This patchset introduces a new module called "xdg".
The purpose of this module is to support the XDG locations as mentioned in
the XDG Base Directory Specification [1] by introducing three types
(xdg_data_home_t, xdg_config_home_t and xdg_cache_home_t) with the related
interfaces for dealing with those types.
I opted to keep this as a separate module, rather than integrate it in an
existing domain, most notably userdomain. The main reason I have is that XDG
is targeting desktops more than servers, whereas userdomain is part of the
base policy and as such available on all (server + desktop). If this is
wrong of me, just tell me which module to use and I'll send an updated
patchset.
[1] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
Wkr,
Sven Vermeulen
The XDG Base Directory specification is an open specification for
dealing with user data in a desktop environment. It is published on
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
and in use by many applications.
In this patch, we introduce the xdg-specific types and give the standard
interfaces for dealing with these types.
I opted for a separate module instead of userdomain since it is
targeting desktop users more than servers.
Signed-off-by: Sven Vermeulen <[email protected]>
---
xdg.fc | 3 +
xdg.if | 143 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
xdg.te | 15 +++++++
3 files changed, 161 insertions(+), 0 deletions(-)
create mode 100644 xdg.fc
create mode 100644 xdg.if
create mode 100644 xdg.te
diff --git a/xdg.fc b/xdg.fc
new file mode 100644
index 0000000..44dc42e
--- /dev/null
+++ b/xdg.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
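Review bot: These three entries only take effect at relabel time, and nothing in xdg.if or xdg.te adds a type transition, so a ~/.cache, ~/.config or ~/.local/share that is created at runtime keeps the type of its parent directory until restorecon is run. Consider adding file transition interfaces for the three types, or document that a relabel is required. The paths are also fixed to the specification defaults; a user who points XDG_CACHE_HOME, XDG_CONFIG_HOME or XDG_DATA_HOME elsewhere gets no labelling, which deserves a comment at the top of xdg.fc.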
diff --git a/xdg.if b/xdg.if
new file mode 100644
index 0000000..23930df
--- /dev/null
+++ b/xdg.if
@@ -0,0 +1,143 @@
+## <summary>Policy for xdg desktop standard</summary>
+
+#######################################
+## <summary>
+## Allow the userdomain full administrative rights on the xdg_* locations
+## </summary>
+## <param name="userdomain">
+## <summary>
+## The user domain
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`xdg_admin',`
+ gen_require(`
+ type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
+ ')
+
+ # full control over the xdg_* directories
+ admin_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ admin_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ admin_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ type user_home_dir_t;
+ ')
+
+ list_dirs_pattern($1, user_home_dir_t, xdg_cache_home_t)
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ type user_home_dir_t;
+ ')
+
+ list_dirs_pattern($1, user_home_dir_t, xdg_config_home_t)
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ type user_home_dir_t;
+ type user_home_t;
+ ')
+
+ search_dirs_pattern($1, user_home_dir_t, user_home_t)
+ list_dirs_pattern($1, user_home_t, xdg_data_home_t)
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
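Review bot: The three xdg_manage_*_home interfaces grant no traversal of the home directory, while the matching xdg_read_*_home interfaces do (list_dirs_pattern($1, user_home_dir_t, ...), plus the extra search through user_home_t in xdg_read_data_home), so a caller holding only xdg_manage_data_home cannot reach ~/.local/share unless it gets that access elsewhere. Either give the manage interfaces the same search rules or drop them from the read interfaces and document that the caller must already be able to search the home directory. Pulling user_home_dir_t and user_home_t in through gen_require also ties this module to userdomain's type names; calling userdom_search_user_home_dirs($1) would avoid that. The read and manage interfaces cover only the dir and file classes, so if symlinks are expected under these trees a read_lnk_files_pattern line is needed as well.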
diff --git a/xdg.te b/xdg.te
new file mode 100644
index 0000000..3b9b0d9
--- /dev/null
+++ b/xdg.te
@@ -0,0 +1,15 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+type xdg_data_home_t;
+userdom_user_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+userdom_user_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+userdom_user_home_content(xdg_cache_home_t)
+
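Review bot: The declarations carry no comment saying which location each type labels; that mapping exists only in xdg.fc. A one-line comment per type (for example that xdg_data_home_t is for ~/.local/share) would make xdg.te readable on its own, and a blank line between the "# Declarations" banner and the first type statement would match the spacing used between the declarations themselves.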
--
1.7.3.4
The dbus domains currently hold userdom_read_user_home_content_files,
partially due to it requiring the xdg data (xdg_data_home_t).
Granting xdg_read_data_home to the dbus domain keeps this. From first looks
of it, other xdg locations are not needed by dbus.
Signed-off-by: Sven Vermeulen <[email protected]>
---
dbus.if | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/dbus.if b/dbus.if
index 1a1becd..f963ea8 100644
--- a/dbus.if
+++ b/dbus.if
@@ -160,6 +160,10 @@ template(`dbus_role_template',`
')
optional_policy(`
+ xdg_read_data_home($1_dbus_t)
+ ')
+
+ optional_policy(`
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
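Review bot: The added call passes $1_dbus_t, while the neighbouring calls in the same template use $1_dbusd_t (xserver_use_xdm_fds($1_dbusd_t)). If $1_dbus_t is not a type declared by this template, the call will either fail to build or never take effect, so this most likely should read xdg_read_data_home($1_dbusd_t). The commit message also says userdom_read_user_home_content_files is held partly because of the xdg data, but this hunk leaves that broader grant in place; please state whether narrowing it is planned as a follow-up.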
--
1.7.3.4
Mozilla (firefox) reads in xdg data, for instance for the MIME handling
(associating MIME types with applications) as mentioned in
~/.local/share/applications
Signed-off-by: Sven Vermeulen <[email protected]>
---
mozilla.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/mozilla.te b/mozilla.te
index b9ea50f..dc784ef 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -296,6 +296,10 @@ optional_policy(`
thunderbird_domtrans(mozilla_t)
')
+optional_policy(`
+ xdg_read_data_home(mozilla_t)
+')
+
########################################
#
# mozilla_plugin local policy
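Review bot: xdg_read_data_home(mozilla_t) lets the browser read every file labelled xdg_data_home_t, which per xdg.fc in this series is all of ~/.local/share, while the commit message only names ~/.local/share/applications for MIME handling. Add a comment on the block stating why the access is needed, and consider whether a narrower type for the applications directory is worthwhile given that mozilla_t processes untrusted content.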
--
1.7.3.4
The xdg locations as defined under the xdg module are all within a
user's HOMEDIR.
We allow the user to administer his xdg_* files.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/userdomain.if | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c6d3cc8..f7f7d44 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -267,6 +267,10 @@ interface(`userdom_manage_home_role',`
fs_dontaudit_manage_cifs_dirs($2)
fs_dontaudit_manage_cifs_files($2)
')
+
+ optional_policy(`
+ xdg_admin($2)
+ ')
')
#######################################
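Review bot: xdg_admin($2) is applied here to every domain that passes through userdom_manage_home_role, so the interface that xdg.if names and documents as "full administrative rights" (admin_pattern on all three types) becomes the ordinary user grant. If the intent is only that users manage their own XDG content, a manage-style interface covering the three types would say so more clearly and keep the admin name for administrator roles; at minimum, add a comment in this block explaining why admin rather than manage access is given.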
--
1.7.3.4