1 ## <summary>Openoffice</summary>
2
#######################################
## <summary>
##	Role access for the shared openoffice domain.
## </summary>
## <desc>
##	<p>
##	Allow the specified user domain to transition to
##	openoffice_t by executing openoffice_exec_t, and to
##	send the signal and sigkill signals to openoffice_t.
##	</p>
##	<p>
##	Only a domain is taken as an argument; no role
##	statement for openoffice_t is made by this interface.
##	</p>
## </desc>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
interface(`openoffice_plugin_role',`
	gen_require(`
		type openoffice_t, openoffice_exec_t;
	')

	# Let the user domain signal or kill processes running in openoffice_t.
	# The rule is per type, so it covers every openoffice_t process and
	# not only the ones this user domain started.
	allow $1 openoffice_t:process { signal sigkill };

	# Transition from the user domain into openoffice_t when it
	# executes a file labelled openoffice_exec_t.
	domtrans_pattern($1, openoffice_exec_t, openoffice_t)
')
27
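#######################################
## <summary>
##	The role template for the openoffice module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain,
##	prefix_openoffice_t, which is entered from the
##	user domain through openoffice_exec_t.
##	</p>
##	<p>
##	The derived domain is granted execmem and execstack
##	on itself and may execute user home content files.
##	The user domain is granted noatsecure, siginh and
##	rlimitinh over the derived domain. Review these
##	grants before adding new callers.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
# Declared with template() rather than interface() because the body
# declares a new type; the name and arguments are unchanged for callers.
template(`openoffice_role_template',`
	gen_require(`
		type openoffice_exec_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_openoffice_t;
	domain_type($1_openoffice_t)
	domain_entry_file($1_openoffice_t, openoffice_exec_t)
	domain_interactive_fd($1_openoffice_t)
	role $2 types $1_openoffice_t;

	########################################
	#
	# Policy
	#

	userdom_unpriv_usertype($1, $1_openoffice_t)

	# NOTE(review): this lets the derived domain execute files from user
	# home content, so anything written there can run in this domain.
	# Confirm it is still required.
	userdom_exec_user_home_content_files($1_openoffice_t)

	# NOTE(review): execmem and execstack allow executable anonymous
	# memory and an executable stack, which removes a memory protection
	# that would otherwise limit code injection in a document-handling
	# process. Kept as in the original; confirm both are still needed.
	allow $1_openoffice_t self:process { getsched sigkill execmem execstack };

	# signal_perms already contains signal and sigkill, so the separate
	# rule granting only those two permissions has been folded in here.
	# NOTE(review): noatsecure stops the kernel from flagging the new
	# process as a secure exec, so the environment of the user domain
	# (for example loader variables) is not sanitised on transition;
	# siginh and rlimitinh keep signal state and resource limits.
	# Kept as in the original; confirm the derived domain is not meant
	# to be a boundary against the user domain.
	allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };

	# Presumably for TCP sockets inherited from the user domain - verify.
	allow $1_openoffice_t $3:tcp_socket { read write };
	allow $1_openoffice_t $3:unix_stream_socket connectto;

	domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)

	dev_read_urand($1_openoffice_t)
	dev_read_rand($1_openoffice_t)

	# Only hides the denials from the audit log; access is still refused.
	fs_dontaudit_rw_tmpfs_files($1_openoffice_t)

	optional_policy(`
		xserver_role($2, $1_openoffice_t)
	')
')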
89
########################################
## <summary>
##	Execute openoffice_exec_t
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute an openoffice_exec_t file
##	in the specified target domain. The target
##	domain is also allowed to use openoffice_exec_t
##	as an entrypoint.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`openoffice_exec_domtrans',`
	gen_require(`
		type openoffice_exec_t;
	')

	# NOTE(review): in reference policy domtrans_pattern normally also
	# lets the target domain use file descriptors and fifo files of the
	# source domain and send it sigchld, which would not match the
	# statement above that no interprocess communication is provided.
	# Confirm against the support macros shipped with this tree.
	domtrans_pattern($1, openoffice_exec_t, $2)

	# The target domain is not declared in this module, so the
	# entrypoint permission has to be granted explicitly here.
	allow $2 openoffice_exec_t:file entrypoint;
')
122 allow $2 openoffice_exec_t:file entrypoint;
123 domtrans_pattern($1, openoffice_exec_t, $2)
124 ')