]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/apps/gnome.if
projects / people / stevee / selinux-policy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
[people/stevee/selinux-policy.git] / policy / modules / apps / gnome.if
1 ## <summary>GNU network object model environment (GNOME)</summary>
2
3 ###########################################################
4 ## <summary>
5 ## Role access for gnome
6 ## </summary>
7 ## <param name="role">
8 ## <summary>
9 ## Role allowed access
10 ## </summary>
11 ## </param>
12 ## <param name="domain">
13 ## <summary>
14 ## User domain for the role
15 ## </summary>
16 ## </param>
17 #
18 interface(`gnome_role',`
19 gen_require(`
20 type gconfd_t, gconfd_exec_t;
21 type gconf_tmp_t;
22 ')
23
24 role $1 types gconfd_t;
25
26 domain_auto_trans($2, gconfd_exec_t, gconfd_t)
27 allow gconfd_t $2:fd use;
28 allow gconfd_t $2:fifo_file write;
29 allow gconfd_t $2:unix_stream_socket connectto;
30
31 ps_process_pattern($2, gconfd_t)
32
33 #gnome_stream_connect_gconf_template($1, $2)
34 read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
35 allow $2 gconfd_t:unix_stream_socket connectto;
36 ')
37
38 ######################################
39 ## <summary>
40 ## The role template for the gnome-keyring-daemon.
41 ## </summary>
42 ## <param name="user_prefix">
43 ## <summary>
44 ## The user prefix.
45 ## </summary>
46 ## </param>
47 ## <param name="user_role">
48 ## <summary>
49 ## The user role.
50 ## </summary>
51 ## </param>
52 ## <param name="user_domain">
53 ## <summary>
54 ## The user domain associated with the role.
55 ## </summary>
56 ## </param>
57 #
58 interface(`gnome_role_gkeyringd',`
59 gen_require(`
60 attribute gkeyringd_domain;
61 attribute gnomedomain;
62 type gnome_home_t;
63 type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
64 class dbus send_msg;
65 ')
66
67 type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
68 typealias $1_gkeyringd_t alias gkeyringd_$1_t;
69 application_domain($1_gkeyringd_t, gkeyringd_exec_t)
70 ubac_constrained($1_gkeyringd_t)
71 domain_user_exemption_target($1_gkeyringd_t)
72
73 userdom_home_manager($1_gkeyringd_t)
74
75 role $2 types $1_gkeyringd_t;
76
77 domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
78
79 allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
80 allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
81
82 allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
83 allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
84
85 corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
86 corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
87 allow $1_gkeyringd_t $3:process sigkill;
88 allow $3 $1_gkeyringd_t:fd use;
89 allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
90
91 ps_process_pattern($1_gkeyringd_t, $3)
92
93 auth_use_nsswitch($1_gkeyringd_t)
94
95 ps_process_pattern($3, $1_gkeyringd_t)
96 allow $3 $1_gkeyringd_t:process signal_perms;
97 dontaudit $3 gkeyringd_exec_t:file entrypoint;
98
99 stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
100
101 allow $1_gkeyringd_t $3:dbus send_msg;
102 allow $3 $1_gkeyringd_t:dbus send_msg;
103 optional_policy(`
104 dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
105 dbus_session_bus_client($1_gkeyringd_t)
106 gnome_home_dir_filetrans($1_gkeyringd_t)
107 gnome_manage_generic_home_dirs($1_gkeyringd_t)
108 gnome_read_generic_data_home_files($1_gkeyringd_t)
109
110 optional_policy(`
111 telepathy_mission_control_read_state($1_gkeyringd_t)
112 ')
113 ')
114 ')
115
116 ########################################
117 ## <summary>
118 ## gconf connection template.
119 ## </summary>
120 ## <param name="domain">
121 ## <summary>
122 ## Domain allowed access.
123 ## </summary>
124 ## </param>
125 #
126 interface(`gnome_stream_connect_gconf',`
127 gen_require(`
128 type gconfd_t, gconf_tmp_t;
129 ')
130
131 read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
132 allow $1 gconfd_t:unix_stream_socket connectto;
133 ')
134
135 ########################################
136 ## <summary>
137 ## Connect to gkeyringd with a unix stream socket.
138 ## </summary>
139 ## <param name="domain">
140 ## <summary>
141 ## Domain allowed access.
