Remove module for gnome. 001
authorStefan Schantl <stefan.schantl@ipfire.org>
Sat, 21 Jan 2012 18:10:53 +0000 (19:10 +0100)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sat, 21 Jan 2012 18:21:59 +0000 (19:21 +0100)
44 files changed:
policy/modules/admin/firstboot.te
policy/modules/admin/prelink.te
policy/modules/apps/gnome.fc [deleted file]
policy/modules/apps/gnome.if [deleted file]
policy/modules/apps/gnome.te [deleted file]
policy/modules/apps/gpg.te
policy/modules/apps/mplayer.te
policy/modules/apps/pulseaudio.te
policy/modules/apps/sandbox.te
policy/modules/apps/userhelper.te
policy/modules/kernel/corecommands.fc
policy/modules/kernel/domain.te
policy/modules/kernel/kernel.te
policy/modules/roles/staff.te
policy/modules/roles/sysadm.te
policy/modules/roles/unconfineduser.te
policy/modules/roles/unprivuser.te
policy/modules/roles/xguest.te
policy/modules/services/cobbler.te
policy/modules/services/colord.te
policy/modules/services/cups.te
policy/modules/services/dbus.te
policy/modules/services/denyhosts.te
policy/modules/services/devicekit.te
policy/modules/services/dovecot.te
policy/modules/services/fail2ban.te
policy/modules/services/hal.te
policy/modules/services/mailman.te
policy/modules/services/networkmanager.te
policy/modules/services/piranha.te
policy/modules/services/policykit.te
policy/modules/services/procmail.te
policy/modules/services/setroubleshoot.te
policy/modules/services/ssh.te
policy/modules/services/tuned.te
policy/modules/services/xserver.if
policy/modules/services/xserver.te
policy/modules/system/init.te
policy/modules/system/libraries.te
policy/modules/system/systemd.fc
policy/modules/system/systemd.te
policy/modules/system/udev.te
policy/modules/system/userdomain.if
policy/modules/system/userdomain.te

index bd59f2e1295c86db30a3be209bc43fcab585348b..69695bcbc6de4d4c90f665ecdf77779744380ea8 100644 (file)
@@ -136,11 +136,6 @@ optional_policy(`
        usermanage_domtrans_admin_passwd(firstboot_t)
 ')
 
-optional_policy(`
-       gnome_admin_home_gconf_filetrans(firstboot_t, dir)
-       gnome_manage_config(firstboot_t)
-')
-
 optional_policy(`
        xserver_domtrans(firstboot_t)
        xserver_rw_shm(firstboot_t)
index 20fd89c1f280e63b3c17554053c8a497207daee0..086ad1aa0bb951bc20c8a186ace5b120585583db 100644 (file)
@@ -120,11 +120,6 @@ optional_policy(`
        cron_system_entry(prelink_t, prelink_exec_t)
 ')
 
