[people/stevee/selinux-policy.git] / policy / modules / apps / gnome.if

## <summary>GNU network object model environment (GNOME)</summary>

###########################################################
## <summary>
##  Role access for gnome
## </summary>
## <param name="role">
##  <summary>
##  Role allowed access
##  </summary>
## </param>
## <param name="domain">
##  <summary>
##  User domain for the role
##  </summary>
## </param>
#
interface(`gnome_role',`
    gen_require(`
        type gconfd_t, gconfd_exec_t;
        type gconf_tmp_t;
    ')

    role $1 types gconfd_t;

    domain_auto_trans($2, gconfd_exec_t, gconfd_t)
    allow gconfd_t $2:fd use;
    allow gconfd_t $2:fifo_file write;
    allow gconfd_t $2:unix_stream_socket connectto;

    ps_process_pattern($2, gconfd_t)

	#gnome_stream_connect_gconf_template($1, $2)
	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
	allow $2 gconfd_t:unix_stream_socket connectto;
')

######################################
## <summary>
##      The role template for the gnome-keyring-daemon.
## </summary>
## <param name="user_prefix">
##      <summary>
##      The user prefix.
##      </summary>
## </param>
## <param name="user_role">
##      <summary>
##      The user role.
##      </summary>
## </param>
## <param name="user_domain">
##      <summary>
##      The user domain associated with the role.
##      </summary>
## </param>
#
interface(`gnome_role_gkeyringd',`
        gen_require(`
                attribute gkeyringd_domain;
                attribute gnome_domain;
                type gnome_home_t;
                type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
		class dbus send_msg;
        ')

	type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
	ubac_constrained($1_gkeyringd_t)
	domain_user_exemption_target($1_gkeyringd_t)

	role $2 types $1_gkeyringd_t;

	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)

	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };

	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
	corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
	allow $1_gkeyringd_t $3:process sigkill;
	allow $3 $1_gkeyringd_t:fd use;
	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;

	ps_process_pattern($1_gkeyringd_t, $3)

	ps_process_pattern($3, $1_gkeyringd_t)
	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };

	dontaudit $3 gkeyringd_exec_t:file entrypoint;

	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)

	allow $1_gkeyringd_t $3:dbus send_msg;
	allow $3 $1_gkeyringd_t:dbus send_msg;
	optional_policy(`
	       	dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t)
		dbus_session_bus_client($1_gkeyringd_t)
		gnome_home_dir_filetrans($1_gkeyringd_t)
		gnome_manage_generic_home_dirs($1_gkeyringd_t)

		optional_policy(`
			telepathy_mission_control_read_state($1_gkeyringd_t)
		')
	')
')

########################################
## <summary>
##	gconf connection template.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
	allow $1 gconfd_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket. 
## </summary>
## <param name="role_prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gkeyringd',`
	gen_require(`
			attribute gkeyringd_domain;
			type gkeyringd_tmp_t;
			type gconf_tmp_t;
	')

	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket. 
## </summary>
## <param name="role_prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Dontaudit read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')

########################################
## <summary>
##	Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	dontaudit $1 gnome_home_type:dir search_dir_perms;
')

########################################
## <summary>
##	manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	allow $1 gnome_home_type:dir manage_dir_perms;
	allow $1 gnome_home_type:file manage_file_perms;
	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Send general signals to all gconf domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signal_all',`
	gen_require(`
		attribute gnome_domain;
	')

	allow $1 gnome_domain:process signal;
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_cache_filetrans',`
	gen_require(`
		type cache_home_t;
	')

	filetrans_pattern($1, cache_home_t, $2, $3)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	read_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
	gen_require(`
		type cache_home_t;
	')

	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	append to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	append_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	write_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
	read_files_pattern($1, gnome_home_type, gnome_home_type)
	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Create objects in a Gnome gconf home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans',`
	gen_require(`
		type data_home_t;
	')

	filetrans_pattern($1, data_home_t, $2, $3)
	gnome_search_gconf($1)
')

