staff_t)
2968e068 DW	34
a6c4623b	35	files_read_kernel_modules(staff_t)
2968e068 DW	36
	37	seutil_read_module_store(staff_t)
	38	seutil_run_newrole(staff_t, staff_r)
	39
5c589335 DW	40	storage_read_scsi_generic(staff_t)
	41	storage_write_scsi_generic(staff_t)
	42
a6c4623b	43	term_use_unallocated_ttys(staff_t)
3eaa9939 DW	44
	45	auth_domtrans_pam_console(staff_t)
	46
	47	init_dbus_chat(staff_t)
	48	init_dbus_chat_script(staff_t)
	49
a6c4623b	50	miscfiles_read_hwdata(staff_t)
2968e068	51
4ba442da DW	52	ifndef(`enable_mls',`
	53	selinux_read_policy(staff_t)
	54	')
	55
4ad28653	56	optional_policy(`
0e7fbb58	57	abrt_read_cache(staff_t)
4ad28653 DW	58	')
4ad28653 DW	59
e9c6cda7	60	optional_policy(`
296273a7	61	apache_role(staff_r, staff_t)
e9c6cda7 CP	62	')
e9c6cda7 CP	63
3eaa9939	64	optional_policy(`
296273a7	65	auditadm_role_change(staff_r)
3eaa9939 DW	66	')
3eaa9939 DW	67
a3cfe808 DW	68	optional_policy(`
	69	blueman_dbus_chat(staff_t)
	70	')
	71
e9c6cda7	72	optional_policy(`
c62f1bef	73	dbadm_role_change(staff_r)
e9c6cda7 CP	74	')
e9c6cda7 CP	75
c62f1bef	76	optional_policy(`
14ffaf83 DW	77	accountsd_dbus_chat(staff_t)
14ffaf83 DW	78	accountsd_read_lib_files(staff_t)
3eaa9939 DW	79	')
3eaa9939 DW	80
27608c5b DW	81	optional_policy(`
	82	colord_dbus_chat(staff_t)
	83	')
	84
3eaa9939	85	optional_policy(`
14ffaf83	86	gnomeclock_dbus_chat(staff_t)
3eaa9939 DW	87	')
3eaa9939 DW	88
3eaa9939	89	optional_policy(`
14ffaf83 DW	90	firewallgui_dbus_chat(staff_t)
	91	')
	92
ca9e8850 DW	93	optional_policy(`
	94	gnome_role(staff_r, staff_t)
	95	')
	96
f8f030aa DG	97	optional_policy(`
	98	irc_role(staff_r, staff_t)
	99	')
	100
14ffaf83 DW	101	optional_policy(`
14ffaf83 DW	102	lpd_list_spool(staff_t)
3eaa9939 DW	103	')
3eaa9939 DW	104
28545264 DW	105	optional_policy(`
	106	mock_role(staff_r, staff_t)
	107	')
	108
3eaa9939	109	optional_policy(`
14ffaf83 DW	110	kerneloops_dbus_chat(staff_t)
	111	')
	112
	113	optional_policy(`
	114	logadm_role_change(staff_r)
	115	')
	116
2371d8d8	117	optional_policy(`
a6c4623b DW	118	modutils_read_module_config(staff_t)
a6c4623b DW	119	modutils_read_module_deps(staff_t)
2371d8d8 MG	120	')
	121
	122	optional_policy(`
	123	netutils_run_ping(staff_t, staff_r)
	124	netutils_run_traceroute(staff_t, staff_r)
	125	netutils_signal_ping(staff_t)
	126	netutils_kill_ping(staff_t)
	127	')
	128
366396d8 DW	129	optional_policy(`
	130	oident_manage_user_content(staff_t)
	131	oident_relabel_user_content(staff_t)
	132	')
	133
9a52a69e MG	134	optional_policy(`
	135	mta_role(staff_r, staff_t)
	136	')
	137
a7129342 DW	138	optional_policy(`
	139	mysql_exec(staff_t)
	140	')
	141
f1b7d092 DG	142	optional_policy(`
	143	polipo_role(staff_r, staff_t)
	144	polipo_named_filetrans_cache_home_dirs(staff_t)
	145	polipo_named_filetrans_config_home_files(staff_t)
	146	')
	147
3eaa9939	148	optional_policy(`
2968e068	149	postgresql_role(staff_r, staff_t)
3eaa9939 DW	150	')
	151
	152	optional_policy(`
14ffaf83	153	rtkit_scheduled(staff_t)
3eaa9939 DW	154	')
	155
	156	optional_policy(`
a6c4623b	157	rpm_dbus_chat(staff_t)
3eaa9939 DW	158	')
	159
	160	optional_policy(`
c87e1502	161	secadm_role_change(staff_r)
296273a7 CP	162	')
	163
	164	optional_policy(`
14ffaf83	165	sandbox_transition(staff_t, staff_r)
3eaa9939 DW	166	')
	167
	168	optional_policy(`
2968e068	169	screen_role_template(staff, staff_r, staff_t)
3eaa9939 DW	170	')
3eaa9939 DW	171
296273a7	172	optional_policy(`
c87e1502 JS	173	sysadm_role_change(staff_r)
c87e1502 JS	174	userdom_dontaudit_use_user_terminals(staff_t)
296273a7	175	')
7c525b65	176
14ffaf83 DW	177	optional_policy(`
