]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/apps/gnome.if
projects / people / stevee / selinux-policy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Remove module for gnomeclock.
[people/stevee/selinux-policy.git] / policy / modules / apps / gnome.if
1 ## <summary>GNU network object model environment (GNOME)</summary>
2
3 ###########################################################
4 ## <summary>
5 ## Role access for gnome
6 ## </summary>
7 ## <param name="role">
8 ## <summary>
9 ## Role allowed access
10 ## </summary>
11 ## </param>
12 ## <param name="domain">
13 ## <summary>
14 ## User domain for the role
15 ## </summary>
16 ## </param>
17 #
18 interface(`gnome_role',`
19 gen_require(`
20 type gconfd_t, gconfd_exec_t;
21 type gconf_tmp_t;
22 ')
23
24 role $1 types gconfd_t;
25
26 domain_auto_trans($2, gconfd_exec_t, gconfd_t)
27 allow gconfd_t $2:fd use;
28 allow gconfd_t $2:fifo_file write;
29 allow gconfd_t $2:unix_stream_socket connectto;
30
31 ps_process_pattern($2, gconfd_t)
32
33 #gnome_stream_connect_gconf_template($1, $2)
34 read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
35 allow $2 gconfd_t:unix_stream_socket connectto;
36 ')
37
38 ######################################
39 ## <summary>
40 ## The role template for the gnome-keyring-daemon.
41 ## </summary>
42 ## <param name="user_prefix">
43 ## <summary>
44 ## The user prefix.
45 ## </summary>
46 ## </param>
47 ## <param name="user_role">
48 ## <summary>
49 ## The user role.
50 ## </summary>
51 ## </param>
52 ## <param name="user_domain">
53 ## <summary>
54 ## The user domain associated with the role.
55 ## </summary>
56 ## </param>
57 #
58 interface(`gnome_role_gkeyringd',`
59 gen_require(`
60 attribute gkeyringd_domain;
61 attribute gnomedomain;
62 type gnome_home_t;
63 type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
64 class dbus send_msg;
65 ')
66
67 type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
68 typealias $1_gkeyringd_t alias gkeyringd_$1_t;
69 application_domain($1_gkeyringd_t, gkeyringd_exec_t)
70 ubac_constrained($1_gkeyringd_t)
71 domain_user_exemption_target($1_gkeyringd_t)
72
73 userdom_home_manager($1_gkeyringd_t)
74
75 role $2 types $1_gkeyringd_t;
76
77 domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
78
79 allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
80 allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
81
82 allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
83 allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
84
85 corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
86 corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
87 allow $1_gkeyringd_t $3:process sigkill;
88 allow $3 $1_gkeyringd_t:fd use;
89 allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
90
91 ps_process_pattern($1_gkeyringd_t, $3)
92
93 auth_use_nsswitch($1_gkeyringd_t)
94
95 ps_process_pattern($3, $1_gkeyringd_t)
96 allow $3 $1_gkeyringd_t:process signal_perms;
97 dontaudit $3 gkeyringd_exec_t:file entrypoint;
98
99 stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
100
101 allow $1_gkeyringd_t $3:dbus send_msg;
102 allow $3 $1_gkeyringd_t:dbus send_msg;
103 optional_policy(`
104 dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
105 dbus_session_bus_client($1_gkeyringd_t)
106 gnome_home_dir_filetrans($1_gkeyringd_t)
107 gnome_manage_generic_home_dirs($1_gkeyringd_t)
108 gnome_read_generic_data_home_files($1_gkeyringd_t)
109 ')
110 ')
111
112 ########################################
113 ## <summary>
114 ## gconf connection template.
115 ## </summary>
116 ## <param name="domain">
117 ## <summary>
118 ## Domain allowed access.
119 ## </summary>
120 ## </param>
121 #
122 interface(`gnome_stream_connect_gconf',`
123 gen_require(`
124 type gconfd_t, gconf_tmp_t;
125 ')
126
127 read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
128 allow $1 gconfd_t:unix_stream_socket connectto;
129 ')
130
131 ########################################
132 ## <summary>
133 ## Connect to gkeyringd with a unix stream socket.
134 ## </summary>
135 ## <param name="domain">
136 ## <summary>
137 ## Domain allowed access.
