1 ## <summary>GNU network object model environment (GNOME)</summary>
3 ###########################################################
5 ## Role access for gnome
12 ## <param name="domain">
14 ## User domain for the role
18 interface(`gnome_role',`
20 type gconfd_t, gconfd_exec_t;
24 role $1 types gconfd_t;
26 domain_auto_trans($2, gconfd_exec_t, gconfd_t)
27 allow gconfd_t $2:fd use;
28 allow gconfd_t $2:fifo_file write;
29 allow gconfd_t $2:unix_stream_socket connectto;
31 ps_process_pattern($2, gconfd_t)
33 #gnome_stream_connect_gconf_template($1, $2)
34 read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
35 allow $2 gconfd_t:unix_stream_socket connectto;
38 ######################################
40 ## The role template for the gnome-keyring-daemon.
42 ## <param name="user_prefix">
47 ## <param name="user_role">
52 ## <param name="user_domain">
54 ## The user domain associated with the role.
58 interface(`gnome_role_gkeyringd',`
60 attribute gkeyringd_domain;
61 attribute gnome_domain;
63 type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
67 type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
68 typealias $1_gkeyringd_t alias gkeyrind_$1_t;
69 application_domain($1_gkeyringd_t, gkeyringd_exec_t)
70 ubac_constrained($1_gkeyringd_t)
71 domain_user_exemption_target($1_gkeyringd_t)
73 role $2 types $1_gkeyringd_t;
75 domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
77 allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
78 allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
80 allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
81 allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
83 corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
84 corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
85 allow $1_gkeyringd_t $3:process sigkill;
86 allow $3 $1_gkeyringd_t:fd use;
87 allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
89 ps_process_pattern($1_gkeyringd_t, $3)
91 ps_process_pattern($3, $1_gkeyringd_t)
92 allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
94 dontaudit $3 gkeyringd_exec_t:file entrypoint;
96 stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
98 allow $1_gkeyringd_t $3:dbus send_msg;
99 allow $3 $1_gkeyringd_t:dbus send_msg;
101 dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t)
102 dbus_session_bus_client($1_gkeyringd_t)
103 gnome_home_dir_filetrans($1_gkeyringd_t)
104 gnome_manage_generic_home_dirs($1_gkeyringd_t)
107 telepathy_mission_control_read_state($1_gkeyringd_t)
112 ########################################
114 ## gconf connection template.
116 ## <param name="domain">
118 ## Domain allowed access.
122 interface(`gnome_stream_connect_gconf',`
124 type gconfd_t, gconf_tmp_t;
127 read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
128 allow $1 gconfd_t:unix_stream_socket connectto;
131 ########################################
133 ## Connect to gkeyringd with a unix stream socket.
135 ## <param name="role_prefix">
140 ## <param name="domain">
142 ## Domain allowed access.
146 interface(`gnome_stream_connect_gkeyringd',`
148 attribute gkeyringd_domain;
149 type gkeyringd_tmp_t;
153 allow $1 gconf_tmp_t:dir search_dir_perms;
154 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
157 ########################################
159 ## Connect to gkeyringd with a unix stream socket.
161 ## <param name="role_prefix">
166 ## <param name="domain">
168 ## Domain allowed access.
172 interface(`gnome_stream_connect_all_gkeyringd',`
174 attribute gkeyringd_domain;
175 type gkeyringd_tmp_t;
179 allow $1 gconf_tmp_t:dir search_dir_perms;
180 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
183 ########################################
185 ## Run gconfd in gconfd domain.
187 ## <param name="domain">
189 ## Domain allowed access.
193 interface(`gnome_domtrans_gconfd',`
195 type gconfd_t, gconfd_exec_t;
198 domtrans_pattern($1, gconfd_exec_t, gconfd_t)
201 ########################################
203 ## Dontaudit read gnome homedir content (.config)
205 ## <param name="domain">
207 ## Domain allowed access.
