policy_module(xguest, 1.1.0)

########################################
#
# Declarations
#

# Note: all three tunables below default to true (enabled).

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media, true)

## <desc>
## <p>
## Allow xguest to configure Network Manager and connect to apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)

## <desc>
## <p>
## Allow xguest to use Bluetooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, true)

role xguest_r;

# Restricted X Windows user template; creates the xguest_t domain (and
# presumably the xguest_usertype attribute referenced further down — confirm
# against the userdom interface).
userdom_restricted_xwindows_user_template(xguest)
# DNS name resolution is granted here unconditionally, i.e. outside the
# xguest_connect_network tunable used for the other network access below.
sysnet_dns_name_resolve(xguest_t)
########################################
#
# Local policy
#

# Non-MLS builds only: executing files from filesystems without xattr support
# (typically removable media) and raw access to removable devices.  None of
# this is granted when enable_mls is defined.
ifndef(`enable_mls',`
	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Write floppies
		storage_raw_read_removable_device(xguest_t)
		storage_raw_write_removable_device(xguest_t)
	',`
		# Tunable off: raw read only, no raw write
		storage_raw_read_removable_device(xguest_t)
	')
')

# Dontaudit fusermount
mount_dontaudit_exec_fusermount(xguest_t)

# Executable anonymous memory is granted unconditionally for the guest domain;
# by contrast execstack just below is gated on the allow_execstack tunable.
allow xguest_t self:process execmem;
# Suppress module-load request denials by default; the matching allow
# (kernel_request_load_module) is only granted under xguest_mount_media.
kernel_dontaudit_request_load_module(xguest_t)

tunable_policy(`allow_execstack',`
	allow xguest_t self:process execstack;
')
# Allow mounting of file systems
optional_policy(`
	tunable_policy(`xguest_mount_media',`
		kernel_read_fs_sysctls(xguest_t)
		# Allowed here although module-load requests are dontaudited above
		kernel_request_load_module(xguest_t)
		files_dontaudit_getattr_boot_dirs(xguest_t)
		files_search_mnt(xguest_t)

		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Duplicate of the preceding line; redundant
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_getattr_noxattr_fs(xguest_t)
		fs_read_noxattr_fs_symlinks(xguest_t)
		# FUSE mounts are covered by the same media tunable, not granted
		# unconditionally
		fs_mount_fusefs(xguest_t)

		auth_list_pam_console_data(xguest_t)
	')
')
optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		bluetooth_dbus_chat(xguest_t)
	')
')

# Attached to the xguest_usertype attribute rather than xguest_t alone
optional_policy(`
	chrome_role(xguest_r, xguest_usertype)
')

optional_policy(`
	hal_dbus_chat(xguest_t)
')

# Not gated on xguest_connect_network, despite that tunable's description
# mentioning apache
optional_policy(`
	apache_role(xguest_r, xguest_t)
')

optional_policy(`
	gnomeclock_dontaudit_dbus_chat(xguest_t)
')

optional_policy(`
	java_role_template(xguest, xguest_r, xguest_t)
')

optional_policy(`
	mono_role_template(xguest, xguest_r, xguest_t)
')

optional_policy(`
	mozilla_run_plugin(xguest_t, xguest_r)
')

optional_policy(`
	nsplugin_role(xguest_r, xguest_t)
')
# Network access; everything in this tunable except the NetworkManager rules
# is granted to the whole xguest_usertype attribute, not only xguest_t.
optional_policy(`
	tunable_policy(`xguest_connect_network',`
		kernel_read_network_state(xguest_usertype)

		networkmanager_dbus_chat(xguest_t)
		networkmanager_read_lib_files(xguest_t)
		corenet_tcp_connect_pulseaudio_port(xguest_usertype)
		corenet_all_recvfrom_unlabeled(xguest_usertype)
		corenet_all_recvfrom_netlabel(xguest_usertype)
		corenet_tcp_sendrecv_generic_if(xguest_usertype)
		corenet_raw_sendrecv_generic_if(xguest_usertype)
		corenet_tcp_sendrecv_generic_node(xguest_usertype)
		corenet_raw_sendrecv_generic_node(xguest_usertype)
		corenet_tcp_sendrecv_http_port(xguest_usertype)
		corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
		corenet_tcp_sendrecv_squid_port(xguest_usertype)
		corenet_tcp_sendrecv_ftp_port(xguest_usertype)
		corenet_tcp_sendrecv_ipp_port(xguest_usertype)
		corenet_tcp_connect_http_port(xguest_usertype)
		corenet_tcp_connect_http_cache_port(xguest_usertype)
		corenet_tcp_connect_squid_port(xguest_usertype)
		corenet_tcp_connect_flash_port(xguest_usertype)
		corenet_tcp_connect_ftp_port(xguest_usertype)
		corenet_tcp_connect_ipp_port(xguest_usertype)
		# NOTE(review): connect to the generic port type is broader than the
		# named ports listed above and sits oddly with the "Should not need
		# other ports" comment below — confirm this is intended.
		corenet_tcp_connect_generic_port(xguest_usertype)
		corenet_tcp_connect_soundd_port(xguest_usertype)
		corenet_sendrecv_http_client_packets(xguest_usertype)
		corenet_sendrecv_http_cache_client_packets(xguest_usertype)
		corenet_sendrecv_squid_client_packets(xguest_usertype)
		corenet_sendrecv_ftp_client_packets(xguest_usertype)
		corenet_sendrecv_ipp_client_packets(xguest_usertype)
		corenet_sendrecv_generic_client_packets(xguest_usertype)
		# Should not need other ports
		corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
		corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
		corenet_tcp_connect_speech_port(xguest_usertype)
		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
		corenet_tcp_connect_transproxy_port(xguest_usertype)
	')

	# Telepathy is inside the outer optional block but outside the tunable
	optional_policy(`
		telepathy_dbus_session_role(xguest_r, xguest_t)
	')
')
# Raw rules on mozilla_t (pulled in through gen_require) instead of a
# mozilla_* interface call; no type_transition is visible here, so the
# transition is only permitted, not automatic, as far as this file shows.
optional_policy(`
	gen_require(`
		type mozilla_t;
	')

	allow xguest_t mozilla_t:process transition;
	role xguest_r types mozilla_t;
')

# SELinux user xguest_u with prefix "user", the single role xguest_r, and an
# MLS default level and range both fixed at s0.
gen_user(xguest_u, user, xguest_r, s0, s0)