[people/stevee/selinux-policy.git] / policy / modules / roles / xguest.te

policy_module(xguest, 1.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media, true)

## <desc>
## <p>
## Allow xguest users to configure Network Manager and connect to apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)

## <desc>
## <p>
## Allow xguest users to use blue tooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, true)

role xguest_r;

userdom_restricted_xwindows_user_template(xguest)
sysnet_dns_name_resolve(xguest_t)

########################################
#
# Local policy
#
ifndef(`enable_mls',`
	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Write floppies 
		storage_raw_read_removable_device(xguest_t)
		storage_raw_write_removable_device(xguest_t)
	',`
		storage_raw_read_removable_device(xguest_t)
	')
')

optional_policy(`
	# Dontaudit fusermount
	mount_dontaudit_exec_fusermount(xguest_t)
')

kernel_dontaudit_request_load_module(xguest_t)

tunable_policy(`allow_execstack',`
	allow xguest_t self:process execstack;
')

# Allow mounting of file systems
optional_policy(`
	tunable_policy(`xguest_mount_media',`
		kernel_read_fs_sysctls(xguest_t)
		kernel_request_load_module(xguest_t)
		files_dontaudit_getattr_boot_dirs(xguest_t)
		files_search_mnt(xguest_t)

		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_getattr_noxattr_fs(xguest_t)
		fs_read_noxattr_fs_symlinks(xguest_t)
		fs_mount_fusefs(xguest_t)

		auth_list_pam_console_data(xguest_t)
	')
')

optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		bluetooth_dbus_chat(xguest_t)
	')
')

optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		blueman_dbus_chat(xguest_t)
	')
')

optional_policy(`
	hal_dbus_chat(xguest_t)
')

optional_policy(`
	apache_role(xguest_r, xguest_t)
')

optional_policy(`
	gnome_role(xguest_r, xguest_t)
')

optional_policy(`
	pcscd_read_pub_files(xguest_t)
	pcscd_stream_connect(xguest_t)
')

optional_policy(`
	rhsmcertd_dontaudit_dbus_chat(xguest_t)
')

optional_policy(`
	tunable_policy(`xguest_connect_network',`
		kernel_read_network_state(xguest_t)

		networkmanager_dbus_chat(xguest_t)
		networkmanager_read_lib_files(xguest_t)
		corenet_tcp_connect_pulseaudio_port(xguest_t)
		corenet_all_recvfrom_unlabeled(xguest_t)
		corenet_all_recvfrom_netlabel(xguest_t)
		corenet_tcp_sendrecv_generic_if(xguest_t)
		corenet_raw_sendrecv_generic_if(xguest_t)
		corenet_tcp_sendrecv_generic_node(xguest_t)
		corenet_raw_sendrecv_generic_node(xguest_t)
		corenet_tcp_sendrecv_http_port(xguest_t)
		corenet_tcp_sendrecv_http_cache_port(xguest_t)
		corenet_tcp_sendrecv_squid_port(xguest_t)
		corenet_tcp_sendrecv_ftp_port(xguest_t)
		corenet_tcp_sendrecv_ipp_port(xguest_t)
		corenet_tcp_connect_http_port(xguest_t)
		corenet_tcp_connect_http_cache_port(xguest_t)
		corenet_tcp_connect_squid_port(xguest_t)
		corenet_tcp_connect_flash_port(xguest_t)
		corenet_tcp_connect_ftp_port(xguest_t)
		corenet_tcp_connect_ipp_port(xguest_t)
		corenet_tcp_connect_generic_port(xguest_t)
		corenet_tcp_connect_soundd_port(xguest_t)
		corenet_sendrecv_http_client_packets(xguest_t)
		corenet_sendrecv_http_cache_client_packets(xguest_t)
		corenet_sendrecv_squid_client_packets(xguest_t)
		corenet_sendrecv_ftp_client_packets(xguest_t)
		corenet_sendrecv_ipp_client_packets(xguest_t)
		corenet_sendrecv_generic_client_packets(xguest_t)
		# Should not need other ports
		corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
		corenet_dontaudit_tcp_bind_generic_port(xguest_t)
		corenet_tcp_connect_speech_port(xguest_t)
		corenet_tcp_sendrecv_transproxy_port(xguest_t)
		corenet_tcp_connect_transproxy_port(xguest_t)
	')
')

