projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 41a828ed DW |
1 | policy_module(thumb, 1.0.0) |
| 2 | ||
| 3 | ######################################## | |
| 4 | # | |
| 5 | # Declarations | |
| 6 | # | |
| 7 | ||
| 8 | type thumb_t; | |
| 9 | type thumb_exec_t; | |
| 10 | application_domain(thumb_t, thumb_exec_t) | |
| 0b71fec3 DG |
11 | ubac_constrained(thumb_t) |
| 12 | ||
| 41a828ed DW |
13 | type thumb_tmp_t; |
| 14 | files_tmp_file(thumb_tmp_t) | |
| 0b71fec3 | 15 | ubac_constrained(thumb_tmp_t) |
| 41a828ed DW |
16 | |
| 17 | ######################################## | |
| 18 | # | |
| 19 | # thumb local policy | |
| 20 | # | |
| 21 | ||
| 4a093096 | 22 | allow thumb_t self:process { setsched signal setrlimit }; |
| 23 | ||
| 24 | tunable_policy(`deny_execmem',`',` | |
| 25 | allow thumb_t self:process execmem; | |
| 26 | ') | |
| 27 | ||
| 41a828ed DW |
28 | allow thumb_t self:fifo_file manage_fifo_file_perms; |
| 29 | allow thumb_t self:unix_stream_socket create_stream_socket_perms; | |
| 0b71fec3 DG |
30 | allow thumb_t self:netlink_route_socket r_netlink_socket_perms; |
| 31 | allow thumb_t self:udp_socket create_socket_perms; | |
| 32 | allow thumb_t self:tcp_socket create_socket_perms; | |
| 33 | ||
| 0b71fec3 DG |
34 | manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) |
| 35 | manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) | |
| 36 | exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) | |
| 0b71fec3 | 37 | files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir }) |
| 1c61a166 | 38 | userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir }) |
| 41a828ed DW |
39 | |
| 40 | kernel_read_system_state(thumb_t) | |
| 41 | ||
| 27c0413e DW |
42 | domain_use_interactive_fds(thumb_t) |
| 43 | ||
| 0b71fec3 DG |
44 | corecmd_exec_bin(thumb_t) |
| 45 | ||
| 0b71fec3 DG |
46 | dev_read_sysfs(thumb_t) |
| 47 | ||
| 48 | domain_use_interactive_fds(thumb_t) | |
| 49 | ||
| 41a828ed DW |
50 | files_read_etc_files(thumb_t) |
| 51 | files_read_usr_files(thumb_t) | |
| 52 | ||
| b6031f23 DW |
53 | auth_use_nsswitch(thumb_t) |
| 54 | ||
| c884ef36 | 55 | miscfiles_read_fonts(thumb_t) |
| 41a828ed DW |
56 | miscfiles_read_localization(thumb_t) |
| 57 | ||
| 0b71fec3 DG |
58 | sysnet_read_config(thumb_t) |
| 59 | ||
| c884ef36 | 60 | userdom_read_user_tmp_files(thumb_t) |
| 41a828ed | 61 | userdom_read_user_home_content_files(thumb_t) |
| 0b71fec3 | 62 | userdom_write_user_tmp_files(thumb_t) |
| b6031f23 | 63 | userdom_read_home_audio_files(thumb_t) |
| 0b71fec3 | 64 | |
| 41a828ed | 65 | userdom_use_inherited_user_ptys(thumb_t) |
| 27c0413e | 66 | |
| 0b71fec3 DG |
67 | xserver_read_xdm_home_files(thumb_t) |
| 68 | xserver_append_xdm_home_files(thumb_t) | |
| 0b71fec3 | 69 | xserver_dontaudit_read_xdm_pid(thumb_t) |
| 0b71fec3 DG |
70 | xserver_stream_connect(thumb_t) |
| 71 | ||
| 4864ffb0 | 72 | optional_policy(` |
| 4864ffb0 | 73 | dbus_dontaudit_stream_connect_session_bus(thumb_t) |
| c98bb1bc | 74 | dbus_dontaudit_chat_session_bus(thumb_t) |
| 4864ffb0 | 75 | ') |
| 0b71fec3 DG |
76 | |
| 77 | optional_policy(` | |
| 86ae568b DG |
78 | # .config |
| 79 | gnome_dontaudit_search_config(thumb_t) | |
| c98bb1bc | 80 | gnome_read_generic_data_home_files(thumb_t) |
| 0b71fec3 DG |
81 | gnome_manage_gstreamer_home_files(thumb_t) |
| 82 | ') |