interface(`gnome_role_gkeyringd',`
gen_require(`
attribute gkeyringd_domain;
- attribute gnome_domain;
+ attribute gnomedomain;
type gnome_home_t;
type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
class dbus send_msg;
')
- type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
typealias $1_gkeyringd_t alias gkeyringd_$1_t;
application_domain($1_gkeyringd_t, gkeyringd_exec_t)
ubac_constrained($1_gkeyringd_t)
domain_user_exemption_target($1_gkeyringd_t)
+ userdom_home_manager($1_gkeyringd_t)
+
role $2 types $1_gkeyringd_t;
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
auth_use_nsswitch($1_gkeyringd_t)
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-
+ allow $3 $1_gkeyringd_t:process signal_perms;
dontaudit $3 gkeyringd_exec_t:file entrypoint;
stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
dbus_session_bus_client($1_gkeyringd_t)
gnome_home_dir_filetrans($1_gkeyringd_t)
gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
optional_policy(`
telepathy_mission_control_read_state($1_gkeyringd_t)
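Review bot: `userdom_home_manager($1_gkeyringd_t)` on L16 is far broader than the rest of this interface, which confines the keyring daemon's home-directory access to gnome_home_t through gnome_home_dir_filetrans and gnome_manage_generic_home_dirs; if userdom_home_manager makes the domain a manager of every user home content type (as it does in reference policy), the line deserves a comment naming the denial it resolves, or should be replaced by the narrowest gnome_* interface that covers that path. The attribute rename gnome_domain → gnomedomain (L5, L11, and again at L60/L63) only works if the attribute declaration in the corresponding .te file is renamed in the same change, which is not visible in this diff. The interface's doc header and the `interface(` line at L1 precede the start of the hunk, and its closing `')` is not shown here.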
dontaudit $1 gnome_home_type:dir search_dir_perms;
')
+########################################
+## <summary>
+## Dontaudit write gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_write_config_files',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:file write;
+')
+
########################################
## <summary>
## manage gnome homedir content (.config)
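Review bot: The dontaudit on L50 is wider than the interface name and summary suggest: it covers every type carrying the gnome_home_type attribute, not only the .config type (config_home_t) that the other *_home_config* interfaces in this diff operate on. Either narrow it to `dontaudit $1 config_home_t:file write;` (with `type config_home_t;` in gen_require instead of the attribute) or reword the summary to "Dontaudit write of all gnome home directory content". Silencing write denials across the whole gnome home tree can mask genuine policy gaps, so whichever is intended should be stated in the summary.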
#
interface(`gnome_signal_all',`
gen_require(`
- attribute gnome_domain;
+ attribute gnomedomain;
')
- allow $1 gnome_domain:process signal;
+ allow $1 gnomedomain:process signal;
')
########################################
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`gnome_config_filetrans',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
+')
+
########################################
## <summary>
## Read generic cache home files (.cache)
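Review bot: gnome_config_filetrans passes `$4` to filetrans_pattern on L95 but the doc block (L74–L88) documents only three parameters, so the optional object-name argument is undocumented for callers. Add a fourth `<param name="name" optional="true">` block before the closing `#` with the summary `## The name of the object being created.`, matching the convention used for the other filetrans interfaces in reference policy. The summary at L70 says "cache home directory" although the transition is on config_home_t; presumably this should read "config home directory".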
#######################################
## <summary>
-## Manage gconf data home files
+## Read generic data home files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_data_home_files',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+#######################################
+## <summary>
+## Manage gconf data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`gnome_manage_data',`
- gen_require(`
- type data_home_t;
- type gconf_home_t;
- ')
+ gen_require(`
+ type data_home_t;
+ type gconf_home_t;
+ ')
allow $1 gconf_home_t:dir search_dir_perms;
manage_dirs_pattern($1, data_home_t, data_home_t)
- manage_files_pattern($1, data_home_t, data_home_t)
+ manage_files_pattern($1, data_home_t, data_home_t)
manage_lnk_files_pattern($1, data_home_t, data_home_t)
')
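Review bot: gnome_read_generic_data_home_files (L116–L122) grants search on gconf_home_t/data_home_t and read on data_home_t files but, unlike gnome_config_filetrans in this same diff, does not call `userdom_search_user_home_dirs($1)`, so a caller without its own search permission on the user home directory cannot reach ~/.local/share. If callers are expected to already have that permission, a one-line comment saying so would stop the next reader from adding it; otherwise add `userdom_search_user_home_dirs($1)` after the read_files_pattern line. The remaining changes in this hunk (L135–L146) appear to be indentation only.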
read_lnk_files_pattern($1, config_home_t, config_home_t)
')
+#######################################
+## <summary>
+## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_delete_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+## setattr gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
########################################
## <summary>
## manage gnome homedir content (.config)
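Review bot: gnome_delete_home_config (L161) deletes files while gnome_delete_home_config_dirs (L202) deletes directories, yet both summaries (L153 and L194) read identically "delete gnome homedir content (.config)", so a policy author cannot tell them apart from the generated documentation. Change L153 to `## Delete gnome homedir content files (.config)` and L194 to `## Delete gnome homedir content directories (.config)`; for consistency with the _dirs sibling and with gnome_setattr_home_config_dirs, the file variant would more naturally be named gnome_delete_home_config_files, though renaming is a caller-visible change. The same point applies to the hunk ending at L212.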
manage_files_pattern($1, config_home_t, config_home_t)
')
+#######################################
+## <summary>
+## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_delete_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ delete_dirs_pattern($1, config_home_t, config_home_t)
+')
+
########################################
## <summary>
## manage gnome homedir content (.config)
allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
')
-
########################################
## <summary>
## Create gnome content in the user home directory