-optional_policy(`
-       gnome_dontaudit_read_config(prelink_t)
-       gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
-')
-
 optional_policy(`
        rpm_manage_tmp_files(prelink_t)
 ')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
deleted file mode 100644 (file)
index fba11e1..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
-HOME_DIR/\.color/icc(/.*)?     gen_context(system_u:object_r:icc_data_home_t,s0)
-HOME_DIR/\.config(/.*)?        gen_context(system_u:object_r:config_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)?     gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome2(/.*)?                gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)?       gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-HOME_DIR/\.gstreamer-.*                gen_context(system_u:object_r:gstreamer_home_t,s0)
-HOME_DIR/\.local.*             gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.local/share(/.*)?   gen_context(system_u:object_r:data_home_t,s0)
-HOME_DIR/\.local/share/icc(/.*)?       gen_context(system_u:object_r:icc_data_home_t,s0)
-HOME_DIR/\.Xdefaults           gen_context(system_u:object_r:config_home_t,s0)
-HOME_DIR/\.xine(/.*)?          gen_context(system_u:object_r:config_home_t,s0)
-
-/var/run/user/[^/]*/dconf(/.*)?        gen_context(system_u:object_r:config_home_t,s0)
-
-/root/\.cache(/.*)?    gen_context(system_u:object_r:cache_home_t,s0)
-/root/\.color/icc(/.*)?        gen_context(system_u:object_r:icc_data_home_t,s0)
-/root/\.config(/.*)?           gen_context(system_u:object_r:config_home_t,s0)
-/root/\.gconf(d)?(/.*)?        gen_context(system_u:object_r:gconf_home_t,s0)
-/root/\.gnome2(/.*)?           gen_context(system_u:object_r:gnome_home_t,s0)
-/root/\.gnome2/keyrings(/.*)?  gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-/root/\.gstreamer-.*           gen_context(system_u:object_r:gstreamer_home_t,s0)
-/root/\.local.*                        gen_context(system_u:object_r:gconf_home_t,s0)
-/root/\.local/share(/.*)?      gen_context(system_u:object_r:data_home_t,s0)
-/root/\.local/share/icc(/.*)?  gen_context(system_u:object_r:icc_data_home_t,s0)
-/root/\.Xdefaults              gen_context(system_u:object_r:config_home_t,s0)
-/root/\.xine(/.*)?             gen_context(system_u:object_r:config_home_t,s0)
-
-/etc/gconf(/.*)?               gen_context(system_u:object_r:gconf_etc_t,s0)
-
-/tmp/gconfd-USER/.*    --      gen_context(system_u:object_r:gconf_tmp_t,s0)
-
-/usr/share/config(/.*)?        gen_context(system_u:object_r:config_usr_t,s0)
-
-/usr/bin/gnome-keyring-daemon  --      gen_context(system_u:object_r:gkeyringd_exec_t,s0)
-
-# Don't use because toolchain is broken
-#/usr/libexec/gconfd-2 --      gen_context(system_u:object_r:gconfd_exec_t,s0)
-
-/usr/libexec/gconf-defaults-mechanism          --      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-
-/usr/libexec/gnome-system-monitor-mechanism    --      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
deleted file mode 100644 (file)
index 1be6bcd..0000000
+++ /dev/null
@@ -1,1296 +0,0 @@
-## <summary>GNU network object model environment (GNOME)</summary>
-
-###########################################################
-## <summary>
-##  Role access for gnome
-## </summary>
-## <param name="role">
-##  <summary>
-##  Role allowed access
-##  </summary>
-## </param>
-## <param name="domain">
-##  <summary>
-##  User domain for the role
-##  </summary>
-## </param>
-#
-interface(`gnome_role',`
-    gen_require(`
-        type gconfd_t, gconfd_exec_t;
-        type gconf_tmp_t;
-    ')
-
-    role $1 types gconfd_t;
-
-    domain_auto_trans($2, gconfd_exec_t, gconfd_t)
-    allow gconfd_t $2:fd use;
-    allow gconfd_t $2:fifo_file write;
-    allow gconfd_t $2:unix_stream_socket connectto;
-
-    ps_process_pattern($2, gconfd_t)
-
-       #gnome_stream_connect_gconf_template($1, $2)
-       read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
-       allow $2 gconfd_t:unix_stream_socket connectto;
-')
-
-######################################
-## <summary>
-##      The role template for the gnome-keyring-daemon.
-## </summary>
-## <param name="user_prefix">
-##      <summary>
-##      The user prefix.
-##      </summary>
-## </param>
-## <param name="user_role">
-##      <summary>
-##      The user role.
-##      </summary>
-## </param>
-## <param name="user_domain">
-##      <summary>
-##      The user domain associated with the role.
-##      </summary>
-## </param>
-#
-interface(`gnome_role_gkeyringd',`
-        gen_require(`
-                attribute gkeyringd_domain;
-                attribute gnomedomain;
-                type gnome_home_t;
-                type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
-               class dbus send_msg;
-        ')
-
-       type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
-       typealias $1_gkeyringd_t alias gkeyringd_$1_t;
-       application_domain($1_gkeyringd_t, gkeyringd_exec_t)
-       ubac_constrained($1_gkeyringd_t)
-       domain_user_exemption_target($1_gkeyringd_t)
-
-       userdom_home_manager($1_gkeyringd_t)
-
-       role $2 types $1_gkeyringd_t;
-
-       domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-
-       allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
-       allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
-
-       allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
-       allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-
-       corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
-       corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
-       allow $1_gkeyringd_t $3:process sigkill;
-       allow $3 $1_gkeyringd_t:fd use;
-       allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
-
-       ps_process_pattern($1_gkeyringd_t, $3)
-
-       auth_use_nsswitch($1_gkeyringd_t)
-
-       ps_process_pattern($3, $1_gkeyringd_t)
-       allow $3 $1_gkeyringd_t:process signal_perms;
-       dontaudit $3 gkeyringd_exec_t:file entrypoint;
-
-       stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
-
-       allow $1_gkeyringd_t $3:dbus send_msg;
-       allow $3 $1_gkeyringd_t:dbus send_msg;
-       optional_policy(`
-               dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
-               dbus_session_bus_client($1_gkeyringd_t)
-               gnome_home_dir_filetrans($1_gkeyringd_t)
-               gnome_manage_generic_home_dirs($1_gkeyringd_t)
-               gnome_read_generic_data_home_files($1_gkeyringd_t)
-       ')
-')
-
-########################################
-## <summary>
-##     gconf connection template.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_stream_connect_gconf',`
-       gen_require(`
-               type gconfd_t, gconf_tmp_t;
-       ')
-
-       read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-       allow $1 gconfd_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##     Connect to gkeyringd with a unix stream socket. 
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_stream_connect_gkeyringd',`
-       gen_require(`
-                       attribute gkeyringd_domain;
-                       type gkeyringd_tmp_t;
-                       type gconf_tmp_t;
-       ')
-
-       allow $1 gconf_tmp_t:dir search_dir_perms;
-       stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-')
-
-########################################
-## <summary>
-##     Connect to gkeyringd with a unix stream socket. 
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_stream_connect_all_gkeyringd',`
-       gen_require(`
-               attribute gkeyringd_domain;
-               type gkeyringd_tmp_t;
-               type gconf_tmp_t;
-       ')
-
-       allow $1 gconf_tmp_t:dir search_dir_perms;
-       stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-')
-
-########################################
-## <summary>
-##     Run gconfd in gconfd domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_domtrans_gconfd',`
-       gen_require(`
-               type gconfd_t, gconfd_exec_t;
-       ')
-
-       domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-')
-
-########################################
-## <summary>
-##     Dontaudit read gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`gnome_dontaudit_read_config',`
-       gen_require(`
-               attribute gnome_home_type;
-       ')
-
-       dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
-')
-
-########################################
-## <summary>
-##     Dontaudit search gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`gnome_dontaudit_search_config',`
-       gen_require(`
-               attribute gnome_home_type;
-       ')
-
-       dontaudit $1 gnome_home_type:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##     Dontaudit write gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`gnome_dontaudit_write_config_files',`
-       gen_require(`
-               attribute gnome_home_type;
-       ')
-
-       dontaudit $1 gnome_home_type:file write;
-')
-
-########################################
-## <summary>
-##     manage gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_config',`
-       gen_require(`
-               attribute gnome_home_type;
-       ')
-
-       allow $1 gnome_home_type:dir manage_dir_perms;
-       allow $1 gnome_home_type:file manage_file_perms;
