From 63d7cb71f9382da2e90362856ef2f526e36e6481 Mon Sep 17 00:00:00 2001 
From: Stefan Schantl
Date: Sat, 21 Jan 2012 19:10:53 +0100
Subject: [PATCH] Remove module for gnome.

---
 policy/modules/admin/firstboot.te | 5 -
 policy/modules/admin/prelink.te | 5 -
 policy/modules/apps/gnome.fc | 42 -
 policy/modules/apps/gnome.if | 1296 --------------------
 policy/modules/apps/gnome.te | 263 -----
 policy/modules/apps/gpg.te | 15 -
 policy/modules/apps/mplayer.te | 4 -
 policy/modules/apps/pulseaudio.te | 5 -
 policy/modules/apps/sandbox.te | 4 -
 policy/modules/apps/userhelper.te | 4 -
 policy/modules/kernel/corecommands.fc | 1 -
 policy/modules/kernel/domain.te | 4 -
 policy/modules/kernel/kernel.te | 4 -
 policy/modules/roles/staff.te | 4 -
 policy/modules/roles/sysadm.te | 5 -
 policy/modules/roles/unconfineduser.te | 5 -
 policy/modules/roles/unprivuser.te | 4 -
 policy/modules/roles/xguest.te | 4 -
 policy/modules/services/cobbler.te | 4 -
 policy/modules/services/colord.te | 6 -
 policy/modules/services/cups.te | 8 -
 policy/modules/services/dbus.te | 9 -
 policy/modules/services/denyhosts.te | 4 -
 policy/modules/services/devicekit.te | 4 -
 policy/modules/services/dovecot.te | 8 -
 policy/modules/services/fail2ban.te | 4 -
 policy/modules/services/hal.te | 4 -
 policy/modules/services/mailman.te | 4 -
 policy/modules/services/networkmanager.te | 4 -
 policy/modules/services/piranha.te | 4 -
 policy/modules/services/policykit.te | 4 -
 policy/modules/services/procmail.te | 4 -
 policy/modules/services/setroubleshoot.te | 4 -
 policy/modules/services/ssh.te | 4 -
 policy/modules/services/tuned.te | 4 -
 policy/modules/services/xserver.if | 4 -
 policy/modules/services/xserver.te | 11 -
 policy/modules/system/init.te | 4 -
 policy/modules/system/libraries.te | 4 -
 policy/modules/system/systemd.fc | 1 -
 policy/modules/system/systemd.te | 13 -
 policy/modules/system/udev.te | 4 -
 policy/modules/system/userdomain.if | 16 -
 policy/modules/system/userdomain.te | 4 -
 44 files changed, 1818 deletions(-)
 delete mode 100644 policy/modules/apps/gnome.fc
 delete mode 100644 policy/modules/apps/gnome.if
 delete mode 100644 policy/modules/apps/gnome.te

diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index bd59f2e1..69695bcb 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -136,11 +136,6 @@ optional_policy(`
 usermanage_domtrans_admin_passwd(firstboot_t)
 ')
 
-optional_policy(`
- gnome_admin_home_gconf_filetrans(firstboot_t, dir)
- gnome_manage_config(firstboot_t)
-')
-
 optional_policy(`
 xserver_domtrans(firstboot_t)
 xserver_rw_shm(firstboot_t)
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 20fd89c1..086ad1aa 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -120,11 +120,6 @@ optional_policy(`
 cron_system_entry(prelink_t, prelink_exec_t)
 ')
 
-optional_policy(`
- gnome_dontaudit_read_config(prelink_t)
- gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
-')
-
 optional_policy(`
 rpm_manage_tmp_files(prelink_t)
 ')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
deleted file mode 100644
index fba11e12..00000000
--- a/policy/modules/apps/gnome.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
-HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
-HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
-HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
-HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-
-/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-
-/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
-/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
-/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
-/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
-/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
-/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
-
-/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-
-/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
-
-/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
-
-# Don't use because toolchain is broken
-#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-
-/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-
-/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
deleted file mode 100644
index 1be6bcd7..00000000
--- a/policy/modules/apps/gnome.if
+++ /dev/null
@@ -1,1296 +0,0 @@ -## GNU network object model environment (GNOME) - -########################################################### -## -## Role access for gnome -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`gnome_role',` - gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; - ') - - role $1 types gconfd_t; - - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; - - ps_process_pattern($2, gconfd_t) - - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; -') - -###################################### -## -## The role template for the gnome-keyring-daemon. -## -## -## -## The user prefix. -## -## -## -## -## The user role. -## -## -## -## -## The user domain associated with the role. -## -## -# -interface(`gnome_role_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - attribute gnomedomain; - type gnome_home_t; - type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; - class dbus send_msg; - ') - - type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; - typealias $1_gkeyringd_t alias gkeyringd_$1_t; - application_domain($1_gkeyringd_t, gkeyringd_exec_t) - ubac_constrained($1_gkeyringd_t) - domain_user_exemption_target($1_gkeyringd_t) - - userdom_home_manager($1_gkeyringd_t) - - role $2 types $1_gkeyringd_t; - - domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - - allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms }; - allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms }; - - allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; - allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; - - corecmd_bin_domtrans($1_gkeyringd_t, $1_t) - corecmd_shell_domtrans($1_gkeyringd_t, $1_t) - allow 
