selinux-policy/policy/modules/roles/xguest.te

policy_module(xguest, 1.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow xguest users to mount removable media
## </p>
## </desc>
gen_tunable(xguest_mount_media, true)

## <desc>
## <p>
## Allow xguest to configure Network Manager and connect to apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)

## <desc>
## <p>
## Allow xguest to use blue tooth devices
## </p>
## </desc>
gen_tunable(xguest_use_bluetooth, true)

role xguest_r;

userdom_restricted_xwindows_user_template(xguest)
sysnet_dns_name_resolve(xguest_t)

########################################
#
# Local policy
#
ifndef(`enable_mls',`
	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		# Write floppies 
		storage_raw_read_removable_device(xguest_t)
		storage_raw_write_removable_device(xguest_t)
	',`
		storage_raw_read_removable_device(xguest_t)
	')
')
# Dontaudit fusermount
mount_dontaudit_exec_fusermount(xguest_t)

allow xguest_t self:process execmem;
kernel_dontaudit_request_load_module(xguest_t)

tunable_policy(`allow_execstack',`
	allow xguest_t self:process execstack;
')

# Allow mounting of file systems
optional_policy(`
	tunable_policy(`xguest_mount_media',`
		kernel_read_fs_sysctls(xguest_t)
		kernel_request_load_module(xguest_t)
		files_dontaudit_getattr_boot_dirs(xguest_t)
		files_search_mnt(xguest_t)

		fs_manage_noxattr_fs_files(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_manage_noxattr_fs_dirs(xguest_t)
		fs_getattr_noxattr_fs(xguest_t)
		fs_read_noxattr_fs_symlinks(xguest_t)
		fs_mount_fusefs(xguest_t)

		auth_list_pam_console_data(xguest_t)
	')
')

optional_policy(`
	tunable_policy(`xguest_use_bluetooth',`
		bluetooth_dbus_chat(xguest_t)
	')
')

optional_policy(`
	chrome_role(xguest_r, xguest_usertype)
')


optional_policy(`
	hal_dbus_chat(xguest_t)
')

optional_policy(`
	apache_role(xguest_r, xguest_t)
')

optional_policy(`
	gnomeclock_dontaudit_dbus_chat(xguest_t)
')

optional_policy(`
	java_role_template(xguest, xguest_r, xguest_t)
')

optional_policy(`
	mono_role_template(xguest, xguest_r, xguest_t)
')

optional_policy(`
	mozilla_run_plugin(xguest_t, xguest_r)
')

optional_policy(`
	nsplugin_role(xguest_r, xguest_t)
')

optional_policy(`
	tunable_policy(`xguest_connect_network',`
		kernel_read_network_state(xguest_usertype)

		networkmanager_dbus_chat(xguest_t)
		networkmanager_read_lib_files(xguest_t)
		corenet_tcp_connect_pulseaudio_port(xguest_usertype)
		corenet_all_recvfrom_unlabeled(xguest_usertype)
		corenet_all_recvfrom_netlabel(xguest_usertype)
		corenet_tcp_sendrecv_generic_if(xguest_usertype)
		corenet_raw_sendrecv_generic_if(xguest_usertype)
		corenet_tcp_sendrecv_generic_node(xguest_usertype)
		corenet_raw_sendrecv_generic_node(xguest_usertype)
		corenet_tcp_sendrecv_http_port(xguest_usertype)
		corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
		corenet_tcp_sendrecv_squid_port(xguest_usertype)
		corenet_tcp_sendrecv_ftp_port(xguest_usertype)
		corenet_tcp_sendrecv_ipp_port(xguest_usertype)
		corenet_tcp_connect_http_port(xguest_usertype)
		corenet_tcp_connect_http_cache_port(xguest_usertype)
		corenet_tcp_connect_squid_port(xguest_usertype)
		corenet_tcp_connect_flash_port(xguest_usertype)
		corenet_tcp_connect_ftp_port(xguest_usertype)
		corenet_tcp_connect_ipp_port(xguest_usertype)
		corenet_tcp_connect_generic_port(xguest_usertype)
		corenet_tcp_connect_soundd_port(xguest_usertype)
		corenet_sendrecv_http_client_packets(xguest_usertype)
		corenet_sendrecv_http_cache_client_packets(xguest_usertype)
		corenet_sendrecv_squid_client_packets(xguest_usertype)
		corenet_sendrecv_ftp_client_packets(xguest_usertype)
		corenet_sendrecv_ipp_client_packets(xguest_usertype)
		corenet_sendrecv_generic_client_packets(xguest_usertype)
		# Should not need other ports
		corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
		corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
		corenet_tcp_connect_speech_port(xguest_usertype)
		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
		corenet_tcp_connect_transproxy_port(xguest_usertype)
	')