138 ## </summary>
139 ## </param>
140 #
141 interface(`gnome_stream_connect_gkeyringd',`
142 gen_require(`
143 attribute gkeyringd_domain;
144 type gkeyringd_tmp_t;
145 type gconf_tmp_t;
146 ')
147
148 allow $1 gconf_tmp_t:dir search_dir_perms;
149 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
150 ')
151
152 ########################################
153 ## <summary>
154 ## Connect to gkeyringd with a unix stream socket.
155 ## </summary>
156 ## <param name="domain">
157 ## <summary>
158 ## Domain allowed access.
159 ## </summary>
160 ## </param>
161 #
162 interface(`gnome_stream_connect_all_gkeyringd',`
163 gen_require(`
164 attribute gkeyringd_domain;
165 type gkeyringd_tmp_t;
166 type gconf_tmp_t;
167 ')
168
169 allow $1 gconf_tmp_t:dir search_dir_perms;
170 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
171 ')
172
173 ########################################
174 ## <summary>
175 ## Run gconfd in gconfd domain.
176 ## </summary>
177 ## <param name="domain">
178 ## <summary>
179 ## Domain allowed access.
180 ## </summary>
181 ## </param>
182 #
183 interface(`gnome_domtrans_gconfd',`
184 gen_require(`
185 type gconfd_t, gconfd_exec_t;
186 ')
187
188 domtrans_pattern($1, gconfd_exec_t, gconfd_t)
189 ')
190
191 ########################################
192 ## <summary>
193 ## Dontaudit read gnome homedir content (.config)
194 ## </summary>
195 ## <param name="domain">
196 ## <summary>
197 ## Domain to not audit.
198 ## </summary>
199 ## </param>
200 #
201 interface(`gnome_dontaudit_read_config',`
202 gen_require(`
203 attribute gnome_home_type;
204 ')
205
206 dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
207 ')
208
209 ########################################
210 ## <summary>
211 ## Dontaudit search gnome homedir content (.config)
212 ## </summary>
213 ## <param name="domain">
214 ## <summary>
215 ## Domain to not audit.
216 ## </summary>
217 ## </param>
218 #
219 interface(`gnome_dontaudit_search_config',`
220 gen_require(`
221 attribute gnome_home_type;
222 ')
223
224 dontaudit $1 gnome_home_type:dir search_dir_perms;
225 ')
226
227 ########################################
228 ## <summary>
229 ## Dontaudit write gnome homedir content (.config)
230 ## </summary>
231 ## <param name="domain">
232 ## <summary>
233 ## Domain to not audit.
234 ## </summary>
235 ## </param>
236 #
237 interface(`gnome_dontaudit_write_config_files',`
238 gen_require(`
239 attribute gnome_home_type;
240 ')
241
242 dontaudit $1 gnome_home_type:file write;
243 ')
244
245 ########################################
246 ## <summary>
247 ## manage gnome homedir content (.config)
248 ## </summary>
249 ## <param name="domain">
250 ## <summary>
251 ## Domain allowed access.
252 ## </summary>
253 ## </param>
254 #
255 interface(`gnome_manage_config',`
256 gen_require(`
257 attribute gnome_home_type;
258 ')
259
260 allow $1 gnome_home_type:dir manage_dir_perms;
261 allow $1 gnome_home_type:file manage_file_perms;
262 allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
263 userdom_search_user_home_dirs($1)
264 ')
265
266 ########################################
267 ## <summary>
268 ## Send general signals to all gconf domains.
269 ## </summary>
270 ## <param name="domain">
271 ## <summary>
272 ## Domain allowed access.
273 ## </summary>
274 ## </param>
275 #
276 interface(`gnome_signal_all',`
277 gen_require(`
278 attribute gnomedomain;
279 ')
280
281 allow $1 gnomedomain:process signal;
282 ')
283
284 ########################################
285 ## <summary>
286 ## Create objects in a Gnome cache home directory
287 ## with an automatic type transition to
288 ## a specified private type.
289 ## </summary>
290 ## <param name="domain">
291 ## <summary>
292 ## Domain allowed access.
293 ## </summary>
294 ## </param>
295 ## <param name="private_type">
296 ## <summary>
297 ## The type of the object to create.
298 ## </summary>
299 ## </param>
300 ## <param name="object_class">
301 ## <summary>
302 ## The class of the object to be created.
