policy_module(unprivuser, 2.4.0)

## <desc>
## <p>
## Allow unprivileged user to create and transition to svirt domains.
## </p>
## </desc>
gen_tunable(unprivuser_use_svirt, false)

# this module should be named user, but that is
# a compile error since user is a keyword.

########################################
#
# Declarations
#

role user_r;

userdom_unpriv_user_template(user)

########################################
#
# Local policy
#

allow user_t self:netlink_generic_socket { create_socket_perms };

kernel_read_numa_state(user_t)
kernel_write_numa_state(user_t)

dev_setattr_generic_usb_dev(user_t)

files_dontaudit_manage_boot_dirs(user_t)
fs_exec_noxattr(user_t)
fs_read_hugetlbfs_files(user_t)

storage_read_scsi_generic(user_t)
storage_write_scsi_generic(user_t)

seutil_read_module_store(user_t)

init_dbus_chat(user_t)
init_status(user_t)

mount_signal(user_t)
mount_run_ecryptmount(user_t, user_r)

tunable_policy(`selinuxuser_execmod',`
	userdom_execmod_user_home_files(user_t)
')

optional_policy(`
	abrt_read_cache(user_t)
')

optional_policy(`
	apache_role(user_r, user_t)
')

optional_policy(`
	blueman_dbus_chat(user_t)
')

optional_policy(`
	bluetooth_role(user_r, user_t)
')

optional_policy(`
	boltd_write_var_run_pipes(user_t)
')

optional_policy(`
	colord_dbus_chat(user_t)
')

optional_policy(`
	chrome_role(user_r, user_t)
')

optional_policy(`
    dirsrv_stream_connect(user_t)
')

optional_policy(`
	fwupd_dbus_chat(user_t)
')

optional_policy(`
	journalctl_role(user_r, user_t)
')

optional_policy(`
	irc_role(user_r, user_t)
')

optional_policy(`
	oident_manage_user_content(user_t)
	oident_relabel_user_content(user_t)
')

optional_policy(`
    mandb_map_cache_files(user_t)
')

optional_policy(`
	mozilla_run_plugin(user_t, user_r)
')

optional_policy(`
	mta_role(user_r, user_t)
')

optional_policy(`
	netutils_run_ping_cond(user_t, user_r)
	netutils_run_traceroute_cond(user_t, user_r)
')

optional_policy(`
	polipo_role(user_r, user_t)
	polipo_named_filetrans_cache_home_dirs(user_t)
	polipo_named_filetrans_config_home_files(user_t)
')

optional_policy(`
	rpc_rw_gssd_keys(user_t)
')

optional_policy(`
	rpm_dontaudit_dbus_chat(user_t)
')

optional_policy(`
	rtkit_scheduled(user_t)
')

optional_policy(`
	systemd_dbus_chat_machined(user_t)
	systemd_read_unit_files(user_t)
	systemd_exec_systemctl(user_t)
')

optional_policy(`
	sandbox_transition(user_t, user_r)
')

optional_policy(`
	sandbox_x_transition(user_t, user_r)
')

optional_policy(`
	ssh_role_template(user, user_r, user_t)
')

optional_policy(`
	screen_role_template(user, user_r, user_t)
')

optional_policy(`
	setroubleshoot_dontaudit_stream_connect(user_t)
')

#optional_policy(`
#	telepathy_dbus_session_role(user_r, user_t)
#')

optional_policy(`
	usbmuxd_stream_connect(user_t)
')

optional_policy(`
	vlock_run(user_t, user_r)
')

ifndef(`distro_redhat',`
	optional_policy(`
		auth_role(user_r, user_t)
	')

	optional_policy(`
		bluetooth_role(user_r, user_t)
	')

	optional_policy(`
		cdrecord_role(user_r, user_t)
	')

	optional_policy(`
		cron_role(user_r, user)
	')

	optional_policy(`
		dbus_role_template(user, user_r, user_t)

		optional_policy(`
			gnome_role_template(user, user_r, user_t)
		')
	')

	optional_policy(`
		evolution_role(user_r, user_t)
	')

	optional_policy(`
		games_role(user_r, user_t)
	')

	optional_policy(`
       		gnome_filetrans_fontconfig_home_content(user_t)
	')

	optional_policy(`
		gpg_role(user_r, user_t)
	')

	optional_policy(`
		hadoop_role(user_r, user_t)
	')

	optional_policy(`
		irc_role(user_r, user_t)
	')

	optional_policy(`
		java_role(user_r, user_t)
	')

	optional_policy(`
		lockdev_role(user_r, user_t)
	')

	optional_policy(`
		lpd_role(user_r, user_t)
	')

	optional_policy(`
		mozilla_role(user_r, user_t)
	')

	optional_policy(`
		mplayer_role(user_r, user_t)
	')

	optional_policy(`
		postgresql_role(user_r, user_t)
	')

	optional_policy(`
		pyzor_role(user_r, user_t)
	')

	optional_policy(`
		razor_role(user_r, user_t)
	')

	optional_policy(`
		rssh_role(user_r, user_t)
	')

	optional_policy(`
		spamassassin_role(user_r, user_t)
	')

	optional_policy(`
		ssh_role_template(user, user_r, user_t)
	')

	optional_policy(`
		systemd_systemctl_entrypoint(user_t)
	')


	optional_policy(`
		thunderbird_role(user_r, user_t)
	')

	optional_policy(`
		tvtime_role(user_r, user_t)
	')

	optional_policy(`
		uml_role(user_r, user_t)
	')

	optional_policy(`
		userhelper_role_template(user, user_r, user_t)
	')

	optional_policy(`
		vmware_role(user_r, user_t)
	')

	optional_policy(`
		wireshark_role(user_r, user_t)
	')

	optional_policy(`
		xserver_run(user_t, user_r)
	')
')

optional_policy(`
    vmtools_run_helper(user_t, user_r)
')


optional_policy(`
	virt_transition_svirt(user_t, user_r)
	virt_filetrans_home_content(user_t)
')

optional_policy(`
	tunable_policy(`unprivuser_use_svirt',`
		virt_manage_images(user_t)
	')
')