	optional_policy(`
		telepathy_dbus_session_role(xguest_r, xguest_t)
	')
')

optional_policy(`
	gen_require(`
		type mozilla_t;
	')

	allow xguest_t mozilla_t:process transition;
	role xguest_r types mozilla_t;
')

gen_user(xguest_u, user, xguest_r, s0, s0)
Bump module versions for release. 2010-05-24 19:32:01 +00:00			`policy_module(xguest, 1.1.0)`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

			`## <desc>`
			`## <p>`
			`## Allow xguest users to mount removable media`
			`## </p>`
			`## </desc>`
			`gen_tunable(xguest_mount_media, true)`

			`## <desc>`
			`## <p>`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`## Allow xguest to configure Network Manager and connect to apache ports`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`## </p>`
			`## </desc>`
			`gen_tunable(xguest_connect_network, true)`

			`## <desc>`
			`## <p>`
			`## Allow xguest to use blue tooth devices`
			`## </p>`
			`## </desc>`
			`gen_tunable(xguest_use_bluetooth, true)`

			`role xguest_r;`

			`userdom_restricted_xwindows_user_template(xguest)`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`sysnet_dns_name_resolve(xguest_t)`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00
			`########################################`
			`#`
			`# Local policy`
			`#`
Xguest patch from Dan Walsh. 2010-02-17 14:23:17 +00:00			ifndef(`enable_mls',`
			`fs_exec_noxattr(xguest_t)`

			tunable_policy(`user_rw_noexattrfile',`
			`fs_manage_noxattr_fs_files(xguest_t)`
			`fs_manage_noxattr_fs_dirs(xguest_t)`
			`# Write floppies`
			`storage_raw_read_removable_device(xguest_t)`
			`storage_raw_write_removable_device(xguest_t)`
			',`
			`storage_raw_read_removable_device(xguest_t)`
			`')`
			`')`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`# Dontaudit fusermount`
			`mount_dontaudit_exec_fusermount(xguest_t)`

			`allow xguest_t self:process execmem;`
			`kernel_dontaudit_request_load_module(xguest_t)`

			tunable_policy(`allow_execstack',`
			`allow xguest_t self:process execstack;`
			`')`
Xguest patch from Dan Walsh. 2010-02-17 14:23:17 +00:00
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`# Allow mounting of file systems`
			optional_policy(`
			tunable_policy(`xguest_mount_media',`
			`kernel_read_fs_sysctls(xguest_t)`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`kernel_request_load_module(xguest_t)`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`files_dontaudit_getattr_boot_dirs(xguest_t)`
			`files_search_mnt(xguest_t)`

			`fs_manage_noxattr_fs_files(xguest_t)`
			`fs_manage_noxattr_fs_dirs(xguest_t)`
			`fs_manage_noxattr_fs_dirs(xguest_t)`
			`fs_getattr_noxattr_fs(xguest_t)`
			`fs_read_noxattr_fs_symlinks(xguest_t)`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`fs_mount_fusefs(xguest_t)`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00
			`auth_list_pam_console_data(xguest_t)`
			`')`
			`')`

			optional_policy(`
			tunable_policy(`xguest_use_bluetooth',`
			`bluetooth_dbus_chat(xguest_t)`
			`')`
			`')`