142 ## </summary>
143 ## </param>
144 #
145 interface(`gnome_stream_connect_gkeyringd',`
146 gen_require(`
147 attribute gkeyringd_domain;
148 type gkeyringd_tmp_t;
149 type gconf_tmp_t;
150 ')
151
152 allow $1 gconf_tmp_t:dir search_dir_perms;
153 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
154 ')
155
156 ########################################
157 ## <summary>
158 ## Connect to gkeyringd with a unix stream socket.
159 ## </summary>
160 ## <param name="domain">
161 ## <summary>
162 ## Domain allowed access.
163 ## </summary>
164 ## </param>
165 #
166 interface(`gnome_stream_connect_all_gkeyringd',`
167 gen_require(`
168 attribute gkeyringd_domain;
169 type gkeyringd_tmp_t;
170 type gconf_tmp_t;
171 ')
172
173 allow $1 gconf_tmp_t:dir search_dir_perms;
174 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
175 ')
176
177 ########################################
178 ## <summary>
179 ## Run gconfd in gconfd domain.
180 ## </summary>
181 ## <param name="domain">
182 ## <summary>
183 ## Domain allowed access.
184 ## </summary>
185 ## </param>
186 #
187 interface(`gnome_domtrans_gconfd',`
188 gen_require(`
189 type gconfd_t, gconfd_exec_t;
190 ')
191
192 domtrans_pattern($1, gconfd_exec_t, gconfd_t)
193 ')
194
195 ########################################
196 ## <summary>
197 ## Dontaudit read gnome homedir content (.config)
198 ## </summary>
199 ## <param name="domain">
200 ## <summary>
201 ## Domain to not audit.
202 ## </summary>
203 ## </param>
204 #
205 interface(`gnome_dontaudit_read_config',`
206 gen_require(`
207 attribute gnome_home_type;
208 ')
209
210 dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
211 ')
212
213 ########################################
214 ## <summary>
215 ## Dontaudit search gnome homedir content (.config)
216 ## </summary>
217 ## <param name="domain">
218 ## <summary>
219 ## Domain to not audit.
220 ## </summary>
221 ## </param>
222 #
223 interface(`gnome_dontaudit_search_config',`
224 gen_require(`
225 attribute gnome_home_type;
226 ')
227
228 dontaudit $1 gnome_home_type:dir search_dir_perms;
229 ')
230
231 ########################################
232 ## <summary>
233 ## manage gnome homedir content (.config)
234 ## </summary>
235 ## <param name="domain">
236 ## <summary>
237 ## Domain allowed access.
238 ## </summary>
239 ## </param>
240 #
241 interface(`gnome_manage_config',`
242 gen_require(`
243 attribute gnome_home_type;
244 ')
245
246 allow $1 gnome_home_type:dir manage_dir_perms;
247 allow $1 gnome_home_type:file manage_file_perms;
248 allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
249 userdom_search_user_home_dirs($1)
250 ')
251
252 ########################################
253 ## <summary>
254 ## Send general signals to all gconf domains.
255 ## </summary>
256 ## <param name="domain">
257 ## <summary>
258 ## Domain allowed access.
259 ## </summary>
260 ## </param>
261 #
262 interface(`gnome_signal_all',`
263 gen_require(`
264 attribute gnomedomain;
265 ')
266
267 allow $1 gnomedomain:process signal;
268 ')
269
270 ########################################
271 ## <summary>
272 ## Create objects in a Gnome cache home directory
273 ## with an automatic type transition to
274 ## a specified private type.
275 ## </summary>
276 ## <param name="domain">
277 ## <summary>
278 ## Domain allowed access.
279 ## </summary>
280 ## </param>
281 ## <param name="private_type">
282 ## <summary>
283 ## The type of the object to create.
284 ## </summary>
285 ## </param>
286 ## <param name="object_class">
287 ## <summary>
288 ## The class of the object to be created.
289 ## </summary>
290 ## </param>
291 #
292 interface(`gnome_cache_filetrans',`
293 gen_require(`
294 type cache_home_t;
295 ')
296
297 filetrans_pattern($1, cache_home_t, $2, $3, $4)
298 userdom_search_user_home_dirs($1)
299 ')
300
301 ########################################
302 ## <summary>
303 ## Create objects in a Gnome cache home directory
304 ## with an automatic type transition to
305 ## a specified private type.
306 ## </summary>
307 ## <param name="domain">
308 ## <summary>
309 ## Domain allowed access.
310 ## </summary>
311 ## </param>
312 ## <param name="private_type">
313 ## <summary>
314 ## The type of the object to create.
315 ## </summary>
316 ## </param>
317 ## <param name="object_class">
318 ## <summary>
319 ## The class of the object to be created.
