policy_module(staff, 2.4.0) ######################################## # # Declarations # role staff_r; userdom_unpriv_user_template(staff) fs_exec_noxattr(staff_t) ## ##

## allow staff user to create and transition to svirt domains. ##

## gen_tunable(staff_use_svirt, false) ######################################## # # Local policy # allow staff_t self:cap_userns { setpcap }; allow staff_t self:netlink_generic_socket { create_socket_perms }; corenet_ib_access_unlabeled_pkeys(staff_t) kernel_read_ring_buffer(staff_t) kernel_getattr_core_if(staff_t) kernel_getattr_message_if(staff_t) kernel_read_software_raid_state(staff_t) kernel_read_fs_sysctls(staff_t) kernel_read_numa_state(staff_t) kernel_write_numa_state(staff_t) fs_read_hugetlbfs_files(staff_t) files_dontaudit_read_all_symlinks(staff_t) files_dontaudit_manage_boot_dirs(staff_t) fs_read_tmpfs_files(staff_t) fs_read_binfmt_misc(staff_t) dev_read_cpuid(staff_t) dev_read_kmsg(staff_t) dev_map_video_dev(staff_t) dev_rwx_zero(staff_t) dev_setattr_generic_usb_dev(staff_t) domain_read_all_domains_state(staff_t) domain_getcap_all_domains(staff_t) domain_getsched_all_domains(staff_t) domain_getattr_all_domains(staff_t) domain_obj_id_change_exemption(staff_t) files_read_kernel_modules(staff_t) seutil_read_module_store(staff_t) seutil_run_newrole(staff_t, staff_r) seutil_dbus_chat_semanage(staff_t) seutil_read_login_config(staff_t) storage_read_scsi_generic(staff_t) storage_write_scsi_generic(staff_t) term_use_unallocated_ttys(staff_t) term_use_generic_ptys(staff_t) auth_run_pam_console(staff_t, staff_r) init_dbus_chat(staff_t) init_dbus_chat_script(staff_t) init_getattr_pid_blk_file(staff_t) init_getattr_pid_chr_file(staff_t) init_status(staff_t) miscfiles_read_hwdata(staff_t) mount_sigkill(staff_t) mount_signal(staff_t) mount_run_ecryptmount(staff_t, staff_r) ifndef(`enable_mls',` selinux_read_policy(staff_t) ') optional_policy(` abrt_read_cache(staff_t) abrt_map_cache(staff_t) ') optional_policy(` accountsd_read_lib_files(staff_t) ') optional_policy(` apache_role(staff_r, staff_t) ') optional_policy(` auditadm_role_change(staff_r) ') optional_policy(` blueman_dbus_chat(staff_t) ') optional_policy(` boltd_write_var_run_pipes(staff_t) ') optional_policy(` kdumpgui_dbus_chat(staff_t) ') optional_policy(` bluetooth_role(staff_r, staff_t) ') optional_policy(` chrome_role(staff_r, staff_t) ') optional_policy(` colord_dbus_chat(staff_t) ') optional_policy(` dbadm_role_change(staff_r) ') optional_policy(` container_stream_connect(staff_t) container_runtime_exec(staff_t) ') optional_policy(` dirsrv_stream_connect(staff_t) dirsrv_manage_log(staff_t) dirsrv_manage_var_lib(staff_t) dirsrv_manage_var_run(staff_t) dirsrv_manage_config(staff_t) ') optional_policy(` dnsmasq_read_pid_files(staff_t) ') optional_policy(` dmesg_exec(staff_t) ') optional_policy(` firewalld_dbus_chat(staff_t) ') optional_policy(` firewallgui_dbus_chat(staff_t) ') optional_policy(` freqset_run(staff_t, staff_r) ') optional_policy(` fwupd_dbus_chat(staff_t) fwupd_read_cache_files(staff_t) ') optional_policy(` gnome_filetrans_fontconfig_home_content(staff_t) ') optional_policy(` irc_role(staff_r, staff_t) ') optional_policy(` journalctl_role(staff_r, staff_t) ') optional_policy(` kerberos_read_keytab(staff_t) ') optional_policy(` kerneloops_dbus_chat(staff_t) ') optional_policy(` kpatch_run(staff_t, staff_r) ') optional_policy(` iotop_run(staff_t, staff_r) ') optional_policy(` iptables_systemctl(staff_t) iptables_run(staff_t, staff_r) ') optional_policy(` iotop_run(staff_t, staff_r) ') optional_policy(` logadm_role_change(staff_r) ') optional_policy(` lpd_list_spool(staff_t) ') optional_policy(` mandb_map_cache_files(staff_t) ') optional_policy(` mock_role(staff_r, staff_t) ') optional_policy(` mozilla_run_plugin(staff_t, staff_r) ') optional_policy(` modutils_read_module_config(staff_t) modutils_read_module_deps(staff_t) ') optional_