Commit | Line | Data |
---|---|---|
00219064 CP |
1 | ## <summary>GNU network object model environment (GNOME)</summary> |
2 | ||
efa04715 | 3 | ########################################################### |
00219064 | 4 | ## <summary> |
efa04715 | 5 | ## Role access for gnome |
00219064 | 6 | ## </summary> |
efa04715 MG |
7 | ## <param name="role"> |
8 | ## <summary> | |
9 | ## Role allowed access | |
10 | ## </summary> | |
00219064 | 11 | ## </param> |
efa04715 MG |
12 | ## <param name="domain"> |
13 | ## <summary> | |
14 | ## User domain for the role | |
15 | ## </summary> | |
00219064 CP |
16 | ## </param> |
17 | # | |
296273a7 | 18 | interface(`gnome_role',` |
efa04715 MG |
19 | gen_require(` |
20 | type gconfd_t, gconfd_exec_t; | |
21 | type gconf_tmp_t; | |
22 | ') | |
00219064 | 23 | |
efa04715 | 24 | role $1 types gconfd_t; |
00219064 | 25 | |
efa04715 MG |
26 | domain_auto_trans($2, gconfd_exec_t, gconfd_t) |
27 | allow gconfd_t $2:fd use; | |
28 | allow gconfd_t $2:fifo_file write; | |
29 | allow gconfd_t $2:unix_stream_socket connectto; | |
6b19be33 | 30 | |
efa04715 | 31 | ps_process_pattern($2, gconfd_t) |
00219064 | 32 | |
31d4b0a6 | 33 | #gnome_stream_connect_gconf_template($1, $2) |
296273a7 CP |
34 | read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) |
35 | allow $2 gconfd_t:unix_stream_socket connectto; | |
efa04715 | 36 | ') |
ca9e8850 | 37 | |
efa04715 MG |
38 | ###################################### |
39 | ## <summary> | |
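40 | ## The role template for the gnome-keyring-daemon. NOTE(review): the body also lets the user domain ($3) ptrace and signal the per-role keyring domain; ptrace exposes the daemon's memory to that domain, so confirm it is intended. | |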
41 | ## </summary> | |
42 | ## <param name="user_prefix"> | |
43 | ## <summary> | |
44 | ## The user prefix. | |
45 | ## </summary> | |
46 | ## </param> | |
47 | ## <param name="user_role"> | |
48 | ## <summary> | |
49 | ## The user role. | |
50 | ## </summary> | |
51 | ## </param> | |
52 | ## <param name="user_domain"> | |
53 | ## <summary> | |
54 | ## The user domain associated with the role. | |
55 | ## </summary> | |
56 | ## </param> | |
57 | # | |
58 | interface(`gnome_role_gkeyringd',` | |
59 | gen_require(` | |
60 | attribute gkeyringd_domain; | |
61 | attribute gnome_domain; | |
62 | type gnome_home_t; | |
63 | type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; | |
1d7e6f6b | 64 | class dbus send_msg; |
efa04715 MG |
65 | ') |
66 | ||
4153537b | 67 | type $1_gkeyringd_t, gnome_domain, gkeyringd_domain; |
37c03afb | 68 | typealias $1_gkeyringd_t alias gkeyringd_$1_t; |
4153537b DW |
69 | application_domain($1_gkeyringd_t, gkeyringd_exec_t) |
70 | ubac_constrained($1_gkeyringd_t) | |
71 | domain_user_exemption_target($1_gkeyringd_t) | |
ca9e8850 | 72 | |
4153537b | 73 | role $2 types $1_gkeyringd_t; |
ca9e8850 | 74 | |
4153537b | 75 | domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) |
ca9e8850 | 76 | |
efa04715 MG |
77 | allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms }; |
78 | allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms }; | |
ca9e8850 | 79 | |
efa04715 MG |
80 | allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; |
81 | allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; | |
ca9e8850 | 82 | |
4153537b DW |
83 | corecmd_bin_domtrans($1_gkeyringd_t, $1_t) |
84 | corecmd_shell_domtrans($1_gkeyringd_t, $1_t) | |
85 | allow $1_gkeyringd_t $3:process sigkill; | |
86 | allow $3 $1_gkeyringd_t:fd use; | |
87 | allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; | |
0e50301b | 88 | |
4153537b | 89 | ps_process_pattern($1_gkeyringd_t, $3) |
ca9e8850 | 90 | |
4153537b DW |
91 | ps_process_pattern($3, $1_gkeyringd_t) |
92 | allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; | |
ca9e8850 | 93 | |
efa04715 MG |
94 | dontaudit $3 gkeyringd_exec_t:file entrypoint; |
95 | ||
4153537b | 96 | stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) |
5598732f | 97 | |
4153537b DW |
98 | allow $1_gkeyringd_t $3:dbus send_msg; |
99 | allow $3 $1_gkeyringd_t:dbus send_msg; | |
efa04715 | 100 | optional_policy(` |
6b772880 | 101 | dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) |
4153537b DW |
102 | dbus_session_bus_client($1_gkeyringd_t) |
103 | gnome_home_dir_filetrans($1_gkeyringd_t) | |
104 | gnome_manage_generic_home_dirs($1_gkeyringd_t) | |
efa04715 | 105 | |
1d7e6f6b | 106 | optional_policy(` |
4153537b | 107 | telepathy_mission_control_read_state($1_gkeyringd_t) |
1d7e6f6b | 108 | ') |
efa04715 | 109 | ') |
00219064 | 110 | ') |
2a98379a | 111 | |
ab8f919e CP |
112 | ######################################## |
113 | ## <summary> | |
a947daf6 | 114 | ## gconf connection template. |
ab8f919e | 115 | ## </summary> |
aa760a23 | 116 | ## <param name="domain"> |
ab8f919e | 117 | ## <summary> |
aa760a23 | 118 | ## Domain allowed access. |
ab8f919e CP |
119 | ## </summary> |
120 | ## </param> | |
121 | # | |
a947daf6 | 122 | interface(`gnome_stream_connect_gconf',` |
ab8f919e | 123 | gen_require(` |
a947daf6 | 124 | type gconfd_t, gconf_tmp_t; |
ab8f919e CP |
125 | ') |
126 | ||
a947daf6 DW |
127 | read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) |
128 | allow $1 gconfd_t:unix_stream_socket connectto; | |
ab8f919e CP |
129 | ') |
130 | ||
ca9e8850 DW |
131 | ######################################## |
132 | ## <summary> | |
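133 | ## Connect to gkeyringd with a unix stream socket. NOTE(review): the body uses only $1, as the connecting domain, and targets every gkeyringd_domain type, which makes it identical to gnome_stream_connect_all_gkeyringd; the role_prefix parameter documented below is not referenced and looks stale. | |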
134 | ## </summary> | |
135 | ## <param name="role_prefix"> | |
136 | ## <summary> | |
137 | ## Role prefix. | |
138 | ## </summary> | |
139 | ## </param> | |
140 | ## <param name="domain"> | |
141 | ## <summary> | |
142 | ## Domain allowed access. | |
143 | ## </summary> | |
144 | ## </param> | |
145 | # | |
146 | interface(`gnome_stream_connect_gkeyringd',` | |
147 | gen_require(` | |
455fe183 MG |
148 | attribute gkeyringd_domain; |
149 | type gkeyringd_tmp_t; | |
150 | type gconf_tmp_t; | |
ca9e8850 DW |
151 | ') |
152 | ||
455fe183 | 153 | allow $1 gconf_tmp_t:dir search_dir_perms; |
c9799808 | 154 | stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) |
ca9e8850 DW |
155 | ') |
156 | ||
157 | ######################################## | |
158 | ## <summary> | |
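159 | ## Connect to all gkeyringd domains with a unix stream socket. NOTE(review): only $1 is used, as the connecting domain; the role_prefix parameter documented below is not referenced. | |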
160 | ## </summary> | |
161 | ## <param name="role_prefix"> | |
162 | ## <summary> | |
163 | ## Role prefix. | |
164 | ## </summary> | |
165 | ## </param> | |
166 | ## <param name="domain"> | |
167 | ## <summary> | |
168 | ## Domain allowed access. | |
169 | ## </summary> | |
170 | ## </param> | |
171 | # | |
172 | interface(`gnome_stream_connect_all_gkeyringd',` | |
173 | gen_require(` | |
174 | attribute gkeyringd_domain; | |
175 | type gkeyringd_tmp_t; | |
f28aaa84 | 176 | type gconf_tmp_t; |
ca9e8850 DW |
177 | ') |
178 | ||
f28aaa84 | 179 | allow $1 gconf_tmp_t:dir search_dir_perms; |
ca9e8850 | 180 | stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) |
ca9e8850 DW |
181 | ') |
182 | ||
a947daf6 | 183 | ######################################## |
ab8f919e | 184 | ## <summary> |
a947daf6 | 185 | ## Run gconfd in gconfd domain. |
ab8f919e CP |
186 | ## </summary> |
187 | ## <param name="domain"> | |
188 | ## <summary> | |
189 | ## Domain allowed access. | |
190 | ## </summary> | |
191 | ## </param> | |
192 | # | |
a947daf6 | 193 | interface(`gnome_domtrans_gconfd',` |
ab8f919e | 194 | gen_require(` |
a947daf6 | 195 | type gconfd_t, gconfd_exec_t; |
ab8f919e CP |
196 | ') |
197 | ||
a947daf6 | 198 | domtrans_pattern($1, gconfd_exec_t, gconfd_t) |
ab8f919e CP |
199 | ') |
200 | ||
57955a25 DW |
201 | ######################################## |
202 | ## <summary> | |
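203 | ## Dontaudit read gnome homedir content (.config). NOTE(review): the rule applies read_inherited_file_perms to the dir class only; confirm whether the file class was intended, since dontaudit rules hide the matching denials from the audit log. | |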
204 | ## </summary> | |
205 | ## <param name="domain"> | |
206 | ## <summary> | |
24280f35 | 207 | ## Domain to not audit. |
57955a25 DW |
208 | ## </summary> |
209 | ## </param> | |
210 | # | |
211 | interface(`gnome_dontaudit_read_config',` | |
212 | gen_require(` | |
213 | attribute gnome_home_type; | |
214 | ') | |
215 | ||
216 | dontaudit $1 gnome_home_type:dir read_inherited_file_perms; | |
217 | ') | |
218 | ||
00219064 CP |
219 | ######################################## |
220 | ## <summary> | |
a947daf6 | 221 | ## Dontaudit search gnome homedir content (.config) |
00219064 | 222 | ## </summary> |
aa760a23 | 223 | ## <param name="domain"> |
00219064 | 224 | ## <summary> |
24280f35 | 225 | ## Domain to not audit. |
6b19be33 CP |
226 | ## </summary> |
227 | ## </param> | |
228 | # | |
a947daf6 | 229 | interface(`gnome_dontaudit_search_config',` |
6b19be33 | 230 | gen_require(` |
a947daf6 | 231 | attribute gnome_home_type; |
6b19be33 CP |
232 | ') |
233 | ||
a947daf6 | 234 | dontaudit $1 gnome_home_type:dir search_dir_perms; |
6b19be33 CP |
235 | ') |
236 | ||
ab8f919e CP |
237 | ######################################## |
238 | ## <summary> | |
a947daf6 | 239 | ## manage gnome homedir content (.config) |
3eaa9939 | 240 | ## </summary> |
aa760a23 | 241 | ## <param name="domain"> |
3eaa9939 | 242 | ## <summary> |
aa760a23 | 243 | ## Domain allowed access. |
3eaa9939 DW |
244 | ## </summary> |
245 | ## </param> | |
246 | # | |
a947daf6 | 247 | interface(`gnome_manage_config',` |
3eaa9939 DW |
248 | gen_require(` |
249 | attribute gnome_home_type; | |
250 | ') | |
251 | ||
a947daf6 DW |
252 | allow $1 gnome_home_type:dir manage_dir_perms; |
253 | allow $1 gnome_home_type:file manage_file_perms; | |
254 | allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; | |
255 | userdom_search_user_home_dirs($1) | |
3eaa9939 DW |
256 | ') |
257 | ||
258 | ######################################## | |
259 | ## <summary> | |
260 | ## Send general signals to all gconf domains (every type with the gnome_domain attribute). | |
ab8f919e CP |
261 | ## </summary> |
262 | ## <param name="domain"> | |
263 | ## <summary> | |
264 | ## Domain allowed access. | |
265 | ## </summary> | |
266 | ## </param> | |
267 | # | |
3eaa9939 | 268 | interface(`gnome_signal_all',` |
ab8f919e | 269 | gen_require(` |
ca9e8850 | 270 | attribute gnome_domain; |
ab8f919e CP |
271 | ') |
272 | ||
ca9e8850 | 273 | allow $1 gnome_domain:process signal; |
ab8f919e CP |
274 | ') |
275 | ||
276 | ######################################## | |
277 | ## <summary> | |
3eaa9939 DW |
278 | ## Create objects in a Gnome cache home directory |
279 | ## with an automatic type transition to | |
280 | ## a specified private type. | |
281 | ## </summary> | |
282 | ## <param name="domain"> | |
283 | ## <summary> | |
284 | ## Domain allowed access. | |
285 | ## </summary> | |
286 | ## </param> | |
287 | ## <param name="private_type"> | |
288 | ## <summary> | |
289 | ## The type of the object to create. | |
290 | ## </summary> | |
291 | ## </param> | |
292 | ## <param name="object_class"> | |
293 | ## <summary> | |
294 | ## The class of the object to be created. | |
295 | ## </summary> | |
296 | ## </param> | |
297 | # | |
298 | interface(`gnome_cache_filetrans',` | |
299 | gen_require(` | |
300 | type cache_home_t; | |
301 | ') | |
302 | ||
303 | filetrans_pattern($1, cache_home_t, $2, $3) | |
304 | userdom_search_user_home_dirs($1) | |
305 | ') | |
306 | ||
307 | ######################################## | |
308 | ## <summary> | |
309 | ## Read generic cache home files (.cache) | |
310 | ## </summary> | |
311 | ## <param name="domain"> | |
312 | ## <summary> | |
313 | ## Domain allowed access. | |
314 | ## </summary> | |
315 | ## </param> | |
316 | # | |
317 | interface(`gnome_read_generic_cache_files',` | |
318 | gen_require(` | |
319 | type cache_home_t; | |
320 | ') | |
321 | ||
322 | read_files_pattern($1, cache_home_t, cache_home_t) | |
323 | userdom_search_user_home_dirs($1) | |
324 | ') | |
325 | ||
326 | ######################################## | |
327 | ## <summary> | |
328 | ## Set attributes of cache home dir (.cache) | |
329 | ## </summary> | |
330 | ## <param name="domain"> | |
331 | ## <summary> | |
332 | ## Domain allowed access. | |
333 | ## </summary> | |
334 | ## </param> | |
335 | # | |
336 | interface(`gnome_setattr_cache_home_dir',` | |
337 | gen_require(` | |
338 | type cache_home_t; | |
339 | ') | |
340 | ||
341 | setattr_dirs_pattern($1, cache_home_t, cache_home_t) | |
342 | userdom_search_user_home_dirs($1) | |
343 | ') | |
344 | ||
c71f02c0 DW |
345 | ######################################## |
346 | ## <summary> | |
347 | ## append to generic cache home files (.cache) | |
348 | ## </summary> | |
349 | ## <param name="domain"> | |
350 | ## <summary> | |
351 | ## Domain allowed access. | |
352 | ## </summary> | |
353 | ## </param> | |
354 | # | |
355 | interface(`gnome_append_generic_cache_files',` | |
356 | gen_require(` | |
357 | type cache_home_t; | |
358 | ') | |
359 | ||
360 | append_files_pattern($1, cache_home_t, cache_home_t) | |
361 | userdom_search_user_home_dirs($1) | |
362 | ') | |
363 | ||
3eaa9939 DW |
364 | ######################################## |
365 | ## <summary> | |
366 | ## write to generic cache home files (.cache) | |
367 | ## </summary> | |
368 | ## <param name="domain"> | |
369 | ## <summary> | |
370 | ## Domain allowed access. | |
371 | ## </summary> | |
372 | ## </param> | |
373 | # | |
374 | interface(`gnome_write_generic_cache_files',` | |
375 | gen_require(` | |
376 | type cache_home_t; | |
377 | ') | |
378 | ||
379 | write_files_pattern($1, cache_home_t, cache_home_t) | |
380 | userdom_search_user_home_dirs($1) | |
381 | ') | |
382 | ||
24280f35 DW |
383 | ######################################## |
384 | ## <summary> | |
385 | ## Dontaudit read/write to generic cache home files (.cache) | |
386 | ## </summary> | |
387 | ## <param name="domain"> | |
388 | ## <summary> | |
389 | ## Domain to not audit. | |
390 | ## </summary> | |
391 | ## </param> | |
392 | # | |
393 | interface(`gnome_dontaudit_rw_generic_cache_files',` | |
394 | gen_require(` | |
395 | type cache_home_t; | |
396 | ') | |
397 | ||
398 | dontaudit $1 cache_home_t:file rw_inherited_file_perms; | |
399 | ') | |
400 | ||
a947daf6 DW |
401 | ######################################## |
402 | ## <summary> | |
403 | ## read gnome homedir content (.config) | |
404 | ## </summary> | |
aa760a23 | 405 | ## <param name="domain"> |
a947daf6 | 406 | ## <summary> |
aa760a23 | 407 | ## Domain allowed access. |
a947daf6 DW |
408 | ## </summary> |
409 | ## </param> | |
410 | # | |
efa04715 | 411 | interface(`gnome_read_config',` |
a947daf6 DW |
412 | gen_require(` |
413 | attribute gnome_home_type; | |
414 | ') | |
415 | ||
416 | list_dirs_pattern($1, gnome_home_type, gnome_home_type) | |
417 | read_files_pattern($1, gnome_home_type, gnome_home_type) | |
418 | read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) | |
419 | ') | |
420 | ||
3eaa9939 DW |
421 | ######################################## |
422 | ## <summary> | |
423 | ## Create objects in a Gnome gconf home directory | |
424 | ## with an automatic type transition to | |
425 | ## a specified private type. | |
426 | ## </summary> | |
427 | ## <param name="domain"> | |
428 | ## <summary> | |
429 | ## Domain allowed access. | |
430 | ## </summary> | |
431 | ## </param> | |
432 | ## <param name="private_type"> | |
433 | ## <summary> | |
434 | ## The type of the object to create. | |
435 | ## </summary> | |
436 | ## </param> | |
437 | ## <param name="object_class"> | |
438 | ## <summary> | |
439 | ## The class of the object to be created. | |
440 | ## </summary> | |
441 | ## </param> | |
442 | # | |
443 | interface(`gnome_data_filetrans',` | |
444 | gen_require(` | |
445 | type data_home_t; | |
446 | ') | |
447 | ||
448 | filetrans_pattern($1, data_home_t, $2, $3) | |
449 | gnome_search_gconf($1) | |
450 | ') | |
451 | ||
4b7fe5b4 DW |
452 | ####################################### |
453 | ## <summary> | |
454 | ## Manage gconf data home files | |
455 | ## </summary> | |
456 | ## <param name="domain"> | |
457 | ## <summary> | |
458 | ## Domain allowed access. | |
459 | ## </summary> | |
460 | ## </param> | |
461 | # | |
462 | interface(`gnome_manage_data',` | |
463 | gen_require(` | |
060d0f18 | 464 | type data_home_t; |
3e2ff02b | 465 | type gconf_home_t; |
4b7fe5b4 DW |
466 | ') |
467 | ||
ceacf954 | 468 | allow $1 gconf_home_t:dir search_dir_perms; |
a768052f | 469 | manage_dirs_pattern($1, data_home_t, data_home_t) |
4b7fe5b4 | 470 | manage_files_pattern($1, data_home_t, data_home_t) |
a768052f | 471 | manage_lnk_files_pattern($1, data_home_t, data_home_t) |
4b7fe5b4 DW |
472 | ') |
473 | ||
3eaa9939 DW |
474 | ######################################## |
475 | ## <summary> | |
476 | ## Create gconf_home_t objects in the /root directory | |
477 | ## </summary> | |
478 | ## <param name="domain"> | |
479 | ## <summary> | |
480 | ## Domain allowed access. | |
481 | ## </summary> | |
482 | ## </param> | |
483 | ## <param name="object_class"> | |
484 | ## <summary> | |
485 | ## The class of the object to be created. | |
486 | ## </summary> | |
487 | ## </param> | |
488 | # | |
489 | interface(`gnome_admin_home_gconf_filetrans',` | |
490 | gen_require(` | |
491 | type gconf_home_t; | |
492 | ') | |
493 | ||
494 | userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) | |
495 | ') | |
496 | ||
497 | ######################################## | |
498 | ## <summary> | |
499 | ## read gconf config files | |
ab8f919e | 500 | ## </summary> |
aa760a23 | 501 | ## <param name="domain"> |
ab8f919e | 502 | ## <summary> |
aa760a23 | 503 | ## Domain allowed access. |
3eaa9939 DW |
504 | ## </summary> |
505 | ## </param> | |
506 | # | |
d15b40a5 | 507 | interface(`gnome_read_gconf_config',` |
3eaa9939 DW |
508 | gen_require(` |
509 | type gconf_etc_t; | |
510 | ') | |
511 | ||
512 | allow $1 gconf_etc_t:dir list_dir_perms; | |
513 | read_files_pattern($1, gconf_etc_t, gconf_etc_t) | |
f33c5066 | 514 | files_search_etc($1) |
3eaa9939 DW |
515 | ') |
516 | ||
517 | ####################################### | |
518 | ## <summary> | |
519 | ## Manage gconf config files | |
520 | ## </summary> | |
521 | ## <param name="domain"> | |
522 | ## <summary> | |
523 | ## Domain allowed access. | |
524 | ## </summary> | |
525 | ## </param> | |
526 | # | |
527 | interface(`gnome_manage_gconf_config',` | |
528 | gen_require(` | |
529 | type gconf_etc_t; | |
530 | ') | |
531 | ||
532 | allow $1 gconf_etc_t:dir list_dir_perms; | |
533 | manage_files_pattern($1, gconf_etc_t, gconf_etc_t) | |
534 | ') | |
535 | ||
536 | ######################################## | |
537 | ## <summary> | |
538 | ## Execute gconf programs in | |
539 | ## the caller domain. | |
540 | ## </summary> | |
541 | ## <param name="domain"> | |
542 | ## <summary> | |
ab8f919e CP |
543 | ## Domain allowed access. |
544 | ## </summary> | |
545 | ## </param> | |
546 | # | |
3eaa9939 DW |
547 | interface(`gnome_exec_gconf',` |
548 | gen_require(` | |
549 | type gconfd_exec_t; | |
550 | ') | |
551 | ||
552 | can_exec($1, gconfd_exec_t) | |
553 | ') | |
554 | ||
ca9e8850 DW |
555 | ######################################## |
556 | ## <summary> | |
557 | ## Execute gnome keyringd in the caller domain. | |
558 | ## </summary> | |
559 | ## <param name="domain"> | |
560 | ## <summary> | |
561 | ## Domain allowed access. | |
562 | ## </summary> | |
563 | ## </param> | |
564 | # | |
565 | interface(`gnome_exec_keyringd',` | |
566 | gen_require(` | |
567 | type gkeyringd_exec_t; | |
568 | ') | |
569 | ||
570 | can_exec($1, gkeyringd_exec_t) | |
571 | corecmd_search_bin($1) | |
572 | ') | |
573 | ||
3eaa9939 DW |
574 | ######################################## |
575 | ## <summary> | |
576 | ## Read gconf home files | |
577 | ## </summary> | |
578 | ## <param name="domain"> | |
579 | ## <summary> | |
580 | ## Domain allowed access. | |
581 | ## </summary> | |
582 | ## </param> | |
583 | # | |
584 | interface(`gnome_read_gconf_home_files',` | |
585 | gen_require(` | |
586 | type gconf_home_t; | |
587 | type data_home_t; | |
588 | ') | |
589 | ||
78ea2abe | 590 | userdom_search_user_home_dirs($1) |
3eaa9939 DW |
591 | allow $1 gconf_home_t:dir list_dir_perms; |
592 | allow $1 data_home_t:dir list_dir_perms; | |
593 | read_files_pattern($1, gconf_home_t, gconf_home_t) | |
594 | read_files_pattern($1, data_home_t, data_home_t) | |
3d21c02c DW |
595 | read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) |
596 | read_lnk_files_pattern($1, data_home_t, data_home_t) | |
3eaa9939 DW |
597 | ') |
598 | ||
ca9e8850 DW |
599 | ######################################## |
600 | ## <summary> | |
601 | ## Search gkeyringd temporary directories. | |
602 | ## </summary> | |
603 | ## <param name="domain"> | |
604 | ## <summary> | |
605 | ## Domain allowed access. | |
606 | ## </summary> | |
607 | ## </param> | |
608 | # | |
609 | interface(`gnome_search_gkeyringd_tmp_dirs',` | |
610 | gen_require(` | |
611 | type gkeyringd_tmp_t; | |
612 | ') | |
613 | ||
614 | files_search_tmp($1) | |
615 | allow $1 gkeyringd_tmp_t:dir search_dir_perms; | |
616 | ') | |
617 | ||
3eaa9939 DW |
618 | ######################################## |
619 | ## <summary> | |
620 | ## search gconf homedir (.local) | |
621 | ## </summary> | |
aa760a23 | 622 | ## <param name="domain"> |
3eaa9939 | 623 | ## <summary> |
aa760a23 | 624 | ## Domain allowed access. |
3eaa9939 DW |
625 | ## </summary> |
626 | ## </param> | |
627 | # | |
628 | interface(`gnome_search_gconf',` | |
629 | gen_require(` | |
630 | type gconf_home_t; | |
631 | ') | |
632 | ||
633 | allow $1 gconf_home_t:dir search_dir_perms; | |
634 | userdom_search_user_home_dirs($1) | |
635 | ') | |
636 | ||
4251ae10 DW |
637 | ######################################## |
638 | ## <summary> | |
639 | ## Set attributes of Gnome config dirs. | |
640 | ## </summary> | |
641 | ## <param name="domain"> | |
642 | ## <summary> | |
643 | ## Domain allowed access. | |
644 | ## </summary> | |
645 | ## </param> | |
646 | # | |
647 | interface(`gnome_setattr_config_dirs',` | |
648 | gen_require(` | |
649 | type gnome_home_t; | |
650 | ') | |
651 | ||
652 | setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) | |
653 | files_search_home($1) | |
654 | ') | |
655 | ||
ca9e8850 DW |
656 | ######################################## |
657 | ## <summary> | |
658 | ## Manage generic gnome home files. | |
659 | ## </summary> | |
660 | ## <param name="domain"> | |
661 | ## <summary> | |
662 | ## Domain allowed access. | |
663 | ## </summary> | |
664 | ## </param> | |
665 | # | |
666 | interface(`gnome_manage_generic_home_files',` | |
667 | gen_require(` | |
668 | type gnome_home_t; | |
669 | ') | |
670 | ||
671 | userdom_search_user_home_dirs($1) | |
672 | manage_files_pattern($1, gnome_home_t, gnome_home_t) | |
673 | ') | |
674 | ||
675 | ######################################## | |
676 | ## <summary> | |
677 | ## Manage generic gnome home directories. | |
678 | ## </summary> | |
679 | ## <param name="domain"> | |
680 | ## <summary> | |
681 | ## Domain allowed access. | |
682 | ## </summary> | |
683 | ## </param> | |
684 | # | |
685 | interface(`gnome_manage_generic_home_dirs',` | |
686 | gen_require(` | |
687 | type gnome_home_t; | |
688 | ') | |
689 | ||
690 | userdom_search_user_home_dirs($1) | |
691 | allow $1 gnome_home_t:dir manage_dir_perms; | |
692 | ') | |
693 | ||
3eaa9939 DW |
694 | ######################################## |
695 | ## <summary> | |
696 | ## Append gconf home files | |
697 | ## </summary> | |
698 | ## <param name="domain"> | |
699 | ## <summary> | |
700 | ## Domain allowed access. | |
701 | ## </summary> | |
702 | ## </param> | |
703 | # | |
704 | interface(`gnome_append_gconf_home_files',` | |
705 | gen_require(` | |
706 | type gconf_home_t; | |
707 | ') | |
708 | ||
709 | append_files_pattern($1, gconf_home_t, gconf_home_t) | |
710 | ') | |
711 | ||
712 | ######################################## | |
713 | ## <summary> | |
714 | ## manage gconf home files | |
715 | ## </summary> | |
716 | ## <param name="domain"> | |
717 | ## <summary> | |
718 | ## Domain allowed access. | |
719 | ## </summary> | |
720 | ## </param> | |
721 | # | |
722 | interface(`gnome_manage_gconf_home_files',` | |
723 | gen_require(` | |
724 | type gconf_home_t; | |
725 | ') | |
726 | ||
727 | allow $1 gconf_home_t:dir list_dir_perms; | |
728 | manage_files_pattern($1, gconf_home_t, gconf_home_t) | |
729 | ') | |
730 | ||
731 | ######################################## | |
732 | ## <summary> | |
733 | ## Connect to gnome over an unix stream socket. | |
734 | ## </summary> | |
735 | ## <param name="domain"> | |
736 | ## <summary> | |
737 | ## Domain allowed access. | |
738 | ## </summary> | |
739 | ## </param> | |
740 | ## <param name="user_domain"> | |
741 | ## <summary> | |
742 | ## The type of the user domain. | |
743 | ## </summary> | |
744 | ## </param> | |
745 | # | |
746 | interface(`gnome_stream_connect',` | |
747 | gen_require(` | |
748 | attribute gnome_home_type; | |
749 | ') | |
750 | ||
751 | # Connect to pulseaudio server | |
752 | stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) | |
753 | ') | |
754 | ||
755 | ######################################## | |
756 | ## <summary> | |
2d4a79a0 | 757 | ## list gnome homedir content (.config) |
3eaa9939 | 758 | ## </summary> |
aa760a23 | 759 | ## <param name="domain"> |
3eaa9939 | 760 | ## <summary> |
aa760a23 | 761 | ## Domain allowed access. |
3eaa9939 DW |
762 | ## </summary> |
763 | ## </param> | |
764 | # | |
d15b40a5 | 765 | interface(`gnome_list_home_config',` |
3eaa9939 DW |
766 | gen_require(` |
767 | type config_home_t; | |
768 | ') | |
769 | ||
770 | allow $1 config_home_t:dir list_dir_perms; | |
771 | ') | |
772 | ||
5ef740e5 DW |
773 | ######################################## |
774 | ## <summary> | |
775 | ## Set attributes of gnome homedir content (.config) | |
776 | ## </summary> | |
777 | ## <param name="domain"> | |
778 | ## <summary> | |
779 | ## Domain allowed access. | |
780 | ## </summary> | |
781 | ## </param> | |
782 | # | |
783 | template(`gnome_setattr_home_config',` | |
784 | gen_require(` | |
785 | type config_home_t; | |
786 | ') | |
787 | ||
788 | setattr_dirs_pattern($1, config_home_t, config_home_t) | |
789 | userdom_search_user_home_dirs($1) | |
790 | ') | |
791 | ||
2d4a79a0 DW |
792 | ######################################## |
793 | ## <summary> | |
794 | ## read gnome homedir content (.config) | |
795 | ## </summary> | |
aa760a23 | 796 | ## <param name="domain"> |
2d4a79a0 | 797 | ## <summary> |
aa760a23 | 798 | ## Domain allowed access. |
2d4a79a0 DW |
799 | ## </summary> |
800 | ## </param> | |
801 | # | |
d15b40a5 | 802 | interface(`gnome_read_home_config',` |
2d4a79a0 DW |
803 | gen_require(` |
804 | type config_home_t; | |
805 | ') | |
806 | ||
b533b084 | 807 | list_dirs_pattern($1, config_home_t, config_home_t) |
2d4a79a0 | 808 | read_files_pattern($1, config_home_t, config_home_t) |
6f93adfa | 809 | read_lnk_files_pattern($1, config_home_t, config_home_t) |
2d4a79a0 DW |
810 | ') |
811 | ||
f5b49a5e DW |
812 | ######################################## |
813 | ## <summary> | |
814 | ## manage gnome homedir content (.config) | |
815 | ## </summary> | |
aa760a23 | 816 | ## <param name="domain"> |
f5b49a5e | 817 | ## <summary> |
aa760a23 | 818 | ## Domain allowed access. |
f5b49a5e DW |
819 | ## </summary> |
820 | ## </param> | |
821 | # | |
822 | template(`gnome_manage_home_config',` | |
823 | gen_require(` | |
824 | type config_home_t; | |
825 | ') | |
826 | ||
827 | manage_files_pattern($1, config_home_t, config_home_t) | |
828 | ') | |
829 | ||
3eaa9939 DW |
830 | ######################################## |
831 | ## <summary> | |
832 | ## Read/Write all inherited gnome home config | |
833 | ## </summary> | |
834 | ## <param name="domain"> | |
835 | ## <summary> | |
836 | ## Domain allowed access. | |
837 | ## </summary> | |
838 | ## </param> | |
839 | # | |
840 | interface(`gnome_rw_inherited_config',` | |
841 | gen_require(` | |
842 | attribute gnome_home_type; | |
843 | ') | |
844 | ||
845 | allow $1 gnome_home_type:file rw_inherited_file_perms; | |
846 | ') | |
847 | ||
848 | ######################################## | |
849 | ## <summary> | |
850 | ## Send and receive messages from | |
851 | ## gconf system service over dbus. | |
852 | ## </summary> | |
853 | ## <param name="domain"> | |
854 | ## <summary> | |
855 | ## Domain allowed access. | |
856 | ## </summary> | |
857 | ## </param> | |
858 | # | |
859 | interface(`gnome_dbus_chat_gconfdefault',` | |
860 | gen_require(` | |
861 | type gconfdefaultsm_t; | |
862 | class dbus send_msg; | |
863 | ') | |
864 | ||
865 | allow $1 gconfdefaultsm_t:dbus send_msg; | |
866 | allow gconfdefaultsm_t $1:dbus send_msg; | |
867 | ') | |
ca9e8850 DW |
868 | |
869 | ######################################## | |
870 | ## <summary> | |
871 | ## Send and receive messages from | |
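872 | ## gkeyringd over dbus. NOTE(review): only $1 is used, as the domain; the role_prefix parameter documented below is not referenced, and access covers every gkeyringd_domain type. | |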
873 | ## </summary> | |
874 | ## <param name="role_prefix"> | |
875 | ## <summary> | |
876 | ## Role prefix. | |
877 | ## </summary> | |
878 | ## </param> | |
879 | ## <param name="domain"> | |
880 | ## <summary> | |
881 | ## Domain allowed access. | |
882 | ## </summary> | |
883 | ## </param> | |
884 | # | |
885 | interface(`gnome_dbus_chat_gkeyringd',` | |
886 | gen_require(` | |
31f04122 | 887 | attribute gkeyringd_domain; |
ca9e8850 DW |
888 | class dbus send_msg; |
889 | ') | |
890 | ||
f80308f9 MG |
891 | allow $1 gkeyringd_domain:dbus send_msg; |
892 | allow gkeyringd_domain $1:dbus send_msg; | |
ca9e8850 | 893 | ') |
31f04122 | 894 | |
ca9e8850 DW |
895 | ######################################## |
896 | ## <summary> | |
897 | ## Create directories in user home directories | |
898 | ## with the gnome home file type. | |
899 | ## </summary> | |
900 | ## <param name="domain"> | |
901 | ## <summary> | |
902 | ## Domain allowed access. | |
903 | ## </summary> | |
904 | ## </param> | |
905 | # | |
906 | interface(`gnome_home_dir_filetrans',` | |
907 | gen_require(` | |
908 | type gnome_home_t; | |
909 | ') | |
910 | ||
911 | userdom_user_home_dir_filetrans($1, gnome_home_t, dir) | |
912 | userdom_search_user_home_dirs($1) | |
913 | ') | |
a8183914 MG |
914 | |
915 | ###################################### | |
916 | ## <summary> | |
917 | ## Allow read kde config content | |
918 | ## </summary> | |
919 | ## <param name="domain"> | |
920 | ## <summary> | |
921 | ## Domain allowed access. | |
922 | ## </summary> | |
923 | ## </param> | |
924 | # | |
925 | interface(`gnome_read_usr_config',` | |
926 | gen_require(` | |
927 | type config_usr_t; | |
928 | ') | |
929 | ||
930 | files_search_usr($1) | |
931 | list_dirs_pattern($1, config_usr_t, config_usr_t) | |
932 | read_files_pattern($1, config_usr_t, config_usr_t) | |
933 | read_lnk_files_pattern($1, config_usr_t, config_usr_t) | |
934 | ') | |
935 | ||
936 | ####################################### | |
937 | ## <summary> | |
938 | ## Allow manage kde config content | |
939 | ## </summary> | |
940 | ## <param name="domain"> | |
941 | ## <summary> | |
942 | ## Domain allowed access. | |
943 | ## </summary> | |
944 | ## </param> | |
945 | # | |
946 | interface(`gnome_manage_usr_config',` | |
947 | gen_require(` | |
948 | type config_usr_t; | |
949 | ') | |
950 | ||
951 | files_search_usr($1) | |
952 | manage_dirs_pattern($1, config_usr_t, config_usr_t) | |
953 | manage_files_pattern($1, config_usr_t, config_usr_t) | |
954 | manage_lnk_files_pattern($1, config_usr_t, config_usr_t) | |
955 | ') | |
31f04122 DW |
956 | |
957 | ######################################## | |
958 | ## <summary> | |
959 | ## Execute gnome-keyring in the user gkeyring domain | |
960 | ## </summary> | |
961 | ## <param name="domain"> | |
962 | ## <summary> | |
963 | ## Domain allowed access | |
964 | ## </summary> | |
965 | ## </param> | |
966 | ## <param name="role"> | |
967 | ## <summary> | |
968 | ## The role to be allowed the gkeyring domain. NOTE(review): $2 is not referenced in the body. | |
969 | ## </summary> | |
970 | ## </param> | |
971 | # | |
972 | interface(`gnome_transition_gkeyringd',` | |
973 | gen_require(` | |
974 | attribute gkeyringd_domain; | |
975 | ') | |
976 | ||
977 | allow $1 gkeyringd_domain:process transition; | |
978 | dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh }; | |
979 | allow gkeyringd_domain $1:process { sigchld signull }; | |
980 | allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; | |
981 | ') | |
982 | ||
15b2e336 DW |
983 | |
984 | ######################################## | |
985 | ## <summary> | |
986 | ## Create gnome directory in the user home directory | |
987 | ## with the correct label. | |
988 | ## </summary> | |
989 | ## <param name="domain"> | |
990 | ## <summary> | |
991 | ## Domain allowed access. | |
992 | ## </summary> | |
993 | ## </param> | |
994 | # | |
a11cc065 | 995 | interface(`gnome_filetrans_home_content',` |
15b2e336 DW |
996 | |
997 | gen_require(` | |
998 | type config_home_t; | |
999 | type cache_home_t; | |
1000 | type gstreamer_home_t; | |
1001 | type gconf_home_t; | |
1002 | type gnome_home_t; | |
1003 | type data_home_t; | |
1004 | type gkeyringd_gnome_home_t; | |
1005 | ') | |
1006 | ||
1007 | userdom_user_home_dir_filetrans($1, config_home_t, file, .Xdefaults) | |
1008 | userdom_user_home_dir_filetrans($1, config_home_t, dir, .xine) | |
1009 | userdom_user_home_dir_filetrans($1, cache_home_t, dir, .cache) | |
1010 | userdom_user_home_dir_filetrans($1, config_home_t, dir, .kde) | |
1011 | userdom_user_home_dir_filetrans($1, gconf_home_t, dir, .gconf) | |
1012 | userdom_user_home_dir_filetrans($1, gconf_home_t, dir, .gconfd) | |
1013 | userdom_user_home_dir_filetrans($1, gconf_home_t, dir, .local) | |
1014 | userdom_user_home_dir_filetrans($1, gnome_home_t, dir, .gnome2) | |
1015 | userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-10) | |
1016 | userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-12) | |
1017 | filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, keyrings) | |
1018 | filetrans_pattern($1, gconf_home_t, data_home_t, dir, share) | |
1019 | ') | |
1020 | ||
1021 | ######################################## | |
1022 | ## <summary> | |
1023 | ## Create gnome directory in the /root directory | |
1024 | ## with the correct label. | |
1025 | ## </summary> | |
1026 | ## <param name="domain"> | |
1027 | ## <summary> | |
1028 | ## Domain allowed access. | |
1029 | ## </summary> | |
1030 | ## </param> | |
1031 | # | |
a11cc065 | 1032 | interface(`gnome_filetrans_admin_home_content',` |
15b2e336 DW |
1033 | |
1034 | gen_require(` | |
1035 | type config_home_t; | |
1036 | type cache_home_t; | |
1037 | type gstreamer_home_t; | |
1038 | type gconf_home_t; | |
1039 | type gnome_home_t; | |
1040 | type data_home_t; | |
1041 | ') | |
1042 | ||
1043 | userdom_admin_home_dir_filetrans($1, config_home_t, file, .Xdefaults) | |
1044 | userdom_admin_home_dir_filetrans($1, config_home_t, dir, .xine) | |
1045 | userdom_admin_home_dir_filetrans($1, cache_home_t, dir, .cache) | |
1046 | userdom_admin_home_dir_filetrans($1, config_home_t, dir, .kde) | |
1047 | userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, .gconf) | |
1048 | userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, .gconfd) | |
1049 | userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, .local) | |
1050 | userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, .gnome2) | |
1051 | userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-10) | |
1052 | userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-12) | |
1053 | ') |