-       allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     Send general signals to all gconf domains.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_signal_all',`
-       gen_require(`
-               attribute gnomedomain;
-       ')
-
-       allow $1 gnomedomain:process signal;
-')
-
-########################################
-## <summary>
-##     Create objects in a Gnome cache home directory
-##     with an automatic type transition to
-##     a specified private type.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="private_type">
-##     <summary>
-##     The type of the object to create.
-##     </summary>
-## </param>
-## <param name="object_class">
-##     <summary>
-##     The class of the object to be created.
-##     </summary>
-## </param>
-#
-interface(`gnome_cache_filetrans',`
-       gen_require(`
-               type cache_home_t;
-       ')
-
-       filetrans_pattern($1, cache_home_t, $2, $3, $4)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     Create objects in a Gnome cache home directory
-##     with an automatic type transition to
-##     a specified private type.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="private_type">
-##     <summary>
-##     The type of the object to create.
-##     </summary>
-## </param>
-## <param name="object_class">
-##     <summary>
-##     The class of the object to be created.
-##     </summary>
-## </param>
-#
-interface(`gnome_config_filetrans',`
-       gen_require(`
-               type config_home_t;
-       ')
-
-       filetrans_pattern($1, config_home_t, $2, $3, $4)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     Read generic cache home files (.cache)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_generic_cache_files',`
-       gen_require(`
-               type cache_home_t;
-       ')
-
-       read_files_pattern($1, cache_home_t, cache_home_t)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     Set attributes of cache home dir (.cache)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_setattr_cache_home_dir',`
-       gen_require(`
-               type cache_home_t;
-       ')
-
-       setattr_dirs_pattern($1, cache_home_t, cache_home_t)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     append to generic cache home files (.cache)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_append_generic_cache_files',`
-       gen_require(`
-               type cache_home_t;
-       ')
-
-       append_files_pattern($1, cache_home_t, cache_home_t)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     write to generic cache home files (.cache)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_write_generic_cache_files',`
-       gen_require(`
-               type cache_home_t;
-       ')
-
-       write_files_pattern($1, cache_home_t, cache_home_t)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     Dontaudit read/write to generic cache home files (.cache)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`gnome_dontaudit_rw_generic_cache_files',`
-       gen_require(`
-               type cache_home_t;
-       ')
-
-       dontaudit $1 cache_home_t:file rw_inherited_file_perms;
-')
-
-########################################
-## <summary>
-##     read gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_config',`
-       gen_require(`
-               attribute gnome_home_type;
-       ')
-
-       list_dirs_pattern($1, gnome_home_type, gnome_home_type)
-       read_files_pattern($1, gnome_home_type, gnome_home_type)
-       read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
-')
-
-########################################
-## <summary>
-##     Create objects in a Gnome gconf home directory
-##     with an automatic type transition to
-##     a specified private type.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="private_type">
-##     <summary>
-##     The type of the object to create.
-##     </summary>
-## </param>
-## <param name="object_class">
-##     <summary>
-##     The class of the object to be created.
-##     </summary>
-## </param>
-#
-interface(`gnome_data_filetrans',`
-       gen_require(`
-               type data_home_t;
-       ')
-
-       filetrans_pattern($1, data_home_t, $2, $3, $4)
-       gnome_search_gconf($1)
-')
-
-#######################################
-## <summary>
-##     Read generic data home files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_generic_data_home_files',`
-       gen_require(`
-               type data_home_t, gconf_home_t;
-       ')
-
-       read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
-')
-
-#######################################
-## <summary>
-##     Manage gconf data home files
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_data',`
-       gen_require(`
-               type data_home_t;
-               type gconf_home_t;
-       ')
-
-               allow $1 gconf_home_t:dir search_dir_perms;
-               manage_dirs_pattern($1, data_home_t, data_home_t)
-               manage_files_pattern($1, data_home_t, data_home_t)
-               manage_lnk_files_pattern($1, data_home_t, data_home_t)
-')
-
-########################################
-## <summary>
-##     Read icc data home content.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_home_icc_data_content',`
-       gen_require(`
-               type icc_data_home_t, gconf_home_t, data_home_t;
-       ')
-
-       userdom_search_user_home_dirs($1)
-       allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
-       list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
-       read_files_pattern($1, icc_data_home_t, icc_data_home_t)
-       read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
-')
-
-########################################
-## <summary>
-##     Read inherited icc data home files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_inherited_home_icc_data_files',`
-       gen_require(`
-               type icc_data_home_t;
-       ')
-
-       allow $1 icc_data_home_t:file read_inherited_file_perms;
-')
-
-########################################
-## <summary>
-##     Create gconf_home_t objects in the /root directory
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="object_class">
-##     <summary>
-##     The class of the object to be created.
-##     </summary>
-## </param>
-#
-interface(`gnome_admin_home_gconf_filetrans',`
-       gen_require(`
-               type gconf_home_t;
-       ')
-
-       userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
-')
-
-########################################
-## <summary>
-##     Do not audit attempts to read
-##     inherited gconf config files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
-       gen_require(`
-               type gconf_etc_t;
-       ')
-
-       dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
-')
-
-########################################
-## <summary>
-##     read gconf config files
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_gconf_config',`
-       gen_require(`
-               type gconf_etc_t;
-       ')
-
-       allow $1 gconf_etc_t:dir list_dir_perms;
-       read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-       files_search_etc($1)
-')
-
-#######################################
-## <summary>
-##      Manage gconf config files
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`gnome_manage_gconf_config',`
-        gen_require(`
-                type gconf_etc_t;
-        ')
-
-        allow $1 gconf_etc_t:dir list_dir_perms;
-        manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-')
-
-########################################
-## <summary>
-##     Execute gconf programs in 
-##     in the caller domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_exec_gconf',`
-       gen_require(`
-               type gconfd_exec_t;
-       ')
-
-       can_exec($1, gconfd_exec_t)
-')
-
-########################################
-## <summary>
-##     Execute gnome keyringd in the caller domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_exec_keyringd',`
-       gen_require(`
-               type gkeyringd_exec_t;
-       ')
-
-       can_exec($1, gkeyringd_exec_t)
-       corecmd_search_bin($1)
-')
-
-########################################
-## <summary>
-##     Read gconf home files
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_gconf_home_files',`
-       gen_require(`
-               type gconf_home_t;
-               type data_home_t;
-       ')
-
-       userdom_search_user_home_dirs($1)
-       allow $1 gconf_home_t:dir list_dir_perms;
-       allow $1 data_home_t:dir list_dir_perms;
-       read_files_pattern($1, gconf_home_t, gconf_home_t)
-       read_files_pattern($1, data_home_t, data_home_t)
-       read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
-       read_lnk_files_pattern($1, data_home_t, data_home_t)
-')
-
-########################################
-## <summary>
-##     Search gkeyringd temporary directories.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_search_gkeyringd_tmp_dirs',`
-       gen_require(`
-               type gkeyringd_tmp_t;
-       ')
-
-       files_search_tmp($1)
-       allow $1 gkeyringd_tmp_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##     search gconf homedir (.local)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_search_gconf',`
