Remove module for telepathy.
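# SELinux policy module for the thumb_t domain.
# Everything granted below is available to the thumbnailer process, so
# each rule should be read as "what can be done from thumb_t if the
# process is subverted by a file it is parsing".
policy_module(thumb, 1.0.0)

########################################
#
# Declarations
#

# Process domain and its entrypoint executable type.
type thumb_t;
type thumb_exec_t;
application_domain(thumb_t, thumb_exec_t)
ubac_constrained(thumb_t)

# Private type for temporary files created by thumb_t.
type thumb_tmp_t;
files_tmp_file(thumb_tmp_t)
ubac_constrained(thumb_tmp_t)

########################################
#
# thumb local policy
#

allow thumb_t self:process { setsched signal setrlimit };

# execmem is granted in the else-branch, i.e. whenever the deny_execmem
# boolean is off. With the boolean off, thumb_t may map memory that is
# both writable and executable; turn deny_execmem on where the
# thumbnailers in use do not need it.
tunable_policy(`deny_execmem',`',`
	allow thumb_t self:process execmem;
')

allow thumb_t self:fifo_file manage_fifo_file_perms;
allow thumb_t self:unix_stream_socket create_stream_socket_perms;
allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
# NOTE(review): UDP and TCP socket creation is allowed here, but no
# corenet rules are visible in this file. Presumably these back the
# name-service lookups enabled by auth_use_nsswitch below; confirm
# against that interface and drop them if it already covers the need.
allow thumb_t self:udp_socket create_socket_perms;
allow thumb_t self:tcp_socket create_socket_perms;

# thumb_t can create, modify and execute thumb_tmp_t files, so the same
# file may be written and then run from this domain.
# NOTE(review): check which thumbnailer needs exec on its own temp
# files; without that need, removing exec_files_pattern narrows the
# domain.
manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
# Files and directories that thumb_t creates in the system and user
# temp directories are labelled thumb_tmp_t.
files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })

kernel_read_system_state(thumb_t)

domain_use_interactive_fds(thumb_t)

corecmd_exec_bin(thumb_t)

dev_read_sysfs(thumb_t)

files_read_etc_files(thumb_t)
files_read_usr_files(thumb_t)

auth_use_nsswitch(thumb_t)

miscfiles_read_fonts(thumb_t)
miscfiles_read_localization(thumb_t)

sysnet_read_config(thumb_t)

# Read access to user home content and user temp files is the input
# side of the domain. Write access to user temp files goes beyond the
# private thumb_tmp_t type declared above.
userdom_read_user_tmp_files(thumb_t)
userdom_read_user_home_content_files(thumb_t)
userdom_write_user_tmp_files(thumb_t)
userdom_read_home_audio_files(thumb_t)

userdom_use_inherited_user_ptys(thumb_t)

xserver_read_xdm_home_files(thumb_t)
xserver_append_xdm_home_files(thumb_t)
xserver_dontaudit_read_xdm_pid(thumb_t)
xserver_stream_connect(thumb_t)

# The session bus rules are dontaudit only: access stays denied and the
# denials are not logged. Disable dontaudit rules temporarily when
# investigating unexpected thumb_t behaviour.
optional_policy(`
	dbus_dontaudit_stream_connect_session_bus(thumb_t)
	dbus_dontaudit_chat_session_bus(thumb_t)
')

optional_policy(`
	# .config
	gnome_dontaudit_search_config(thumb_t)
	gnome_read_generic_data_home_files(thumb_t)
	gnome_manage_gstreamer_home_files(thumb_t)
')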