[people/stevee/selinux-policy.git] / policy / modules / apps / gnome.te

policy_module(gnome, 2.1.0)

##############################
#
# Declarations
#

attribute gnomedomain;
attribute gnome_home_type;
attribute gkeyringd_domain;

type gconf_etc_t;
files_config_file(gconf_etc_t)

type data_home_t, gnome_home_type;
userdom_user_home_content(data_home_t)

type config_home_t, gnome_home_type;
userdom_user_home_content(config_home_t)

type cache_home_t, gnome_home_type;
userdom_user_home_content(cache_home_t)

type gstreamer_home_t, gnome_home_type;
userdom_user_home_content(gstreamer_home_t)

type icc_data_home_t, gnome_home_type;
userdom_user_home_content(icc_data_home_t)

type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
userdom_user_home_content(gconf_home_t)

type gconf_tmp_t;
typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
files_tmp_file(gconf_tmp_t)
ubac_constrained(gconf_tmp_t)

type gconfd_t, gnomedomain;
type gconfd_exec_t;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)

type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)

# type KDE /usr/share/config files
type config_usr_t;
files_type(config_usr_t)

type gkeyringd_exec_t;
corecmd_executable_file(gkeyringd_exec_t)

type gkeyringd_gnome_home_t;
userdom_user_home_content(gkeyringd_gnome_home_t)

type gkeyringd_tmp_t;
userdom_user_tmp_content(gkeyringd_tmp_t)

type gconfdefaultsm_t;
type gconfdefaultsm_exec_t;
dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)

type gnomesystemmm_t;
type gnomesystemmm_exec_t;
dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)

##############################
#
# Local Policy
#

allow gconfd_t self:process getsched;
allow gconfd_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)

manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })

allow gconfd_t gconf_etc_t:dir list_dir_perms;
read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)

dev_read_urand(gconfd_t)

files_read_etc_files(gconfd_t)

miscfiles_read_localization(gconfd_t)

logging_send_syslog_msg(gconfd_t)

userdom_manage_user_tmp_sockets(gconfd_t)
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)

optional_policy(`
	nscd_dontaudit_search_pid(gconfd_t)
')

optional_policy(`
	xserver_use_xdm_fds(gconfd_t)
	xserver_rw_xdm_pipes(gconfd_t)
')

#######################################
#
# gconf-defaults-mechanisms local policy
#

allow gconfdefaultsm_t self:capability { dac_override sys_nice };
allow gconfdefaultsm_t self:process getsched;
allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;

corecmd_search_bin(gconfdefaultsm_t)

files_read_etc_files(gconfdefaultsm_t)
files_read_usr_files(gconfdefaultsm_t)

miscfiles_read_localization(gconfdefaultsm_t)

gnome_manage_gconf_home_files(gconfdefaultsm_t)
gnome_manage_gconf_config(gconfdefaultsm_t)

userdom_read_all_users_state(gconfdefaultsm_t)
userdom_search_user_home_dirs(gconfdefaultsm_t)

userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)

optional_policy(`
	consolekit_dbus_chat(gconfdefaultsm_t)
')

optional_policy(`
	nscd_dontaudit_search_pid(gconfdefaultsm_t)
')

optional_policy(`
	policykit_domtrans_auth(gconfdefaultsm_t)
	policykit_dbus_chat(gconfdefaultsm_t)
	policykit_read_lib(gconfdefaultsm_t)
	policykit_read_reload(gconfdefaultsm_t)
')

userdom_home_manager(gconfdefaultsm_t)

#######################################
#
# gnome-system-monitor-mechanisms local policy
#

allow gnomesystemmm_t self:capability sys_nice;
allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;

kernel_read_system_state(gnomesystemmm_t)

corecmd_search_bin(gnomesystemmm_t)

domain_kill_all_domains(gnomesystemmm_t)
domain_search_all_domains_state(gnomesystemmm_t)
domain_setpriority_all_domains(gnomesystemmm_t)
domain_signal_all_domains(gnomesystemmm_t)
domain_sigstop_all_domains(gnomesystemmm_t)

files_read_etc_files(gnomesystemmm_t)
files_read_usr_files(gnomesystemmm_t)

fs_getattr_xattr_fs(gnomesystemmm_t)

miscfiles_read_localization(gnomesystemmm_t)

userdom_read_all_users_state(gnomesystemmm_t)
userdom_dontaudit_search_admin_dir(gnomesystemmm_t)

optional_policy(`
	consolekit_dbus_chat(gnomesystemmm_t)
')

optional_policy(`
	nscd_dontaudit_search_pid(gnomesystemmm_t)
')

optional_policy(`
	policykit_dbus_chat(gnomesystemmm_t)
	policykit_domtrans_auth(gnomesystemmm_t)
	policykit_read_lib(gnomesystemmm_t)
	policykit_read_reload(gnomesystemmm_t)
')

