[selinux-policy: 2103/3172] trunk: 6 patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:06:36 UTC 2010
commit 42d567c3f4f10eec3043c481beb9fc6cc4fb9330
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Mar 31 13:40:59 2009 +0000
trunk: 6 patches from dan.
Changelog | 2 +
config/appconfig-mcs/guest_u_default_contexts | 6 ++
config/appconfig-mcs/xguest_u_default_contexts | 7 ++
config/appconfig-mls/guest_u_default_contexts | 5 +
config/appconfig-mls/xguest_u_default_contexts | 7 ++
config/appconfig-standard/guest_u_default_contexts | 7 ++
.../appconfig-standard/xguest_u_default_contexts | 7 ++
policy/modules/roles/guest.fc | 1 +
policy/modules/roles/guest.if | 50 ++++++++++++
policy/modules/roles/guest.te | 22 +++++
policy/modules/roles/xguest.fc | 1 +
policy/modules/roles/xguest.if | 50 ++++++++++++
policy/modules/roles/xguest.te | 83 ++++++++++++++++++++
13 files changed, 248 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index a3656ff..436ab35 100644
--- a/Changelog
+++ b/Changelog
@@ -12,7 +12,9 @@
- Remove node definitions and change node usage to generic nodes.
- Add kernel_service access vectors, from Stephen Smalley.
- Added modules:
+ gues (Dan Walsh)
logadm (Dan Walsh)
+ xguest (Dan Walsh)
zosremote (Dan Walsh)
* Wed Dec 10 2008 Chris PeBenito <selinux at tresys.com> - 2.20081210
diff --git a/config/appconfig-mcs/guest_u_default_contexts b/config/appconfig-mcs/guest_u_default_contexts
new file mode 100644
index 0000000..90e5262
--- /dev/null
+++ b/config/appconfig-mcs/guest_u_default_contexts
@@ -0,0 +1,6 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
diff --git a/config/appconfig-mcs/xguest_u_default_contexts b/config/appconfig-mcs/xguest_u_default_contexts
new file mode 100644
index 0000000..574363b
--- /dev/null
+++ b/config/appconfig-mcs/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-mls/guest_u_default_contexts b/config/appconfig-mls/guest_u_default_contexts
new file mode 100644
index 0000000..e2106ef
--- /dev/null
+++ b/config/appconfig-mls/guest_u_default_contexts
@@ -0,0 +1,5 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
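Review bot: The MLS guest_u_default_contexts is missing the `system_r:initrc_su_t:s0 guest_r:guest_t:s0` entry that the MCS variant of the same file and both xguest variants carry, so under MLS a guest_u session entered through initrc_su_t presumably falls through to the generic default_contexts lookup instead of the guest-specific one. If the omission is deliberate it deserves a sentence in the commit message; otherwise add the line between the crond_t and local_login_t entries so the MCS and MLS files agree.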
diff --git a/config/appconfig-mls/xguest_u_default_contexts b/config/appconfig-mls/xguest_u_default_contexts
new file mode 100644
index 0000000..574363b
--- /dev/null
+++ b/config/appconfig-mls/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-standard/guest_u_default_contexts b/config/appconfig-standard/guest_u_default_contexts
new file mode 100644
index 0000000..85a35fb
--- /dev/null
+++ b/config/appconfig-standard/guest_u_default_contexts
@@ -0,0 +1,7 @@
+guest_r:guest_t guest_r:guest_t
+system_r:crond_t guest_r:guest_t
+system_r:initrc_su_t guest_r:guest_t
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+
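Review bot: This file ends with an empty line (the hunk adds 7 lines for 6 entries), which none of the other new default_contexts files in this commit have. Drop the trailing blank line so the file matches its siblings and does not rely on the context-file parser tolerating empty lines.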
diff --git a/config/appconfig-standard/xguest_u_default_contexts b/config/appconfig-standard/xguest_u_default_contexts
new file mode 100644
index 0000000..55d44d1
--- /dev/null
+++ b/config/appconfig-standard/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t xguest_r:xguest_t
+system_r:initrc_su_t xguest_r:xguest_t
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:xdm_t xguest_r:xguest_t
+xguest_r:xguest_t xguest_r:xguest_t
diff --git a/policy/modules/roles/guest.fc b/policy/modules/roles/guest.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/guest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/guest.if b/policy/modules/roles/guest.if
new file mode 100644
index 0000000..ab01ad2
--- /dev/null
+++ b/policy/modules/roles/guest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge terminal user role</summary>
+
+########################################
+## <summary>
+## Change to the guest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow $1 guest_r;
+')
+
+########################################
+## <summary>
+## Change from the guest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the guest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change_to',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow guest_r $1;
+')
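Review bot: The module summary on the first line of guest.if misspells "privilege"; it should read `## <summary>Least privilege terminal user role</summary>`. The first line of xguest.if in this commit has the same typo and should become `## <summary>Least privilege xwindows user role</summary>`.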
diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
new file mode 100644
index 0000000..739c13e
--- /dev/null
+++ b/policy/modules/roles/guest.te
@@ -0,0 +1,22 @@
+
+policy_module(guest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+ java_role(guest_r, guest_t)
+')
+
+#gen_user(guest_u,, guest_r, s0, s0)
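Review bot: `role xguest_r;` in the Declarations section of guest.te looks like a copy-paste slip from xguest.te: this module's own interfaces in guest.if `gen_require` `role guest_r`, and nothing in this file declares guest_r. It should read `role guest_r;`. Whether the build currently succeeds depends on whether userdom_restricted_user_template declares the role itself, which is not visible here, but a stray xguest_r declaration inside the guest module is wrong either way.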
diff --git a/policy/modules/roles/xguest.fc b/policy/modules/roles/xguest.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/xguest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/xguest.if b/policy/modules/roles/xguest.if
new file mode 100644
index 0000000..0f05b1c
--- /dev/null
+++ b/policy/modules/roles/xguest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge xwindows user role</summary>
+
+########################################
+## <summary>
+## Change to the xguest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow $1 xguest_r;
+')
+
+########################################
+## <summary>
+## Change from the xguest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the xguest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change_to',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow xguest_r $1;
+')
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
new file mode 100644
index 0000000..19f531d
--- /dev/null
+++ b/policy/modules/roles/xguest.te
@@ -0,0 +1,83 @@
+
+policy_module(xguest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media, true)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network, true)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth, true)
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+
+ init_read_utmp(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ java_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ ')
+')
+
+#gen_user(xguest_u,, xguest_r, s0, s0)
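Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice inside the xguest_mount_media block; one of the two lines should be dropped. Separately, all three tunables are declared with a `true` default, so for a role whose interface summary calls it least-privilege, removable-media mounting, NetworkManager control and Bluetooth D-Bus chat are all enabled in the shipped baseline, and `hal_dbus_chat(xguest_t)` is granted with no tunable at all; consider `false` defaults, or a comment above each `gen_tunable` stating why `true` is intended. The `<desc>` for xguest_use_bluetooth should also say `Bluetooth devices` rather than `blue tooth devices`.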