More fixes for .if policy files
## <summary>GNU network object model environment (GNOME)</summary>

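########################################
## <summary>
##	Role access for gnome
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`gnome_role',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	role $1 types gconfd_t;

	# gconfd is started from the user domain. domtrans_pattern is the same
	# form gnome_domtrans_gconfd uses below; it supplies the transition plus
	# the fd use / inherited fifo / sigchld rules that the older
	# domain_auto_trans form required to be spelled out by hand here.
	domtrans_pattern($2, gconfd_exec_t, gconfd_t)
	allow gconfd_t $2:unix_stream_socket connectto;

	ps_process_pattern($2, gconfd_t)

	# Same rules as the stand-alone client interface: read gconfd's tmp
	# files and connect to its socket.
	gnome_stream_connect_gconf($2)
')
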
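######################################
## <summary>
##	The role template for the gnome-keyring-daemon.
## </summary>
## <param name="user_prefix">
##	<summary>
##	The user prefix.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
interface(`gnome_role_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		attribute gnome_domain;
		type gnome_home_t;
		type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
		class dbus send_msg;
	')

	# Per-user keyring daemon domain; gkeyringd_$1_t is kept as an alias
	# for policy that still refers to the older naming scheme.
	type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
	ubac_constrained($1_gkeyringd_t)
	domain_user_exemption_target($1_gkeyringd_t)

	role $2 types $1_gkeyringd_t;

	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)

	# The user domain owns the on-disk keyring store and the daemon's
	# tmp directory/socket, and may relabel both.
	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };

	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	# Programs the daemon spawns run back in the user domain. That domain
	# is the user_domain parameter ($3); the previous "$1_t" spelling only
	# resolved when the caller happened to name its domain after the prefix.
	corecmd_bin_domtrans($1_gkeyringd_t, $3)
	corecmd_shell_domtrans($1_gkeyringd_t, $3)
	allow $1_gkeyringd_t $3:process sigkill;
	allow $3 $1_gkeyringd_t:fd use;
	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;

	ps_process_pattern($1_gkeyringd_t, $3)

	ps_process_pattern($3, $1_gkeyringd_t)
	# NOTE(review): ptrace lets the user domain read the daemon's memory,
	# i.e. the unlocked keyring, which undoes the separation the dedicated
	# domain is meant to provide if an application in $3 is compromised.
	# Consider gating this on a tunable.
	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };

	dontaudit $3 gkeyringd_exec_t:file entrypoint;

	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)

	allow $1_gkeyringd_t $3:dbus send_msg;
	allow $3 $1_gkeyringd_t:dbus send_msg;

	# Home directory handling does not depend on dbus, so it must not be
	# lost when the dbus module is absent.
	gnome_home_dir_filetrans($1_gkeyringd_t)
	gnome_manage_generic_home_dirs($1_gkeyringd_t)

	optional_policy(`
		dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
		dbus_session_bus_client($1_gkeyringd_t)

		optional_policy(`
			telepathy_mission_control_read_state($1_gkeyringd_t)
		')
	')
')
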
########################################
## <summary>
##	Connect to gconfd over a unix stream socket
##	and read its temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	allow $1 gconfd_t:unix_stream_socket connectto;
	# traverse the gconf tmp directory and read the files in it
	allow $1 gconf_tmp_t:dir search_dir_perms;
	allow $1 gconf_tmp_t:file read_file_perms;
')

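########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gkeyringd',`
	# The rules are identical to gnome_stream_connect_all_gkeyringd (both
	# target the gkeyringd_domain attribute, there is no per-user variant),
	# so delegate rather than carry a second copy that can drift.
	gnome_stream_connect_all_gkeyringd($1)
')
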
########################################
## <summary>
##	Connect to all gkeyringd domains with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	# connectto the daemon's socket kept in its tmp directory
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
	# NOTE(review): presumably the socket path crosses a gconf_tmp_t
	# directory; confirm against the file contexts before dropping this.
	search_dirs_pattern($1, gconf_tmp_t, gconf_tmp_t)
')

########################################
## <summary>
##	Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to execute gconfd and transition.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	# execute gconfd_exec_t with an automatic transition to gconfd_t
	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Dontaudit read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Only the dir class is covered; denied reads of files under these
	# directories are still audited.
	# NOTE(review): confirm this is intended -- the summary says "content".
	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')

########################################
## <summary>
##	Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# silence denials for traversing any gnome home directory type
	dontaudit $1 gnome_home_type:dir search_dir_perms;
')

########################################
## <summary>
##	Manage all gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# the content lives under the user home directory
	userdom_search_user_home_dirs($1)
	# full create/delete/read/write on dirs, files and symlinks of
	# every gnome home type
	manage_dirs_pattern($1, gnome_home_type, gnome_home_type)
	manage_files_pattern($1, gnome_home_type, gnome_home_type)
	manage_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Send general signals to all gnome domains
##	(gconfd and the per-user gkeyringd domains).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signal_all',`
	gen_require(`
		attribute gnome_domain;
	')

	# gnome_domain is the attribute shared by all domains of this module
	allow $1 gnome_domain:process signal;
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_cache_filetrans',`
	gen_require(`
		type cache_home_t;
	')

	# reach ~/.cache, then create $3 objects in it as $2
	userdom_search_user_home_dirs($1)
	filetrans_pattern($1, cache_home_t, $2, $3)
')

########################################
## <summary>
##	Read generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	# traverse the cache dir and read files that kept the generic type
	allow $1 cache_home_t:dir search_dir_perms;
	allow $1 cache_home_t:file read_file_perms;
')

########################################
## <summary>
##	Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	# setattr on the cache dir itself (no read/write of its content)
	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Append to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	# append only -- no read, no truncate
	allow $1 cache_home_t:dir search_dir_perms;
	allow $1 cache_home_t:file append_file_perms;
')

########################################
## <summary>
##	Write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	# write existing files; creation is not granted here
	allow $1 cache_home_t:dir search_dir_perms;
	allow $1 cache_home_t:file write_file_perms;
')

########################################
## <summary>
##	Dontaudit read/write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_rw_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	# covers only descriptors inherited from a parent (no open)
	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Read all gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# list, read files and follow symlinks for every gnome home type.
	# NOTE(review): unlike the cache interfaces this grants no search on
	# the user home directory itself; callers must bring that.
	allow $1 gnome_home_type:dir list_dir_perms;
	allow $1 gnome_home_type:file read_file_perms;
	allow $1 gnome_home_type:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Create objects in a Gnome data home directory
##	(data_home_t, under the gconf home directory)
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans',`
	gen_require(`
		type data_home_t;
	')

	# traverse the home dir and the gconf home dir that contains the data dir
	gnome_search_gconf($1)
	filetrans_pattern($1, data_home_t, $2, $3)
')

#######################################
## <summary>
##	Manage gconf data home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_data',`
	gen_require(`
		type data_home_t;
		type gconf_home_t;
	')

	# the data dir sits below the gconf home dir
	search_dirs_pattern($1, gconf_home_t, gconf_home_t)
	manage_files_pattern($1, data_home_t, data_home_t)
	manage_lnk_files_pattern($1, data_home_t, data_home_t)
	manage_dirs_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Read icc data home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_icc_data_content',`
	gen_require(`
		type icc_data_home_t, gconf_home_t, data_home_t;
	')

	# path: user home dir -> gconf home dir -> data dir -> icc dir
	userdom_search_user_home_dirs($1)
	search_dirs_pattern($1, gconf_home_t, data_home_t)
	allow $1 icc_data_home_t:dir list_dir_perms;
	allow $1 icc_data_home_t:file read_file_perms;
	allow $1 icc_data_home_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Read inherited icc data home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_inherited_home_icc_data_files',`
	gen_require(`
		type icc_data_home_t;
	')

	# read via an inherited descriptor only; no open and no dir search
	allow $1 icc_data_home_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	# unnamed transition: every new $2 object in the admin home dir
	# becomes gconf_home_t
	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')

########################################
## <summary>
##	Do not audit attempts to read
##	inherited gconf config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
	gen_require(`
		type gconf_etc_t;
	')

	# inherited descriptors only; open is still audited
	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Read gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	# reach the config under /etc, then list dirs and read files
	files_search_etc($1)
	list_dirs_pattern($1, gconf_etc_t, gconf_etc_t)
	allow $1 gconf_etc_t:file read_file_perms;
')

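#######################################
## <summary>
##	Manage gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	# The config lives under /etc: grant the same traversal the read
	# interface (gnome_read_gconf_config) grants, otherwise callers cannot
	# reach the directory at all unless they already search etc_t.
	files_search_etc($1)
	allow $1 gconf_etc_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
')
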
########################################
## <summary>
##	Execute gconf programs in
##	the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	# execute without a domain transition (stays in $1)
	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Execute gnome keyringd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_keyringd',`
	gen_require(`
		type gkeyringd_exec_t;
	')

	# find the binary, then run it without changing domain
	corecmd_search_bin($1)
	can_exec($1, gkeyringd_exec_t)
')

########################################
## <summary>
##	Read gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	userdom_search_user_home_dirs($1)

	# gconf home dir: list, read files, follow symlinks
	list_dirs_pattern($1, gconf_home_t, gconf_home_t)
	allow $1 gconf_home_t:file read_file_perms;
	allow $1 gconf_home_t:lnk_file read_lnk_file_perms;

	# data dir below it: same access
	list_dirs_pattern($1, data_home_t, data_home_t)
	allow $1 data_home_t:file read_file_perms;
	allow $1 data_home_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Search gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gkeyringd_tmp_dirs',`
	gen_require(`
		type gkeyringd_tmp_t;
	')

	# /tmp itself, then the daemon's directory inside it
	search_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
	files_search_tmp($1)
')

########################################
## <summary>
##	Search gconf homedir (.local)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	# traverse only; no listing or reading of content
	userdom_search_user_home_dirs($1)
	search_dirs_pattern($1, gconf_home_t, gconf_home_t)
')

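########################################
## <summary>
##	Set attributes of Gnome config dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	# gnome_home_t directories sit inside the user home directory, so the
	# caller has to traverse that directory too, not only the home root
	# that files_search_home covered. This matches the other gnome_home_t
	# interfaces in this file.
	# NOTE(review): verify userdom_search_user_home_dirs still includes the
	# home root search in this policy tree.
	userdom_search_user_home_dirs($1)
')
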
########################################
## <summary>
##	Manage generic gnome home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_files',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	# add/remove entries in the dir, full control of the files in it
	allow $1 gnome_home_t:dir rw_dir_perms;
	allow $1 gnome_home_t:file manage_file_perms;
')

########################################
## <summary>
##	Manage generic gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	# directories only; files inside keep their own rules
	manage_dirs_pattern($1, gnome_home_t, gnome_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Append gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	# NOTE(review): no search on the user home directory is granted here,
	# unlike the read/manage gconf home interfaces; callers need it.
	append_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Manage gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	# rw_dir_perms covers listing plus add/remove of entries
	allow $1 gconf_home_t:dir rw_dir_perms;
	allow $1 gconf_home_t:file manage_file_perms;
')

########################################
## <summary>
##	Connect to a unix stream socket kept in gnome home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain that owns the listening socket.
##	</summary>
## </param>
#
interface(`gnome_stream_connect',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Any sock_file labeled with any gnome home type may be written and
	# the connectto goes to $2 (e.g. a pulseaudio server in the user domain).
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')

########################################
## <summary>
##	List gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_list_home_config',`
	gen_require(`
		type config_home_t;
	')

	# directory listing only; files are not readable through this
	allow $1 config_home_t:dir list_dir_perms;
')

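########################################
## <summary>
##	Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Declared as interface, not template: it takes a single domain and
	# creates no types, like gnome_setattr_config_dirs above.
	setattr_dirs_pattern($1, config_home_t, config_home_t)
	userdom_search_user_home_dirs($1)
')
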
########################################
## <summary>
##	Read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_config',`
	gen_require(`
		type config_home_t;
	')

	# list, read and follow symlinks under ~/.config.
	# NOTE(review): no search on the user home dir itself is granted.
	allow $1 config_home_t:dir list_dir_perms;
	allow $1 config_home_t:file read_file_perms;
	allow $1 config_home_t:lnk_file read_lnk_file_perms;
')

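########################################
## <summary>
##	Manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Declared as interface, not template: it takes a single domain and
	# creates no types, like the other config_home_t interfaces.
	# NOTE(review): only files are managed and no user home dir search is
	# granted; callers need both from elsewhere.
	manage_files_pattern($1, config_home_t, config_home_t)
')
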
########################################
## <summary>
##	Read/Write all inherited gnome home config
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# descriptors inherited across exec only; no open, no dir access
	allow $1 gnome_home_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	gconf system service over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
	gen_require(`
		type gconfdefaultsm_t;
		class dbus send_msg;
	')

	# bidirectional: service -> caller and caller -> service
	allow gconfdefaultsm_t $1:dbus send_msg;
	allow $1 gconfdefaultsm_t:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	all gkeyringd domains over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		class dbus send_msg;
	')

	# bidirectional with every per-user keyring daemon domain
	allow gkeyringd_domain $1:dbus send_msg;
	allow $1 gkeyringd_domain:dbus send_msg;
')

########################################
## <summary>
##	Send signull signal to gkeyringd processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signull_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# existence check only (kill -0); no other signals
	allow $1 gkeyringd_domain:process signull;
')

########################################
## <summary>
##	Allow the domain to read gkeyringd state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gkeyringd_state',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# /proc/PID of every gkeyringd domain, plus process getattr
	ps_process_pattern($1, gkeyringd_domain)
')

ca9e8850
DW
975########################################
976## <summary>
977## Create directories in user home directories
978## with the gnome home file type.
979## </summary>
980## <param name="domain">
981## <summary>
982## Domain allowed access.
983## </summary>
984## </param>
985#
986interface(`gnome_home_dir_filetrans',`
987 gen_require(`
988 type gnome_home_t;
989 ')
990
991 userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
992 userdom_search_user_home_dirs($1)
993')
a8183914
MG
994
######################################
## <summary>
##	Read config_usr_t content under /usr
##	(documented as kde config content).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	files_search_usr($1)
	allow $1 config_usr_t:dir list_dir_perms;
	allow $1 config_usr_t:file read_file_perms;
	allow $1 config_usr_t:lnk_file read_lnk_file_perms;
')

#######################################
## <summary>
##	Manage config_usr_t content under /usr
##	(documented as kde config content).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	files_search_usr($1)
	# full control of dirs, files and symlinks carrying the type
	allow $1 config_usr_t:dir manage_dir_perms;
	allow $1 config_usr_t:file manage_file_perms;
	allow $1 config_usr_t:lnk_file manage_lnk_file_perms;
')

########################################
## <summary>
##	Allow a domain to transition into the gkeyringd domains
##	without being granted execute access on the gkeyringd
##	executable or an automatic transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`gnome_transition_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# Only the process-transition half of a domain transition: there is no
	# execute on gkeyringd_exec_t and no type_transition here (compare
	# gnome_command_domtrans_gkeyringd), so the caller must obtain those
	# elsewhere.
	# NOTE(review): a second "role" parameter used to be documented but $2
	# is never referenced.
	allow $1 gkeyringd_domain:process transition;
	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
	# the new gkeyringd process reports back to its parent
	allow gkeyringd_domain $1:process { sigchld signull };
	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Create gnome content in the user home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_home_content',`
	gen_require(`
		type config_home_t;
		type cache_home_t;
		type gstreamer_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type data_home_t, icc_data_home_t;
		type gkeyringd_gnome_home_t;
	')

	# Entries created directly in the user home directory, grouped by the
	# type they receive.
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")

	# Entries nested below the types above (e.g. ~/.local/share,
	# ~/.gnome2/keyrings and the icc dir under the data dir).
	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
	# ~/.color/icc: legacy location, any user home content dir as parent
	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
')

########################################
## <summary>
##	Create gnome directories in the /root directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_admin_home_content',`
	gen_require(`
		type config_home_t;
		type cache_home_t;
		type gstreamer_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type icc_data_home_t;
	')

	# Entries created in the admin home directory, grouped by type.
	# NOTE(review): unlike the user variant there is no ".config" rule and
	# no nested "share"/"keyrings" rules; confirm that is intended.
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# /root/.color/icc: legacy
	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
')

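######################################
## <summary>
##	Execute the gnome-keyring executable
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute gkeyringd_exec_t in the specified
##	domain. This allows the calling domain to
##	run gnome-keyring with a transition to a
##	domain that is not owned by this module.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`gnome_command_domtrans_gkeyringd',`
	gen_require(`
		type gkeyringd_exec_t;
	')

	# domain_transition_pattern already grants $2 the entrypoint on
	# gkeyringd_exec_t together with execute for $1 and the transition
	# permission; the separate entrypoint rule that used to precede it
	# was redundant.
	domain_transition_pattern($1, gkeyringd_exec_t, $2)
	type_transition $1 gkeyringd_exec_t:process $2;
')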