## <summary>GNU network object model environment (GNOME)</summary>

###########################################################
## <summary>
##	Role access for gnome
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`gnome_role',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
		type gconf_tmp_t;
	')

	role $1 types gconfd_t;

	# $2 enters gconfd_t when it executes gconfd_exec_t; gconfd_t may then
	# use descriptors inherited from $2, write $2's pipes and connect back
	# to $2's unix stream sockets.
	# NOTE(review): this is the older domain_auto_trans form, while the rest
	# of this file uses domtrans_pattern (see gnome_domtrans_gconfd); confirm
	# the two are equivalent here before unifying them.
	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
	allow gconfd_t $2:fd use;
	allow gconfd_t $2:fifo_file write;
	allow gconfd_t $2:unix_stream_socket connectto;

	# $2 can see gconfd_t processes (ps_process_pattern)
	ps_process_pattern($2, gconfd_t)

	#gnome_stream_connect_gconf_template($1, $2)
	# the two rules below duplicate the body of gnome_stream_connect_gconf($2)
	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
	allow $2 gconfd_t:unix_stream_socket connectto;
')

######################################
## <summary>
##	The role template for the gnome-keyring-daemon.
## </summary>
## <param name="user_prefix">
##	<summary>
##	The user prefix.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
interface(`gnome_role_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		attribute gnome_domain;
		type gnome_home_t;
		type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
		class dbus send_msg;
	')

	# one keyring daemon domain per user prefix: gkeyringd_$1_t
	# (gnome_home_t is required above but not referenced below)
	type gkeyringd_$1_t, gnome_domain, gkeyringd_domain;
	application_domain(gkeyringd_$1_t, gkeyringd_exec_t)
	ubac_constrained(gkeyringd_$1_t)

	role $2 types gkeyringd_$1_t;

	# $3 enters gkeyringd_$1_t when it executes gkeyringd_exec_t
	domtrans_pattern($3, gkeyringd_exec_t, gkeyringd_$1_t)

	# the user domain fully owns (manage + relabel) the daemon's home
	# content and its tmp directory / sockets
	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };

	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	# programs the daemon runs from bin/shell locations execute in the
	# user domain $1_t instead of staying in the keyring domain
	corecmd_bin_domtrans(gkeyringd_$1_t, $1_t)
	corecmd_shell_domtrans(gkeyringd_$1_t, $1_t)
	allow gkeyringd_$1_t $3:process sigkill;
	allow $3 gkeyringd_$1_t:fd use;
	allow $3 gkeyringd_$1_t:fifo_file rw_fifo_file_perms;

	ps_process_pattern(gkeyringd_$1_t, $3)

	ps_process_pattern($3, gkeyringd_$1_t)
	# NOTE(review): ptrace lets $3 read and control the keyring daemon's
	# memory; given what this daemon holds, confirm ptrace is actually
	# required here and not just signal_perms.
	allow $3 gkeyringd_$1_t:process { ptrace signal_perms };

	dontaudit $3 gkeyringd_exec_t:file entrypoint;

	# user domain connects to the daemon's socket in gkeyringd_tmp_t
	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_$1_t)

	# dbus traffic in both directions between user and daemon
	allow gkeyringd_$1_t $3:dbus send_msg;
	allow $3 gkeyringd_$1_t:dbus send_msg;
	optional_policy(`
		dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t)
		dbus_session_bus_client(gkeyringd_$1_t)
		gnome_home_dir_filetrans(gkeyringd_$1_t)
		gnome_manage_generic_home_dirs(gkeyringd_$1_t)

		optional_policy(`
			telepathy_mission_control_read_state(gkeyringd_$1_t)
		')
	')
')

########################################
## <summary>
##	gconf connection template.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	# read gconfd's tmp files, then connect to gconfd's unix stream socket
	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
	allow $1 gconfd_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket.
## </summary>
## <param name="role_prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	# NOTE(review): the XML above documents $1 as a role prefix and $2 as
	# the domain, but both rules below use $1 as the domain and $2 is never
	# referenced (compare gnome_dbus_chat_gkeyringd, which uses $2). Check
	# the callers to decide whether the doc or the rules are wrong.
	# The body is also identical to gnome_stream_connect_all_gkeyringd, and
	# gkeyringd_domain already covers every keyring daemon domain.
	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket.
## </summary>
## <param name="role_prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
	')

