]> git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/apps/gnome.if
projects / people / stevee / selinux-policy.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Initial mailscanner policy
[people/stevee/selinux-policy.git] / policy / modules / apps / gnome.if
CommitLineData
00219064
CP		 1## <summary>GNU network object model environment (GNOME)</summary>
2
efa04715 3###########################################################
00219064 4## <summary>
efa04715 5## Role access for gnome
00219064 6## </summary>
efa04715
MG		 7## <param name="role">
8## <summary>
9## Role allowed access
10## </summary>
00219064 11## </param>
efa04715
MG		 12## <param name="domain">
13## <summary>
14## User domain for the role
15## </summary>
00219064
CP		 16## </param>
17#
296273a7 18interface(`gnome_role',`
efa04715
MG		 19 gen_require(`
20 type gconfd_t, gconfd_exec_t;
21 type gconf_tmp_t;
22 ')
00219064 23
efa04715 24 role $1 types gconfd_t;
00219064 25
efa04715
MG		 26 domain_auto_trans($2, gconfd_exec_t, gconfd_t)
27 allow gconfd_t $2:fd use;
28 allow gconfd_t $2:fifo_file write;
29 allow gconfd_t $2:unix_stream_socket connectto;
6b19be33 30
efa04715 31 ps_process_pattern($2, gconfd_t)
00219064 32
31d4b0a6 33 #gnome_stream_connect_gconf_template($1, $2)
296273a7
CP		 34 read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
35 allow $2 gconfd_t:unix_stream_socket connectto;
efa04715 36')
ca9e8850 37
efa04715
MG		 38######################################
39## <summary>
40## The role template for the gnome-keyring-daemon.
41## </summary>
42## <param name="user_prefix">
43## <summary>
44## The user prefix.
45## </summary>
46## </param>
47## <param name="user_role">
48## <summary>
49## The user role.
50## </summary>
51## </param>
52## <param name="user_domain">
53## <summary>
54## The user domain associated with the role.
55## </summary>
56## </param>
57#
58interface(`gnome_role_gkeyringd',`
59 gen_require(`
60 attribute gkeyringd_domain;
61 attribute gnome_domain;
62 type gnome_home_t;
63 type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
1d7e6f6b 64 class dbus send_msg;
efa04715
MG		 65 ')
66
4153537b 67 type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
37c03afb 68 typealias $1_gkeyringd_t alias gkeyringd_$1_t;
4153537b
DW		 69 application_domain($1_gkeyringd_t, gkeyringd_exec_t)
70 ubac_constrained($1_gkeyringd_t)
71 domain_user_exemption_target($1_gkeyringd_t)
ca9e8850 72
4153537b 73 role $2 types $1_gkeyringd_t;
ca9e8850 74
4153537b 75 domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
ca9e8850 76
efa04715
MG		 77 allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
78 allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
ca9e8850 79
efa04715
MG		 80 allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
81 allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
ca9e8850 82
4153537b
DW		 83 corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
84 corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
85 allow $1_gkeyringd_t $3:process sigkill;
86 allow $3 $1_gkeyringd_t:fd use;
87 allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
0e50301b 88
4153537b 89 ps_process_pattern($1_gkeyringd_t, $3)
ca9e8850 90
4153537b
DW		 91 ps_process_pattern($3, $1_gkeyringd_t)
92 allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
ca9e8850 93
efa04715
MG		 94 dontaudit $3 gkeyringd_exec_t:file entrypoint;
95
4153537b 96 stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
5598732f 97
4153537b
DW		 98 allow $1_gkeyringd_t $3:dbus send_msg;
99 allow $3 $1_gkeyringd_t:dbus send_msg;
efa04715 100 optional_policy(`
6b772880 101 dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
4153537b
DW		 102 dbus_session_bus_client($1_gkeyringd_t)
103 gnome_home_dir_filetrans($1_gkeyringd_t)
104 gnome_manage_generic_home_dirs($1_gkeyringd_t)
efa04715 105
1d7e6f6b 106 optional_policy(`
4153537b 107 telepathy_mission_control_read_state($1_gkeyringd_t)
1d7e6f6b 108 ')
efa04715 109 ')
00219064 110')
2a98379a 111
ab8f919e
CP		 112########################################
113## <summary>
a947daf6 114## gconf connection template.