#######################################
## <summary>
##      Manage gconf data home files
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`gnome_manage_data',`
        gen_require(`
                type data_home_t;
				type gconf_home_t;
        ')

		allow $1 gconf_home_t:dir search_dir_perms;
		manage_dirs_pattern($1, data_home_t, data_home_t)
        manage_files_pattern($1, data_home_t, data_home_t)
		manage_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')

########################################
## <summary>
##	read gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	allow $1 gconf_etc_t:dir list_dir_perms;
	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
	files_search_etc($1)
')

#######################################
## <summary>
##      Manage gconf config files
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
        gen_require(`
                type gconf_etc_t;
        ')

        allow $1 gconf_etc_t:dir list_dir_perms;
        manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
')

########################################
## <summary>
##	Execute gconf programs in 
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Execute gnome keyringd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_keyringd',`
	gen_require(`
		type gkeyringd_exec_t;
	')

	can_exec($1, gkeyringd_exec_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Read gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir list_dir_perms;
	allow $1 data_home_t:dir list_dir_perms;
	read_files_pattern($1, gconf_home_t, gconf_home_t)
	read_files_pattern($1, data_home_t, data_home_t)
	read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
	read_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Search gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gkeyringd_tmp_dirs',`
	gen_require(`
		type gkeyringd_tmp_t;
	')

	files_search_tmp($1)
	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
')

########################################
## <summary>
##	search gconf homedir (.local)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir search_dir_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of Gnome config dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	files_search_home($1)
')

########################################
## <summary>
##	Manage generic gnome home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_files',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, gnome_home_t, gnome_home_t)
')

########################################
## <summary>
##	Manage generic gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Append gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	append_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	manage gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Connect to gnome over an unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
interface(`gnome_stream_connect',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Connect to pulseaudit server
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')

########################################
## <summary>
##	list gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_list_home_config',`
	gen_require(`
		type config_home_t;
	')

	allow $1 config_home_t:dir list_dir_perms;
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`gnome_setattr_home_config',`
	gen_require(`
		type config_home_t;
	')

	setattr_dirs_pattern($1, config_home_t, config_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_config',`
	gen_require(`
		type config_home_t;
	')

	list_dirs_pattern($1, config_home_t, config_home_t)
	read_files_pattern($1, config_home_t, config_home_t)
	read_lnk_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`gnome_manage_home_config',`
	gen_require(`
		type config_home_t;
	')

	manage_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Read/Write all inherited gnome home config 
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	allow $1 gnome_home_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	gconf system service over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
	gen_require(`
		type gconfdefaultsm_t;
		class dbus send_msg;
	')

	allow $1 gconfdefaultsm_t:dbus send_msg;
	allow gconfdefaultsm_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	gkeyringd over dbus.
## </summary>
## <param name="role_prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		class dbus send_msg;
	')

	allow $1 gkeyringd_domain:dbus send_msg;
	allow gkeyringd_domain $1:dbus send_msg;
')

########################################
## <summary>
##	Create directories in user home directories
##	with the gnome home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_home_dir_filetrans',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
	userdom_search_user_home_dirs($1)
')

######################################
## <summary>
##      Allow read kde config content
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`gnome_read_usr_config',`
        gen_require(`
                type config_usr_t;
        ')

        files_search_usr($1)
		list_dirs_pattern($1, config_usr_t, config_usr_t)
		read_files_pattern($1, config_usr_t, config_usr_t)
		read_lnk_files_pattern($1, config_usr_t, config_usr_t)	
')

#######################################
## <summary>
##      Allow manage kde config content
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`gnome_manage_usr_config',`
        gen_require(`
                type config_usr_t;
        ')

        files_search_usr($1)
		manage_dirs_pattern($1, config_usr_t, config_usr_t)
		manage_files_pattern($1, config_usr_t, config_usr_t)
		manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
')

########################################
## <summary>
##	Execute gnome-keyring in the user gkeyring domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the gkeyring domain.
##	</summary>
## </param>
#
interface(`gnome_transition_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	allow $1 gkeyringd_domain:process transition;
	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
	allow gkeyringd_domain $1:process { sigchld signull };
	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
')