Clone `xguest_connect_network` for guest role

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2022-09-06 08:41:09 -05:00 · 2022-09-06 08:41:09 -05:00 · 53ed120ece
parent f311d401cd
commit 53ed120ece
1 changed files with 55 additions and 0 deletions
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@ -11,6 +11,14 @@ userdom_restricted_user_template(guest)

 kernel_read_system_state(guest_t)

+## <desc>
+##      <p>
+##      Determine whether guest can
+##      configure network manager.
+##      </p>
+## </desc>
+gen_tunable(guest_connect_network, false)
+
 ########################################
 #
 # Local policy
@ -20,4 +28,51 @@ optional_policy(`
 	dbus_role_template(guest, guest_r, guest_t)
 ')

+optional_policy(`
+        tunable_policy(`guest_connect_network',`
+                kernel_read_network_state(guest_t)
+
+                networkmanager_dbus_chat(guest_t)
+                networkmanager_read_lib_files(guest_t)
+
+                corenet_all_recvfrom_netlabel(guest_t)
+                corenet_tcp_sendrecv_generic_if(guest_t)
+                corenet_raw_sendrecv_generic_if(guest_t)
+                corenet_tcp_sendrecv_generic_node(guest_t)
+                corenet_raw_sendrecv_generic_node(guest_t)
+
+                corenet_sendrecv_pulseaudio_client_packets(guest_t)
+                corenet_tcp_connect_pulseaudio_port(guest_t)
+
+                corenet_sendrecv_http_client_packets(guest_t)
+                corenet_tcp_connect_http_port(guest_t)
+
+                corenet_sendrecv_http_cache_client_packets(guest_t)
+                corenet_tcp_connect_http_cache_port(guest_t)
+
+                corenet_sendrecv_squid_client_packets(guest_t)
+                corenet_tcp_connect_squid_port(guest_t)
+
+                corenet_sendrecv_ftp_client_packets(guest_t)
+                corenet_tcp_connect_ftp_port(guest_t)
+
+                corenet_sendrecv_ipp_client_packets(guest_t)
+                corenet_tcp_connect_ipp_port(guest_t)
+
+                corenet_sendrecv_generic_client_packets(guest_t)
+                corenet_tcp_connect_generic_port(guest_t)
+
+                corenet_sendrecv_soundd_client_packets(guest_t)
+                corenet_tcp_connect_soundd_port(guest_t)
+
+                corenet_sendrecv_speech_client_packets(guest_t)
+                corenet_tcp_connect_speech_port(guest_t)
+
+                corenet_sendrecv_transproxy_client_packets(guest_t)
+                corenet_tcp_connect_transproxy_port(guest_t)
+
+                corenet_dontaudit_tcp_bind_generic_port(guest_t)
+        ')
+')
+
 #gen_user(guest_u, user, guest_r, s0, s0)