ab8f919e 115## </summary>
aa760a23 116## <param name="domain">
ab8f919e 117## <summary>
aa760a23 118## Domain allowed access.
ab8f919e
CP		 119## </summary>
120## </param>
121#
a947daf6 122interface(`gnome_stream_connect_gconf',`
ab8f919e 123 gen_require(`
a947daf6 124 type gconfd_t, gconf_tmp_t;
ab8f919e
CP		 125 ')
126
a947daf6
DW		 127 read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
128 allow $1 gconfd_t:unix_stream_socket connectto;
ab8f919e
CP		 129')
130
ca9e8850
DW		 131########################################
132## <summary>
133## Connect to gkeyringd with a unix stream socket.
134## </summary>
135## <param name="role_prefix">
136## <summary>
137## Role prefix.
138## </summary>
139## </param>
140## <param name="domain">
141## <summary>
142## Domain allowed access.
143## </summary>
144## </param>
145#
146interface(`gnome_stream_connect_gkeyringd',`
147 gen_require(`
455fe183
MG		 148 attribute gkeyringd_domain;
149 type gkeyringd_tmp_t;
150 type gconf_tmp_t;
ca9e8850
DW		 151 ')
152
455fe183 153 allow $1 gconf_tmp_t:dir search_dir_perms;
c9799808 154 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
ca9e8850
DW		 155')
156
157########################################
158## <summary>
159## Connect to gkeyringd with a unix stream socket.
160## </summary>
161## <param name="role_prefix">
162## <summary>
163## Role prefix.
164## </summary>
165## </param>
166## <param name="domain">
167## <summary>
168## Domain allowed access.
169## </summary>
170## </param>
171#
172interface(`gnome_stream_connect_all_gkeyringd',`
173 gen_require(`
174 attribute gkeyringd_domain;
175 type gkeyringd_tmp_t;
f28aaa84 176 type gconf_tmp_t;
ca9e8850
DW		 177 ')
178
f28aaa84 179 allow $1 gconf_tmp_t:dir search_dir_perms;
ca9e8850 180 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
ca9e8850
DW		 181')
182
a947daf6 183########################################
ab8f919e 184## <summary>
a947daf6 185## Run gconfd in gconfd domain.
ab8f919e
CP		 186## </summary>
187## <param name="domain">
188## <summary>
189## Domain allowed access.
190## </summary>
191## </param>
192#
a947daf6 193interface(`gnome_domtrans_gconfd',`
ab8f919e 194 gen_require(`
a947daf6 195 type gconfd_t, gconfd_exec_t;
ab8f919e
CP		 196 ')
197
a947daf6 198 domtrans_pattern($1, gconfd_exec_t, gconfd_t)
ab8f919e
CP		 199')
200
57955a25
DW		 201########################################
202## <summary>
203## Dontaudit read gnome homedir content (.config)
204## </summary>
205## <param name="domain">
206## <summary>
24280f35 207## Domain to not audit.
57955a25
DW		 208## </summary>
209## </param>
210#
211interface(`gnome_dontaudit_read_config',`
212 gen_require(`
213 attribute gnome_home_type;
214 ')
215
216 dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
217')
218
00219064
CP		 219########################################
220## <summary>
a947daf6 221## Dontaudit search gnome homedir content (.config)
00219064 222## </summary>
aa760a23 223## <param name="domain">
00219064 224## <summary>
24280f35 225## Domain to not audit.
6b19be33
CP		 226## </summary>
227## </param>
228#
a947daf6 229interface(`gnome_dontaudit_search_config',`
6b19be33 230 gen_require(`
a947daf6 231 attribute gnome_home_type;
6b19be33
CP		 232 ')
233
a947daf6 234 dontaudit $1 gnome_home_type:dir search_dir_perms;
6b19be33
CP		 235')
236
ab8f919e
CP		 237########################################
238## <summary>
a947daf6 239## manage gnome homedir content (.config)
3eaa9939 240## </summary>
aa760a23 241## <param name="domain">
3eaa9939 242## <summary>
aa760a23 243## Domain allowed access.