303 ## </summary>
304 ## </param>
305 #
306 interface(`gnome_cache_filetrans',`
307 gen_require(`
308 type cache_home_t;
309 ')
310
311 filetrans_pattern($1, cache_home_t, $2, $3, $4)
312 userdom_search_user_home_dirs($1)
313 ')
314
315 ########################################
316 ## <summary>
317 ## Create objects in a Gnome cache home directory
318 ## with an automatic type transition to
319 ## a specified private type.
320 ## </summary>
321 ## <param name="domain">
322 ## <summary>
323 ## Domain allowed access.
324 ## </summary>
325 ## </param>
326 ## <param name="private_type">
327 ## <summary>
328 ## The type of the object to create.
329 ## </summary>
330 ## </param>
331 ## <param name="object_class">
332 ## <summary>
333 ## The class of the object to be created.
334 ## </summary>
335 ## </param>
336 #
337 interface(`gnome_config_filetrans',`
338 gen_require(`
339 type config_home_t;
340 ')
341
342 filetrans_pattern($1, config_home_t, $2, $3, $4)
343 userdom_search_user_home_dirs($1)
344 ')
345
346 ########################################
347 ## <summary>
348 ## Read generic cache home files (.cache)
349 ## </summary>
350 ## <param name="domain">
351 ## <summary>
352 ## Domain allowed access.
353 ## </summary>
354 ## </param>
355 #
356 interface(`gnome_read_generic_cache_files',`
357 gen_require(`
358 type cache_home_t;
359 ')
360
361 read_files_pattern($1, cache_home_t, cache_home_t)
362 userdom_search_user_home_dirs($1)
363 ')
364
365 ########################################
366 ## <summary>
367 ## Set attributes of cache home dir (.cache)
368 ## </summary>
369 ## <param name="domain">
370 ## <summary>
371 ## Domain allowed access.
372 ## </summary>
373 ## </param>
374 #
375 interface(`gnome_setattr_cache_home_dir',`
376 gen_require(`
377 type cache_home_t;
378 ')
379
380 setattr_dirs_pattern($1, cache_home_t, cache_home_t)
381 userdom_search_user_home_dirs($1)
382 ')
383
384 ########################################
385 ## <summary>
386 ## append to generic cache home files (.cache)
387 ## </summary>
388 ## <param name="domain">
389 ## <summary>
390 ## Domain allowed access.
391 ## </summary>
392 ## </param>
393 #
394 interface(`gnome_append_generic_cache_files',`
395 gen_require(`
396 type cache_home_t;
397 ')
398
399 append_files_pattern($1, cache_home_t, cache_home_t)
400 userdom_search_user_home_dirs($1)
401 ')
402
403 ########################################
404 ## <summary>
405 ## write to generic cache home files (.cache)
406 ## </summary>
407 ## <param name="domain">
408 ## <summary>
409 ## Domain allowed access.
410 ## </summary>
411 ## </param>
412 #
413 interface(`gnome_write_generic_cache_files',`
414 gen_require(`
415 type cache_home_t;
416 ')
417
418 write_files_pattern($1, cache_home_t, cache_home_t)
419 userdom_search_user_home_dirs($1)
420 ')
421
422 ########################################
423 ## <summary>
424 ## Dontaudit read/write to generic cache home files (.cache)
425 ## </summary>
426 ## <param name="domain">
427 ## <summary>
428 ## Domain to not audit.
429 ## </summary>
430 ## </param>
431 #
432 interface(`gnome_dontaudit_rw_generic_cache_files',`
433 gen_require(`
434 type cache_home_t;
435 ')
436
437 dontaudit $1 cache_home_t:file rw_inherited_file_perms;
438 ')
439
440 ########################################
441 ## <summary>
442 ## read gnome homedir content (.config)
443 ## </summary>
444 ## <param name="domain">
445 ## <summary>
446 ## Domain allowed access.
447 ## </summary>
448 ## </param>
449 #
450 interface(`gnome_read_config',`
451 gen_require(`
452 attribute gnome_home_type;
453 ')
454
455 list_dirs_pattern($1, gnome_home_type, gnome_home_type)
456 read_files_pattern($1, gnome_home_type, gnome_home_type)
457 read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
458 ')
459
460 ########################################
461 ## <summary>
462 ## Create objects in a Gnome gconf home directory
463 ## with an automatic type transition to
464 ## a specified private type.
465 ## </summary>
466 ## <param name="domain">
467 ## <summary>
468 ## Domain allowed access.
469 ## </summary>
470 ## </param>
471 ## <param name="private_type">
472 ## <summary>
473 ## The type of the object to create.
