trunk: 6 patches from dan.

Changelog

@@ -12,7 +12,9 @@
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.
 - Added modules:
+	gues (Dan Walsh)
 	logadm (Dan Walsh)
+	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
 
 * Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210

config/appconfig-mcs/guest_u_default_contexts

@@ -0,0 +1,6 @@
+guest_r:guest_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
+system_r:initrc_su_t:s0		guest_r:guest_t:s0
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0

config/appconfig-mcs/xguest_u_default_contexts

@@ -0,0 +1,7 @@
+system_r:crond_t:s0		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0		xguest_r:xguest_t:s0
+system_r:local_login_t:s0	xguest_r:xguest_t:s0
+system_r:remote_login_t:s0	xguest_r:xguest_t:s0
+system_r:sshd_t:s0		xguest_r:xguest_t:s0
+system_r:xdm_t:s0		xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0		xguest_r:xguest_t:s0

config/appconfig-mls/guest_u_default_contexts

@@ -0,0 +1,5 @@
+guest_r:guest_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0

config/appconfig-mls/xguest_u_default_contexts

@@ -0,0 +1,7 @@
+system_r:crond_t:s0		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0		xguest_r:xguest_t:s0
+system_r:local_login_t:s0	xguest_r:xguest_t:s0
+system_r:remote_login_t:s0	xguest_r:xguest_t:s0
+system_r:sshd_t:s0		xguest_r:xguest_t:s0
+system_r:xdm_t:s0		xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0		xguest_r:xguest_t:s0

config/appconfig-standard/guest_u_default_contexts

@@ -0,0 +1,7 @@
+guest_r:guest_t			guest_r:guest_t
+system_r:crond_t		guest_r:guest_t
+system_r:initrc_su_t		guest_r:guest_t
+system_r:local_login_t		guest_r:guest_t
+system_r:remote_login_t		guest_r:guest_t
+system_r:sshd_t			guest_r:guest_t
+

config/appconfig-standard/xguest_u_default_contexts

@@ -0,0 +1,7 @@
+system_r:crond_t	xguest_r:xguest_t
+system_r:initrc_su_t	xguest_r:xguest_t
+system_r:local_login_t	xguest_r:xguest_t
+system_r:remote_login_t	xguest_r:xguest_t
+system_r:sshd_t		xguest_r:xguest_t
+system_r:xdm_t		xguest_r:xguest_t
+xguest_r:xguest_t	xguest_r:xguest_t

policy/modules/roles/guest.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/guest.if

@@ -0,0 +1,50 @@
+## <summary>Least privledge terminal user role</summary>
+
+########################################
+## <summary>
+##	Change to the guest role.
+## </summary>
+## <param name="role">
+##	<summary>
+##     Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change',`
+	gen_require(`
+		role guest_r;
+	')
+
+	allow $1 guest_r;
+')
+
+########################################
+## <summary>
+##	Change from the guest role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the guest role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change_to',`
+	gen_require(`
+		role guest_r;
+	')
+
+	allow guest_r $1;
+')

policy/modules/roles/guest.te

@@ -0,0 +1,22 @@
+
+policy_module(guest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+	java_role(guest_r, guest_t)
+')
+
+#gen_user(guest_u,, guest_r, s0, s0)

policy/modules/roles/xguest.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/xguest.if

@@ -0,0 +1,50 @@
+## <summary>Least privledge xwindows user role</summary>
+
+########################################
+## <summary>
+##	Change to the xguest role.
+## </summary>
+## <param name="role">
+##	<summary>
+##     Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change',`
+	gen_require(`
+		role xguest_r;
+	')
+
+	allow $1 xguest_r;
+')
+
+########################################
+## <summary>
+##	Change from the xguest role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the xguest role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change_to',`
+	gen_require(`
+		role xguest_r;
+	')
+
+	allow xguest_r $1;
+')

policy/modules/roles/xguest.te

@@ -0,0 +1,83 @@
+
+policy_module(xguest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media, true)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network, true)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth, true)
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+# Allow mounting of file systems
+optional_policy(`
+	tunable_policy(`xguest_mount_media',`
+		kernel_read_fs_sysctls(xguest_t)
+
+		files_dontaudit_getattr_boot_dirs(xguest_t)
+		files_search_mnt(xguest_t)
+
+		fs_manage_noxattr_fs_files(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_getattr_noxattr_fs(xguest_t)
+		fs_read_noxattr_fs_symlinks(xguest_t)
+
+		auth_list_pam_console_data(xguest_t)
+
+		init_read_utmp(xguest_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`xguest_use_bluetooth',`
+		bluetooth_dbus_chat(xguest_t)
+	')
+')
+
+optional_policy(`
+	hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+	java_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+	mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+	tunable_policy(`xguest_connect_network',`
+		networkmanager_dbus_chat(xguest_t)
+	')
+')
+
+#gen_user(xguest_u,, xguest_r, s0, s0)