| author | Sumit Bose <sbose@nb.localdomain> | 2008-10-23 16:44:05 +0200 |
|---|---|---|
| committer | Sumit Bose <sbose@nb.localdomain> | 2008-10-23 16:44:05 +0200 |
| commit | a3ba3bc9399d8f36380b8cb68f7b0ca1084c1929 (patch) | |
| tree | 87452617dcbda39b495f8d498bf837fde29b3f15 | |
| parent | 2b0a5715646cba3c1fb4c9291779a631aaa653b6 (diff) | |
added new selinux_booleans and policykit_roles policies
| -rw-r--r-- | ipaaction/ipaaction.rng | 28 | ||||
| -rw-r--r-- | ipaaction/ipaaction_example_policy.xml | 3 | ||||
| -rw-r--r-- | policykit_roles/policykit_roles.rng | 153 | ||||
| -rw-r--r-- | policykit_roles/policykit_roles.xslt | 120 | ||||
| -rw-r--r-- | policykit_roles/policykit_roles_example_policy.xml | 46 | ||||
| -rw-r--r-- | selinux_booleans/selinux_booleans.rng | 386 | ||||
| -rw-r--r-- | selinux_booleans/selinux_booleans_example_policy.xml | 17 |
7 files changed, 748 insertions, 5 deletions
diff --git a/ipaaction/ipaaction.rng b/ipaaction/ipaaction.rng
index 983786b..8500275 100644
--- a/ipaaction/ipaaction.rng
+++ b/ipaaction/ipaaction.rng
@@ -3,6 +3,7 @@
 xmlns="http://relaxng.org/ns/structure/1.0"
 datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
 xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:s="http://purl.oclc.org/dsdl/schematron"
 xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
 
 <a:documentation>IPA Actions</a:documentation>
@@ -26,6 +27,23 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
 <ref name="policy_metadata"/>
 
 <element name="ipaaction">
+ <s:pattern name="Only allow one file and one run element">
+ <s:rule context="ipaaction">
+ <s:assert test="count(file)<=1">
+ too many files
+ </s:assert>
+ <s:assert test="count(run)<=1">
+ too many runs
+ </s:assert>
+ </s:rule>
+ </s:pattern>
+ <optional>
+ <element name="condition">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
 <oneOrMore>
 <choice>
 <element name="file">
@@ -57,11 +75,11 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
 </element>
 </optional>
 <optional>
- <element name="condition">
- <data type="string">
- <param name="pattern">/.*</param>
- </data>
- </element>
+ <oneOrMore>
+ <element name="acl">
+ <text/>
+ </element>
+ </oneOrMore>
 </optional>
 </element> <!-- file -->
 <element name="run">
diff --git a/ipaaction/ipaaction_example_policy.xml b/ipaaction/ipaaction_example_policy.xml
index 7198992..e545703 100644
--- a/ipaaction/ipaaction_example_policy.xml
+++ b/ipaaction/ipaaction_example_policy.xml
@@ -16,6 +16,9 @@
 <owner>nobody</owner>
 <group>nogroup</group>
 <access>0444</access>
+ <selinux_context>unconfined_u:object_r:user_home_t:s0</selinux_context>
+ <acl>user:dummy:rw-</acl>
+ <acl>user:admin:rw-</acl>
 </file>
 <run>
 <command>/bin/rm /tmp/something.txt</command>
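Review bot: The Schematron rule in the second hunk uses unprefixed names (`context="ipaaction"`, `count(file)`, `count(run)`), which in XPath 1.0 only match elements in no namespace; if ipaaction.rng declares a target namespace with `ns=` on its `<grammar` line the way the two new grammars in this commit do (that line is above the hunk, so this is inferred), the rule never selects anything and the "one file, one run" limit is silently not enforced. Bind the namespace for the embedded rules, e.g. `<s:ns prefix="ia" uri="…the grammar's ns value…"/>` beside the pattern, and write `context="ia:ipaaction"` with `count(ia:file)` and `count(ia:run)`. A validator that ignores Schematron annotations skips this check entirely, so the limit is only as strong as the validation step that runs it, and the structural alternative (`<optional>` for `file` and `run` instead of `<oneOrMore><choice>`) would be enforced by any RELAX NG validator. The `<` in `test="count(file)<=1"` must be `&lt;=` in the file for it to be well-formed XML; from this rendering it cannot be told whether the entity is already there.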
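Review bot: The new `acl` element in the third hunk is `<text/>`, so an entry is accepted unvalidated before it reaches the stylesheet that turns a policy into commands (presumably ipaaction.xslt, which is not in this diff); the sibling `condition` element already shows the pattern mechanism, so restrict `acl` to POSIX ACL short text, e.g. `<data type="string"><param name="pattern">(default:)?(u|user|g|group|m|mask|o|other):[^:]*:[rwx-]{3}</param></data>`. The example policy in this commit uses `user:dummy:rw-` and `user:admin:rw-`, which that pattern still accepts. `<optional><oneOrMore>…</oneOrMore></optional>` can be written as a single `<zeroOrMore>`.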
diff --git a/policykit_roles/policykit_roles.rng b/policykit_roles/policykit_roles.rng
new file mode 100644
index 0000000..204e9a9
--- /dev/null
+++ b/policykit_roles/policykit_roles.rng
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="utf-8"?>
+<grammar ns="http://freeipa.org/xml/rng/policykit_roles/1.0"
+xmlns="http://relaxng.org/ns/structure/1.0"
+datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
+xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:s="http://purl.oclc.org/dsdl/schematron"
+xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
+
+ <a:documentation>Role definitions for Policy Kit</a:documentation>
+
+ <a:documentation>The following section can be used to register the RNG schema file for the UI</a:documentation>
+ <a:name>policykit_roles</a:name>
+ <a:description>modify Policy Kit roles</a:description>
+ <a:author>sbose@redhat.com</a:author>
+ <a:version>0.1</a:version>
+
+ <define name="rng_filename"><value>policykit_roles.rng</value></define>
+ <define name="xslt_filename"><value>policykit_roles.xslt</value></define>
+ <define name="application_name"><value>policykit_roles</value></define>
+ <include href="policy_metadata.rng"/>
+
+ <start ns="http://freeipa.org/xml/rng/policykit_roles/1.0">
+ <element name="ipa">
+
+ <ref name="policy_metadata"/>
+
+ <element name="iparole">
+ <oneOrMore>
+ <element name="role">
+ <element name="name">
+ <text/>
+ </element>
+ <oneOrMore>
+ <element name="action">
+ <choice>
+ <element name="action_id">
+ <choice>
+ <value>org.freedesktop.consolekit.system.stop</value>
+ <value>org.freedesktop.consolekit.system.stop-multiple-users</value>
+ <value>org.freedesktop.consolekit.system.restart</value>
+ <value>org.freedesktop.consolekit.system.restart-multiple-users</value>
+ <value>org.freedesktop.hal.device-access.sound</value>
+ <value>org.freedesktop.hal.device-access.video4linux</value>
+ <value>org.freedesktop.hal.device-access.cdrom</value>
+ <value>org.freedesktop.hal.device-access.dvb</value>
+ <value>org.freedesktop.hal.device-access.camera</value>
+ <value>org.freedesktop.hal.device-access.scanner</value>
+ <value>org.freedesktop.hal.device-access.audio-player</value>
+ <value>org.freedesktop.hal.device-access.ieee1394-iidc</value>
+ <value>org.freedesktop.hal.device-access.ieee1394-avc</value>
+ <value>org.freedesktop.hal.device-access.pda</value>
+ <value>org.freedesktop.hal.dockstation.undock</value>
+ <value>org.freedesktop.hal.killswitch.bluetooth</value>
+ <value>org.freedesktop.hal.killswitch.wlan</value>
+ <value>org.freedesktop.hal.killswitch.wwan</value>
+ <value>org.freedesktop.hal.lock</value>
+ <value>org.freedesktop.hal.power-management.shutdown</value>
+ <value>org.freedesktop.hal.power-management.shutdown-multiple-sessions</value>
+ <value>org.freedesktop.hal.power-management.reboot</value>
+ <value>org.freedesktop.hal.power-management.reboot-multiple-sessions</value>
+ <value>org.freedesktop.hal.power-management.set-powersave</value>
+ <value>org.freedesktop.hal.power-management.suspend</value>
+ <value>org.freedesktop.hal.power-management.hibernate</value>
+ <value>org.freedesktop.hal.power-management.cpufreq</value>
+ <value>org.freedesktop.hal.power-management.lcd-panel</value>
+ <value>org.freedesktop.hal.power-management.light-sensor</value>
+ <value>org.freedesktop.hal.power-management.keyboard-backlight</value>
+ <value>org.freedesktop.hal.storage.mount-fixed</value>
+ <value>org.freedesktop.hal.storage.mount-removable</value>
+ <value>org.freedesktop.hal.storage.unmount-others</value>
+ <value>org.freedesktop.hal.storage.eject</value>
+ <value>org.freedesktop.hal.storage.crypto-setup-fixed</value>
+ <value>org.freedesktop.hal.storage.crypto-setup-removable</value>
+ <value>org.freedesktop.hal.wol.enabled</value>
+ <value>org.freedesktop.hal.wol.enable</value>
+ <value>org.freedesktop.hal.wol.supported</value>
+ <value>org.freedesktop.network-manager-settings.system.modify</value>
+ <value>org.freedesktop.packagekit.install</value>
+ <value>org.freedesktop.packagekit.localinstall-untrusted</value>
+ <value>org.freedesktop.packagekit.localinstall-trusted</value>
+ <value>org.freedesktop.packagekit.install-signature</value>
+ <value>org.freedesktop.packagekit.accept-eula</value>
+ <value>org.freedesktop.packagekit.update-package</value>
+ <value>org.freedesktop.packagekit.remove</value>
+ <value>org.freedesktop.packagekit.update-system</value>
+ <value>org.freedesktop.packagekit.rollback</value>
+ <value>org.freedesktop.packagekit.repo-change</value>
+ <value>org.freedesktop.packagekit.refresh-cache</value>
+ <value>org.freedesktop.packagekit.set-proxy</value>
+ <value>org.freedesktop.policykit.read</value>
+ <value>org.freedesktop.policykit.revoke</value>
+ <value>org.freedesktop.policykit.grant</value>
+ <value>org.freedesktop.policykit.modify-defaults</value>
+ <value>org.gnome.clockapplet.mechanism.settimezone</value>
+ <value>org.gnome.clockapplet.mechanism.settime</value>
+ <value>org.gnome.clockapplet.mechanism.configurehwclock</value>
+ <value>org.gnome.system-monitor.change-priority</value>
+ <value>org.gnome.system-monitor.increase-own-priority</value>
+ <value>org.gnome.system-monitor.kill</value>
+ <value>org.libvirt.unix.monitor</value>
+ <value>org.libvirt.unix.manage</value>
+ <value>org.pulseaudio.acquire-real-time</value>
+ <value>org.pulseaudio.acquire-high-priority</value>
+ </choice>
+ </element>
+ <element name="action_id_free">
+ <text/>
+ </element>
+ </choice>
+ <element name="allow_any">
+ <choice>
+ <value>no</value>
+ <value>auth_self</value>
+ <value>auth_self_keep_session</value>
+ <value>auth_self_keep_always</value>
+ <value>auth_admin</value>
+ <value>auth_admin_keep_session</value>
+ <value>auth_admin_keep_always</value>
+ <value>yes</value>
+ </choice>
+ </element>
+ <element name="allow_inactive">
+ <choice>
+ <value>no</value>
+ <value>auth_self</value>
+ <value>auth_self_keep_session</value>
+ <value>auth_self_keep_always</value>
+ <value>auth_admin</value>
+ <value>auth_admin_keep_session</value>
+ <value>auth_admin_keep_always</value>
+ <value>yes</value>
+ </choice>
+ </element>
+ <element name="allow_active">
+ <choice>
+ <value>no</value>
+ <value>auth_self</value>
+ <value>auth_self_keep_session</value>
+ <value>auth_self_keep_always</value>
+ <value>auth_admin</value>
+ <value>auth_admin_keep_session</value>
+ <value>auth_admin_keep_always</value>
+ <value>yes</value>
+ </choice>
+ </element>
+ </element> <!-- action -->
+ </oneOrMore>
+ </element> <!-- role -->
+ </oneOrMore>
+ </element> <!-- iparole -->
+ </element> <!-- ipa -->
+ </start>
+</grammar>
diff --git a/policykit_roles/policykit_roles.xslt b/policykit_roles/policykit_roles.xslt
new file mode 100644
index 0000000..09718ee
--- /dev/null
+++ b/policykit_roles/policykit_roles.xslt
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:md="http://freeipa.org/xsl/metadata/1.0"
+ xmlns:xd="http://www.pnp-software.com/XSLTdoc"
+ xmlns:pol="http://freeipa.org/xml/rng/policykit_roles/1.0">
+
+ <md:output_handler>
+ <file name="/tmp/policykit-SAFE.ldif" owner="root" group="root" permission="400"/>
+ </md:output_handler>
+
+ <xsl:param name="output_selector"/>
+
+ <xsl:output method="text" indent="no"/>
+ <xsl:strip-space elements="*"/>
+
+ <xsl:template match="/">
+ <xsl:text># IPA generated ldif for policykit roles. DO NOT EDIT
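Review bot: `role/name` is declared as `<text/>`, but policykit_roles.xslt in this same commit writes it unescaped into an LDAP DN (`dn: ou=<name>,ou=PolicyKitRoles,…`), so a name containing `,`, `+`, `"`, `\`, `<`, `>`, `;` or a leading `#` or space produces a malformed entry or one placed elsewhere in the tree; constrain it in the grammar, e.g. `<data type="string"><param name="pattern">[A-Za-z0-9_.-]+</param></data>`, and give `action_id_free` the same treatment since it can end up in the same DN. The three identical value lists under `allow_any`, `allow_inactive` and `allow_active` should be one `<define name="policykit_result">…</define>` referenced three times, so a new PolicyKit result keyword is added in one place. The 66-entry `action_id` list is a snapshot of the actions installed on one system; an `<a:documentation>` naming the release it was taken from would tell maintainers when it has gone stale.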

</xsl:text>
+ <xsl:apply-templates select="pol:ipa"/>
+ </xsl:template>
+
+ <xsl:template match="pol:ipa">
+ <xsl:apply-templates>
+ <xsl:with-param name="pol:iparole"/>
+ </xsl:apply-templates>
+ </xsl:template>
+
+ <xsl:template match="pol:metadata">
+ </xsl:template>
+
+ <xsl:template match="pol:iparole">
+ <xsl:apply-templates select="pol:role"/>
+ </xsl:template>
+
+ <xsl:template match="pol:role">
+ <xsl:text># role: </xsl:text>
+ <xsl:value-of select="pol:name"/>
+ <xsl:text>
</xsl:text>
+ <xsl:text>dn: ou=</xsl:text>
+ <xsl:value-of select="pol:name"/>
+ <xsl:text>,ou=PolicyKitRoles,xx=some,xx=ldap,xx=path


</xsl:text>
+
+ <xsl:apply-templates select="pol:action">
+ <xsl:with-param name="rolename" select="pol:name"/>
+ </xsl:apply-templates>
+ </xsl:template>
+
+ <xsl:template match="pol:action">
+ <xsl:param name="rolename"/>
+
+ <xsl:text>dn: ou=</xsl:text>
+ <xsl:value-of select="pol:action_id"/>
+ <xsl:text>,ou=</xsl:text>
+ <xsl:value-of select="$rolename"/>
+ <xsl:text>,ou=PolicyKitRoles,xx=some,xx=ldap,xx=path
</xsl:text>
+ <xsl:text>changetype: modify
</xsl:text>
+ <xsl:text>replace: allow_any
allow_any: </xsl:text>
+ <xsl:value-of select="pol:allow_any"/>
+ <xsl:text>
-
changetype: modify
</xsl:text>
+ <xsl:text>replace: allow_inactive
allow_inactive: </xsl:text>
+ <xsl:value-of select="pol:allow_inactive"/>
+ <xsl:text>
-
changetype: modify
</xsl:text>
+ <xsl:text>replace: allow_active
allow_active: </xsl:text>
+ <xsl:value-of select="pol:allow_active"/>
+ <xsl:text>

</xsl:text>
+ </xsl:template>
+
+
+ <xsl:template match="pol:file">
+ <xsl:choose>
+ <xsl:when test="name(./*[1])='url'">
+ <xsl:text>su - nobody 'curl -o /tmp/SAFE_TEMP_FILE </xsl:text>
+ <xsl:value-of select="pol:url"/>
+ <xsl:text>'
</xsl:text>
+ </xsl:when>
+ <xsl:when test="name(./*[1])='data'">
+ <xsl:text>cat << EOF | base64 -d > /tmp/SAFE_TEMP_FILE
</xsl:text>
+ <xsl:value-of select="pol:data"/>
+ <xsl:text>
EOF
</xsl:text>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:text># unknown element: </xsl:text>
+ <xsl:value-of select="name(./*[1])"/>
+ <xsl:text>
</xsl:text>
+ </xsl:otherwise>
+ </xsl:choose>
+
+ <xsl:text>mv /tmp/SAFE_TEMP_FILE </xsl:text>
+ <xsl:value-of select="pol:path"/>
+ <xsl:text>
</xsl:text>
+
+ <xsl:text>chown </xsl:text>
+ <xsl:value-of select="pol:owner"/>
+ <xsl:text>:</xsl:text>
+ <xsl:value-of select="pol:group"/>
+ <xsl:text> </xsl:text>
+ <xsl:value-of select="pol:path"/>
+ <xsl:text>
</xsl:text>
+ </xsl:template>
+
+ <xsl:template match="pol:run">
+ <xsl:variable name="user">
+ <xsl:choose>
+ <xsl:when test="pol:user != ''">
+ <xsl:value-of select="pol:user"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:text>nobody</xsl:text>
+ </xsl:otherwise>
+ </xsl:choose>
+ </xsl:variable>
+ <xsl:text>su - </xsl:text>
+ <xsl:value-of select="$user"/>
+ <xsl:text> '</xsl:text>
+ <xsl:value-of select="pol:command"/>
+ <xsl:text>'
</xsl:text>
+ </xsl:template>
+
+</xsl:stylesheet>
diff --git a/policykit_roles/policykit_roles_example_policy.xml b/policykit_roles/policykit_roles_example_policy.xml
new file mode 100644
index 0000000..1f615d3
--- /dev/null
+++ b/policykit_roles/policykit_roles_example_policy.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ipa xmlns="http://freeipa.org/xml/rng/policykit_roles/1.0">
+ <metadata>
+ <name>simple policykit_roles example</name>
+ <author>sbose@redhat.com</author>
+ <version>0.7071</version>
+ <RNGfile>policykit_roles.rng</RNGfile>
+ <XSLTfile>policykit_roles.xslt</XSLTfile>
+ <app>policykit_roles</app>
+ </metadata>
+
+ <iparole>
+ <role>
+ <name>allways_yes</name>
+ <action>
+ <action_id>org.pulseaudio.acquire-real-time</action_id>
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </action>
+ <action>
+ <action_id>org.pulseaudio.acquire-high-priority</action_id>
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </action>
+ </role>
+
+ <role>
+ <name>allways_no</name>
+ <action>
+ <action_id>org.pulseaudio.acquire-real-time</action_id>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>no</allow_active>
+ </action>
+ <action>
+ <action_id>org.pulseaudio.acquire-high-priority</action_id>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>no</allow_active>
+ </action>
+ </role>
+ </iparole>
+
+</ipa>
diff --git a/selinux_booleans/selinux_booleans.rng b/selinux_booleans/selinux_booleans.rng
new file mode 100644
index 0000000..5402ce8
--- /dev/null
+++ b/selinux_booleans/selinux_booleans.rng
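Review bot: An action written with `<action_id_free>` (the alternative policykit_roles.rng allows) comes out of the `pol:action` template as `dn: ou=,ou=<role>,…`, because the RDN is built only from `pol:action_id`; use `<xsl:value-of select="pol:action_id | pol:action_id_free"/>` so either variant fills it. Both that value and `$rolename` are placed in a DN without RFC 4514 escaping, so if free-form ids or names are kept, `,`, `+`, `"`, `\`, `<`, `>`, `;` and a leading `#` or space must be escaped here or excluded by the grammar. The generated record also repeats `changetype: modify` after each `-` separator; an RFC 2849 modify record carries one `changetype:` line and separates its mod-specs with `-` alone, and the final `replace: allow_active` mod-spec should be closed with `-` as well, so the three `changetype: modify` text chunks should be collapsed into the one emitted after the `dn:` line. The `pol:file` and `pol:run` templates at the end match elements the policykit_roles grammar does not define and splice `pol:url`, `pol:path`, `pol:owner`, `pol:group` and `pol:command` into `su`/`mv`/`chown` command lines without quoting; they look copied from the ipaaction stylesheet and should be dropped rather than left as dead code that would be reached if the grammar ever grew those elements. `md:output_handler` names a fixed path, `/tmp/policykit-SAFE.ldif`, owned by root in a world-writable directory; if the handler creates that file as root, a pre-placed symlink at the same name redirects the write, so a private output directory or a uniquely created temporary file is the safer choice.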
@@ -0,0 +1,386 @@
+<?xml version="1.0" encoding="utf-8"?>
+<grammar ns="http://freeipa.org/xml/rng/selinux_booleans/1.0"
+xmlns="http://relaxng.org/ns/structure/1.0"
+datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
+xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:s="http://purl.oclc.org/dsdl/schematron"
+xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
+
+ <a:documentation>SELinux Booleans</a:documentation>
+
+ <a:documentation>The following section can be used to register the RNG schema file for the UI</a:documentation>
+ <a:name>selinux_booleans</a:name>
+ <a:description>modify SELinux booleans</a:description>
+ <a:author>sbose@redhat.com</a:author>
+ <a:version>0.1</a:version>
+
+ <define name="rng_filename"><value>selinux_booleans.rng</value></define>
+ <define name="xslt_filename"><value>selinux_booleans.xslt</value></define>
+ <define name="application_name"><value>selinux_booleans</value></define>
+ <include href="policy_metadata.rng"/>
+
+ <start ns="http://freeipa.org/xml/rng/selinux_booleans/1.0">
+ <element name="ipa">
+
+ <ref name="policy_metadata"/>
+
+ <element name="ipaconfig">
+ <oneOrMore>
+ <choice>
+ <element name="allow_console_login">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_cvs_read_shadow">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_daemons_dump_core">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_daemons_use_tty">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_domain_fd_use">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_execheap">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_execmem">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_execmod">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_execstack">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_ftpd_anon_write">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_ftpd_full_access">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_ftpd_use_cifs">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_ftpd_use_nfs">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_gadmin_exec_content">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_gssd_read_tmp">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_guest_exec_content">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_httpd_anon_write">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_httpd_dbus_avahi">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_httpd_mod_auth_ntlm_winbind">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_httpd_mod_auth_pam">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_httpd_sys_script_anon_write">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_kerberos">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_mount_anyfile">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_mplayer_execstack">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_nfsd_anon_write">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_nsplugin_execmem">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_polyinstantiation">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_postfix_local_write_mail_spool">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_ptrace">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_qemu_full_network">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_read_x_device">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_rsync_anon_write">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_saslauthd_read_shadow">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_smbd_anon_write">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_ssh_keysign">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_staff_exec_content">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_sysadm_exec_content">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_unconfined_exec_content">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_unconfined_mmap_low">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_unconfined_nsplugin_transition">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_unconfined_qemu_transition">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_user_exec_content">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_user_postgresql_connect">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_write_xshm">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_xguest_exec_content">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_xserver_execmem">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_ypbind">
+ <data type="boolean"/>
+ </element>
+ <element name="allow_zebra_write_config">
+ <data type="boolean"/>
+ </element>
+ <element name="browser_confine_xguest">
+ <data type="boolean"/>
+ </element>
+ <element name="browser_write_xguest_data">
+ <data type="boolean"/>
+ </element>
+ <element name="cdrecord_read_content">
+ <data type="boolean"/>
+ </element>
+ <element name="exim_can_connect_db">
+ <data type="boolean"/>
+ </element>
+ <element name="exim_manage_user_files">
+ <data type="boolean"/>
+ </element>
+ <element name="exim_read_user_files">
+ <data type="boolean"/>
+ </element>
+ <element name="fcron_crond">
+ <data type="boolean"/>
+ </element>
+ <element name="ftp_home_dir">
+ <data type="boolean"/>
+ </element>
+ <element name="global_ssp">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_builtin_scripting">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_can_network_connect">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_can_network_connect_db">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_can_network_relay">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_can_sendmail">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_enable_cgi">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_enable_ftp_server">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_enable_homedirs">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_execmem">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_ssi_exec">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_tty_comm">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_unified">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_use_cifs">
+ <data type="boolean"/>
+ </element>
+ <element name="httpd_use_nfs">
+ <data type="boolean"/>
+ </element>
+ <element name="named_write_master_zones">
+ <data type="boolean"/>
+ </element>
+ <element name="nfs_export_all_ro">
+ <data type="boolean"/>
+ </element>
+ <element name="nfs_export_all_rw">
+ <data type="boolean"/>
+ </element>
+ <element name="openvpn_enable_homedirs">
+ <data type="boolean"/>
+ </element>
+ <element name="pppd_can_insmod">
+ <data type="boolean"/>
+ </element>
+ <element name="pppd_for_user">
+ <data type="boolean"/>
+ </element>
+ <element name="qemu_use_cifs">
+ <data type="boolean"/>
+ </element>
+ <element name="qemu_use_nfs">
+ <data type="boolean"/>
+ </element>
+ <element name="read_default_t">
+ <data type="boolean"/>
+ </element>
+ <element name="read_untrusted_content">
+ <data type="boolean"/>
+ </element>
+ <element name="rsync_export_all_ro">
+ <data type="boolean"/>
+ </element>
+ <element name="samba_domain_controller">
+ <data type="boolean"/>
+ </element>
+ <element name="samba_enable_home_dirs">
+ <data type="boolean"/>
+ </element>
+ <element name="samba_export_all_ro">
+ <data type="boolean"/>
+ </element>
+ <element name="samba_export_all_rw">
+ <data type="boolean"/>
+ </element>
+ <element name="samba_run_unconfined">
+ <data type="boolean"/>
+ </element>
+ <element name="samba_share_fusefs">
+ <data type="boolean"/>
+ </element>
+ <element name="samba_share_nfs">
+ <data type="boolean"/>
+ </element>
+ <element name="secure_mode">
+ <data type="boolean"/>
+ </element>
+ <element name="secure_mode_insmod">
+ <data type="boolean"/>
+ </element>
+ <element name="secure_mode_policyload">
+ <data type="boolean"/>
+ </element>
+ <element name="sepgsql_enable_users_ddl">
+ <data type="boolean"/>
+ </element>
+ <element name="spamassassin_can_network">
+ <data type="boolean"/>
+ </element>
+ <element name="spamd_enable_home_dirs">
+ <data type="boolean"/>
+ </element>
+ <element name="squid_connect_any">
+ <data type="boolean"/>
+ </element>
+ <element name="ssh_sysadm_login">
+ <data type="boolean"/>
+ </element>
+ <element name="tftp_anon_write">
+ <data type="boolean"/>
+ </element>
+ <element name="use_lpd_server">
+ <data type="boolean"/>
+ </element>
+ <element name="use_nfs_home_dirs">
+ <data type="boolean"/>
+ </element>
+ <element name="use_samba_home_dirs">
+ <data type="boolean"/>
+ </element>
+ <element name="user_direct_mouse">
+ <data type="boolean"/>
+ </element>
+ <element name="user_ping">
+ <data type="boolean"/>
+ </element>
+ <element name="user_rw_noexattrfile">
+ <data type="boolean"/>
+ </element>
+ <element name="user_tcp_server">
+ <data type="boolean"/>
+ </element>
+ <element name="user_ttyfile_stat">
+ <data type="boolean"/>
+ </element>
+ <element name="virt_use_nfs">
+ <data type="boolean"/>
+ </element>
+ <element name="virt_use_samba">
+ <data type="boolean"/>
+ </element>
+ <element name="webadm_manage_user_files">
+ <data type="boolean"/>
+ </element>
+ <element name="webadm_read_user_files">
+ <data type="boolean"/>
+ </element>
+ <element name="write_untrusted_content">
+ <data type="boolean"/>
+ </element>
+ <element name="xdm_sysadm_login">
+ <data type="boolean"/>
+ </element>
+ <element name="xen_use_nfs">
+ <data type="boolean"/>
+ </element>
+ <element name="xguest_connect_network">
+ <data type="boolean"/>
+ </element>
+ <element name="xguest_mount_media">
+ <data type="boolean"/>
+ </element>
+ <element name="xguest_use_bluetooth">
+ <data type="boolean"/>
+ </element>
+ <element name="xserver_object_manager">
+ <data type="boolean"/>
+ </element>
+ </choice>
+ </oneOrMore>
+ </element> <!-- ipaconfig -->
+ </element> <!-- ipa -->
+ </start>
+</grammar>
diff --git a/selinux_booleans/selinux_booleans_example_policy.xml b/selinux_booleans/selinux_booleans_example_policy.xml
new file mode 100644
index 0000000..a666789
--- /dev/null
+++ b/selinux_booleans/selinux_booleans_example_policy.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ipa xmlns="http://freeipa.org/xml/rng/selinux_booleans/1.0">
+ <metadata>
+ <name>simple selinux_booleans example</name>
+ <author>sbose@redhat.com</author>
+ <version>0.7071</version>
+ <RNGfile>selinux_booleans.rng</RNGfile>
+ <XSLTfile>selinux_booleans.xslt</XSLTfile>
+ <app>selinux_booleans</app>
+ </metadata>
+
+ <ipaconfig>
+ <webadm_manage_user_files>true</webadm_manage_user_files>
+ <ssh_sysadm_login>false</ssh_sysadm_login>
+ </ipaconfig>
+
+</ipa> |
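Review bot: Both the `xslt_filename` define in selinux_booleans.rng and `<XSLTfile>` in the example policy refer to `selinux_booleans.xslt`, which is not among the seven files the diffstat lists, so a policy validated by this grammar has no stylesheet to apply it; either add the stylesheet here or state in the commit message that it follows. The `ipaconfig` content model `<oneOrMore><choice>…</choice></oneOrMore>` accepts the same boolean several times with conflicting values (`<allow_execmem>true</allow_execmem>` followed by `<allow_execmem>false</allow_execmem>` validates), leaving the result to whichever order the consumer applies them; an `<interleave>` of `<optional><element …>` entries admits each boolean at most once in any order. `<data type="boolean"/>` also accepts the lexical forms `1` and `0`, so the consumer must map both spellings, or the grammar should restrict the value to `<choice><value>true</value><value>false</value></choice>`. An `<a:documentation>` on `secure_mode_policyload` is worth adding, since according to its reference-policy description enabling it blocks further policy loads and boolean changes until reboot, which would also stop this policy mechanism from applying later changes.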