211 interface(`gnome_dontaudit_read_config',`
213 attribute gnome_home_type;
216 dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
219 ########################################
221 ## Dontaudit search gnome homedir content (.config)
223 ## <param name="domain">
225 ## Domain allowed access.
229 interface(`gnome_dontaudit_search_config',`
231 attribute gnome_home_type;
234 dontaudit $1 gnome_home_type:dir search_dir_perms;
237 ########################################
239 ## manage gnome homedir content (.config)
241 ## <param name="domain">
243 ## Domain allowed access.
247 interface(`gnome_manage_config',`
249 attribute gnome_home_type;
252 allow $1 gnome_home_type:dir manage_dir_perms;
253 allow $1 gnome_home_type:file manage_file_perms;
254 allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
255 userdom_search_user_home_dirs($1)
258 ########################################
260 ## Send general signals to all gconf domains.
262 ## <param name="domain">
264 ## Domain allowed access.
268 interface(`gnome_signal_all',`
270 attribute gnome_domain;
273 allow $1 gnome_domain:process signal;
276 ########################################
278 ## Create objects in a Gnome cache home directory
279 ## with an automatic type transition to
280 ## a specified private type.
282 ## <param name="domain">
284 ## Domain allowed access.
287 ## <param name="private_type">
289 ## The type of the object to create.
292 ## <param name="object_class">
294 ## The class of the object to be created.
298 interface(`gnome_cache_filetrans',`
303 filetrans_pattern($1, cache_home_t, $2, $3)
304 userdom_search_user_home_dirs($1)
307 ########################################
309 ## Read generic cache home files (.cache)
311 ## <param name="domain">
313 ## Domain allowed access.
317 interface(`gnome_read_generic_cache_files',`
322 read_files_pattern($1, cache_home_t, cache_home_t)
323 userdom_search_user_home_dirs($1)
326 ########################################
328 ## Set attributes of cache home dir (.cache)
330 ## <param name="domain">
332 ## Domain allowed access.
336 interface(`gnome_setattr_cache_home_dir',`
341 setattr_dirs_pattern($1, cache_home_t, cache_home_t)
342 userdom_search_user_home_dirs($1)
345 ########################################
347 ## append to generic cache home files (.cache)
349 ## <param name="domain">
351 ## Domain allowed access.
355 interface(`gnome_append_generic_cache_files',`
360 append_files_pattern($1, cache_home_t, cache_home_t)
361 userdom_search_user_home_dirs($1)
364 ########################################
366 ## write to generic cache home files (.cache)
368 ## <param name="domain">
370 ## Domain allowed access.
374 interface(`gnome_write_generic_cache_files',`
379 write_files_pattern($1, cache_home_t, cache_home_t)
380 userdom_search_user_home_dirs($1)
383 ########################################
385 ## read gnome homedir content (.config)
387 ## <param name="domain">
389 ## Domain allowed access.
393 interface(`gnome_read_config',`
395 attribute gnome_home_type;
398 list_dirs_pattern($1, gnome_home_type, gnome_home_type)
399 read_files_pattern($1, gnome_home_type, gnome_home_type)
400 read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
403 ########################################
405 ## Create objects in a Gnome gconf home directory
406 ## with an automatic type transition to
407 ## a specified private type.
409 ## <param name="domain">
411 ## Domain allowed access.
414 ## <param name="private_type">
416 ## The type of the object to create.
419 ## <param name="object_class">
421 ## The class of the object to be created.
425 interface(`gnome_data_filetrans',`
430 filetrans_pattern($1, data_home_t, $2, $3)
431 gnome_search_gconf($1)
434 #######################################
436 ## Manage gconf data home files
438 ## <param name="domain">
440 ## Domain allowed access.
444 interface(`gnome_manage_data',`
450 allow $1 gconf_home_t:dir search_dir_perms;
451 manage_dirs_pattern($1, data_home_t, data_home_t)
452 manage_files_pattern($1, data_home_t, data_home_t)
453 manage_lnk_files_pattern($1, data_home_t, data_home_t)
456 ########################################
458 ## Create gconf_home_t objects in the /root directory
460 ## <param name="domain">
462 ## Domain allowed access.