474 ## </summary>
475 ## </param>
476 ## <param name="object_class">
477 ## <summary>
478 ## The class of the object to be created.
479 ## </summary>
480 ## </param>
481 #
482 interface(`gnome_data_filetrans',`
483 gen_require(`
484 type data_home_t;
485 ')
486
487 filetrans_pattern($1, data_home_t, $2, $3, $4)
488 gnome_search_gconf($1)
489 ')
490
491 #######################################
492 ## <summary>
493 ## Read generic data home files.
494 ## </summary>
495 ## <param name="domain">
496 ## <summary>
497 ## Domain allowed access.
498 ## </summary>
499 ## </param>
500 #
501 interface(`gnome_read_generic_data_home_files',`
502 gen_require(`
503 type data_home_t, gconf_home_t;
504 ')
505
506 read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
507 ')
508
509 #######################################
510 ## <summary>
511 ## Manage gconf data home files
512 ## </summary>
513 ## <param name="domain">
514 ## <summary>
515 ## Domain allowed access.
516 ## </summary>
517 ## </param>
518 #
519 interface(`gnome_manage_data',`
520 gen_require(`
521 type data_home_t;
522 type gconf_home_t;
523 ')
524
525 allow $1 gconf_home_t:dir search_dir_perms;
526 manage_dirs_pattern($1, data_home_t, data_home_t)
527 manage_files_pattern($1, data_home_t, data_home_t)
528 manage_lnk_files_pattern($1, data_home_t, data_home_t)
529 ')
530
531 ########################################
532 ## <summary>
533 ## Read icc data home content.
534 ## </summary>
535 ## <param name="domain">
536 ## <summary>
537 ## Domain allowed access.
538 ## </summary>
539 ## </param>
540 #
541 interface(`gnome_read_home_icc_data_content',`
542 gen_require(`
543 type icc_data_home_t, gconf_home_t, data_home_t;
544 ')
545
546 userdom_search_user_home_dirs($1)
547 allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
548 list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
549 read_files_pattern($1, icc_data_home_t, icc_data_home_t)
550 read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
551 ')
552
553 ########################################
554 ## <summary>
555 ## Read inherited icc data home files.
556 ## </summary>
557 ## <param name="domain">
558 ## <summary>
559 ## Domain allowed access.
560 ## </summary>
561 ## </param>
562 #
563 interface(`gnome_read_inherited_home_icc_data_files',`
564 gen_require(`
565 type icc_data_home_t;
566 ')
567
568 allow $1 icc_data_home_t:file read_inherited_file_perms;
569 ')
570
571 ########################################
572 ## <summary>
573 ## Create gconf_home_t objects in the /root directory
574 ## </summary>
575 ## <param name="domain">
576 ## <summary>
577 ## Domain allowed access.
578 ## </summary>
579 ## </param>
580 ## <param name="object_class">
581 ## <summary>
582 ## The class of the object to be created.
583 ## </summary>
584 ## </param>
585 #
586 interface(`gnome_admin_home_gconf_filetrans',`
587 gen_require(`
588 type gconf_home_t;
589 ')
590
591 userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
592 ')
593
594 ########################################
595 ## <summary>
596 ## Do not audit attempts to read
597 ## inherited gconf config files.
598 ## </summary>
599 ## <param name="domain">
600 ## <summary>
601 ## Domain to not audit.
602 ## </summary>
603 ## </param>
604 #
605 interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
606 gen_require(`
607 type gconf_etc_t;
608 ')
609
610 dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
611 ')
612
613 ########################################
614 ## <summary>
615 ## read gconf config files
616 ## </summary>
617 ## <param name="domain">
618 ## <summary>
619 ## Domain allowed access.
620 ## </summary>
621 ## </param>
622 #
623 interface(`gnome_read_gconf_config',`
624 gen_require(`
625 type gconf_etc_t;
626 ')
627
628 allow $1 gconf_etc_t:dir list_dir_perms;
629 read_files_pattern($1, gconf_etc_t, gconf_etc_t)
630 files_search_etc($1)
631 ')
632
633 #######################################
634 ## <summary>
635 ## Manage gconf config files
636 ## </summary>
637 ## <param name="domain">
638 ## <summary>
639 ## Domain allowed access.