3eaa9939
DW		 244## </summary>
245## </param>
246#
a947daf6 247interface(`gnome_manage_config',`
3eaa9939
DW		 248 gen_require(`
249 attribute gnome_home_type;
250 ')
251
a947daf6
DW		 252 allow $1 gnome_home_type:dir manage_dir_perms;
253 allow $1 gnome_home_type:file manage_file_perms;
254 allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
255 userdom_search_user_home_dirs($1)
3eaa9939
DW		 256')
257
258########################################
259## <summary>
260## Send general signals to all gconf domains.
ab8f919e
CP		 261## </summary>
262## <param name="domain">
263## <summary>
264## Domain allowed access.
265## </summary>
266## </param>
267#
3eaa9939 268interface(`gnome_signal_all',`
ab8f919e 269 gen_require(`
ca9e8850 270 attribute gnome_domain;
ab8f919e
CP		 271 ')
272
ca9e8850 273 allow $1 gnome_domain:process signal;
ab8f919e
CP		 274')
275
276########################################
277## <summary>
3eaa9939
DW		 278## Create objects in a Gnome cache home directory
279## with an automatic type transition to
280## a specified private type.
281## </summary>
282## <param name="domain">
283## <summary>
284## Domain allowed access.
285## </summary>
286## </param>
287## <param name="private_type">
288## <summary>
289## The type of the object to create.
290## </summary>
291## </param>
292## <param name="object_class">
293## <summary>
294## The class of the object to be created.
295## </summary>
296## </param>
297#
298interface(`gnome_cache_filetrans',`
299 gen_require(`
300 type cache_home_t;
301 ')
302
303 filetrans_pattern($1, cache_home_t, $2, $3)
304 userdom_search_user_home_dirs($1)
305')
306
307########################################
308## <summary>
309## Read generic cache home files (.cache)
310## </summary>
311## <param name="domain">
312## <summary>
313## Domain allowed access.
314## </summary>
315## </param>
316#
317interface(`gnome_read_generic_cache_files',`
318 gen_require(`
319 type cache_home_t;
320 ')
321
322 read_files_pattern($1, cache_home_t, cache_home_t)
323 userdom_search_user_home_dirs($1)
324')
325
326########################################
327## <summary>
328## Set attributes of cache home dir (.cache)
329## </summary>
330## <param name="domain">
331## <summary>
332## Domain allowed access.
333## </summary>
334## </param>
335#
336interface(`gnome_setattr_cache_home_dir',`
337 gen_require(`
338 type cache_home_t;
339 ')
340
341 setattr_dirs_pattern($1, cache_home_t, cache_home_t)
342 userdom_search_user_home_dirs($1)
343')
344
c71f02c0
DW		 345########################################
346## <summary>
347## append to generic cache home files (.cache)
348## </summary>
349## <param name="domain">
350## <summary>
351## Domain allowed access.
352## </summary>
353## </param>
354#
355interface(`gnome_append_generic_cache_files',`
356 gen_require(`
357 type cache_home_t;
358 ')
359
360 append_files_pattern($1, cache_home_t, cache_home_t)
361 userdom_search_user_home_dirs($1)
362')
363
3eaa9939
DW		 364########################################
365## <summary>
366## write to generic cache home files (.cache)
367## </summary>
368## <param name="domain">
369## <summary>
370## Domain allowed access.
371## </summary>
372## </param>
373#
374interface(`gnome_write_generic_cache_files',`
375 gen_require(`
376 type cache_home_t;
377 ')
378
379 write_files_pattern($1, cache_home_t, cache_home_t)
380 userdom_search_user_home_dirs($1)
381')
382
24280f35
DW		 383########################################
384## <summary>
385## Dontaudit read/write to generic cache home files (.cache)
386## </summary>
387## <param name="domain">
388## <summary>
389## Domain to not audit.
