2011-09-04 12:12:23

by sven.vermeulen

Subject: [refpolicy] [PATCH/RFC 0/4] Introduce XDG type definitions

This patchset introduces a new module called "xdg".

The purpose of this module is to support the XDG locations as mentioned in
the XDG Base Directory Specification [1] by introducing three types
(xdg_data_home_t, xdg_config_home_t and xdg_cache_home_t) with the related
interfaces for dealing with those types.

Within the patch, there are also a few users identified. Most of the "real"
users will come with a more thorough "let me run all applications that have
access to the user home files" investigation, because the XDG locations were
previously just user_home_t types.

However, before doing that investigation, I'm first presenting the module
and its interfaces for feedback gathering.

[1] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

Wkr,
Sven Vermeulen


2011-09-04 12:13:03

by sven.vermeulen

Subject: [refpolicy] [PATCH/RFC 1/4] Introduce xdg types

The XDG Base Directory specification is an open specification for
dealing with user data in a desktop environment. It is published on
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
and in use by many applications.

In this patch, we introduce the xdg-specific types and give the standard
interfaces for dealing with these types.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/xdg.fc | 3 +
policy/modules/system/xdg.if | 172 ++++++++++++++++++++++++++++++++++++++++++
policy/modules/system/xdg.te | 15 ++++
3 files changed, 190 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/system/xdg.fc
create mode 100644 policy/modules/system/xdg.if
create mode 100644 policy/modules/system/xdg.te

diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
new file mode 100644
index 0000000..44dc42e
--- /dev/null
+++ b/policy/modules/system/xdg.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
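Review bot: these three entries label only the specification's default paths, so a user who relocates a directory through the XDG_DATA_HOME, XDG_CONFIG_HOME or XDG_CACHE_HOME variables the specification defines ends up with that content still labelled user_home_t; the commit message should state that only the default locations are covered and that the interfaces in this patch therefore do not help for relocated directories.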
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
new file mode 100644
index 0000000..f844f10
--- /dev/null
+++ b/policy/modules/system/xdg.if
@@ -0,0 +1,172 @@
+## <summary>Policy for xdg desktop standard</summary>
+
+#######################################
+## <summary>
+## Allow the userdomain full administrative rights on the xdg_* locations
+## </summary>
+## <param name="userdomain">
+## <summary>
+## The user domain
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`xdg_admin',`
+ gen_require(`
+ type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
+ ')
+
+ # full control over the xdg_* directories
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ type user_home_dir_t;
+ ')
+
+ list_dirs_pattern($1, user_home_dir_t, xdg_cache_home_t)
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ type user_home_dir_t;
+ ')
+
+ list_dirs_pattern($1, user_home_dir_t, xdg_config_home_t)
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ type user_home_dir_t;
+ type user_home_t;
+ ')
+
+ search_dirs_pattern($1, user_home_dir_t, user_home_t)
+ list_dirs_pattern($1, user_home_t, xdg_data_home_t)
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
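Review bot: the read and manage interfaces differ in how a caller reaches the directory: xdg_read_cache_home and xdg_read_config_home grant search on user_home_dir_t through list_dirs_pattern(), while xdg_manage_cache_home, xdg_manage_config_home and xdg_manage_data_home grant only the manage_files/manage_dirs patterns on the xdg type, so a domain holding a manage interface but no other home-directory access cannot traverse to the directory it may manage. Either add the same search to the manage interfaces or document that callers must hold it. The three read interfaces also lack read_lnk_files_pattern() next to read_files_pattern(), although entries under these dotfile directories are commonly symlinks. Minor: the file ends with an empty `+` line.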
diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te
new file mode 100644
index 0000000..3b9b0d9
--- /dev/null
+++ b/policy/modules/system/xdg.te
@@ -0,0 +1,15 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+type xdg_data_home_t;
+userdom_user_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+userdom_user_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+userdom_user_home_content(xdg_cache_home_t)
+
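Review bot: the commit message should say how these types relate to the existing user home content interfaces, since userdom_user_home_content() declares them as user home content but the cover letter says the locations were plain user_home_t until now; that relationship decides whether a caller such as the dbus template in 3/4 can drop userdom_read_user_home_content_files once it holds xdg_read_data_home, which is the privilege reduction the split is meant to deliver. Minor: drop the trailing empty `+` line at the end of the file.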
--
1.7.3.4

2011-09-04 12:13:41

by sven.vermeulen

Subject: [refpolicy] [PATCH/RFC 2/4] Allow users to manage their xdg_* locations

The xdg locations as defined under the xdg module are all within a
user's HOMEDIR.

We allow the user to administer his xdg_* files.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/userdomain.if | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c6d3cc8..c4afffe 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -243,6 +243,9 @@ interface(`userdom_manage_home_role',`
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)

+ # manage user xdg locations
+ xdg_admin($2)
+
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
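Review bot: xdg_admin($2) is called unconditionally inside userdom_manage_home_role, which makes the userdomain module depend on xdg while xdg.te in 1/4 already depends on userdomain through userdom_user_home_content(); either wrap the call in an optional_policy block or keep the three types inside userdomain, and note the chosen direction in the commit message.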

--
1.7.3.4

2011-09-04 12:14:07

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/4] Allow the dbusd_t domains to read xdg data

The dbus domains currently hold userdom_read_user_home_content_files,
partially due to it requiring the xdg data (xdg_data_home_t).

Granting xdg_read_data_home to the dbus domain keeps this. From a first
look at it, other xdg locations are not needed by dbus.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/dbus.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 1a1becd..948aa56 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -151,6 +151,8 @@ template(`dbus_role_template',`

userdom_read_user_home_content_files($1_dbusd_t)

+ xdg_read_data_home($1_dbusd_t)
+
ifdef(`hide_broken_symptoms', `
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
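Review bot: the new xdg_read_data_home($1_dbusd_t) sits directly below the retained userdom_read_user_home_content_files($1_dbusd_t), so after this patch the domain reads both; since the commit message says the broad call was held partly because of the xdg data, state which other home content dbus still needs from it, or whether it is to be removed in a follow-up. The added call should also be inside an optional_policy block, as xdg is a separate module from dbus.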
--
1.7.3.4

2011-09-04 12:14:37

by sven.vermeulen

Subject: [refpolicy] [PATCH/RFC 4/4] Allow mozilla to read xdg data

Mozilla (firefox) reads in xdg data, for instance for the MIME handling
(associating MIME types with applications) as mentioned in
~/.local/share/applications

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/mozilla.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 1039ff2..5083594 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -167,6 +167,8 @@ sysnet_dns_name_resolve(mozilla_t)

userdom_use_user_ptys(mozilla_t)

+xdg_read_data_home(mozilla_t)
+
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
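Review bot: xdg_read_data_home as written in 1/4 also grants search on every user_home_t directory (search_dirs_pattern($1, user_home_dir_t, user_home_t)) in order to reach ~/.local, so this call gives mozilla_t more than reading ~/.local/share/applications; if that is acceptable, say so in the commit message, otherwise the ~/.local labelling in 1/4 is the place to fix it. The call also belongs in an optional_policy block since xdg is a separate module.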
--
1.7.3.4

2011-09-14 12:24:19

by cpebenito

Subject: [refpolicy] [PATCH/RFC 1/4] Introduce xdg types

On 09/04/11 08:13, Sven Vermeulen wrote:
> The XDG Base Directory specification is an open specification for
> dealing with user data in a desktop environment. It is published on
> http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
> and in use by many applications.
>
> In this patch, we introduce the xdg-specific types and give the standard
> interfaces for dealing with these types.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/xdg.fc | 3 +
> policy/modules/system/xdg.if | 172 ++++++++++++++++++++++++++++++++++++++++++
> policy/modules/system/xdg.te | 15 ++++
> 3 files changed, 190 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/system/xdg.fc
> create mode 100644 policy/modules/system/xdg.if
> create mode 100644 policy/modules/system/xdg.te
>
> diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
> new file mode 100644
> index 0000000..44dc42e
> --- /dev/null
> +++ b/policy/modules/system/xdg.fc
> @@ -0,0 +1,3 @@
> +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
> +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
> +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
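Review bot: HOME_DIR/\.local/share(/.*)? labels the share tree but gives HOME_DIR/\.local itself no context, so that directory stays user_home_t; this is why xdg_read_data_home in the same patch needs search_dirs_pattern($1, user_home_dir_t, user_home_t), which is broader than the other two read interfaces. An explicit entry for the ~/.local directory would let xdg_read_data_home use the same list_dirs_pattern() shape as xdg_read_cache_home and xdg_read_config_home.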

This seems to make sense, though I'm not sure it needs to be its own module.

> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> new file mode 100644
> index 0000000..f844f10
> --- /dev/null
> +++ b/policy/modules/system/xdg.if
> @@ -0,0 +1,172 @@
> +## <summary>Policy for xdg desktop standard</summary>
> +
> +#######################################
> +## <summary>
> +## Allow the userdomain full administrative rights on the xdg_* locations
> +## </summary>
> +## <param name="userdomain">
> +## <summary>
> +## The user domain
> +## </summary>
> +## </param>
> +## <rolebase/>
> +#
> +interface(`xdg_admin',`
> + gen_require(`
> + type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
> + ')
> +
> + # full control over the xdg_* directories
> + manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +
> + manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +
> + manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +')
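Review bot: seconding admin_pattern(): each ten-line manage_*/relabel_* block above is the set of patterns admin_pattern() expands to, so the body reduces to admin_pattern($1, xdg_cache_home_t) and the two equivalent calls for xdg_config_home_t and xdg_data_home_t; beyond the line count, that keeps the three blocks from drifting apart when a pattern is later added to only one of them.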

Use admin_pattern()

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com