$1_gkeyringd_t $3:process sigkill; - allow $3 $1_gkeyringd_t:fd use; - allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; - - ps_process_pattern($1_gkeyringd_t, $3) - - auth_use_nsswitch($1_gkeyringd_t) - - ps_process_pattern($3, $1_gkeyringd_t) - allow $3 $1_gkeyringd_t:process signal_perms; - dontaudit $3 gkeyringd_exec_t:file entrypoint; - - stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) - - allow $1_gkeyringd_t $3:dbus send_msg; - allow $3 $1_gkeyringd_t:dbus send_msg; - optional_policy(` - dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) - dbus_session_bus_client($1_gkeyringd_t) - gnome_home_dir_filetrans($1_gkeyringd_t) - gnome_manage_generic_home_dirs($1_gkeyringd_t) - gnome_read_generic_data_home_files($1_gkeyringd_t) - ') -') - -######################################## -## -## gconf connection template. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_stream_connect_gconf',` - gen_require(` - type gconfd_t, gconf_tmp_t; - ') - - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -') - -######################################## -## -## Connect to gkeyringd with a unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_stream_connect_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - type gkeyringd_tmp_t; - type gconf_tmp_t; - ') - - allow $1 gconf_tmp_t:dir search_dir_perms; - stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) -') - -######################################## -## -## Connect to gkeyringd with a unix stream socket. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_stream_connect_all_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - type gkeyringd_tmp_t; - type gconf_tmp_t; - ') - - allow $1 gconf_tmp_t:dir search_dir_perms; - stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) -') - -######################################## -## -## Run gconfd in gconfd domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_domtrans_gconfd',` - gen_require(` - type gconfd_t, gconfd_exec_t; - ') - - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -') - -######################################## -## -## Dontaudit read gnome homedir content (.config) -## -## -## -## Domain to not audit. -## -## -# -interface(`gnome_dontaudit_read_config',` - gen_require(` - attribute gnome_home_type; - ') - - dontaudit $1 gnome_home_type:dir read_inherited_file_perms; -') - -######################################## -## -## Dontaudit search gnome homedir content (.config) -## -## -## -## Domain to not audit. -## -## -# -interface(`gnome_dontaudit_search_config',` - gen_require(` - attribute gnome_home_type; - ') - - dontaudit $1 gnome_home_type:dir search_dir_perms; -') - -######################################## -## -## Dontaudit write gnome homedir content (.config) -## -## -## -## Domain to not audit. -## -## -# -interface(`gnome_dontaudit_write_config_files',` - gen_require(` - attribute gnome_home_type; - ') - - dontaudit $1 gnome_home_type:file write; -') - -######################################## -## -## manage gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_config',` - gen_require(` - attribute gnome_home_type; - ') - - allow $1 gnome_home_type:dir manage_dir_perms; - allow $1 gnome_home_type:file manage_file_perms; - allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Send general signals to all gconf domains. 
-## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_signal_all',` - gen_require(` - attribute gnomedomain; - ') - - allow $1 gnomedomain:process signal; -') - -######################################## -## -## Create objects in a Gnome cache home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`gnome_cache_filetrans',` - gen_require(` - type cache_home_t; - ') - - filetrans_pattern($1, cache_home_t, $2, $3, $4) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Create objects in a Gnome cache home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`gnome_config_filetrans',` - gen_require(` - type config_home_t; - ') - - filetrans_pattern($1, config_home_t, $2, $3, $4) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Read generic cache home files (.cache) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_generic_cache_files',` - gen_require(` - type cache_home_t; - ') - - read_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Set attributes of cache home dir (.cache) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_cache_home_dir',` - gen_require(` - type cache_home_t; - ') - - setattr_dirs_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## append to generic cache home files (.cache) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_append_generic_cache_files',` - gen_require(` - type cache_home_t; - ') - - append_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## write to generic cache home files (.cache) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_write_generic_cache_files',` - gen_require(` - type cache_home_t; - ') - - write_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Dontaudit read/write to generic cache home files (.cache) -## -## -## -## Domain to not audit. -## -## -# -interface(`gnome_dontaudit_rw_generic_cache_files',` - gen_require(` - type cache_home_t; - ') - - dontaudit $1 cache_home_t:file rw_inherited_file_perms; -') - -######################################## -## -## read gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_config',` - gen_require(` - attribute gnome_home_type; - ') - - list_dirs_pattern($1, gnome_home_type, gnome_home_type) - read_files_pattern($1, gnome_home_type, gnome_home_type) - read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) -') - -######################################## -## -## Create objects in a Gnome gconf home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`gnome_data_filetrans',` - gen_require(` - type data_home_t; - ') - - filetrans_pattern($1, data_home_t, $2, $3, $4) - gnome_search_gconf($1) -') - -####################################### -## -## Read generic data home files. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_read_generic_data_home_files',` - gen_require(` - type data_home_t, gconf_home_t; - ') - - read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) -') - -####################################### -## -## Manage gconf data home files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_data',` - gen_require(` - type data_home_t; - type gconf_home_t; - ') - - allow $1 gconf_home_t:dir search_dir_perms; - manage_dirs_pattern($1, data_home_t, data_home_t) - manage_files_pattern($1, data_home_t, data_home_t) - manage_lnk_files_pattern($1, data_home_t, data_home_t) -') - -######################################## -## -## Read icc data home content. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_home_icc_data_content',` - gen_require(` - type icc_data_home_t, gconf_home_t, data_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; - list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) - read_files_pattern($1, icc_data_home_t, icc_data_home_t) - read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) -') - -######################################## -## -## Read inherited icc data home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_inherited_home_icc_data_files',` - gen_require(` - type icc_data_home_t; - ') - - allow $1 icc_data_home_t:file read_inherited_file_perms; -') - -######################################## -## -## Create gconf_home_t objects in the /root directory -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -# -interface(`gnome_admin_home_gconf_filetrans',` - gen_require(` - type gconf_home_t; - ') - - userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) -') - -######################################## -## -## Do not audit attempts to read -## inherited gconf config files. -## -## -## -## Domain to not audit. 
