f5f0af2c24
Signed-off-by: Kenton Groombridge <me@concord.sh>
157 lines
3.5 KiB
Plaintext
157 lines
3.5 KiB
Plaintext
policy_module(xguest, 1.6.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether xguest can
|
|
## mount removable media.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(xguest_mount_media, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether xguest can
|
|
## configure network manager.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(xguest_connect_network, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether xguest can
|
|
## use blue tooth devices.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(xguest_use_bluetooth, false)
|
|
|
|
role xguest_r;
|
|
|
|
userdom_restricted_xwindows_user_template(xguest)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
kernel_dontaudit_request_load_module(xguest_t)
|
|
|
|
ifndef(`enable_mls',`
|
|
tunable_policy(`user_exec_noexattrfile',`
|
|
fs_exec_noxattr(xguest_t)
|
|
')
|
|
|
|
tunable_policy(`user_rw_noexattrfile',`
|
|
fs_manage_noxattr_fs_files(xguest_t)
|
|
fs_manage_noxattr_fs_dirs(xguest_t)
|
|
storage_raw_read_removable_device(xguest_t)
|
|
storage_raw_write_removable_device(xguest_t)
|
|
',`
|
|
storage_raw_read_removable_device(xguest_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`xguest_mount_media',`
|
|
kernel_read_fs_sysctls(xguest_t)
|
|
|
|
files_dontaudit_getattr_boot_dirs(xguest_t)
|
|
files_search_mnt(xguest_t)
|
|
|
|
fs_manage_noxattr_fs_files(xguest_t)
|
|
fs_manage_noxattr_fs_dirs(xguest_t)
|
|
fs_getattr_noxattr_fs(xguest_t)
|
|
fs_read_noxattr_fs_symlinks(xguest_t)
|
|
|
|
auth_list_pam_console_data(xguest_t)
|
|
|
|
init_read_utmp(xguest_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`xguest_use_bluetooth',`
|
|
bluetooth_dbus_chat(xguest_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`xguest_use_bluetooth',`
|
|
blueman_dbus_chat(xguest_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
gnomeclock_dontaudit_dbus_chat(xguest_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
java_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
mozilla_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`xguest_connect_network',`
|
|
kernel_read_network_state(xguest_t)
|
|
|
|
networkmanager_dbus_chat(xguest_t)
|
|
networkmanager_read_lib_files(xguest_t)
|
|
|
|
corenet_all_recvfrom_netlabel(xguest_t)
|
|
corenet_tcp_sendrecv_generic_if(xguest_t)
|
|
corenet_raw_sendrecv_generic_if(xguest_t)
|
|
corenet_tcp_sendrecv_generic_node(xguest_t)
|
|
corenet_raw_sendrecv_generic_node(xguest_t)
|
|
|
|
corenet_sendrecv_pulseaudio_client_packets(xguest_t)
|
|
corenet_tcp_connect_pulseaudio_port(xguest_t)
|
|
|
|
corenet_sendrecv_http_client_packets(xguest_t)
|
|
corenet_tcp_connect_http_port(xguest_t)
|
|
|
|
corenet_sendrecv_http_cache_client_packets(xguest_t)
|
|
corenet_tcp_connect_http_cache_port(xguest_t)
|
|
|
|
corenet_sendrecv_squid_client_packets(xguest_t)
|
|
corenet_tcp_connect_squid_port(xguest_t)
|
|
|
|
corenet_sendrecv_ftp_client_packets(xguest_t)
|
|
corenet_tcp_connect_ftp_port(xguest_t)
|
|
|
|
corenet_sendrecv_ipp_client_packets(xguest_t)
|
|
corenet_tcp_connect_ipp_port(xguest_t)
|
|
|
|
corenet_sendrecv_generic_client_packets(xguest_t)
|
|
corenet_tcp_connect_generic_port(xguest_t)
|
|
|
|
corenet_sendrecv_soundd_client_packets(xguest_t)
|
|
corenet_tcp_connect_soundd_port(xguest_t)
|
|
|
|
corenet_sendrecv_speech_client_packets(xguest_t)
|
|
corenet_tcp_connect_speech_port(xguest_t)
|
|
|
|
corenet_sendrecv_transproxy_client_packets(xguest_t)
|
|
corenet_tcp_connect_transproxy_port(xguest_t)
|
|
|
|
corenet_dontaudit_tcp_bind_generic_port(xguest_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
pcscd_read_runtime_files(xguest_t)
|
|
pcscd_stream_connect(xguest_t)
|
|
')
|
|
|
|
#gen_user(xguest_u,, xguest_r, s0, s0)
|