1 ## <summary>GNU network object model environment (GNOME)</summary>
2
3 ###########################################################
4 ## <summary>
5 ## Role access for gnome
6 ## </summary>
7 ## <param name="role">
8 ## <summary>
9 ## Role allowed access
10 ## </summary>
11 ## </param>
12 ## <param name="domain">
13 ## <summary>
14 ## User domain for the role
15 ## </summary>
16 ## </param>
17 #
18 interface(`gnome_role',`
# Lets the role in the first argument run the gconfd_t daemon domain and
# wires the user domain in the second argument to that daemon.
19 gen_require(`
20 type gconfd_t, gconfd_exec_t;
21 type gconf_tmp_t;
22 ')
23
# Authorize the role to be associated with the gconfd_t type.
24 role $1 types gconfd_t;
25
# Executing a gconfd_exec_t file from the user domain enters gconfd_t.
# The three allow rules then let gconfd_t use file descriptors, write to
# pipes and connect to unix stream sockets owned by the user domain.
26 domain_auto_trans($2, gconfd_exec_t, gconfd_t)
27 allow gconfd_t $2:fd use;
28 allow gconfd_t $2:fifo_file write;
29 allow gconfd_t $2:unix_stream_socket connectto;
30
31 ps_process_pattern($2, gconfd_t)
32
# The call on the next line is disabled. The two rules after it grant the
# user domain the same access that gnome_stream_connect_gconf grants its
# caller (read gconf_tmp_t files, connectto on gconfd_t sockets), so stream
# connections are allowed in both directions between the two domains.
# NOTE(review): no interface with the _template suffix is defined in this
# file - confirm whether the disabled call can simply be removed.
33 #gnome_stream_connect_gconf_template($1, $2)
34 read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
35 allow $2 gconfd_t:unix_stream_socket connectto;
36 ')
37
38 ######################################
39 ## <summary>
40 ## The role template for the gnome-keyring-daemon.
41 ## </summary>
42 ## <param name="user_prefix">
43 ## <summary>
44 ## The user prefix.
45 ## </summary>
46 ## </param>
47 ## <param name="user_role">
48 ## <summary>
49 ## The user role.
50 ## </summary>
51 ## </param>
52 ## <param name="user_domain">
53 ## <summary>
54 ## The user domain associated with the role.
55 ## </summary>
56 ## </param>
57 #
58 interface(`gnome_role_gkeyringd',`
# Creates a per-user keyring daemon domain named <prefix>_gkeyringd_t and
# connects it to the role (second argument) and user domain (third argument).
# NOTE(review): the body declares a new type per prefix and the header calls
# it a template, yet it is defined with interface() - confirm which keyword
# the policy build and documentation tooling expect here.
59 gen_require(`
60 attribute gkeyringd_domain;
61 attribute gnome_domain;
62 type gnome_home_t;
63 type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
64 class dbus send_msg;
65 ')
66
# Every per-user daemon type carries both attributes, so any rule written
# against gkeyringd_domain or gnome_domain applies to all of them at once.
67 type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
# NOTE(review): the alias is spelled gkeyrind (no g before the underscore).
# It may be a deliberate legacy name - check existing policy and labels
# before changing it.
68 typealias $1_gkeyringd_t alias gkeyrind_$1_t;
69 application_domain($1_gkeyringd_t, gkeyringd_exec_t)
70 ubac_constrained($1_gkeyringd_t)
71 domain_user_exemption_target($1_gkeyringd_t)
72
73 role $2 types $1_gkeyringd_t;
