[selinux-policy: 2103/3172] trunk: 6 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:06:36 UTC 2010


commit 42d567c3f4f10eec3043c481beb9fc6cc4fb9330
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 31 13:40:59 2009 +0000

    trunk: 6 patches from dan.

 Changelog                                          |    2 +
 config/appconfig-mcs/guest_u_default_contexts      |    6 ++
 config/appconfig-mcs/xguest_u_default_contexts     |    7 ++
 config/appconfig-mls/guest_u_default_contexts      |    5 +
 config/appconfig-mls/xguest_u_default_contexts     |    7 ++
 config/appconfig-standard/guest_u_default_contexts |    7 ++
 .../appconfig-standard/xguest_u_default_contexts   |    7 ++
 policy/modules/roles/guest.fc                      |    1 +
 policy/modules/roles/guest.if                      |   50 ++++++++++++
 policy/modules/roles/guest.te                      |   22 +++++
 policy/modules/roles/xguest.fc                     |    1 +
 policy/modules/roles/xguest.if                     |   50 ++++++++++++
 policy/modules/roles/xguest.te                     |   83 ++++++++++++++++++++
 13 files changed, 248 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index a3656ff..436ab35 100644
--- a/Changelog
+++ b/Changelog
@@ -12,7 +12,9 @@
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.
 - Added modules:
+	gues (Dan Walsh)
 	logadm (Dan Walsh)
+	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
 
 * Wed Dec 10 2008 Chris PeBenito <selinux at tresys.com> - 2.20081210
diff --git a/config/appconfig-mcs/guest_u_default_contexts b/config/appconfig-mcs/guest_u_default_contexts
new file mode 100644
index 0000000..90e5262
--- /dev/null
+++ b/config/appconfig-mcs/guest_u_default_contexts
@@ -0,0 +1,6 @@
+guest_r:guest_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
+system_r:initrc_su_t:s0		guest_r:guest_t:s0
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
diff --git a/config/appconfig-mcs/xguest_u_default_contexts b/config/appconfig-mcs/xguest_u_default_contexts
new file mode 100644
index 0000000..574363b
--- /dev/null
+++ b/config/appconfig-mcs/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0		xguest_r:xguest_t:s0
+system_r:local_login_t:s0	xguest_r:xguest_t:s0
+system_r:remote_login_t:s0	xguest_r:xguest_t:s0
+system_r:sshd_t:s0		xguest_r:xguest_t:s0
+system_r:xdm_t:s0		xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0		xguest_r:xguest_t:s0
diff --git a/config/appconfig-mls/guest_u_default_contexts b/config/appconfig-mls/guest_u_default_contexts
new file mode 100644
index 0000000..e2106ef
--- /dev/null
+++ b/config/appconfig-mls/guest_u_default_contexts
@@ -0,0 +1,5 @@
+guest_r:guest_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
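Review bot: The MLS variant of guest_u_default_contexts has no `system_r:initrc_su_t:s0` entry, while the MCS file (L50), the standard file (L99) and the MLS xguest file (L85) all carry one. Unless the omission is deliberate for MLS, add `system_r:initrc_su_t:s0		guest_r:guest_t:s0` so a su from an init script resolves to the guest context the same way on every policy type. If it is deliberate, a one-line comment in the file stating why would stop the next person from "fixing" it.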
diff --git a/config/appconfig-mls/xguest_u_default_contexts b/config/appconfig-mls/xguest_u_default_contexts
new file mode 100644
index 0000000..574363b
--- /dev/null
+++ b/config/appconfig-mls/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0		xguest_r:xguest_t:s0
+system_r:local_login_t:s0	xguest_r:xguest_t:s0
+system_r:remote_login_t:s0	xguest_r:xguest_t:s0
+system_r:sshd_t:s0		xguest_r:xguest_t:s0
+system_r:xdm_t:s0		xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0		xguest_r:xguest_t:s0
diff --git a/config/appconfig-standard/guest_u_default_contexts b/config/appconfig-standard/guest_u_default_contexts
new file mode 100644
index 0000000..85a35fb
--- /dev/null
+++ b/config/appconfig-standard/guest_u_default_contexts
@@ -0,0 +1,7 @@
+guest_r:guest_t			guest_r:guest_t
+system_r:crond_t		guest_r:guest_t
+system_r:initrc_su_t		guest_r:guest_t
+system_r:local_login_t		guest_r:guest_t
+system_r:remote_login_t		guest_r:guest_t
+system_r:sshd_t			guest_r:guest_t
+
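Review bot: This file ends with an empty line (L103), which none of the other five default_contexts files added in this commit have. Drop the trailing blank line so the six files stay uniform; the context mappings themselves match the MCS variant apart from the missing level suffix, as expected for the standard policy.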
diff --git a/config/appconfig-standard/xguest_u_default_contexts b/config/appconfig-standard/xguest_u_default_contexts
new file mode 100644
index 0000000..55d44d1
--- /dev/null
+++ b/config/appconfig-standard/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t	xguest_r:xguest_t
+system_r:initrc_su_t	xguest_r:xguest_t
+system_r:local_login_t	xguest_r:xguest_t
+system_r:remote_login_t	xguest_r:xguest_t
+system_r:sshd_t		xguest_r:xguest_t
+system_r:xdm_t		xguest_r:xguest_t
+xguest_r:xguest_t	xguest_r:xguest_t
diff --git a/policy/modules/roles/guest.fc b/policy/modules/roles/guest.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/guest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/guest.if b/policy/modules/roles/guest.if
new file mode 100644
index 0000000..ab01ad2
--- /dev/null
+++ b/policy/modules/roles/guest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge terminal user role</summary>
+
+########################################
+## <summary>
+##	Change to the guest role.
+## </summary>
+## <param name="role">
+##	<summary>
+##     Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change',`
+	gen_require(`
+		role guest_r;
+	')
+
+	allow $1 guest_r;
+')
+
+########################################
+## <summary>
+##	Change from the guest role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the guest role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change_to',`
+	gen_require(`
+		role guest_r;
+	')
+
+	allow guest_r $1;
+')
diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
new file mode 100644
index 0000000..739c13e
--- /dev/null
+++ b/policy/modules/roles/guest.te
@@ -0,0 +1,22 @@
+
+policy_module(guest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+	java_role(guest_r, guest_t)
+')
+
+#gen_user(guest_u,, guest_r, s0, s0)
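Review bot: guest.te declares `role xguest_r;` (L194) but this is the guest module, and nothing in the file ever uses xguest_r; the xguest module declares that role itself at L306. This looks like a copy-paste from xguest.te and should read `role guest_r;`, matching how xguest.te declares its own role before calling the user template. Presumably `userdom_restricted_user_template(guest)` expects the caller to have declared guest_r, as xguest.te does for xguest_r; without it the guest role is only implicitly declared through the template's rules, and the module carries a stray duplicate declaration of xguest_r.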
diff --git a/policy/modules/roles/xguest.fc b/policy/modules/roles/xguest.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/xguest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/xguest.if b/policy/modules/roles/xguest.if
new file mode 100644
index 0000000..0f05b1c
--- /dev/null
+++ b/policy/modules/roles/xguest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge xwindows user role</summary>
+
+########################################
+## <summary>
+##	Change to the xguest role.
+## </summary>
+## <param name="role">
+##	<summary>
+##     Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change',`
+	gen_require(`
+		role xguest_r;
+	')
+
+	allow $1 xguest_r;
+')
+
+########################################
+## <summary>
+##	Change from the xguest role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the xguest role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change_to',`
+	gen_require(`
+		role xguest_r;
+	')
+
+	allow xguest_r $1;
+')
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
new file mode 100644
index 0000000..19f531d
--- /dev/null
+++ b/policy/modules/roles/xguest.te
@@ -0,0 +1,83 @@
+
+policy_module(xguest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media, true)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network, true)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth, true)
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+# Allow mounting of file systems
+optional_policy(`
+	tunable_policy(`xguest_mount_media',`
+		kernel_read_fs_sysctls(xguest_t)
+
+		files_dontaudit_getattr_boot_dirs(xguest_t)
+		files_search_mnt(xguest_t)
+
+		fs_manage_noxattr_fs_files(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_getattr_noxattr_fs(xguest_t)
+		fs_read_noxattr_fs_symlinks(xguest_t)
+
+		auth_list_pam_console_data(xguest_t)
+
+		init_read_utmp(xguest_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`xguest_use_bluetooth',`
+		bluetooth_dbus_chat(xguest_t)
+	')
+')
+
+optional_policy(`
+	hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+	java_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+	mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+	tunable_policy(`xguest_connect_network',`
+		networkmanager_dbus_chat(xguest_t)
+	')
+')
+
+#gen_user(xguest_u,, xguest_r, s0, s0)
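Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice in the xguest_mount_media block (L324 and L325); one of the two lines should be removed. Separately, all three tunables (`xguest_mount_media`, `xguest_connect_network`, `xguest_use_bluetooth`) default to `true`, so a role whose interface file describes it as least privilege ships with media mounting, NetworkManager control and Bluetooth access on unless an administrator turns them off; consider defaulting them to false, or at least noting in each tunable's `<desc>` that the default is permissive. The `hal_dbus_chat(xguest_t)` grant at L342 is the only D-Bus access here that is not behind a tunable, which reads as an inconsistency with the bluetooth and networkmanager blocks and may be worth a comment explaining why it is unconditional.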