-       gen_require(`
-               type gconf_home_t;
-       ')
-
-       allow $1 gconf_home_t:dir search_dir_perms;
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     Set attributes of Gnome config dirs.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_setattr_config_dirs',`
-       gen_require(`
-               type gnome_home_t;
-       ')
-
-       setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-       files_search_home($1)
-')
-
-########################################
-## <summary>
-##     Manage generic gnome home files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_generic_home_files',`
-       gen_require(`
-               type gnome_home_t;
-       ')
-
-       userdom_search_user_home_dirs($1)
-       manage_files_pattern($1, gnome_home_t, gnome_home_t)
-')
-
-########################################
-## <summary>
-##     Manage generic gnome home directories.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_generic_home_dirs',`
-       gen_require(`
-               type gnome_home_t;
-       ')
-
-       userdom_search_user_home_dirs($1)
-       allow $1 gnome_home_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##     Append gconf home files
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_append_gconf_home_files',`
-       gen_require(`
-               type gconf_home_t;
-       ')
-
-       append_files_pattern($1, gconf_home_t, gconf_home_t)
-')
-
-########################################
-## <summary>
-##     manage gconf home files
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_gconf_home_files',`
-       gen_require(`
-               type gconf_home_t;
-       ')
-
-       allow $1 gconf_home_t:dir list_dir_perms;
-       manage_files_pattern($1, gconf_home_t, gconf_home_t)
-')
-
-########################################
-## <summary>
-##     Connect to gnome over an unix stream socket.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="user_domain">
-##     <summary>
-##     The type of the user domain.
-##     </summary>
-## </param>
-#
-interface(`gnome_stream_connect',`
-       gen_require(`
-               attribute gnome_home_type;
-       ')
-
-       # Connect to pulseaudit server
-       stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
-')
-
-########################################
-## <summary>
-##     list gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_list_home_config',`
-       gen_require(`
-               type config_home_t;
-       ')
-
-       allow $1 config_home_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##     Set attributes of gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_setattr_home_config',`
-       gen_require(`
-               type config_home_t;
-       ')
-
-       setattr_dirs_pattern($1, config_home_t, config_home_t)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     read gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_home_config',`
-       gen_require(`
-               type config_home_t;
-       ')
-
-       list_dirs_pattern($1, config_home_t, config_home_t)
-       read_files_pattern($1, config_home_t, config_home_t)
-       read_lnk_files_pattern($1, config_home_t, config_home_t)
-')
-
-#######################################
-## <summary>
-##  delete gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`gnome_delete_home_config',`
-    gen_require(`
-        type config_home_t;
-    ')
-
-    delete_files_pattern($1, config_home_t, config_home_t)
-')
-
-#######################################
-## <summary>
-##  setattr gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`gnome_setattr_home_config_dirs',`
-    gen_require(`
-        type config_home_t;
-    ')
-
-    setattr_dirs_pattern($1, config_home_t, config_home_t)
-')
-
-########################################
-## <summary>
-##     manage gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_home_config',`
-       gen_require(`
-               type config_home_t;
-       ')
-
-       manage_files_pattern($1, config_home_t, config_home_t)
-')
-
-#######################################
-## <summary>
-##  delete gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`gnome_delete_home_config_dirs',`
-    gen_require(`
-        type config_home_t;
-    ')
-
-    delete_dirs_pattern($1, config_home_t, config_home_t)
-')
-
-########################################
-## <summary>
-##     manage gnome homedir content (.config)
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_home_config_dirs',`
-       gen_require(`
-               type config_home_t;
-       ')
-
-       manage_dirs_pattern($1, config_home_t, config_home_t)
-')
-
-########################################
-## <summary>
-##     manage gstreamer home content files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_manage_gstreamer_home_files',`
-       gen_require(`
-               type gstreamer_home_t;
-       ')
-
-       manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
-')
-
-########################################
-## <summary>
-##     Read/Write all inherited gnome home config 
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_rw_inherited_config',`
-       gen_require(`
-               attribute gnome_home_type;
-       ')
-
-       allow $1 gnome_home_type:file rw_inherited_file_perms;
-')
-
-########################################
-## <summary>
-##     Send and receive messages from
-##     gconf system service over dbus.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_dbus_chat_gconfdefault',`
-       gen_require(`
-               type gconfdefaultsm_t;
-               class dbus send_msg;
-       ')
-
-       allow $1 gconfdefaultsm_t:dbus send_msg;
-       allow gconfdefaultsm_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##     Send and receive messages from
-##     gkeyringd over dbus.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_dbus_chat_gkeyringd',`
-       gen_require(`
-               attribute gkeyringd_domain;
-               class dbus send_msg;
-       ')
-
-       allow $1 gkeyringd_domain:dbus send_msg;
-       allow gkeyringd_domain $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##     Send signull signal to gkeyringd processes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_signull_gkeyringd',`
-       gen_require(`
-               attribute gkeyringd_domain;
-       ')
-
-       allow $1 gkeyringd_domain:process signull;
-')
-
-########################################
-## <summary>
-##     Allow the domain to read gkeyringd state files in /proc.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_read_gkeyringd_state',`
-       gen_require(`
-               attribute gkeyringd_domain;
-       ')
-
-       ps_process_pattern($1, gkeyringd_domain)
-')
-
-########################################
-## <summary>
-##     Create directories in user home directories
-##     with the gnome home file type.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_home_dir_filetrans',`
-       gen_require(`
-               type gnome_home_t;
-       ')
-
-       userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
-       userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-##     Execute gnome-keyring in the user gkeyring domain
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access
-##     </summary>
-## </param>
-## <param name="role">
-##     <summary>
-##     The role to be allowed the gkeyring domain.
-##     </summary>
-## </param>
-#
-interface(`gnome_transition_gkeyringd',`
-       gen_require(`
-               attribute gkeyringd_domain;
-       ')
-
-       allow $1 gkeyringd_domain:process transition;
-       dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
-       allow gkeyringd_domain $1:process { sigchld signull };
-       allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
-')
-
-########################################
-## <summary>
-##     Create gnome content in the user home directory
-##     with an correct label.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_filetrans_home_content',`
-
-gen_require(`
-       type config_home_t;
-       type cache_home_t;
-       type gstreamer_home_t;
-       type gconf_home_t;
-       type gnome_home_t;
-       type data_home_t, icc_data_home_t;
-       type gkeyringd_gnome_home_t;
-')
-
-       userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
-       userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
-       userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
-       userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
-       userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
-       userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
-       userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
-       userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
-       userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
-       userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
-       # ~/.color/icc: legacy
-       userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
-       filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-       filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
-       filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
-       userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
-')
-
-########################################
-## <summary>