390## </summary>
391## </param>
392#
393interface(`gnome_dontaudit_rw_generic_cache_files',`
394 gen_require(`
395 type cache_home_t;
396 ')
397
398 dontaudit $1 cache_home_t:file rw_inherited_file_perms;
399')
400
a947daf6
DW		 401########################################
402## <summary>
403## read gnome homedir content (.config)
404## </summary>
aa760a23 405## <param name="domain">
a947daf6 406## <summary>
aa760a23 407## Domain allowed access.
a947daf6
DW		 408## </summary>
409## </param>
410#
efa04715 411interface(`gnome_read_config',`
a947daf6
DW		 412 gen_require(`
413 attribute gnome_home_type;
414 ')
415
416 list_dirs_pattern($1, gnome_home_type, gnome_home_type)
417 read_files_pattern($1, gnome_home_type, gnome_home_type)
418 read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
419')
420
3eaa9939
DW		 421########################################
422## <summary>
423## Create objects in a Gnome gconf home directory
424## with an automatic type transition to
425## a specified private type.
426## </summary>
427## <param name="domain">
428## <summary>
429## Domain allowed access.
430## </summary>
431## </param>
432## <param name="private_type">
433## <summary>
434## The type of the object to create.
435## </summary>
436## </param>
437## <param name="object_class">
438## <summary>
439## The class of the object to be created.
440## </summary>
441## </param>
442#
443interface(`gnome_data_filetrans',`
444 gen_require(`
445 type data_home_t;
446 ')
447
448 filetrans_pattern($1, data_home_t, $2, $3)
449 gnome_search_gconf($1)
450')
451
4b7fe5b4
DW		 452#######################################
453## <summary>
454## Manage gconf data home files
455## </summary>
456## <param name="domain">
457## <summary>
458## Domain allowed access.
459## </summary>
460## </param>
461#
462interface(`gnome_manage_data',`
463 gen_require(`
060d0f18 464 type data_home_t;
3e2ff02b 465 type gconf_home_t;
4b7fe5b4
DW		 466 ')
467
ceacf954 468 allow $1 gconf_home_t:dir search_dir_perms;
a768052f 469 manage_dirs_pattern($1, data_home_t, data_home_t)
4b7fe5b4 470 manage_files_pattern($1, data_home_t, data_home_t)
a768052f 471 manage_lnk_files_pattern($1, data_home_t, data_home_t)
4b7fe5b4
DW		 472')
473
3eaa9939
DW		 474########################################
475## <summary>
476## Create gconf_home_t objects in the /root directory
477## </summary>
478## <param name="domain">
479## <summary>
480## Domain allowed access.
481## </summary>
482## </param>
483## <param name="object_class">
484## <summary>
485## The class of the object to be created.
486## </summary>
487## </param>
488#
489interface(`gnome_admin_home_gconf_filetrans',`
490 gen_require(`
491 type gconf_home_t;
492 ')
493
494 userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
495')
496
c98dcd43
DG		 497########################################
498## <summary>
499## Do not audit attempts to read
500## inherited gconf config files.
501## </summary>
502## <param name="domain">
503## <summary>
504## Domain to not audit.
505## </summary>
506## </param>
507#
508interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
509 gen_require(`
510 type gconf_etc_t;
511 ')
512
513 dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
514')
515
3eaa9939
DW		 516########################################
517## <summary>
518## read gconf config files
ab8f919e 519## </summary>
aa760a23 520## <param name="domain">
ab8f919e 521## <summary>
aa760a23 522## Domain allowed access.
3eaa9939
DW		 523## </summary>
524## </param>
525#
d15b40a5 526interface(`gnome_read_gconf_config',`
3eaa9939
DW		 527 gen_require(`
528 type gconf_etc_t;
529 ')
530
531 allow $1 gconf_etc_t:dir list_dir_perms;
532 read_files_pattern($1, gconf_etc_t, gconf_etc_t)
f33c5066 533 files_search_etc($1)
3eaa9939
DW		 534')
535
536#######################################
537## <summary>
538## Manage gconf config files
539## </summary>
540## <param name="domain">
541## <summary>
542## Domain allowed access.
