+++ /dev/null
-
-## <summary>policy for thumb</summary>
-
-
-########################################
-## <summary>
-## Transition to thumb.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`thumb_domtrans',`
- gen_require(`
- type thumb_t, thumb_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, thumb_exec_t, thumb_t)
-')
-
-
-########################################
-## <summary>
-## Execute thumb in the thumb domain, and
-## allow the specified role the thumb domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed the thumb domain.
-## </summary>
-## </param>
-#
-interface(`thumb_run',`
- gen_require(`
- type thumb_t;
- ')
-
- thumb_domtrans($1)
- role $2 types thumb_t;
-
- allow $1 thumb_t:process signal;
-')
-
-########################################
-## <summary>
-## Role access for thumb
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
-## </param>
-#
-interface(`thumb_role',`
- gen_require(`
- type thumb_t;
- class dbus send_msg;
- ')
-
- role $1 types thumb_t;
-
- thumb_domtrans($2)
-
- ps_process_pattern($2, thumb_t)
- allow $2 thumb_t:process signal;
- allow thumb_t $2:unix_stream_socket connectto;
-
- allow $2 thumb_t:dbus send_msg;
- allow thumb_t $2:dbus send_msg;
-')
-
+++ /dev/null
-policy_module(thumb, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type thumb_t;
-type thumb_exec_t;
-application_domain(thumb_t, thumb_exec_t)
-ubac_constrained(thumb_t)
-
-type thumb_tmp_t;
-files_tmp_file(thumb_tmp_t)
-ubac_constrained(thumb_tmp_t)
-
-########################################
-#
-# thumb local policy
-#
-
-allow thumb_t self:process { setsched signal setrlimit };
-
-tunable_policy(`deny_execmem',`',`
- allow thumb_t self:process execmem;
-')
-
-allow thumb_t self:fifo_file manage_fifo_file_perms;
-allow thumb_t self:unix_stream_socket create_stream_socket_perms;
-allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
-allow thumb_t self:udp_socket create_socket_perms;
-allow thumb_t self:tcp_socket create_socket_perms;
-
-manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
-userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
-
-kernel_read_system_state(thumb_t)
-
-domain_use_interactive_fds(thumb_t)
-
-corecmd_exec_bin(thumb_t)
-
-dev_read_sysfs(thumb_t)
-
-domain_use_interactive_fds(thumb_t)
-
-files_read_etc_files(thumb_t)
-files_read_usr_files(thumb_t)
-
-auth_use_nsswitch(thumb_t)
-
-miscfiles_read_fonts(thumb_t)
-miscfiles_read_localization(thumb_t)
-
-sysnet_read_config(thumb_t)
-
-userdom_read_user_tmp_files(thumb_t)
-userdom_read_user_home_content_files(thumb_t)
-userdom_write_user_tmp_files(thumb_t)
-userdom_read_home_audio_files(thumb_t)
-
-userdom_use_inherited_user_ptys(thumb_t)
-
-xserver_read_xdm_home_files(thumb_t)
-xserver_append_xdm_home_files(thumb_t)
-xserver_dontaudit_read_xdm_pid(thumb_t)
-xserver_stream_connect(thumb_t)
-
-optional_policy(`
- dbus_dontaudit_stream_connect_session_bus(thumb_t)
- dbus_dontaudit_chat_session_bus(thumb_t)
-')
-
-optional_policy(`
- # .config
- gnome_dontaudit_search_config(thumb_t)
- gnome_read_generic_data_home_files(thumb_t)
- gnome_manage_gstreamer_home_files(thumb_t)
-')