74
# The user domain enters the daemon domain by executing gkeyringd_exec_t.
75 domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
76
# The user domain may manage and relabel the keyring store under the home
# directory as well as the daemon temporary directories and socket files.
77 allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
78 allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
79
80 allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
81 allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
82
# Programs from bin directories and shells started by the daemon transition
# to <prefix>_t - presumably the same user domain that is passed as the third
# argument; verify against callers.
83 corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
84 corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
# The daemon may send SIGKILL to processes in the user domain.
85 allow $1_gkeyringd_t $3:process sigkill;
86 allow $3 $1_gkeyringd_t:fd use;
87 allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
88
89 ps_process_pattern($1_gkeyringd_t, $3)
90
91 ps_process_pattern($3, $1_gkeyringd_t)
# SECURITY: the user domain receives ptrace plus the signal permission set on
# the keyring daemon. ptrace lets any process running in the user domain
# inspect and alter the memory of the daemon, so the separate daemon domain
# does not shield keyring contents from the user domain itself. If that is
# not intended, drop ptrace from this rule or gate it behind a policy boolean.
92 allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
93
# Only suppresses audit records for the entrypoint denial between the user
# domain and gkeyringd_exec_t; the access itself stays denied.
94 dontaudit $3 gkeyringd_exec_t:file entrypoint;
95
96 stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
97
# D-Bus messages are allowed in both directions. These two rules sit outside
# the optional_policy block below, which is why the dbus class is listed in
# gen_require above.
98 allow $1_gkeyringd_t $3:dbus send_msg;
99 allow $3 $1_gkeyringd_t:dbus send_msg;
100 optional_policy(`
101 dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t)
102 dbus_session_bus_client($1_gkeyringd_t)
103 gnome_home_dir_filetrans($1_gkeyringd_t)
104 gnome_manage_generic_home_dirs($1_gkeyringd_t)
105
106 optional_policy(`
107 telepathy_mission_control_read_state($1_gkeyringd_t)
108 ')
109 ')
110 ')
111
112 ########################################
113 ## <summary>
114 ## gconf connection template.
115 ## </summary>
116 ## <param name="domain">
117 ## <summary>
118 ## Domain allowed access.
119 ## </summary>
120 ## </param>
121 #
122 interface(`gnome_stream_connect_gconf',`
123 gen_require(`
124 type gconfd_t, gconf_tmp_t;
125 ')
126
127 read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
128 allow $1 gconfd_t:unix_stream_socket connectto;
129 ')
130
131 ########################################
132 ## <summary>
133 ## Connect to gkeyringd with a unix stream socket.
134 ## </summary>
135 ## <param name="role_prefix">
136 ## <summary>
137 ## Role prefix.
138 ## </summary>
139 ## </param>
140 ## <param name="domain">
141 ## <summary>
142 ## Domain allowed access.
143 ## </summary>
144 ## </param>
145 #
146 interface(`gnome_stream_connect_gkeyringd',`
# NOTE(review): the header documents role_prefix followed by domain, but the
# body uses only the first argument and treats it as the source domain.
# Confirm what callers pass and correct the parameter documentation.
147 gen_require(`
148 attribute gkeyringd_domain;
149 type gkeyringd_tmp_t;
150 type gconf_tmp_t;
151 ')
152
153 allow $1 gconf_tmp_t:dir search_dir_perms;
# The target is the gkeyringd_domain attribute, so the caller may connect to
# the keyring socket of every gkeyringd domain rather than one per-role
# daemon. This body is identical to gnome_stream_connect_all_gkeyringd.
154 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
155 ')
156
157 ########################################
158 ## <summary>
159 ## Connect to gkeyringd with a unix stream socket.
160 ## </summary>
161 ## <param name="role_prefix">
162 ## <summary>
163 ## Role prefix.
164 ## </summary>
165 ## </param>
166 ## <param name="domain">
167 ## <summary>
168 ## Domain allowed access.