	# NOTE(review): $1 is documented as a role prefix but used as the
	# domain; $2 is never referenced. The body is identical to
	# gnome_stream_connect_gkeyringd -- one of the two is redundant.
	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	# $1 transitions to gconfd_t when it executes gconfd_exec_t
	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Dontaudit read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# NOTE(review): a file permission set applied to the dir class; only
	# directory reads across the gnome_home_type attribute are silenced,
	# not reads of the files beneath them -- confirm that is intended.
	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')

########################################
## <summary>
##	Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# silence search denials on every type carrying gnome_home_type
	dontaudit $1 gnome_home_type:dir search_dir_perms;
')

########################################
## <summary>
##	manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# full manage on dirs, files and symlinks of every type carrying the
	# gnome_home_type attribute, plus search into the user home dir
	allow $1 gnome_home_type:dir manage_dir_perms;
	allow $1 gnome_home_type:file manage_file_perms;
	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Send general signals to all gconf domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signal_all',`
	gen_require(`
		attribute gnome_domain;
	')

	# generic signal only (not sigkill/sigstop), to every gnome_domain type
	allow $1 gnome_domain:process signal;
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_cache_filetrans',`
	gen_require(`
		type cache_home_t;
	')

	# objects of class $3 that $1 creates inside cache_home_t get type $2
	filetrans_pattern($1, cache_home_t, $2, $3)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	# read-only on files under cache_home_t; search into the home dir
	read_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
	gen_require(`
		type cache_home_t;
	')

	# setattr on cache_home_t directories only, no file access
	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	append to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	# append-only on files under cache_home_t (no read, no truncate)
	append_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	# write on existing files under cache_home_t; creation is not granted
	write_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# list, read and follow symlinks across every gnome_home_type type;
	# unlike gnome_manage_config, no search into the user home dir is
	# granted here -- the caller needs that separately
	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
	read_files_pattern($1, gnome_home_type, gnome_home_type)
	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Create objects in a Gnome gconf home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans',`
	gen_require(`
		type data_home_t;
	')

	# objects of class $3 that $1 creates inside data_home_t get type $2;
	# gnome_search_gconf (this file) adds search on gconf_home_t and $HOME
	filetrans_pattern($1, data_home_t, $2, $3)
	gnome_search_gconf($1)
')

#######################################
## <summary>
##	Manage gconf data home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_data',`
	gen_require(`
		type data_home_t;
		type gconf_home_t;
	')

	# search through gconf_home_t to reach data_home_t, then full manage
	# on data_home_t dirs, files and symlinks; no $HOME search is granted
	allow $1 gconf_home_t:dir search_dir_perms;
	manage_dirs_pattern($1, data_home_t, data_home_t)
	manage_files_pattern($1, data_home_t, data_home_t)
	manage_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	# objects of class $2 that $1 creates in the admin home dir get gconf_home_t
	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')

########################################
## <summary>
##	read gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	# list + read gconf_etc_t; files_search_etc is needed to reach it under /etc
	allow $1 gconf_etc_t:dir list_dir_perms;
	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
	files_search_etc($1)
')

#######################################
## <summary>
##	Manage gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	# files are managed, but the gconf_etc_t dirs themselves are only
	# listable; unlike gnome_read_gconf_config no /etc search is granted
	allow $1 gconf_etc_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
')

########################################
## <summary>
##	Execute gconf programs in
##	the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	# no domain transition: $1 stays in its own domain (see
	# gnome_domtrans_gconfd for the transitioning variant)
	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Execute gnome keyringd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_keyringd',`
	gen_require(`
		type gkeyringd_exec_t;
	')

	# no domain transition: $1 runs the binary in its own domain
	can_exec($1, gkeyringd_exec_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Read gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	# read-only over both gconf_home_t and data_home_t, with $HOME search
	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir list_dir_perms;
	allow $1 data_home_t:dir list_dir_perms;
	read_files_pattern($1, gconf_home_t, gconf_home_t)
	read_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Search gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gkeyringd_tmp_dirs',`
	gen_require(`
		type gkeyringd_tmp_t;
	')

	# search only; no connect to the sockets kept there
	files_search_tmp($1)
	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
')

########################################
## <summary>
##	search gconf homedir (.local)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	# search (not list) on gconf_home_t plus search into the user home dir
	allow $1 gconf_home_t:dir search_dir_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Set attributes of Gnome config dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	# setattr on gnome_home_t dirs; note this uses files_search_home where
	# the sibling interfaces use userdom_search_user_home_dirs
	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	files_search_home($1)
')

########################################
## <summary>
##	Manage generic gnome home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_files',`
	gen_require(`
		type gnome_home_t;
	')