320 ## </summary>
321 ## </param>
322 #
323 interface(`gnome_config_filetrans',`
324 gen_require(`
325 type config_home_t;
326 ')
327
328 filetrans_pattern($1, config_home_t, $2, $3, $4)
329 userdom_search_user_home_dirs($1)
330 ')
331
332 ########################################
333 ## <summary>
334 ## Read generic cache home files (.cache)
335 ## </summary>
336 ## <param name="domain">
337 ## <summary>
338 ## Domain allowed access.
339 ## </summary>
340 ## </param>
341 #
342 interface(`gnome_read_generic_cache_files',`
343 gen_require(`
344 type cache_home_t;
345 ')
346
347 read_files_pattern($1, cache_home_t, cache_home_t)
348 userdom_search_user_home_dirs($1)
349 ')
350
351 ########################################
352 ## <summary>
353 ## Set attributes of cache home dir (.cache)
354 ## </summary>
355 ## <param name="domain">
356 ## <summary>
357 ## Domain allowed access.
358 ## </summary>
359 ## </param>
360 #
361 interface(`gnome_setattr_cache_home_dir',`
362 gen_require(`
363 type cache_home_t;
364 ')
365
366 setattr_dirs_pattern($1, cache_home_t, cache_home_t)
367 userdom_search_user_home_dirs($1)
368 ')
369
370 ########################################
371 ## <summary>
372 ## append to generic cache home files (.cache)
373 ## </summary>
374 ## <param name="domain">
375 ## <summary>
376 ## Domain allowed access.
377 ## </summary>
378 ## </param>
379 #
380 interface(`gnome_append_generic_cache_files',`
381 gen_require(`
382 type cache_home_t;
383 ')
384
385 append_files_pattern($1, cache_home_t, cache_home_t)
386 userdom_search_user_home_dirs($1)
387 ')
388
389 ########################################
390 ## <summary>
391 ## write to generic cache home files (.cache)
392 ## </summary>
393 ## <param name="domain">
394 ## <summary>
395 ## Domain allowed access.
396 ## </summary>
397 ## </param>
398 #
399 interface(`gnome_write_generic_cache_files',`
400 gen_require(`
401 type cache_home_t;
402 ')
403
404 write_files_pattern($1, cache_home_t, cache_home_t)
405 userdom_search_user_home_dirs($1)
406 ')
407
408 ########################################
409 ## <summary>
410 ## Dontaudit read/write to generic cache home files (.cache)
411 ## </summary>
412 ## <param name="domain">
413 ## <summary>
414 ## Domain to not audit.
415 ## </summary>
416 ## </param>
417 #
418 interface(`gnome_dontaudit_rw_generic_cache_files',`
419 gen_require(`
420 type cache_home_t;
421 ')
422
423 dontaudit $1 cache_home_t:file rw_inherited_file_perms;
424 ')
425
426 ########################################
427 ## <summary>
428 ## read gnome homedir content (.config)
429 ## </summary>
430 ## <param name="domain">
431 ## <summary>
432 ## Domain allowed access.
433 ## </summary>
434 ## </param>
435 #
436 interface(`gnome_read_config',`
437 gen_require(`
438 attribute gnome_home_type;
439 ')
440
441 list_dirs_pattern($1, gnome_home_type, gnome_home_type)
442 read_files_pattern($1, gnome_home_type, gnome_home_type)
443 read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
444 ')
445
446 ########################################
447 ## <summary>
448 ## Create objects in a Gnome gconf home directory
449 ## with an automatic type transition to
450 ## a specified private type.
451 ## </summary>
452 ## <param name="domain">
453 ## <summary>
454 ## Domain allowed access.
455 ## </summary>
456 ## </param>
457 ## <param name="private_type">
458 ## <summary>
459 ## The type of the object to create.
460 ## </summary>
461 ## </param>
462 ## <param name="object_class">
463 ## <summary>
464 ## The class of the object to be created.
465 ## </summary>
466 ## </param>
467 #
468 interface(`gnome_data_filetrans',`
469 gen_require(`
470 type data_home_t;
471 ')
472
473 filetrans_pattern($1, data_home_t, $2, $3, $4)
474 gnome_search_gconf($1)
475 ')
476
477 #######################################
478 ## <summary>
479 ## Read generic data home files.
480 ## </summary>
481 ## <param name="domain">
482 ## <summary>
483 ## Domain allowed access.