169 ## </summary>
170 ## </param>
171 #
172 interface(`gnome_stream_connect_all_gkeyringd',`
# NOTE(review): the header documents role_prefix followed by domain, but the
# body uses only the first argument and treats it as the source domain.
# Confirm what callers pass and correct the parameter documentation.
173 gen_require(`
174 attribute gkeyringd_domain;
175 type gkeyringd_tmp_t;
176 type gconf_tmp_t;
177 ')
178
179 allow $1 gconf_tmp_t:dir search_dir_perms;
# Connect to the keyring socket of every domain that carries the
# gkeyringd_domain attribute.
180 stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
181 ')
182
183 ########################################
184 ## <summary>
185 ## Run gconfd in gconfd domain.
186 ## </summary>
187 ## <param name="domain">
188 ## <summary>
189 ## Domain allowed access.
190 ## </summary>
191 ## </param>
192 #
193 interface(`gnome_domtrans_gconfd',`
194 gen_require(`
195 type gconfd_t, gconfd_exec_t;
196 ')
197
198 domtrans_pattern($1, gconfd_exec_t, gconfd_t)
199 ')
200
201 ########################################
202 ## <summary>
203 ## Dontaudit read gnome homedir content (.config)
204 ## </summary>
205 ## <param name="domain">
206 ## <summary>
207 ## Domain to not audit.
208 ## </summary>
209 ## </param>
210 #
211 interface(`gnome_dontaudit_read_config',`
212 gen_require(`
213 attribute gnome_home_type;
214 ')
215
# dontaudit grants nothing: it only keeps the denial out of the audit log.
# When investigating access to these directories, load the policy with
# dontaudit rules disabled (semodule -DB) so the AVC records become visible.
# NOTE(review): read_inherited_file_perms is named as a file permission set
# but the rule targets class dir - confirm the intended class and permissions.
216 dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
217 ')
218
219 ########################################
220 ## <summary>
221 ## Dontaudit search gnome homedir content (.config)
222 ## </summary>
223 ## <param name="domain">
224 ## <summary>
225 ## Domain to not audit.
226 ## </summary>
227 ## </param>
228 #
229 interface(`gnome_dontaudit_search_config',`
230 gen_require(`
231 attribute gnome_home_type;
232 ')
233
234 dontaudit $1 gnome_home_type:dir search_dir_perms;
235 ')
236
237 ########################################
238 ## <summary>
239 ## manage gnome homedir content (.config)
240 ## </summary>
241 ## <param name="domain">
242 ## <summary>
243 ## Domain allowed access.
244 ## </summary>
245 ## </param>
246 #
247 interface(`gnome_manage_config',`
248 gen_require(`
249 attribute gnome_home_type;
250 ')
251
# Full manage access to directories, files and symlinks of every type that
# carries the gnome_home_type attribute, not of one single type. Prefer
# gnome_read_config for callers that only need to read this content.
252 allow $1 gnome_home_type:dir manage_dir_perms;
253 allow $1 gnome_home_type:file manage_file_perms;
254 allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
255 userdom_search_user_home_dirs($1)
256 ')
257
258 ########################################
259 ## <summary>
260 ## Send general signals to all gnome domains.
261 ## </summary>
262 ## <param name="domain">
263 ## <summary>
264 ## Domain allowed access.
265 ## </summary>
266 ## </param>
267 #
268 interface(`gnome_signal_all',`
269 gen_require(`
270 attribute gnome_domain;
271 ')
272
273 allow $1 gnome_domain:process signal;
274 ')
275
276 ########################################
277 ## <summary>
278 ## Create objects in a Gnome cache home directory
279 ## with an automatic type transition to
280 ## a specified private type.
281 ## </summary>
282 ## <param name="domain">
283 ## <summary>
284 ## Domain allowed access.
285 ## </summary>
286 ## </param>
287 ## <param name="private_type">
288 ## <summary>
289 ## The type of the object to create.
290 ## </summary>
291 ## </param>
292 ## <param name="object_class">
293 ## <summary>
294 ## The class of the object to be created.