640 ## </summary>
641 ## </param>
642 #
643 interface(`gnome_manage_gconf_config',`
644 gen_require(`
645 type gconf_etc_t;
646 ')
647
648 allow $1 gconf_etc_t:dir list_dir_perms;
649 manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
650 ')
651
652 ########################################
653 ## <summary>
654 ## Execute gconf programs in
655 ## in the caller domain.
656 ## </summary>
657 ## <param name="domain">
658 ## <summary>
659 ## Domain allowed access.
660 ## </summary>
661 ## </param>
662 #
663 interface(`gnome_exec_gconf',`
664 gen_require(`
665 type gconfd_exec_t;
666 ')
667
668 can_exec($1, gconfd_exec_t)
669 ')
670
671 ########################################
672 ## <summary>
673 ## Execute gnome keyringd in the caller domain.
674 ## </summary>
675 ## <param name="domain">
676 ## <summary>
677 ## Domain allowed access.
678 ## </summary>
679 ## </param>
680 #
681 interface(`gnome_exec_keyringd',`
682 gen_require(`
683 type gkeyringd_exec_t;
684 ')
685
686 can_exec($1, gkeyringd_exec_t)
687 corecmd_search_bin($1)
688 ')
689
690 ########################################
691 ## <summary>
692 ## Read gconf home files
693 ## </summary>
694 ## <param name="domain">
695 ## <summary>
696 ## Domain allowed access.
697 ## </summary>
698 ## </param>
699 #
700 interface(`gnome_read_gconf_home_files',`
701 gen_require(`
702 type gconf_home_t;
703 type data_home_t;
704 ')
705
706 userdom_search_user_home_dirs($1)
707 allow $1 gconf_home_t:dir list_dir_perms;
708 allow $1 data_home_t:dir list_dir_perms;
709 read_files_pattern($1, gconf_home_t, gconf_home_t)
710 read_files_pattern($1, data_home_t, data_home_t)
711 read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
712 read_lnk_files_pattern($1, data_home_t, data_home_t)
713 ')
714
715 ########################################
716 ## <summary>
717 ## Search gkeyringd temporary directories.
718 ## </summary>
719 ## <param name="domain">
720 ## <summary>
721 ## Domain allowed access.
722 ## </summary>
723 ## </param>
724 #
725 interface(`gnome_search_gkeyringd_tmp_dirs',`
726 gen_require(`
727 type gkeyringd_tmp_t;
728 ')
729
730 files_search_tmp($1)
731 allow $1 gkeyringd_tmp_t:dir search_dir_perms;
732 ')
733
734 ########################################
735 ## <summary>
736 ## search gconf homedir (.local)
737 ## </summary>
738 ## <param name="domain">
739 ## <summary>
740 ## Domain allowed access.
741 ## </summary>
742 ## </param>
743 #
744 interface(`gnome_search_gconf',`
745 gen_require(`
746 type gconf_home_t;
747 ')
748
749 allow $1 gconf_home_t:dir search_dir_perms;
750 userdom_search_user_home_dirs($1)
751 ')
752
753 ########################################
754 ## <summary>
755 ## Set attributes of Gnome config dirs.
756 ## </summary>
757 ## <param name="domain">
758 ## <summary>
759 ## Domain allowed access.
760 ## </summary>
761 ## </param>
762 #
763 interface(`gnome_setattr_config_dirs',`
764 gen_require(`
765 type gnome_home_t;
766 ')
767
768 setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
769 files_search_home($1)
770 ')
771
772 ########################################
773 ## <summary>
774 ## Manage generic gnome home files.
775 ## </summary>
776 ## <param name="domain">
777 ## <summary>
778 ## Domain allowed access.
779 ## </summary>
780 ## </param>
781 #
782 interface(`gnome_manage_generic_home_files',`
783 gen_require(`
784 type gnome_home_t;
785 ')
786
787 userdom_search_user_home_dirs($1)
788 manage_files_pattern($1, gnome_home_t, gnome_home_t)
789 ')
790
791 ########################################
792 ## <summary>
793 ## Manage generic gnome home directories.
794 ## </summary>
795 ## <param name="domain">
796 ## <summary>
797 ## Domain allowed access.
798 ## </summary>
799 ## </param>
800 #
801 interface(`gnome_manage_generic_home_dirs',`
802 gen_require(`
803 type gnome_home_t;
804 ')
805
806 userdom_search_user_home_dirs($1)
807 allow $1 gnome_home_t:dir manage_dir_perms;
808 ')
809
810 ########################################
811 ## <summary>
812 ## Append gconf home files
813 ## </summary>
814 ## <param name="domain">
815 ## <summary>
816 ## Domain allowed access.
