authorChris PeBenito <cpebenito@tresys.com>2008-04-29 13:58:34 +0000
committerChris PeBenito <cpebenito@tresys.com>2008-04-29 13:58:34 +0000
commite9c6cda7da0eb0aabcf51574f9939f241665847d (patch)
treec1888e468d69d47d947b796ad3ff056140a1f653 /policy/modules/roles/staff.if
parenta0647afa0c2289c843e3cf71a5c6ab4ff636049a (diff)
trunk: Move user roles into individual modules.
Diffstat (limited to 'policy/modules/roles/staff.if')
-rw-r--r--policy/modules/roles/staff.if162
1 files changed, 162 insertions, 0 deletions
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
new file mode 100644
index 00000000..6e0bc69f
--- /dev/null
+++ b/policy/modules/roles/staff.if
@@ -0,0 +1,162 @@
+## <summary>Administrator's unprivileged user role</summary>
+
+########################################
+## <summary>
+## Change to the staff role.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_template',`
+ userdom_role_change_template($1, staff)
+')
+
+########################################
+## <summary>
+## Change from the staff role.
+## </summary>
+## <desc>
+## <p>
+## Change from the staff role to
+## the specified role.
+## </p>
+## <p>
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_to_template',`
+ userdom_role_change_template(staff, $1)
+')
+
+########################################
+## <summary>
+## Search the staff users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_search_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the staff
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`staff_dontaudit_search_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ dontaudit $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete staff
+## home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_manage_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel to staff home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_relabelto_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append to the staff
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`staff_dontaudit_append_home_content_files',`
+ gen_require(`
+ type staff_home_t;
+ ')
+
+ dontaudit $1 staff_home_t:file append;
+')
+
+########################################
+## <summary>
+## Read files in the staff users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_read_home_content_files',`
+ gen_require(`
+ type staff_home_dir_t, staff_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+ read_lnk_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+')
+
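Review bot: The summary above `interface(`staff_read_home_content_files'` understates what the interface grants: besides reading `staff_home_t` files it also allows listing both `staff_home_dir_t` and `staff_home_t` directories (`list_dir_perms`) and reading symlinks via `read_lnk_files_pattern`, and policy authors choose interfaces by these summaries, so an understated one invites over-granting. Suggest `## Read files and symbolic links, and list directories, in the staff users home directory.`. Likewise the summary of `staff_dontaudit_append_home_content_files` says "append to the staff users home directory" while the rule is `dontaudit $1 staff_home_t:file append`, i.e. files under the home directory rather than the directory itself; `## Do not audit attempts to append to files in the staff users home directory.` would match the rule. The other summaries in this hunk agree with their rules as far as I can see.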