295 ## </summary>
296 ## </param>
297 #
298 interface(`gnome_cache_filetrans',`
299 gen_require(`
300 type cache_home_t;
301 ')
302
303 filetrans_pattern($1, cache_home_t, $2, $3)
304 userdom_search_user_home_dirs($1)
305 ')
306
307 ########################################
308 ## <summary>
309 ## Read generic cache home files (.cache)
310 ## </summary>
311 ## <param name="domain">
312 ## <summary>
313 ## Domain allowed access.
314 ## </summary>
315 ## </param>
316 #
317 interface(`gnome_read_generic_cache_files',`
318 gen_require(`
319 type cache_home_t;
320 ')
321
322 read_files_pattern($1, cache_home_t, cache_home_t)
323 userdom_search_user_home_dirs($1)
324 ')
325
326 ########################################
327 ## <summary>
328 ## Set attributes of cache home dir (.cache)
329 ## </summary>
330 ## <param name="domain">
331 ## <summary>
332 ## Domain allowed access.
333 ## </summary>
334 ## </param>
335 #
336 interface(`gnome_setattr_cache_home_dir',`
337 gen_require(`
338 type cache_home_t;
339 ')
340
341 setattr_dirs_pattern($1, cache_home_t, cache_home_t)
342 userdom_search_user_home_dirs($1)
343 ')
344
345 ########################################
346 ## <summary>
347 ## append to generic cache home files (.cache)
348 ## </summary>
349 ## <param name="domain">
350 ## <summary>
351 ## Domain allowed access.
352 ## </summary>
353 ## </param>
354 #
355 interface(`gnome_append_generic_cache_files',`
356 gen_require(`
357 type cache_home_t;
358 ')
359
360 append_files_pattern($1, cache_home_t, cache_home_t)
361 userdom_search_user_home_dirs($1)
362 ')
363
364 ########################################
365 ## <summary>
366 ## write to generic cache home files (.cache)
367 ## </summary>
368 ## <param name="domain">
369 ## <summary>
370 ## Domain allowed access.
371 ## </summary>
372 ## </param>
373 #
374 interface(`gnome_write_generic_cache_files',`
375 gen_require(`
376 type cache_home_t;
377 ')
378
379 write_files_pattern($1, cache_home_t, cache_home_t)
380 userdom_search_user_home_dirs($1)
381 ')
382
383 ########################################
384 ## <summary>
385 ## read gnome homedir content (.config)
386 ## </summary>
387 ## <param name="domain">
388 ## <summary>
389 ## Domain allowed access.
390 ## </summary>
391 ## </param>
392 #
393 interface(`gnome_read_config',`
394 gen_require(`
395 attribute gnome_home_type;
396 ')
397
398 list_dirs_pattern($1, gnome_home_type, gnome_home_type)
399 read_files_pattern($1, gnome_home_type, gnome_home_type)
400 read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
401 ')
402
403 ########################################
404 ## <summary>
405 ## Create objects in a Gnome gconf home directory
406 ## with an automatic type transition to
407 ## a specified private type.
408 ## </summary>
409 ## <param name="domain">
410 ## <summary>
411 ## Domain allowed access.
412 ## </summary>
413 ## </param>
414 ## <param name="private_type">
415 ## <summary>
416 ## The type of the object to create.
417 ## </summary>
418 ## </param>
419 ## <param name="object_class">
420 ## <summary>
421 ## The class of the object to be created.
422 ## </summary>
423 ## </param>
424 #
425 interface(`gnome_data_filetrans',`
426 gen_require(`
427 type data_home_t;
428 ')
429
430 filetrans_pattern($1, data_home_t, $2, $3)
431 gnome_search_gconf($1)
432 ')
433
434 #######################################
435 ## <summary>
436 ## Manage gconf data home files
437 ## </summary>
438 ## <param name="domain">
439 ## <summary>
440 ## Domain allowed access.