465 ## <param name="object_class">
467 ## The class of the object to be created.
471 interface(`gnome_admin_home_gconf_filetrans',`
476 userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
479 ########################################
481 ## read gconf config files
483 ## <param name="domain">
485 ## Domain allowed access.
489 interface(`gnome_read_gconf_config',`
494 allow $1 gconf_etc_t:dir list_dir_perms;
495 read_files_pattern($1, gconf_etc_t, gconf_etc_t)
499 #######################################
501 ## Manage gconf config files
503 ## <param name="domain">
505 ## Domain allowed access.
509 interface(`gnome_manage_gconf_config',`
514 allow $1 gconf_etc_t:dir list_dir_perms;
515 manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
518 ########################################
520 ## Execute gconf programs in
521 ## in the caller domain.
523 ## <param name="domain">
525 ## Domain allowed access.
529 interface(`gnome_exec_gconf',`
534 can_exec($1, gconfd_exec_t)
537 ########################################
539 ## Execute gnome keyringd in the caller domain.
541 ## <param name="domain">
543 ## Domain allowed access.
547 interface(`gnome_exec_keyringd',`
549 type gkeyringd_exec_t;
552 can_exec($1, gkeyringd_exec_t)
553 corecmd_search_bin($1)
556 ########################################
558 ## Read gconf home files
560 ## <param name="domain">
562 ## Domain allowed access.
566 interface(`gnome_read_gconf_home_files',`
572 userdom_search_user_home_dirs($1)
573 allow $1 gconf_home_t:dir list_dir_perms;
574 allow $1 data_home_t:dir list_dir_perms;
575 read_files_pattern($1, gconf_home_t, gconf_home_t)
576 read_files_pattern($1, data_home_t, data_home_t)
577 read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
578 read_lnk_files_pattern($1, data_home_t, data_home_t)
581 ########################################
583 ## Search gkeyringd temporary directories.
585 ## <param name="domain">
587 ## Domain allowed access.
591 interface(`gnome_search_gkeyringd_tmp_dirs',`
593 type gkeyringd_tmp_t;
597 allow $1 gkeyringd_tmp_t:dir search_dir_perms;
600 ########################################
602 ## search gconf homedir (.local)
604 ## <param name="domain">
606 ## Domain allowed access.
610 interface(`gnome_search_gconf',`
615 allow $1 gconf_home_t:dir search_dir_perms;
616 userdom_search_user_home_dirs($1)
619 ########################################
621 ## Set attributes of Gnome config dirs.
623 ## <param name="domain">
625 ## Domain allowed access.
629 interface(`gnome_setattr_config_dirs',`
634 setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
635 files_search_home($1)
638 ########################################
640 ## Manage generic gnome home files.
642 ## <param name="domain">
644 ## Domain allowed access.
648 interface(`gnome_manage_generic_home_files',`
653 userdom_search_user_home_dirs($1)
654 manage_files_pattern($1, gnome_home_t, gnome_home_t)
657 ########################################
659 ## Manage generic gnome home directories.
661 ## <param name="domain">
663 ## Domain allowed access.
667 interface(`gnome_manage_generic_home_dirs',`
672 userdom_search_user_home_dirs($1)
673 allow $1 gnome_home_t:dir manage_dir_perms;
676 ########################################
678 ## Append gconf home files
680 ## <param name="domain">
682 ## Domain allowed access.
686 interface(`gnome_append_gconf_home_files',`
691 append_files_pattern($1, gconf_home_t, gconf_home_t)
694 ########################################
696 ## manage gconf home files
698 ## <param name="domain">
700 ## Domain allowed access.
704 interface(`gnome_manage_gconf_home_files',`
709 allow $1 gconf_home_t:dir list_dir_perms;
710 manage_files_pattern($1, gconf_home_t, gconf_home_t)
713 ########################################
715 ## Connect to gnome over an unix stream socket.