UPdate for f14 policy 2010-08-26 13:41:21 +00:00			optional_policy(`
			`chrome_role(xguest_r, xguest_usertype)`
			`')`


trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			optional_policy(`
			`hal_dbus_chat(xguest_t)`
			`')`

			optional_policy(`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`apache_role(xguest_r, xguest_t)`
			`')`

			optional_policy(`
			`gnomeclock_dontaudit_dbus_chat(xguest_t)`
			`')`

			optional_policy(`
			`java_role_template(xguest, xguest_r, xguest_t)`
			`')`

			optional_policy(`
			`mono_role_template(xguest, xguest_r, xguest_t)`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`')`

			optional_policy(`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`mozilla_run_plugin(xguest_t, xguest_r)`
			`')`

			optional_policy(`
			`nsplugin_role(xguest_r, xguest_t)`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`')`

			optional_policy(`
			tunable_policy(`xguest_connect_network',`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`kernel_read_network_state(xguest_usertype)`

trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`networkmanager_dbus_chat(xguest_t)`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`networkmanager_read_lib_files(xguest_t)`
			`corenet_tcp_connect_pulseaudio_port(xguest_usertype)`
			`corenet_all_recvfrom_unlabeled(xguest_usertype)`
			`corenet_all_recvfrom_netlabel(xguest_usertype)`
			`corenet_tcp_sendrecv_generic_if(xguest_usertype)`
			`corenet_raw_sendrecv_generic_if(xguest_usertype)`
			`corenet_tcp_sendrecv_generic_node(xguest_usertype)`
			`corenet_raw_sendrecv_generic_node(xguest_usertype)`
			`corenet_tcp_sendrecv_http_port(xguest_usertype)`
			`corenet_tcp_sendrecv_http_cache_port(xguest_usertype)`
			`corenet_tcp_sendrecv_squid_port(xguest_usertype)`
			`corenet_tcp_sendrecv_ftp_port(xguest_usertype)`
			`corenet_tcp_sendrecv_ipp_port(xguest_usertype)`
			`corenet_tcp_connect_http_port(xguest_usertype)`
			`corenet_tcp_connect_http_cache_port(xguest_usertype)`
			`corenet_tcp_connect_squid_port(xguest_usertype)`
			`corenet_tcp_connect_flash_port(xguest_usertype)`
			`corenet_tcp_connect_ftp_port(xguest_usertype)`
			`corenet_tcp_connect_ipp_port(xguest_usertype)`
			`corenet_tcp_connect_generic_port(xguest_usertype)`
			`corenet_tcp_connect_soundd_port(xguest_usertype)`
			`corenet_sendrecv_http_client_packets(xguest_usertype)`
			`corenet_sendrecv_http_cache_client_packets(xguest_usertype)`
			`corenet_sendrecv_squid_client_packets(xguest_usertype)`
			`corenet_sendrecv_ftp_client_packets(xguest_usertype)`
			`corenet_sendrecv_ipp_client_packets(xguest_usertype)`
			`corenet_sendrecv_generic_client_packets(xguest_usertype)`
			`# Should not need other ports`
			`corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)`
			`corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)`
			`corenet_tcp_connect_speech_port(xguest_usertype)`
			`corenet_tcp_sendrecv_transproxy_port(xguest_usertype)`
			`corenet_tcp_connect_transproxy_port(xguest_usertype)`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`')`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00
			optional_policy(`
			`telepathy_dbus_session_role(xguest_r, xguest_t)`
			`')`
			`')`

			optional_policy(`
			gen_require(`
			`type mozilla_t;`
			`')`

			`allow xguest_t mozilla_t:process transition;`
			`role xguest_r types mozilla_t;`
trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00			`')`

UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`gen_user(xguest_u, user, xguest_r, s0, s0)`