Add colord and allow user_t and staff_t to dbus chat with it
authorDan Walsh <dwalsh@redhat.com>
Mon, 7 Mar 2011 17:04:20 +0000 (12:04 -0500)
committerDan Walsh <dwalsh@redhat.com>
Mon, 7 Mar 2011 17:04:20 +0000 (12:04 -0500)
policy/modules/roles/staff.te
policy/modules/roles/unprivuser.te
policy/modules/services/colord.fc [new file with mode: 0644]
policy/modules/services/colord.if [new file with mode: 0644]
policy/modules/services/colord.te [new file with mode: 0644]
policy/modules/services/ssh.te

index e4d46e9fc78d8984cd643b874ea28dfb3458334f..d519104618d889902bab95859c26f8981549ea6d 100644 (file)
@@ -67,6 +67,10 @@ optional_policy(`
        accountsd_read_lib_files(staff_t)
 ')
 
+optional_policy(`
+       colord_dbus_chat(staff_t)
+')
+
 optional_policy(`
        gnomeclock_dbus_chat(staff_t)
 ')
index 54ea4f5f7cdf4879cbda49df4a4fb52f4577e153..10d03a303670d0ff985bb3d2dc37220270c84ace 100644 (file)
@@ -26,6 +26,10 @@ optional_policy(`
        apache_role(user_r, user_t)
 ')
 
+optional_policy(`
+       colord_dbus_chat(user_t)
+')
+
 optional_policy(`
        gnome_role(user_r, user_t)
 ')
diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
new file mode 100644 (file)
index 0000000..7a01ff6
--- /dev/null
@@ -0,0 +1,4 @@
+
+/usr/libexec/colord            --      gen_context(system_u:object_r:colord_exec_t,s0)
+
+/var/lib/colord(/.*)?                  gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
new file mode 100644 (file)
index 0000000..38cb883
--- /dev/null
@@ -0,0 +1,42 @@
+
+## <summary>policy for colord</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run colord.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_domtrans',`
+       gen_require(`
+               type colord_t, colord_exec_t;
+       ')
+
+       domtrans_pattern($1, colord_exec_t, colord_t)
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     colord over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`colord_dbus_chat',`
+       gen_require(`
+               type colord_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 colord_t:dbus send_msg;
+       allow colord_t $1:dbus send_msg;
+')
+
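Review bot: The two interface headers document `<param name="domain">` with different layouts: `colord_domtrans` keeps `<summary>` flush with the `##` prefix (the three lines after `<param name="domain">` in the first block), while `colord_dbus_chat` indents `<summary>` and its closing tag by a tab in the second block. Both presumably parse, but a new module should pick one form; the refpolicy files this commit touches (staff.te, unprivuser.te) cannot show which, so I would match the flush style used by the first interface so the file is self-consistent, i.e. `## <summary>` / `##     Domain allowed access.` / `## </summary>` in `colord_dbus_chat` as well.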
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644 (file)
index 0000000..fd633bf
--- /dev/null
@@ -0,0 +1,67 @@
+policy_module(colord,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
+
+type colord_var_lib_t;
+files_type(colord_var_lib_t)
+
+type colord_tmp_t;
+files_tmp_file(colord_tmp_t)
+
+permissive colord_t;
+
+########################################
+#
+# colord local policy
+#
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
+allow colord_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
+
+manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+kernel_read_device_sysctls(colord_t)
+
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
+
+dev_read_raw_memory(colord_t)
+dev_write_raw_memory(colord_t)
+dev_read_video_dev(colord_t)
+dev_write_video_dev(colord_t)
+dev_read_rand(colord_t)
+dev_read_sysfs(colord_t)
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_read_generic_usb_dev(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
+miscfiles_read_localization(colord_t)
+
+sysnet_dns_name_resolve(colord_t)
+
+optional_policy(`
+       cups_read_rw_config(colord_t)
+       cups_stream_connect(colord_t)
+')
+
+optional_policy(`
+       udev_read_db(colord_t)
+')
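Review bot: `permissive colord_t;` near the top of the new module makes the whole domain permissive, so none of the rules below are enforced and AVC denials for colord_t are only logged; that is a normal bootstrapping step, but it deserves a comment so it is not shipped by accident, e.g. `# permissive while the policy is developed: denials are only audited, not blocked` / `# TODO: remove once the domain has been exercised with colord's normal workload`. Separately, `dev_read_raw_memory(colord_t)` and `dev_write_raw_memory(colord_t)` grant read/write on the raw memory device type, which is far broader than the video, sysfs and USB access around them; a why-comment stating which colord operation needs raw memory access (or a note that the rules are provisional and should be revisited once the permissive-mode audit log shows what is actually used) would help the next maintainer judge whether they can be dropped. The tmp and var_lib types are declared and handled consistently, so those parts look fine.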
index 9a289e228166204e87469f728cba83cee8386438..9a7c2aefda7288a5eeb846f7e039e61e2c5450f3 100644 (file)
@@ -206,6 +206,10 @@ tunable_policy(`user_tcp_server',`
        corenet_tcp_bind_generic_node(ssh_t)
 ')
 
+optional_policy(`
+       gnome_stream_connect_all_gkeyringd(ssh_t)
+')
+
 optional_policy(`
        xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
        xserver_domtrans_xauth(ssh_t)
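Review bot: The new `optional_policy` block adding `gnome_stream_connect_all_gkeyringd(ssh_t)` is unrelated to the commit's stated purpose ("Add colord and allow user_t and staff_t to dbus chat with it"), and the commit message does not mention the ssh change at all. Either the message should say why the ssh client domain now needs to connect to all gnome-keyring daemon sockets, or the hunk belongs in its own commit, since a reader searching history for the origin of this ssh_t access will not find it under a colord subject. The trailing `optional_policy` block for xserver continues past the end of the hunk.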