## <summary>GNU network object model environment (GNOME)</summary>

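########################################
## <summary>
##	Role access for gnome
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`gnome_role',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	role $1 types gconfd_t;

	# domain_auto_trans is the lower-level transition macro. The fd/fifo
	# rules that follow are a subset of what domtrans_pattern would grant
	# (it also adds sigchld and fifo read), so the macro is deliberately
	# not swapped to avoid widening the grant.
	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
	allow gconfd_t $2:fd use;
	allow gconfd_t $2:fifo_file write;
	allow gconfd_t $2:unix_stream_socket connectto;

	ps_process_pattern($2, gconfd_t)

	# Previously an inline copy of gnome_stream_connect_gconf (read of
	# gconf_tmp_t files plus connectto on gconfd_t); calling the sibling
	# interface keeps the two from drifting apart.
	gnome_stream_connect_gconf($2)
')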

######################################
## <summary>
##	The role template for the gnome-keyring-daemon.
## </summary>
## <param name="user_prefix">
##	<summary>
##	The user prefix.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
interface(`gnome_role_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		attribute gnomedomain;
		# gnome_home_t is not referenced directly in this body.
		type gnome_home_t;
		type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
		class dbus send_msg;
	')

	# One keyring domain per user prefix (e.g. staff_gkeyringd_t); the
	# alias keeps the older gkeyringd_<prefix>_t spelling resolvable.
	type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
	ubac_constrained($1_gkeyringd_t)
	domain_user_exemption_target($1_gkeyringd_t)

	# NOTE(review): presumably makes the keyring daemon a manager of all
	# user home content, not just gkeyringd_gnome_home_t -- confirm that
	# breadth is intended.
	userdom_home_manager($1_gkeyringd_t)

	role $2 types $1_gkeyringd_t;

	# The user domain ($3) launches the daemon and, below, gets relabel
	# and manage rights over the daemon's home and tmp objects.
	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)

	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };

	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	# NOTE(review): these transition back into $1_t, derived from the
	# prefix, while every other rule uses the $3 user domain; the two only
	# coincide when callers pass $3 == $1_t -- confirm against callers.
	corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
	corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
	allow $1_gkeyringd_t $3:process sigkill;
	allow $3 $1_gkeyringd_t:fd use;
	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;

	ps_process_pattern($1_gkeyringd_t, $3)

	auth_use_nsswitch($1_gkeyringd_t)

	ps_process_pattern($3, $1_gkeyringd_t)
	allow $3 $1_gkeyringd_t:process signal_perms;
	dontaudit $3 gkeyringd_exec_t:file entrypoint;

	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)

	# Bidirectional dbus messaging between the user domain and its daemon.
	allow $1_gkeyringd_t $3:dbus send_msg;
	allow $3 $1_gkeyringd_t:dbus send_msg;
	optional_policy(`
		dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
		dbus_session_bus_client($1_gkeyringd_t)
		gnome_home_dir_filetrans($1_gkeyringd_t)
		gnome_manage_generic_home_dirs($1_gkeyringd_t)
		gnome_read_generic_data_home_files($1_gkeyringd_t)
	')
')

########################################
## <summary>
##	Connect to gconfd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t;
		type gconf_tmp_t;
	')

	# connectto on the daemon plus read access to its tmp content,
	# presumably where the socket lives.
	allow $1 gconfd_t:unix_stream_socket connectto;
	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t, gconf_tmp_t;
	')

	# The target is the gkeyringd_domain attribute, i.e. every per-user
	# keyring domain; this body is identical to
	# gnome_stream_connect_all_gkeyringd.
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
	allow $1 gconf_tmp_t:dir search_dir_perms;
')

########################################
## <summary>
##	Connect to all gkeyringd domains with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t, gconf_tmp_t;
	')

	# Same rules as gnome_stream_connect_gkeyringd; both address the
	# attribute, so neither is narrower than the other.
	allow $1 gconf_tmp_t:dir search_dir_perms;
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	# Full transition pattern (exec, entrypoint, fd/fifo, sigchld);
	# no role change is made here, see gnome_role for that.
	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Dontaudit read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# NOTE(review): a file permission set is applied to the dir class;
	# presumably the dir read set was meant. Only audit is suppressed,
	# nothing is granted.
	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
')

########################################
## <summary>
##	Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Covers every type carrying gnome_home_type, not a single directory type.
	dontaudit $1 gnome_home_type:dir search_dir_perms;
')

########################################
## <summary>
##	Dontaudit write gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_write_config_files',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Only the write permission on files is silenced; open/append attempts
	# are still audited.
	dontaudit $1 gnome_home_type:file write;
')

########################################
## <summary>
##	Manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	userdom_search_user_home_dirs($1)

	# NOTE(review): the attribute spans every gnome home type in this
	# module; callers get manage rights on all of them, so review who
	# calls this rather than a per-type interface.
	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
	allow $1 gnome_home_type:file manage_file_perms;
	allow $1 gnome_home_type:dir manage_dir_perms;
')

########################################
## <summary>
##	Send general signals to all gnome domains
##	(the gnomedomain attribute, which includes
##	the per-user gkeyringd domains).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signal_all',`
	gen_require(`
		attribute gnomedomain;
	')

	allow $1 gnomedomain:process signal;
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_cache_filetrans',`
	gen_require(`
		type cache_home_t;
	')

	# $4 is the optional object name for a named transition.
	filetrans_pattern($1, cache_home_t, $2, $3, $4)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Create objects in a Gnome config home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_config_filetrans',`
	gen_require(`
		type config_home_t;
	')

	# $4 is the optional object name for a named transition.
	filetrans_pattern($1, config_home_t, $2, $3, $4)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	# Search of the user home dir is needed to reach ~/.cache at all.
	userdom_search_user_home_dirs($1)
	read_files_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Append to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	append_files_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	write_files_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Dontaudit read/write to generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_rw_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	# Inherited descriptors only (no open); typical for a leaked fd.
	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Read-only access to every type carrying gnome_home_type:
	# directory listing, file contents and symlinks.
	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
	read_files_pattern($1, gnome_home_type, gnome_home_type)
	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Create objects in a Gnome data home directory
##	(data_home_t, the "share" directory under the
##	gconf home) with an automatic type transition
##	to a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans',`
	gen_require(`
		type data_home_t;
	')

	# $4 is the optional object name for a named transition.
	filetrans_pattern($1, data_home_t, $2, $3, $4)
	# data_home_t is created beneath gconf_home_t (see
	# gnome_filetrans_home_content), so that parent must be searchable.
	gnome_search_gconf($1)
')

#######################################
## <summary>
##	Read generic data home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_data_home_files',`
	gen_require(`
		type data_home_t, gconf_home_t;
	')

	# Search on both gconf_home_t and data_home_t because the data dir
	# is nested under the gconf home; file read on data_home_t only.
	# No user home search is granted here, unlike the cache variants.
	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
')

#######################################
## <summary>
##	Manage gconf data home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_data',`
	gen_require(`
		type data_home_t, gconf_home_t;
	')

	# Full management of data home content (dirs, files, symlinks);
	# the enclosing gconf home dir only needs to be searchable.
	manage_lnk_files_pattern($1, data_home_t, data_home_t)
	manage_files_pattern($1, data_home_t, data_home_t)
	manage_dirs_pattern($1, data_home_t, data_home_t)
	allow $1 gconf_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read icc data home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_icc_data_content',`
	gen_require(`
		type icc_data_home_t;
		type gconf_home_t, data_home_t;
	')

	# Read-only access to icc content; the path down from the user home
	# (home dir, gconf home, data home) is made searchable.
	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read inherited icc data home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_inherited_home_icc_data_files',`
	gen_require(`
		type icc_data_home_t;
	')

	# Inherited descriptors only; no open and no directory search,
	# so the caller cannot locate these files itself.
	allow $1 icc_data_home_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	# Unnamed transition: any object of class $2 created directly in the
	# admin home dir gets gconf_home_t.
	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')

########################################
## <summary>
##	Do not audit attempts to read
##	inherited gconf config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
	gen_require(`
		type gconf_etc_t;
	')

	# gconf_etc_t is the system-wide (etc) gconf config type, not home content.
	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Read gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	# Path: search /etc, list the gconf config dirs, read the files.
	files_search_etc($1)
	allow $1 gconf_etc_t:dir list_dir_perms;
	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
')
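
#######################################
## <summary>
##	Manage gconf config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	# Search of /etc added for consistency with gnome_read_gconf_config;
	# without it a caller could manage the files but not reach them.
	files_search_etc($1)
	# Directories are only listed, so callers cannot create subdirectories.
	allow $1 gconf_etc_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
')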

########################################
## <summary>
##	Execute gconf programs in
##	the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	# No domain transition: gconfd runs with the caller's own label.
	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Execute gnome keyringd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_keyringd',`
	gen_require(`
		type gkeyringd_exec_t;
	')

	# Locate the binary, then execute it without a domain transition.
	corecmd_search_bin($1)
	can_exec($1, gkeyringd_exec_t)
')

########################################
## <summary>
##	Read gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
	gen_require(`
		type gconf_home_t, data_home_t;
	')

	userdom_search_user_home_dirs($1)

	# gconf home: list dirs, read files and symlinks.
	allow $1 gconf_home_t:dir list_dir_perms;
	read_files_pattern($1, gconf_home_t, gconf_home_t)
	read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)

	# data home, nested under the gconf home: same read set.
	allow $1 data_home_t:dir list_dir_perms;
	read_files_pattern($1, data_home_t, data_home_t)
	read_lnk_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Search gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gkeyringd_tmp_dirs',`
	gen_require(`
		type gkeyringd_tmp_t;
	')

	# Search only, no listing: enough to traverse to a known socket path.
	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
	files_search_tmp($1)
')

########################################
## <summary>
##	Search gconf homedir (.local)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Set attributes of Gnome config dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	# NOTE(review): every sibling interface in this file uses
	# userdom_search_user_home_dirs for the path to home content;
	# files_search_home is presumably narrower -- confirm it suffices.
	files_search_home($1)
')

########################################
## <summary>
##	Manage generic gnome home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_files',`
	gen_require(`
		type gnome_home_t;
	')

	# Files only; directory management is gnome_manage_generic_home_dirs.
	manage_files_pattern($1, gnome_home_t, gnome_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Manage generic gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	# Directories only; file management is gnome_manage_generic_home_files.
	allow $1 gnome_home_t:dir manage_dir_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Append gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	# No user home search is granted here; callers must already reach
	# the gconf home dir by other means.
	append_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Manage gconf home files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	# Directories are listed but not managed; files get full management.
	allow $1 gconf_home_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Connect to gnome over an unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
interface(`gnome_stream_connect',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Connect to a socket labelled with any gnome home type, with $2 as
	# the listening domain (the previous comment mentioned a pulseaudio
	# server, which this rule does not reference).
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')

########################################
## <summary>
##	List gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_list_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Listing only; reading files is gnome_read_home_config.
	allow $1 config_home_t:dir list_dir_perms;
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Same setattr rule as gnome_setattr_home_config_dirs, plus the
	# user home search needed to reach ~/.config.
	userdom_search_user_home_dirs($1)
	setattr_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Read-only: symlinks, files and directory listings of ~/.config.
	read_lnk_files_pattern($1, config_home_t, config_home_t)
	read_files_pattern($1, config_home_t, config_home_t)
	list_dirs_pattern($1, config_home_t, config_home_t)
')

#######################################
## <summary>
##	Delete gnome homedir content files (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_delete_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Files only; see gnome_delete_home_config_dirs for directories.
	delete_files_pattern($1, config_home_t, config_home_t)
')

#######################################
## <summary>
##	Set attributes of gnome homedir content dirs (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_home_config_dirs',`
	gen_require(`
		type config_home_t;
	')

	# Identical rule to gnome_setattr_home_config minus the user home
	# search; callers must already be able to reach ~/.config.
	setattr_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gnome homedir content files (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_home_config',`
	gen_require(`
		type config_home_t;
	')

	# Files only; see gnome_manage_home_config_dirs for directories.
	manage_files_pattern($1, config_home_t, config_home_t)
')

#######################################
## <summary>
##	Delete gnome homedir content dirs (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_delete_home_config_dirs',`
	gen_require(`
		type config_home_t;
	')

	# Directories only; see gnome_delete_home_config for files.
	delete_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gnome homedir content dirs (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_home_config_dirs',`
	gen_require(`
		type config_home_t;
	')

	# Directories only; see gnome_manage_home_config for files.
	manage_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gstreamer home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gstreamer_home_files',`
	gen_require(`
		type gstreamer_home_t;
	')

	# Files only; no directory management and no user home search.
	manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
')

########################################
## <summary>
##	Read/Write all inherited gnome home config
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Inherited descriptors only (no open) on every gnome home type.
	allow $1 gnome_home_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	gconf system service over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
	gen_require(`
		class dbus send_msg;
		type gconfdefaultsm_t;
	')

	# Messages flow in both directions between $1 and the service.
	allow gconfdefaultsm_t $1:dbus send_msg;
	allow $1 gconfdefaultsm_t:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	gkeyringd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gkeyringd',`
	gen_require(`
		class dbus send_msg;
		attribute gkeyringd_domain;
	')

	# Both directions, against every per-user keyring domain.
	allow gkeyringd_domain $1:dbus send_msg;
	allow $1 gkeyringd_domain:dbus send_msg;
')

########################################
## <summary>
##	Send signull signal to gkeyringd processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signull_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# signull only (existence check), no other signals.
	allow $1 gkeyringd_domain:process signull;
')

########################################
## <summary>
##	Allow the domain to read gkeyringd state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gkeyringd_state',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	ps_process_pattern($1, gkeyringd_domain)
')

########################################
## <summary>
##	Create directories in user home directories
##	with the gnome home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_home_dir_filetrans',`
	gen_require(`
		type gnome_home_t;
	')

	# Unnamed transition: every new dir in the user home dir gets
	# gnome_home_t unless a more specific named transition applies.
	userdom_search_user_home_dirs($1)
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
')

########################################
## <summary>
##	Execute gnome-keyring in the user gkeyring domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the gkeyring domain.
##	</summary>
## </param>
#
interface(`gnome_transition_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
	')

	# Process-side transition rules only: no exec/entrypoint on
	# gkeyringd_exec_t and no type_transition are granted here, so this
	# presumably pairs with gnome_command_domtrans_gkeyringd.
	# NOTE(review): the documented "role" parameter is never used.
	allow $1 gkeyringd_domain:process transition;
	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
	allow gkeyringd_domain $1:process { sigchld signull };
	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Create gnome content in the user home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_home_content',`

	gen_require(`
		type config_home_t;
		type cache_home_t;
		type gstreamer_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type data_home_t, icc_data_home_t;
		type gkeyringd_gnome_home_t;
	')

	# Named transitions directly under the user home dir.
	# NOTE(review): each basename must match the on-disk name exactly or
	# the transition silently never fires -- confirm ".gstreamer-10" and
	# ".gstreamer-12" against the directories the applications create.
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# ~/.color/icc: legacy
	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
	# Nested transitions: ~/.gnome2/keyrings, ~/.local/share and
	# ~/.local/share/icc, given the parent labels assigned above.
	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
	# NOTE(review): a tmp-resident "dconf" dir receives the home config
	# type config_home_t -- confirm that is intended.
	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
')

########################################
## <summary>
##	Create gnome directory in the /root directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_filetrans_admin_home_content',`

	gen_require(`
		type config_home_t;
		type cache_home_t;
		type gstreamer_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type icc_data_home_t;
	')

	# Admin (/root) counterpart of gnome_filetrans_home_content.
	# NOTE(review): unlike the user variant there is no ".config" dir
	# transition and no nested keyrings/share transitions -- confirm
	# whether /root/.config is meant to stay unlabelled by this module.
	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# /root/.color/icc: legacy
	# NOTE(review): this rule fires for "icc" created directly in the
	# admin home dir, not under .color as the comment says; the user
	# variant uses a home-content transition instead -- confirm intent.
	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
')

######################################
## <summary>
##	Execute gnome-keyring executable
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute the gnome-keyring executable
##	in the specified domain. This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`gnome_command_domtrans_gkeyringd', `
	gen_require(`
		type gkeyringd_exec_t;
	')

	# The caller supplies the target domain ($2); only the exec-side
	# rules (entrypoint, transition, automatic type_transition) live here.
	allow $2 gkeyringd_exec_t:file entrypoint;
	domain_transition_pattern($1, gkeyringd_exec_t, $2)
	type_transition $1 gkeyringd_exec_t:process $2;
')