817 ## </summary>
818 ## </param>
819 #
820 interface(`gnome_append_gconf_home_files',`
821 gen_require(`
822 type gconf_home_t;
823 ')
824
825 append_files_pattern($1, gconf_home_t, gconf_home_t)
826 ')
827
828 ########################################
829 ## <summary>
830 ## manage gconf home files
831 ## </summary>
832 ## <param name="domain">
833 ## <summary>
834 ## Domain allowed access.
835 ## </summary>
836 ## </param>
837 #
838 interface(`gnome_manage_gconf_home_files',`
839 gen_require(`
840 type gconf_home_t;
841 ')
842
843 allow $1 gconf_home_t:dir list_dir_perms;
844 manage_files_pattern($1, gconf_home_t, gconf_home_t)
845 ')
846
847 ########################################
848 ## <summary>
849 ## Connect to gnome over an unix stream socket.
850 ## </summary>
851 ## <param name="domain">
852 ## <summary>
853 ## Domain allowed access.
854 ## </summary>
855 ## </param>
856 ## <param name="user_domain">
857 ## <summary>
858 ## The type of the user domain.
859 ## </summary>
860 ## </param>
861 #
862 interface(`gnome_stream_connect',`
863 gen_require(`
864 attribute gnome_home_type;
865 ')
866
867 # Connect to pulseaudit server
868 stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
869 ')
870
871 ########################################
872 ## <summary>
873 ## list gnome homedir content (.config)
874 ## </summary>
875 ## <param name="domain">
876 ## <summary>
877 ## Domain allowed access.
878 ## </summary>
879 ## </param>
880 #
881 interface(`gnome_list_home_config',`
882 gen_require(`
883 type config_home_t;
884 ')
885
886 allow $1 config_home_t:dir list_dir_perms;
887 ')
888
889 ########################################
890 ## <summary>
891 ## Set attributes of gnome homedir content (.config)
892 ## </summary>
893 ## <param name="domain">
894 ## <summary>
895 ## Domain allowed access.
896 ## </summary>
897 ## </param>
898 #
899 interface(`gnome_setattr_home_config',`
900 gen_require(`
901 type config_home_t;
902 ')
903
904 setattr_dirs_pattern($1, config_home_t, config_home_t)
905 userdom_search_user_home_dirs($1)
906 ')
907
908 ########################################
909 ## <summary>
910 ## read gnome homedir content (.config)
911 ## </summary>
912 ## <param name="domain">
913 ## <summary>
914 ## Domain allowed access.
915 ## </summary>
916 ## </param>
917 #
918 interface(`gnome_read_home_config',`
919 gen_require(`
920 type config_home_t;
921 ')
922
923 list_dirs_pattern($1, config_home_t, config_home_t)
924 read_files_pattern($1, config_home_t, config_home_t)
925 read_lnk_files_pattern($1, config_home_t, config_home_t)
926 ')
927
928 #######################################
929 ## <summary>
930 ## delete gnome homedir content (.config)
931 ## </summary>
932 ## <param name="domain">
933 ## <summary>
934 ## Domain allowed access.
935 ## </summary>
936 ## </param>
937 #
938 interface(`gnome_delete_home_config',`
939 gen_require(`
940 type config_home_t;
941 ')
942
943 delete_files_pattern($1, config_home_t, config_home_t)
944 ')
945
946 #######################################
947 ## <summary>
948 ## setattr gnome homedir content (.config)
949 ## </summary>
950 ## <param name="domain">
951 ## <summary>
952 ## Domain allowed access.
953 ## </summary>
954 ## </param>
955 #
956 interface(`gnome_setattr_home_config_dirs',`
957 gen_require(`
958 type config_home_t;
959 ')
960
961 setattr_dirs_pattern($1, config_home_t, config_home_t)
962 ')
963
964 ########################################
965 ## <summary>
966 ## manage gnome homedir content (.config)
967 ## </summary>
968 ## <param name="domain">
969 ## <summary>
970 ## Domain allowed access.
971 ## </summary>
972 ## </param>
973 #
974 interface(`gnome_manage_home_config',`
975 gen_require(`
976 type config_home_t;
977 ')
978
979 manage_files_pattern($1, config_home_t, config_home_t)
980 ')
981
982 #######################################
983 ## <summary>
984 ## delete gnome homedir content (.config)
985 ## </summary>
986 ## <param name="domain">
987 ## <summary>
988 ## Domain allowed access.
