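# xguest: locked-down guest user for X sessions, derived from
# userdom_restricted_xwindows_user_template.  Everything the template does
# not grant is gated below by a tunable and/or an optional_policy block, so
# an administrator can switch each extra capability off independently.
policy_module(xguest, 1.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media, true)

## <desc>
## <p>
## Allow xguest users to configure NetworkManager and connect to Apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)

## <desc>
## <p>
## Allow xguest users to use Bluetooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, true)

role xguest_r;

userdom_restricted_xwindows_user_template(xguest)
sysnet_dns_name_resolve(xguest_t)

########################################
#
# Local policy
#

# Skipped on MLS builds.  noxattr filesystems (no per-file labels) and raw
# removable-device access have no per-level equivalent here; NOTE(review):
# presumably that is why this is ifndef'd rather than tunable — confirm.
ifndef(`enable_mls',`
	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Write floppies.  Raw block-device write sidesteps per-file
		# labelling entirely, so it is granted only under this tunable;
		# the else branch keeps read-only access.
		storage_raw_read_removable_device(xguest_t)
		storage_raw_write_removable_device(xguest_t)
	',`
		storage_raw_read_removable_device(xguest_t)
	')
')

optional_policy(`
	# Dontaudit fusermount
	mount_dontaudit_exec_fusermount(xguest_t)
')

# Unconditional: silences module-autoload denials when mounting is off.
# The matching allow lives in the xguest_mount_media block below; a
# dontaudit never overrides an allow, it only hides the audit record.
kernel_dontaudit_request_load_module(xguest_t)

tunable_policy(`allow_execstack',`
	allow xguest_t self:process execstack;
')

# Allow mounting of file systems
optional_policy(`
	tunable_policy(`xguest_mount_media',`
		kernel_read_fs_sysctls(xguest_t)
		# Mounting may need filesystem modules autoloaded; pairs with the
		# unconditional dontaudit above.
		kernel_request_load_module(xguest_t)
		files_dontaudit_getattr_boot_dirs(xguest_t)
		files_search_mnt(xguest_t)

		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_getattr_noxattr_fs(xguest_t)
		fs_read_noxattr_fs_symlinks(xguest_t)
		fs_mount_fusefs(xguest_t)

		auth_list_pam_console_data(xguest_t)
	')
')

# bluetooth and blueman are separate modules, so each D-Bus grant sits in
# its own optional_policy block under the same tunable.
optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		bluetooth_dbus_chat(xguest_t)
	')
')

optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		blueman_dbus_chat(xguest_t)
	')
')

optional_policy(`
	hal_dbus_chat(xguest_t)
')

optional_policy(`
	apache_role(xguest_r, xguest_t)
')

optional_policy(`
	gnome_role(xguest_r, xguest_t)
')

optional_policy(`
	pcscd_read_pub_files(xguest_t)
	pcscd_stream_connect(xguest_t)
')

optional_policy(`
	rhsmcertd_dontaudit_dbus_chat(xguest_t)
')

# NOTE(review): the xguest_connect_network description says "Apache ports",
# but this block also grants connects to the http_cache, squid, flash, ftp,
# ipp, soundd, pulseaudio, speech, transproxy and generic port types.  The
# generic port type is the widest of these; keep the desc in sync whenever
# this list changes.
optional_policy(`
	tunable_policy(`xguest_connect_network',`
		kernel_read_network_state(xguest_t)

		networkmanager_dbus_chat(xguest_t)
		networkmanager_read_lib_files(xguest_t)
		corenet_tcp_connect_pulseaudio_port(xguest_t)
		corenet_all_recvfrom_unlabeled(xguest_t)
		corenet_all_recvfrom_netlabel(xguest_t)
		corenet_tcp_sendrecv_generic_if(xguest_t)
		corenet_raw_sendrecv_generic_if(xguest_t)
		corenet_tcp_sendrecv_generic_node(xguest_t)
		corenet_raw_sendrecv_generic_node(xguest_t)
		corenet_tcp_sendrecv_http_port(xguest_t)
		corenet_tcp_sendrecv_http_cache_port(xguest_t)
		corenet_tcp_sendrecv_squid_port(xguest_t)
		corenet_tcp_sendrecv_ftp_port(xguest_t)
		corenet_tcp_sendrecv_ipp_port(xguest_t)
		corenet_tcp_connect_http_port(xguest_t)
		corenet_tcp_connect_http_cache_port(xguest_t)
		corenet_tcp_connect_squid_port(xguest_t)
		corenet_tcp_connect_flash_port(xguest_t)
		corenet_tcp_connect_ftp_port(xguest_t)
		corenet_tcp_connect_ipp_port(xguest_t)
		corenet_tcp_connect_generic_port(xguest_t)
		corenet_tcp_connect_soundd_port(xguest_t)
		corenet_sendrecv_http_client_packets(xguest_t)
		corenet_sendrecv_http_cache_client_packets(xguest_t)
		corenet_sendrecv_squid_client_packets(xguest_t)
		corenet_sendrecv_ftp_client_packets(xguest_t)
		corenet_sendrecv_ipp_client_packets(xguest_t)
		corenet_sendrecv_generic_client_packets(xguest_t)
		# Should not need other ports.  NOTE(review): connect to the
		# generic port type is allowed above while send/recv and bind on
		# it are only dontaudited here — presumably intentional, confirm.
		corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
		corenet_dontaudit_tcp_bind_generic_port(xguest_t)
		corenet_tcp_connect_speech_port(xguest_t)
		corenet_tcp_sendrecv_transproxy_port(xguest_t)
		corenet_tcp_connect_transproxy_port(xguest_t)
	')
')

gen_user(xguest_u, user, xguest_r, s0, s0)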