-##     Create gnome directory in the /root directory
-##     with an correct label.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`gnome_filetrans_admin_home_content',`
-
-gen_require(`
-       type config_home_t;
-       type cache_home_t;
-       type gstreamer_home_t;
-       type gconf_home_t;
-       type gnome_home_t;
-       type icc_data_home_t;
-')
-
-       userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
-       userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
-       userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
-       userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
-       userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
-       userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
-       userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
-       userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
-       userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
-       # /root/.color/icc: legacy
-       userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
-')
-
-######################################
-## <summary>
-##  Execute gnome-keyring executable
-##  in the specified domain.
-## </summary>
-## <desc>
-##  <p>
-##  Execute a telepathy executable
-##  in the specified domain.  This allows
-##  the specified domain to execute any file
-##  on these filesystems in the specified
-##  domain. 
-##  </p>
-##  <p>
-##  No interprocess communication (signals, pipes,
-##  etc.) is provided by this interface since
-##  the domains are not owned by this module.
-##  </p>
-##  <p>
-##  This interface was added to handle
-##  the ssh-agent policy.
-##  </p>
-## </desc>
-## <param name="domain">
-##  <summary>
-##  Domain allowed to transition.
-##  </summary>
-## </param>
-## <param name="target_domain">
-##  <summary>
-##  The type of the new process.
-##  </summary>
-## </param>
-#
-interface(`gnome_command_domtrans_gkeyringd', `
-    gen_require(`
-        type gkeyringd_exec_t;
-    ')
-
-    allow $2 gkeyringd_exec_t:file entrypoint;
-    domain_transition_pattern($1, gkeyringd_exec_t, $2)
-    type_transition $1 gkeyringd_exec_t:process $2;
-')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
deleted file mode 100644 (file)
index 3c5d792..0000000
+++ /dev/null
@@ -1,263 +0,0 @@
-policy_module(gnome, 2.1.0)
-
-##############################
-#
-# Declarations
-#
-
-attribute gnomedomain;
-attribute gnome_home_type;
-attribute gkeyringd_domain;
-
-type gconf_etc_t;
-files_config_file(gconf_etc_t)
-
-type data_home_t, gnome_home_type;
-userdom_user_home_content(data_home_t)
-
-type config_home_t, gnome_home_type;
-userdom_user_home_content(config_home_t)
-
-type cache_home_t, gnome_home_type;
-userdom_user_home_content(cache_home_t)
-
-type gstreamer_home_t, gnome_home_type;
-userdom_user_home_content(gstreamer_home_t)
-
-type icc_data_home_t, gnome_home_type;
-userdom_user_home_content(icc_data_home_t)
-
-type gconf_home_t, gnome_home_type;
-typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
-typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
-typealias gconf_home_t alias unconfined_gconf_home_t;
-userdom_user_home_content(gconf_home_t)
-
-type gconf_tmp_t;
-typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
-typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
-typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
-files_tmp_file(gconf_tmp_t)
-ubac_constrained(gconf_tmp_t)
-
-type gconfd_t, gnomedomain;
-type gconfd_exec_t;
-typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
-typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
-application_domain(gconfd_t, gconfd_exec_t)
-ubac_constrained(gconfd_t)
-
-type gnome_home_t, gnome_home_type;
-typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
-typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
-typealias gnome_home_t alias unconfined_gnome_home_t;
-userdom_user_home_content(gnome_home_t)
-
-# type KDE /usr/share/config files
-type config_usr_t;
-files_type(config_usr_t)
-
-type gkeyringd_exec_t;
-corecmd_executable_file(gkeyringd_exec_t)
-
-type gkeyringd_gnome_home_t;
-userdom_user_home_content(gkeyringd_gnome_home_t)
-
-type gkeyringd_tmp_t;
-userdom_user_tmp_content(gkeyringd_tmp_t)
-
-type gconfdefaultsm_t;
-type gconfdefaultsm_exec_t;
-dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
-
-type gnomesystemmm_t;
-type gnomesystemmm_exec_t;
-dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
-
-##############################
-#
-# Local Policy
-#
-
-allow gconfd_t self:process getsched;
-allow gconfd_t self:fifo_file rw_fifo_file_perms;
-
-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
-
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
-
-dev_read_urand(gconfd_t)
-
-files_read_etc_files(gconfd_t)
-
-miscfiles_read_localization(gconfd_t)
-
-logging_send_syslog_msg(gconfd_t)
-
-userdom_manage_user_tmp_sockets(gconfd_t)
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
-
-optional_policy(`
-       nscd_dontaudit_search_pid(gconfd_t)
-')
-
-optional_policy(`
-       xserver_use_xdm_fds(gconfd_t)
-       xserver_rw_xdm_pipes(gconfd_t)
-')
-
-#######################################
-#
-# gconf-defaults-mechanisms local policy
-#
-
-allow gconfdefaultsm_t self:capability { dac_override sys_nice };
-allow gconfdefaultsm_t self:process getsched;
-allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
-
-corecmd_search_bin(gconfdefaultsm_t)
-
-files_read_etc_files(gconfdefaultsm_t)
-files_read_usr_files(gconfdefaultsm_t)
-
-miscfiles_read_localization(gconfdefaultsm_t)
-
-gnome_manage_gconf_home_files(gconfdefaultsm_t)
-gnome_manage_gconf_config(gconfdefaultsm_t)
-
-userdom_read_all_users_state(gconfdefaultsm_t)
-userdom_search_user_home_dirs(gconfdefaultsm_t)
-
-userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
-
-optional_policy(`
-       consolekit_dbus_chat(gconfdefaultsm_t)
-')
-
-optional_policy(`
-       nscd_dontaudit_search_pid(gconfdefaultsm_t)
-')
-
-optional_policy(`
-       policykit_domtrans_auth(gconfdefaultsm_t)
-       policykit_dbus_chat(gconfdefaultsm_t)
-       policykit_read_lib(gconfdefaultsm_t)
-       policykit_read_reload(gconfdefaultsm_t)
-')
-
-userdom_home_manager(gconfdefaultsm_t)
-
-#######################################
-#
-# gnome-system-monitor-mechanisms local policy
-#
-
-allow gnomesystemmm_t self:capability sys_nice;
-allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
-
-kernel_read_system_state(gnomesystemmm_t)
-
-corecmd_search_bin(gnomesystemmm_t)
-
-domain_kill_all_domains(gnomesystemmm_t)
-domain_search_all_domains_state(gnomesystemmm_t)
-domain_setpriority_all_domains(gnomesystemmm_t)
-domain_signal_all_domains(gnomesystemmm_t)
-domain_sigstop_all_domains(gnomesystemmm_t)
-
-files_read_etc_files(gnomesystemmm_t)
-files_read_usr_files(gnomesystemmm_t)
-
-fs_getattr_xattr_fs(gnomesystemmm_t)
-
-miscfiles_read_localization(gnomesystemmm_t)
-
-userdom_read_all_users_state(gnomesystemmm_t)
-userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
-
-optional_policy(`
-       consolekit_dbus_chat(gnomesystemmm_t)
-')
-
-optional_policy(`
-       nscd_dontaudit_search_pid(gnomesystemmm_t)
-')
-
-optional_policy(`
-       policykit_dbus_chat(gnomesystemmm_t)
-       policykit_domtrans_auth(gnomesystemmm_t)
-       policykit_read_lib(gnomesystemmm_t)
-       policykit_read_reload(gnomesystemmm_t)
-')
-
-######################################
-#
-# gnome-keyring-daemon local policy
-#
-
-allow gkeyringd_domain self:capability ipc_lock;
-allow gkeyringd_domain self:process { getcap getsched setcap signal };
-allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
-allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
-
-userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
-
-manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
-manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
-filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
-
-manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
-files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
-
-kernel_read_system_state(gkeyringd_domain)
-kernel_read_crypto_sysctls(gkeyringd_domain)
-
-corecmd_search_bin(gkeyringd_domain)
-
-dev_read_rand(gkeyringd_domain)
-dev_read_urand(gkeyringd_domain)
-dev_read_sysfs(gkeyringd_domain)
-
-files_read_etc_files(gkeyringd_domain)
-files_read_usr_files(gkeyringd_domain)
-# for nscd?
-files_search_pids(gkeyringd_domain)
-
-fs_getattr_xattr_fs(gkeyringd_domain)
-fs_getattr_tmpfs(gkeyringd_domain)
-
-selinux_getattr_fs(gkeyringd_domain)
-
-logging_send_syslog_msg(gkeyringd_domain)
-
-miscfiles_read_localization(gkeyringd_domain)
-
-optional_policy(`
-       xserver_append_xdm_home_files(gkeyringd_domain)
-       xserver_read_xdm_home_files(gkeyringd_domain)
-       xserver_use_xdm_fds(gkeyringd_domain)
-')
-
-optional_policy(`
-       gnome_read_home_config(gkeyringd_domain)
-       gnome_read_generic_cache_files(gkeyringd_domain)
-       gnome_write_generic_cache_files(gkeyringd_domain)
-')
-
-optional_policy(`
-       ssh_read_user_home_files(gkeyringd_domain)
-')
-
-domain_use_interactive_fds(gnomedomain)
-
-userdom_use_inherited_user_terminals(gnomedomain)
-
index 9e7ad4b8f5acbf1911af2a0543b5234eb2dd31d8..ba69f86a1b66c907fee75fff70f95dbcc70adad7 100644 (file)
@@ -152,11 +152,6 @@ mta_write_config(gpg_t)
 