484 ## </summary>
485 ## </param>
486 #
487 interface(`gnome_read_generic_data_home_files',`
488 gen_require(`
489 type data_home_t, gconf_home_t;
490 ')
491
492 read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
493 ')
494
495 #######################################
496 ## <summary>
497 ## Manage gconf data home files
498 ## </summary>
499 ## <param name="domain">
500 ## <summary>
501 ## Domain allowed access.
502 ## </summary>
503 ## </param>
504 #
505 interface(`gnome_manage_data',`
506 gen_require(`
507 type data_home_t;
508 type gconf_home_t;
509 ')
510
511 allow $1 gconf_home_t:dir search_dir_perms;
512 manage_dirs_pattern($1, data_home_t, data_home_t)
513 manage_files_pattern($1, data_home_t, data_home_t)
514 manage_lnk_files_pattern($1, data_home_t, data_home_t)
515 ')
516
517 ########################################
518 ## <summary>
519 ## Read icc data home content.
520 ## </summary>
521 ## <param name="domain">
522 ## <summary>
523 ## Domain allowed access.
524 ## </summary>
525 ## </param>
526 #
527 interface(`gnome_read_home_icc_data_content',`
528 gen_require(`
529 type icc_data_home_t, gconf_home_t, data_home_t;
530 ')
531
532 userdom_search_user_home_dirs($1)
533 allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
534 list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
535 read_files_pattern($1, icc_data_home_t, icc_data_home_t)
536 read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
537 ')
538
539 ########################################
540 ## <summary>
541 ## Read inherited icc data home files.
542 ## </summary>
543 ## <param name="domain">
544 ## <summary>
545 ## Domain allowed access.
546 ## </summary>
547 ## </param>
548 #
549 interface(`gnome_read_inherited_home_icc_data_files',`
550 gen_require(`
551 type icc_data_home_t;
552 ')
553
554 allow $1 icc_data_home_t:file read_inherited_file_perms;
555 ')
556
557 ########################################
558 ## <summary>
559 ## Create gconf_home_t objects in the /root directory
560 ## </summary>
561 ## <param name="domain">
562 ## <summary>
563 ## Domain allowed access.
564 ## </summary>
565 ## </param>
566 ## <param name="object_class">
567 ## <summary>
568 ## The class of the object to be created.
569 ## </summary>
570 ## </param>
571 #
572 interface(`gnome_admin_home_gconf_filetrans',`
573 gen_require(`
574 type gconf_home_t;
575 ')
576
577 userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
578 ')
579
580 ########################################
581 ## <summary>
582 ## Do not audit attempts to read
583 ## inherited gconf config files.
584 ## </summary>
585 ## <param name="domain">
586 ## <summary>
587 ## Domain to not audit.
588 ## </summary>
589 ## </param>
590 #
591 interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
592 gen_require(`
593 type gconf_etc_t;
594 ')
595
596 dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
597 ')
598
599 ########################################
600 ## <summary>
601 ## read gconf config files
602 ## </summary>
603 ## <param name="domain">
604 ## <summary>
605 ## Domain allowed access.
606 ## </summary>
607 ## </param>
608 #
609 interface(`gnome_read_gconf_config',`
610 gen_require(`
611 type gconf_etc_t;
612 ')
613
614 allow $1 gconf_etc_t:dir list_dir_perms;
615 read_files_pattern($1, gconf_etc_t, gconf_etc_t)
616 files_search_etc($1)
617 ')
618
619 #######################################
620 ## <summary>
621 ## Manage gconf config files
622 ## </summary>
623 ## <param name="domain">
624 ## <summary>
625 ## Domain allowed access.
626 ## </summary>
627 ## </param>
628 #
629 interface(`gnome_manage_gconf_config',`
630 gen_require(`
631 type gconf_etc_t;
632 ')
633
634 allow $1 gconf_etc_t:dir list_dir_perms;
635 manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
636 ')
637
638 ########################################
639 ## <summary>
640 ## Execute gconf programs in
641 ## in the caller domain.
642 ## </summary>
643 ## <param name="domain">
644 ## <summary>
645 ## Domain allowed access.
646 ## </summary>
647 ## </param>
648 #
649 interface(`gnome_exec_gconf',`
650 gen_require(`
651 type gconfd_exec_t;
652 ')
653
654 can_exec($1, gconfd_exec_t)
655 ')
656
657 ########################################
658 ## <summary>
659 ## Execute gnome keyringd in the caller domain.
660 ## </summary>
661 ## <param name="domain">
662 ## <summary>
663 ## Domain allowed access.