-## -## -# -interface(`gnome_dontaudit_read_inherited_gconf_config_files',` - gen_require(` - type gconf_etc_t; - ') - - dontaudit $1 gconf_etc_t:file read_inherited_file_perms; -') - -######################################## -## -## read gconf config files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -') - -####################################### -## -## Manage gconf config files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - allow $1 gconf_etc_t:dir list_dir_perms; - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) -') - -######################################## -## -## Execute gconf programs in -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_exec_gconf',` - gen_require(` - type gconfd_exec_t; - ') - - can_exec($1, gconfd_exec_t) -') - -######################################## -## -## Execute gnome keyringd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_exec_keyringd',` - gen_require(` - type gkeyringd_exec_t; - ') - - can_exec($1, gkeyringd_exec_t) - corecmd_search_bin($1) -') - -######################################## -## -## Read gconf home files -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_read_gconf_home_files',` - gen_require(` - type gconf_home_t; - type data_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir list_dir_perms; - allow $1 data_home_t:dir list_dir_perms; - read_files_pattern($1, gconf_home_t, gconf_home_t) - read_files_pattern($1, data_home_t, data_home_t) - read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) - read_lnk_files_pattern($1, data_home_t, data_home_t) -') - -######################################## -## -## Search gkeyringd temporary directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_search_gkeyringd_tmp_dirs',` - gen_require(` - type gkeyringd_tmp_t; - ') - - files_search_tmp($1) - allow $1 gkeyringd_tmp_t:dir search_dir_perms; -') - -######################################## -## -## search gconf homedir (.local) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_search_gconf',` - gen_require(` - type gconf_home_t; - ') - - allow $1 gconf_home_t:dir search_dir_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Set attributes of Gnome config dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_config_dirs',` - gen_require(` - type gnome_home_t; - ') - - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -') - -######################################## -## -## Manage generic gnome home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_generic_home_files',` - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_files_pattern($1, gnome_home_t, gnome_home_t) -') - -######################################## -## -## Manage generic gnome home directories. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_manage_generic_home_dirs',` - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir manage_dir_perms; -') - -######################################## -## -## Append gconf home files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_append_gconf_home_files',` - gen_require(` - type gconf_home_t; - ') - - append_files_pattern($1, gconf_home_t, gconf_home_t) -') - -######################################## -## -## manage gconf home files -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_gconf_home_files',` - gen_require(` - type gconf_home_t; - ') - - allow $1 gconf_home_t:dir list_dir_perms; - manage_files_pattern($1, gconf_home_t, gconf_home_t) -') - -######################################## -## -## Connect to gnome over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the user domain. -## -## -# -interface(`gnome_stream_connect',` - gen_require(` - attribute gnome_home_type; - ') - - # Connect to pulseaudit server - stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) -') - -######################################## -## -## list gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_list_home_config',` - gen_require(` - type config_home_t; - ') - - allow $1 config_home_t:dir list_dir_perms; -') - -######################################## -## -## Set attributes of gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_home_config',` - gen_require(` - type config_home_t; - ') - - setattr_dirs_pattern($1, config_home_t, config_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## read gnome homedir content (.config) -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_read_home_config',` - gen_require(` - type config_home_t; - ') - - list_dirs_pattern($1, config_home_t, config_home_t) - read_files_pattern($1, config_home_t, config_home_t) - read_lnk_files_pattern($1, config_home_t, config_home_t) -') - -####################################### -## -## delete gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_delete_home_config',` - gen_require(` - type config_home_t; - ') - - delete_files_pattern($1, config_home_t, config_home_t) -') - -####################################### -## -## setattr gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_home_config_dirs',` - gen_require(` - type config_home_t; - ') - - setattr_dirs_pattern($1, config_home_t, config_home_t) -') - -######################################## -## -## manage gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_home_config',` - gen_require(` - type config_home_t; - ') - - manage_files_pattern($1, config_home_t, config_home_t) -') - -####################################### -## -## delete gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_delete_home_config_dirs',` - gen_require(` - type config_home_t; - ') - - delete_dirs_pattern($1, config_home_t, config_home_t) -') - -######################################## -## -## manage gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_home_config_dirs',` - gen_require(` - type config_home_t; - ') - - manage_dirs_pattern($1, config_home_t, config_home_t) -') - -######################################## -## -## manage gstreamer home content files. