[people/stevee/selinux-policy.git] / policy / modules / apps / gnome.te

policy_module(gnome, 2.0.1)

##############################
#
# Declarations
#

attribute gnomedomain;
attribute gnome_home_type;

type gconf_etc_t;
files_config_file(gconf_etc_t)

type data_home_t, gnome_home_type;
userdom_user_home_content(data_home_t)

type config_home_t, gnome_home_type;
userdom_user_home_content(config_home_t)

type cache_home_t, gnome_home_type;
userdom_user_home_content(cache_home_t)

type gstreamer_home_t, gnome_home_type;
userdom_user_home_content(gstreamer_home_t)

type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
userdom_user_home_content(gconf_home_t)

type gconf_tmp_t;
typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
files_tmp_file(gconf_tmp_t)
ubac_constrained(gconf_tmp_t)

type gconfd_t, gnomedomain;
type gconfd_exec_t;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)

type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)

type gconfdefaultsm_t;
type gconfdefaultsm_exec_t;
dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)

type gnomesystemmm_t;
type gnomesystemmm_exec_t;
dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)

##############################
#
# Local Policy
#

allow gconfd_t self:process getsched;
allow gconfd_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)

manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })

allow gconfd_t gconf_etc_t:dir list_dir_perms;
read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)

dev_read_urand(gconfd_t)

files_read_etc_files(gconfd_t)

miscfiles_read_localization(gconfd_t)

logging_send_syslog_msg(gconfd_t)

userdom_manage_user_tmp_sockets(gconfd_t)
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)

optional_policy(`
	nscd_dontaudit_search_pid(gconfd_t)
')

optional_policy(`
	xserver_use_xdm_fds(gconfd_t)
	xserver_rw_xdm_pipes(gconfd_t)
')

tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_dirs(gconfdefaultsm_t)
        fs_manage_nfs_files(gconfdefaultsm_t)
')

tunable_policy(`use_samba_home_dirs',`
        fs_manage_cifs_dirs(gconfdefaultsm_t)
        fs_manage_cifs_files(gconfdefaultsm_t)
')

#######################################
#
# gconf-defaults-mechanisms local policy
#

allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
allow gconfdefaultsm_t self:process getsched;
allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;

corecmd_search_bin(gconfdefaultsm_t)

files_read_etc_files(gconfdefaultsm_t)
files_read_usr_files(gconfdefaultsm_t)

miscfiles_read_localization(gconfdefaultsm_t)

gnome_manage_gconf_home_files(gconfdefaultsm_t)
gnome_manage_gconf_config(gconfdefaultsm_t)

userdom_read_all_users_state(gconfdefaultsm_t)
userdom_search_user_home_dirs(gconfdefaultsm_t)

userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)

optional_policy(`
        consolekit_dbus_chat(gconfdefaultsm_t)
')

optional_policy(`
        nscd_dontaudit_search_pid(gconfdefaultsm_t)
')

optional_policy(`
        policykit_domtrans_auth(gconfdefaultsm_t)
        policykit_dbus_chat(gconfdefaultsm_t)
        policykit_read_lib(gconfdefaultsm_t)
        policykit_read_reload(gconfdefaultsm_t)
')

#######################################
#
# gnome-system-monitor-mechanisms local policy
#

allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;

corecmd_search_bin(gnomesystemmm_t)

domain_kill_all_domains(gnomesystemmm_t)
domain_search_all_domains_state(gnomesystemmm_t)
domain_setpriority_all_domains(gnomesystemmm_t)
domain_signal_all_domains(gnomesystemmm_t)
domain_sigstop_all_domains(gnomesystemmm_t)

files_read_etc_files(gnomesystemmm_t)
files_read_usr_files(gnomesystemmm_t)

miscfiles_read_localization(gnomesystemmm_t)

userdom_read_all_users_state(gnomesystemmm_t)
userdom_dontaudit_search_admin_dir(gnomesystemmm_t)

optional_policy(`
        consolekit_dbus_chat(gnomesystemmm_t)
')

optional_policy(`
        nscd_dontaudit_search_pid(gnomesystemmm_t)
')