441 ## </summary>
442 ## </param>
443 #
444 interface(`gnome_manage_data',`
445 gen_require(`
446 type data_home_t;
447 type gconf_home_t;
448 ')
449
450 allow $1 gconf_home_t:dir search_dir_perms;
451 manage_dirs_pattern($1, data_home_t, data_home_t)
452 manage_files_pattern($1, data_home_t, data_home_t)
453 manage_lnk_files_pattern($1, data_home_t, data_home_t)
454 ')
455
456 ########################################
457 ## <summary>
458 ## Create gconf_home_t objects in the /root directory
459 ## </summary>
460 ## <param name="domain">
461 ## <summary>
462 ## Domain allowed access.
463 ## </summary>
464 ## </param>
465 ## <param name="object_class">
466 ## <summary>
467 ## The class of the object to be created.
468 ## </summary>
469 ## </param>
470 #
471 interface(`gnome_admin_home_gconf_filetrans',`
472 gen_require(`
473 type gconf_home_t;
474 ')
475
476 userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
477 ')
478
479 ########################################
480 ## <summary>
481 ## read gconf config files
482 ## </summary>
483 ## <param name="domain">
484 ## <summary>
485 ## Domain allowed access.
486 ## </summary>
487 ## </param>
488 #
489 interface(`gnome_read_gconf_config',`
490 gen_require(`
491 type gconf_etc_t;
492 ')
493
494 allow $1 gconf_etc_t:dir list_dir_perms;
495 read_files_pattern($1, gconf_etc_t, gconf_etc_t)
496 files_search_etc($1)
497 ')
498
499 #######################################
500 ## <summary>
501 ## Manage gconf config files
502 ## </summary>
503 ## <param name="domain">
504 ## <summary>
505 ## Domain allowed access.
506 ## </summary>
507 ## </param>
508 #
509 interface(`gnome_manage_gconf_config',`
510 gen_require(`
511 type gconf_etc_t;
512 ')
513
# Grants create, write and delete on gconf_etc_t files; directories of that
# type can be listed here but the rule below does not give manage_dir_perms.
# NOTE(review): gnome_read_gconf_config also calls files_search_etc for the
# caller and this interface does not - confirm whether the omission is
# intentional.
514 allow $1 gconf_etc_t:dir list_dir_perms;
515 manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
516 ')
517
518 ########################################
519 ## <summary>
520 ## Execute gconf programs
521 ## in the caller domain.
522 ## </summary>
523 ## <param name="domain">
524 ## <summary>
525 ## Domain allowed access.
526 ## </summary>
527 ## </param>
528 #
529 interface(`gnome_exec_gconf',`
530 gen_require(`
531 type gconfd_exec_t;
532 ')
533
534 can_exec($1, gconfd_exec_t)
535 ')
536
537 ########################################
538 ## <summary>
539 ## Execute gnome keyringd in the caller domain.
540 ## </summary>
541 ## <param name="domain">
542 ## <summary>
543 ## Domain allowed access.
544 ## </summary>
545 ## </param>
546 #
547 interface(`gnome_exec_keyringd',`
548 gen_require(`
549 type gkeyringd_exec_t;
550 ')
551
552 can_exec($1, gkeyringd_exec_t)
553 corecmd_search_bin($1)
554 ')
555
556 ########################################
557 ## <summary>
558 ## Read gconf home files
559 ## </summary>
560 ## <param name="domain">
561 ## <summary>
562 ## Domain allowed access.
563 ## </summary>
564 ## </param>
565 #
566 interface(`gnome_read_gconf_home_files',`
567 gen_require(`
568 type gconf_home_t;
569 type data_home_t;
570 ')
571
572 userdom_search_user_home_dirs($1)
573 allow $1 gconf_home_t:dir list_dir_perms;
574 allow $1 data_home_t:dir list_dir_perms;
575 read_files_pattern($1, gconf_home_t, gconf_home_t)
576 read_files_pattern($1, data_home_t, data_home_t)
577 read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
578 read_lnk_files_pattern($1, data_home_t, data_home_t)
579 ')
580
581 ########################################
582 ## <summary>
583 ## Search gkeyringd temporary directories.
