2017-11-20 13:29:42

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 00/19] X Desktop Group location support and reduced user content access privileges, contrib part

This is the patch set that implements the more granular approach to user
resources (files, directories) in the users' home directory. It requires
the first patch set (which introduces the support for this more granular
approach) which has been submitted earlier on.

To recap, the first patch set introduces a number of additional types
and attributes to support the XDG related resource locations, divided in
two sets:
- The main XDG locations used for user-specific application data (in
~/.local, marked as xdg_data_t), user-specific cache data (in
~/.cache, marked as xdg_cache_t), and user-specific application
configuration data (in ~/.config, marked as xdg_config_t).
It also enables support for application/domain-specific types within
(such as mozilla_xdg_config_t).
- End user resource locations tailored to the common resource types. It
enables the "Documents/" location to be marked with xdg_documents_t,
"Downloads/" with xdg_downloads_t, "Pictures/" with xdg_pictures_t,
"Music/" with xdg_music_t and "Videos/" with xdg_videos_t.

This patchset updates a number of application domains to support
these locations. Note that not all of Guido's work (who retriggered
the upstreaming of this patch set) is included here, as some of the
suggested changes were harder for me to review or confirm. However,
these can be easily reapplied if needed.

Changes since v1:
- Drop _home_ from type/attribute declarations and interface names
- Move tunable definitions inside template

Sven Vermeulen (19):
Enhance evolution domain with XDG privilege sets
Enhance gnome domains with XDG privilege sets
Enhance minidlna domain with XDG privilege sets
Enhance mozilla domain with XDG privilege sets
Enhance mplayer domains with XDG privilege sets
Enhance pulseaudio domain with XDG privilege sets
Enhance telepathy domains with XDG privilege sets
Enhance thunderbird domain with XDG privilege sets
Make cron user content access optional
Make firstboot user content access optional
Make gpg user content access optional
Make i18n_input user content access optional
Make irc user content access optional
Make java user content access optional
Make openoffice user content access optional
Make postfix user content access optional
Make wireshark user content access optional
Make xscreensaver user content access optional
Switch syncthing to XDG config types and make user content access
optional

cron.te | 20 ++++++++---------
evolution.fc | 3 +++
evolution.te | 33 +++++++++++++++++++++------
firstboot.te | 14 +++++++-----
gnome.fc | 5 +++++
gnome.te | 34 ++++++++++++++++++++++++++++
gpg.te | 6 +++--
i18n_input.te | 24 +++++++++++++++++++-
irc.te | 6 ++---
java.te | 13 ++++++-----
minidlna.te | 4 ++++
mozilla.fc | 1 +
mozilla.te | 18 +++++++++++----
mplayer.te | 14 +++++++-----
openoffice.te | 12 ++++------
postfix.te | 6 +----
pulseaudio.fc | 2 +-
pulseaudio.te | 11 +++++++++
syncthing.fc | 2 +-
syncthing.if | 8 +++----
syncthing.te | 19 +++++++---------
telepathy.fc | 18 +++++++--------
telepathy.if | 24 ++++++++++----------
telepathy.te | 70 ++++++++++++++++++++++++++++-----------------------------
thunderbird.te | 14 ++++++++----
wireshark.te | 5 +++--
xscreensaver.te | 26 ++++++++++++++++++++-
27 files changed, 273 insertions(+), 139 deletions(-)

--
2.13.6
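The cover letter above describes the labelling scheme this series relies on: the XDG base directories ~/.cache, ~/.config and ~/.local/share map to *_xdg_cache_t, *_xdg_config_t and *_xdg_data_t types, and file-context (.fc) entries of the form `HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)` implement it. As an added illustration, not code from the patch series or from the refpolicy project, the following Python script parses such entries, resolves which type a given path would receive for a given user, and checks that every entry under an XDG base directory carries a type whose name matches that directory. The sample entries are copied from the evolution.fc and pulseaudio.fc hunks of this series; the home directory `/home/alice` and the tie-break rule (the match with the longest literal stem wins, later entries break ties) are assumptions of this example and only approximate the fc_sort ordering that setfiles and matchpathcon apply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (example code, not part of the patch series): file-context
# entries copied from the evolution.fc and pulseaudio.fc hunks. HOME_DIR is
# refpolicy's placeholder that the build expands to each user's home directory.
SAMPLE_FC = r"""
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
HOME_DIR/\.config/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)
"""

# Optional file-class field of a file_contexts entry, see file_contexts(5).
FILE_CLASSES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                "-c": "chr_file", "-b": "blk_file", "-p": "fifo_file"}

ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<cls>-[-dlscbp])\s+)?gen_context\((?P<ctx>[^)]*)\)")


@dataclass
class FcEntry:
    path_re: str                 # path regex as written, HOME_DIR still unexpanded
    file_class: Optional[str]    # None means the entry applies to every file class
    setype: str                  # the SELinux type from the gen_context() call


def parse_fc(text: str) -> List[FcEntry]:
    """Parse file_contexts lines; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        ctx = m.group("ctx").split(",")[0].strip()   # drop the MLS level (s0)
        setype = ctx.split(":")[2]                    # user:role:type
        entries.append(FcEntry(m.group("path"), FILE_CLASSES.get(m.group("cls")), setype))
    return entries


def literal_stem(path_re: str) -> str:
    """Literal prefix of a path regex up to the first metacharacter (\\. counts as a literal dot)."""
    stem, i = [], 0
    while i < len(path_re):
        c = path_re[i]
        if c == "\\" and i + 1 < len(path_re):
            stem.append(path_re[i + 1])
            i += 2
            continue
        if c in ".[]()*+?^$|{}":
            break
        stem.append(c)
        i += 1
    return "".join(stem)


def resolve(entries: List[FcEntry], path: str, file_class: str,
            home: str = "/home/alice") -> Optional[str]:
    """Type `path` (of the given file class) would get for a user whose home is `home`.
    Assumption: longest literal stem wins, later entries break ties; real tooling
    (matchpathcon/selabel_lookup) uses the fc_sort order of the compiled file_contexts."""
    best, best_key = None, None
    for idx, e in enumerate(entries):
        if e.file_class is not None and e.file_class != file_class:
            continue
        pattern = "^" + e.path_re.replace("HOME_DIR", re.escape(home)) + "$"
        if re.match(pattern, path):
            key = (len(literal_stem(e.path_re)), idx)
            if best_key is None or key > best_key:
                best, best_key = e.setype, key
    return best


# XDG base directory -> type-name suffix the series uses for content below it.
XDG_BASE = re.compile(r"^HOME_DIR/\\\.(cache|config|local/share)(?:/|\(|$)")
EXPECTED = {"cache": "xdg_cache_t", "config": "xdg_config_t", "local/share": "xdg_data_t"}


def check_xdg_consistency(entries: List[FcEntry]) -> List[str]:
    """Report entries under an XDG base directory whose type does not follow the
    naming of that directory (e.g. a *_xdg_config_t entry under ~/.local/share)."""
    problems = []
    for e in entries:
        m = XDG_BASE.match(e.path_re)
        if m and not e.setype.endswith(EXPECTED[m.group(1)]):
            problems.append(f"{e.path_re}: labelled {e.setype}, "
                            f"expected a *_{EXPECTED[m.group(1)]} type")
    return problems


if __name__ == "__main__":
    entries = parse_fc(SAMPLE_FC)
    for p, cls in [("/home/alice/.local/share/evolution/mail", "dir"),
                   ("/home/alice/.config/pulse/cookie", "file"),
                   ("/home/alice/.esd_auth", "dir")]:
        print(f"{p} ({cls}) -> {resolve(entries, p, cls)}")
    for problem in check_xdg_consistency(entries):
        print("inconsistent:", problem)
```

Run against the sample, the consistency check reports the `~/.local/share/evolution` entry because it carries a *_xdg_config_t type under the data location; the resolver also shows that `~/.esd_auth` queried as a directory gets no match, since the `--` marker restricts that entry to regular files.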


2017-11-20 13:29:43

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 01/19] Enhance evolution domain with XDG privilege sets

The Evolution e-mail client uses all XDG locations, which have been
switched from the regular end user type (user_home_t) toward the XDG
related ones. In this patch, the evolution_t domain now supports
accessing the newly defined types.

Next to the XDG changes, the user content accesses are now also made
optional through the evolution_{read,manage}_{generic,all}_user_content
booleans.

The mail client does have manage rights on the Downloads location.

Changes since v1:
- Moved tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
evolution.fc | 3 +++
evolution.te | 33 ++++++++++++++++++++++++++-------
2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/evolution.fc b/evolution.fc
index efe7e1f..7f5e898 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,8 @@
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.config/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
+HOME_DIR/\.local/share/camel_certs(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)

/tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
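Review bot: the two new `~/.local/share` entries are labelled evolution_xdg_config_t although ~/.local/share is the XDG data location and the evolution.te hunk declares evolution_xdg_data_t for it, with xdg_data_filetrans transitioning runtime-created content to that type; as written, files evolution_t creates there get evolution_xdg_data_t while restorecon relabels them to evolution_xdg_config_t. Label `HOME_DIR/\.local/share/evolution(/.*)?` and `HOME_DIR/\.local/share/camel_certs(/.*)?` as evolution_xdg_data_t, and add a `HOME_DIR/\.cache/evolution(/.*)?` entry for evolution_xdg_cache_t, which the .te declares but no fc entry uses.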

diff --git a/evolution.te b/evolution.te
index e31a843..79ea79d 100644
--- a/evolution.te
+++ b/evolution.te
@@ -105,6 +105,15 @@ typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_e
typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)

+type evolution_xdg_cache_t;
+xdg_cache_content(evolution_xdg_cache_t)
+
+type evolution_xdg_config_t;
+xdg_config_content(evolution_xdg_config_t)
+
+type evolution_xdg_data_t;
+xdg_data_content(evolution_xdg_data_t)
+
########################################
#
# Local policy
@@ -142,6 +151,18 @@ stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm
stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)

+manage_files_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t)
+xdg_cache_filetrans(evolution_t, evolution_xdg_cache_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t)
+xdg_config_filetrans(evolution_t, evolution_xdg_config_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t)
+xdg_data_filetrans(evolution_t, evolution_xdg_data_t, { dir file } )
+
can_exec(evolution_t, { evolution_alarm_exec_t evolution_server_exec_t })

kernel_read_kernel_sysctls(evolution_t)
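Review bot: the three filetrans calls carry no name argument, so every directory or file evolution_t creates directly under ~/.cache, ~/.config or ~/.local/share is typed as evolution's own XDG type, not only its own subdirectory; the mozilla and pulseaudio patches in this series scope the transition with the directory name (`xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")`). Pass the name here too ("evolution", plus "camel_certs" for the data location) and drop the stray space in `{ dir file } )`.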
@@ -201,6 +222,7 @@ udev_read_state(evolution_t)

userdom_use_user_terminals(evolution_t)

+
tunable_policy(`evolution_manage_user_certs',`
userdom_manage_user_certs(evolution_t)
',`
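Review bot: the only change in this hunk is an added blank line directly after the blank line that already follows userdom_use_user_terminals(evolution_t), leaving a double blank; drop it.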
@@ -208,17 +230,14 @@ tunable_policy(`evolution_manage_user_certs',`
userdom_read_user_certs(evolution_t)
')

-userdom_manage_user_tmp_dirs(evolution_t)
-userdom_manage_user_tmp_files(evolution_t)
-
-userdom_manage_user_home_content_dirs(evolution_t)
-userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
-
userdom_write_user_tmp_sockets(evolution_t)

+userdom_user_content_access_template(evolution, evolution_t)
+
mta_read_config(evolution_t)

+xdg_manage_downloads(evolution_t)
+
xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
xserver_read_xdm_tmp_files(evolution_t)
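Review bot: besides the home-content rules, this hunk also drops userdom_manage_user_tmp_dirs(evolution_t) and userdom_manage_user_tmp_files(evolution_t) unconditionally, which the commit message does not mention; if userdom_user_content_access_template is meant to cover user tmp as well, say so in the message, otherwise keep the two tmp lines (userdom_write_user_tmp_sockets stays, so the domain is still expected to work in user tmp).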

--
2.13.6

2017-11-20 13:29:44

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 02/19] Enhance gnome domains with XDG privilege sets

Many of the GNOME domains make full use of all the basic XDG locations.
With the introduction of support for these (~/.cache, ~/.local and
~/.config) the appropriate GNOME XDG type definitions are added, together
with the necessary privileges for accessing these types.

Signed-off-by: Sven Vermeulen <[email protected]>
---
gnome.fc | 5 +++++
gnome.te | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+)

diff --git a/gnome.fc b/gnome.fc
index 744ff68..1c0dd43 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,9 +1,14 @@
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_t,s0)
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_xdg_config_t,s0)
HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_t,s0)

HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
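Review bot: `HOME_DIR/\.local/share/keyrings(/.*)?` receives the shared gnome_xdg_data_t type, whereas its legacy counterpart `HOME_DIR/\.gnome2/keyrings(/.*)?` keeps the dedicated gnome_keyring_home_t. The stored keyrings hold the user's secrets, and with the shared type every domain granted gnome_xdg_data_t access (gconfd_t in the gnome.te hunk below) can read and modify them; consider a dedicated XDG type for the keyrings, as is already done for the legacy location.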

diff --git a/gnome.te b/gnome.te
index d87daab..b3800e7 100644
--- a/gnome.te
+++ b/gnome.te
@@ -46,6 +46,15 @@ userdom_user_home_content(gnome_keyring_home_t)
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)

+type gnome_xdg_cache_t;
+xdg_cache_content(gnome_xdg_cache_t)
+
+type gnome_xdg_config_t;
+xdg_config_content(gnome_xdg_config_t)
+
+type gnome_xdg_data_t;
+xdg_data_content(gnome_xdg_data_t)
+
type gstreamer_orcexec_t;
application_executable_file(gstreamer_orcexec_t)

@@ -91,6 +100,18 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })

+manage_dirs_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_files_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t)
+xdg_cache_filetrans(gconfd_t, gnome_xdg_cache_t, dir)
+
+manage_dirs_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t)
+manage_files_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t)
+xdg_config_filetrans(gconfd_t, gnome_xdg_config_t, dir)
+
+manage_dirs_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t)
+manage_files_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t)
+xdg_data_filetrans(gconfd_t, gnome_xdg_data_t, dir)
+
# for /proc/filesystems
kernel_read_system_state(gconfd_t)
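Review bot: gconfd_t is given manage rights on all three GNOME XDG types, but the only fc entries under these types are dconf, gtk-* and the keyrings; the legacy GConf daemon works in ~/.gconf (gconf_home_t) and has no obvious need to write dconf's database or the keyring files. Limit this to what gconfd actually touches, and keep the keyrings on their own type so this rule cannot reach them.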

@@ -145,6 +166,19 @@ manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_t
files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)

+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_sock_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+xdg_cache_filetrans(gkeyringd_domain, gnome_xdg_cache_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t)
+xdg_config_filetrans(gkeyringd_domain, gnome_xdg_config_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
+xdg_data_filetrans(gkeyringd_domain, gnome_xdg_data_t, dir)
+
kernel_read_crypto_sysctls(gkeyringd_domain)
kernel_read_kernel_sysctls(gkeyringd_domain)
kernel_read_system_state(gkeyringd_domain)
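Review bot: the keyring daemon needs ~/.local/share/keyrings and ~/.cache/keyring-* (the latter explains manage_sock_files_pattern on gnome_xdg_cache_t); the manage rules on gnome_xdg_config_t (dconf, gtk-*) go beyond that and nothing in the message motivates them. The three filetrans calls also name no directory, so any dir gkeyringd creates directly in ~/.cache, ~/.config or ~/.local/share becomes gnome_xdg_*_t; at least the data transition could be scoped with "keyrings".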
--
2.13.6

2017-11-20 13:29:45

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 03/19] Enhance minidlna domain with XDG privilege sets

The minidlna domain is meant for the minidlna media server. Hence, its
primary duty is to present pictures, videos and music. With these
types of data in the user home directory now being marked as
xdg_pictures_t, xdg_videos_t and xdg_music_t, the minidlna_t domain is
granted read access to these resources.

Signed-off-by: Sven Vermeulen <[email protected]>
---
minidlna.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/minidlna.te b/minidlna.te
index a8b88c5..bb96114 100644
--- a/minidlna.te
+++ b/minidlna.te
@@ -85,6 +85,10 @@ logging_search_logs(minidlna_t)
miscfiles_read_localization(minidlna_t)
miscfiles_read_public_files(minidlna_t)

+xdg_read_music(minidlna_t)
+xdg_read_pictures(minidlna_t)
+xdg_read_videos(minidlna_t)
+
tunable_policy(`minidlna_read_generic_user_content',`
userdom_list_user_tmp(minidlna_t)
userdom_read_user_home_content_files(minidlna_t)
--
2.13.6

2017-11-20 13:29:46

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 04/19] Enhance mozilla domain with XDG privilege sets

The mozilla-style browsers, such as Firefox, should not by default have
manage rights on end user content. These privileges are now moved under
the support of the booleans
(mozilla_{read,manage}_{generic,all}_user_content), with read access
being enabled by default on the generic user content.

The browsers are granted manage rights on the Downloads/ location
through the xdg_manage_downloads() privileges.

Additionally, these browsers do use the ~/.cache/mozilla location for
their user-specific application cache data. Hence, the
mozilla_xdg_cache_t type is introduced and the necessary privileges
are provided for the mozilla- and mozilla plugin domains.

Changes since v1:
- Moved tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
mozilla.fc | 1 +
mozilla.te | 18 ++++++++++++++----
2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/mozilla.fc b/mozilla.fc
index e5d2fa7..3a60e5e 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0)
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
diff --git a/mozilla.te b/mozilla.te
index 9da14b1..d47da33 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -71,6 +71,9 @@ optional_policy(`
pulseaudio_tmpfs_content(mozilla_tmpfs_t)
')

+type mozilla_xdg_cache_t;
+xdg_cache_content(mozilla_xdg_cache_t)
+
########################################
#
# Local policy
@@ -115,6 +118,10 @@ allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;

stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)

+manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
+
can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })

kernel_read_kernel_sysctls(mozilla_t)
@@ -199,8 +206,7 @@ userdom_use_user_ptys(mozilla_t)
userdom_manage_user_tmp_dirs(mozilla_t)
userdom_manage_user_tmp_files(mozilla_t)

-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
+userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })

userdom_write_user_tmp_sockets(mozilla_t)
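Review bot: `userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })` sits in the mozilla_t local policy but also covers mozilla_plugin_t, whose own section further down only shows the two manage lines being removed; add a comment here stating that the plugin domain is covered by the same mozilla_* booleans so that removal is not read as a loss, and confirm the template accepts a set as its second argument (every other call site in this series passes a single domain).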
@@ -208,6 +214,10 @@ userdom_write_user_tmp_sockets(mozilla_t)
mozilla_run_plugin(mozilla_t, mozilla_roles)
mozilla_run_plugin_config(mozilla_t, mozilla_roles)

+xdg_read_config_files(mozilla_t)
+xdg_read_data_files(mozilla_t)
+xdg_manage_downloads(mozilla_t)
+
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
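Review bot: xdg_read_config_files and xdg_read_data_files give the browser read access to generic XDG config and data content, while the commit message only discusses ~/.cache/mozilla and Downloads; add a short comment on what the browser needs under ~/.config and ~/.local/share (if it is only its own location, a mozilla_xdg_config_t or mozilla_xdg_data_t would be tighter than the generic read).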
@@ -505,14 +515,14 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
userdom_manage_user_tmp_dirs(mozilla_plugin_t)
userdom_manage_user_tmp_files(mozilla_plugin_t)

-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })

userdom_write_user_tmp_sockets(mozilla_plugin_t)

userdom_dontaudit_use_user_terminals(mozilla_plugin_t)

+xdg_read_config_files(mozilla_plugin_t)
+
ifndef(`enable_mls',`
fs_list_dos(mozilla_plugin_t)
fs_read_dos_files(mozilla_plugin_t)
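Review bot: the commit message says the mozilla_xdg_cache_t privileges are provided for the plugin domain as well, but this hunk adds only xdg_read_config_files(mozilla_plugin_t); either add the manage rules on mozilla_xdg_cache_t for mozilla_plugin_t or correct the message. userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) is also kept while the create rights move behind the booleans, so the transition only takes effect with a mozilla_manage_*_user_content boolean enabled; fine, but worth a comment.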
--
2.13.6

2017-11-20 13:29:47

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 05/19] Enhance mplayer domains with XDG privilege sets

The mplayer application, and its accompanying mencoder application,
should not by default hold manage rights on the end user data. Instead,
the mplayer_t domain gets read access on music and videos, while
mencoder_t gets manage access on music and videos.

The manage rights on the user content are then moved under the support of
the booleans (*_read_generic_user_content, *_read_all_user_content,
*_manage_generic_user_content and *_manage_all_user_content). The
booleans are made available for both domains (so one set for mplayer and
one set for mencoder).

Changes since v1:
- Moved tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
mplayer.te | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/mplayer.te b/mplayer.te
index 50b313e..08448a2 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -84,9 +84,10 @@ userdom_use_user_terminals(mencoder_t)
userdom_manage_user_tmp_dirs(mencoder_t)
userdom_manage_user_tmp_files(mencoder_t)

-userdom_manage_user_home_content_dirs(mencoder_t)
-userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+userdom_user_content_access_template(mplayer_mencoder, mencoder_t)
+
+xdg_manage_music(mencoder_t)
+xdg_manage_videos(mencoder_t)

ifndef(`enable_mls',`
fs_list_dos(mencoder_t)
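Review bot: userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file }) is removed together with the manage rules here (and for mplayer_t in the next hunk), whereas the mozilla patch of this series keeps that filetrans next to its template call; settle on one convention. If the template already provides the transition, the mozilla call is redundant; if it does not, content mencoder creates in the home directory with the manage booleans enabled will inherit the home directory's type instead of the user content type.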
@@ -207,12 +208,13 @@ userdom_manage_user_tmp_files(mplayer_t)
userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })

-userdom_manage_user_home_content_dirs(mplayer_t)
-userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+userdom_user_content_access_template(mplayer, mplayer_t)

userdom_write_user_tmp_sockets(mplayer_t)

+xdg_read_music(mplayer_t)
+xdg_read_videos(mplayer_t)
+
xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)

ifndef(`enable_mls',`
--
2.13.6

2017-11-20 13:29:48

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 06/19] Enhance pulseaudio domain with XDG privilege sets

The pulseaudio domain was configured to use the ~/.config/pulse/
location as pulseaudio_home_t. With the introduction of the XDG-based
types, this can now be switched to pulseaudio_xdg_config_t.

Signed-off-by: Sven Vermeulen <[email protected]>
---
pulseaudio.fc | 2 +-
pulseaudio.te | 11 +++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/pulseaudio.fc b/pulseaudio.fc
index 146b5a7..0d9bc35 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -1,7 +1,7 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)

/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
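Review bot: besides the type switch, the hunk drops the `--` file-class marker from `HOME_DIR/\.config/pulse(/.*)?`, which previously restricted the entry to regular files and so never matched the directory itself; that is a fix in its own right and deserves a sentence in the commit message. Note also that `HOME_DIR/\.pulse(/.*)?` stays pulseaudio_home_t, so the same content is typed differently depending on which of the two locations a client uses.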

diff --git a/pulseaudio.te b/pulseaudio.te
index 441d058..0900646 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -39,6 +39,9 @@ files_type(pulseaudio_var_lib_t)
type pulseaudio_var_run_t;
files_pid_file(pulseaudio_var_run_t)

+type pulseaudio_xdg_config_t;
+xdg_config_content(pulseaudio_xdg_config_t)
+
########################################
#
# Local policy
@@ -86,6 +89,10 @@ manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })

+manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+xdg_config_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse")
+
allow pulseaudio_t pulseaudio_client:process signull;
ps_process_pattern(pulseaudio_t, pulseaudio_client)

@@ -246,6 +253,10 @@ rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t },
allow pulseaudio_client pulseaudio_tmpfs_t:file map;
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)

+manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+xdg_config_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+
fs_getattr_tmpfs(pulseaudio_client)

corenet_all_recvfrom_unlabeled(pulseaudio_client)
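Review bot: pulseaudio_client is an attribute shared by every client domain, and this hunk grants all of them manage rights on pulseaudio_xdg_config_t, the type that now covers the per-user configuration and the authentication cookie under ~/.config/pulse. Clients need to read the cookie and create it on first use; check whether read plus a named create transition suffices, and state whether the existing pulseaudio_home_t rules for the attribute (not shown in the hunk) were equally broad.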
--
2.13.6

2017-11-20 13:29:49

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 07/19] Enhance telepathy domains with XDG privilege sets

The telepathy domain already had some support for the XDG-style
locations (cache, config and data). In this patch the rules are updated
to use the XDG-style approach (naming) as well as include the necessary
file transitions.

Signed-off-by: Sven Vermeulen <[email protected]>
---
telepathy.fc | 18 ++++++++--------
telepathy.if | 24 ++++++++++-----------
telepathy.te | 70 ++++++++++++++++++++++++++++++------------------------------
3 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/telepathy.fc b/telepathy.fc
index 6c7f8f8..4600d81 100644
--- a/telepathy.fc
+++ b/telepathy.fc
@@ -1,14 +1,14 @@
-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
-HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
-HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_data_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_xdg_data_t,s0)
HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
-HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_data_t,s0)

/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
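Review bot: the rewritten lines for `~/.cache/telepathy` and `~/.cache/telepathy/avatars/gabble` keep the `, s0)` spacing of the old lines while every other entry uses `,s0)`; since these lines are touched anyway, normalise them. The renames themselves match the alias declarations in the telepathy.te hunk.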
diff --git a/telepathy.if b/telepathy.if
index 2a11a70..03f4f51 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -68,9 +68,9 @@ template(`telepathy_role_template',`
type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
type telepathy_msn_exec_t;

- type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
- type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
- type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
+ type telepathy_mission_control_xdg_cache_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t;
+ type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t;
+ type telepathy_mission_control_xdg_data_t, telepathy_sunshine_home_t, telepathy_logger_xdg_data_t;
')

role $2 types telepathy_domain;
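Review bot: the gen_require line now reads `type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t;` where the old line required telepathy_mission_control_home_t; the rename hit the wrong identifier. telepathy_mission_control_home_t is still used further down in this template (the allow rules and the userdom_user_home_dir_filetrans for ".mission-control"), so unless it is required elsewhere in the block the template will no longer build; restore it.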
@@ -92,22 +92,22 @@ template(`telepathy_role_template',`
dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t)
dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t)

- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };

- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:file { manage_file_perms relabel_file_perms };

- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+ filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
# gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")

- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+ filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
# gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")

userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+ filetrans_pattern($3, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
# gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")

userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
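Review bot: the commented-out gnome_cache_filetrans/gnome_data_filetrans placeholders still name the old types (telepathy_gabble_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t) although the telepathy.te hunk updates the same comments; more to the point, the commit message says the necessary file transitions are included, yet the role's transitions into ~/.cache and ~/.local/share stay commented out. With xdg_cache_filetrans/xdg_data_filetrans available (used elsewhere in this series with a name argument), these can become live rules, e.g. `xdg_data_filetrans($3, telepathy_logger_xdg_data_t, dir, "TpLogger")`.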
diff --git a/telepathy.te b/telepathy.te
index f1bee7f..5a05159 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -27,34 +27,34 @@ attribute telepathy_tmp_content;

telepathy_domain_template(gabble)

-type telepathy_cache_home_t;
-userdom_user_home_content(telepathy_cache_home_t)
+type telepathy_xdg_cache_t alias telepathy_cache_home_t;
+xdg_cache_content(telepathy_xdg_cache_t)

-type telepathy_gabble_cache_home_t;
-userdom_user_home_content(telepathy_gabble_cache_home_t)
+type telepathy_gabble_xdg_cache_t alias telepathy_gabble_cache_home_t;
+xdg_cache_content(telepathy_gabble_xdg_cache_t)

telepathy_domain_template(idle)
telepathy_domain_template(logger)

-type telepathy_data_home_t;
-userdom_user_home_content(telepathy_data_home_t)
+type telepathy_xdg_data_t alias telepathy_data_home_t;
+xdg_data_content(telepathy_xdg_data_t)

-type telepathy_logger_cache_home_t;
-userdom_user_home_content(telepathy_logger_cache_home_t)
+type telepathy_logger_xdg_cache_t alias telepathy_logger_cache_home_t;
+xdg_cache_content(telepathy_logger_xdg_cache_t)

-type telepathy_logger_data_home_t;
-userdom_user_home_content(telepathy_logger_data_home_t)
+type telepathy_logger_xdg_data_t alias telepathy_logger_data_home_t;
+xdg_data_content(telepathy_logger_xdg_data_t)

telepathy_domain_template(mission_control)

type telepathy_mission_control_home_t;
userdom_user_home_content(telepathy_mission_control_home_t)

-type telepathy_mission_control_data_home_t;
-userdom_user_home_content(telepathy_mission_control_data_home_t)
+type telepathy_mission_control_xdg_data_t alias telepathy_mission_control_data_home_t;
+xdg_data_content(telepathy_mission_control_xdg_data_t)

-type telepathy_mission_control_cache_home_t;
-userdom_user_home_content(telepathy_mission_control_cache_home_t)
+type telepathy_mission_control_xdg_cache_t alias telepathy_mission_control_cache_home_t;
+xdg_cache_content(telepathy_mission_control_xdg_cache_t)

telepathy_domain_template(msn)
telepathy_domain_template(salut)
@@ -74,10 +74,10 @@ allow telepathy_gabble_t self:tcp_socket { accept listen };
allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };

# ~/.cache/telepathy/gabble/caps-cache.db-journal
-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+filetrans_pattern(telepathy_gabble_t, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
+# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")

manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
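Review bot: the `# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")` line is renamed but left commented out; the fc hunk labels `~/.cache/wocky` as telepathy_gabble_xdg_cache_t, so a live `xdg_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")` would make a wocky directory created at runtime match its file context instead of waiting for a relabel.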
@@ -179,13 +179,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`

allow telepathy_logger_t self:unix_stream_socket create_socket_perms;

-manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+filetrans_pattern(telepathy_logger_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")

-manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
-manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger")
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_xdg_data_t, dir, "TpLogger")

files_read_usr_files(telepathy_logger_t)
files_search_pids(telepathy_logger_t)
@@ -216,15 +216,15 @@ manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")

-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+filetrans_pattern(telepathy_mission_control_t, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")

-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, telepathy_mission_control_xdg_cache_t)
+# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, file, ".mc_connections")

-manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)

dev_read_rand(telepathy_mission_control_t)
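Review bot: telepathy_mission_control_t is given full manage rights on telepathy_gabble_xdg_cache_t, another domain's cache type, in the last two lines of this hunk. If mission-control only needs to read or clean up gabble's cache, narrow this to those permissions; if it really must manage it, a comment stating why (as the "# ~/.cache/telepathy/gabble/caps-cache.db-journal" comment does for gabble itself) would help future reviewers.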

@@ -461,11 +461,11 @@ optional_policy(`
allow telepathy_domain self:process { getsched signal sigkill };
allow telepathy_domain self:fifo_file rw_fifo_file_perms;

-manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_cache_t, telepathy_xdg_cache_t)
+xdg_cache_filetrans(telepathy_domain, telepathy_xdg_cache_t, dir, "telepathy")

-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_data_t, telepathy_xdg_data_t)
+xdg_data_filetrans(telepathy_domain, telepathy_xdg_data_t, dir, "telepathy")

dev_read_urand(telepathy_domain)
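Review bot: the still-commented gnome_cache_filetrans()/gnome_data_filetrans() lines earlier in this file ("wocky" for telepathy_gabble_t, "TpLogger" for telepathy_logger_t, ".mc_connections" for telepathy_mission_control_t) should either be converted to the xdg_cache_filetrans()/xdg_data_filetrans() form used here for the "telepathy" directories, or be removed; renaming the types inside dead comments suggests the transitions were meant to exist. As written, a file such as ~/.cache/.mc_connections is created with the parent's xdg_cache_t label rather than telepathy_mission_control_xdg_cache_t, and nothing visible in this patch grants telepathy_mission_control_t write access to xdg_cache_t directories.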

--
2.13.6

2017-11-20 13:29:50

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 08/19] Enhance thunderbird domain with XDG privilege sets

Thunderbird makes use of the ~/.cache/thunderbird location for its
application cache data. The other XDG main locations do not seem to be
used actively, although it does require read access on the
~/.local/share location.

The standard manage rights on the user content are removed and replaced
with the tunable blocks. Manage rights on the temporary user files are
retained as they are used for drafting e-mails.

Changes since v1:
- Move tunable definitions inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
thunderbird.te | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/thunderbird.te b/thunderbird.te
index abc1c95..b8dbcd5 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -24,6 +24,9 @@ typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird
typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
userdom_user_tmpfs_file(thunderbird_tmpfs_t)

+type thunderbird_xdg_cache_t;
+xdg_cache_content(thunderbird_xdg_cache_t)
+
optional_policy(`
wm_application_domain(thunderbird_t, thunderbird_exec_t)
')
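Review bot: thunderbird_xdg_cache_t is declared here, but the diffstat lists only thunderbird.te, so there is no thunderbird.fc entry for HOME_DIR/\.cache/thunderbird(/.*)?. Without it, an existing ~/.cache/thunderbird keeps the generic xdg_cache_t label after a relabel and only directories created through the xdg_cache_filetrans() added in this patch get the new type; add the file context line (compare the syncthing.fc change in patch 19 of this series).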
@@ -51,6 +54,10 @@ manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_
manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

+manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t)
+manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t)
+xdg_cache_filetrans(thunderbird_t, thunderbird_xdg_cache_t, dir, "thunderbird")
+
kernel_read_network_state(thunderbird_t)
kernel_read_net_sysctls(thunderbird_t)
kernel_read_system_state(thunderbird_t)
@@ -106,13 +113,12 @@ miscfiles_read_fonts(thunderbird_t)
miscfiles_read_localization(thunderbird_t)

userdom_write_user_tmp_sockets(thunderbird_t)
-
userdom_manage_user_tmp_dirs(thunderbird_t)
userdom_manage_user_tmp_files(thunderbird_t)
+userdom_user_content_access_template(thunderbird, thunderbird_t)

-userdom_manage_user_home_content_dirs(thunderbird_t)
-userdom_manage_user_home_content_files(thunderbird_t)
-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
+xdg_read_data_files(thunderbird_t)
+xdg_manage_downloads(thunderbird_t)

xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
xserver_read_xdm_tmp_files(thunderbird_t)
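Review bot: userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) is removed without a replacement, whereas patches 10 and 14 in this series keep the equivalent transition inside the *_manage_generic_user_content tunable block. Unless userdom_user_content_access_template() provides it, files Thunderbird saves directly into the home directory (an attachment saved to ~, for instance) no longer get the user home content transition; consider a tunable_policy(`thunderbird_manage_generic_user_content', ...) block as in the java patch. The commit message could also name the generated thunderbird_{read,manage}_{generic,all}_user_content booleans, as the cron and firstboot messages do.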
--
2.13.6

2017-11-20 13:29:51

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 09/19] Make cron user content access optional

Cron has two modi operandi for handling cron jobs: either the cron jobs
run in the generic cronjob_t domain, or they run in the users' main
domain.

The generic cronjob_t domain had manage rights on the user content. With
this change, this is made optional under support of the necessary
booleans (cron_{read,manage}_{generic,all}_user_content).

Changes since v1:
- Move tunable definitions inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.te | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/cron.te b/cron.te
index 13c9ada..7fbc4d6 100644
--- a/cron.te
+++ b/cron.te
@@ -187,8 +187,6 @@ seutil_read_config(crontab_domain)
userdom_manage_user_tmp_dirs(crontab_domain)
userdom_manage_user_tmp_files(crontab_domain)
userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)

tunable_policy(`fcron_crond',`
dontaudit crontab_domain crond_t:process signal;
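Review bot: crontab_domain loses its unconditional read access on user home content files and symlinks here, and only gets it back through the cron_read_generic_user_content tunable generated by the template call further down in this patch. `crontab <file>` with a file in the user's home directory depends on that read access, so confirm the tunable's default is true, or state in the commit message that administrators must enable it.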
@@ -711,15 +709,15 @@ seutil_read_config(cronjob_t)

miscfiles_read_localization(cronjob_t)

-userdom_manage_user_tmp_files(cronjob_t)
-userdom_manage_user_tmp_symlinks(cronjob_t)
-userdom_manage_user_tmp_pipes(cronjob_t)
-userdom_manage_user_tmp_sockets(cronjob_t)
-userdom_exec_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_symlinks(cronjob_t)
-userdom_manage_user_home_content_pipes(cronjob_t)
-userdom_manage_user_home_content_sockets(cronjob_t)
+userdom_user_content_access_template(cron, { cronjob_t crontab_domain })
+
+tunable_policy(`cron_manage_generic_user_content',`
+ userdom_manage_user_tmp_pipes(cronjob_t)
+ userdom_manage_user_tmp_sockets(cronjob_t)
+ userdom_exec_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_pipes(cronjob_t)
+ userdom_manage_user_home_content_sockets(cronjob_t)
+')

tunable_policy(`cron_userdomain_transition',`
dontaudit cronjob_t crond_t:fd use;
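Review bot: userdom_exec_user_home_content_files(cronjob_t) is moved under cron_manage_generic_user_content, but executing a script from the home directory is a read-type privilege that a cron job commonly needs without any need to write user content. Put it under cron_read_generic_user_content (or keep it unconditional, as it was) so that enabling execution does not require granting manage rights.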
--
2.13.6

2017-11-20 13:29:52

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 10/19] Make firstboot user content access optional

The firstboot service does not really need user content access in the
majority of cases. It is meant to initialize the system after first
boot, which is primarily a non-user-related service approach.

To still support the off cases where user content access is needed, the
necessary privileges are made optional through support of the
firstboot_{read,manage}_{generic,all}_user_content booleans.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
firstboot.te | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/firstboot.te b/firstboot.te
index 3c93467..d5fed3e 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -78,13 +78,15 @@ miscfiles_read_localization(firstboot_t)
sysnet_dns_name_resolve(firstboot_t)

userdom_use_user_terminals(firstboot_t)
-userdom_manage_user_home_content_dirs(firstboot_t)
-userdom_manage_user_home_content_files(firstboot_t)
-userdom_manage_user_home_content_symlinks(firstboot_t)
-userdom_manage_user_home_content_pipes(firstboot_t)
-userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+
+userdom_user_content_access_template(firstboot, firstboot_t)
+
+tunable_policy(`firstboot_manage_generic_user_content',`
+ userdom_manage_user_home_content_pipes(firstboot_t)
+ userdom_manage_user_home_content_sockets(firstboot_t)
+ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+')

optional_policy(`
dbus_system_bus_client(firstboot_t)
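Review bot: userdom_home_filetrans_user_home_dir(firstboot_t) stays unconditional while every manage right on home content now depends on firstboot_manage_generic_user_content, so firstboot can still create a correctly labelled home directory but, with the tunable off, cannot populate it. If the default is off, say so in the commit message; if the default is on, the "majority of cases" argument does not change installed behaviour and the message should say the default keeps the current access.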
--
2.13.6

2017-11-20 13:29:53

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 11/19] Make gpg user content access optional

The GnuPG application does not require access to users' data in all
situations. When used through plugins it only accesses user temporary
data for instance. However, in most cases, access to end user data is
still preferred.

Hence, the read and manage rights on the generic user content are moved
under support of the right booleans, but with a default value allowing
these privileges.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
gpg.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gpg.te b/gpg.te
index 619fdb4..4c5e89f 100644
--- a/gpg.te
+++ b/gpg.te
@@ -133,8 +133,8 @@ userdom_use_user_terminals(gpg_t)

userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
-userdom_manage_user_home_content_files(gpg_t)
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+
+userdom_user_content_access_template(gpg, gpg_t)

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_t)
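Review bot: the commit message says the read and manage rights keep a default value allowing them, but userdom_user_content_access_template(gpg, gpg_t) takes no default argument, so it is unclear where that default is set; if the template declares the booleans with a fixed default, say so, and if gpg needs a different default than the other callers, the template needs a parameter. Also, userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) is dropped without replacement; `gpg -o ~/file.gpg` creates files straight in the home directory, so keep this transition inside a tunable_policy(`gpg_manage_generic_user_content', ...) block as the java patch does.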
@@ -353,6 +353,8 @@ miscfiles_read_localization(gpg_pinentry_t)

userdom_use_user_terminals(gpg_pinentry_t)

+xdg_read_data_home_files(gpg_pinentry_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
')
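Review bot: xdg_read_data_home_files() does not match the naming used elsewhere in v2; the cover letter drops _home_ from interface names and the thunderbird patch calls xdg_read_data_files(). Unless the xdg module still exports both, this call will not build; rename it to xdg_read_data_files(gpg_pinentry_t).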
--
2.13.6

2017-11-20 13:29:54

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 12/19] Make i18n_input user content access optional

The i18n_input domains (be it iiimd or htt_server) do not always need
read access on user domains. Make these privileges optional under the
i18n_input_read_generic_user_content boolean.

Signed-off-by: Sven Vermeulen <[email protected]>
---
i18n_input.te | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/i18n_input.te b/i18n_input.te
index a61725b..ac49949 100644
--- a/i18n_input.te
+++ b/i18n_input.te
@@ -5,6 +5,13 @@ policy_module(i18n_input, 1.12.0)
# Declarations
#

+## <desc>
+## <p>
+## Grant the i18n_input domains read access to generic user content
+## </p>
+## </desc>
+gen_tunable(`i18n_input_read_generic_user_content', true)
+
type i18n_input_t;
type i18n_input_exec_t;
init_daemon_domain(i18n_input_t, i18n_input_exec_t)
@@ -79,7 +86,22 @@ logging_send_syslog_msg(i18n_input_t)
miscfiles_read_localization(i18n_input_t)

userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_read_user_home_content_files(i18n_input_t)
+
+tunable_policy(`i18n_input_read_generic_user_content',`
+ userdom_list_user_tmp(i18n_input_t)
+ userdom_list_user_home_content(i18n_input_t)
+ userdom_read_user_home_content_files(i18n_input_t)
+ userdom_read_user_home_content_symlinks(i18n_input_t)
+ userdom_read_user_tmp_files(i18n_input_t)
+',`
+ files_dontaudit_list_home(i18n_input_t)
+ files_dontaudit_list_tmp(i18n_input_t)
+
+ userdom_dontaudit_list_user_home_dirs(i18n_input_t)
+ userdom_dontaudit_list_user_tmp(i18n_input_t)
+ userdom_dontaudit_read_user_home_content_files(i18n_input_t)
+ userdom_dontaudit_read_user_tmp_files(i18n_input_t)
+')

tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(i18n_input_t)
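Review bot: the true branch of this tunable grants more than the single userdom_read_user_home_content_files(i18n_input_t) line it replaces: it adds listing and reading of user tmp content and reading of home content symlinks. Since i18n_input_read_generic_user_content defaults to true, this widens the domain's access on every installed system; either restrict the block to the previous read rights or mention the extra tmp and symlink access in the commit message.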
--
2.13.6

2017-11-20 13:29:55

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 13/19] Make irc user content access optional

IRC clients do not need to have manage rights on user content at all
times. We make this optional, under the support of the
irc_{read,manage}_{generic,all}_user_content booleans.

To enable simple IRC-based upload/downloads, the irc_t domain does get
manage rights on the xdg_downloads_t type (~/Downloads).

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
irc.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/irc.te b/irc.te
index d07bfb8..7f34e53 100644
--- a/irc.te
+++ b/irc.te
@@ -114,9 +114,9 @@ miscfiles_read_localization(irc_t)

userdom_use_user_terminals(irc_t)

-userdom_manage_user_home_content_dirs(irc_t)
-userdom_manage_user_home_content_files(irc_t)
-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+userdom_user_content_access_template(irc, irc_t)
+
+xdg_manage_downloads(irc_t)

tunable_policy(`irc_use_any_tcp_ports',`
allow irc_t self:tcp_socket { accept listen };
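Review bot: xdg_manage_downloads(irc_t) is unconditional, which matches the commit message, but the removed userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) has no replacement, so a log or DCC transfer written directly into the home directory rather than ~/Downloads gets no user home content transition. Either keep the transition under irc_manage_generic_user_content (as the java patch does) or note in the commit message that ~/Downloads is now the only supported target.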
--
2.13.6

2017-11-20 13:29:56

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 14/19] Make java user content access optional

The java_domain attribute covers many java related domains.
Historically, the privileges on the java domain have been quite open,
including the access to the users' personal files. However, this should
not be the case at all times - some administrators might want to reduce
this scope, and only grant specific domains (rather than the generic
java ones) the necessary accesses.

In this patch, the manage rights on the user content are moved under
support of specific java-related booleans.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
java.te | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/java.te b/java.te
index 88cead9..2634d4e 100644
--- a/java.te
+++ b/java.te
@@ -109,15 +109,16 @@ miscfiles_read_fonts(java_domain)

userdom_dontaudit_use_user_terminals(java_domain)
userdom_dontaudit_exec_user_home_content_files(java_domain)
-userdom_manage_user_home_content_dirs(java_domain)
-userdom_manage_user_home_content_files(java_domain)
-userdom_manage_user_home_content_symlinks(java_domain)
-userdom_manage_user_home_content_pipes(java_domain)
-userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })

+userdom_user_content_access_template(java, java_domain)
userdom_write_user_tmp_sockets(java_domain)

+tunable_policy(`java_manage_generic_user_content',`
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+')
+
tunable_policy(`allow_java_execstack',`
allow java_domain self:process { execmem execstack };
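Review bot: userdom_write_user_tmp_sockets(java_domain) now sits directly after the new userdom_user_content_access_template(java, java_domain) call, separated from the other userdom_ calls it belonged with; keep the plain userdom_ interface calls grouped and place the template call after them, before the tunable_policy block that depends on it. The commit message should also name the java_{read,manage}_{generic,all}_user_content booleans it introduces, as the cron and firstboot patches do.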

--
2.13.6

2017-11-20 13:29:57

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 15/19] Make openoffice user content access optional

The openoffice domain should not have full manage rights on all user
content. Instead, it is granted manage rights on the documents
(xdg_documents_t) while the other privileges are made optional through
the openoffice_{read,manage}_{generic,all}_user_content booleans.

Changes since v1:
- Move tunable definitions inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
openoffice.te | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/openoffice.te b/openoffice.te
index fd4f79d..b4dbbc3 100644
--- a/openoffice.te
+++ b/openoffice.te
@@ -94,18 +94,14 @@ sysnet_dns_name_resolve(ooffice_t)

userdom_dontaudit_exec_user_home_content_files(ooffice_t)
userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
-
-userdom_read_user_tmp_files(ooffice_t)
-userdom_manage_user_home_content_dirs(ooffice_t)
-userdom_manage_user_home_content_files(ooffice_t)
-userdom_manage_user_home_content_symlinks(ooffice_t)
-userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
-
userdom_manage_user_tmp_dirs(ooffice_t)
userdom_manage_user_tmp_sockets(ooffice_t)
-
userdom_use_inherited_user_terminals(ooffice_t)

+userdom_user_content_access_template(openoffice, ooffice_t)
+
+xdg_manage_documents(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
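Review bot: userdom_read_user_tmp_files(ooffice_t) is removed together with the home content lines, while userdom_manage_user_tmp_dirs() and userdom_manage_user_tmp_sockets() stay unconditional. If the template only covers tmp file reading under openoffice_read_generic_user_content, opening a document handed over via /tmp (the usual mail-attachment case) now depends on that tunable while creating tmp directories does not; either keep the tmp file read unconditional or explain the split. The dropped userdom_user_home_dir_filetrans_user_home_content() also means a document saved directly in ~ rather than ~/Documents gets no home content transition.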
--
2.13.6

2017-11-20 13:29:58

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 16/19] Make postfix user content access optional

The postfix virtual domain does not always need full manage rights on
the users' home directories and content. We make these rights optional
through the postfix_{read,manage}_{generic,all}_user_content booleans.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.te | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/postfix.te b/postfix.te
index 53de122..7c8b96d 100644
--- a/postfix.te
+++ b/postfix.te
@@ -826,8 +826,4 @@ mta_delete_spool(postfix_virtual_t)
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)

-userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
+userdom_user_content_access_template(postfix, postfix_virtual_t)
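Review bot: userdom_manage_user_home_dirs() and userdom_home_filetrans_user_home_dir() are removed along with the content rights, but the commit message only mentions making the content access optional. Creating the home directory itself (with its label) is a separate privilege from managing content; if postfix_virtual_t has to create a mailbox for a user whose home directory does not exist yet, that now fails regardless of the postfix_*_user_content booleans. Either keep the two home-directory lines unconditional, as the firstboot patch does for userdom_home_filetrans_user_home_dir(), or document that dropping them is intended.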
--
2.13.6

2017-11-20 13:29:59

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 17/19] Make wireshark user content access optional

The wireshark application does not need full manage rights on user
content. Hence, we make these privileges optional through support of the
wireshark_*_user_content booleans.

To allow wireshark to read recorded network traffic, wireshark is
granted read access on the downloads location.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
wireshark.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index 40de930..8bfd5c5 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -102,8 +102,9 @@ miscfiles_read_localization(wireshark_t)

userdom_use_user_terminals(wireshark_t)

-userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
+userdom_user_content_access_template(wireshark, wireshark_t)
+
+xdg_read_downloads(wireshark_t)

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(wireshark_t)
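Review bot: wireshark only gets xdg_read_downloads(wireshark_t), yet the removed userdom_manage_user_home_content_files() also covered saving a capture. With the manage tunable off, "Save As" into the home directory or ~/Downloads is denied, and the dropped userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) means a file saved to ~ with the tunable on no longer gets the home content transition. If saving captures should keep working by default, xdg_manage_downloads() is the better fit; otherwise state the read-only intent in the commit message.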
--
2.13.6

2017-11-20 13:30:00

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 18/19] Make xscreensaver user content access optional

The xscreensaver application currently has the privileges to read user
content, to display images stored in the users' home directory. We now
grant this through xdg_pictures_t access, and make the generic user
content access optional.

Signed-off-by: Sven Vermeulen <[email protected]>
---
xscreensaver.te | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/xscreensaver.te b/xscreensaver.te
index 1f58110..e6f5e64 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
@@ -5,6 +5,13 @@ policy_module(xscreensaver, 1.3.0)
# Declarations
#

+## <desc>
+## <p>
+## Grant the xscreensaver domains read access to generic user content
+## </p>
+## </desc>
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
attribute_role xscreensaver_roles;
attribute_role xscreensaver_helper_roles;
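Review bot: the tunable description says "the xscreensaver domains", but the rules added later in this patch only apply to xscreensaver_t; the helper domain under "Helper local policy" is not touched. Either change the wording to the single domain or apply the tunable to the helper as well.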

@@ -56,11 +63,28 @@ logging_send_syslog_msg(xscreensaver_t)
miscfiles_read_localization(xscreensaver_t)

userdom_use_user_terminals(xscreensaver_t)
-userdom_read_user_home_content_files(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)

xserver_rw_xsession_log(xscreensaver_t)
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)

+tunable_policy(`xscreensaver_read_generic_user_content',`
+ userdom_list_user_tmp(xscreensaver_t)
+ userdom_list_user_home_content(xscreensaver_t)
+ userdom_read_user_home_content_files(xscreensaver_t)
+ userdom_read_user_home_content_symlinks(xscreensaver_t)
+ userdom_read_user_tmp_files(xscreensaver_t)
+',`
+ files_dontaudit_list_home(xscreensaver_t)
+ files_dontaudit_list_tmp(xscreensaver_t)
+
+ userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+ userdom_dontaudit_list_user_tmp(xscreensaver_t)
+ userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+ userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
########################################
#
# Helper local policy
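Review bot: this tunable_policy block is a verbatim copy of the one added to i18n_input.te in patch 12, and it grants more than the removed userdom_read_user_home_content_files(xscreensaver_t) line (user tmp listing and reading, home content symlinks) under a boolean that defaults to true. Since the rest of this series already uses userdom_user_content_access_template() for exactly this pattern, call it here with the xscreensaver prefix instead of hand-rolling the block; if the template is avoided because it also generates manage booleans, say so in the commit message.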
--
2.13.6

2017-11-20 13:30:01

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 19/19] Switch syncthing to XDG config types and make user content access optional

The syncthing application can, but does not have to, be used for
synchronizing end user data. Hence, the user data access is made
optional through the support of the syncthing_*_user_content booleans.

Also, the syncthing_config_home_t type is renamed to
syncthing_xdg_config_t to be aligned with the XDG setup. An alias
is put in place to allow for a transitional period before
syncthing_config_home_t is completely phased out.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <[email protected]>
---
syncthing.fc | 2 +-
syncthing.if | 8 ++++----
syncthing.te | 19 ++++++++-----------
3 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/syncthing.fc b/syncthing.fc
index 4f7f53e..e95b451 100644
--- a/syncthing.fc
+++ b/syncthing.fc
@@ -1,3 +1,3 @@
/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)

-HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_config_home_t,s0)
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_xdg_config_t,s0)
diff --git a/syncthing.if b/syncthing.if
index 065800a..2c0eb24 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -18,14 +18,14 @@
interface(`syncthing_role', `
gen_require(`
attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
')

roleattribute $1 syncthing_roles;

domtrans_pattern($2, syncthing_exec_t, syncthing_t)

- allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 syncthing_xdg_config_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_xdg_config_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')
diff --git a/syncthing.te b/syncthing.te
index 92d0bf5..e267575 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -13,8 +13,8 @@ type syncthing_exec_t;
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)

-type syncthing_config_home_t;
-userdom_user_home_content(syncthing_config_home_t)
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)

########################################
#
@@ -27,9 +27,10 @@ allow syncthing_t self:tcp_socket { listen accept };

can_exec(syncthing_t, syncthing_exec_t)

-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)

kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
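Review bot: xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir) is called without a name argument, unlike xdg_cache_filetrans(thunderbird_t, thunderbird_xdg_cache_t, dir, "thunderbird") in patch 8 and the userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing") line this patch removes further down. Without the name, every directory syncthing_t creates under ~/.config would be labelled syncthing_xdg_config_t; pass "syncthing" so only ~/.config/syncthing transitions.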
@@ -58,13 +59,9 @@ auth_use_nsswitch(syncthing_t)
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+userdom_user_content_access_template(syncthing_t)
+
userdom_use_user_terminals(syncthing_t)
-# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

optional_policy(`
# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
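Review bot: userdom_user_content_access_template(syncthing_t) is called with a single argument, whereas every other caller in this series passes a prefix and a domain (for example userdom_user_content_access_template(irc, irc_t)). As written, the template would take syncthing_t as the boolean prefix and have no domain to apply the rules to, so the syncthing_*_user_content booleans named in the commit message are not produced; this should read userdom_user_content_access_template(syncthing, syncthing_t). The removed userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir) also has no replacement, so a synchronised folder created directly in the home directory no longer gets the home content transition.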
--
2.13.6