## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
+###########################################################
## <summary>
-## Role access for gnome
+## Role access for gnome
## </summary>
## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
+## <summary>
+## Role allowed access
+## </summary>
## </param>
## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
+## <summary>
+## User domain for the role
+## </summary>
## </param>
#
interface(`gnome_role',`
- gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
- ')
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ type gconf_tmp_t;
+ ')
- role $1 types gconfd_t;
+ role $1 types gconfd_t;
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
+ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+ allow gconfd_t $2:fd use;
+ allow gconfd_t $2:fifo_file write;
+ allow gconfd_t $2:unix_stream_socket connectto;
- ps_process_pattern($2, gconfd_t)
+ ps_process_pattern($2, gconfd_t)
#gnome_stream_connect_gconf_template($1, $2)
read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
allow $2 gconfd_t:unix_stream_socket connectto;
')
+######################################
+## <summary>
+## The role template for the gnome-keyring-daemon.
+## </summary>
+## <param name="user_prefix">
+## <summary>
+## The user prefix.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+interface(`gnome_role_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ attribute gnomedomain;
+ type gnome_home_t;
+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
+ class dbus send_msg;
+ ')
+
+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
+ typealias $1_gkeyringd_t alias gkeyringd_$1_t;
+ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ ubac_constrained($1_gkeyringd_t)
+ domain_user_exemption_target($1_gkeyringd_t)
+
+ userdom_home_manager($1_gkeyringd_t)
+
+ role $2 types $1_gkeyringd_t;
+
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+
+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
+
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
+ allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
+ ps_process_pattern($1_gkeyringd_t, $3)
+
+ auth_use_nsswitch($1_gkeyringd_t)
+
+ ps_process_pattern($3, $1_gkeyringd_t)
+ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
+ optional_policy(`
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_bus_client($1_gkeyringd_t)
+ gnome_home_dir_filetrans($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+
+ optional_policy(`
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ ')
+ ')
+')
+
########################################
## <summary>
## gconf connection template.
allow $1 gconfd_t:unix_stream_socket connectto;
')
+########################################
+## <summary>
+## Connect to gkeyringd with a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ ')
+
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Connect to gkeyringd with a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ ')
+
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+')
+
########################################
## <summary>
## Run gconfd in gconfd domain.
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
+########################################
+## <summary>
+## Dontaudit read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_read_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
+')
+
########################################
## <summary>
## Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
dontaudit $1 gnome_home_type:dir search_dir_perms;
')
+########################################
+## <summary>
+## Dontaudit write gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_write_config_files',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:file write;
+')
+
########################################
## <summary>
## manage gnome homedir content (.config)
type cache_home_t;
')
- filetrans_pattern($1, cache_home_t, $2, $3)
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`gnome_config_filetrans',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
userdom_search_user_home_dirs($1)
')
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Dontaudit read/write to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_rw_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
+')
+
########################################
## <summary>
## read gnome homedir content (.config)
## </summary>
## </param>
#
-template(`gnome_read_config',`
+interface(`gnome_read_config',`
gen_require(`
attribute gnome_home_type;
')
type data_home_t;
')
- filetrans_pattern($1, data_home_t, $2, $3)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
gnome_search_gconf($1)
')
#######################################
## <summary>
-## Manage gconf data home files
+## Read generic data home files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_data_home_files',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+#######################################
+## <summary>
+## Manage gconf data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`gnome_manage_data',`
- gen_require(`
- type data_home_t;
- type gconf_home_t;
- ')
+ gen_require(`
+ type data_home_t;
+ type gconf_home_t;
+ ')
allow $1 gconf_home_t:dir search_dir_perms;
- manage_files_pattern($1, data_home_t, data_home_t)
+ manage_dirs_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## Read icc data home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_home_icc_data_content',`
+ gen_require(`
+ type icc_data_home_t, gconf_home_t, data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
+')
+
+########################################
+## <summary>
+## Read inherited icc data home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_inherited_home_icc_data_files',`
+ gen_require(`
+ type icc_data_home_t;
+ ')
+
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
')
########################################
userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')
+########################################
+## <summary>
+## Do not audit attempts to read
+## inherited gconf config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+')
+
########################################
## <summary>
## read gconf config files
can_exec($1, gconfd_exec_t)
')
+########################################
+## <summary>
+## Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
+')
+
########################################
## <summary>
## Read gconf home files
allow $1 data_home_t:dir list_dir_perms;
read_files_pattern($1, gconf_home_t, gconf_home_t)
read_files_pattern($1, data_home_t, data_home_t)
+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## Search gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
')
########################################
files_search_home($1)
')
+########################################
+## <summary>
+## Manage generic gnome home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_files',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+## Manage generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
########################################
## <summary>
## Append gconf home files
## </summary>
## </param>
#
-template(`gnome_setattr_home_config',`
+interface(`gnome_setattr_home_config',`
gen_require(`
type config_home_t;
')
type config_home_t;
')
+ list_dirs_pattern($1, config_home_t, config_home_t)
read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_delete_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+## setattr gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
')
########################################
## </summary>
## </param>
#
-template(`gnome_manage_home_config',`
+interface(`gnome_manage_home_config',`
gen_require(`
type config_home_t;
')
manage_files_pattern($1, config_home_t, config_home_t)
')
+#######################################
+## <summary>
+## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_delete_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ manage_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+## manage gstreamer home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
+')
+
########################################
## <summary>
## Read/Write all inherited gnome home config
allow $1 gconfdefaultsm_t:dbus send_msg;
allow gconfdefaultsm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gkeyringd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send signull signal to gkeyringd processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_signull_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process signull;
+')
+
+########################################
+## <summary>
+## Allow the domain to read gkeyringd state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gkeyringd_state',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ ps_process_pattern($1, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Create directories in user home directories
+## with the gnome home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_home_dir_filetrans',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+ userdom_search_user_home_dirs($1)
+')
+
+######################################
+## <summary>
+## Allow read kde config content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, config_usr_t, config_usr_t)
+ read_files_pattern($1, config_usr_t, config_usr_t)
+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+#######################################
+## <summary>
+## Allow manage kde config content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
+ manage_files_pattern($1, config_usr_t, config_usr_t)
+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+## <summary>
+## Execute gnome-keyring in the user gkeyring domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the gkeyring domain.
+## </summary>
+## </param>
+#
+interface(`gnome_transition_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ ')
+
+ allow $1 gkeyringd_domain:process transition;
+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
+ allow gkeyringd_domain $1:process { sigchld signull };
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Create gnome content in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type data_home_t, icc_data_home_t;
+ type gkeyringd_gnome_home_t;
+')
+
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ # ~/.color/icc: legacy
+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+')
+
+########################################
+## <summary>
+## Create gnome directory in the /root directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_filetrans_admin_home_content',`
+
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type icc_data_home_t;
+')
+
+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ # /root/.color/icc: legacy
+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
+
+######################################
+## <summary>
+## Execute gnome-keyring executable
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ allow $2 gkeyringd_exec_t:file entrypoint;
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
+ type_transition $1 gkeyringd_exec_t:process $2;
+')