 userdom_home_manager(gpg_t)
 
-optional_policy(`
-       gnome_read_config(gpg_t)
-       gnome_stream_connect_gkeyringd(gpg_t)
-')
-
 optional_policy(`
        mta_read_spool(gpg_t)
 ')
@@ -346,21 +341,11 @@ userdom_use_user_terminals(gpg_pinentry_t)
 
 userdom_home_reader(gpg_pinentry_t)
 
-optional_policy(`
-       gnome_read_home_config(gpg_pinentry_t)
-')
-
 optional_policy(`
        dbus_session_bus_client(gpg_pinentry_t)
        dbus_system_bus_client(gpg_pinentry_t)
 ')
 
-optional_policy(`
-       gnome_write_generic_cache_files(gpg_pinentry_t)
-       gnome_read_generic_cache_files(gpg_pinentry_t)
-       gnome_read_gconf_home_files(gpg_pinentry_t)
-')
-
 optional_policy(`
        pulseaudio_exec(gpg_pinentry_t)
        pulseaudio_rw_home_files(gpg_pinentry_t)
index 320963bee4840efcf268a9f5e32b2e8ab3e9b8c0..64bd5daf4281f2d6b6b13dcb53aa02acbde43591 100644 (file)
@@ -237,10 +237,6 @@ optional_policy(`
        alsa_read_rw_config(mplayer_t)
 ')
 
-optional_policy(`
-       gnome_setattr_config_dirs(mplayer_t)
-')
-
 optional_policy(`
        pulseaudio_exec(mplayer_t)
        pulseaudio_stream_connect(mplayer_t)
index 48673c7971ac49337a66a01730624b8a03615c34..ba094177c78a627e3fc61db7ff5afc6eddfa09b8 100644 (file)
@@ -150,11 +150,6 @@ optional_policy(`
        ')
 ')
 
-optional_policy(`
-       gnome_read_gkeyringd_state(pulseaudio_t)
-       gnome_signull_gkeyringd(pulseaudio_t)
-')
-
 optional_policy(`
        rtkit_scheduled(pulseaudio_t)
 ')
index f5cb481aea4f0573a2636417891b8a34eecc5496..a3df5fe1cf76efbf25b638afe6ec154fffda914f 100644 (file)
@@ -286,10 +286,6 @@ optional_policy(`
        devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
 ')
 
-optional_policy(`
-       gnome_read_gconf_config(sandbox_x_domain)
-')
-
 optional_policy(`
        nscd_dontaudit_search_pid(sandbox_x_domain)
 ')
index 8ce8577185ed65c9d32f5f5b7454cb8c896949ec..bd4bf16f67047875bc16259fdf3a649f514be4ba 100644 (file)
@@ -66,10 +66,6 @@ userdom_use_user_ptys(consolehelper_domain)
 userdom_use_user_ttys(consolehelper_domain)
 userdom_read_user_home_content_files(consolehelper_domain)
 
-optional_policy(`
-       gnome_read_gconf_home_files(consolehelper_domain)
-')
-
 optional_policy(`
        xserver_read_home_fonts(consolehelper_domain)
        xserver_stream_connect(consolehelper_domain)
index 7441b55882df5ab90910eef22e026311db4030ee..1c718356980259b87a5c2a5be507d29681471ebd 100644 (file)
@@ -230,7 +230,6 @@ ifdef(`distro_gentoo',`
 /usr/lib/tumbler-[^/]*/tumblerd        --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server           --      gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vte/gnome-pty-helper  --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/yaboot/addnote                --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/bin(/.*)?       --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/sbin(/.*)?      --      gen_context(system_u:object_r:bin_t,s0)
index facd6a8f5c9cadd052c58085dbadf6719e266d48..8308597cf00f3715a990871d22b9a273410b8112 100644 (file)
@@ -226,10 +226,6 @@ optional_policy(`
        bootloader_filetrans_config(unconfined_domain_type)
 ')
 
-optional_policy(`
-       gnome_filetrans_admin_home_content(unconfined_domain_type)
-')
-
 optional_policy(`
        devicekit_filetrans_named_content(unconfined_domain_type)
 ')
index 88525351c4a663de2f7e5662bda19611da15221b..7183acd9358af9ec21c765d2be6340cab380404e 100644 (file)
@@ -313,10 +313,6 @@ optional_policy(`
        apache_filetrans_home_content(kernel_t)
 ')
 
-optional_policy(`
-       gnome_filetrans_home_content(kernel_t)
-')
-
 optional_policy(`
        kerberos_filetrans_home_content(kernel_t)
 ')
index 24a9df64e8a44c6127c83aa1ea96df3d3dfae583..9e0b520aad769d2ba548af119fd74f939f362e64 100644 (file)
@@ -82,10 +82,6 @@ optional_policy(`
        colord_dbus_chat(staff_t)
 ')
 
-optional_policy(`
-       gnome_role(staff_r, staff_t)
-')
-
 optional_policy(`
        irc_role(staff_r, staff_t)
 ')
index d6b4ce700cd5060f832b155e4db0658a82a21c00..a06ae86527079b7369435e283295cb80ad9f015b 100644 (file)
@@ -498,11 +498,6 @@ ifndef(`distro_redhat',`
                dbus_role_template(sysadm, sysadm_r, sysadm_t)
        ')
 
-       optional_policy(`
-               gnome_role(sysadm_r, sysadm_t)
-               gnome_filetrans_admin_home_content(sysadm_t)
-       ')
-
        optional_policy(`
                gpg_role(sysadm_r, sysadm_t)
        ')
index edb36f1da8a2d783d0d179c87deda189d9167b93..9b1ee919eb36164e172a93d6963e6a877504b0fa 100644 (file)
@@ -219,11 +219,6 @@ optional_policy(`
                fprintd_dbus_chat(unconfined_t)
        ')
 
-       optional_policy(`
-               gnome_dbus_chat_gconfdefault(unconfined_t)
-               gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
-       ')
-
        optional_policy(`
                ipsec_mgmt_dbus_chat(unconfined_t)
        ')
index 15ab923f5a39e1bb5a4c6bb87e23ebf2a2516aac..93574cc102fa7c9dd1f032b4717519d9d1717214 100644 (file)
@@ -38,10 +38,6 @@ optional_policy(`
        colord_dbus_chat(user_t)
 ')
 
-optional_policy(`
-       gnome_role(user_r, user_t)
-')
-
 optional_policy(`
        irc_role(user_r, user_t)
 ')
index 6185b837d791ab7064f905645aac002a525c2782..014350ed06d09c6c362086c4a49ff4c50cbfeb59 100644 (file)
@@ -99,10 +99,6 @@ optional_policy(`
        apache_role(xguest_r, xguest_t)
 ')
 
-optional_policy(`
-       gnome_role(xguest_r, xguest_t)
-')
-
 optional_policy(`
        pcscd_read_pub_files(xguest_t)
        pcscd_stream_connect(xguest_t)
index 1328a63c6368f79de1482aedccbd315f525fc5e4..20349ec87ce32ce4be98ca6f08b8fc324832cd50 100644 (file)
@@ -206,10 +206,6 @@ optional_policy(`
        dnsmasq_systemctl(cobblerd_t)
 ')
 
-optional_policy(`
-       gnome_dontaudit_search_config(cobblerd_t)
-')
-
 optional_policy(`
        puppet_domtrans_puppetca(cobblerd_t)
 ')
index be3683b9849f86650953e35fadb168627d685e6c..1a9f22724c7ffb3196f42579472c58da0278b4e5 100644 (file)
@@ -112,12 +112,6 @@ optional_policy(`
        cups_dbus_chat(colord_t)
 ')
 
-optional_policy(`
-       gnome_read_home_icc_data_content(colord_t)
-       # Fixes lots of breakage in F16 on upgrade
-       gnome_read_generic_data_home_files(colord_t)
-')
-
 optional_policy(`
        policykit_dbus_chat(colord_t)
        policykit_domtrans_auth(colord_t)
index 3bc4cfd4e0147db708f1840efe389c01e2c82628..71463e330ead9b98b854cb99c4ab18a25065dfaa 100644 (file)
@@ -470,10 +470,6 @@ optional_policy(`
        ')
 ')
 