######################################
#
# gnome-keyring-daemon local policy
#

allow gkeyringd_domain self:capability ipc_lock;
allow gkeyringd_domain self:process { getcap getsched setcap signal };
allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };

userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)

manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)

manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)

kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)

corecmd_search_bin(gkeyringd_domain)

dev_read_rand(gkeyringd_domain)
dev_read_urand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)

files_read_etc_files(gkeyringd_domain)
files_read_usr_files(gkeyringd_domain)
# for nscd?
files_search_pids(gkeyringd_domain)

fs_getattr_xattr_fs(gkeyringd_domain)
fs_getattr_tmpfs(gkeyringd_domain)

selinux_getattr_fs(gkeyringd_domain)

logging_send_syslog_msg(gkeyringd_domain)

miscfiles_read_localization(gkeyringd_domain)

optional_policy(`
	xserver_append_xdm_home_files(gkeyringd_domain)
	xserver_read_xdm_home_files(gkeyringd_domain)
	xserver_use_xdm_fds(gkeyringd_domain)
')

optional_policy(`
	gnome_read_home_config(gkeyringd_domain)
	gnome_read_generic_cache_files(gkeyringd_domain)
	gnome_write_generic_cache_files(gkeyringd_domain)
')

optional_policy(`
	ssh_read_user_home_files(gkeyringd_domain)
')

domain_use_interactive_fds(gnomedomain)