543## </summary>
544## </param>
545#
546interface(`gnome_manage_gconf_config',`
547 gen_require(`
548 type gconf_etc_t;
549 ')
550
551 allow $1 gconf_etc_t:dir list_dir_perms;
552 manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
553')
554
555########################################
556## <summary>
557## Execute gconf programs in
558## in the caller domain.
559## </summary>
560## <param name="domain">
561## <summary>
ab8f919e
CP		 562## Domain allowed access.
563## </summary>
564## </param>
565#
3eaa9939
DW		 566interface(`gnome_exec_gconf',`
567 gen_require(`
568 type gconfd_exec_t;
569 ')
570
571 can_exec($1, gconfd_exec_t)
572')
573
ca9e8850
DW		 574########################################
575## <summary>
576## Execute gnome keyringd in the caller domain.
577## </summary>
578## <param name="domain">
579## <summary>
580## Domain allowed access.
581## </summary>
582## </param>
583#
584interface(`gnome_exec_keyringd',`
585 gen_require(`
586 type gkeyringd_exec_t;
587 ')
588
589 can_exec($1, gkeyringd_exec_t)
590 corecmd_search_bin($1)
591')
592
3eaa9939
DW		 593########################################
594## <summary>
595## Read gconf home files
596## </summary>
597## <param name="domain">
598## <summary>
599## Domain allowed access.
600## </summary>
601## </param>
602#
603interface(`gnome_read_gconf_home_files',`
604 gen_require(`
605 type gconf_home_t;
606 type data_home_t;
607 ')
608
78ea2abe 609 userdom_search_user_home_dirs($1)
3eaa9939
DW		 610 allow $1 gconf_home_t:dir list_dir_perms;
611 allow $1 data_home_t:dir list_dir_perms;
612 read_files_pattern($1, gconf_home_t, gconf_home_t)
613 read_files_pattern($1, data_home_t, data_home_t)
3d21c02c
DW		 614 read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
615 read_lnk_files_pattern($1, data_home_t, data_home_t)
3eaa9939
DW		 616')
617
ca9e8850
DW		 618########################################
619## <summary>
620## Search gkeyringd temporary directories.
621## </summary>
622## <param name="domain">
623## <summary>
624## Domain allowed access.
625## </summary>
626## </param>
627#
628interface(`gnome_search_gkeyringd_tmp_dirs',`
629 gen_require(`
630 type gkeyringd_tmp_t;
631 ')
632
633 files_search_tmp($1)
634 allow $1 gkeyringd_tmp_t:dir search_dir_perms;
635')
636
3eaa9939
DW		 637########################################
638## <summary>
639## search gconf homedir (.local)
640## </summary>
aa760a23 641## <param name="domain">
3eaa9939 642## <summary>
aa760a23 643## Domain allowed access.
3eaa9939
DW		 644## </summary>
645## </param>
646#
647interface(`gnome_search_gconf',`
648 gen_require(`
649 type gconf_home_t;
650 ')
651
652 allow $1 gconf_home_t:dir search_dir_perms;
653 userdom_search_user_home_dirs($1)
654')
655
4251ae10
DW		 656########################################
657## <summary>
658## Set attributes of Gnome config dirs.
659## </summary>
660## <param name="domain">
661## <summary>
662## Domain allowed access.
663## </summary>
664## </param>
665#
666interface(`gnome_setattr_config_dirs',`
667 gen_require(`
668 type gnome_home_t;
669 ')
670
671 setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
672 files_search_home($1)
673')
674
ca9e8850
DW		 675########################################
676## <summary>
677## Manage generic gnome home files.
678## </summary>
679## <param name="domain">
680## <summary>
681## Domain allowed access.