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_manage_gstreamer_home_files',` - gen_require(` - type gstreamer_home_t; - ') - - manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) -') - -######################################## -## -## Read/Write all inherited gnome home config -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_rw_inherited_config',` - gen_require(` - attribute gnome_home_type; - ') - - allow $1 gnome_home_type:file rw_inherited_file_perms; -') - -######################################## -## -## Send and receive messages from -## gconf system service over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_dbus_chat_gconfdefault',` - gen_require(` - type gconfdefaultsm_t; - class dbus send_msg; - ') - - allow $1 gconfdefaultsm_t:dbus send_msg; - allow gconfdefaultsm_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## gkeyringd over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_dbus_chat_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - class dbus send_msg; - ') - - allow $1 gkeyringd_domain:dbus send_msg; - allow gkeyringd_domain $1:dbus send_msg; -') - -######################################## -## -## Send signull signal to gkeyringd processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_signull_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - ') - - allow $1 gkeyringd_domain:process signull; -') - -######################################## -## -## Allow the domain to read gkeyringd state files in /proc. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_read_gkeyringd_state',` - gen_require(` - attribute gkeyringd_domain; - ') - - ps_process_pattern($1, gkeyringd_domain) -') - -######################################## -## -## Create directories in user home directories -## with the gnome home file type. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`gnome_home_dir_filetrans',` - gen_require(` - type gnome_home_t; - ') - - userdom_user_home_dir_filetrans($1, gnome_home_t, dir) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Execute gnome-keyring in the user gkeyring domain -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the gkeyring domain. -## -## -# -interface(`gnome_transition_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; - ') - - allow $1 gkeyringd_domain:process transition; - dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh }; - allow gkeyringd_domain $1:process { sigchld signull }; - allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; -') - -######################################## -## -## Create gnome content in the user home directory -## with an correct label. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_filetrans_home_content',` - -gen_require(` - type config_home_t; - type cache_home_t; - type gstreamer_home_t; - type gconf_home_t; - type gnome_home_t; - type data_home_t, icc_data_home_t; - type gkeyringd_gnome_home_t; -') - - userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config") - userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") - userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine") - userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") - userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") - userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") - userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local") - userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") - userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") - userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") - # ~/.color/icc: legacy - userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc") - filetrans_pattern($1, 
gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") - filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") - filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc") - userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf") -') - -######################################## -## -## Create gnome directory in the /root directory -## with an correct label. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_filetrans_admin_home_content',` - -gen_require(` - type config_home_t; - type cache_home_t; - type gstreamer_home_t; - type gconf_home_t; - type gnome_home_t; - type icc_data_home_t; -') - - userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") - userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine") - userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache") - userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") - userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") - userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local") - userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") - userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") - userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") - # /root/.color/icc: legacy - userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc") -') - -###################################### -## -## Execute gnome-keyring executable -## in the specified domain. -## -## -##

-## Execute a telepathy executable -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -interface(`gnome_command_domtrans_gkeyringd', ` - gen_require(` - type gkeyringd_exec_t; - ') - - allow $2 gkeyringd_exec_t:file entrypoint; - domain_transition_pattern($1, gkeyringd_exec_t, $2) - type_transition $1 gkeyringd_exec_t:process $2; -') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te deleted file mode 100644 index 3c5d7921..00000000 --- a/policy/modules/apps/gnome.te +++ /dev/null 