989 ## </summary>
990 ## </param>
991 #
992 interface(`gnome_delete_home_config_dirs',`
993 gen_require(`
994 type config_home_t;
995 ')
996
997 delete_dirs_pattern($1, config_home_t, config_home_t)
998 ')
999
1000 ########################################
1001 ## <summary>
1002 ## manage gnome homedir content (.config)
1003 ## </summary>
1004 ## <param name="domain">
1005 ## <summary>
1006 ## Domain allowed access.
1007 ## </summary>
1008 ## </param>
1009 #
1010 interface(`gnome_manage_home_config_dirs',`
1011 gen_require(`
1012 type config_home_t;
1013 ')
1014
1015 manage_dirs_pattern($1, config_home_t, config_home_t)
1016 ')
1017
1018 ########################################
1019 ## <summary>
1020 ## manage gstreamer home content files.
1021 ## </summary>
1022 ## <param name="domain">
1023 ## <summary>
1024 ## Domain allowed access.
1025 ## </summary>
1026 ## </param>
1027 #
1028 interface(`gnome_manage_gstreamer_home_files',`
1029 gen_require(`
1030 type gstreamer_home_t;
1031 ')
1032
1033 manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
1034 ')
1035
1036 ########################################
1037 ## <summary>
1038 ## Read/Write all inherited gnome home config
1039 ## </summary>
1040 ## <param name="domain">
1041 ## <summary>
1042 ## Domain allowed access.
1043 ## </summary>
1044 ## </param>
1045 #
1046 interface(`gnome_rw_inherited_config',`
1047 gen_require(`
1048 attribute gnome_home_type;
1049 ')
1050
1051 allow $1 gnome_home_type:file rw_inherited_file_perms;
1052 ')
1053
1054 ########################################
1055 ## <summary>
1056 ## Send and receive messages from
1057 ## gconf system service over dbus.
1058 ## </summary>
1059 ## <param name="domain">
1060 ## <summary>
1061 ## Domain allowed access.
1062 ## </summary>
1063 ## </param>
1064 #
1065 interface(`gnome_dbus_chat_gconfdefault',`
1066 gen_require(`
1067 type gconfdefaultsm_t;
1068 class dbus send_msg;
1069 ')
1070
1071 allow $1 gconfdefaultsm_t:dbus send_msg;
1072 allow gconfdefaultsm_t $1:dbus send_msg;
1073 ')
1074
1075 ########################################
1076 ## <summary>
1077 ## Send and receive messages from
1078 ## gkeyringd over dbus.
1079 ## </summary>
1080 ## <param name="domain">
1081 ## <summary>
1082 ## Domain allowed access.
1083 ## </summary>
1084 ## </param>
1085 #
1086 interface(`gnome_dbus_chat_gkeyringd',`
1087 gen_require(`
1088 attribute gkeyringd_domain;
1089 class dbus send_msg;
1090 ')
1091
1092 allow $1 gkeyringd_domain:dbus send_msg;
1093 allow gkeyringd_domain $1:dbus send_msg;
1094 ')
1095
1096 ########################################
1097 ## <summary>
1098 ## Send signull signal to gkeyringd processes.
1099 ## </summary>
1100 ## <param name="domain">
1101 ## <summary>
1102 ## Domain allowed access.
1103 ## </summary>
1104 ## </param>
1105 #
1106 interface(`gnome_signull_gkeyringd',`
1107 gen_require(`
1108 attribute gkeyringd_domain;
1109 ')
1110
1111 allow $1 gkeyringd_domain:process signull;
1112 ')
1113
1114 ########################################
1115 ## <summary>
1116 ## Allow the domain to read gkeyringd state files in /proc.
1117 ## </summary>
1118 ## <param name="domain">
1119 ## <summary>
1120 ## Domain allowed access.
1121 ## </summary>
1122 ## </param>
1123 #
1124 interface(`gnome_read_gkeyringd_state',`
1125 gen_require(`
1126 attribute gkeyringd_domain;
1127 ')
1128
1129 ps_process_pattern($1, gkeyringd_domain)
1130 ')
1131
1132 ########################################
1133 ## <summary>
1134 ## Create directories in user home directories
1135 ## with the gnome home file type.
