Commit | Line | Data |
---|---|---|
00219064 CP |
1 | ## <summary>GNU network object model environment (GNOME)</summary> |
2 | ||
efa04715 | 3 | ########################################################### |
00219064 | 4 | ## <summary> |
efa04715 | 5 | ## Role access for gnome |
00219064 | 6 | ## </summary> |
efa04715 MG |
7 | ## <param name="role"> |
8 | ## <summary> | |
9 | ## Role allowed access | |
10 | ## </summary> | |
00219064 | 11 | ## </param> |
efa04715 MG |
12 | ## <param name="domain"> |
13 | ## <summary> | |
14 | ## User domain for the role | |
15 | ## </summary> | |
00219064 CP |
16 | ## </param> |
17 | # | |
296273a7 | 18 | interface(`gnome_role',` |
efa04715 MG |
19 | gen_require(` |
20 | type gconfd_t, gconfd_exec_t; | |
21 | type gconf_tmp_t; | |
22 | ') | |
00219064 | 23 | |
efa04715 | 24 | role $1 types gconfd_t; |
00219064 | 25 | |
efa04715 MG |
26 | domain_auto_trans($2, gconfd_exec_t, gconfd_t) |
27 | allow gconfd_t $2:fd use; | |
28 | allow gconfd_t $2:fifo_file write; | |
29 | allow gconfd_t $2:unix_stream_socket connectto; | |
6b19be33 | 30 | |
efa04715 | 31 | ps_process_pattern($2, gconfd_t) |
00219064 | 32 | |
31d4b0a6 | 33 | #gnome_stream_connect_gconf_template($1, $2) |
296273a7 CP |
34 | read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) |
35 | allow $2 gconfd_t:unix_stream_socket connectto; | |
efa04715 | 36 | ') |
ca9e8850 | 37 | |
efa04715 MG |
38 | ###################################### |
39 | ## <summary> | |
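40 | ## The role template for the gnome-keyring-daemon. Declares the per-user type $1_gkeyringd_t, lets the user domain transition into it by executing gkeyringd_exec_t, and lets the daemon transition back to $1_t through bin and shell executables. | |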
41 | ## </summary> | |
42 | ## <param name="user_prefix"> | |
43 | ## <summary> | |
44 | ## The user prefix. | |
45 | ## </summary> | |
46 | ## </param> | |
47 | ## <param name="user_role"> | |
48 | ## <summary> | |
49 | ## The user role. | |
50 | ## </summary> | |
51 | ## </param> | |
52 | ## <param name="user_domain"> | |
53 | ## <summary> | |
54 | ## The user domain associated with the role. | |
55 | ## </summary> | |
56 | ## </param> | |
57 | # | |
58 | interface(`gnome_role_gkeyringd',` | |
59 | gen_require(` | |
60 | attribute gkeyringd_domain; | |
61 | attribute gnome_domain; | |
62 | type gnome_home_t; | |
63 | type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; | |
1d7e6f6b | 64 | class dbus send_msg; |
efa04715 MG |
65 | ') |
66 | ||
4153537b | 67 | type $1_gkeyringd_t, gnome_domain, gkeyringd_domain; |
37c03afb | 68 | typealias $1_gkeyringd_t alias gkeyringd_$1_t; |
4153537b DW |
69 | application_domain($1_gkeyringd_t, gkeyringd_exec_t) |
70 | ubac_constrained($1_gkeyringd_t) | |
71 | domain_user_exemption_target($1_gkeyringd_t) | |
ca9e8850 | 72 | |
ed2ac112 DW |
73 | userdom_home_manager($1_gkeyringd_t) |
74 | ||
4153537b | 75 | role $2 types $1_gkeyringd_t; |
ca9e8850 | 76 | |
4153537b | 77 | domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) |
ca9e8850 | 78 | |
efa04715 MG |
79 | allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms }; |
80 | allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms }; | |
ca9e8850 | 81 | |
efa04715 MG |
82 | allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; |
83 | allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; | |
ca9e8850 | 84 | |
4153537b DW |
85 | corecmd_bin_domtrans($1_gkeyringd_t, $1_t) |
86 | corecmd_shell_domtrans($1_gkeyringd_t, $1_t) | |
87 | allow $1_gkeyringd_t $3:process sigkill; | |
88 | allow $3 $1_gkeyringd_t:fd use; | |
89 | allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; | |
0e50301b | 90 | |
4153537b | 91 | ps_process_pattern($1_gkeyringd_t, $3) |
ca9e8850 | 92 | |
ae68f77d DW |
93 | auth_use_nsswitch($1_gkeyringd_t) |
94 | ||
4153537b | 95 | ps_process_pattern($3, $1_gkeyringd_t) |
995bdbb1 | 96 | allow $3 $1_gkeyringd_t:process signal_perms; |
efa04715 MG |
97 | dontaudit $3 gkeyringd_exec_t:file entrypoint; |
98 | ||
4153537b | 99 | stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) |
5598732f | 100 | |
4153537b DW |
101 | allow $1_gkeyringd_t $3:dbus send_msg; |
102 | allow $3 $1_gkeyringd_t:dbus send_msg; | |
efa04715 | 103 | optional_policy(` |
6b772880 | 104 | dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) |
4153537b DW |
105 | dbus_session_bus_client($1_gkeyringd_t) |
106 | gnome_home_dir_filetrans($1_gkeyringd_t) | |
107 | gnome_manage_generic_home_dirs($1_gkeyringd_t) | |
81085f1e | 108 | gnome_read_generic_data_home_files($1_gkeyringd_t) |
efa04715 | 109 | |
1d7e6f6b | 110 | optional_policy(` |
4153537b | 111 | telepathy_mission_control_read_state($1_gkeyringd_t) |
1d7e6f6b | 112 | ') |
efa04715 | 113 | ') |
00219064 | 114 | ') |
2a98379a | 115 | |
ab8f919e CP |
116 | ######################################## |
117 | ## <summary> | |
a947daf6 | 118 | ## gconf connection template. |
ab8f919e | 119 | ## </summary> |
aa760a23 | 120 | ## <param name="domain"> |
ab8f919e | 121 | ## <summary> |
aa760a23 | 122 | ## Domain allowed access. |
ab8f919e CP |
123 | ## </summary> |
124 | ## </param> | |
125 | # | |
a947daf6 | 126 | interface(`gnome_stream_connect_gconf',` |
ab8f919e | 127 | gen_require(` |
a947daf6 | 128 | type gconfd_t, gconf_tmp_t; |
ab8f919e CP |
129 | ') |
130 | ||
a947daf6 DW |
131 | read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) |
132 | allow $1 gconfd_t:unix_stream_socket connectto; | |
ab8f919e CP |
133 | ') |
134 | ||
ca9e8850 DW |
135 | ######################################## |
136 | ## <summary> | |
137 | ## Connect to gkeyringd with a unix stream socket. The rule is written against the gkeyringd_domain attribute, so it covers every gkeyringd domain. | |
138 | ## </summary> | |
ca9e8850 DW |
139 | ## <param name="domain"> |
140 | ## <summary> | |
141 | ## Domain allowed access. | |
142 | ## </summary> | |
143 | ## </param> | |
144 | # | |
145 | interface(`gnome_stream_connect_gkeyringd',` | |
146 | gen_require(` | |
455fe183 MG |
147 | attribute gkeyringd_domain; |
148 | type gkeyringd_tmp_t; | |
149 | type gconf_tmp_t; | |
ca9e8850 DW |
150 | ') |
151 | ||
455fe183 | 152 | allow $1 gconf_tmp_t:dir search_dir_perms; |
c9799808 | 153 | stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) |
ca9e8850 DW |
154 | ') |
155 | ||
156 | ######################################## | |
157 | ## <summary> | |
158 | ## Connect to all gkeyringd domains with a unix stream socket. | |
159 | ## </summary> | |
ca9e8850 DW |
160 | ## <param name="domain"> |
161 | ## <summary> | |
162 | ## Domain allowed access. | |
163 | ## </summary> | |
164 | ## </param> | |
165 | # | |
166 | interface(`gnome_stream_connect_all_gkeyringd',` | |
167 | gen_require(` | |
168 | attribute gkeyringd_domain; | |
169 | type gkeyringd_tmp_t; | |
f28aaa84 | 170 | type gconf_tmp_t; |
ca9e8850 DW |
171 | ') |
172 | ||
f28aaa84 | 173 | allow $1 gconf_tmp_t:dir search_dir_perms; |
ca9e8850 | 174 | stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) |
ca9e8850 DW |
175 | ') |
176 | ||
a947daf6 | 177 | ######################################## |
ab8f919e | 178 | ## <summary> |
a947daf6 | 179 | ## Run gconfd in gconfd domain. |
ab8f919e CP |
180 | ## </summary> |
181 | ## <param name="domain"> | |
182 | ## <summary> | |
183 | ## Domain allowed access. | |
184 | ## </summary> | |
185 | ## </param> | |
186 | # | |
a947daf6 | 187 | interface(`gnome_domtrans_gconfd',` |
ab8f919e | 188 | gen_require(` |
a947daf6 | 189 | type gconfd_t, gconfd_exec_t; |
ab8f919e CP |
190 | ') |
191 | ||
a947daf6 | 192 | domtrans_pattern($1, gconfd_exec_t, gconfd_t) |
ab8f919e CP |
193 | ') |
194 | ||
57955a25 DW |
195 | ######################################## |
196 | ## <summary> | |
197 | ## Do not audit attempts to read gnome homedir directories (.config) | |
198 | ## </summary> | |
199 | ## <param name="domain"> | |
200 | ## <summary> | |
24280f35 | 201 | ## Domain to not audit. |
57955a25 DW |
202 | ## </summary> |
203 | ## </param> | |
204 | # | |
205 | interface(`gnome_dontaudit_read_config',` | |
206 | gen_require(` | |
207 | attribute gnome_home_type; | |
208 | ') | |
209 | ||
210 | dontaudit $1 gnome_home_type:dir read_inherited_file_perms; | |
211 | ') | |
212 | ||
00219064 CP |
213 | ######################################## |
214 | ## <summary> | |
a947daf6 | 215 | ## Dontaudit search gnome homedir content (.config) |
00219064 | 216 | ## </summary> |
aa760a23 | 217 | ## <param name="domain"> |
00219064 | 218 | ## <summary> |
24280f35 | 219 | ## Domain to not audit. |
6b19be33 CP |
220 | ## </summary> |
221 | ## </param> | |
222 | # | |
a947daf6 | 223 | interface(`gnome_dontaudit_search_config',` |
6b19be33 | 224 | gen_require(` |
a947daf6 | 225 | attribute gnome_home_type; |
6b19be33 CP |
226 | ') |
227 | ||
a947daf6 | 228 | dontaudit $1 gnome_home_type:dir search_dir_perms; |
6b19be33 CP |
229 | ') |
230 | ||
ab8f919e CP |
231 | ######################################## |
232 | ## <summary> | |
a947daf6 | 233 | ## manage gnome homedir content (.config) |
3eaa9939 | 234 | ## </summary> |
aa760a23 | 235 | ## <param name="domain"> |
3eaa9939 | 236 | ## <summary> |
aa760a23 | 237 | ## Domain allowed access. |
3eaa9939 DW |
238 | ## </summary> |
239 | ## </param> | |
240 | # | |
a947daf6 | 241 | interface(`gnome_manage_config',` |
3eaa9939 DW |
242 | gen_require(` |
243 | attribute gnome_home_type; | |
244 | ') | |
245 | ||
a947daf6 DW |
246 | allow $1 gnome_home_type:dir manage_dir_perms; |
247 | allow $1 gnome_home_type:file manage_file_perms; | |
248 | allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; | |
249 | userdom_search_user_home_dirs($1) | |
3eaa9939 DW |
250 | ') |
251 | ||
252 | ######################################## | |
253 | ## <summary> | |
254 | ## Send general signals to all gnome domains (the gnome_domain attribute). | |
ab8f919e CP |
255 | ## </summary> |
256 | ## <param name="domain"> | |
257 | ## <summary> | |
258 | ## Domain allowed access. | |
259 | ## </summary> | |
260 | ## </param> | |
261 | # | |
3eaa9939 | 262 | interface(`gnome_signal_all',` |
ab8f919e | 263 | gen_require(` |
ca9e8850 | 264 | attribute gnome_domain; |
ab8f919e CP |
265 | ') |
266 | ||
ca9e8850 | 267 | allow $1 gnome_domain:process signal; |
ab8f919e CP |
268 | ') |
269 | ||
270 | ######################################## | |
271 | ## <summary> | |
3eaa9939 DW |
272 | ## Create objects in a Gnome cache home directory |
273 | ## with an automatic type transition to | |
274 | ## a specified private type. A fourth argument, not documented below, is passed through to filetrans_pattern unchanged. | |
275 | ## </summary> | |
276 | ## <param name="domain"> | |
277 | ## <summary> | |
278 | ## Domain allowed access. | |
279 | ## </summary> | |
280 | ## </param> | |
281 | ## <param name="private_type"> | |
282 | ## <summary> | |
283 | ## The type of the object to create. | |
284 | ## </summary> | |
285 | ## </param> | |
286 | ## <param name="object_class"> | |
287 | ## <summary> | |
288 | ## The class of the object to be created. | |
289 | ## </summary> | |
290 | ## </param> | |
291 | # | |
292 | interface(`gnome_cache_filetrans',` | |
293 | gen_require(` | |
294 | type cache_home_t; | |
295 | ') | |
296 | ||
2ea29241 | 297 | filetrans_pattern($1, cache_home_t, $2, $3, $4) |
3eaa9939 DW |
298 | userdom_search_user_home_dirs($1) |
299 | ') | |
300 | ||
301 | ######################################## | |
302 | ## <summary> | |
303 | ## Read generic cache home files (.cache) | |
304 | ## </summary> | |
305 | ## <param name="domain"> | |
306 | ## <summary> | |
307 | ## Domain allowed access. | |
308 | ## </summary> | |
309 | ## </param> | |
310 | # | |
311 | interface(`gnome_read_generic_cache_files',` | |
312 | gen_require(` | |
313 | type cache_home_t; | |
314 | ') | |
315 | ||
316 | read_files_pattern($1, cache_home_t, cache_home_t) | |
317 | userdom_search_user_home_dirs($1) | |
318 | ') | |
319 | ||
320 | ######################################## | |
321 | ## <summary> | |
322 | ## Set attributes of cache home dir (.cache) | |
323 | ## </summary> | |
324 | ## <param name="domain"> | |
325 | ## <summary> | |
326 | ## Domain allowed access. | |
327 | ## </summary> | |
328 | ## </param> | |
329 | # | |
330 | interface(`gnome_setattr_cache_home_dir',` | |
331 | gen_require(` | |
332 | type cache_home_t; | |
333 | ') | |
334 | ||
335 | setattr_dirs_pattern($1, cache_home_t, cache_home_t) | |
336 | userdom_search_user_home_dirs($1) | |
337 | ') | |
338 | ||
c71f02c0 DW |
339 | ######################################## |
340 | ## <summary> | |
341 | ## append to generic cache home files (.cache) | |
342 | ## </summary> | |
343 | ## <param name="domain"> | |
344 | ## <summary> | |
345 | ## Domain allowed access. | |
346 | ## </summary> | |
347 | ## </param> | |
348 | # | |
349 | interface(`gnome_append_generic_cache_files',` | |
350 | gen_require(` | |
351 | type cache_home_t; | |
352 | ') | |
353 | ||
354 | append_files_pattern($1, cache_home_t, cache_home_t) | |
355 | userdom_search_user_home_dirs($1) | |
356 | ') | |
357 | ||
3eaa9939 DW |
358 | ######################################## |
359 | ## <summary> | |
360 | ## write to generic cache home files (.cache) | |
361 | ## </summary> | |
362 | ## <param name="domain"> | |
363 | ## <summary> | |
364 | ## Domain allowed access. | |
365 | ## </summary> | |
366 | ## </param> | |
367 | # | |
368 | interface(`gnome_write_generic_cache_files',` | |
369 | gen_require(` | |
370 | type cache_home_t; | |
371 | ') | |
372 | ||
373 | write_files_pattern($1, cache_home_t, cache_home_t) | |
374 | userdom_search_user_home_dirs($1) | |
375 | ') | |
376 | ||
24280f35 DW |
377 | ######################################## |
378 | ## <summary> | |
379 | ## Dontaudit read/write to generic cache home files (.cache) | |
380 | ## </summary> | |
381 | ## <param name="domain"> | |
382 | ## <summary> | |
383 | ## Domain to not audit. | |
384 | ## </summary> | |
385 | ## </param> | |
386 | # | |
387 | interface(`gnome_dontaudit_rw_generic_cache_files',` | |
388 | gen_require(` | |
389 | type cache_home_t; | |
390 | ') | |
391 | ||
392 | dontaudit $1 cache_home_t:file rw_inherited_file_perms; | |
393 | ') | |
394 | ||
a947daf6 DW |
395 | ######################################## |
396 | ## <summary> | |
397 | ## read gnome homedir content (.config) | |
398 | ## </summary> | |
aa760a23 | 399 | ## <param name="domain"> |
a947daf6 | 400 | ## <summary> |
aa760a23 | 401 | ## Domain allowed access. |
a947daf6 DW |
402 | ## </summary> |
403 | ## </param> | |
404 | # | |
efa04715 | 405 | interface(`gnome_read_config',` |
a947daf6 DW |
406 | gen_require(` |
407 | attribute gnome_home_type; | |
408 | ') | |
409 | ||
410 | list_dirs_pattern($1, gnome_home_type, gnome_home_type) | |
411 | read_files_pattern($1, gnome_home_type, gnome_home_type) | |
412 | read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) | |
413 | ') | |
414 | ||
3eaa9939 DW |
415 | ######################################## |
416 | ## <summary> | |
417 | ## Create objects in a Gnome gconf home directory | |
418 | ## with an automatic type transition to | |
419 | ## a specified private type. A fourth argument, not documented below, is passed through to filetrans_pattern unchanged. | |
420 | ## </summary> | |
421 | ## <param name="domain"> | |
422 | ## <summary> | |
423 | ## Domain allowed access. | |
424 | ## </summary> | |
425 | ## </param> | |
426 | ## <param name="private_type"> | |
427 | ## <summary> | |
428 | ## The type of the object to create. | |
429 | ## </summary> | |
430 | ## </param> | |
431 | ## <param name="object_class"> | |
432 | ## <summary> | |
433 | ## The class of the object to be created. | |
434 | ## </summary> | |
435 | ## </param> | |
436 | # | |
437 | interface(`gnome_data_filetrans',` | |
438 | gen_require(` | |
439 | type data_home_t; | |
440 | ') | |
441 | ||
2ea29241 | 442 | filetrans_pattern($1, data_home_t, $2, $3, $4) |
3eaa9939 DW |
443 | gnome_search_gconf($1) |
444 | ') | |
445 | ||
4b7fe5b4 DW |
446 | ####################################### |
447 | ## <summary> | |
c98bb1bc | 448 | ## Read generic data home files. |
4b7fe5b4 DW |
449 | ## </summary> |
450 | ## <param name="domain"> | |
c98bb1bc DG |
451 | ## <summary> |
452 | ## Domain allowed access. | |
453 | ## </summary> | |
454 | ## </param> | |
455 | # | |
456 | interface(`gnome_read_generic_data_home_files',` | |
457 | gen_require(` | |
458 | type data_home_t, gconf_home_t; | |
459 | ') | |
460 | ||
461 | read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) | |
462 | ') | |
463 | ||
464 | ####################################### | |
465 | ## <summary> | |
466 | ## Manage gconf data home files | |
467 | ## </summary> | |
468 | ## <param name="domain"> | |
469 | ## <summary> | |
470 | ## Domain allowed access. | |
471 | ## </summary> | |
4b7fe5b4 DW |
472 | ## </param> |
473 | # | |
474 | interface(`gnome_manage_data',` | |
c98bb1bc DG |
475 | gen_require(` |
476 | type data_home_t; | |
477 | type gconf_home_t; | |
478 | ') | |
4b7fe5b4 | 479 | |
ceacf954 | 480 | allow $1 gconf_home_t:dir search_dir_perms; |
a768052f | 481 | manage_dirs_pattern($1, data_home_t, data_home_t) |
c98bb1bc | 482 | manage_files_pattern($1, data_home_t, data_home_t) |
a768052f | 483 | manage_lnk_files_pattern($1, data_home_t, data_home_t) |
4b7fe5b4 DW |
484 | ') |
485 | ||
290e6f41 DG |
486 | ######################################## |
487 | ## <summary> | |
488 | ## Read icc data home content. | |
489 | ## </summary> | |
490 | ## <param name="domain"> | |
491 | ## <summary> | |
492 | ## Domain allowed access. | |
493 | ## </summary> | |
494 | ## </param> | |
495 | # | |
496 | interface(`gnome_read_home_icc_data_content',` | |
497 | gen_require(` | |
498 | type icc_data_home_t, gconf_home_t, data_home_t; | |
499 | ') | |
500 | ||
501 | userdom_search_user_home_dirs($1) | |
502 | allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; | |
503 | list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) | |
504 | read_files_pattern($1, icc_data_home_t, icc_data_home_t) | |
505 | read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) | |
506 | ') | |
507 | ||
508 | ######################################## | |
509 | ## <summary> | |
510 | ## Read inherited icc data home files. | |
511 | ## </summary> | |
512 | ## <param name="domain"> | |
513 | ## <summary> | |
514 | ## Domain allowed access. | |
515 | ## </summary> | |
516 | ## </param> | |
517 | # | |
518 | interface(`gnome_read_inherited_home_icc_data_files',` | |
519 | gen_require(` | |
520 | type icc_data_home_t; | |
521 | ') | |
522 | ||
523 | allow $1 icc_data_home_t:file read_inherited_file_perms; | |
524 | ') | |
525 | ||
3eaa9939 DW |
526 | ######################################## |
527 | ## <summary> | |
528 | ## Create gconf_home_t objects in the /root directory | |
529 | ## </summary> | |
530 | ## <param name="domain"> | |
531 | ## <summary> | |
532 | ## Domain allowed access. | |
533 | ## </summary> | |
534 | ## </param> | |
535 | ## <param name="object_class"> | |
536 | ## <summary> | |
537 | ## The class of the object to be created. | |
538 | ## </summary> | |
539 | ## </param> | |
540 | # | |
541 | interface(`gnome_admin_home_gconf_filetrans',` | |
542 | gen_require(` | |
543 | type gconf_home_t; | |
544 | ') | |
545 | ||
546 | userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) | |
547 | ') | |
548 | ||
c98dcd43 DG |
549 | ######################################## |
550 | ## <summary> | |
551 | ## Do not audit attempts to read | |
552 | ## inherited gconf config files. | |
553 | ## </summary> | |
554 | ## <param name="domain"> | |
555 | ## <summary> | |
556 | ## Domain to not audit. | |
557 | ## </summary> | |
558 | ## </param> | |
559 | # | |
560 | interface(`gnome_dontaudit_read_inherited_gconf_config_files',` | |
561 | gen_require(` | |
562 | type gconf_etc_t; | |
563 | ') | |
564 | ||
565 | dontaudit $1 gconf_etc_t:file read_inherited_file_perms; | |
566 | ') | |
567 | ||
3eaa9939 DW |
568 | ######################################## |
569 | ## <summary> | |
570 | ## read gconf config files | |
ab8f919e | 571 | ## </summary> |
aa760a23 | 572 | ## <param name="domain"> |
ab8f919e | 573 | ## <summary> |
aa760a23 | 574 | ## Domain allowed access. |
3eaa9939 DW |
575 | ## </summary> |
576 | ## </param> | |
577 | # | |
d15b40a5 | 578 | interface(`gnome_read_gconf_config',` |
3eaa9939 DW |
579 | gen_require(` |
580 | type gconf_etc_t; | |
581 | ') | |
582 | ||
583 | allow $1 gconf_etc_t:dir list_dir_perms; | |
584 | read_files_pattern($1, gconf_etc_t, gconf_etc_t) | |
f33c5066 | 585 | files_search_etc($1) |
3eaa9939 DW |
586 | ') |
587 | ||
588 | ####################################### | |
589 | ## <summary> | |
590 | ## Manage gconf config files | |
591 | ## </summary> | |
592 | ## <param name="domain"> | |
593 | ## <summary> | |
594 | ## Domain allowed access. | |
595 | ## </summary> | |
596 | ## </param> | |
597 | # | |
598 | interface(`gnome_manage_gconf_config',` | |
599 | gen_require(` | |
600 | type gconf_etc_t; | |
601 | ') | |
602 | ||
603 | allow $1 gconf_etc_t:dir list_dir_perms; | |
604 | manage_files_pattern($1, gconf_etc_t, gconf_etc_t) | |
605 | ') | |
606 | ||
607 | ######################################## | |
608 | ## <summary> | |
609 | ## Execute gconf programs in | |
610 | ## the caller domain. | |
611 | ## </summary> | |
612 | ## <param name="domain"> | |
613 | ## <summary> | |
ab8f919e CP |
614 | ## Domain allowed access. |
615 | ## </summary> | |
616 | ## </param> | |
617 | # | |
3eaa9939 DW |
618 | interface(`gnome_exec_gconf',` |
619 | gen_require(` | |
620 | type gconfd_exec_t; | |
621 | ') | |
622 | ||
623 | can_exec($1, gconfd_exec_t) | |
624 | ') | |
625 | ||
ca9e8850 DW |
626 | ######################################## |
627 | ## <summary> | |
628 | ## Execute gnome keyringd in the caller domain. | |
629 | ## </summary> | |
630 | ## <param name="domain"> | |
631 | ## <summary> | |
632 | ## Domain allowed access. | |
633 | ## </summary> | |
634 | ## </param> | |
635 | # | |
636 | interface(`gnome_exec_keyringd',` | |
637 | gen_require(` | |
638 | type gkeyringd_exec_t; | |
639 | ') | |
640 | ||
641 | can_exec($1, gkeyringd_exec_t) | |
642 | corecmd_search_bin($1) | |
643 | ') | |
644 | ||
3eaa9939 DW |
645 | ######################################## |
646 | ## <summary> | |
647 | ## Read gconf home files | |
648 | ## </summary> | |
649 | ## <param name="domain"> | |
650 | ## <summary> | |
651 | ## Domain allowed access. | |
652 | ## </summary> | |
653 | ## </param> | |
654 | # | |
655 | interface(`gnome_read_gconf_home_files',` | |
656 | gen_require(` | |
657 | type gconf_home_t; | |
658 | type data_home_t; | |
659 | ') | |
660 | ||
78ea2abe | 661 | userdom_search_user_home_dirs($1) |
3eaa9939 DW |
662 | allow $1 gconf_home_t:dir list_dir_perms; |
663 | allow $1 data_home_t:dir list_dir_perms; | |
664 | read_files_pattern($1, gconf_home_t, gconf_home_t) | |
665 | read_files_pattern($1, data_home_t, data_home_t) | |
3d21c02c DW |
666 | read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) |
667 | read_lnk_files_pattern($1, data_home_t, data_home_t) | |
3eaa9939 DW |
668 | ') |
669 | ||
ca9e8850 DW |
670 | ######################################## |
671 | ## <summary> | |
672 | ## Search gkeyringd temporary directories. | |
673 | ## </summary> | |
674 | ## <param name="domain"> | |
675 | ## <summary> | |
676 | ## Domain allowed access. | |
677 | ## </summary> | |
678 | ## </param> | |
679 | # | |
680 | interface(`gnome_search_gkeyringd_tmp_dirs',` | |
681 | gen_require(` | |
682 | type gkeyringd_tmp_t; | |
683 | ') | |
684 | ||
685 | files_search_tmp($1) | |
686 | allow $1 gkeyringd_tmp_t:dir search_dir_perms; | |
687 | ') | |
688 | ||
3eaa9939 DW |
689 | ######################################## |
690 | ## <summary> | |
691 | ## search gconf homedir (.local) | |
692 | ## </summary> | |
aa760a23 | 693 | ## <param name="domain"> |
3eaa9939 | 694 | ## <summary> |
aa760a23 | 695 | ## Domain allowed access. |
3eaa9939 DW |
696 | ## </summary> |
697 | ## </param> | |
698 | # | |
699 | interface(`gnome_search_gconf',` | |
700 | gen_require(` | |
701 | type gconf_home_t; | |
702 | ') | |
703 | ||
704 | allow $1 gconf_home_t:dir search_dir_perms; | |
705 | userdom_search_user_home_dirs($1) | |
706 | ') | |
707 | ||
4251ae10 DW |
708 | ######################################## |
709 | ## <summary> | |
710 | ## Set attributes of Gnome config dirs. | |
711 | ## </summary> | |
712 | ## <param name="domain"> | |
713 | ## <summary> | |
714 | ## Domain allowed access. | |
715 | ## </summary> | |
716 | ## </param> | |
717 | # | |
718 | interface(`gnome_setattr_config_dirs',` | |
719 | gen_require(` | |
720 | type gnome_home_t; | |
721 | ') | |
722 | ||
723 | setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) | |
724 | files_search_home($1) | |
725 | ') | |
726 | ||
ca9e8850 DW |
727 | ######################################## |
728 | ## <summary> | |
729 | ## Manage generic gnome home files. | |
730 | ## </summary> | |
731 | ## <param name="domain"> | |
732 | ## <summary> | |
733 | ## Domain allowed access. | |
734 | ## </summary> | |
735 | ## </param> | |
736 | # | |
737 | interface(`gnome_manage_generic_home_files',` | |
738 | gen_require(` | |
739 | type gnome_home_t; | |
740 | ') | |
741 | ||
742 | userdom_search_user_home_dirs($1) | |
743 | manage_files_pattern($1, gnome_home_t, gnome_home_t) | |
744 | ') | |
745 | ||
746 | ######################################## | |
747 | ## <summary> | |
748 | ## Manage generic gnome home directories. | |
749 | ## </summary> | |
750 | ## <param name="domain"> | |
751 | ## <summary> | |
752 | ## Domain allowed access. | |
753 | ## </summary> | |
754 | ## </param> | |
755 | # | |
756 | interface(`gnome_manage_generic_home_dirs',` | |
757 | gen_require(` | |
758 | type gnome_home_t; | |
759 | ') | |
760 | ||
761 | userdom_search_user_home_dirs($1) | |
762 | allow $1 gnome_home_t:dir manage_dir_perms; | |
763 | ') | |
764 | ||
3eaa9939 DW |
765 | ######################################## |
766 | ## <summary> | |
767 | ## Append gconf home files | |
768 | ## </summary> | |
769 | ## <param name="domain"> | |
770 | ## <summary> | |
771 | ## Domain allowed access. | |
772 | ## </summary> | |
773 | ## </param> | |
774 | # | |
775 | interface(`gnome_append_gconf_home_files',` | |
776 | gen_require(` | |
777 | type gconf_home_t; | |
778 | ') | |
779 | ||
780 | append_files_pattern($1, gconf_home_t, gconf_home_t) | |
781 | ') | |
782 | ||
783 | ######################################## | |
784 | ## <summary> | |
785 | ## manage gconf home files | |
786 | ## </summary> | |
787 | ## <param name="domain"> | |
788 | ## <summary> | |
789 | ## Domain allowed access. | |
790 | ## </summary> | |
791 | ## </param> | |
792 | # | |
793 | interface(`gnome_manage_gconf_home_files',` | |
794 | gen_require(` | |
795 | type gconf_home_t; | |
796 | ') | |
797 | ||
798 | allow $1 gconf_home_t:dir list_dir_perms; | |
799 | manage_files_pattern($1, gconf_home_t, gconf_home_t) | |
800 | ') | |
801 | ||
802 | ######################################## | |
803 | ## <summary> | |
804 | ## Connect to gnome over a unix stream socket. | |
805 | ## </summary> | |
806 | ## <param name="domain"> | |
807 | ## <summary> | |
808 | ## Domain allowed access. | |
809 | ## </summary> | |
810 | ## </param> | |
811 | ## <param name="user_domain"> | |
812 | ## <summary> | |
813 | ## The type of the user domain. | |
814 | ## </summary> | |
815 | ## </param> | |
816 | # | |
817 | interface(`gnome_stream_connect',` | |
818 | gen_require(` | |
819 | attribute gnome_home_type; | |
820 | ') | |
821 | ||
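822 | # Connect to pulseaudio server. NOTE(review): the rule itself is generic; it lets $1 connect to $2 through any socket labeled with a gnome_home_type type. | |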
823 | stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) | |
824 | ') | |
825 | ||
826 | ######################################## | |
827 | ## <summary> | |
2d4a79a0 | 828 | ## list gnome homedir content (.config) |
3eaa9939 | 829 | ## </summary> |
aa760a23 | 830 | ## <param name="domain"> |
3eaa9939 | 831 | ## <summary> |
aa760a23 | 832 | ## Domain allowed access. |
3eaa9939 DW |
833 | ## </summary> |
834 | ## </param> | |
835 | # | |
d15b40a5 | 836 | interface(`gnome_list_home_config',` |
3eaa9939 DW |
837 | gen_require(` |
838 | type config_home_t; | |
839 | ') | |
840 | ||
841 | allow $1 config_home_t:dir list_dir_perms; | |
842 | ') | |
843 | ||
5ef740e5 DW |
844 | ######################################## |
845 | ## <summary> | |
846 | ## Set attributes of gnome homedir content (.config) | |
847 | ## </summary> | |
848 | ## <param name="domain"> | |
849 | ## <summary> | |
850 | ## Domain allowed access. | |
851 | ## </summary> | |
852 | ## </param> | |
853 | # | |
448d2cf1 | 854 | interface(`gnome_setattr_home_config',` |
5ef740e5 DW |
855 | gen_require(` |
856 | type config_home_t; | |
857 | ') | |
858 | ||
859 | setattr_dirs_pattern($1, config_home_t, config_home_t) | |
860 | userdom_search_user_home_dirs($1) | |
861 | ') | |
862 | ||
2d4a79a0 DW |
863 | ######################################## |
864 | ## <summary> | |
865 | ## read gnome homedir content (.config) | |
866 | ## </summary> | |
aa760a23 | 867 | ## <param name="domain"> |
2d4a79a0 | 868 | ## <summary> |
aa760a23 | 869 | ## Domain allowed access. |
2d4a79a0 DW |
870 | ## </summary> |
871 | ## </param> | |
872 | # | |
d15b40a5 | 873 | interface(`gnome_read_home_config',` |
2d4a79a0 DW |
874 | gen_require(` |
875 | type config_home_t; | |
876 | ') | |
877 | ||
b533b084 | 878 | list_dirs_pattern($1, config_home_t, config_home_t) |
2d4a79a0 | 879 | read_files_pattern($1, config_home_t, config_home_t) |
6f93adfa | 880 | read_lnk_files_pattern($1, config_home_t, config_home_t) |
2d4a79a0 DW |
881 | ') |
882 | ||
93b53615 MG |
883 | ####################################### |
884 | ## <summary> | |
885 | ## Delete files in gnome homedir content (.config) | |
886 | ## </summary> | |
887 | ## <param name="domain"> | |
888 | ## <summary> | |
889 | ## Domain allowed access. | |
890 | ## </summary> | |
891 | ## </param> | |
892 | # | |
893 | interface(`gnome_delete_home_config',` | |
894 | gen_require(` | |
895 | type config_home_t; | |
896 | ') | |
897 | ||
898 | delete_files_pattern($1, config_home_t, config_home_t) | |
899 | ') | |
900 | ||
f5b49a5e DW |
901 | ######################################## |
902 | ## <summary> | |
903 | ## Manage files in gnome homedir content (.config) | |
904 | ## </summary> | |
aa760a23 | 905 | ## <param name="domain"> |
f5b49a5e | 906 | ## <summary> |
aa760a23 | 907 | ## Domain allowed access. |
f5b49a5e DW |
908 | ## </summary> |
909 | ## </param> | |
910 | # | |
448d2cf1 | 911 | interface(`gnome_manage_home_config',` |
f5b49a5e DW |
912 | gen_require(` |
913 | type config_home_t; | |
914 | ') | |
915 | ||
916 | manage_files_pattern($1, config_home_t, config_home_t) | |
917 | ') | |
918 | ||
93b53615 MG |
919 | ####################################### |
920 | ## <summary> | |
921 | ## Delete directories in gnome homedir content (.config) | |
922 | ## </summary> | |
923 | ## <param name="domain"> | |
924 | ## <summary> | |
925 | ## Domain allowed access. | |
926 | ## </summary> | |
927 | ## </param> | |
928 | # | |
929 | interface(`gnome_delete_home_config_dirs',` | |
930 | gen_require(` | |
931 | type config_home_t; | |
932 | ') | |
933 | ||
934 | delete_dirs_pattern($1, config_home_t, config_home_t) | |
935 | ') | |
936 | ||
63c324b2 MG |
937 | ######################################## |
938 | ## <summary> | |
939 | ## Manage directories in gnome homedir content (.config) | |
940 | ## </summary> | |
941 | ## <param name="domain"> | |
942 | ## <summary> | |
943 | ## Domain allowed access. | |
944 | ## </summary> | |
945 | ## </param> | |
946 | # | |
947 | interface(`gnome_manage_home_config_dirs',` | |
948 | gen_require(` | |
949 | type config_home_t; | |
950 | ') | |
951 | ||
952 | manage_dirs_pattern($1, config_home_t, config_home_t) | |
953 | ') | |
954 | ||
0b71fec3 DG |
955 | ######################################## |
956 | ## <summary> | |
957 | ## manage gstreamer home content files. | |
958 | ## </summary> | |
959 | ## <param name="domain"> | |
960 | ## <summary> | |
961 | ## Domain allowed access. | |
962 | ## </summary> | |
963 | ## </param> | |
964 | # | |
965 | interface(`gnome_manage_gstreamer_home_files',` | |
966 | gen_require(` | |
967 | type gstreamer_home_t; | |
968 | ') | |
969 | ||
970 | manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) | |
971 | ') | |
972 | ||
3eaa9939 DW |
973 | ######################################## |
974 | ## <summary> | |
975 | ## Read/write inherited files of all gnome home types (gnome_home_type). | |
976 | ## </summary> | |
977 | ## <param name="domain"> | |
978 | ## <summary> | |
979 | ## Domain allowed access. | |
980 | ## </summary> | |
981 | ## </param> | |
982 | # | |
983 | interface(`gnome_rw_inherited_config',` | |
984 | gen_require(` | |
985 | attribute gnome_home_type; | |
986 | ') | |
987 | ||
988 | allow $1 gnome_home_type:file rw_inherited_file_perms; | |
989 | ') | |
990 | ||
991 | ######################################## | |
992 | ## <summary> | |
993 | ## Send and receive messages from | |
994 | ## gconf system service over dbus. | |
995 | ## </summary> | |
996 | ## <param name="domain"> | |
997 | ## <summary> | |
998 | ## Domain allowed access. | |
999 | ## </summary> | |
1000 | ## </param> | |
1001 | # | |
1002 | interface(`gnome_dbus_chat_gconfdefault',` | |
1003 | gen_require(` | |
1004 | type gconfdefaultsm_t; | |
1005 | class dbus send_msg; | |
1006 | ') | |
1007 | ||
1008 | allow $1 gconfdefaultsm_t:dbus send_msg; | |
1009 | allow gconfdefaultsm_t $1:dbus send_msg; | |
1010 | ') | |
ca9e8850 DW |
1011 | |
1012 | ######################################## | |
1013 | ## <summary> | |
1014 | ## Send and receive messages from | |
1015 | ## gkeyringd over dbus. | |
1016 | ## </summary> | |
ca9e8850 DW |
1017 | ## <param name="domain"> |
1018 | ## <summary> | |
1019 | ## Domain allowed access. | |
1020 | ## </summary> | |
1021 | ## </param> | |
1022 | # | |
1023 | interface(`gnome_dbus_chat_gkeyringd',` | |
1024 | gen_require(` | |
31f04122 | 1025 | attribute gkeyringd_domain; |
ca9e8850 DW |
1026 | class dbus send_msg; |
1027 | ') | |
1028 | ||
f80308f9 MG |
1029 | allow $1 gkeyringd_domain:dbus send_msg; |
1030 | allow gkeyringd_domain $1:dbus send_msg; | |
ca9e8850 | 1031 | ') |
31f04122 | 1032 | |
b094d593 DW |
1033 | ######################################## |
1034 | ## <summary> | |
1035 | ## Send signull signal to gkeyringd processes. | |
1036 | ## </summary> | |
1037 | ## <param name="domain"> | |
1038 | ## <summary> | |
1039 | ## Domain allowed access. | |
1040 | ## </summary> | |
1041 | ## </param> | |
1042 | # | |
1043 | interface(`gnome_signull_gkeyringd',` | |
1044 | gen_require(` | |
1045 | attribute gkeyringd_domain; | |
1046 | ') | |
1047 | ||
1048 | allow $1 gkeyringd_domain:process signull; | |
1049 | ') | |
1050 | ||
1051 | ######################################## | |
1052 | ## <summary> | |
1053 | ## Allow the domain to read gkeyringd state files in /proc. | |
1054 | ## </summary> | |
1055 | ## <param name="domain"> | |
1056 | ## <summary> | |
1057 | ## Domain allowed access. | |
1058 | ## </summary> | |
1059 | ## </param> | |
1060 | # | |
1061 | interface(`gnome_read_gkeyringd_state',` | |
1062 | gen_require(` | |
1063 | attribute gkeyringd_domain; | |
1064 | ') | |
1065 | ||
1066 | ps_process_pattern($1, gkeyringd_domain) | |
1067 | ') | |
1068 | ||
ca9e8850 DW |
1069 | ######################################## |
1070 | ## <summary> | |
1071 | ## Create directories in user home directories | |
1072 | ## with the gnome home file type. | |
1073 | ## </summary> | |
1074 | ## <param name="domain"> | |
1075 | ## <summary> | |
1076 | ## Domain allowed access. | |
1077 | ## </summary> | |
1078 | ## </param> | |
1079 | # | |
1080 | interface(`gnome_home_dir_filetrans',` | |
1081 | gen_require(` | |
1082 | type gnome_home_t; | |
1083 | ') | |
1084 | ||
1085 | userdom_user_home_dir_filetrans($1, gnome_home_t, dir) | |
1086 | userdom_search_user_home_dirs($1) | |
1087 | ') | |
a8183914 MG |
1088 | |
1089 | ###################################### | |
1090 | ## <summary> | |
1091 | ## Allow the domain to read kde config content. | |
1092 | ## </summary> | |
1093 | ## <param name="domain"> | |
1094 | ## <summary> | |
1095 | ## Domain allowed access. | |
1096 | ## </summary> | |
1097 | ## </param> | |
1098 | # | |
1099 | interface(`gnome_read_usr_config',` | |
1100 | gen_require(` | |
1101 | type config_usr_t; | |
1102 | ') | |
1103 | ||
1104 | files_search_usr($1) | |
1105 | list_dirs_pattern($1, config_usr_t, config_usr_t) | |
1106 | read_files_pattern($1, config_usr_t, config_usr_t) | |
1107 | read_lnk_files_pattern($1, config_usr_t, config_usr_t) | |
1108 | ') | |
1109 | ||
1110 | ####################################### | |
1111 | ## <summary> | |
1112 | ## Allow the domain to manage kde config content. | |
1113 | ## </summary> | |
1114 | ## <param name="domain"> | |
1115 | ## <summary> | |
1116 | ## Domain allowed access. | |
1117 | ## </summary> | |
1118 | ## </param> | |
1119 | # | |
1120 | interface(`gnome_manage_usr_config',` | |
1121 | gen_require(` | |
1122 | type config_usr_t; | |
1123 | ') | |
1124 | ||
1125 | files_search_usr($1) | |
1126 | manage_dirs_pattern($1, config_usr_t, config_usr_t) | |
1127 | manage_files_pattern($1, config_usr_t, config_usr_t) | |
1128 | manage_lnk_files_pattern($1, config_usr_t, config_usr_t) | |
1129 | ') | |
31f04122 DW |
1130 | |
1131 | ######################################## | |
1132 | ## <summary> | |
1133 | ## Execute gnome-keyring in the user gkeyring domain | |
1134 | ## </summary> | |
1135 | ## <param name="domain"> | |
1136 | ## <summary> | |
1137 | ## Domain allowed access | |
1138 | ## </summary> | |
1139 | ## </param> | |
1140 | ## <param name="role"> | |
1141 | ## <summary> | |
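1142 | ## The role to be allowed the gkeyring domain. NOTE(review): the interface body references only $1, so this parameter is currently unused; confirm the role is authorized for the gkeyring domain elsewhere. | |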
1143 | ## </summary> | |
1144 | ## </param> | |
1145 | # | |
1146 | interface(`gnome_transition_gkeyringd',` | |
1147 | gen_require(` | |
1148 | attribute gkeyringd_domain; | |
1149 | ') | |
1150 | ||
1151 | allow $1 gkeyringd_domain:process transition; | |
1152 | dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh }; | |
1153 | allow gkeyringd_domain $1:process { sigchld signull }; | |
1154 | allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; | |
1155 | ') | |
1156 | ||
15b2e336 DW |
1157 | |
1158 | ######################################## | |
1159 | ## <summary> | |
c181b91f | 1160 | ## Create gnome content in the user home directory |
15b2e336 DW |
1161 | ## with the correct label. |
1162 | ## </summary> | |
1163 | ## <param name="domain"> | |
1164 | ## <summary> | |
1165 | ## Domain allowed access. | |
1166 | ## </summary> | |
1167 | ## </param> | |
1168 | # | |
a11cc065 | 1169 | interface(`gnome_filetrans_home_content',` |
15b2e336 DW |
1170 | |
1171 | gen_require(` | |
1172 | type config_home_t; | |
1173 | type cache_home_t; | |
1174 | type gstreamer_home_t; | |
1175 | type gconf_home_t; | |
1176 | type gnome_home_t; | |
290e6f41 | 1177 | type data_home_t, icc_data_home_t; |
15b2e336 DW |
1178 | type gkeyringd_gnome_home_t; |
1179 | ') | |
1180 | ||
c181b91f | 1181 | userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config") |
26a75b33 DW |
1182 | userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") |
1183 | userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine") | |
1184 | userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") | |
1185 | userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde") | |
1186 | userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") | |
1187 | userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") | |
1188 | userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local") | |
1189 | userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") | |
1190 | userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") | |
1191 | userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") | |
290e6f41 DG |
1192 | # ~/.color/icc: legacy |
1193 | userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc") | |
26a75b33 DW |
1194 | filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") |
1195 | filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") | |
290e6f41 | 1196 | filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc") |
bf587d64 | 1197 | userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf") |
15b2e336 DW |
1198 | ') |
1199 | ||
1200 | ######################################## | |
1201 | ## <summary> | |
1202 | ## Create gnome directory in the /root directory | |
1203 | ## with an correct label. | |
1204 | ## </summary> | |
1205 | ## <param name="domain"> | |
1206 | ## <summary> | |
1207 | ## Domain allowed access. | |
1208 | ## </summary> | |
1209 | ## </param> | |
1210 | # | |
a11cc065 | 1211 | interface(`gnome_filetrans_admin_home_content',` |
15b2e336 DW |
1212 | |
1213 | gen_require(` | |
1214 | type config_home_t; | |
1215 | type cache_home_t; | |
1216 | type gstreamer_home_t; | |
1217 | type gconf_home_t; | |
1218 | type gnome_home_t; | |
290e6f41 | 1219 | type icc_data_home_t; |
15b2e336 DW |
1220 | ') |
1221 | ||
26a75b33 DW |
1222 | userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") |
1223 | userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine") | |
1224 | userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache") | |
1225 | userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde") | |
1226 | userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") | |
1227 | userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") | |
1228 | userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local") | |
1229 | userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") | |
1230 | userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") | |
1231 | userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") | |
290e6f41 DG |
1232 | # /root/.color/icc: legacy |
1233 | userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc") | |
15b2e336 | 1234 | ') |
98d519e9 | 1235 | |
3a7aacc9 MG |
1236 | ###################################### |
1237 | ## <summary> | |
1238 | ## Execute gnome-keyring executable | |
1239 | ## in the specified domain. | |
1240 | ## </summary> | |
1241 | ## <desc> | |
1242 | ## <p> | |
1243 | ## Execute the gnome-keyring executable | |
1244 | ## in the specified domain. This allows | |
1245 | ## the specified domain to execute files | |
1246 | ## labeled gkeyringd_exec_t in the specified | |
1247 | ## target domain. | |
1248 | ## </p> | |
1249 | ## <p> | |
1250 | ## No interprocess communication (signals, pipes, | |
1251 | ## etc.) is provided by this interface since | |
1252 | ## the domains are not owned by this module. | |
1253 | ## </p> | |
1254 | ## <p> | |
1255 | ## This interface was added to handle | |
1256 | ## the ssh-agent policy. | |
1257 | ## </p> | |
1258 | ## </desc> | |
1259 | ## <param name="domain"> | |
1260 | ## <summary> | |
1261 | ## Domain allowed to transition. | |
1262 | ## </summary> | |
1263 | ## </param> | |
1264 | ## <param name="target_domain"> | |
1265 | ## <summary> | |
1266 | ## The type of the new process. | |
1267 | ## </summary> | |
1268 | ## </param> | |
1269 | # | |
1270 | interface(`gnome_command_domtrans_gkeyringd', ` | |
1271 | gen_require(` | |
1272 | type gkeyringd_exec_t; | |
1273 | ') | |
1274 | ||
1275 | allow $2 gkeyringd_exec_t:file entrypoint; | |
1276 | domain_transition_pattern($1, gkeyringd_exec_t, $2) | |
1277 | type_transition $1 gkeyringd_exec_t:process $2; | |
1278 | ') |