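policy_module(guest,1.0.0)

#######################################
## <summary>
##	The template for creating an unprivileged user.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's tty, pty, home directories,
##	tmp, and tmpfs files.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
define(`userdom_privhome_user_template',`
	gen_require(`
		type $1_home_dir_t, $1_home_t;
		# privhome is an attribute declared outside this module; it must be
		# required here so the template does not depend on its caller having
		# already pulled it in.
		attribute privhome;
	')

	# privileged home directory writers: every domain carrying the privhome
	# attribute gets full manage rights over this user home tree, and new
	# objects it creates there are labelled as the user home type.
	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
')

#######################################
## <summary>
##	Base rules for a login user domain: home, tmp and tmpfs management,
##	password change, the user role, and read-only access to common
##	system state.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
define(`userdom_login_user', `
	gen_require(`
		role system_r;
	')

	userdom_base_user_template($1)
	userdom_manage_home_template($1)
	userdom_exec_home_template($1)
	userdom_manage_tmp_template($1)
	userdom_exec_tmp_template($1)
	userdom_manage_tmpfs_template($1)
	userdom_change_password_template($1)

	role $1_r types $1_t;
	allow system_r $1_r;

	corecmd_exec_all_executables($1_t)

	# Only these three capabilities are granted; the set does not include
	# dac_override, so DAC permission checks on files still apply.
	allow $1_t self:capability { setgid chown fowner };
	dontaudit $1_t self:capability { sys_nice fsetid };

	# All process permissions except: setcurrent/setexec (no dynamic
	# domain transitions), setrlimit, and execmem/execstack/execheap
	# (no writable-and-executable memory mappings).
	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };

	# Silences the audit noise only; route sockets remain denied.
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	##############################
	#
	# User domain Local policy
	#

	kernel_read_system_state($1_t)

	dev_read_sysfs($1_t)
	dev_read_urand($1_t)

	domain_use_interactive_fds($1_t)
	# Command completion can fire hundreds of denials
	domain_dontaudit_exec_all_entry_files($1_t)

	# Stat lost+found.
	files_getattr_lost_found_dirs($1_t)

	fs_get_all_fs_quotas($1_t)
	fs_getattr_all_fs($1_t)
	fs_getattr_all_dirs($1_t)
	fs_search_auto_mountpoints($1_t)
	fs_list_inotifyfs($1_t)

	# Stop warnings about access to /dev/console
	init_dontaudit_rw_utmp($1_t)
	init_dontaudit_use_fds($1_t)
	init_dontaudit_use_script_fds($1_t)

	libs_exec_lib_files($1_t)

	logging_dontaudit_getattr_all_logs($1_t)

	miscfiles_read_man_pages($1_t)
	# for running TeX programs
	miscfiles_read_tetex_data($1_t)
	miscfiles_exec_tetex_data($1_t)

	seutil_read_config($1_t)

	files_dontaudit_list_default($1_t)
	files_dontaudit_read_default_files($1_t)

	tunable_policy(`user_ttyfile_stat',`
		term_getattr_all_user_ttys($1_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`
		modutils_read_module_config($1_t)
	')

	optional_policy(`
		mta_rw_spool($1_t)
	')

	optional_policy(`
		nis_use_ypbind($1_t)
	')

	optional_policy(`
		nscd_socket_use($1_t)
	')

	optional_policy(`
		quota_dontaudit_getattr_db($1_t)
	')

	optional_policy(`
		rpm_read_db($1_t)
		rpm_dontaudit_manage_db($1_t)
	')
')

#######################################
## <summary>
##	An unprivileged login user: userdom_login_user plus the privhome
##	rules, with the domain and its per-user types tagged with the
##	generic unprivileged user attributes.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
define(`userdom_unpriv_login_user', `
	gen_require(`
		attribute unpriv_userdomain;
		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
	')

	userdom_login_user($1)
	userdom_privhome_user_template($1)

	# Mark the domain as an unprivileged user domain so that rules written
	# against the unpriv_userdomain attribute apply to it.
	typeattribute $1_t unpriv_userdomain;

	domain_interactive_fd($1_t)

	# Tag the per-user types with the generic user type attributes.
	typeattribute $1_devpts_t user_ptynode;
	typeattribute $1_home_dir_t user_home_dir_type;
	typeattribute $1_home_t user_home_type;
	typeattribute $1_tmp_t user_tmpfile;
	typeattribute $1_tty_device_t user_ttynode;
')

########################################
#
# Local policy
#

userdom_unpriv_login_user(guest)

# Networking is deliberately not granted to the guest domain. The rules
# below are kept commented out as a record of what enabling it would
# involve. Note that they use the template argument form; at file scope
# there is no template argument, so if they were ever enabled they would
# need the concrete domain type created by the call above (guest_t),
# not the literal placeholder.
#userdom_basic_networking_template(guest)
#kernel_read_network_state($1_t)
#kernel_read_net_sysctls($1_t)
#corenet_udp_bind_all_nodes($1_t)
#corenet_udp_bind_generic_port($1_t)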