## <summary>GNU network object model environment (GNOME)</summary>

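########################################
## <summary>
##	Role access for gnome.
## </summary>
## <desc>
##	<p>
##	Lets the user domain run gconfd in the gconfd_t domain
##	(automatic transition on executing gconfd_exec_t), lets
##	gconfd_t use the caller's descriptors, write its pipes and
##	connect to its unix stream sockets, lets the caller inspect
##	the gconfd_t process, and gives the caller the same gconf
##	connection access as gnome_stream_connect_gconf().
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`gnome_role',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	role $1 types gconfd_t;

	# Executing gconfd_exec_t from the user domain lands in gconfd_t.
	# NOTE(review): kept as domain_auto_trans rather than domtrans_pattern
	# (used by gnome_domtrans_gconfd below) so no extra access toward the
	# user domain is granted beyond the three rules that follow.
	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
	# gconfd_t inherits descriptors from the user domain and talks back
	# to it over pipes and unix stream sockets.
	allow gconfd_t $2:fd use;
	allow gconfd_t $2:fifo_file write;
	allow gconfd_t $2:unix_stream_socket connectto;

	# The user domain may inspect the gconfd_t process (ps, /proc).
	ps_process_pattern($2, gconfd_t)

	# Read gconf_tmp_t files and connectto gconfd_t: exactly the rules of
	# the stand-alone interface, so call it instead of duplicating them.
	gnome_stream_connect_gconf($2)
')
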
########################################
## <summary>
##	Connect to the gconf daemon over a unix stream socket.
## </summary>
## <desc>
##	<p>
##	Grants connectto on gconfd_t unix stream sockets and read
##	access to files of type gconf_tmp_t (directory search
##	included by the read pattern).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	# Connecting is the purpose; the tmp file access supports it.
	allow $1 gconfd_t:unix_stream_socket connectto;
	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
')

########################################
## <summary>
##	Run gconfd in the gconfd domain.
## </summary>
## <desc>
##	<p>
##	Executing a gconfd_exec_t file from the caller domain
##	transitions automatically into gconfd_t. Compare
##	gnome_exec_gconf(), which runs the program in the
##	caller's own domain with no transition.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	# domtrans_pattern: exec + automatic transition, plus the access the
	# new domain needs back to the caller (descriptor/pipe use; presumably
	# also sigchld — see the pattern definition in the support files).
	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Do not audit attempts to search gnome homedir content (.config).
## </summary>
## <desc>
##	<p>
##	Grants nothing; it only silences AVC denials for directory
##	search on every type carrying the gnome_home_type attribute.
##	Use it for domains that probe the user's config directories
##	without needing access, so the logs stay free of noise.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Attribute-wide: covers all gnome home types, not a single type.
	dontaudit $1 gnome_home_type:dir search_dir_perms;
')

########################################
## <summary>
##	Manage gnome homedir content (.config).
## </summary>
## <desc>
##	<p>
##	Full create/read/write/delete/rename access to directories,
##	files and symbolic links of every type carrying the
##	gnome_home_type attribute, plus search of the user home
##	directories needed to reach them. This is a broad grant:
##	it spans all gnome home types, not one.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	userdom_search_user_home_dirs($1)

	# Same access vectors as the explicit dir/file/lnk_file allow rules:
	# the directory write access each pattern adds is already part of
	# manage_dir_perms.
	manage_dirs_pattern($1, gnome_home_type, gnome_home_type)
	manage_files_pattern($1, gnome_home_type, gnome_home_type)
	manage_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Send general signals to all gnome domains.
## </summary>
## <desc>
##	<p>
##	Grants only the process:signal permission (generic signals;
##	kill, stop and sigchld are separate permissions and are not
##	included) toward every domain carrying the gnomedomain
##	attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_signal_all',`
	gen_require(`
		attribute gnomedomain;
	')

	allow $1 gnomedomain:process signal;
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory (.cache)
##	with an automatic type transition to a specified
##	private type.
## </summary>
## <desc>
##	<p>
##	New objects of the given class created in cache_home_t
##	directories are labeled with the private type instead of
##	inheriting cache_home_t. The filetrans pattern also grants
##	the directory write access needed to create the entry, and
##	the user home directories may be searched to reach it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type the created object receives.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_cache_filetrans',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	filetrans_pattern($1, cache_home_t, $2, $3)
')

########################################
## <summary>
##	Read generic cache home files (.cache).
## </summary>
## <desc>
##	<p>
##	Read access to files of type cache_home_t, search of
##	cache_home_t directories, and search of the user home
##	directories that lead to them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Set attributes of the cache home directory (.cache).
## </summary>
## <desc>
##	<p>
##	Only setattr (plus search) on cache_home_t directories;
##	no read or write of their content. User home directories
##	may be searched to reach them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Append to generic cache home files (.cache).
## </summary>
## <desc>
##	<p>
##	Append-only access to cache_home_t files (no read, no
##	truncating write), with the directory searches needed to
##	reach them under the user home directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	append_files_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Write to generic cache home files (.cache).
## </summary>
## <desc>
##	<p>
##	Write access to existing cache_home_t files (no create or
##	unlink: that is gnome_cache_filetrans or a manage interface),
##	with the directory searches needed to reach them under the
##	user home directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	write_files_pattern($1, cache_home_t, cache_home_t)
')

########################################
## <summary>
##	Read gnome homedir content (.config).
## </summary>
## <desc>
##	<p>
##	List directories and read files and symbolic links of every
##	type carrying the gnome_home_type attribute. Unlike the
##	cache interfaces above, no user home directory search is
##	included; the caller must already be able to reach the
##	directories. Declared with template() although it takes
##	only a domain — siblings such as gnome_read_home_config()
##	are interface()s.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`gnome_read_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
	read_files_pattern($1, gnome_home_type, gnome_home_type)
	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
')

########################################
## <summary>
##	Create objects in a Gnome gconf data home directory
##	(data_home_t) with an automatic type transition to
##	a specified private type.
## </summary>
## <desc>
##	<p>
##	New objects of the given class created in data_home_t
##	directories are labeled with the private type. The
##	filetrans pattern grants the directory write access needed
##	to create the entry; gnome_search_gconf() supplies the
##	searches on gconf_home_t and the user home directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type the created object receives.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans',`
	gen_require(`
		type data_home_t;
	')

	gnome_search_gconf($1)
	filetrans_pattern($1, data_home_t, $2, $3)
')

#######################################
## <summary>
##	Manage gconf data home files.
## </summary>
## <desc>
##	<p>
##	Create/read/write/delete files of type data_home_t and
##	search gconf_home_t directories. No user home directory
##	search is included here (gnome_data_filetrans() gets it
##	via gnome_search_gconf()); the caller needs that from
##	elsewhere to reach the directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_data',`
	gen_require(`
		type data_home_t;
		type gconf_home_t;
	')

	manage_files_pattern($1, data_home_t, data_home_t)
	# Same as a bare search_dir_perms allow on gconf_home_t.
	search_dirs_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory.
## </summary>
## <desc>
##	<p>
##	Objects of the given class created by the domain in the
##	administrator home directory are labeled gconf_home_t.
##	No name argument is passed through, so the transition
##	applies to every new object of that class there, not to
##	one named entry — presumably; depends on the userdom
##	interface's signature.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	# Delegates the transition (and any directory access it grants) to userdom.
	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')

########################################
## <summary>
##	Read gconf config files (gconf_etc_t).
## </summary>
## <desc>
##	<p>
##	List gconf_etc_t directories, read gconf_etc_t files, and
##	search /etc to reach them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	files_search_etc($1)
	# list_dirs_pattern on one type is the same as list_dir_perms on it.
	list_dirs_pattern($1, gconf_etc_t, gconf_etc_t)
	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
')

#######################################
## <summary>
##	Manage gconf config files (gconf_etc_t).
## </summary>
## <desc>
##	<p>
##	Create/read/write/delete gconf_etc_t files and list their
##	directories. Unlike gnome_read_gconf_config(), no /etc
##	search is included; the caller needs it from elsewhere.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
	# list_dirs_pattern on one type is the same as list_dir_perms on it.
	list_dirs_pattern($1, gconf_etc_t, gconf_etc_t)
')

########################################
## <summary>
##	Execute gconf programs in the caller domain.
## </summary>
## <desc>
##	<p>
##	The gconfd_exec_t program runs with the caller's own
##	domain and privileges; no domain transition takes place.
##	Use gnome_domtrans_gconfd() when the program should be
##	confined in gconfd_t instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Read gconf home files.
## </summary>
## <desc>
##	<p>
##	List directories and read files of both gconf_home_t and
##	data_home_t, with search of the user home directories
##	that lead to them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	userdom_search_user_home_dirs($1)

	# list_dirs_pattern on one type is the same as list_dir_perms on it.
	list_dirs_pattern($1, gconf_home_t, gconf_home_t)
	read_files_pattern($1, gconf_home_t, gconf_home_t)

	list_dirs_pattern($1, data_home_t, data_home_t)
	read_files_pattern($1, data_home_t, data_home_t)
')

########################################
## <summary>
##	Search the gconf homedir (.local).
## </summary>
## <desc>
##	<p>
##	Search-only access to gconf_home_t directories plus search
##	of the user home directories that lead to them; no listing
##	or file access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_search_user_home_dirs($1)
	# Same as a bare search_dir_perms allow on gconf_home_t.
	search_dirs_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Set attributes of Gnome config dirs (gnome_home_t).
## </summary>
## <desc>
##	<p>
##	Only setattr (plus search) on gnome_home_t directories,
##	with a search of home directories to reach them. Note the
##	single type gnome_home_t, not the gnome_home_type
##	attribute used by the other config interfaces.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	files_search_home($1)
	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
')

########################################
## <summary>
##	Append to gconf home files.
## </summary>
## <desc>
##	<p>
##	Append-only access to gconf_home_t files (no read, no
##	truncating write) and search of gconf_home_t directories.
##	No user home directory search is included, unlike
##	gnome_read_gconf_home_files(); the caller must reach
##	the directories by other means.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	append_files_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Manage gconf home files.
## </summary>
## <desc>
##	<p>
##	Create/read/write/delete gconf_home_t files and list
##	gconf_home_t directories. No user home directory search
##	is included; the caller needs it from elsewhere.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
	gen_require(`
		type gconf_home_t;
	')

	manage_files_pattern($1, gconf_home_t, gconf_home_t)
	# list_dirs_pattern on one type is the same as list_dir_perms on it.
	list_dirs_pattern($1, gconf_home_t, gconf_home_t)
')

########################################
## <summary>
##	Connect to gnome over a unix stream socket.
## </summary>
## <desc>
##	<p>
##	Search directories and write sock_files of every type
##	carrying the gnome_home_type attribute, and connectto
##	the unix stream sockets of the given user domain. The
##	sock_file side is attribute-wide, so it covers every
##	gnome home type's sockets.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The domain whose unix stream sockets may be connected to.
##	</summary>
## </param>
#
interface(`gnome_stream_connect',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Generic over gnome_home_type sock_files with the $2 domain as the
	# socket owner (an earlier comment named the pulseaudio server; the
	# rule itself is not specific to it).
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')

########################################
## <summary>
##	List gnome homedir content (.config, config_home_t).
## </summary>
## <desc>
##	<p>
##	Directory listing on config_home_t only; no file access
##	and no search of the user home directories above it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_list_home_config',`
	gen_require(`
		type config_home_t;
	')

	# list_dirs_pattern on one type is the same as list_dir_perms on it.
	list_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config, config_home_t).
## </summary>
## <desc>
##	<p>
##	Only setattr (plus search) on config_home_t directories,
##	with search of the user home directories to reach them.
##	Declared with template() although it takes only a domain;
##	the neighbouring config interfaces use interface().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`gnome_setattr_home_config',`
	gen_require(`
		type config_home_t;
	')

	userdom_search_user_home_dirs($1)
	setattr_dirs_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Read gnome homedir content (.config, config_home_t).
## </summary>
## <desc>
##	<p>
##	Read config_home_t files and search config_home_t
##	directories. No user home directory search is included,
##	unlike gnome_setattr_home_config(); the caller must
##	reach the directory by other means.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_home_config',`
	gen_require(`
		type config_home_t;
	')

	read_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Manage gnome homedir content (.config, config_home_t).
## </summary>
## <desc>
##	<p>
##	Create/read/write/delete config_home_t files, including
##	the directory write access the manage pattern grants.
##	No user home directory search is included; the caller
##	must reach the directory by other means. Declared with
##	template() although it takes only a domain; the sibling
##	gnome_read_home_config() is an interface().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`gnome_manage_home_config',`
	gen_require(`
		type config_home_t;
	')

	manage_files_pattern($1, config_home_t, config_home_t)
')

########################################
## <summary>
##	Read and write inherited gnome home config files.
## </summary>
## <desc>
##	<p>
##	Read/write on file descriptors the domain already holds
##	for files of any gnome_home_type type. No directory
##	search is granted and the permission set does not include
##	open, so the domain cannot reach these files on its own;
##	it can only use descriptors passed to it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
	gen_require(`
		attribute gnome_home_type;
	')

	# Attribute-wide: applies to every gnome home type.
	allow $1 gnome_home_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Send and receive messages from the gconf
##	defaults system service over dbus.
## </summary>
## <desc>
##	<p>
##	Bidirectional: the domain may send dbus messages to
##	gconfdefaultsm_t and gconfdefaultsm_t may send messages
##	back. The dbus class is a userspace object class, so it
##	is listed in the require block alongside the type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
	gen_require(`
		class dbus send_msg;
		type gconfdefaultsm_t;
	')

	# Replies from the service back to the caller.
	allow gconfdefaultsm_t $1:dbus send_msg;
	# Requests from the caller to the service.
	allow $1 gconfdefaultsm_t:dbus send_msg;
')