1136 ## </summary>
1137 ## <param name="domain">
1138 ## <summary>
1139 ## Domain allowed access.
1140 ## </summary>
1141 ## </param>
1142 #
1143 interface(`gnome_home_dir_filetrans',`
1144 gen_require(`
1145 type gnome_home_t;
1146 ')
1147
1148 userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
1149 userdom_search_user_home_dirs($1)
1150 ')
1151
1152 ########################################
1153 ## <summary>
1154 ## Execute gnome-keyring in the user gkeyring domain
1155 ## </summary>
1156 ## <param name="domain">
1157 ## <summary>
1158 ## Domain allowed access
1159 ## </summary>
1160 ## </param>
1161 ## <param name="role">
1162 ## <summary>
1163 ## The role to be allowed the gkeyring domain.
1164 ## </summary>
1165 ## </param>
1166 #
1167 interface(`gnome_transition_gkeyringd',`
1168 gen_require(`
1169 attribute gkeyringd_domain;
1170 ')
1171
1172 allow $1 gkeyringd_domain:process transition;
1173 dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
1174 allow gkeyringd_domain $1:process { sigchld signull };
1175 allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
1176 ')
1177
1178 ########################################
1179 ## <summary>
1180 ## Create gnome content in the user home directory
1181 ## with an correct label.
1182 ## </summary>
1183 ## <param name="domain">
1184 ## <summary>
1185 ## Domain allowed access.
1186 ## </summary>
1187 ## </param>
1188 #
1189 interface(`gnome_filetrans_home_content',`
1190
1191 gen_require(`
1192 type config_home_t;
1193 type cache_home_t;
1194 type gstreamer_home_t;
1195 type gconf_home_t;
1196 type gnome_home_t;
1197 type data_home_t, icc_data_home_t;
1198 type gkeyringd_gnome_home_t;
1199 ')
1200
1201 userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
1202 userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
1203 userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
1204 userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
1205 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
1206 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
1207 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
1208 userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
1209 userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
1210 userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
1211 # ~/.color/icc: legacy
1212 userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
1213 filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
1214 filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
1215 filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
1216 userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
1217 ')
1218
1219 ########################################
1220 ## <summary>
1221 ## Create gnome directory in the /root directory
1222 ## with an correct label.
1223 ## </summary>
1224 ## <param name="domain">
1225 ## <summary>
1226 ## Domain allowed access.
1227 ## </summary>
1228 ## </param>
1229 #
1230 interface(`gnome_filetrans_admin_home_content',`
1231
1232 gen_require(`
1233 type config_home_t;
1234 type cache_home_t;
1235 type gstreamer_home_t;
1236 type gconf_home_t;
1237 type gnome_home_t;
1238 type icc_data_home_t;
1239 ')
1240
1241 userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
1242 userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
1243 userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
1244 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
1245 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
1246 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
1247 userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
1248 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
1249 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
1250 # /root/.color/icc: legacy
1251 userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
1252 ')
1253
1254 ######################################
1255 ## <summary>
1256 ## Execute gnome-keyring executable
1257 ## in the specified domain.
1258 ## </summary>
1259 ## <desc>
1260 ## <p>
1261 ## Execute a telepathy executable
1262 ## in the specified domain. This allows
1263 ## the specified domain to execute any file
1264 ## on these filesystems in the specified
1265 ## domain.
1266 ## </p>
1267 ## <p>
1268 ## No interprocess communication (signals, pipes,
1269 ## etc.) is provided by this interface since
1270 ## the domains are not owned by this module.
1271 ## </p>
1272 ## <p>
1273 ## This interface was added to handle
1274 ## the ssh-agent policy.
1275 ## </p>
1276 ## </desc>
1277 ## <param name="domain">
1278 ## <summary>
1279 ## Domain allowed to transition.
1280 ## </summary>
1281 ## </param>
1282 ## <param name="target_domain">
1283 ## <summary>
1284 ## The type of the new process.
1285 ## </summary>
1286 ## </param>
1287 #
1288 interface(`gnome_command_domtrans_gkeyringd', `
1289 gen_require(`
1290 type gkeyringd_exec_t;
1291 ')
1292
1293 allow $2 gkeyringd_exec_t:file entrypoint;
1294 domain_transition_pattern($1, gkeyringd_exec_t, $2)
1295 type_transition $1 gkeyringd_exec_t:process $2;
1296 ')
The IPFire selinux policy.