	178	setroubleshoot_stream_connect(staff_t)
	179	setroubleshoot_dbus_chat(staff_t)
	180	setroubleshoot_dbus_chat_fixit(staff_t)
	181	')
	182
3eaa9939	183	optional_policy(`
4e857ebf	184	ssh_role_template(staff, staff_r, staff_t)
3eaa9939 DW	185	')
	186
	187	optional_policy(`
2968e068	188	sudo_role_template(staff, staff_r, staff_t)
3eaa9939 DW	189	')
3eaa9939 DW	190
3a7aacc9 MG	191	#optional_policy(`
	192	# telepathy_dbus_session_role(staff_r, staff_t)
	193	#')
c62f1bef	194
296273a7	195	optional_policy(`
a6c4623b	196	userhelper_console_role_template(staff, staff_r, staff_t)
14ffaf83 DW	197	')
	198
	199	optional_policy(`
	200	unconfined_role_change(staff_r)
	201	')
	202
3bf6566d	203	optional_policy(`
	204	usbmuxd_stream_connect(staff_t)
	205	')
	206
14ffaf83 DW	207	optional_policy(`
	208	virt_stream_connect(staff_t)
	209	')
	210
0a394bf0	211	optional_policy(`
7c525b65	212	vlock_run(staff_t, staff_r)
0a394bf0 DW	213	')
0a394bf0 DW	214
14ffaf83	215	optional_policy(`
7c525b65	216	vnstatd_read_lib_files(staff_t)
296273a7 CP	217	')
296273a7 CP	218
d35e2ee0	219	optional_policy(`
7c525b65	220	webadm_role_change(staff_r)
d35e2ee0 HC	221	')
d35e2ee0 HC	222
3eaa9939	223	optional_policy(`
2968e068	224	xserver_role(staff_r, staff_t)
3eaa9939 DW	225	')
	226
	227	ifndef(`distro_redhat',`
2968e068 DW	228	optional_policy(`
	229	auth_role(staff_r, staff_t)
	230	')
	231
	232	optional_policy(`
	233	bluetooth_role(staff_r, staff_t)
	234	')
	235
	236	optional_policy(`
	237	cdrecord_role(staff_r, staff_t)
	238	')
	239
	240	optional_policy(`
	241	cron_role(staff_r, staff_t)
	242	')
	243
	244	optional_policy(`
	245	dbus_role_template(staff, staff_r, staff_t)
	246	')
3eaa9939	247
2968e068 DW	248	optional_policy(`
	249	evolution_role(staff_r, staff_t)
	250	')
3eaa9939	251
2968e068 DW	252	optional_policy(`
	253	games_role(staff_r, staff_t)
	254	')
3eaa9939	255
2968e068 DW	256	optional_policy(`
	257	gift_role(staff_r, staff_t)
	258	')
296273a7	259
2968e068 DW	260	optional_policy(`
	261	gpg_role(staff_r, staff_t)
	262	')
296273a7	263
2968e068 DW	264	optional_policy(`
	265	java_role(staff_r, staff_t)
	266	')
296273a7	267
2968e068 DW	268	optional_policy(`
	269	lockdev_role(staff_r, staff_t)
	270	')
296273a7	271
2968e068 DW	272	optional_policy(`
	273	lpd_role(staff_r, staff_t)
	274	')
296273a7	275
2968e068 DW	276	optional_policy(`
	277	mplayer_role(staff_r, staff_t)
	278	')
3eaa9939	279
2968e068 DW	280	optional_policy(`
	281	pyzor_role(staff_r, staff_t)
	282	')
3eaa9939	283
2968e068 DW	284	optional_policy(`
	285	razor_role(staff_r, staff_t)
	286	')
3eaa9939	287
2968e068 DW	288	optional_policy(`
	289	rssh_role(staff_r, staff_t)
	290	')
3eaa9939	291
2968e068 DW	292	optional_policy(`
	293	spamassassin_role(staff_r, staff_t)
	294	')
3eaa9939	295
2968e068 DW	296	optional_policy(`
	297	su_role_template(staff, staff_r, staff_t)
	298	')
3eaa9939	299
2968e068 DW	300	optional_policy(`
	301	thunderbird_role(staff_r, staff_t)
	302	')
3eaa9939	303
2968e068 DW	304	optional_policy(`
	305	tvtime_role(staff_r, staff_t)
	306	')
3eaa9939	307
2968e068 DW	308	optional_policy(`
	309	uml_role(staff_r, staff_t)
	310	')
3eaa9939	311
2968e068 DW	312	optional_policy(`
	313	userhelper_role_template(staff, staff_r, staff_t)
	314	')
3eaa9939	315
2968e068 DW	316	optional_policy(`
	317	vmware_role(staff_r, staff_t)
	318	')
3eaa9939	319
2968e068 DW	320	optional_policy(`
	321	wireshark_role(staff_r, staff_t)
	322	')
	323	')
4d22fba0 DW	324
4d22fba0 DW	325	tunable_policy(`allow_execmod',`
a6c4623b	326	userdom_execmod_user_home_files(staff_t)
4d22fba0	327	')