Clone `xguest_connect_network` for guest role

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
This commit is contained in:
Pat Riehecky 2022-09-06 08:41:09 -05:00
parent f311d401cd
commit 53ed120ece
1 changed files with 55 additions and 0 deletions

View File

@ -11,6 +11,14 @@ userdom_restricted_user_template(guest)
kernel_read_system_state(guest_t) kernel_read_system_state(guest_t)
## <desc>
## <p>
## Determine whether guest can
## configure network manager.
## </p>
## </desc>
gen_tunable(guest_connect_network, false)
######################################## ########################################
# #
# Local policy # Local policy
@ -20,4 +28,51 @@ optional_policy(`
dbus_role_template(guest, guest_r, guest_t) dbus_role_template(guest, guest_r, guest_t)
') ')
optional_policy(`
tunable_policy(`guest_connect_network',`
kernel_read_network_state(guest_t)
networkmanager_dbus_chat(guest_t)
networkmanager_read_lib_files(guest_t)
corenet_all_recvfrom_netlabel(guest_t)
corenet_tcp_sendrecv_generic_if(guest_t)
corenet_raw_sendrecv_generic_if(guest_t)
corenet_tcp_sendrecv_generic_node(guest_t)
corenet_raw_sendrecv_generic_node(guest_t)
corenet_sendrecv_pulseaudio_client_packets(guest_t)
corenet_tcp_connect_pulseaudio_port(guest_t)
corenet_sendrecv_http_client_packets(guest_t)
corenet_tcp_connect_http_port(guest_t)
corenet_sendrecv_http_cache_client_packets(guest_t)
corenet_tcp_connect_http_cache_port(guest_t)
corenet_sendrecv_squid_client_packets(guest_t)
corenet_tcp_connect_squid_port(guest_t)
corenet_sendrecv_ftp_client_packets(guest_t)
corenet_tcp_connect_ftp_port(guest_t)
corenet_sendrecv_ipp_client_packets(guest_t)
corenet_tcp_connect_ipp_port(guest_t)
corenet_sendrecv_generic_client_packets(guest_t)
corenet_tcp_connect_generic_port(guest_t)
corenet_sendrecv_soundd_client_packets(guest_t)
corenet_tcp_connect_soundd_port(guest_t)
corenet_sendrecv_speech_client_packets(guest_t)
corenet_tcp_connect_speech_port(guest_t)
corenet_sendrecv_transproxy_client_packets(guest_t)
corenet_tcp_connect_transproxy_port(guest_t)
corenet_dontaudit_tcp_bind_generic_port(guest_t)
')
')
#gen_user(guest_u, user, guest_r, s0, s0) #gen_user(guest_u, user, guest_r, s0, s0)