682## </summary>
683## </param>
684#
685interface(`gnome_manage_generic_home_files',`
686 gen_require(`
687 type gnome_home_t;
688 ')
689
690 userdom_search_user_home_dirs($1)
691 manage_files_pattern($1, gnome_home_t, gnome_home_t)
692')
693
694########################################
695## <summary>
696## Manage generic gnome home directories.
697## </summary>
698## <param name="domain">
699## <summary>
700## Domain allowed access.
701## </summary>
702## </param>
703#
704interface(`gnome_manage_generic_home_dirs',`
705 gen_require(`
706 type gnome_home_t;
707 ')
708
709 userdom_search_user_home_dirs($1)
710 allow $1 gnome_home_t:dir manage_dir_perms;
711')
712
3eaa9939
DW		 713########################################
714## <summary>
715## Append gconf home files
716## </summary>
717## <param name="domain">
718## <summary>
719## Domain allowed access.
720## </summary>
721## </param>
722#
723interface(`gnome_append_gconf_home_files',`
724 gen_require(`
725 type gconf_home_t;
726 ')
727
728 append_files_pattern($1, gconf_home_t, gconf_home_t)
729')
730
731########################################
732## <summary>
733## manage gconf home files
734## </summary>
735## <param name="domain">
736## <summary>
737## Domain allowed access.
738## </summary>
739## </param>
740#
741interface(`gnome_manage_gconf_home_files',`
742 gen_require(`
743 type gconf_home_t;
744 ')
745
746 allow $1 gconf_home_t:dir list_dir_perms;
747 manage_files_pattern($1, gconf_home_t, gconf_home_t)
748')
749
750########################################
751## <summary>
752## Connect to gnome over an unix stream socket.
753## </summary>
754## <param name="domain">
755## <summary>
756## Domain allowed access.
757## </summary>
758## </param>
759## <param name="user_domain">
760## <summary>
761## The type of the user domain.
762## </summary>
763## </param>
764#
765interface(`gnome_stream_connect',`
766 gen_require(`
767 attribute gnome_home_type;
768 ')
769
770 # Connect to pulseaudit server
771 stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
772')
773
774########################################
775## <summary>
2d4a79a0 776## list gnome homedir content (.config)
3eaa9939 777## </summary>
aa760a23 778## <param name="domain">
3eaa9939 779## <summary>
aa760a23 780## Domain allowed access.
3eaa9939
DW		 781## </summary>
782## </param>
783#
d15b40a5 784interface(`gnome_list_home_config',`
3eaa9939
DW		 785 gen_require(`
786 type config_home_t;
787 ')
788
789 allow $1 config_home_t:dir list_dir_perms;
790')
791
5ef740e5
DW		 792########################################
793## <summary>
794## Set attributes of gnome homedir content (.config)
795## </summary>
796## <param name="domain">
797## <summary>
798## Domain allowed access.
799## </summary>
800## </param>
801#
802template(`gnome_setattr_home_config',`
803 gen_require(`
804 type config_home_t;
805 ')
806
807 setattr_dirs_pattern($1, config_home_t, config_home_t)
808 userdom_search_user_home_dirs($1)
809')
810
2d4a79a0
DW		 811########################################
812## <summary>
813## read gnome homedir content (.config)
814## </summary>
aa760a23 815## <param name="domain">
2d4a79a0 816## <summary>
aa760a23 817## Domain allowed access.
2d4a79a0
DW		 818## </summary>
819## </param>
820#
d15b40a5 821interface(`gnome_read_home_config',`
2d4a79a0
DW		 822 gen_require(`
823 type config_home_t;
824 ')
825
b533b084 826 list_dirs_pattern($1, config_home_t, config_home_t)
2d4a79a0 827 read_files_pattern($1, config_home_t, config_home_t)
6f93adfa 828 read_lnk_files_pattern($1, config_home_t, config_home_t)
2d4a79a0
DW		 829')
830
f5b49a5e
DW		 831########################################
832## <summary>
833## manage gnome homedir content (.config)
834## </summary>
aa760a23 835## <param name="domain">
f5b49a5e 836## <summary>
aa760a23 837## Domain allowed access.
f5b49a5e
DW		 838## </summary>
839## </param>
840#
841template(`gnome_manage_home_config',`
842 gen_require(`
843 type config_home_t;
844 ')
845
846 manage_files_pattern($1, config_home_t, config_home_t)
847')
848
3eaa9939
DW		 849########################################
850## <summary>
851## Read/Write all inherited gnome home config
852## </summary>
853## <param name="domain">
854## <summary>
855## Domain allowed access.
