permissive glance_api_t;
')
+optional_policy(`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ permissive thumb_t;
+')
+
--- /dev/null
+
+/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
--- /dev/null
+
+## <summary>policy for thumb</summary>
+
+
+########################################
+## <summary>
+## Transition to thumb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thumb_domtrans',`
+ gen_require(`
+ type thumb_t, thumb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, thumb_exec_t, thumb_t)
+')
+
+
+########################################
+## <summary>
+## Execute thumb in the thumb domain, and
+## allow the specified role the thumb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the thumb domain.
+## </summary>
+## </param>
+#
+interface(`thumb_run',`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ thumb_domtrans($1)
+ role $2 types thumb_t;
+')
+
+########################################
+## <summary>
+## Role access for thumb
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`thumb_role',`
+ gen_require(`
+ type thumb_t;
+ ')
+
+ role $1 types thumb_t;
+
+ thumb_domtrans($2)
+
+ ps_process_pattern($2, thumb_t)
+ allow $2 thumb_t:process signal;
+')
+
--- /dev/null
+policy_module(thumb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type thumb_t;
+type thumb_exec_t;
+application_domain(thumb_t, thumb_exec_t)
+role system_r types thumb_t;
+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
+
+########################################
+#
+# thumb local policy
+#
+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(thumb_t)
+
+kernel_read_system_state(thumb_t)
+
+files_read_etc_files(thumb_t)
+files_read_usr_files(thumb_t)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
+
+miscfiles_read_localization(thumb_t)
+
+userdom_read_user_home_content_files(thumb_t)
+userdom_use_inherited_user_ptys(thumb_t)
slrnpull_search_spool($1_usertype)
')
+ optional_policy(`
+ thumb_role($1_r, $1_usertype)
+ ')
')
#######################################