664 ## </summary>
665 ## </param>
666 #
667 interface(`gnome_exec_keyringd',`
668 gen_require(`
669 type gkeyringd_exec_t;
670 ')
671
672 can_exec($1, gkeyringd_exec_t)
673 corecmd_search_bin($1)
674 ')
675
676 ########################################
677 ## <summary>
678 ## Read gconf home files
679 ## </summary>
680 ## <param name="domain">
681 ## <summary>
682 ## Domain allowed access.
683 ## </summary>
684 ## </param>
685 #
686 interface(`gnome_read_gconf_home_files',`
687 gen_require(`
688 type gconf_home_t;
689 type data_home_t;
690 ')
691
692 userdom_search_user_home_dirs($1)
693 allow $1 gconf_home_t:dir list_dir_perms;
694 allow $1 data_home_t:dir list_dir_perms;
695 read_files_pattern($1, gconf_home_t, gconf_home_t)
696 read_files_pattern($1, data_home_t, data_home_t)
697 read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
698 read_lnk_files_pattern($1, data_home_t, data_home_t)
699 ')
700
701 ########################################
702 ## <summary>
703 ## Search gkeyringd temporary directories.
704 ## </summary>
705 ## <param name="domain">
706 ## <summary>
707 ## Domain allowed access.
708 ## </summary>
709 ## </param>
710 #
711 interface(`gnome_search_gkeyringd_tmp_dirs',`
712 gen_require(`
713 type gkeyringd_tmp_t;
714 ')
715
716 files_search_tmp($1)
717 allow $1 gkeyringd_tmp_t:dir search_dir_perms;
718 ')
719
720 ########################################
721 ## <summary>
722 ## search gconf homedir (.local)
723 ## </summary>
724 ## <param name="domain">
725 ## <summary>
726 ## Domain allowed access.
727 ## </summary>
728 ## </param>
729 #
730 interface(`gnome_search_gconf',`
731 gen_require(`
732 type gconf_home_t;
733 ')
734
735 allow $1 gconf_home_t:dir search_dir_perms;
736 userdom_search_user_home_dirs($1)
737 ')
738
739 ########################################
740 ## <summary>
741 ## Set attributes of Gnome config dirs.
742 ## </summary>
743 ## <param name="domain">
744 ## <summary>
745 ## Domain allowed access.
746 ## </summary>
747 ## </param>
748 #
749 interface(`gnome_setattr_config_dirs',`
750 gen_require(`
751 type gnome_home_t;
752 ')
753
754 setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
755 files_search_home($1)
756 ')
757
758 ########################################
759 ## <summary>
760 ## Manage generic gnome home files.
761 ## </summary>
762 ## <param name="domain">
763 ## <summary>
764 ## Domain allowed access.
765 ## </summary>
766 ## </param>
767 #
768 interface(`gnome_manage_generic_home_files',`
769 gen_require(`
770 type gnome_home_t;
771 ')
772
773 userdom_search_user_home_dirs($1)
774 manage_files_pattern($1, gnome_home_t, gnome_home_t)
775 ')
776
777 ########################################
778 ## <summary>
779 ## Manage generic gnome home directories.
780 ## </summary>
781 ## <param name="domain">
782 ## <summary>
783 ## Domain allowed access.
784 ## </summary>
785 ## </param>
786 #
787 interface(`gnome_manage_generic_home_dirs',`
788 gen_require(`
789 type gnome_home_t;
790 ')
791
792 userdom_search_user_home_dirs($1)
793 allow $1 gnome_home_t:dir manage_dir_perms;
794 ')
795
796 ########################################
797 ## <summary>
798 ## Append gconf home files
799 ## </summary>
800 ## <param name="domain">
801 ## <summary>
802 ## Domain allowed access.
803 ## </summary>
804 ## </param>
805 #
806 interface(`gnome_append_gconf_home_files',`
807 gen_require(`
808 type gconf_home_t;
809 ')
810
811 append_files_pattern($1, gconf_home_t, gconf_home_t)
812 ')
813
814 ########################################
815 ## <summary>
816 ## manage gconf home files
817 ## </summary>
818 ## <param name="domain">
819 ## <summary>
820 ## Domain allowed access.
821 ## </summary>
822 ## </param>
823 #
824 interface(`gnome_manage_gconf_home_files',`
825 gen_require(`
826 type gconf_home_t;
827 ')
828
829 allow $1 gconf_home_t:dir list_dir_perms;
830 manage_files_pattern($1, gconf_home_t, gconf_home_t)
831 ')
832
833 ########################################
834 ## <summary>
835 ## Connect to gnome over an unix stream socket.