userdom_use_inherited_user_terminals(gnomedomain)
Commit	Line	Data
826d0142	1	policy_module(gnome, 2.1.0)
00219064 CP	2
	3	##############################
	4	#
	5	# Declarations
	6	#
	7
b34d0dd0	8	attribute gnomedomain;
3eaa9939	9	attribute gnome_home_type;
efa04715	10	attribute gkeyringd_domain;
6b19be33	11
00219064	12	type gconf_etc_t;
ab8f919e	13	files_config_file(gconf_etc_t)
00219064	14
3eaa9939 DW	15	type data_home_t, gnome_home_type;
	16	userdom_user_home_content(data_home_t)
	17
	18	type config_home_t, gnome_home_type;
	19	userdom_user_home_content(config_home_t)
	20
	21	type cache_home_t, gnome_home_type;
	22	userdom_user_home_content(cache_home_t)
	23
	24	type gstreamer_home_t, gnome_home_type;
	25	userdom_user_home_content(gstreamer_home_t)
	26
290e6f41 DG	27	type icc_data_home_t, gnome_home_type;
	28	userdom_user_home_content(icc_data_home_t)
	29
3eaa9939	30	type gconf_home_t, gnome_home_type;
296273a7 CP	31	typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
296273a7 CP	32	typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
ab8f919e	33	typealias gconf_home_t alias unconfined_gconf_home_t;
296273a7 CP	34	userdom_user_home_content(gconf_home_t)
	35
	36	type gconf_tmp_t;
	37	typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
	38	typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
ab8f919e	39	typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
296273a7 CP	40	files_tmp_file(gconf_tmp_t)
	41	ubac_constrained(gconf_tmp_t)
	42
b34d0dd0	43	type gconfd_t, gnomedomain;
00219064	44	type gconfd_exec_t;
296273a7 CP	45	typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
	46	typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
	47	application_domain(gconfd_t, gconfd_exec_t)
	48	ubac_constrained(gconfd_t)
	49
3eaa9939	50	type gnome_home_t, gnome_home_type;
296273a7 CP	51	typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
296273a7 CP	52	typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
ab8f919e	53	typealias gnome_home_t alias unconfined_gnome_home_t;
296273a7 CP	54	userdom_user_home_content(gnome_home_t)
296273a7 CP	55
a8183914 MG	56	# type KDE /usr/share/config files
	57	type config_usr_t;
	58	files_type(config_usr_t)
	59
ca9e8850	60	type gkeyringd_exec_t;
efa04715	61	corecmd_executable_file(gkeyringd_exec_t)
ca9e8850 DW	62
	63	type gkeyringd_gnome_home_t;
	64	userdom_user_home_content(gkeyringd_gnome_home_t)
	65
	66	type gkeyringd_tmp_t;
	67	userdom_user_tmp_content(gkeyringd_tmp_t)
	68
3eaa9939 DW	69	type gconfdefaultsm_t;
	70	type gconfdefaultsm_exec_t;
	71	dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
	72
	73	type gnomesystemmm_t;
	74	type gnomesystemmm_exec_t;
	75	dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
	76
296273a7 CP	77	##############################
	78	#
	79	# Local Policy
	80	#
	81
	82	allow gconfd_t self:process getsched;
	83	allow gconfd_t self:fifo_file rw_fifo_file_perms;
	84
	85	manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
	86	manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
	87	userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
	88
	89	manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
	90	manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
	91	userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
	92
	93	allow gconfd_t gconf_etc_t:dir list_dir_perms;
	94	read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
	95
	96	dev_read_urand(gconfd_t)
	97
	98	files_read_etc_files(gconfd_t)
	99
	100	miscfiles_read_localization(gconfd_t)
	101
	102	logging_send_syslog_msg(gconfd_t)
	103
	104	userdom_manage_user_tmp_sockets(gconfd_t)
	105	userdom_manage_user_tmp_dirs(gconfd_t)
	106	userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
	107
	108	optional_policy(`
	109	nscd_dontaudit_search_pid(gconfd_t)
	110	')
	111
	112	optional_policy(`
	113	xserver_use_xdm_fds(gconfd_t)
	114	xserver_rw_xdm_pipes(gconfd_t)
	115	')
3eaa9939	116
3eaa9939 DW	117	#######################################
	118	#
	119	# gconf-defaults-mechanisms local policy
	120	#
	121
995bdbb1	122	allow gconfdefaultsm_t self:capability { dac_override sys_nice };
3eaa9939 DW	123	allow gconfdefaultsm_t self:process getsched;
	124	allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
	125
	126	corecmd_search_bin(gconfdefaultsm_t)
	127
	128	files_read_etc_files(gconfdefaultsm_t)
	129	files_read_usr_files(gconfdefaultsm_t)
	130
	131	miscfiles_read_localization(gconfdefaultsm_t)
	132
	133	gnome_manage_gconf_home_files(gconfdefaultsm_t)
	134	gnome_manage_gconf_config(gconfdefaultsm_t)
	135