584 ## </summary>
585 ## <param name="domain">
586 ## <summary>
587 ## Domain allowed access.
588 ## </summary>
589 ## </param>
590 #
591 interface(`gnome_search_gkeyringd_tmp_dirs',`
592 gen_require(`
593 type gkeyringd_tmp_t;
594 ')
595
596 files_search_tmp($1)
597 allow $1 gkeyringd_tmp_t:dir search_dir_perms;
598 ')
599
600 ########################################
601 ## <summary>
602 ## search gconf homedir (.local)
603 ## </summary>
604 ## <param name="domain">
605 ## <summary>
606 ## Domain allowed access.
607 ## </summary>
608 ## </param>
609 #
610 interface(`gnome_search_gconf',`
611 gen_require(`
612 type gconf_home_t;
613 ')
614
615 allow $1 gconf_home_t:dir search_dir_perms;
616 userdom_search_user_home_dirs($1)
617 ')
618
619 ########################################
620 ## <summary>
621 ## Set attributes of Gnome config dirs.
622 ## </summary>
623 ## <param name="domain">
624 ## <summary>
625 ## Domain allowed access.
626 ## </summary>
627 ## </param>
628 #
629 interface(`gnome_setattr_config_dirs',`
630 gen_require(`
631 type gnome_home_t;
632 ')
633
634 setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
635 files_search_home($1)
636 ')
637
638 ########################################
639 ## <summary>
640 ## Manage generic gnome home files.
641 ## </summary>
642 ## <param name="domain">
643 ## <summary>
644 ## Domain allowed access.
645 ## </summary>
646 ## </param>
647 #
648 interface(`gnome_manage_generic_home_files',`
649 gen_require(`
650 type gnome_home_t;
651 ')
652
653 userdom_search_user_home_dirs($1)
654 manage_files_pattern($1, gnome_home_t, gnome_home_t)
655 ')
656
657 ########################################
658 ## <summary>
659 ## Manage generic gnome home directories.
660 ## </summary>
661 ## <param name="domain">
662 ## <summary>
663 ## Domain allowed access.
664 ## </summary>
665 ## </param>
666 #
667 interface(`gnome_manage_generic_home_dirs',`
668 gen_require(`
669 type gnome_home_t;
670 ')
671
672 userdom_search_user_home_dirs($1)
673 allow $1 gnome_home_t:dir manage_dir_perms;
674 ')
675
676 ########################################
677 ## <summary>
678 ## Append gconf home files
679 ## </summary>
680 ## <param name="domain">
681 ## <summary>
682 ## Domain allowed access.
683 ## </summary>
684 ## </param>
685 #
686 interface(`gnome_append_gconf_home_files',`
687 gen_require(`
688 type gconf_home_t;
689 ')
690
691 append_files_pattern($1, gconf_home_t, gconf_home_t)
692 ')
693
694 ########################################
695 ## <summary>
696 ## manage gconf home files
697 ## </summary>
698 ## <param name="domain">
699 ## <summary>
700 ## Domain allowed access.
701 ## </summary>
702 ## </param>
703 #
704 interface(`gnome_manage_gconf_home_files',`
705 gen_require(`
706 type gconf_home_t;
707 ')
708
709 allow $1 gconf_home_t:dir list_dir_perms;
710 manage_files_pattern($1, gconf_home_t, gconf_home_t)
711 ')
712
713 ########################################
714 ## <summary>
715 ## Connect to gnome over a unix stream socket.
716 ## </summary>
717 ## <param name="domain">
718 ## <summary>
719 ## Domain allowed access.
720 ## </summary>
721 ## </param>
722 ## <param name="user_domain">
723 ## <summary>
724 ## The type of the user domain.