optional_policy(`
        policykit_dbus_chat(gnomesystemmm_t)
        policykit_domtrans_auth(gnomesystemmm_t)
        policykit_read_lib(gnomesystemmm_t)
        policykit_read_reload(gnomesystemmm_t)
')
Commit	Line	Data
ab8f919e	1	policy_module(gnome, 2.0.1)
00219064 CP	2
	3	##############################
	4	#
	5	# Declarations
	6	#
	7
6b19be33	8	attribute gnomedomain;
3eaa9939	9	attribute gnome_home_type;
6b19be33	10
00219064	11	type gconf_etc_t;
ab8f919e	12	files_config_file(gconf_etc_t)
00219064	13
3eaa9939 DW	14	type data_home_t, gnome_home_type;
	15	userdom_user_home_content(data_home_t)
	16
	17	type config_home_t, gnome_home_type;
	18	userdom_user_home_content(config_home_t)
	19
	20	type cache_home_t, gnome_home_type;
	21	userdom_user_home_content(cache_home_t)
	22
	23	type gstreamer_home_t, gnome_home_type;
	24	userdom_user_home_content(gstreamer_home_t)
	25
	26	type gconf_home_t, gnome_home_type;
296273a7 CP	27	typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
296273a7 CP	28	typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
ab8f919e	29	typealias gconf_home_t alias unconfined_gconf_home_t;
296273a7 CP	30	userdom_user_home_content(gconf_home_t)
	31
	32	type gconf_tmp_t;
	33	typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
	34	typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
ab8f919e	35	typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
296273a7 CP	36	files_tmp_file(gconf_tmp_t)
	37	ubac_constrained(gconf_tmp_t)
	38
	39	type gconfd_t, gnomedomain;
00219064	40	type gconfd_exec_t;
296273a7 CP	41	typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
	42	typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
	43	application_domain(gconfd_t, gconfd_exec_t)
	44	ubac_constrained(gconfd_t)
	45
3eaa9939	46	type gnome_home_t, gnome_home_type;
296273a7 CP	47	typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
296273a7 CP	48	typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
ab8f919e	49	typealias gnome_home_t alias unconfined_gnome_home_t;
296273a7 CP	50	userdom_user_home_content(gnome_home_t)
296273a7 CP	51
3eaa9939 DW	52	type gconfdefaultsm_t;
	53	type gconfdefaultsm_exec_t;
	54	dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
	55
	56	type gnomesystemmm_t;
	57	type gnomesystemmm_exec_t;
	58	dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
	59
296273a7 CP	60	##############################
	61	#
	62	# Local Policy
	63	#
	64
	65	allow gconfd_t self:process getsched;
	66	allow gconfd_t self:fifo_file rw_fifo_file_perms;
	67
	68	manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
	69	manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
	70	userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
	71
	72	manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
	73	manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
	74	userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
	75
	76	allow gconfd_t gconf_etc_t:dir list_dir_perms;
	77	read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
	78
	79	dev_read_urand(gconfd_t)
	80
	81	files_read_etc_files(gconfd_t)
	82
	83	miscfiles_read_localization(gconfd_t)
	84
	85	logging_send_syslog_msg(gconfd_t)
	86
	87	userdom_manage_user_tmp_sockets(gconfd_t)
	88	userdom_manage_user_tmp_dirs(gconfd_t)
	89	userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
	90
	91	optional_policy(`
	92	nscd_dontaudit_search_pid(gconfd_t)
	93	')
	94
	95	optional_policy(`
	96	xserver_use_xdm_fds(gconfd_t)
	97	xserver_rw_xdm_pipes(gconfd_t)
	98	')
3eaa9939 DW	99
	100	tunable_policy(`use_nfs_home_dirs',`
	101	fs_manage_nfs_dirs(gconfdefaultsm_t)
	102	fs_manage_nfs_files(gconfdefaultsm_t)
	103	')
	104
	105	tunable_policy(`use_samba_home_dirs',`
	106	fs_manage_cifs_dirs(gconfdefaultsm_t)
	107	fs_manage_cifs_files(gconfdefaultsm_t)
	108	')
	109
	110	#######################################
	111	#
	112	# gconf-defaults-mechanisms local policy
	113	#
	114
	115	allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
	116	allow gconfdefaultsm_t self:process getsched;
	117	allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
	118
	119	corecmd_search_bin(gconfdefaultsm_t)
	120
	121	files_read_etc_files(gconfdefaultsm_t)
	122	files_read_usr_files(gconfdefaultsm_t)
	123
	124	miscfiles_read_localization(gconfdefaultsm_t)
	125
	126	gnome_manage_gconf_home_files(gconfdefaultsm_t)
	127	gnome_manage_gconf_config(gconfdefaultsm_t)
	128
	129	userdom_read_all_users_state(gconfdefaultsm_t)
	130	userdom_search_user_home_dirs(gconfdefaultsm_t)
	131
	132	userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
	133
	134	optional_policy(`
	135	consolekit_dbus_chat(gconfdefaultsm_t)
	136	')
	137
	138	optional_policy(`
	139	nscd_dontaudit_search_pid(gconfdefaultsm_t)
	140	')
	141
	142	optional_policy(`
	143	policykit_domtrans_auth(gconfdefaultsm_t)
	144	policykit_dbus_chat(gconfdefaultsm_t)
	145	policykit_read_lib(gconfdefaultsm_t)
	146	policykit_read_reload(gconfdefaultsm_t)
	147	')
	148
	149	#######################################
	150	#
	151	# gnome-system-monitor-mechanisms local policy
	152	#
	153
	154	allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
	155	allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
	156
	157	corecmd_search_bin(gnomesystemmm_t)
	158
	159	domain_kill_all_domains(gnomesystemmm_t)
	160	domain_search_all_domains_state(gnomesystemmm_t)
	161	domain_setpriority_all_domains(gnomesystemmm_t)
	162	domain_signal_all_domains(gnomesystemmm_t)
163	domain_sigstop_all_domains(gnomesystemmm_t)
164
165	files_read_etc_files(gnomesystemmm_t)
166	files_read_usr_files(gnomesystemmm_t)
167
168	miscfiles_read_localization(gnomesystemmm_t)
169
170	userdom_read_all_users_state(gnomesystemmm_t)
171	userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
172
173	optional_policy(`
174	consolekit_dbus_chat(gnomesystemmm_t)
175	')
176
177	optional_policy(`
178	nscd_dontaudit_search_pid(gnomesystemmm_t)
179	')
180
181	optional_policy(`
182	policykit_dbus_chat(gnomesystemmm_t)
183	policykit_domtrans_auth(gnomesystemmm_t)
184	policykit_read_lib(gnomesystemmm_t)
185	policykit_read_reload(gnomesystemmm_t)
186	')