79 lines
2.3 KiB
Plaintext
79 lines
2.3 KiB
Plaintext
policy_module(guest)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
role guest_r;
|
|
|
|
userdom_restricted_user_template(guest)
|
|
|
|
kernel_read_system_state(guest_t)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether guest can
|
|
## configure network manager.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(guest_connect_network, false)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
optional_policy(`
|
|
dbus_role_template(guest, guest_r, guest_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`guest_connect_network',`
|
|
kernel_read_network_state(guest_t)
|
|
|
|
networkmanager_dbus_chat(guest_t)
|
|
networkmanager_read_lib_files(guest_t)
|
|
|
|
corenet_all_recvfrom_netlabel(guest_t)
|
|
corenet_tcp_sendrecv_generic_if(guest_t)
|
|
corenet_raw_sendrecv_generic_if(guest_t)
|
|
corenet_tcp_sendrecv_generic_node(guest_t)
|
|
corenet_raw_sendrecv_generic_node(guest_t)
|
|
|
|
corenet_sendrecv_pulseaudio_client_packets(guest_t)
|
|
corenet_tcp_connect_pulseaudio_port(guest_t)
|
|
|
|
corenet_sendrecv_http_client_packets(guest_t)
|
|
corenet_tcp_connect_http_port(guest_t)
|
|
|
|
corenet_sendrecv_http_cache_client_packets(guest_t)
|
|
corenet_tcp_connect_http_cache_port(guest_t)
|
|
|
|
corenet_sendrecv_squid_client_packets(guest_t)
|
|
corenet_tcp_connect_squid_port(guest_t)
|
|
|
|
corenet_sendrecv_ftp_client_packets(guest_t)
|
|
corenet_tcp_connect_ftp_port(guest_t)
|
|
|
|
corenet_sendrecv_ipp_client_packets(guest_t)
|
|
corenet_tcp_connect_ipp_port(guest_t)
|
|
|
|
corenet_sendrecv_generic_client_packets(guest_t)
|
|
corenet_tcp_connect_generic_port(guest_t)
|
|
|
|
corenet_sendrecv_soundd_client_packets(guest_t)
|
|
corenet_tcp_connect_soundd_port(guest_t)
|
|
|
|
corenet_sendrecv_speech_client_packets(guest_t)
|
|
corenet_tcp_connect_speech_port(guest_t)
|
|
|
|
corenet_sendrecv_transproxy_client_packets(guest_t)
|
|
corenet_tcp_connect_transproxy_port(guest_t)
|
|
|
|
corenet_dontaudit_tcp_bind_generic_port(guest_t)
|
|
')
|
|
')
|
|
|
|
#gen_user(guest_u, user, guest_r, s0, s0)
|