717 ## <param name="domain">
719 ## Domain allowed access.
722 ## <param name="user_domain">
724 ## The type of the user domain.
728 interface(`gnome_stream_connect',`
730 attribute gnome_home_type;
733 # Connect to pulseaudit server
734 stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
737 ########################################
739 ## list gnome homedir content (.config)
741 ## <param name="domain">
743 ## Domain allowed access.
747 interface(`gnome_list_home_config',`
752 allow $1 config_home_t:dir list_dir_perms;
755 ########################################
757 ## Set attributes of gnome homedir content (.config)
759 ## <param name="domain">
761 ## Domain allowed access.
765 template(`gnome_setattr_home_config',`
770 setattr_dirs_pattern($1, config_home_t, config_home_t)
771 userdom_search_user_home_dirs($1)
774 ########################################
776 ## read gnome homedir content (.config)
778 ## <param name="domain">
780 ## Domain allowed access.
784 interface(`gnome_read_home_config',`
789 list_dirs_pattern($1, config_home_t, config_home_t)
790 read_files_pattern($1, config_home_t, config_home_t)
791 read_lnk_files_pattern($1, config_home_t, config_home_t)
794 ########################################
796 ## manage gnome homedir content (.config)
798 ## <param name="domain">
800 ## Domain allowed access.
804 template(`gnome_manage_home_config',`
809 manage_files_pattern($1, config_home_t, config_home_t)
812 ########################################
814 ## Read/Write all inherited gnome home config
816 ## <param name="domain">
818 ## Domain allowed access.
822 interface(`gnome_rw_inherited_config',`
824 attribute gnome_home_type;
827 allow $1 gnome_home_type:file rw_inherited_file_perms;
830 ########################################
832 ## Send and receive messages from
833 ## gconf system service over dbus.
835 ## <param name="domain">
837 ## Domain allowed access.
841 interface(`gnome_dbus_chat_gconfdefault',`
843 type gconfdefaultsm_t;
847 allow $1 gconfdefaultsm_t:dbus send_msg;
848 allow gconfdefaultsm_t $1:dbus send_msg;
851 ########################################
853 ## Send and receive messages from
854 ## gkeyringd over dbus.
856 ## <param name="role_prefix">
861 ## <param name="domain">
863 ## Domain allowed access.
867 interface(`gnome_dbus_chat_gkeyringd',`
869 attribute gkeyringd_domain;
873 allow $1 gkeyringd_domain:dbus send_msg;
874 allow gkeyringd_domain $1:dbus send_msg;
877 ########################################
879 ## Create directories in user home directories
880 ## with the gnome home file type.
882 ## <param name="domain">
884 ## Domain allowed access.
888 interface(`gnome_home_dir_filetrans',`
893 userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
894 userdom_search_user_home_dirs($1)
897 ######################################
899 ## Allow read kde config content
901 ## <param name="domain">
903 ## Domain allowed access.
907 interface(`gnome_read_usr_config',`
913 list_dirs_pattern($1, config_usr_t, config_usr_t)
914 read_files_pattern($1, config_usr_t, config_usr_t)
915 read_lnk_files_pattern($1, config_usr_t, config_usr_t)
918 #######################################
920 ## Allow manage kde config content
922 ## <param name="domain">
924 ## Domain allowed access.
928 interface(`gnome_manage_usr_config',`
934 manage_dirs_pattern($1, config_usr_t, config_usr_t)
935 manage_files_pattern($1, config_usr_t, config_usr_t)
936 manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
939 ########################################
941 ## Execute gnome-keyring in the user gkeyring domain
943 ## <param name="domain">
945 ## Domain allowed access
948 ## <param name="role">
950 ## The role to be allowed the gkeyring domain.
954 interface(`gnome_transition_gkeyringd',`
956 attribute gkeyringd_domain;
959 allow $1 gkeyringd_domain:process transition;
960 dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
961 allow gkeyringd_domain $1:process { sigchld signull };
962 allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;