@@ -1,263 +0,0 @@ -policy_module(gnome, 2.1.0) - -############################## -# -# Declarations -# - -attribute gnomedomain; -attribute gnome_home_type; -attribute gkeyringd_domain; - -type gconf_etc_t; -files_config_file(gconf_etc_t) - -type data_home_t, gnome_home_type; -userdom_user_home_content(data_home_t) - -type config_home_t, gnome_home_type; -userdom_user_home_content(config_home_t) - -type cache_home_t, gnome_home_type; -userdom_user_home_content(cache_home_t) - -type gstreamer_home_t, gnome_home_type; -userdom_user_home_content(gstreamer_home_t) - -type icc_data_home_t, gnome_home_type; -userdom_user_home_content(icc_data_home_t) - -type gconf_home_t, gnome_home_type; -typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; -typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; -typealias gconf_home_t alias unconfined_gconf_home_t; -userdom_user_home_content(gconf_home_t) - -type gconf_tmp_t; -typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; -typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; -typealias gconf_tmp_t alias unconfined_gconf_tmp_t; -files_tmp_file(gconf_tmp_t) -ubac_constrained(gconf_tmp_t) - -type gconfd_t, gnomedomain; -type gconfd_exec_t; -typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; -typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; -application_domain(gconfd_t, gconfd_exec_t) -ubac_constrained(gconfd_t) - -type gnome_home_t, gnome_home_type; -typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; -typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; -typealias gnome_home_t alias unconfined_gnome_home_t; -userdom_user_home_content(gnome_home_t) - -# type KDE /usr/share/config files -type config_usr_t; -files_type(config_usr_t) - -type gkeyringd_exec_t; -corecmd_executable_file(gkeyringd_exec_t) - -type 
gkeyringd_gnome_home_t; -userdom_user_home_content(gkeyringd_gnome_home_t) - -type gkeyringd_tmp_t; -userdom_user_tmp_content(gkeyringd_tmp_t) - -type gconfdefaultsm_t; -type gconfdefaultsm_exec_t; -dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) - -type gnomesystemmm_t; -type gnomesystemmm_exec_t; -dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) - -############################## -# -# Local Policy -# - -allow gconfd_t self:process getsched; -allow gconfd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) -manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) -userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) - -dev_read_urand(gconfd_t) - -files_read_etc_files(gconfd_t) - -miscfiles_read_localization(gconfd_t) - -logging_send_syslog_msg(gconfd_t) - -userdom_manage_user_tmp_sockets(gconfd_t) -userdom_manage_user_tmp_dirs(gconfd_t) -userdom_tmp_filetrans_user_tmp(gconfd_t, dir) - -optional_policy(` - nscd_dontaudit_search_pid(gconfd_t) -') - -optional_policy(` - xserver_use_xdm_fds(gconfd_t) - xserver_rw_xdm_pipes(gconfd_t) -') - -####################################### -# -# gconf-defaults-mechanisms local policy -# - -allow gconfdefaultsm_t self:capability { dac_override sys_nice }; -allow gconfdefaultsm_t self:process getsched; -allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; - -corecmd_search_bin(gconfdefaultsm_t) - -files_read_etc_files(gconfdefaultsm_t) -files_read_usr_files(gconfdefaultsm_t) - -miscfiles_read_localization(gconfdefaultsm_t) - -gnome_manage_gconf_home_files(gconfdefaultsm_t) -gnome_manage_gconf_config(gconfdefaultsm_t) - -userdom_read_all_users_state(gconfdefaultsm_t) 
-userdom_search_user_home_dirs(gconfdefaultsm_t) - -userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) - -optional_policy(` - consolekit_dbus_chat(gconfdefaultsm_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(gconfdefaultsm_t) -') - -optional_policy(` - policykit_domtrans_auth(gconfdefaultsm_t) - policykit_dbus_chat(gconfdefaultsm_t) - policykit_read_lib(gconfdefaultsm_t) - policykit_read_reload(gconfdefaultsm_t) -') - -userdom_home_manager(gconfdefaultsm_t) - -####################################### -# -# gnome-system-monitor-mechanisms local policy -# - -allow gnomesystemmm_t self:capability sys_nice; -allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(gnomesystemmm_t) - -corecmd_search_bin(gnomesystemmm_t) - -domain_kill_all_domains(gnomesystemmm_t) -domain_search_all_domains_state(gnomesystemmm_t) -domain_setpriority_all_domains(gnomesystemmm_t) -domain_signal_all_domains(gnomesystemmm_t) -domain_sigstop_all_domains(gnomesystemmm_t) - -files_read_etc_files(gnomesystemmm_t) -files_read_usr_files(gnomesystemmm_t) - -fs_getattr_xattr_fs(gnomesystemmm_t) - -miscfiles_read_localization(gnomesystemmm_t) - -userdom_read_all_users_state(gnomesystemmm_t) -userdom_dontaudit_search_admin_dir(gnomesystemmm_t) - -optional_policy(` - consolekit_dbus_chat(gnomesystemmm_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(gnomesystemmm_t) -') - -optional_policy(` - policykit_dbus_chat(gnomesystemmm_t) - policykit_domtrans_auth(gnomesystemmm_t) - policykit_read_lib(gnomesystemmm_t) - policykit_read_reload(gnomesystemmm_t) -') - -###################################### -# -# gnome-keyring-daemon local policy -# - -allow gkeyringd_domain self:capability ipc_lock; -allow gkeyringd_domain self:process { getcap getsched setcap signal }; -allow gkeyringd_domain self:fifo_file rw_fifo_file_perms; -allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; - -userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, 
