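policy_module(xguest, 1.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media, true)

## <desc>
## <p>
## Allow xguest users to configure Network Manager and connect to apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)

## <desc>
## <p>
## Allow xguest users to use blue tooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, true)

role xguest_r;

# xguest_t is derived from the restricted X Windows user template; every rule
# below widens that base domain, so each addition should stay behind a tunable
# or optional_policy() block where one applies.
userdom_restricted_xwindows_user_template(xguest)
sysnet_dns_name_resolve(xguest_t)

########################################
#
# Local policy
#

# Filesystems without xattr support carry no per-file labels; access to them
# is only wired up on non-MLS builds.
ifndef(`enable_mls',`
	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Write floppies
		storage_raw_read_removable_device(xguest_t)
		storage_raw_write_removable_device(xguest_t)
	',`
		# Read-only raw access when the tunable is off
		storage_raw_read_removable_device(xguest_t)
	')
')

optional_policy(`
	# Dontaudit fusermount
	mount_dontaudit_exec_fusermount(xguest_t)
')

# Silence, rather than grant, module-load requests; the explicit grant lives
# under xguest_mount_media below.
kernel_dontaudit_request_load_module(xguest_t)

tunable_policy(`allow_execstack',`
	allow xguest_t self:process execstack;
')

# Allow mounting of file systems
optional_policy(`
	tunable_policy(`xguest_mount_media',`
		kernel_read_fs_sysctls(xguest_t)
		kernel_request_load_module(xguest_t)
		files_dontaudit_getattr_boot_dirs(xguest_t)
		files_search_mnt(xguest_t)

		# fs_manage_noxattr_fs_dirs was listed twice here; one call is enough.
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_getattr_noxattr_fs(xguest_t)
		fs_read_noxattr_fs_symlinks(xguest_t)
		fs_mount_fusefs(xguest_t)

		auth_list_pam_console_data(xguest_t)
	')
')

optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		bluetooth_dbus_chat(xguest_t)
	')
')

optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		blueman_dbus_chat(xguest_t)
	')
')

optional_policy(`
	hal_dbus_chat(xguest_t)
')

optional_policy(`
	apache_role(xguest_r, xguest_t)
')

optional_policy(`
	gnome_role(xguest_r, xguest_t)
')

optional_policy(`
	pcscd_read_pub_files(xguest_t)
	pcscd_stream_connect(xguest_t)
')

optional_policy(`
	rhsmcertd_dontaudit_dbus_chat(xguest_t)
')

# NOTE: the tunable description says "apache ports", but this block also
# grants ftp, ipp, squid, flash, soundd, speech, transproxy and generic-port
# connects, plus receipt of unlabeled and NetLabel traffic. Anyone tightening
# the guest role should review this list against what guests actually need.
optional_policy(`
	tunable_policy(`xguest_connect_network',`
		kernel_read_network_state(xguest_t)

		networkmanager_dbus_chat(xguest_t)
		networkmanager_read_lib_files(xguest_t)
		corenet_tcp_connect_pulseaudio_port(xguest_t)
		corenet_all_recvfrom_unlabeled(xguest_t)
		corenet_all_recvfrom_netlabel(xguest_t)
		corenet_tcp_sendrecv_generic_if(xguest_t)
		corenet_raw_sendrecv_generic_if(xguest_t)
		corenet_tcp_sendrecv_generic_node(xguest_t)
		corenet_raw_sendrecv_generic_node(xguest_t)
		corenet_tcp_sendrecv_http_port(xguest_t)
		corenet_tcp_sendrecv_http_cache_port(xguest_t)
		corenet_tcp_sendrecv_squid_port(xguest_t)
		corenet_tcp_sendrecv_ftp_port(xguest_t)
		corenet_tcp_sendrecv_ipp_port(xguest_t)
		corenet_tcp_connect_http_port(xguest_t)
		corenet_tcp_connect_http_cache_port(xguest_t)
		corenet_tcp_connect_squid_port(xguest_t)
		corenet_tcp_connect_flash_port(xguest_t)
		corenet_tcp_connect_ftp_port(xguest_t)
		corenet_tcp_connect_ipp_port(xguest_t)
		corenet_tcp_connect_generic_port(xguest_t)
		corenet_tcp_connect_soundd_port(xguest_t)
		corenet_sendrecv_http_client_packets(xguest_t)
		corenet_sendrecv_http_cache_client_packets(xguest_t)
		corenet_sendrecv_squid_client_packets(xguest_t)
		corenet_sendrecv_ftp_client_packets(xguest_t)
		corenet_sendrecv_ipp_client_packets(xguest_t)
		corenet_sendrecv_generic_client_packets(xguest_t)
		# Should not need other ports: these only suppress audit noise for
		# generic-port sendrecv/bind, they do not grant access.
		corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
		corenet_dontaudit_tcp_bind_generic_port(xguest_t)
		corenet_tcp_connect_speech_port(xguest_t)
		corenet_tcp_sendrecv_transproxy_port(xguest_t)
		corenet_tcp_connect_transproxy_port(xguest_t)
	')
')

# SELinux user xguest_u: only role xguest_r, single level/range s0.
gen_user(xguest_u, user, xguest_r, s0, s0)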