## <summary>GNU network object model environment (GNOME)</summary>

###########################################################
## <summary>
##	Role access for gnome
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`gnome_role',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
		type gconf_tmp_t;
	')

	role $1 types gconfd_t;

	# domain_auto_trans is the older spelling; the rest of this file uses
	# domtrans_pattern(). The three allow rules let gconfd use the user
	# domain's inherited fds, write to its pipes and connect to its unix
	# stream sockets.
	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
	allow gconfd_t $2:fd use;
	allow gconfd_t $2:fifo_file write;
	allow gconfd_t $2:unix_stream_socket connectto;

	ps_process_pattern($2, gconfd_t)

	# NOTE(review): the commented-out template call below is stale; the two
	# rules that follow it are the same grant that gnome_stream_connect_gconf()
	# makes, spelled out inline.
	#gnome_stream_connect_gconf_template($1, $2)
	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
	allow $2 gconfd_t:unix_stream_socket connectto;
')

######################################
## <summary>
##	The role template for the gnome-keyring-daemon.
## </summary>
## <param name="user_prefix">
##	<summary>
##	The user prefix.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
interface(`gnome_role_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		attribute gnome_domain;
		type gnome_home_t;
		type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
		class dbus send_msg;
	')

	# One keyring daemon domain per user prefix. The typealias keeps the
	# older gkeyringd_<prefix>_t name resolvable for existing policy.
	type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
	ubac_constrained($1_gkeyringd_t)
	domain_user_exemption_target($1_gkeyringd_t)

	# Broad grant: the daemon becomes a manager of user home content.
	userdom_home_manager($1_gkeyringd_t)

	role $2 types $1_gkeyringd_t;

	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)

	# The user domain may create and relabel the daemon's home and tmp
	# content (dirs, files, sockets).
	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };

	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	# The daemon may execute binaries and shells with a transition to $1_t
	# (presumably the prefix's user domain), and may sigkill the user domain.
	corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
	corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
	allow $1_gkeyringd_t $3:process sigkill;
	allow $3 $1_gkeyringd_t:fd use;
	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;

	ps_process_pattern($1_gkeyringd_t, $3)

	auth_use_nsswitch($1_gkeyringd_t)

	ps_process_pattern($3, $1_gkeyringd_t)
	allow $3 $1_gkeyringd_t:process signal_perms;
	dontaudit $3 gkeyringd_exec_t:file entrypoint;

	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)

	# Bidirectional dbus traffic between the daemon and the user domain; the
	# session-bus wiring and the home-content grants are optional so the
	# module still builds when those modules are absent.
	allow $1_gkeyringd_t $3:dbus send_msg;
	allow $3 $1_gkeyringd_t:dbus send_msg;
	optional_policy(`
		dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
		dbus_session_bus_client($1_gkeyringd_t)
		gnome_home_dir_filetrans($1_gkeyringd_t)
		gnome_manage_generic_home_dirs($1_gkeyringd_t)
		gnome_read_generic_data_home_files($1_gkeyringd_t)

		optional_policy(`
			telepathy_mission_control_read_state($1_gkeyringd_t)
		')
	')
')

########################################
## <summary>
##	gconf connection template.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	# Read access to gconf's tmp content plus connectto on the daemon's
	# unix stream sockets.
	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
	allow $1 gconfd_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	# NOTE(review): the search grant on gconf_tmp_t presumably covers a path
	# component on the way to the socket — confirm against the daemon's
	# socket location.
	allow $1 gconf_tmp_t:dir search_dir_perms;
	# Applies to every domain carrying gkeyringd_domain, not one user's daemon.
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Connect to all gkeyringd domains with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	# NOTE(review): body is identical to gnome_stream_connect_gkeyringd();
	# kept because existing callers reference this name.
	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	# Automatic transition: executing gconfd_exec_t from $1 lands in gconfd_t.
	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Dontaudit read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# NOTE(review): a file permission set applied to the dir class; silences
	# denials on every type carrying gnome_home_type — confirm this is the
	# intended scope.
	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')

########################################
## <summary>
##	Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Covers every type carrying gnome_home_type, not just config_home_t.
	dontaudit $1 gnome_home_type:dir search_dir_perms;
')

########################################
## <summary>
##	Manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Attribute-wide grant: full manage over dirs, files and symlinks of
	# every gnome home type. Prefer the narrower gnome_manage_home_config()
	# when only config_home_t is needed.
	allow $1 gnome_home_type:dir manage_dir_perms;
	allow $1 gnome_home_type:file manage_file_perms;
	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Send general signals to all gnome domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signal_all',`
	gen_require(`
		attribute gnome_domain;
	')

	# Targets the gnome_domain attribute (gconfd and the keyring daemons
	# declared in this module), not only gconf.
	allow $1 gnome_domain:process signal;
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_cache_filetrans',`
	gen_require(`
		type cache_home_t;
	')

	# $4 is the optional filename for a name-based transition.
	filetrans_pattern($1, cache_home_t, $2, $3, $4)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	read_files_pattern($1, cache_home_t, cache_home_t)
	# Search on the user home dir so the .cache path is reachable.
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
	gen_require(`
		type cache_home_t;
	')

	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Append to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	append_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	write_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Dontaudit read/write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_rw_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	# Inherited-fd permissions only: no open, so this does not silence
	# attempts to open cache files by path.
	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Read all gnome homedir content (every gnome home type).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Attribute-wide: list, read files and read symlinks across every type
	# carrying gnome_home_type. gnome_read_home_config() is the config_home_t
	# only variant. No user-home search is granted here; callers need that
	# separately.
	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
	read_files_pattern($1, gnome_home_type, gnome_home_type)
	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Create objects in a Gnome data home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans',`
	gen_require(`
		type data_home_t;
	')

	# $4 is the optional filename for a name-based transition.
	filetrans_pattern($1, data_home_t, $2, $3, $4)
	# data_home_t lives below the gconf home dir (see
	# gnome_filetrans_home_content), so search on it is needed to reach it.
	gnome_search_gconf($1)
')

#######################################
## <summary>
##	Read generic data home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_data_home_files',`
	gen_require(`
		type data_home_t, gconf_home_t;
	')

	# Search through either gconf_home_t or data_home_t dirs to read
	# data_home_t files. No user-home search is granted here.
	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
')

#######################################
## <summary>
##	Manage gconf data home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_data',`
	gen_require(`
		type data_home_t;
		type gconf_home_t;
	')

	# The data dir sits under gconf_home_t (~/.local), hence the search grant.
	allow $1 gconf_home_t:dir search_dir_perms;
	manage_dirs_pattern($1, data_home_t, data_home_t)
	manage_files_pattern($1, data_home_t, data_home_t)
	manage_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Read icc data home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_icc_data_content',`
	gen_require(`
		type icc_data_home_t, gconf_home_t, data_home_t;
	')

	# Full path: user home -> gconf_home_t/data_home_t -> icc_data_home_t.
	userdom_search_user_home_dirs($1)
	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')

########################################
## <summary>
##	Read inherited icc data home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_inherited_home_icc_data_files',`
	gen_require(`
		type icc_data_home_t;
	')

	# Inherited-fd read only; no open permission, no path search.
	allow $1 icc_data_home_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	# No filename argument: every object of class $2 that $1 creates in the
	# admin home dir is labeled gconf_home_t.
	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')

########################################
## <summary>
##	Do not audit attempts to read
##	inherited gconf config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
	gen_require(`
		type gconf_etc_t;
	')

	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Read gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	allow $1 gconf_etc_t:dir list_dir_perms;
	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
	# gconf_etc_t content is reached through /etc.
	files_search_etc($1)
')

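#######################################
## <summary>
##	Manage gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	allow $1 gconf_etc_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
	# Mirrors gnome_read_gconf_config(): gconf_etc_t content is reached
	# through /etc, so the caller needs search on it to use this grant.
	files_search_etc($1)
')
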
########################################
## <summary>
##	Execute gconf programs in
##	the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	# No domain transition: gconfd runs with the caller's own label.
	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Execute gnome keyringd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_keyringd',`
	gen_require(`
		type gkeyringd_exec_t;
	')

	# No domain transition: the daemon runs with the caller's own label.
	can_exec($1, gkeyringd_exec_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Read gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	userdom_search_user_home_dirs($1)
	# Covers both gconf_home_t and the data_home_t content nested under it.
	allow $1 gconf_home_t:dir list_dir_perms;
	allow $1 data_home_t:dir list_dir_perms;
	read_files_pattern($1, gconf_home_t, gconf_home_t)
	read_files_pattern($1, data_home_t, data_home_t)
	read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
	read_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Search gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gkeyringd_tmp_dirs',`
	gen_require(`
		type gkeyringd_tmp_t;
	')

	files_search_tmp($1)
	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
')

########################################
## <summary>
##	Search gconf homedir (.local)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir search_dir_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of Gnome config dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	# NOTE(review): the other home-content interfaces in this file use
	# userdom_search_user_home_dirs(); files_search_home() alone may not
	# reach content inside the user's home dir — confirm callers have it.
	files_search_home($1)
')

########################################
## <summary>
##	Manage generic gnome home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_files',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, gnome_home_t, gnome_home_t)
')

########################################
## <summary>
##	Manage generic gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Append gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	# No user-home search is granted here; callers need it separately.
	append_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Manage gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Connect to gnome over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
interface(`gnome_stream_connect',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Connect to any sock_file carrying a gnome_home_type label, with $2 as
	# the peer domain. (Not specific to any one service.)
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')

########################################
## <summary>
##	List gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_list_home_config',`
	gen_require(`
		type config_home_t;
	')

	allow $1 config_home_t:dir list_dir_perms;
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_home_config',`
	gen_require(`
		type config_home_t;
	')

	setattr_dirs_pattern($1, config_home_t, config_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_config',`
	gen_require(`
		type config_home_t;
	')

	# config_home_t only; gnome_read_config() is the attribute-wide variant.
	list_dirs_pattern($1, config_home_t, config_home_t)
	read_files_pattern($1, config_home_t, config_home_t)
	read_lnk_files_pattern($1, config_home_t, config_home_t)
')

#######################################
## <summary>
##	Delete gnome homedir content files (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_delete_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Files only; gnome_delete_home_config_dirs() covers directories.
	delete_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gnome homedir content files (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Files only; gnome_manage_home_config_dirs() covers directories.
	manage_files_pattern($1, config_home_t, config_home_t)
')

#######################################
## <summary>
##	Delete gnome homedir content directories (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_delete_home_config_dirs',`
	gen_require(`
		type config_home_t;
	')

	delete_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gnome homedir content directories (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_home_config_dirs',`
	gen_require(`
		type config_home_t;
	')

	manage_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gstreamer home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gstreamer_home_files',`
	gen_require(`
		type gstreamer_home_t;
	')

	manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
')

########################################
## <summary>
##	Read/Write all inherited gnome home config
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Inherited-fd read/write across every gnome home type; no open.
	allow $1 gnome_home_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	gconf system service over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
	gen_require(`
		type gconfdefaultsm_t;
		class dbus send_msg;
	')

	# Both directions are granted so replies are allowed too.
	allow $1 gconfdefaultsm_t:dbus send_msg;
	allow gconfdefaultsm_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	gkeyringd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		class dbus send_msg;
	')

	# Attribute-wide: applies to every per-user keyring daemon domain.
	allow $1 gkeyringd_domain:dbus send_msg;
	allow gkeyringd_domain $1:dbus send_msg;
')

########################################
## <summary>
##	Send signull signal to gkeyringd processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signull_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# signull is existence-check only (kill -0); it delivers no signal.
	allow $1 gkeyringd_domain:process signull;
')

########################################
## <summary>
##	Allow the domain to read gkeyringd state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gkeyringd_state',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	ps_process_pattern($1, gkeyringd_domain)
')

########################################
## <summary>
##	Create directories in user home directories
##	with the gnome home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_home_dir_filetrans',`
	gen_require(`
		type gnome_home_t;
	')

	# No filename argument: every directory $1 creates directly in the user
	# home dir is labeled gnome_home_t, not just the gnome ones.
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
	userdom_search_user_home_dirs($1)
')

######################################
## <summary>
##	Read config content under /usr (config_usr_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	files_search_usr($1)
	list_dirs_pattern($1, config_usr_t, config_usr_t)
	read_files_pattern($1, config_usr_t, config_usr_t)
	read_lnk_files_pattern($1, config_usr_t, config_usr_t)
')

#######################################
## <summary>
##	Manage config content under /usr (config_usr_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	# Write access to system-wide config under /usr; grant sparingly.
	files_search_usr($1)
	manage_dirs_pattern($1, config_usr_t, config_usr_t)
	manage_files_pattern($1, config_usr_t, config_usr_t)
	manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
')

########################################
## <summary>
##	Execute gnome-keyring in the user gkeyring domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the gkeyring domain.
##	</summary>
## </param>
#
interface(`gnome_transition_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# Hand-rolled transition half: process transition into any gkeyringd
	# domain plus the usual sigchld/signull and inherited-pipe rules back.
	# No entrypoint or type_transition is declared here, so the executable
	# side must come from elsewhere. The documented $2 (role) is not used
	# in this body.
	allow $1 gkeyringd_domain:process transition;
	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
	allow gkeyringd_domain $1:process { sigchld signull };
	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
')

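########################################
## <summary>
##	Create gnome content in the user home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_home_content',`
	gen_require(`
		type config_home_t;
		type cache_home_t;
		type gstreamer_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type data_home_t, icc_data_home_t;
		type gkeyringd_gnome_home_t;
	')

	# Name-based transitions directly under the user home dir.
	# .kde and .xine share config_home_t with .config.
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# ~/.color/icc: legacy
	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
	# Nested transitions: ~/.gnome2/keyrings, ~/.local/share, .../share/icc.
	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
	# "dconf" created under the user's tmp dir gets config_home_t.
	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
')
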
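########################################
## <summary>
##	Create gnome directory in the /root directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_admin_home_content',`
	gen_require(`
		type config_home_t;
		type cache_home_t;
		type gstreamer_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type icc_data_home_t;
	')

	# Same name-based transitions as gnome_filetrans_home_content(), applied
	# to the admin home dir. Note: no ".config" entry and no nested
	# keyrings/share transitions here.
	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# /root/.color/icc: legacy
	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
')
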
######################################
## <summary>
##	Execute gnome-keyring executable
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a gnome-keyring executable
##	in the specified domain. This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`gnome_command_domtrans_gkeyringd', `
	gen_require(`
		type gkeyringd_exec_t;
	')

	# NOTE(review): domain_transition_pattern() in refpolicy already grants
	# the entrypoint rule and some fd/pipe/sigchld rules, so the explicit
	# entrypoint allow may be redundant and the "no IPC" statement above
	# may overstate — confirm against this tree's misc_patterns.spt.
	allow $2 gkeyringd_exec_t:file entrypoint;
	domain_transition_pattern($1, gkeyringd_exec_t, $2)
	# Makes the transition automatic on exec of gkeyringd_exec_t.
	type_transition $1 gkeyringd_exec_t:process $2;
')