836 ## </summary>
837 ## <param name="domain">
838 ## <summary>
839 ## Domain allowed access.
840 ## </summary>
841 ## </param>
842 ## <param name="user_domain">
843 ## <summary>
844 ## The type of the user domain.
845 ## </summary>
846 ## </param>
847 #
848 interface(`gnome_stream_connect',`
849 gen_require(`
850 attribute gnome_home_type;
851 ')
852
853 # Connect to pulseaudit server
854 stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
855 ')
856
857 ########################################
858 ## <summary>
859 ## list gnome homedir content (.config)
860 ## </summary>
861 ## <param name="domain">
862 ## <summary>
863 ## Domain allowed access.
864 ## </summary>
865 ## </param>
866 #
867 interface(`gnome_list_home_config',`
868 gen_require(`
869 type config_home_t;
870 ')
871
872 allow $1 config_home_t:dir list_dir_perms;
873 ')
874
875 ########################################
876 ## <summary>
877 ## Set attributes of gnome homedir content (.config)
878 ## </summary>
879 ## <param name="domain">
880 ## <summary>
881 ## Domain allowed access.
882 ## </summary>
883 ## </param>
884 #
885 interface(`gnome_setattr_home_config',`
886 gen_require(`
887 type config_home_t;
888 ')
889
890 setattr_dirs_pattern($1, config_home_t, config_home_t)
891 userdom_search_user_home_dirs($1)
892 ')
893
894 ########################################
895 ## <summary>
896 ## read gnome homedir content (.config)
897 ## </summary>
898 ## <param name="domain">
899 ## <summary>
900 ## Domain allowed access.
901 ## </summary>
902 ## </param>
903 #
904 interface(`gnome_read_home_config',`
905 gen_require(`
906 type config_home_t;
907 ')
908
909 list_dirs_pattern($1, config_home_t, config_home_t)
910 read_files_pattern($1, config_home_t, config_home_t)
911 read_lnk_files_pattern($1, config_home_t, config_home_t)
912 ')
913
914 #######################################
915 ## <summary>
916 ## delete gnome homedir content (.config)
917 ## </summary>
918 ## <param name="domain">
919 ## <summary>
920 ## Domain allowed access.
921 ## </summary>
922 ## </param>
923 #
924 interface(`gnome_delete_home_config',`
925 gen_require(`
926 type config_home_t;
927 ')
928
929 delete_files_pattern($1, config_home_t, config_home_t)
930 ')
931
932 #######################################
933 ## <summary>
934 ## setattr gnome homedir content (.config)
935 ## </summary>
936 ## <param name="domain">
937 ## <summary>
938 ## Domain allowed access.
939 ## </summary>
940 ## </param>
941 #
942 interface(`gnome_setattr_home_config_dirs',`
943 gen_require(`
944 type config_home_t;
945 ')
946
947 setattr_dirs_pattern($1, config_home_t, config_home_t)
948 ')
949
950 ########################################
951 ## <summary>
952 ## manage gnome homedir content (.config)
953 ## </summary>
954 ## <param name="domain">
955 ## <summary>
956 ## Domain allowed access.
957 ## </summary>
958 ## </param>
959 #
960 interface(`gnome_manage_home_config',`
961 gen_require(`
962 type config_home_t;
963 ')
964
965 manage_files_pattern($1, config_home_t, config_home_t)
966 ')
967
968 #######################################
969 ## <summary>
970 ## delete gnome homedir content (.config)
971 ## </summary>
972 ## <param name="domain">
973 ## <summary>
974 ## Domain allowed access.
975 ## </summary>
976 ## </param>
977 #
978 interface(`gnome_delete_home_config_dirs',`
979 gen_require(`
980 type config_home_t;
981 ')
982
983 delete_dirs_pattern($1, config_home_t, config_home_t)
984 ')
985
986 ########################################
987 ## <summary>
988 ## manage gnome homedir content (.config)
989 ## </summary>
990 ## <param name="domain">
991 ## <summary>
992 ## Domain allowed access.
993 ## </summary>
994 ## </param>
995 #
996 interface(`gnome_manage_home_config_dirs',`
997 gen_require(`
998 type config_home_t;
999 ')
1000
1001 manage_dirs_pattern($1, config_home_t, config_home_t)
1002 ')
1003
1004 ########################################
1005 ## <summary>
1006 ## manage gstreamer home content files.
1007 ## </summary>
1008 ## <param name="domain">
1009 ## <summary>
1010 ## Domain allowed access.