gen_user(xguest_u, user, xguest_r, s0, s0)
Commit	Line	Data
29af4c13	1	policy_module(xguest, 1.1.0)
42d567c3 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	## <desc>
	9	## <p>
	10	## Allow xguest users to mount removable media
	11	## </p>
	12	## </desc>
	13	gen_tunable(xguest_mount_media, true)
	14
	15	## <desc>
	16	## <p>
b42ceb94	17	## Allow xguest users to configure Network Manager and connect to apache ports
42d567c3 CP	18	## </p>
	19	## </desc>
	20	gen_tunable(xguest_connect_network, true)
	21
	22	## <desc>
	23	## <p>
b42ceb94	24	## Allow xguest users to use blue tooth devices
42d567c3 CP	25	## </p>
	26	## </desc>
	27	gen_tunable(xguest_use_bluetooth, true)
	28
	29	role xguest_r;
	30
	31	userdom_restricted_xwindows_user_template(xguest)
3eaa9939	32	sysnet_dns_name_resolve(xguest_t)
42d567c3 CP	33
	34	########################################
	35	#
	36	# Local policy
	37	#
c06a4452 CP	38	ifndef(`enable_mls',`
	39	fs_exec_noxattr(xguest_t)
	40
	41	tunable_policy(`user_rw_noexattrfile',`
	42	fs_manage_noxattr_fs_files(xguest_t)
	43	fs_manage_noxattr_fs_dirs(xguest_t)
	44	# Write floppies
	45	storage_raw_read_removable_device(xguest_t)
	46	storage_raw_write_removable_device(xguest_t)
	47	',`
	48	storage_raw_read_removable_device(xguest_t)
	49	')
	50	')
01b4508d MG	51
	52	optional_policy(`
	53	# Dontaudit fusermount
	54	mount_dontaudit_exec_fusermount(xguest_t)
	55	')
3eaa9939	56
3eaa9939 DW	57	kernel_dontaudit_request_load_module(xguest_t)
	58
	59	tunable_policy(`allow_execstack',`
	60	allow xguest_t self:process execstack;
	61	')
c06a4452	62
42d567c3 CP	63	# Allow mounting of file systems
	64	optional_policy(`
	65	tunable_policy(`xguest_mount_media',`
	66	kernel_read_fs_sysctls(xguest_t)
3eaa9939	67	kernel_request_load_module(xguest_t)
42d567c3 CP	68	files_dontaudit_getattr_boot_dirs(xguest_t)
	69	files_search_mnt(xguest_t)
	70
	71	fs_manage_noxattr_fs_files(xguest_t)
	72	fs_manage_noxattr_fs_dirs(xguest_t)
	73	fs_manage_noxattr_fs_dirs(xguest_t)
	74	fs_getattr_noxattr_fs(xguest_t)
	75	fs_read_noxattr_fs_symlinks(xguest_t)
3eaa9939	76	fs_mount_fusefs(xguest_t)
42d567c3 CP	77
42d567c3 CP	78	auth_list_pam_console_data(xguest_t)
42d567c3 CP	79	')
	80	')
	81
	82	optional_policy(`
	83	tunable_policy(`xguest_use_bluetooth',`
	84	bluetooth_dbus_chat(xguest_t)
	85	')
	86	')
	87
a3cfe808 DW	88	optional_policy(`
a3cfe808 DW	89	tunable_policy(`xguest_use_bluetooth',`
eba77273	90	blueman_dbus_chat(xguest_t)
a3cfe808 DW	91	')
	92	')
	93
42d567c3 CP	94	optional_policy(`
	95	hal_dbus_chat(xguest_t)
	96	')
	97
	98	optional_policy(`
3eaa9939 DW	99	apache_role(xguest_r, xguest_t)
	100	')
	101
ca9e8850 DW	102	optional_policy(`
	103	gnome_role(xguest_r, xguest_t)
	104	')
	105
b82eab39	106	optional_policy(`
a6c4623b DW	107	pcscd_read_pub_files(xguest_t)
a6c4623b DW	108	pcscd_stream_connect(xguest_t)
b82eab39 DW	109	')
b82eab39 DW	110
4d3790e4 MG	111	optional_policy(`
	112	rhsmcertd_dontaudit_dbus_chat(xguest_t)
	113	')
	114
42d567c3 CP	115	optional_policy(`
42d567c3 CP	116	tunable_policy(`xguest_connect_network',`
a6c4623b	117	kernel_read_network_state(xguest_t)
3eaa9939	118
42d567c3	119	networkmanager_dbus_chat(xguest_t)
3eaa9939	120	networkmanager_read_lib_files(xguest_t)
a6c4623b DW	121	corenet_tcp_connect_pulseaudio_port(xguest_t)
	122	corenet_all_recvfrom_unlabeled(xguest_t)
	123	corenet_all_recvfrom_netlabel(xguest_t)
	124	corenet_tcp_sendrecv_generic_if(xguest_t)
	125	corenet_raw_sendrecv_generic_if(xguest_t)
	126	corenet_tcp_sendrecv_generic_node(xguest_t)
	127	corenet_raw_sendrecv_generic_node(xguest_t)
	128	corenet_tcp_sendrecv_http_port(xguest_t)
	129	corenet_tcp_sendrecv_http_cache_port(xguest_t)
	130	corenet_tcp_sendrecv_squid_port(xguest_t)
	131	corenet_tcp_sendrecv_ftp_port(xguest_t)
	132	corenet_tcp_sendrecv_ipp_port(xguest_t)
	133	corenet_tcp_connect_http_port(xguest_t)
	134	corenet_tcp_connect_http_cache_port(xguest_t)
	135	corenet_tcp_connect_squid_port(xguest_t)
	136	corenet_tcp_connect_flash_port(xguest_t)
	137	corenet_tcp_connect_ftp_port(xguest_t)
	138	corenet_tcp_connect_ipp_port(xguest_t)
	139	corenet_tcp_connect_generic_port(xguest_t)
	140	corenet_tcp_connect_soundd_port(xguest_t)
	141	corenet_sendrecv_http_client_packets(xguest_t)
	142	corenet_sendrecv_http_cache_client_packets(xguest_t)
	143	corenet_sendrecv_squid_client_packets(xguest_t)
	144	corenet_sendrecv_ftp_client_packets(xguest_t)
	145	corenet_sendrecv_ipp_client_packets(xguest_t)
	146	corenet_sendrecv_generic_client_packets(xguest_t)
3eaa9939	147	# Should not need other ports
a6c4623b DW	148	corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
	149	corenet_dontaudit_tcp_bind_generic_port(xguest_t)
	150	corenet_tcp_connect_speech_port(xguest_t)
	151	corenet_tcp_sendrecv_transproxy_port(xguest_t)
	152	corenet_tcp_connect_transproxy_port(xguest_t)
42d567c3	153	')
3eaa9939 DW	154	')
3eaa9939 DW	155
3eaa9939	156	gen_user(xguest_u, user, xguest_r, s0, s0)