	# files only; directory management is gnome_manage_generic_home_dirs
	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, gnome_home_t, gnome_home_t)
')

########################################
## <summary>
##	Manage generic gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	# directories only; file management is gnome_manage_generic_home_files
	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Append gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	# append-only; unlike gnome_read_gconf_home_files no $HOME search is
	# granted here, so the caller must already be able to reach the dir
	append_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	manage gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	# files are fully managed; the gconf_home_t dirs are only listable
	allow $1 gconf_home_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Connect to gnome over an unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
interface(`gnome_stream_connect',`
	gen_require(`
		attribute gnome_home_type;
	')

	# $1 connects to unix stream sockets labelled with any gnome_home_type
	# type on which $2 (the user domain) is listening
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')

########################################
## <summary>
##	list gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_list_home_config',`
	gen_require(`
		type config_home_t;
	')

	# list config_home_t dirs only; no file access and no $HOME search
	allow $1 config_home_t:dir list_dir_perms;
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): declared with template( although it only takes a domain
# and declares no types; the sibling definitions in this file use
# interface(. Confirm which form is intended.
template(`gnome_setattr_home_config',`
	gen_require(`
		type config_home_t;
	')

	setattr_dirs_pattern($1, config_home_t, config_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_config',`
	gen_require(`
		type config_home_t;
	')

	# list, read and follow symlinks under config_home_t; no $HOME search
	list_dirs_pattern($1, config_home_t, config_home_t)
	read_files_pattern($1, config_home_t, config_home_t)
	read_lnk_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): declared with template( although it only takes a domain
# and declares no types (see also gnome_setattr_home_config).
template(`gnome_manage_home_config',`
	gen_require(`
		type config_home_t;
	')

	# files only; no dir permissions are granted here, unlike gnome_manage_config
	manage_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Read/Write all inherited gnome home config
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# read/write on already-open descriptors only: no open permission, so
	# $1 cannot reach these files on its own
	allow $1 gnome_home_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	gconf system service over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
	gen_require(`
		type gconfdefaultsm_t;
		class dbus send_msg;
	')

	# dbus messages in both directions between $1 and gconfdefaultsm_t
	allow $1 gconfdefaultsm_t:dbus send_msg;
	allow gconfdefaultsm_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	gkeyringd over dbus.
## </summary>
## <param name="role_prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		class dbus send_msg;
	')

	# $1 (role prefix) is not referenced: the gkeyringd_domain attribute
	# already covers every per-user keyring daemon domain, so $2 can chat
	# with all of them, not only its own prefix's
	allow $2 gkeyringd_domain:dbus send_msg;
	allow gkeyringd_domain $2:dbus send_msg;
')

########################################
## <summary>
##	Create directories in user home directories
##	with the gnome home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_home_dir_filetrans',`
	gen_require(`
		type gnome_home_t;
	')

	# dirs $1 creates directly in the user home dir are labelled gnome_home_t
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
	userdom_search_user_home_dirs($1)
')

######################################
## <summary>
##	Allow read kde config content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	# NOTE(review): the summary says kde, the type is config_usr_t --
	# confirm the wording matches what config_usr_t actually labels
	files_search_usr($1)
	list_dirs_pattern($1, config_usr_t, config_usr_t)
	read_files_pattern($1, config_usr_t, config_usr_t)
	read_lnk_files_pattern($1, config_usr_t, config_usr_t)
')

#######################################
## <summary>
##	Allow manage kde config content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_usr_config',`
	gen_require(`
		type config_usr_t;
	')

	# full manage on config_usr_t dirs, files and symlinks under /usr
	files_search_usr($1)
	manage_dirs_pattern($1, config_usr_t, config_usr_t)
	manage_files_pattern($1, config_usr_t, config_usr_t)
	manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
')

########################################
## <summary>
##	Execute gnome-keyring in the user gkeyring domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the gkeyring domain.
##	</summary>
## </param>
#
interface(`gnome_transition_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# NOTE(review): $2 (role) is documented but never referenced, so no
	# role statement is emitted here; callers must grant the role
	# elsewhere (e.g. gnome_role_gkeyringd) or the transition cannot occur.
	# Only the process-side transition rules are given: there is no
	# entrypoint/execute rule on gkeyringd_exec_t in this interface.
	allow $1 gkeyringd_domain:process transition;
	# silence the inheritance checks performed at transition time
	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
	allow gkeyringd_domain $1:process { sigchld signull };
	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
')