1011 ## </summary>
1012 ## </param>
1013 #
1014 interface(`gnome_manage_gstreamer_home_files',`
1015 gen_require(`
1016 type gstreamer_home_t;
1017 ')
1018
1019 manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
1020 ')
1021
1022 ########################################
1023 ## <summary>
1024 ## Read/Write all inherited gnome home config
1025 ## </summary>
1026 ## <param name="domain">
1027 ## <summary>
1028 ## Domain allowed access.
1029 ## </summary>
1030 ## </param>
1031 #
1032 interface(`gnome_rw_inherited_config',`
1033 gen_require(`
1034 attribute gnome_home_type;
1035 ')
1036
1037 allow $1 gnome_home_type:file rw_inherited_file_perms;
1038 ')
1039
1040 ########################################
1041 ## <summary>
1042 ## Send and receive messages from
1043 ## gconf system service over dbus.
1044 ## </summary>
1045 ## <param name="domain">
1046 ## <summary>
1047 ## Domain allowed access.
1048 ## </summary>
1049 ## </param>
1050 #
1051 interface(`gnome_dbus_chat_gconfdefault',`
1052 gen_require(`
1053 type gconfdefaultsm_t;
1054 class dbus send_msg;
1055 ')
1056
1057 allow $1 gconfdefaultsm_t:dbus send_msg;
1058 allow gconfdefaultsm_t $1:dbus send_msg;
1059 ')
1060
1061 ########################################
1062 ## <summary>
1063 ## Send and receive messages from
1064 ## gkeyringd over dbus.
1065 ## </summary>
1066 ## <param name="domain">
1067 ## <summary>
1068 ## Domain allowed access.
1069 ## </summary>
1070 ## </param>
1071 #
1072 interface(`gnome_dbus_chat_gkeyringd',`
1073 gen_require(`
1074 attribute gkeyringd_domain;
1075 class dbus send_msg;
1076 ')
1077
1078 allow $1 gkeyringd_domain:dbus send_msg;
1079 allow gkeyringd_domain $1:dbus send_msg;
1080 ')
1081
1082 ########################################
1083 ## <summary>
1084 ## Send signull signal to gkeyringd processes.
1085 ## </summary>
1086 ## <param name="domain">
1087 ## <summary>
1088 ## Domain allowed access.
1089 ## </summary>
1090 ## </param>
1091 #
1092 interface(`gnome_signull_gkeyringd',`
1093 gen_require(`
1094 attribute gkeyringd_domain;
1095 ')
1096
1097 allow $1 gkeyringd_domain:process signull;
1098 ')
1099
1100 ########################################
1101 ## <summary>
1102 ## Allow the domain to read gkeyringd state files in /proc.
1103 ## </summary>
1104 ## <param name="domain">
1105 ## <summary>
1106 ## Domain allowed access.
1107 ## </summary>
1108 ## </param>
1109 #
1110 interface(`gnome_read_gkeyringd_state',`
1111 gen_require(`
1112 attribute gkeyringd_domain;
1113 ')
1114
1115 ps_process_pattern($1, gkeyringd_domain)
1116 ')
1117
1118 ########################################
1119 ## <summary>
1120 ## Create directories in user home directories
1121 ## with the gnome home file type.
1122 ## </summary>
1123 ## <param name="domain">
1124 ## <summary>
1125 ## Domain allowed access.
1126 ## </summary>
1127 ## </param>
1128 #
1129 interface(`gnome_home_dir_filetrans',`
1130 gen_require(`
1131 type gnome_home_t;
1132 ')
1133
1134 userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
1135 userdom_search_user_home_dirs($1)
1136 ')
1137
1138 ######################################
1139 ## <summary>
1140 ## Allow read kde config content
1141 ## </summary>
1142 ## <param name="domain">
1143 ## <summary>
1144 ## Domain allowed access.
1145 ## </summary>
1146 ## </param>
1147 #
1148 interface(`gnome_read_usr_config',`
1149 gen_require(`
1150 type config_usr_t;
1151 ')
1152
1153 files_search_usr($1)
1154 list_dirs_pattern($1, config_usr_t, config_usr_t)
1155 read_files_pattern($1, config_usr_t, config_usr_t)
1156 read_lnk_files_pattern($1, config_usr_t, config_usr_t)
1157 ')
1158
1159 #######################################
1160 ## <summary>
1161 ## Allow manage kde config content
1162 ## </summary>
1163 ## <param name="domain">
1164 ## <summary>
1165 ## Domain allowed access.