dir) - -manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) -manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) -filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir) - -manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) -manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) -files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) - -kernel_read_system_state(gkeyringd_domain) -kernel_read_crypto_sysctls(gkeyringd_domain) - -corecmd_search_bin(gkeyringd_domain) - -dev_read_rand(gkeyringd_domain) -dev_read_urand(gkeyringd_domain) -dev_read_sysfs(gkeyringd_domain) - -files_read_etc_files(gkeyringd_domain) -files_read_usr_files(gkeyringd_domain) -# for nscd? -files_search_pids(gkeyringd_domain) - -fs_getattr_xattr_fs(gkeyringd_domain) -fs_getattr_tmpfs(gkeyringd_domain) - -selinux_getattr_fs(gkeyringd_domain) - -logging_send_syslog_msg(gkeyringd_domain) - -miscfiles_read_localization(gkeyringd_domain) - -optional_policy(` - xserver_append_xdm_home_files(gkeyringd_domain) - xserver_read_xdm_home_files(gkeyringd_domain) - xserver_use_xdm_fds(gkeyringd_domain) -') - -optional_policy(` - gnome_read_home_config(gkeyringd_domain) - gnome_read_generic_cache_files(gkeyringd_domain) - gnome_write_generic_cache_files(gkeyringd_domain) -') - -optional_policy(` - ssh_read_user_home_files(gkeyringd_domain) -') - -domain_use_interactive_fds(gnomedomain) - -userdom_use_inherited_user_terminals(gnomedomain) - diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 9e7ad4b8..ba69f86a 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -152,11 +152,6 @@ mta_write_config(gpg_t) userdom_home_manager(gpg_t) -optional_policy(` - gnome_read_config(gpg_t) - gnome_stream_connect_gkeyringd(gpg_t) -') - optional_policy(` mta_read_spool(gpg_t) ') 
@@ -346,21 +341,11 @@ userdom_use_user_terminals(gpg_pinentry_t) userdom_home_reader(gpg_pinentry_t) -optional_policy(` - gnome_read_home_config(gpg_pinentry_t) -') - optional_policy(` dbus_session_bus_client(gpg_pinentry_t) dbus_system_bus_client(gpg_pinentry_t) ') -optional_policy(` - gnome_write_generic_cache_files(gpg_pinentry_t) - gnome_read_generic_cache_files(gpg_pinentry_t) - gnome_read_gconf_home_files(gpg_pinentry_t) -') - optional_policy(` pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index 320963be..64bd5daf 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -237,10 +237,6 @@ optional_policy(` alsa_read_rw_config(mplayer_t) ') -optional_policy(` - gnome_setattr_config_dirs(mplayer_t) -') - optional_policy(` pulseaudio_exec(mplayer_t) pulseaudio_stream_connect(mplayer_t) diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 48673c79..ba094177 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -150,11 +150,6 @@ optional_policy(` ') ') -optional_policy(` - gnome_read_gkeyringd_state(pulseaudio_t) - gnome_signull_gkeyringd(pulseaudio_t) -') - optional_policy(` rtkit_scheduled(pulseaudio_t) ') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te index f5cb481a..a3df5fe1 100644 --- a/policy/modules/apps/sandbox.te +++ b/policy/modules/apps/sandbox.te @@ -286,10 +286,6 @@ optional_policy(` devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain) ') -optional_policy(` - gnome_read_gconf_config(sandbox_x_domain) -') - optional_policy(` nscd_dontaudit_search_pid(sandbox_x_domain) ') diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te index 8ce85771..bd4bf16f 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te 
@@ -66,10 +66,6 @@ userdom_use_user_ptys(consolehelper_domain) userdom_use_user_ttys(consolehelper_domain) userdom_read_user_home_content_files(consolehelper_domain) -optional_policy(` - gnome_read_gconf_home_files(consolehelper_domain) -') - optional_policy(` xserver_read_home_fonts(consolehelper_domain) xserver_stream_connect(consolehelper_domain) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 7441b558..1c718356 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -230,7 +230,6 @@ ifdef(`distro_gentoo',` /usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index facd6a8f..8308597c 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -226,10 +226,6 @@ optional_policy(` bootloader_filetrans_config(unconfined_domain_type) ') -optional_policy(` - gnome_filetrans_admin_home_content(unconfined_domain_type) -') - optional_policy(` devicekit_filetrans_named_content(unconfined_domain_type) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 88525351..7183acd9 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -313,10 +313,6 @@ optional_policy(` apache_filetrans_home_content(kernel_t) ') -optional_policy(` - gnome_filetrans_home_content(kernel_t) -') - optional_policy(` kerberos_filetrans_home_content(kernel_t) ') 
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 24a9df64..9e0b520a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -82,10 +82,6 @@ optional_policy(` colord_dbus_chat(staff_t) ') -optional_policy(` - gnome_role(staff_r, staff_t) -') - optional_policy(` irc_role(staff_r, staff_t) ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index d6b4ce70..a06ae865 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -498,11 +498,6 @@ ifndef(`distro_redhat',` dbus_role_template(sysadm, sysadm_r, sysadm_t) ') - optional_policy(` - gnome_role(sysadm_r, sysadm_t) - gnome_filetrans_admin_home_content(sysadm_t) - ') - optional_policy(` gpg_role(sysadm_r, sysadm_t) ') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te index edb36f1d..9b1ee919 100644 --- a/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te @@ -219,11 +219,6 @@ optional_policy(` fprintd_dbus_chat(unconfined_t) ') - optional_policy(` - gnome_dbus_chat_gconfdefault(unconfined_t) - gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) - ') - optional_policy(` ipsec_mgmt_dbus_chat(unconfined_t) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 15ab923f..93574cc1 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -38,10 +38,6 @@ optional_policy(` colord_dbus_chat(user_t) ') -optional_policy(` - gnome_role(user_r, user_t) -') - optional_policy(` irc_role(user_r, user_t) ') diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te index 6185b837..014350ed 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te 