	136	userdom_read_all_users_state(gconfdefaultsm_t)
	137	userdom_search_user_home_dirs(gconfdefaultsm_t)
	138
	139	userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
	140
	141	optional_policy(`
1c0528ed	142	consolekit_dbus_chat(gconfdefaultsm_t)
3eaa9939 DW	143	')
	144
	145	optional_policy(`
1c0528ed	146	nscd_dontaudit_search_pid(gconfdefaultsm_t)
3eaa9939 DW	147	')
	148
	149	optional_policy(`
1c0528ed DG	150	policykit_domtrans_auth(gconfdefaultsm_t)
	151	policykit_dbus_chat(gconfdefaultsm_t)
	152	policykit_read_lib(gconfdefaultsm_t)
	153	policykit_read_reload(gconfdefaultsm_t)
3eaa9939 DW	154	')
3eaa9939 DW	155
ed2ac112	156	userdom_home_manager(gconfdefaultsm_t)
ca9e8850	157
3eaa9939 DW	158	#######################################
	159	#
	160	# gnome-system-monitor-mechanisms local policy
	161	#
	162
995bdbb1	163	allow gnomesystemmm_t self:capability sys_nice;
3eaa9939 DW	164	allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
3eaa9939 DW	165
453a4bec MG	166	kernel_read_system_state(gnomesystemmm_t)
453a4bec MG	167
3eaa9939 DW	168	corecmd_search_bin(gnomesystemmm_t)
	169
	170	domain_kill_all_domains(gnomesystemmm_t)
	171	domain_search_all_domains_state(gnomesystemmm_t)
	172	domain_setpriority_all_domains(gnomesystemmm_t)
	173	domain_signal_all_domains(gnomesystemmm_t)
	174	domain_sigstop_all_domains(gnomesystemmm_t)
	175
	176	files_read_etc_files(gnomesystemmm_t)
	177	files_read_usr_files(gnomesystemmm_t)
	178
fcd9ffac MG	179	fs_getattr_xattr_fs(gnomesystemmm_t)
fcd9ffac MG	180
3eaa9939 DW	181	miscfiles_read_localization(gnomesystemmm_t)
	182
	183	userdom_read_all_users_state(gnomesystemmm_t)
	184	userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
	185
	186	optional_policy(`
1c0528ed	187	consolekit_dbus_chat(gnomesystemmm_t)
3eaa9939 DW	188	')
	189
	190	optional_policy(`
1c0528ed	191	nscd_dontaudit_search_pid(gnomesystemmm_t)
3eaa9939 DW	192	')
	193
	194	optional_policy(`
1c0528ed DG	195	policykit_dbus_chat(gnomesystemmm_t)
	196	policykit_domtrans_auth(gnomesystemmm_t)
	197	policykit_read_lib(gnomesystemmm_t)
	198	policykit_read_reload(gnomesystemmm_t)
3eaa9939	199	')
ca9e8850	200
efa04715 MG	201	######################################
	202	#
	203	# gnome-keyring-daemon local policy
	204	#
ca9e8850	205
efa04715	206	allow gkeyringd_domain self:capability ipc_lock;
1c0528ed	207	allow gkeyringd_domain self:process { getcap getsched setcap signal };
efa04715 MG	208	allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
efa04715 MG	209	allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
ca9e8850	210
efa04715	211	userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
ca9e8850	212
efa04715 MG	213	manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
	214	manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
	215	filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
ca9e8850	216
efa04715 MG	217	manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
	218	manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
	219	files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
ca9e8850	220
35a8e37c	221	kernel_read_system_state(gkeyringd_domain)
efa04715	222	kernel_read_crypto_sysctls(gkeyringd_domain)
ca9e8850	223
efa04715	224	corecmd_search_bin(gkeyringd_domain)
ca9e8850	225
efa04715 MG	226	dev_read_rand(gkeyringd_domain)
efa04715 MG	227	dev_read_urand(gkeyringd_domain)
27c6cfe0	228	dev_read_sysfs(gkeyringd_domain)
efa04715 MG	229
	230	files_read_etc_files(gkeyringd_domain)
	231	files_read_usr_files(gkeyringd_domain)
ca9e8850	232	# for nscd?
efa04715	233	files_search_pids(gkeyringd_domain)
ca9e8850	234
efa04715	235	fs_getattr_xattr_fs(gkeyringd_domain)
e2dc385c	236	fs_getattr_tmpfs(gkeyringd_domain)
ca9e8850	237
efa04715	238	selinux_getattr_fs(gkeyringd_domain)
ca9e8850	239
efa04715	240	logging_send_syslog_msg(gkeyringd_domain)
ca9e8850	241
efa04715	242	miscfiles_read_localization(gkeyringd_domain)
ca9e8850	243
4d5b8bcd MG	244	optional_policy(`
	245	xserver_append_xdm_home_files(gkeyringd_domain)
	246	xserver_read_xdm_home_files(gkeyringd_domain)
	247	xserver_use_xdm_fds(gkeyringd_domain)
	248	')
ca9e8850 DW	249
ca9e8850 DW	250	optional_policy(`
efa04715 MG	251	gnome_read_home_config(gkeyringd_domain)
	252	gnome_read_generic_cache_files(gkeyringd_domain)
	253	gnome_write_generic_cache_files(gkeyringd_domain)
ca9e8850 DW	254	')
	255
	256	optional_policy(`
efa04715	257	ssh_read_user_home_files(gkeyringd_domain)
ca9e8850 DW	258	')
ca9e8850 DW	259
b34d0dd0	260	domain_use_interactive_fds(gnomedomain)
31c44114	261
b34d0dd0	262	userdom_use_inherited_user_terminals(gnomedomain)
dca588f2	263