856## </summary>
857## </param>
858#
859interface(`gnome_rw_inherited_config',`
860 gen_require(`
861 attribute gnome_home_type;
862 ')
863
864 allow $1 gnome_home_type:file rw_inherited_file_perms;
865')
866
867########################################
868## <summary>
869## Send and receive messages from
870## gconf system service over dbus.
871## </summary>
872## <param name="domain">
873## <summary>
874## Domain allowed access.
875## </summary>
876## </param>
877#
878interface(`gnome_dbus_chat_gconfdefault',`
879 gen_require(`
880 type gconfdefaultsm_t;
881 class dbus send_msg;
882 ')
883
884 allow $1 gconfdefaultsm_t:dbus send_msg;
885 allow gconfdefaultsm_t $1:dbus send_msg;
886')
ca9e8850
DW		 887
888########################################
889## <summary>
890## Send and receive messages from
891## gkeyringd over dbus.
892## </summary>
893## <param name="role_prefix">
894## <summary>
895## Role prefix.
896## </summary>
897## </param>
898## <param name="domain">
899## <summary>
900## Domain allowed access.
901## </summary>
902## </param>
903#
904interface(`gnome_dbus_chat_gkeyringd',`
905 gen_require(`
31f04122 906 attribute gkeyringd_domain;
ca9e8850
DW		 907 class dbus send_msg;
908 ')
909
f80308f9
MG		 910 allow $1 gkeyringd_domain:dbus send_msg;
911 allow gkeyringd_domain $1:dbus send_msg;
ca9e8850 912')
31f04122 913
b094d593
DW		 914########################################
915## <summary>
916## Send signull signal to gkeyringd processes.
917## </summary>
918## <param name="domain">
919## <summary>
920## Domain allowed access.
921## </summary>
922## </param>
923#
924interface(`gnome_signull_gkeyringd',`
925 gen_require(`
926 attribute gkeyringd_domain;
927 ')
928
929 allow $1 gkeyringd_domain:process signull;
930')
931
932########################################
933## <summary>
934## Allow the domain to read gkeyringd state files in /proc.
935## </summary>
936## <param name="domain">
937## <summary>
938## Domain allowed access.
939## </summary>
940## </param>
941#
942interface(`gnome_read_gkeyringd_state',`
943 gen_require(`
944 attribute gkeyringd_domain;
945 ')
946
947 ps_process_pattern($1, gkeyringd_domain)
948')
949
ca9e8850
DW		 950########################################
951## <summary>
952## Create directories in user home directories
953## with the gnome home file type.
954## </summary>
955## <param name="domain">
956## <summary>
957## Domain allowed access.
958## </summary>
959## </param>
960#
961interface(`gnome_home_dir_filetrans',`
962 gen_require(`
963 type gnome_home_t;
964 ')
965
966 userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
967 userdom_search_user_home_dirs($1)
968')
a8183914
MG		 969
970######################################
971## <summary>
972## Allow read kde config content
973## </summary>
974## <param name="domain">
975## <summary>
976## Domain allowed access.
977## </summary>
978## </param>
979#
980interface(`gnome_read_usr_config',`
981 gen_require(`
982 type config_usr_t;
983 ')
984
985 files_search_usr($1)
986 list_dirs_pattern($1, config_usr_t, config_usr_t)
987 read_files_pattern($1, config_usr_t, config_usr_t)
988 read_lnk_files_pattern($1, config_usr_t, config_usr_t)
989')
990
991#######################################
992## <summary>
993## Allow manage kde config content
994## </summary>
995## <param name="domain">
996## <summary>
997## Domain allowed access.