@@ -99,10 +99,6 @@ optional_policy(` apache_role(xguest_r, xguest_t) ') -optional_policy(` - gnome_role(xguest_r, xguest_t) -') - optional_policy(` pcscd_read_pub_files(xguest_t) pcscd_stream_connect(xguest_t) diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te index 1328a63c..20349ec8 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te @@ -206,10 +206,6 @@ optional_policy(` dnsmasq_systemctl(cobblerd_t) ') -optional_policy(` - gnome_dontaudit_search_config(cobblerd_t) -') - optional_policy(` puppet_domtrans_puppetca(cobblerd_t) ') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te index be3683b9..1a9f2272 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -112,12 +112,6 @@ optional_policy(` cups_dbus_chat(colord_t) ') -optional_policy(` - gnome_read_home_icc_data_content(colord_t) - # Fixes lots of breakage in F16 on upgrade - gnome_read_generic_data_home_files(colord_t) -') - optional_policy(` policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 3bc4cfd4..71463e33 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -470,10 +470,6 @@ optional_policy(` ') ') -optional_policy(` - gnome_dontaudit_search_config(cupsd_config_t) -') - optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -627,10 +623,6 @@ optional_policy(` userdom_home_manager(cups_pdf_t) -optional_policy(` - gnome_read_config(cups_pdf_t) -') - ######################################## # # HPLIP local policy diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index c9396dbf..125e2ee5 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te 
@@ -149,11 +149,6 @@ optional_policy(` bind_domtrans(system_dbusd_t) ') -optional_policy(` - gnome_exec_gconf(system_dbusd_t) - gnome_read_inherited_home_icc_data_files(system_dbusd_t) -') - optional_policy(` cpufreqselector_dbus_chat(system_dbusd_t) ') @@ -303,10 +298,6 @@ userdom_manage_user_home_content_dirs(session_bus_type) userdom_manage_user_home_content_files(session_bus_type) userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) -optional_policy(` - gnome_read_gconf_home_files(session_bus_type) -') - optional_policy(` hal_dbus_chat(session_bus_type) ') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te index b10da2c0..49a6ea0f 100644 --- a/policy/modules/services/denyhosts.te +++ b/policy/modules/services/denyhosts.te @@ -75,7 +75,3 @@ sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') - -optional_policy(` - gnome_dontaudit_search_config(denyhosts_t) -') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index f277ea62..af825394 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -305,10 +305,6 @@ optional_policy(` fstools_domtrans(devicekit_power_t) ') -optional_policy(` - gnome_manage_home_config(devicekit_power_t) -') - optional_policy(` hal_domtrans_mac(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 47969fef..a0d949d9 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -169,10 +169,6 @@ optional_policy(` kerberos_keytab_template(dovecot, dovecot_t) ') -optional_policy(` - gnome_manage_data(dovecot_t) -') - optional_policy(` postfix_manage_private_sockets(dovecot_t) postfix_search_spool(dovecot_t) 
@@ -334,10 +330,6 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file userdom_home_manager(dovecot_deliver_t) -optional_policy(` - gnome_manage_data(dovecot_deliver_t) -') - optional_policy(` mta_manage_spool(dovecot_deliver_t) mta_read_queue(dovecot_deliver_t) diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index c7a0911b..a9c294ca 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -109,10 +109,6 @@ optional_policy(` ftp_read_log(fail2ban_t) ') -optional_policy(` - gnome_dontaudit_search_config(fail2ban_t) -') - optional_policy(` iptables_domtrans(fail2ban_t) ') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index bd85b8f8..4eba8b76 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -280,10 +280,6 @@ optional_policy(` dmidecode_domtrans(hald_t) ') -optional_policy(` - gnome_read_config(hald_t) -') - optional_policy(` gpm_dontaudit_getattr_gpmctl(hald_t) ') diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index 0c0925ec..05fb8a2b 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -93,10 +93,6 @@ optional_policy(` courier_read_spool(mailman_mail_t) ') -optional_policy(` - gnome_dontaudit_search_config(mailman_mail_t) -') - optional_policy(` cron_read_pipes(mailman_mail_t) ') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index be38b9dd..f19f6d2f 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -246,10 +246,6 @@ optional_policy(` howl_signal(NetworkManager_t) ') -optional_policy(` - gnome_dontaudit_search_config(NetworkManager_t) -') - optional_policy(` ipsec_domtrans_mgmt(NetworkManager_t) ipsec_kill_mgmt(NetworkManager_t) 
