policy_module(xguest, 1.1.0)
########################################
#
# Declarations
#
## <desc>
##
## Allow xguest users to mount removable media
##
## </desc>
gen_tunable(xguest_mount_media, true)
## <desc>
##
## Allow xguest users to configure NetworkManager and connect to Apache ports
##
## </desc>
gen_tunable(xguest_connect_network, true)
## <desc>
##
## Allow xguest to use Bluetooth devices
##
## </desc>
gen_tunable(xguest_use_bluetooth, true)
role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
sysnet_dns_name_resolve(xguest_t)
init_dbus_chat(xguest_t)
init_status(xguest_t)
########################################
#
# Local policy
#
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
tunable_policy(`selinuxuser_rw_noexattrfile',`
fs_manage_noxattr_fs_files(xguest_t)
fs_manage_noxattr_fs_dirs(xguest_t)
# Raw read/write access to removable devices (e.g. floppies)
storage_raw_read_removable_device(xguest_t)
storage_raw_write_removable_device(xguest_t)
',`
storage_raw_read_removable_device(xguest_t)
')
')
optional_policy(`
# Silently deny (dontaudit) executing fusermount
mount_dontaudit_exec_fusermount(xguest_t)
')
kernel_dontaudit_request_load_module(xguest_t)
tunable_policy(`selinuxuser_execstack',`
allow xguest_t self:process execstack;
')
# Allow mounting of file systems when the xguest_mount_media tunable is enabled
optional_policy(`
tunable_policy(`xguest_mount_media',`
kernel_read_fs_sysctls(xguest_t)
kernel_request_load_module(xguest_t)
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
fs_manage_noxattr_fs_files(xguest_t)
fs_manage_noxattr_fs_dirs(xguest_t)
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
')
')
optional_policy(`
tunable_policy(`xguest_use_bluetooth',`
bluetooth_dbus_chat(xguest_t)
')
')
optional_policy(`
tunable_policy(`xguest_use_bluetooth',`
blueman_dbus_chat(xguest_t)
')
')
optional_policy(`
colord_dbus_chat(xguest_t)
')
optional_policy(`
chrome_role(xguest_r, xguest_t)
')
optional_policy(`
dbus_dontaudit_chat_system_bus(xguest_t)
')
optional_policy(`
hal_dbus_chat(xguest_t)
')
optional_policy(`
apache_role(xguest_r, xguest_t)
')
optional_policy(`
gnome_role(xguest_r, xguest_t)
')
optional_policy(`
mozilla_run_plugin(xguest_t, xguest_r)
')
optional_policy(`
pcscd_read_pid_files(xguest_t)
pcscd_stream_connect(xguest_t)
')
optional_policy(`
rhsmcertd_dontaudit_dbus_chat(xguest_t)
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
networkmanager_read_lib_files(xguest_t)
')
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
kernel_read_network_state(xguest_t)
corenet_tcp_connect_pulseaudio_port(xguest_t)
corenet_tcp_sendrecv_generic_if(xguest_t)
corenet_raw_sendrecv_generic_if(xguest_t)
corenet_tcp_sendrecv_generic_node(xguest_t)
corenet_raw_sendrecv_generic_node(xguest_t)
corenet_tcp_connect_commplex_link_port(xguest_t)
corenet_tcp_sendrecv_http_port(xguest_t)
corenet_tcp_sendrecv_http_cache_port(xguest_t)
corenet_tcp_sendrecv_squid_port(xguest_t)
corenet_tcp_sendrecv_ftp_port(xguest_t)
corenet_tcp_sendrecv_ipp_port(xguest_t)
corenet_tcp_connect_http_port(xguest_t)
corenet_tcp_connect_http_cache_port(xguest_t)
corenet_tcp_connect_squid_port(xguest_t)
corenet_tcp_connect_flash_port(xguest_t)
corenet_tcp_connect_ftp_port(xguest_t)
corenet_tcp_connect_ipp_port(xguest_t)
corenet_tcp_connect_generic_port(xguest_t)
corenet_tcp_connect_soundd_port(xguest_t)
corenet_sendrecv_http_client_packets(xguest_t)
corenet_sendrecv_http_cache_client_packets(xguest_t)
corenet_sendrecv_squid_client_packets(xguest_t)
corenet_sendrecv_ftp_client_packets(xguest_t)
corenet_sendrecv_ipp_client_packets(xguest_t)
corenet_sendrecv_generic_client_packets(xguest_t)
# No other ports should be needed; do not audit attempts on generic ports
corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
corenet_dontaudit_tcp_bind_generic_port(xguest_t)
corenet_tcp_connect_speech_port(xguest_t)
corenet_tcp_sendrecv_transproxy_port(xguest_t)
corenet_tcp_connect_transproxy_port(xguest_t)
')
')
optional_policy(`
gen_require(`
type mozilla_t;
')
allow xguest_t mozilla_t:process transition;
role xguest_r types mozilla_t;
')
gen_user(xguest_u, user, xguest_r, s0, s0)