725 ## </summary>
726 ## </param>
727 #
728 interface(`gnome_stream_connect',`
729 gen_require(`
730 attribute gnome_home_type;
731 ')
732
# Connect to unix stream sockets labeled with any gnome_home_type type whose
# listening process runs in the domain given as the second argument.
# NOTE(review): the target domain comes straight from the caller, so review
# each call site for which domain it exposes.
733 # Connect to pulseaudit server
734 stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
735 ')
736
737 ########################################
738 ## <summary>
739 ## list gnome homedir content (.config)
740 ## </summary>
741 ## <param name="domain">
742 ## <summary>
743 ## Domain allowed access.
744 ## </summary>
745 ## </param>
746 #
747 interface(`gnome_list_home_config',`
748 gen_require(`
749 type config_home_t;
750 ')
751
752 allow $1 config_home_t:dir list_dir_perms;
753 ')
754
755 ########################################
756 ## <summary>
757 ## Set attributes of gnome homedir content (.config)
758 ## </summary>
759 ## <param name="domain">
760 ## <summary>
761 ## Domain allowed access.
762 ## </summary>
763 ## </param>
764 #
765 template(`gnome_setattr_home_config',`
# NOTE(review): defined with template() although the body declares no types
# and the neighbouring config_home_t helpers use interface() - confirm the
# keyword is intentional.
766 gen_require(`
767 type config_home_t;
768 ')
769
770 setattr_dirs_pattern($1, config_home_t, config_home_t)
771 userdom_search_user_home_dirs($1)
772 ')
773
774 ########################################
775 ## <summary>
776 ## read gnome homedir content (.config)
777 ## </summary>
778 ## <param name="domain">
779 ## <summary>
780 ## Domain allowed access.
781 ## </summary>
782 ## </param>
783 #
784 interface(`gnome_read_home_config',`
785 gen_require(`
786 type config_home_t;
787 ')
788
789 list_dirs_pattern($1, config_home_t, config_home_t)
790 read_files_pattern($1, config_home_t, config_home_t)
791 read_lnk_files_pattern($1, config_home_t, config_home_t)
792 ')
793
794 ########################################
795 ## <summary>
796 ## manage gnome homedir content (.config)
797 ## </summary>
798 ## <param name="domain">
799 ## <summary>
800 ## Domain allowed access.
801 ## </summary>
802 ## </param>
803 #
804 template(`gnome_manage_home_config',`
# NOTE(review): defined with template() although the body declares no types
# and the neighbouring config_home_t helpers use interface() - confirm the
# keyword is intentional.
805 gen_require(`
806 type config_home_t;
807 ')
808
# Only files are covered. Unlike gnome_setattr_home_config there is no
# userdom_search_user_home_dirs call, and no rule here manages directories or
# symlinks of config_home_t - confirm callers obtain that access elsewhere.
809 manage_files_pattern($1, config_home_t, config_home_t)
810 ')
811
812 ########################################
813 ## <summary>
814 ## Read/Write all inherited gnome home config
815 ## </summary>
816 ## <param name="domain">
817 ## <summary>
818 ## Domain allowed access.
819 ## </summary>
820 ## </param>
821 #
822 interface(`gnome_rw_inherited_config',`
823 gen_require(`
824 attribute gnome_home_type;
825 ')
826
827 allow $1 gnome_home_type:file rw_inherited_file_perms;
828 ')
829
830 ########################################
831 ## <summary>
832 ## Send and receive messages from
833 ## gconf system service over dbus.
834 ## </summary>
835 ## <param name="domain">
836 ## <summary>
837 ## Domain allowed access.
838 ## </summary>
839 ## </param>
840 #
841 interface(`gnome_dbus_chat_gconfdefault',`
842 gen_require(`
843 type gconfdefaultsm_t;
844 class dbus send_msg;
845 ')
846
847 allow $1 gconfdefaultsm_t:dbus send_msg;
848 allow gconfdefaultsm_t $1:dbus send_msg;
849 ')
850
851 ########################################
852 ## <summary>
853 ## Send and receive messages from
854 ## gkeyringd over dbus.