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te index 1c69a1a9..66d047c9 100644 --- a/policy/modules/services/piranha.te +++ b/policy/modules/services/piranha.te @@ -122,10 +122,6 @@ optional_policy(` apache_exec(piranha_web_t) ') -optional_policy(` - gnome_dontaudit_search_config(piranha_web_t) -') - optional_policy(` sasl_connect(piranha_web_t) ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index c2771dd9..ce30ca50 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -118,10 +118,6 @@ optional_policy(` consolekit_read_pid_files(policykit_t) ') -optional_policy(` - gnome_read_config(policykit_t) -') - ######################################## # # polkit_auth local policy diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index 999b9863..4c188f99 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -117,10 +117,6 @@ optional_policy(` clamav_search_lib(procmail_t) ') -optional_policy(` - gnome_manage_data(procmail_t) -') - optional_policy(` munin_dontaudit_search_lib(procmail_t) ') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index a181f019..53e4a57f 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -190,10 +190,6 @@ miscfiles_read_localization(setroubleshoot_fixit_t) userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) userdom_signull_unpriv_users(setroubleshoot_fixit_t) -optional_policy(` - gnome_dontaudit_search_config(setroubleshoot_fixit_t) -') - optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index aadaa2cb..d3b746c9 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
@@ -212,10 +212,6 @@ tunable_policy(`user_tcp_server',` corenet_tcp_bind_generic_node(ssh_t) ') -optional_policy(` - gnome_stream_connect_all_gkeyringd(ssh_t) -') - optional_policy(` xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) xserver_domtrans_xauth(ssh_t) diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te index 1aebd234..bbb59f2a 100644 --- a/policy/modules/services/tuned.te +++ b/policy/modules/services/tuned.te @@ -59,10 +59,6 @@ optional_policy(` fstools_domtrans(tuned_t) ') -optional_policy(` - gnome_dontaudit_search_config(tuned_t) -') - # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 351ed062..b35ff341 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -132,10 +132,6 @@ interface(`xserver_restricted_role',` tunable_policy(`user_direct_dri',` dev_rw_dri($2) ') - - optional_policy(` - gnome_read_gconf_config($2) - ') ') ######################################## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 2bf72dde..3f981bbb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -765,17 +765,6 @@ optional_policy(` gpm_setattr_gpmctl(xdm_t) ') -optional_policy(` - gnome_exec_keyringd(xdm_t) - gnome_manage_config(xdm_t) - gnome_manage_gconf_home_files(xdm_t) - gnome_filetrans_home_content(xdm_t) - gnome_read_config(xdm_t) - gnome_read_usr_config(xdm_t) - gnome_read_gconf_config(xdm_t) - gnome_transition_gkeyringd(xdm_t) -') - optional_policy(` hostname_exec(xdm_t) ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8146289d..c9a13efb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
@@ -780,10 +780,6 @@ ifdef(`distro_redhat',` dirsrv_manage_var_run(initrc_t) ') - optional_policy(` - gnome_manage_gconf_config(initrc_t) - ') - optional_policy(` ldap_read_db_files(initrc_t) ') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index eae94270..48c21c3a 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -141,10 +141,6 @@ optional_policy(` apt_use_ptys(ldconfig_t) ') -optional_policy(` - gnome_append_generic_cache_files(ldconfig_t) -') - optional_policy(` puppet_rw_tmp(ldconfig_t) ') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 0d3e625d..7b95654f 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -4,7 +4,6 @@ /bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) /usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) -/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 9e081257..67355e82 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -129,12 +129,6 @@ optional_policy(` cron_read_state_crond(systemd_logind_t) ') -optional_policy(` - # we label /run/user/$USER/dconf as config_home_t - gnome_manage_home_config_dirs(systemd_logind_t) - gnome_manage_home_config(systemd_logind_t) -') - optional_policy(` # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file xserver_search_xdm_tmp_dirs(systemd_logind_t) 
@@ -281,13 +275,6 @@ optional_policy(` auth_rw_login_records(systemd_tmpfiles_t) ') -optional_policy(` - # we have /run/user/$USER/dconf - gnome_delete_home_config(systemd_tmpfiles_t) - gnome_delete_home_config_dirs(systemd_tmpfiles_t) - gnome_setattr_home_config_dirs(systemd_tmpfiles_t) -') - optional_policy(` rpm_read_db(systemd_tmpfiles_t) rpm_delete_db(systemd_tmpfiles_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 6a93c644..8654d1ef 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -262,10 +262,6 @@ optional_policy(` devicekit_domtrans_disk(udev_t) ') -optional_policy(` - gnome_read_home_config(udev_t) -') - optional_policy(` gpsd_domtrans(udev_t) ') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 1523a511..0e662c89 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -719,10 +719,6 @@ template(`userdom_common_user_template',` devicekit_dbus_chat_disk($1_usertype) ') - optional_policy(` - gnome_dbus_chat_gconfdefault($1_usertype) - ') - optional_policy(` hal_dbus_chat($1_usertype) ') @@ -1084,13 +1080,6 @@ template(`userdom_restricted_xwindows_user_template',` alsa_read_rw_config($1_usertype) ') - # cjp: needed by KDE apps - # bug: #682499 - optional_policy(` - gnome_read_usr_config($1_usertype) - gnome_role_gkeyringd($1, $1_r, $1_usertype) - ') - optional_policy(` dbus_role_template($1, $1_r, $1_usertype) dbus_system_bus_client($1_usertype) @@ -5067,11 +5056,6 @@ interface(`userdom_filetrans_home_content',` userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") - gnome_config_filetrans($1, home_cert_t, dir, "certificates") - - #optional_policy(` - # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin") - #') ') ######################################## 
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 63f769a5..34536f31 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -160,10 +160,6 @@ optional_policy(` alsa_relabel_home_files(unpriv_userdomain) ') -optional_policy(` - gnome_filetrans_home_content(userdomain) -') - optional_policy(` ssh_filetrans_home_content(userdomain) ') -- 2.47.3