-optional_policy(`
-       gnome_dontaudit_search_config(cupsd_config_t)
-')
-
 optional_policy(`
        hal_domtrans(cupsd_config_t)
        hal_read_tmp_files(cupsd_config_t)
@@ -627,10 +623,6 @@ optional_policy(`
 
 userdom_home_manager(cups_pdf_t)
 
-optional_policy(`
-       gnome_read_config(cups_pdf_t)
-')
-
 ########################################
 #
 # HPLIP local policy
index c9396dbfd3e94d93d9e5364d0ac19774a6dfde79..125e2ee5df7a89ac14e708b4feea335f57c2fac4 100644 (file)
@@ -149,11 +149,6 @@ optional_policy(`
        bind_domtrans(system_dbusd_t)
 ')
 
-optional_policy(`
-       gnome_exec_gconf(system_dbusd_t)
-       gnome_read_inherited_home_icc_data_files(system_dbusd_t)
-')
-
 optional_policy(`
        cpufreqselector_dbus_chat(system_dbusd_t)
 ')
@@ -303,10 +298,6 @@ userdom_manage_user_home_content_dirs(session_bus_type)
 userdom_manage_user_home_content_files(session_bus_type)
 userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
 
-optional_policy(`
-       gnome_read_gconf_home_files(session_bus_type)
-')
-
 optional_policy(`
        hal_dbus_chat(session_bus_type)
 ')
index b10da2c08941dca01909cb3ea5c619c5a0cf7564..49a6ea0f3db52d642e6ceb7f7bbc1c0cb9abb4ed 100644 (file)
@@ -75,7 +75,3 @@ sysnet_etc_filetrans_config(denyhosts_t)
 optional_policy(`
        cron_system_entry(denyhosts_t, denyhosts_exec_t)
 ')
-
-optional_policy(`
-       gnome_dontaudit_search_config(denyhosts_t)
-')
index f277ea622a907cf3910a73561787185dc21bbec1..af8253947c820e85abecd99806c780693925c33e 100644 (file)
@@ -305,10 +305,6 @@ optional_policy(`
        fstools_domtrans(devicekit_power_t)
 ')
 
-optional_policy(`
-       gnome_manage_home_config(devicekit_power_t)
-')
-
 optional_policy(`
        hal_domtrans_mac(devicekit_power_t)
        hal_manage_pid_dirs(devicekit_power_t)
index 47969fef4361c749b88c1174082ae2c1233e3a48..a0d949d9e946811b8c787533f41b4a5e524d218e 100644 (file)
@@ -169,10 +169,6 @@ optional_policy(`
        kerberos_keytab_template(dovecot, dovecot_t)
 ')
 
-optional_policy(`
-       gnome_manage_data(dovecot_t)
-')
-
 optional_policy(`
        postfix_manage_private_sockets(dovecot_t)
        postfix_search_spool(dovecot_t)
@@ -334,10 +330,6 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file
 
 userdom_home_manager(dovecot_deliver_t)
 
-optional_policy(`
-       gnome_manage_data(dovecot_deliver_t)
-')
-
 optional_policy(`
        mta_manage_spool(dovecot_deliver_t)
        mta_read_queue(dovecot_deliver_t)
index c7a0911bec6a867da98b0e8c72498fe83bc374a8..a9c294caa31ce16c085f5d33940322ee9589e0ac 100644 (file)
@@ -109,10 +109,6 @@ optional_policy(`
        ftp_read_log(fail2ban_t)
 ')
 
-optional_policy(`
-       gnome_dontaudit_search_config(fail2ban_t)
-')
-
 optional_policy(`
        iptables_domtrans(fail2ban_t)
 ')
index bd85b8f8829ae64ad5ed46c2f9a6e671b26f86ae..4eba8b761e95f9e519d6ae3f7f0e744fc8f46058 100644 (file)
@@ -280,10 +280,6 @@ optional_policy(`
        dmidecode_domtrans(hald_t)
 ')
 
-optional_policy(`
-       gnome_read_config(hald_t)
-')
-
 optional_policy(`
        gpm_dontaudit_getattr_gpmctl(hald_t)
 ')
index 0c0925ecd02a7dec06fdbaa8366a50ee097696e6..05fb8a2b2cb54fa4e532bb08720fe55f2c2ae884 100644 (file)
@@ -93,10 +93,6 @@ optional_policy(`
        courier_read_spool(mailman_mail_t)
 ')
 
-optional_policy(`
-       gnome_dontaudit_search_config(mailman_mail_t)
-')
-
 optional_policy(`
        cron_read_pipes(mailman_mail_t)
 ')
index be38b9dd84bb120e5a2d4e055d156cc5d9375ade..f19f6d2fd7aadab7810c0944c5cd70ca7517cff4 100644 (file)
@@ -246,10 +246,6 @@ optional_policy(`
        howl_signal(NetworkManager_t)
 ')
 
-optional_policy(`
-       gnome_dontaudit_search_config(NetworkManager_t)
-')
-
 optional_policy(`
        ipsec_domtrans_mgmt(NetworkManager_t)
        ipsec_kill_mgmt(NetworkManager_t)
index 1c69a1a98dbe162c8b85555e4e862349d4d899c6..66d047c9c3f3d0c53d27412f3ac4ca15cf677831 100644 (file)
@@ -122,10 +122,6 @@ optional_policy(`
        apache_exec(piranha_web_t)
 ')
 
-optional_policy(`
-       gnome_dontaudit_search_config(piranha_web_t)
-')
-
 optional_policy(`
        sasl_connect(piranha_web_t)
 ')
index c2771dd9e725026fa3c3a782fc719c6005803e0a..ce30ca50d61877a6e466627bf2fa970b81b32b2d 100644 (file)
@@ -118,10 +118,6 @@ optional_policy(`
        consolekit_read_pid_files(policykit_t)
 ')
 
-optional_policy(`
-       gnome_read_config(policykit_t)
-')
-
 ########################################
 #
 # polkit_auth local policy
index 999b986385fd5a0c65226c04b5abbfacbf7854bd..4c188f9990259e4a98ae3eacc13023a55dd80716 100644 (file)
@@ -117,10 +117,6 @@ optional_policy(`
        clamav_search_lib(procmail_t)
 ')
 
-optional_policy(`
-       gnome_manage_data(procmail_t)
-')
-
 optional_policy(`
        munin_dontaudit_search_lib(procmail_t)
 ')
index a181f019e3cbe720193b43413a6422ddc13be0d6..53e4a57fb288261306fa1e362df1c784ce27fdef 100644 (file)
@@ -190,10 +190,6 @@ miscfiles_read_localization(setroubleshoot_fixit_t)
 userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
 userdom_signull_unpriv_users(setroubleshoot_fixit_t)
 