855 ## </summary>
856 ## <param name="role_prefix">
857 ## <summary>
858 ## Role prefix.
859 ## </summary>
860 ## </param>
861 ## <param name="domain">
862 ## <summary>
863 ## Domain allowed access.
864 ## </summary>
865 ## </param>
866 #
867 interface(`gnome_dbus_chat_gkeyringd',`
# NOTE(review): the header documents role_prefix followed by domain, but the
# body uses only the first argument and treats it as the peer domain.
# Confirm what callers pass and correct the parameter documentation.
868 gen_require(`
869 attribute gkeyringd_domain;
870 class dbus send_msg;
871 ')
872
# Messages are allowed in both directions with every domain that carries the
# gkeyringd_domain attribute, so the caller can talk to the keyring daemon of
# any role, not only its own.
873 allow $1 gkeyringd_domain:dbus send_msg;
874 allow gkeyringd_domain $1:dbus send_msg;
875 ')
876
877 ########################################
878 ## <summary>
879 ## Create directories in user home directories
880 ## with the gnome home file type.
881 ## </summary>
882 ## <param name="domain">
883 ## <summary>
884 ## Domain allowed access.
885 ## </summary>
886 ## </param>
887 #
888 interface(`gnome_home_dir_filetrans',`
889 gen_require(`
890 type gnome_home_t;
891 ')
892
893 userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
894 userdom_search_user_home_dirs($1)
895 ')
896
897 ######################################
898 ## <summary>
899 ## Allow read kde config content
900 ## </summary>
901 ## <param name="domain">
902 ## <summary>
903 ## Domain allowed access.
904 ## </summary>
905 ## </param>
906 #
907 interface(`gnome_read_usr_config',`
908 gen_require(`
909 type config_usr_t;
910 ')
911
912 files_search_usr($1)
913 list_dirs_pattern($1, config_usr_t, config_usr_t)
914 read_files_pattern($1, config_usr_t, config_usr_t)
915 read_lnk_files_pattern($1, config_usr_t, config_usr_t)
916 ')
917
918 #######################################
919 ## <summary>
920 ## Allow manage kde config content
921 ## </summary>
922 ## <param name="domain">
923 ## <summary>
924 ## Domain allowed access.
925 ## </summary>
926 ## </param>
927 #
928 interface(`gnome_manage_usr_config',`
929 gen_require(`
930 type config_usr_t;
931 ')
932
933 files_search_usr($1)
934 manage_dirs_pattern($1, config_usr_t, config_usr_t)
935 manage_files_pattern($1, config_usr_t, config_usr_t)
936 manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
937 ')
938
939 ########################################
940 ## <summary>
941 ## Execute gnome-keyring in the user gkeyring domain
942 ## </summary>
943 ## <param name="domain">
944 ## <summary>
945 ## Domain allowed access
946 ## </summary>
947 ## </param>
948 ## <param name="role">
949 ## <summary>
950 ## The role to be allowed the gkeyring domain.
951 ## </summary>
952 ## </param>
953 #
954 interface(`gnome_transition_gkeyringd',`
# NOTE(review): the header documents a role as the second argument, but the
# body never references it and contains no role statement - confirm callers
# do not rely on the role being authorized here.
955 gen_require(`
956 attribute gkeyringd_domain;
957 ')
958
# Only the process transition permission is granted, and it targets every
# gkeyringd domain. No type_transition or entrypoint rule appears in this
# interface, so those presumably come from elsewhere in the policy.
959 allow $1 gkeyringd_domain:process transition;
# Denials of noatsecure, siginh and rlimitinh are kept out of the audit log;
# the permissions themselves are not granted.
960 dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
# The daemon may signal the caller (sigchld, signull) and read or write pipes
# it inherited from the caller.
961 allow gkeyringd_domain $1:process { sigchld signull };
962 allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
963 ')
964