policy(` netutils_run_ping(staff_t, staff_r) netutils_run_traceroute(staff_t, staff_r) netutils_signal_ping(staff_t) netutils_kill_ping(staff_t) ') optional_policy(` oident_manage_user_content(staff_t) oident_relabel_user_content(staff_t) ') optional_policy(` mta_role(staff_r, staff_t) ') optional_policy(` mysql_exec(staff_t) ') optional_policy(` polipo_role(staff_r, staff_t) polipo_named_filetrans_cache_home_dirs(staff_t) polipo_named_filetrans_config_home_files(staff_t) ') optional_policy(` openvpn_exec(staff_t) ') optional_policy(` postgresql_role(staff_r, staff_t) ') optional_policy(` rtkit_scheduled(staff_t) ') optional_policy(` rpm_dbus_chat(staff_t) ') optional_policy(` rwho_read_spool_files(staff_t) ') optional_policy(` secadm_role_change(staff_r) ') optional_policy(` sandbox_transition(staff_t, staff_r) ') optional_policy(` sandbox_x_transition(staff_t, staff_r) ') optional_policy(` screen_role_template(staff, staff_r, staff_t) ') optional_policy(` sysadm_role_change(staff_r) userdom_dontaudit_use_user_terminals(staff_t) userdom_dontaudit_read_admin_home_files(staff_t) ') optional_policy(` systemd_config_all_services(staff_t) systemd_dbus_chat_machined(staff_t) systemd_exec_systemctl(staff_t) systemd_hwdb_mmap_config(staff_t) systemd_manage_all_unit_files(staff_t) systemd_manage_unit_dirs(staff_t) ') optional_policy(` setroubleshoot_stream_connect(staff_t) setroubleshoot_dbus_chat(staff_t) setroubleshoot_dbus_chat_fixit(staff_t) ') optional_policy(` rpc_rw_gssd_keys(staff_t) ') optional_policy(` ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` userhelper_console_role_template(staff, staff_r, staff_t) ') optional_policy(` unconfined_role_change(staff_r) ') optional_policy(` usbmuxd_stream_connect(staff_t) ') optional_policy(` virt_getattr_exec(staff_t) virt_search_images(staff_t) virt_stream_connect(staff_t) ') optional_policy(` vlock_run(staff_t, staff_r) ') optional_policy(` vmtools_run_helper(staff_t, staff_r) ') optional_policy(` vnstatd_read_lib_files(staff_t) ') optional_policy(` webadm_role_change(staff_r) ') optional_policy(` wireshark_role(staff_r, staff_t) wireshark_rw_shm(staff_t) ') optional_policy(` xserver_read_log(staff_t) xserver_run(staff_t, staff_r) ') ifndef(`distro_redhat',` optional_policy(` auth_role(staff_r, staff_t) ') optional_policy(` cdrecord_role(staff_r, staff_t) ') optional_policy(` cron_role(staff_r, staff) ') optional_policy(` dbus_role_template(staff, staff_r, staff_t) ') optional_policy(` evolution_role(staff_r, staff_t) ') optional_policy(` games_role(staff_r, staff_t) ') optional_policy(` gpg_role(staff_r, staff_t) ') optional_policy(` java_role(staff_r, staff_t) ') optional_policy(` lockdev_role(staff_r, staff_t) ') optional_policy(` lpd_role(staff_r, staff_t) ') optional_policy(` mozilla_role(staff_r, staff_t) ') optional_policy(` mplayer_role(staff_r, staff_t) ') optional_policy(` pyzor_role(staff_r, staff_t) ') optional_policy(` razor_role(staff_r, staff_t) ') optional_policy(` rssh_role(staff_r, staff_t) ') optional_policy(` spamassassin_role(staff_r, staff_t) ') optional_policy(` systemd_systemctl_entrypoint(staff_t) ') optional_policy(` thunderbird_role(staff_r, staff_t) ') optional_policy(` tvtime_role(staff_r, staff_t) ') optional_policy(` uml_role(staff_r, staff_t) ') optional_policy(` userhelper_role_template(staff, staff_r, staff_t) ') optional_policy(` vmware_role(staff_r, staff_t) ') optional_policy(` wireshark_role(staff_r, staff_t) ') ') tunable_policy(`selinuxuser_execmod',` userdom_execmod_user_home_files(staff_t) ') optional_policy(` virt_transition_svirt(staff_t, staff_r) virt_filetrans_home_content(staff_t) ') optional_policy(` tunable_policy(`staff_use_svirt',` allow staff_t self:fifo_file relabelfrom; dev_rw_kvm(staff_t) virt_manage_images(staff_t) virt_stream_connect_svirt(staff_t) virt_systemctl(staff_t) virt_rw_stream_sockets_svirt(staff_t) virt_exec(staff_t) ') ')