-optional_policy(`
-       gnome_dontaudit_search_config(setroubleshoot_fixit_t)
-')
-
 optional_policy(`
        rpm_signull(setroubleshoot_fixit_t)
        rpm_read_db(setroubleshoot_fixit_t)
index aadaa2cb0b2f164ef873a1f80fae6aed00dfe53c..d3b746c916248a072ca4158578a47583d85e8b52 100644 (file)
@@ -212,10 +212,6 @@ tunable_policy(`user_tcp_server',`
        corenet_tcp_bind_generic_node(ssh_t)
 ')
 
-optional_policy(`
-       gnome_stream_connect_all_gkeyringd(ssh_t)
-')
-
 optional_policy(`
        xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
        xserver_domtrans_xauth(ssh_t)
index 1aebd234586693c613749c95e0121a338ea7af3d..bbb59f2a405902f24491b010ae5021de0766ca9a 100644 (file)
@@ -59,10 +59,6 @@ optional_policy(`
        fstools_domtrans(tuned_t)
 ')
 
-optional_policy(`
-       gnome_dontaudit_search_config(tuned_t)
-')
-
 # to allow network interface tuning
 optional_policy(`
        sysnet_domtrans_ifconfig(tuned_t)
index 351ed06236e6a83c0a960c43c1f96fbbae7b3990..b35ff341ba30b9139dbf4c778605825156ab9b6e 100644 (file)
@@ -132,10 +132,6 @@ interface(`xserver_restricted_role',`
        tunable_policy(`user_direct_dri',`
                dev_rw_dri($2)
        ')
-
-       optional_policy(`
-               gnome_read_gconf_config($2)
-       ')
 ')
 
 ########################################
index 2bf72ddec9d4e3d88a21f3eac5080c7c66c0c562..3f981bbb92900a9a451ae5e53ba5b68bd36f268b 100644 (file)
@@ -765,17 +765,6 @@ optional_policy(`
        gpm_setattr_gpmctl(xdm_t)
 ')
 
-optional_policy(`
-       gnome_exec_keyringd(xdm_t)
-       gnome_manage_config(xdm_t)
-       gnome_manage_gconf_home_files(xdm_t)
-       gnome_filetrans_home_content(xdm_t)
-       gnome_read_config(xdm_t)
-       gnome_read_usr_config(xdm_t)
-       gnome_read_gconf_config(xdm_t)
-       gnome_transition_gkeyringd(xdm_t)
-')
-
 optional_policy(`
        hostname_exec(xdm_t)
 ')
index 8146289dc501b673e86d286b94baed4dc89b8438..c9a13efba06297c43cbce454cbd19b0331fae050 100644 (file)
@@ -780,10 +780,6 @@ ifdef(`distro_redhat',`
                dirsrv_manage_var_run(initrc_t)
        ')
 
-       optional_policy(`
-               gnome_manage_gconf_config(initrc_t)
-       ')
-
        optional_policy(`
                ldap_read_db_files(initrc_t)
        ')
index eae94270cf5ebc87ca901fc88b3f609b856afc69..48c21c3aac7999489f315d3300ca9307ad500dce 100644 (file)
@@ -141,10 +141,6 @@ optional_policy(`
        apt_use_ptys(ldconfig_t)
 ')
 
-optional_policy(`
-       gnome_append_generic_cache_files(ldconfig_t)
-')
-
 optional_policy(`
        puppet_rw_tmp(ldconfig_t)
 ')
index 0d3e625da6812331262a6863ac4a938daa3baeae..7b95654fb4b2f365a84063a85b550d615272c5a2 100644 (file)
@@ -4,7 +4,6 @@
 /bin/systemd-tmpfiles                          --              gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 
 /usr/bin/systemctl                             --      gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
-/usr/bin/systemd-gnome-ask-password-agent      --              gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 /usr/bin/systemd-notify                                --              gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 /usr/bin/systemd-tmpfiles                      --              gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 /usr/bin/systemd-tty-ask-password-agent                --              gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
index 9e0812572e7a94fec67f3eedba4b72f3ecd46bb9..67355e82648f0c7725bbde1b7728e6525c922647 100644 (file)
@@ -129,12 +129,6 @@ optional_policy(`
        cron_read_state_crond(systemd_logind_t)
 ')
 
-optional_policy(`
-       # we label /run/user/$USER/dconf as config_home_t
-       gnome_manage_home_config_dirs(systemd_logind_t)
-       gnome_manage_home_config(systemd_logind_t)
-')
-
 optional_policy(`
        # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
        xserver_search_xdm_tmp_dirs(systemd_logind_t)
@@ -281,13 +275,6 @@ optional_policy(`
     auth_rw_login_records(systemd_tmpfiles_t)
 ')
 
-optional_policy(`
-       # we have /run/user/$USER/dconf 
-       gnome_delete_home_config(systemd_tmpfiles_t)
-       gnome_delete_home_config_dirs(systemd_tmpfiles_t)
-       gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
-')
-
 optional_policy(`
        rpm_read_db(systemd_tmpfiles_t)
        rpm_delete_db(systemd_tmpfiles_t)
index 6a93c644be3ff2e394a5d0784a0ea2c5b1901834..8654d1ef808f7f9b88f0ba746d43dcf4f532abcb 100644 (file)
@@ -262,10 +262,6 @@ optional_policy(`
        devicekit_domtrans_disk(udev_t)
 ')
 
-optional_policy(`
-       gnome_read_home_config(udev_t)
-')
-
 optional_policy(`
        gpsd_domtrans(udev_t)
 ')
index 1523a5111a56e054b624add073359c9ba9aa7217..0e662c89a2a29650d9bc132684972427dc15a1f5 100644 (file)
@@ -719,10 +719,6 @@ template(`userdom_common_user_template',`
                        devicekit_dbus_chat_disk($1_usertype)
                ')
 
-               optional_policy(`
-                       gnome_dbus_chat_gconfdefault($1_usertype)
-               ')
-
                optional_policy(`
                        hal_dbus_chat($1_usertype)
                ')
@@ -1084,13 +1080,6 @@ template(`userdom_restricted_xwindows_user_template',`
                alsa_read_rw_config($1_usertype)
        ')
 
-        # cjp: needed by KDE apps
-        # bug: #682499
-        optional_policy(`
-               gnome_read_usr_config($1_usertype)
-               gnome_role_gkeyringd($1, $1_r, $1_usertype)
-       ')
-
        optional_policy(`
                dbus_role_template($1, $1_r, $1_usertype)
                dbus_system_bus_client($1_usertype)
@@ -5067,11 +5056,6 @@ interface(`userdom_filetrans_home_content',`
        userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
        userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
        userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
-       gnome_config_filetrans($1, home_cert_t, dir, "certificates")
-
-       #optional_policy(`
-       #       gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
-       #')
 ')
 
 ########################################
index 63f769a5e8c019817dec03115e9f7ba20a3040f3..34536f313eb8a6fcbbeea7c7da945a954cf46cc4 100644 (file)
@@ -160,10 +160,6 @@ optional_policy(`
        alsa_relabel_home_files(unpriv_userdomain)
 ')
 
-optional_policy(`
-       gnome_filetrans_home_content(userdomain)
-')
-
 optional_policy(`
        ssh_filetrans_home_content(userdomain)
 ')