998## </summary>
999## </param>
1000#
1001interface(`gnome_manage_usr_config',`
1002 gen_require(`
1003 type config_usr_t;
1004 ')
1005
1006 files_search_usr($1)
1007 manage_dirs_pattern($1, config_usr_t, config_usr_t)
1008 manage_files_pattern($1, config_usr_t, config_usr_t)
1009 manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
1010')
31f04122
DW		 1011
1012########################################
1013## <summary>
1014## Execute gnome-keyring in the user gkeyring domain
1015## </summary>
1016## <param name="domain">
1017## <summary>
1018## Domain allowed access
1019## </summary>
1020## </param>
1021## <param name="role">
1022## <summary>
1023## The role to be allowed the gkeyring domain.
1024## </summary>
1025## </param>
1026#
1027interface(`gnome_transition_gkeyringd',`
1028 gen_require(`
1029 attribute gkeyringd_domain;
1030 ')
1031
1032 allow $1 gkeyringd_domain:process transition;
1033 dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
1034 allow gkeyringd_domain $1:process { sigchld signull };
1035 allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
1036')
1037
15b2e336
DW		 1038
1039########################################
1040## <summary>
1041## Create gnome directory in the user home directory
1042## with an correct label.
1043## </summary>
1044## <param name="domain">
1045## <summary>
1046## Domain allowed access.
1047## </summary>
1048## </param>
1049#
a11cc065 1050interface(`gnome_filetrans_home_content',`
15b2e336
DW		 1051
1052gen_require(`
1053 type config_home_t;
1054 type cache_home_t;
1055 type gstreamer_home_t;
1056 type gconf_home_t;
1057 type gnome_home_t;
1058 type data_home_t;
1059 type gkeyringd_gnome_home_t;
1060')
1061
26a75b33
DW		 1062 userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
1063 userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
1064 userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
1065 userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
1066 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
1067 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
1068 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
1069 userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
1070 userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
1071 userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
1072 filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
1073 filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
15b2e336
DW		 1074')
1075
1076########################################
1077## <summary>
1078## Create gnome directory in the /root directory
1079## with an correct label.
1080## </summary>
1081## <param name="domain">
1082## <summary>
1083## Domain allowed access.
1084## </summary>
1085## </param>
1086#
a11cc065 1087interface(`gnome_filetrans_admin_home_content',`
15b2e336
DW		 1088
1089gen_require(`
1090 type config_home_t;
1091 type cache_home_t;
1092 type gstreamer_home_t;
1093 type gconf_home_t;
1094 type gnome_home_t;
1095 type data_home_t;
1096')
1097
26a75b33
DW		 1098 userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
1099 userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
1100 userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
1101 userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
1102 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
1103 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
1104 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
1105 userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
1106 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
1107 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
15b2e336 1108')
3a7aacc9
MG		 1109######################################
1110## <summary>
1111## Execute gnome-keyring executable
1112## in the specified domain.
1113## </summary>
1114## <desc>
1115## <p>
1116## Execute a telepathy executable
1117## in the specified domain. This allows
1118## the specified domain to execute any file
1119## on these filesystems in the specified
1120## domain.
1121## </p>
1122## <p>
1123## No interprocess communication (signals, pipes,
1124## etc.) is provided by this interface since
1125## the domains are not owned by this module.
1126## </p>
1127## <p>
1128## This interface was added to handle
1129## the ssh-agent policy.
1130## </p>
1131## </desc>
1132## <param name="domain">
1133## <summary>
1134## Domain allowed to transition.
1135## </summary>
1136## </param>
1137## <param name="target_domain">
1138## <summary>
1139## The type of the new process.
1140## </summary>
1141## </param>
1142#
1143interface(`gnome_command_domtrans_gkeyringd', `
1144 gen_require(`
1145 type gkeyringd_exec_t;
1146 ')
1147
1148 allow $2 gkeyringd_exec_t:file entrypoint;
1149 domain_transition_pattern($1, gkeyringd_exec_t, $2)
1150 type_transition $1 gkeyringd_exec_t:process $2;
1151')
The IPFire selinux policy.