1166 ## </summary>
1167 ## </param>
1168 #
1169 interface(`gnome_manage_usr_config',`
1170 gen_require(`
1171 type config_usr_t;
1172 ')
1173
1174 files_search_usr($1)
1175 manage_dirs_pattern($1, config_usr_t, config_usr_t)
1176 manage_files_pattern($1, config_usr_t, config_usr_t)
1177 manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
1178 ')
1179
1180 ########################################
1181 ## <summary>
1182 ## Execute gnome-keyring in the user gkeyring domain
1183 ## </summary>
1184 ## <param name="domain">
1185 ## <summary>
1186 ## Domain allowed access
1187 ## </summary>
1188 ## </param>
1189 ## <param name="role">
1190 ## <summary>
1191 ## The role to be allowed the gkeyring domain.
1192 ## </summary>
1193 ## </param>
1194 #
1195 interface(`gnome_transition_gkeyringd',`
1196 gen_require(`
1197 attribute gkeyringd_domain;
1198 ')
1199
1200 allow $1 gkeyringd_domain:process transition;
1201 dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
1202 allow gkeyringd_domain $1:process { sigchld signull };
1203 allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
1204 ')
1205
1206
1207 ########################################
1208 ## <summary>
1209 ## Create gnome content in the user home directory
1210 ## with an correct label.
1211 ## </summary>
1212 ## <param name="domain">
1213 ## <summary>
1214 ## Domain allowed access.
1215 ## </summary>
1216 ## </param>
1217 #
1218 interface(`gnome_filetrans_home_content',`
1219
1220 gen_require(`
1221 type config_home_t;
1222 type cache_home_t;
1223 type gstreamer_home_t;
1224 type gconf_home_t;
1225 type gnome_home_t;
1226 type data_home_t, icc_data_home_t;
1227 type gkeyringd_gnome_home_t;
1228 ')
1229
1230 userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
1231 userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
1232 userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
1233 userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
1234 userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
1235 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
1236 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
1237 userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
1238 userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
1239 userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
1240 userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
1241 # ~/.color/icc: legacy
1242 userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
1243 filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
1244 filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
1245 filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
1246 userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
1247 ')
1248
1249 ########################################
1250 ## <summary>
1251 ## Create gnome directory in the /root directory
1252 ## with an correct label.
1253 ## </summary>
1254 ## <param name="domain">
1255 ## <summary>
1256 ## Domain allowed access.
1257 ## </summary>
1258 ## </param>
1259 #
1260 interface(`gnome_filetrans_admin_home_content',`
1261
1262 gen_require(`
1263 type config_home_t;
1264 type cache_home_t;
1265 type gstreamer_home_t;
1266 type gconf_home_t;
1267 type gnome_home_t;
1268 type icc_data_home_t;
1269 ')
1270
1271 userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
1272 userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
1273 userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
1274 userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
1275 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
1276 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
1277 userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
1278 userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
1279 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
1280 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
1281 # /root/.color/icc: legacy
1282 userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
1283 ')
1284
1285 ######################################
1286 ## <summary>
1287 ## Execute gnome-keyring executable
1288 ## in the specified domain.
1289 ## </summary>
1290 ## <desc>
1291 ## <p>
1292 ## Execute a telepathy executable
1293 ## in the specified domain. This allows
1294 ## the specified domain to execute any file
1295 ## on these filesystems in the specified
1296 ## domain.
1297 ## </p>
1298 ## <p>
1299 ## No interprocess communication (signals, pipes,
1300 ## etc.) is provided by this interface since
1301 ## the domains are not owned by this module.
1302 ## </p>
1303 ## <p>
1304 ## This interface was added to handle
1305 ## the ssh-agent policy.
1306 ## </p>
1307 ## </desc>
1308 ## <param name="domain">
1309 ## <summary>
1310 ## Domain allowed to transition.
1311 ## </summary>
1312 ## </param>
1313 ## <param name="target_domain">
1314 ## <summary>
1315 ## The type of the new process.
1316 ## </summary>
1317 ## </param>
1318 #
1319 interface(`gnome_command_domtrans_gkeyringd', `
1320 gen_require(`
1321 type gkeyringd_exec_t;
1322 ')
1323
1324 allow $2 gkeyringd_exec_t:file entrypoint;
1325 domain_transition_pattern($1, gkeyringd_exec_t, $2)
1326 type_transition $1 gkeyringd_exec_t:process $2;
1327 ')
The IPFire selinux policy.