## <summary>GNU network object model environment (GNOME)</summary>
2
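########################################
## <summary>
##	Role access for gnome: let a user role run gconfd in the
##	gconfd_t domain and act as a client of it.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`gnome_role',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	role $1 types gconfd_t;

	# gconfd is spawned from the user domain; it keeps the user's
	# inherited descriptors and answers over the user's pipe/socket.
	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
	allow gconfd_t $2:fd use;
	allow gconfd_t $2:fifo_file write;
	allow gconfd_t $2:unix_stream_socket connectto;

	ps_process_pattern($2, gconfd_t)

	# Client side (read gconf_tmp_t, connectto gconfd_t). These are
	# exactly the rules gnome_stream_connect_gconf() grants, so reuse
	# it rather than carrying a second copy here.
	gnome_stream_connect_gconf($2)
')
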
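######################################
## <summary>
##	The role template for the gnome-keyring-daemon: derives a
##	per-user $1_gkeyringd_t domain, lets the user domain start
##	it, manage its home/tmp content and talk to it over dbus.
## </summary>
## <param name="user_prefix">
##	<summary>
##	The user prefix.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
interface(`gnome_role_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		attribute gnome_domain;
		type gnome_home_t;
		type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
		class dbus send_msg;
	')

	type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
	ubac_constrained($1_gkeyringd_t)
	domain_user_exemption_target($1_gkeyringd_t)

	role $2 types $1_gkeyringd_t;

	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)

	# The user domain owns the on-disk keyrings and the socket dir.
	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };

	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	# Programs the daemon executes run as the caller's user domain.
	# Use the domain the caller passed ($3) instead of assuming it is
	# named $1_t; for the conventional call ($3 == $1_t) this is the
	# same rule, but it no longer depends on the naming scheme.
	corecmd_bin_domtrans($1_gkeyringd_t, $3)
	corecmd_shell_domtrans($1_gkeyringd_t, $3)
	allow $1_gkeyringd_t $3:process sigkill;
	allow $3 $1_gkeyringd_t:fd use;
	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;

	ps_process_pattern($1_gkeyringd_t, $3)

	auth_use_nsswitch($1_gkeyringd_t)

	ps_process_pattern($3, $1_gkeyringd_t)
	# NOTE(review): ptrace lets the user domain read the daemon's
	# memory, which is where unlocked keyring secrets live. If this
	# policy declares a deny_ptrace tunable, gate the ptrace part
	# behind it; otherwise consider dropping ptrace and keeping only
	# signal_perms.
	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };

	dontaudit $3 gkeyringd_exec_t:file entrypoint;

	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)

	allow $1_gkeyringd_t $3:dbus send_msg;
	allow $3 $1_gkeyringd_t:dbus send_msg;
	optional_policy(`
		dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
		dbus_session_bus_client($1_gkeyringd_t)
		gnome_home_dir_filetrans($1_gkeyringd_t)
		gnome_manage_generic_home_dirs($1_gkeyringd_t)

		optional_policy(`
			telepathy_mission_control_read_state($1_gkeyringd_t)
		')
	')
')
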
########################################
## <summary>
##	Client access to gconfd: read gconf_tmp_t content and
##	connect to gconfd_t over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
	allow $1 gconfd_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket.
##	The target is the gkeyringd_domain attribute, so the caller
##	may connect to every user's keyring daemon, not only its own;
##	the rules are identical to gnome_stream_connect_all_gkeyringd().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	# search on gconf_tmp_t is presumably needed to reach the socket
	# path — confirm against the file contexts in gnome.fc
	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Connect to all gkeyringd domains with a unix stream socket
##	(every domain carrying the gkeyringd_domain attribute).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	# search on gconf_tmp_t is presumably needed to reach the socket
	# path — confirm against the file contexts in gnome.fc
	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Execute gconfd with a domain transition to gconfd_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Dontaudit reading gnome homedir content (.config).
##	Only the dir class is covered; file reads are still audited.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')

########################################
## <summary>
##	Dontaudit searching gnome homedir content (.config).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	dontaudit $1 gnome_home_type:dir search_dir_perms;
')

########################################
## <summary>
##	Manage gnome homedir content (.config): dirs, files and
##	symlinks of every type carrying gnome_home_type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# NOTE(review): this is attribute-wide. If gkeyringd_gnome_home_t
	# is a gnome_home_type (check gnome.te), it includes the on-disk
	# keyring files, so grant this only to domains that truly need it.
	allow $1 gnome_home_type:dir manage_dir_perms;
	allow $1 gnome_home_type:file manage_file_perms;
	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Send general signals to all gnome domains (every domain
##	carrying gnome_domain, gkeyringd domains included).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signal_all',`
	gen_require(`
		attribute gnome_domain;
	')

	allow $1 gnome_domain:process signal;
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_cache_filetrans',`
	gen_require(`
		type cache_home_t;
	')

	filetrans_pattern($1, cache_home_t, $2, $3, $4)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	read_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of the cache home dir (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
	gen_require(`
		type cache_home_t;
	')

	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Append to generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	append_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Write to generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	write_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Dontaudit read/write of inherited generic cache home
##	files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_rw_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Read gnome homedir content (.config): list dirs, read files
##	and symlinks of every gnome_home_type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Unlike gnome_manage_config(), no search of the user home dir
	# is granted here; callers need that separately.
	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
	read_files_pattern($1, gnome_home_type, gnome_home_type)
	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Create objects in a Gnome data home directory (data_home_t)
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans',`
	gen_require(`
		type data_home_t;
	')

	filetrans_pattern($1, data_home_t, $2, $3, $4)
	gnome_search_gconf($1)
')

#######################################
## <summary>
##	Read generic data home files (data_home_t), searching through
##	gconf_home_t and data_home_t dirs to reach them.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_data_home_files',`
	gen_require(`
		type data_home_t, gconf_home_t;
	')

	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
')

#######################################
## <summary>
##	Manage gnome data home content (data_home_t): dirs, files
##	and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_data',`
	gen_require(`
		type data_home_t;
		type gconf_home_t;
	')

	# data_home_t lives below gconf_home_t (see the "share" transition
	# in gnome_filetrans_home_content), hence the search.
	allow $1 gconf_home_t:dir search_dir_perms;
	manage_dirs_pattern($1, data_home_t, data_home_t)
	manage_files_pattern($1, data_home_t, data_home_t)
	manage_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Read icc data home content (icc_data_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_icc_data_content',`
	gen_require(`
		type icc_data_home_t, gconf_home_t, data_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
')

########################################
## <summary>
##	Read inherited icc data home files (no search/open access).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_inherited_home_icc_data_files',`
	gen_require(`
		type icc_data_home_t;
	')

	allow $1 icc_data_home_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')

########################################
## <summary>
##	Do not audit attempts to read
##	inherited gconf config files (gconf_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
	gen_require(`
		type gconf_etc_t;
	')

	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Read system gconf config files (gconf_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	allow $1 gconf_etc_t:dir list_dir_perms;
	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
	files_search_etc($1)
')

#######################################
## <summary>
##	Manage system gconf config files (gconf_etc_t). This is
##	system-wide configuration shared by all users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	# No files_search_etc() here, unlike gnome_read_gconf_config();
	# callers reach the dir some other way or add it themselves.
	allow $1 gconf_etc_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
')

########################################
## <summary>
##	Execute gconf programs in
##	the caller domain (no domain transition).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	# Note: no corecmd_search_bin(), unlike gnome_exec_keyringd().
	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Execute gnome keyringd in the caller domain
##	(no domain transition).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_keyringd',`
	gen_require(`
		type gkeyringd_exec_t;
	')

	can_exec($1, gkeyringd_exec_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Read gconf home files and data home files
##	(gconf_home_t and data_home_t), including symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir list_dir_perms;
	allow $1 data_home_t:dir list_dir_perms;
	read_files_pattern($1, gconf_home_t, gconf_home_t)
	read_files_pattern($1, data_home_t, data_home_t)
	read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
	read_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Search gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gkeyringd_tmp_dirs',`
	gen_require(`
		type gkeyringd_tmp_t;
	')

	files_search_tmp($1)
	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
')

########################################
## <summary>
##	Search the gconf homedir (gconf_home_t, e.g. .local).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir search_dir_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of Gnome config dirs (gnome_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	# Only /home itself is searched here (files_search_home), not the
	# user home dir as the other interfaces in this file grant.
	files_search_home($1)
')

########################################
## <summary>
##	Manage generic gnome home files (gnome_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_files',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, gnome_home_t, gnome_home_t)
')

########################################
## <summary>
##	Manage generic gnome home directories (gnome_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Append to gconf home files (gconf_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	append_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Manage gconf home files (gconf_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Connect to a socket file located in gnome home content
##	(any gnome_home_type) whose listener is the given domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the domain listening on the socket.
##	</summary>
## </param>
#
interface(`gnome_stream_connect',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Originally added for a pulseaudio server socket kept under the
	# gnome home dir; $2 is whatever domain the caller says listens.
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')

########################################
## <summary>
##	List gnome homedir content (.config, config_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_list_home_config',`
	gen_require(`
		type config_home_t;
	')

	allow $1 config_home_t:dir list_dir_perms;
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config) dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_home_config',`
	gen_require(`
		type config_home_t;
	')

	setattr_dirs_pattern($1, config_home_t, config_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read gnome homedir content (.config, config_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_config',`
	gen_require(`
		type config_home_t;
	')

	list_dirs_pattern($1, config_home_t, config_home_t)
	read_files_pattern($1, config_home_t, config_home_t)
	read_lnk_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gnome homedir content (.config) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_home_config',`
	gen_require(`
		type config_home_t;
	')

	manage_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_home_config_dirs',`
	gen_require(`
		type config_home_t;
	')

	manage_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gstreamer home content files (gstreamer_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gstreamer_home_files',`
	gen_require(`
		type gstreamer_home_t;
	')

	manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
')

########################################
## <summary>
##	Read/write all inherited gnome home config files
##	(every gnome_home_type; no open/search access).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	allow $1 gnome_home_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Send and receive messages from the
##	gconf defaults system service (gconfdefaultsm_t) over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
	gen_require(`
		type gconfdefaultsm_t;
		class dbus send_msg;
	')

	allow $1 gconfdefaultsm_t:dbus send_msg;
	allow gconfdefaultsm_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	all gkeyringd domains over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		class dbus send_msg;
	')

	# Attribute-wide: every user's keyring daemon, not only the
	# caller's own.
	allow $1 gkeyringd_domain:dbus send_msg;
	allow gkeyringd_domain $1:dbus send_msg;
')

########################################
## <summary>
##	Send the signull signal to gkeyringd processes
##	(existence check only).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signull_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	allow $1 gkeyringd_domain:process signull;
')

########################################
## <summary>
##	Allow the domain to read gkeyringd state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gkeyringd_state',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	ps_process_pattern($1, gkeyringd_domain)
')

########################################
## <summary>
##	Create directories in user home directories
##	with the gnome home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_home_dir_filetrans',`
	gen_require(`
		type gnome_home_t;
	')

	# No filename: every directory the domain creates directly in the
	# user home dir becomes gnome_home_t. Prefer the named transitions
	# in gnome_filetrans_home_content() where the name is known.
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
	userdom_search_user_home_dirs($1)
')

######################################
## <summary>
##	Read config_usr_t content under /usr (presumably
##	/usr/share/config, as used by KDE and nsplugin).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	files_search_usr($1)
	list_dirs_pattern($1, config_usr_t, config_usr_t)
	read_files_pattern($1, config_usr_t, config_usr_t)
	read_lnk_files_pattern($1, config_usr_t, config_usr_t)
')

#######################################
## <summary>
##	Manage config_usr_t content under /usr (presumably
##	/usr/share/config). This is system-wide configuration
##	shared by all users; reserve it for installer/admin domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	files_search_usr($1)
	manage_dirs_pattern($1, config_usr_t, config_usr_t)
	manage_files_pattern($1, config_usr_t, config_usr_t)
	manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
')

########################################
## <summary>
##	Allow a manual process transition into any gkeyringd domain
##	(no type_transition or entrypoint is set up here; the exec
##	side must come from elsewhere, e.g.
##	gnome_command_domtrans_gkeyringd()).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the gkeyring domain.
##	</summary>
## </param>
#
interface(`gnome_transition_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	allow $1 gkeyringd_domain:process transition;
	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
	allow gkeyringd_domain $1:process { sigchld signull };
	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Create gnome content in the user home directory
##	with the correct label (named file transitions).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_home_content',`

gen_require(`
	type config_home_t;
	type cache_home_t;
	type gstreamer_home_t;
	type gconf_home_t;
	type gnome_home_t;
	type data_home_t, icc_data_home_t;
	type gkeyringd_gnome_home_t;
')

	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# ~/.color/icc: legacy
	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
	# Keyring files only get their private label under gnome_home_t
	# (~/.gnome2/keyrings). NOTE(review): newer gnome-keyring stores
	# them under ~/.local/share/keyrings (data_home_t); confirm whether
	# a matching transition on data_home_t is needed so keyrings do
	# not end up as plain data_home_t.
	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
	# dconf's runtime dir under the user tmp dir gets config_home_t
	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
')

########################################
## <summary>
##	Create gnome directories in the /root directory
##	with the correct label (named file transitions).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_admin_home_content',`

gen_require(`
	type config_home_t;
	type cache_home_t;
	type gstreamer_home_t;
	type gconf_home_t;
	type gnome_home_t;
	type icc_data_home_t;
')

	# Unlike gnome_filetrans_home_content(), there is no ".config"
	# transition here, nor "keyrings"/"share" sub-transitions; /root
	# gnome content other than the names below keeps the admin home
	# label. Confirm this is intended before adding them.
	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# /root/.color/icc: legacy
	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
')

######################################
## <summary>
##	Execute the gnome-keyring executable
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute the gnome-keyring executable (gkeyringd_exec_t)
##	in the specified domain. The target domain gets
##	entrypoint on gkeyringd_exec_t, and executing it from
##	the source domain transitions into the target domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`gnome_command_domtrans_gkeyringd', `
	gen_require(`
		type gkeyringd_exec_t;
	')

	allow $2 gkeyringd_exec_t:file entrypoint;
	domain_transition_pattern($1, gkeyringd_exec_t, $2)
	type_transition $1 gkeyringd_exec_t:process $2;
')