2012-10-03 15:12:35

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module

The below is ported from Fedora with (considerable) changes.

The changes are pretty far-reaching and so I would like comments on them.

Some of the changes are:

Creating new types for ~/.cache, ~/.config, ~/.local/share and various generic gstreamer content (see the HOME_DIR file contexts).
These types aren't specific to gnome, but Fedora treats the gnome module as if it were a module for any desktop environment.

The config, cache and data types are from the freedesktop specification and are used by any desktop (at least that is the idea behind this standard).
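As an added illustration (not part of the original post or of the patch): a small Python matcher that applies the HOME_DIR entries from the gnome.fc hunk below to sample paths with the last-match-wins rule used for file_contexts, so you can see which of the new types a path in a home directory would receive. It assumes a catch-all user_home_t entry sorted before the gnome entries, standing in for refpolicy's userdomain file contexts, and a constructed home directory /home/alice.

```python
import re
from typing import List, NamedTuple, Optional

# Sample file_contexts text constructed for this example. The HOME_DIR lines are copied from
# the gnome.fc hunk of the patch; the first line is an assumed stand-in for the generic
# user_home_t catch-all that refpolicy's userdomain module supplies, placed first because a
# sorted file_contexts puts less specific entries earlier and the last matching entry wins.
FC_SAMPLE = r"""
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.grl-bookmarks -- gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.grl-metadata-store -- gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.grl-podcasts -- gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.gstreamer-0\.10(/.)? gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.Xdefaults -- gen_context(system_u:object_r:config_home_t,s0)
"""

# Optional middle column of an fc entry restricts the object class the entry applies to.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
               "-p": "fifo_file", "-b": "blk_file", "-c": "chr_file"}


class FcEntry(NamedTuple):
    regex: str            # pattern as written in the fc file, HOME_DIR not yet expanded
    kind: Optional[str]   # object class the entry is limited to, or None for any class
    setype: str           # the type field of the gen_context()


def parse_fc(text: str) -> List[FcEntry]:
    """Parse fc lines of the form: regex [type-flag] gen_context(...)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, context = parts
            kind = FTYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, context = parts
            kind = None
        else:
            raise ValueError(f"unparseable fc line: {line!r}")
        m = re.search(r"object_r:(\w+),", context)
        if m is None:
            raise ValueError(f"no type in context: {context!r}")
        entries.append(FcEntry(regex, kind, m.group(1)))
    return entries


def label_for(path: str, kind: str, entries: List[FcEntry],
              home: str = "/home/alice") -> Optional[str]:
    """Return the type the last matching entry assigns to path, or None if none matches.

    Patterns are anchored at both ends, as setfiles/matchpathcon anchor them, and entries
    carrying a type flag are skipped when the object is of another class.
    """
    for entry in reversed(entries):
        if entry.kind is not None and entry.kind != kind:
            continue
        pattern = "^" + entry.regex.replace("HOME_DIR", re.escape(home)) + "$"
        if re.match(pattern, path):
            return entry.setype
    return None


def suspicious_patterns(entries: List[FcEntry]) -> List[str]:
    """Flag entries whose optional child group is '(/.)?' rather than '(/.*)?': such an
    entry covers the directory itself and one-character children only."""
    return [e.regex for e in entries if "(/.)?" in e.regex]


ENTRIES = parse_fc(FC_SAMPLE)

if __name__ == "__main__":
    samples = [
        ("/home/alice/.local/share/tracker/meta.db", "file"),
        ("/home/alice/.local/bin/tool", "file"),
        ("/home/alice/.gnome2/keyrings/login.keyring", "file"),
        ("/home/alice/.grl-bookmarks", "dir"),
        ("/home/alice/.gstreamer-0.10", "dir"),
        ("/home/alice/.gstreamer-0.10/registry.bin", "file"),
    ]
    for path, kind in samples:
        print(f"{path:45} {kind:5} -> {label_for(path, kind, ENTRIES)}")
    print("entries with a single-character child group:", suspicious_patterns(ENTRIES))
```

Running it shows that a regular file inside ~/.gstreamer-0.10 falls back to the catch-all type because that entry's suffix group is `(/.)?` rather than `(/.*)?`, while ~/.local/share content gets data_home_t over the broader ~/.local entry.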

This patch also implements a config_usr_t type which is basically for KDE.

The gnome keyring daemon needs to be prefixed since it needs to be able to transition back to the user domain.

Therefore I created a separate gnome_role_template_gkeyringd rather than stuffing it in a generic gnome_role (gconfd and others might not need to be prefixed).

You will notice that I have enclosed plenty of gnome transition interfaces.

I expect that those will be needed (I know they will) and, to make sure they are proper, I decided to create them beforehand.

I also created interfaces that should be called in the user domain, to allow users to create generic gnome content with the proper file transition and to allow them to relabel and manage the content:

gnome_manage_all_generic_home_content
gnome_relabel_all_generic_home_content
gnome_filetrans_all_generic_home

These are supposed to end up in the userdom_manage_home_role (in an optional policy block).

There is also an interface that allows callers to execute all generic gnome home files (this should be added to the userdom_exec_home_files interface so that this can be allowed conditionally).

The policy builds, and allows users calling gnome_role_template_gkeyringd to domain transition (both via their session bus type or userdomain type).

By calling the gnome_role_template_gkeyringd you will depend on the dbus role (it needs to be nested in the dbus_role_template). Example:

optional_policy(`
	dbus_role_template(user, user_r, user_t)

	optional_policy(`
		gnome_role_template_gkeyringd(user, user_r, user_t)
	')

	optional_policy(`
		wm_role_template(user, user_r, user_t)
	')
')

There is one big difference between Fedora and refpolicy. Fedora wants SELinux to make unconfined users run their dbus session in the unconfined_dbusd_t domain.
Refpolicy allows unconfined users to run their dbus session in the unconfined_t domain.

I favor refpolicy's solution, as I believe that ideally unconfined_t should never transition out of unconfined_t. (The argument that unconfined_t needs to transition in order to be able to create files with the proper type is no longer valid since we now have named file transitions.)

I think Fedora also wants SELinux to make xdm run its dbus session in the xdm_dbusd_t session bus type (not sure); I think that would be a bad idea as well.

Anyway, the policy builds and it installs; I did some basic checks and it works as expected as far as I have tested.

But I know from experience that it *might* get ugly (I think dwalsh might understand what I am talking about).

Nonetheless, sooner or later we will have to confront it, so it might as well be now.

I just want to throw this in the group because I still hope one day we are all on the same page when it comes to dealing with issues that this patch aims to deal with.

diff --git a/gnome.fc b/gnome.fc
index 00a19e3..a8580f1 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,9 +1,27 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
+HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.grl-bookmarks -- gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-metadata-store -- gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-podcasts -- gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-0\.10(/.)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.Xdefaults -- gen_context(system_u:object_r:config_home_t,s0)

-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)

/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)

-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
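Review bot: the `.gstreamer-0.10` entry, `HOME_DIR/\.gstreamer-0\.10(/.)?`, is missing the `*` in its suffix group, so it matches only the directory itself and single-character children; the registry and other files inside it would fall through to the generic home type instead of `gstreamer_home_t`. It should read `HOME_DIR/\.gstreamer-0\.10(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)` like the other directory entries. Also worth a second look: `HOME_DIR/\.local(/.*)?` is labelled `gconf_home_t` with only `.local/share` getting `data_home_t`; if reusing the gconf type for `~/.local` is intended, a comment saying so would stop the next reader from taking it for a typo.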
diff --git a/gnome.if b/gnome.if
index f5afe78..f8a96df 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,44 +1,271 @@
-## <summary>GNU network object model environment (GNOME)</summary>
+## <summary>GNU network object model environment.</summary>

-############################################################
+########################################
## <summary>
-## Role access for gnome
+## Role access for gnome. (Deprecated)
## </summary>
## <param name="role">
## <summary>
-## Role allowed access
+## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
-## User domain for the role
+## User domain for the role.
## </summary>
## </param>
#
interface(`gnome_role',`
- gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
- ')
-
- role $1 types gconfd_t;
-
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
-
- ps_process_pattern($2, gconfd_t)
-
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
+ refpolicywarn(`$0($*) has been deprecated, use gnome_role_gconfd() instead.')
+ gnome_role_gconfd($1, $2)
')

########################################
## <summary>
-## Execute gconf programs in
-## in the caller domain.
+## Role access for gconfd.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`gnome_role_gconfd',`
+ gen_require(`
+ attribute_role gconfd_roles;
+ type gconfd_t, gconfd_exec_t, gconf_tmp_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 gconfd_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, gconfd_exec_t, gconfd_t)
+
+ allow $2 gconfd_t:process { ptrace signal_perms };
+ ps_process_pattern($2, gconfd_t)
+')
+
+#######################################
+## <summary>
+## The role template for gnome keyringd.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_role_template_gkeyringd',`
+ gen_require(`
+ attribute gnomedomain, gkeyringd_domain;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
+ userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ domain_user_exemption_target($1_gkeyringd_t)
+
+ role $2 types $1_gkeyringd_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+
+ allow $3 gnome_keyring_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gnome_keyring_home_t:file { relabel_file_perms manage_file_perms };
+
+ allow $3 gnome_keyring_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
+ ps_process_pattern($3, $1_gkeyringd_t)
+ allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+
+ corecmd_bin_domtrans($1_gkeyringd_t, $3)
+ corecmd_shell_domtrans($1_gkeyringd_t, $3)
+
+ gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+
+ gnome_stream_connect_gkeyringd($1, $3)
+
+ optional_policy(`
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_bus_client($1, $1_gkeyringd_t)
+
+ gnome_dbus_chat_gkeyringd($1, $3)
+ ')
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## all generic gnome user home content.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`gnome_manage_all_generic_home_content',`
+ gen_require(`
+ type cache_home_t, config_home_t, data_home_t;
+ type gconf_home_t, gnome_home_t, gstreamer_home_t;
+ ')
+
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:dir manage_dir_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:file manage_file_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:lnk_file manage_lnk_file_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:sock_file manage_sock_file_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:fifo_file manage_fifo_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ fs_manage_nfs_named_sockets($1)
+ fs_manage_nfs_named_pipes($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ fs_manage_cifs_symlinks($1)
+ fs_manage_cifs_named_sockets($1)
+ fs_manage_cifs_named_pipes($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Relabel all generic gnome user
+## home content.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`gnome_relabel_all_generic_home_content',`
+ gen_require(`
+ type cache_home_t, config_home_t, data_home_t;
+ type gconf_home_t, gnome_home_t, gstreamer_home_t;
+ ')
+
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:dir relabel_dir_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:file relabel_file_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:lnk_file relabel_lnk_file_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:sock_file relabel_sock_file_perms;
+ allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:fifo_file relabel_fifo_file_perms;
+')
+
+#######################################
+## <summary>
+## Create objects in user home
+## directories with the generic all
+## generic home types.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`gnome_filetrans_all_generic_home',`
+ gen_require(`
+ type cache_home_t, config_home_t, data_home_t;
+ type gconf_home_t, gnome_home_t, gstreamer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2_private")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+')
+
+########################################
+## <summary>
+## Execute all generic gnome generic
+## user home files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gnome_exec_all_generic_home_files',`
+ gen_require(`
+ type cache_home_t, config_home_t, data_home_t;
+ type gconf_home_t, gnome_home_t, gstreamer_home_t;
+ ')
+
+ userdom_search_user_home_dir($1)
+ exec_files_pattern($1, { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t gstreamer_home_t }, { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t gstreamer_home_t })
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute gconf in the caller domain.
## </summary>
## <param name="domain">
## <summary>
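Review bot: `gnome_manage_all_generic_home_content` and `gnome_relabel_all_generic_home_content` both require `gstreamer_home_t` but leave it out of the `{ cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }` sets in their allow rules, while `gnome_exec_all_generic_home_files` and the fc file do treat it as generic home content; either add it to the sets in both interfaces or drop it from their `gen_require`. Two smaller points in the same hunk: `gnome_role_template_gkeyringd` grants the user domain `ptrace` over `$1_gkeyringd_t`, which lets the user domain read the memory of the process that holds the unlocked keyrings and so gives back much of what the separate domain was meant to take away, so consider `signal_perms` plus `ps_process_pattern` alone for this daemon; and the summaries "with the generic all generic home types" and "Execute all generic gnome generic user home files" each have a doubled word.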
@@ -51,20 +278,64 @@
type gconfd_exec_t;
')

+ corecmd_search_bin($1)
can_exec($1, gconfd_exec_t)
')

-########################################
+######################################
## <summary>
-## Read gconf config files.
+## Read gnome config user content.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_gconf_config',`
+interface(`gnome_read_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, config_usr_t, config_usr_t)
+ read_files_pattern($1, config_usr_t, config_usr_t)
+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## gnome config user content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_usr_config',`
+ gen_require(`
+ type config_usr_t;
+ ')
+
+ files_search_usr($1)
+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
+ manage_files_pattern($1, config_usr_t, config_usr_t)
+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+## <summary>
+## Read gconf configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_config',`
gen_require(`
type gconf_etc_t;
')
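Review bot: the summaries "Read gnome config user content" and "Create, read, write, and delete gnome config user content" read as if they covered per-user content, but `config_usr_t` is the label for `/usr/share/config`; wording such as "Read generic config content in /usr (config_usr_t)" would make the scope clear, which matters because `gnome_manage_usr_config` hands out write access to a system-wide directory rather than to a home directory.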
@@ -76,7 +347,8 @@

#######################################
## <summary>
-## Create, read, write, and delete gconf config files.
+## Create, read, write, and delete
+## gconf configuration files.
## </summary>
## <param name="domain">
## <summary>
@@ -95,9 +367,10 @@

########################################
## <summary>
-## gconf connection template.
+## Connect to gconf using a unix
+## domain stream socket.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -108,8 +381,8 @@
type gconfd_t, gconf_tmp_t;
')

- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
+ files_search_tmp($1)
+ stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
')

########################################
@@ -118,7 +391,7 @@
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
@@ -127,12 +400,32 @@
type gconfd_t, gconfd_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
-## Set attributes of Gnome config dirs.
+## Create generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ allow $1 gnome_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of generic gnome
+## user home directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
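Review bot: `gnome_create_generic_home_dirs` allows `create_dir_perms` on `gnome_home_t` but, unlike the read, manage and search interfaces in this patch, does not call `userdom_search_user_home_dirs($1)`, so a caller with no other home-directory search access cannot reach the parent directory to create anything; the same applies to the `gnome_create_generic_{cache,config,data,gconf,gstreamer}_home_dirs` interfaces in the next hunk. Either add the search call or state in the summary that the caller is expected to have it.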
@@ -141,50 +434,1032 @@
## </param>
#
interface(`gnome_setattr_config_dirs',`
- gen_require(`
- type gnome_home_t;
- ')
-
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
- files_search_home($1)
+ refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
+ gnome_setattr_generic_home_dirs($1)
')

########################################
## <summary>
-## Read gnome homedir content (.config)
+## Set attributes of generic gnome
+## user home directories.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_config',`
+interface(`gnome_setattr_generic_home_dirs',`
gen_require(`
type gnome_home_t;
')

- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+ userdom_search_user_home_dirs($1)
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
')

########################################
## <summary>
-## manage gnome homedir content (.config)
+## Read generic gnome user home content. (Deprecated)
## </summary>
-## <param name="user_domain">
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_config',`
+ refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
+ gnome_read_generic_home_content($1)
+')
+
+########################################
+## <summary>
+## Read generic gnome home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_home_content',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir list_dir_perms;
+ allow $1 gnome_home_t:file read_file_perms;
+ allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
+ allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
+ allow $1 gnome_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gnome user home content. (Deprecated)
+## </summary>
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_config',`
+ refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
+ gnome_manage_generic_home_content($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gnome home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_content',`
gen_require(`
type gnome_home_t;
')

+ userdom_search_user_home_dirs($1)
allow $1 gnome_home_t:dir manage_dir_perms;
allow $1 gnome_home_t:file manage_file_perms;
+ allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_home',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in gnome user home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans',`
+ gen_require(`
+ type gnome_home_t, config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, gnome_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create generic cache home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_cache_home_dirs',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ allow $1 cache_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic cache home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_cache_home_content',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 cache_home_t:dir list_dir_perms;
+ allow $1 cache_home_t:file read_file_perms;
+ allow $1 cache_home_t:fifo_file read_fifo_file_perms;
+ allow $1 cache_home_t:lnk_file read_lnk_file_perms;
+ allow $1 cache_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic cache home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_cache_home_content',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 cache_home_t:dir manage_dir_perms;
+ allow $1 cache_home_t:file manage_file_perms;
+ allow $1 cache_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 cache_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 cache_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic cache home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_cache_home',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 cache_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic cache
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_cache_home',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, cache_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create generic config home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_config_home_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Create generic config home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_config_home_files',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ allow $1 config_home_t:file create_files_perms;
+')
+
+########################################
+## <summary>
+## Read generic config home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_config_home_content',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 config_home_t:dir list_dir_perms;
+ allow $1 config_home_t:file read_file_perms;
+ allow $1 config_home_t:fifo_file read_fifo_file_perms;
+ allow $1 config_home_t:lnk_file read_lnk_file_perms;
+ allow $1 config_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic config home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_config_home_content',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 config_home_t:dir manage_dir_perms;
+ allow $1 config_home_t:file manage_file_perms;
+ allow $1 config_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 config_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 config_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic config home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_config_home',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 config_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic config
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_config_home',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, config_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create generic data home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_data_home_dirs',`
+ gen_require(`
+ type data_home_t;
+ ')
+
+ allow $1 data_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic data home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_data_home_content',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ allow $1 data_home_t:file read_file_perms;
+ allow $1 data_home_t:fifo_file read_fifo_file_perms;
+ allow $1 data_home_t:lnk_file read_lnk_file_perms;
+ allow $1 data_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic data home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_data_home_content',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ allow $1 data_home_t:dir manage_dir_perms;
+ allow $1 data_home_t:file manage_file_perms;
+ allow $1 data_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 data_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 data_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic data home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_data_home',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic data
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_data_home',`
+ gen_require(`
+ type data_home_t;
+ ')
+
+ gnome_gconf_home_filetrans($1, data_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create generic gconf home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_gconf_home_dirs',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic gconf home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_gconf_home_content',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 gconf_home_t:file read_file_perms;
+ allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
+ allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
+ allow $1 gconf_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gconf home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_gconf_home_content',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir manage_dir_perms;
+ allow $1 gconf_home_t:file manage_file_perms;
+ allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic gconf home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_gconf_home',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic gconf
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gconf_home',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic gnome
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gnome_home',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create generic gstreamer home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_gstreamer_home_dirs',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ allow $1 gstreamer_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Create generic gstreamer home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_gstreamer_home_files',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ allow $1 gstreamer_home_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Read generic gstreamer home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_gstreamer_home_content',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gstreamer_home_t:dir list_dir_perms;
+ allow $1 gstreamer_home_t:file read_file_perms;
+ allow $1 gstreamer_home_t:fifo_file read_fifo_file_perms;
+ allow $1 gstreamer_home_t:lnk_file read_lnk_file_perms;
+ allow $1 gstreamer_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gstreamer home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_gstreamer_home_content',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gstreamer_home_t:dir manage_dir_perms;
+ allow $1 gstreamer_home_t:file manage_file_perms;
+ allow $1 gstreamer_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 gstreamer_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gstreamer_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic gstreamer home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_gstreamer_home',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gstreamer_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic gstreamer
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gstreamer_home',`
+ gen_require(`
+ type gstreamer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in gnome cache home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_cache_home_filetrans',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create objects in gnome config home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_config_home_filetrans',`
+ gen_require(`
+ type config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create objects in gnome data home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_data_home_filetrans',`
+ gen_require(`
+ type data_home_t, gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create objects in gnome gconf home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_gconf_home_filetrans',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnome keyring daemon over dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_gkeyringd_t:dbus send_msg;
+ allow $1_gkeyringd_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from all
+## gnome keyring daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to gnome keyring daemon
+## with a unix stream socket.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ ')
+
+ files_search_tmp($2)
+ stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+')
+
+########################################
+## <summary>
+## Connect to all gnome keyring daemon
+## with a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gnome_keyring_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
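Review bot: gnome_create_generic_gconf_home_dirs, gnome_create_generic_gstreamer_home_dirs and gnome_create_generic_gstreamer_home_files grant create_dir_perms/create_file_perms without the userdom_search_user_home_dirs($1) call that every other interface in this hunk makes, so a caller that uses only one of them cannot reach the home directory it is allowed to create in; either add the search call or state in the summary that they are meant to be paired with one of the filetrans interfaces. Minor: the summaries of gnome_dbus_chat_all_gkeyringd and gnome_stream_connect_all_gkeyringd should read "all gnome keyring daemons".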
diff --git a/gnome.te b/gnome.te
index 783c5fb..72fcc0c 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,11 +1,25 @@
-policy_module(gnome, 2.2.0)
+policy_module(gnome, 2.2.2)

##############################
#
# Declarations
#

+attribute gkeyringd_domain;
attribute gnomedomain;
+attribute_role gconfd_roles;
+
+type cache_home_t;
+userdom_user_home_content(cache_home_t)
+
+type config_home_t;
+userdom_user_home_content(config_home_t)
+
+type config_usr_t;
+files_type(config_usr_t)
+
+type data_home_t;
+userdom_user_home_content(data_home_t)

type gconf_etc_t;
files_config_file(gconf_etc_t)
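Review bot: policy_module(gnome, 2.2.2) jumps two steps from 2.2.0; refpolicy bumps the last component by one per applied patch, so this should be 2.2.1 unless a separate intermediate revision is being merged at the same time. Also, config_usr_t is declared with files_type() but no rule in the gnome.te hunks of this patch references it; if its rules and file contexts live elsewhere, mention that in the description so reviewers can find them.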
@@ -27,6 +41,7 @@
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
+role gconfd_roles types gconfd_t;

type gnome_home_t;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
@@ -34,13 +49,45 @@
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)

+type gkeyringd_exec_t;
+application_executable_file(gkeyringd_exec_t)
+
+type gnome_keyring_home_t;
+userdom_user_home_content(gnome_keyring_home_t)
+
+type gnome_keyring_tmp_t;
+userdom_user_tmp_file(gnome_keyring_tmp_t)
+
+type gstreamer_home_t;
+userdom_user_home_content(gstreamer_home_t)
+
##############################
#
-# Local Policy
+# Common local Policy
#

-allow gconfd_t self:process getsched;
-allow gconfd_t self:fifo_file rw_fifo_file_perms;
+allow gnomedomain self:process { getsched signal };
+allow gnomedomain self:fifo_file rw_fifo_file_perms;
+
+dev_read_urand(gconfd_t)
+
+domain_use_interactive_fds(gnomedomain)
+
+files_read_etc_files(gnomedomain)
+
+miscfiles_read_localization(gnomedomain)
+
+logging_send_syslog_msg(gnomedomain)
+
+userdom_use_user_terminals(gnomedomain)
+
+##############################
+#
+# Gconf local Policy
+#
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)

manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
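Review bot: dev_read_urand(gconfd_t) is placed in the "Common local Policy" block, where every neighbouring rule targets gnomedomain; either change the subject to gnomedomain like the other rules that were moved here, or move the line down into the Gconf section, otherwise the block's heading misleads. Declaration order: gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t and gstreamer_home_t are appended after gnome_home_t, but refpolicy keeps type declarations alphabetical, so gkeyringd_exec_t belongs before gnome_home_t (and the two section headings would normally be "Common local policy" and "Gconf local policy").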
@@ -50,18 +97,6 @@
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })

-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
-
-dev_read_urand(gconfd_t)
-
-files_read_etc_files(gconfd_t)
-
-miscfiles_read_localization(gconfd_t)
-
-logging_send_syslog_msg(gconfd_t)
-
-userdom_manage_user_tmp_sockets(gconfd_t)
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
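Review bot: userdom_manage_user_tmp_sockets(gconfd_t) is removed here and nothing in this patch replaces it; the other removed lines reappear in the common block with gnomedomain as subject, but this one simply vanishes, so gconfd_t silently loses manage access to user tmp sock_files. If the drop is intentional (gconfd no longer creates sockets in /tmp), say so in the description; otherwise re-add it in the Gconf section.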

@@ -73,3 +108,50 @@
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
+
+##############################
+#
+# Gkeyring-daemon local policy
+#
+
+allow gkeyringd_domain self:capability ipc_lock;
+allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
+
+manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+
+manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+
+kernel_read_system_state(gkeyringd_domain)
+kernel_read_crypto_sysctls(gkeyringd_domain)
+
+dev_read_rand(gkeyringd_domain)
+dev_read_sysfs(gkeyringd_domain)
+
+files_read_usr_files(gkeyringd_domain)
+
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
+
+selinux_getattr_fs(gkeyringd_domain)
+
+optional_policy(`
+ gnome_create_generic_home_dirs(gkeyringd_domain)
+ gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+')
+
+optional_policy(`
+ ssh_read_user_home_files(gkeyringd_domain)
+')
+
+optional_policy(`
+ telepathy_mission_control_read_state(gkeyringd_domain)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gkeyringd_domain)
+')
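Review bot: the optional_policy block wrapping gnome_create_generic_home_dirs(gkeyringd_domain) and gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") calls this module's own interfaces from gnome.te; the gnome module is by definition present when gnome.te is compiled, so the optional_policy wrapper is redundant, and refpolicy style is to write the rules directly (create_dirs_pattern on gnome_home_t plus userdom_user_home_dir_filetrans) rather than go through the module's own interfaces. The self:capability ipc_lock grant to gkeyringd_domain deserves a one-line comment (memory locking of secrets) so the next reader does not take it for a leftover.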


2012-10-03 15:28:24

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Wed, 2012-10-03 at 17:12 +0200, Dominick Grift wrote:

> +#######################################
> +## <summary>
> +## Create, read, write, and delete
> +## all generic gnome user home content.
> +## </summary>
> +## <param name="user_domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolebase/>
> +#
> +interface(`gnome_manage_all_generic_home_content',`
> + gen_require(`
> + type cache_home_t, config_home_t, data_home_t;
> + type gconf_home_t, gnome_home_t, gstreamer_home_t;
> + ')
> +
> + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:dir manage_dir_perms;
> + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:file manage_file_perms;
> + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:lnk_file manage_lnk_file_perms;
> + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:sock_file manage_sock_file_perms;
> + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:fifo_file manage_fifo_file_perms;

I added gstreamer_home_t to the above. (I forgot that.)

> + tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs($1)
> + fs_manage_nfs_files($1)
> + fs_manage_nfs_symlinks($1)
> + fs_manage_nfs_named_sockets($1)
> + fs_manage_nfs_named_pipes($1)
> + ')
> +
> + tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs($1)
> + fs_manage_cifs_files($1)
> + fs_manage_cifs_symlinks($1)
> + fs_manage_cifs_named_sockets($1)
> + fs_manage_cifs_named_pipes($1)
> + ')
> +')
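Review bot: the five allow rules repeat the same five-type set while gen_require pulls in six; gstreamer_home_t is missing from every set (as the follow-up above notes), and spelling the set out once per object class is exactly what makes such omissions easy. Assigning an attribute to every generic gnome home type and writing the allow rules against the attribute would let newly added types take part automatically and shrink the interface to one rule per class.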

2012-10-03 15:52:05

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Wed, 2012-10-03 at 17:12 +0200, Dominick Grift wrote:

> +
> +dev_read_urand(gconfd_t)
> +

Bug: I changed that to:

dev_read_urand(gnomedomain)

> +domain_use_interactive_fds(gnomedomain)
> +
> +files_read_etc_files(gnomedomain)
> +
> +miscfiles_read_localization(gnomedomain)
> +
> +logging_send_syslog_msg(gnomedomain)
> +
> +userdom_use_user_terminals(gnomedomain)
> +
> +##############################
> +#
> +# Gconf local Policy
> +#

2012-10-03 18:16:38

by sven.vermeulen

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module

On Wed, Oct 3, 2012 at 5:12 PM, Dominick Grift <[email protected]> wrote:
> Creating new types for ~/.cache, ~/.config, ~/.local/share and various generic gstreamer content (see the HOME_DIR file contexts)
> These types aren't specific to gnome but Fedora treats the gnome module as if it were a module for any desktop environment.
>
> The config, cache and data types are from the freedesktop specification and are used by any desktop (at least that is the idea behind this standard)
[...]

I would rather see them being either separate (like the xdg patches I
suggested twice on the mailing list) or part of userdom. But with great
preference to separate. I don't see a reason to put it in a module
that might not always be loaded, nor am I a proponent of having
modules named one thing and meaning something else (gnome versus "any
desktop related stuff", or apache versus "any web server stuff").

In the XDG policy we use in Gentoo, we have xdg_cache_home_t,
xdg_config_home_t, xdg_data_home_t and xdg_runtime_home_t (for
/run/user/USER stuff). It also supports file transitions for
applications that make specific locations therein (like
~/.config/chromium, ~/.config/epdfview, ...) so as to isolate (confine)
the applications more.

I'm even going as far as providing user location types (that, if the
sysadmin wants, the user can label his content with) for downloads
(xdg_downloads_home_t), documents, music, pictures and videos (I don't
see the need for documents yet, the rest allows me to confine the user
apps pretty well). Of course, not all administrators want this
granularity of MAC so a few booleans suffice to stay with the standard
"all user content" privileges.

Still, I see a definite need for decent user application confinement.
Many attacks are targeting user applications (the browser is one of
the prime examples, but don't forget the adobe flash vulnerabilities
and so on). For browsers alone I am already happy that my browsers
both have their own domain and are not allowed to read any of my files
beyond their own xdg-related locations and, for browser, the
xdg_downloads_home_t stuff.

> I also created interfaces that should be called in the user domain, to allow users to create generic gnome content with the proper file transition and to allow them to relabel and manage the content
>
> gnome_manage_all_generic_home_content
> gnome_relabel_all_generic_home_content
> gnome_filetrans_all_generic_home
>
> These are supposed to end up in the userdom_manage_home_role ( in a optional policy block)

Shouldn't those be "userdom_manage_all_generic_home_content" instead?

Also, I think it would be wise to use an attribute to label the user
home content with, and work on the attribute. Newly created types
(like specific ~/.config/* stuff) can then be marked as such as well
and automatically take part in the privilege setting.

[...]
> There is one big difference between fedora and refpolicy. Fedora wants selinux to make unconfined users run their dbus session in the unconfined_dbusd_t domain.
> Refpolicy allows unconfined users to run their dbus session in the unconfined_t domain
>
> I favor refpolicy's solution as I believe that ideally unconfined_t should never transition out of unconfined_t. (The argument that unconfined_t needs to transition in order to be able to create files with the proper type is no longer valid since we now have named file transitions.)

I find unconfined confusing exactly for that reason: when to
transition away from an unconfined setting? Never seems like a valid
choice (and is at least simple to understand ;-) However, don't mind
me on this part - I do not use unconfined domains.

2012-10-03 22:05:16

by Daniel Walsh

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module


On 10/03/2012 02:16 PM, Sven Vermeulen wrote:

I have no problem going to xdg. We have very few domains that transition out
of unconfined_t. The problem with this is that I often want to provide some
protection for the bulk of users who run with unconfined_t. Currently we try
to add protection to chrome/firefox plugins and thumb_t. Most of the rest are
either historic, to keep labeling correct, or probably not needed.

For Fedora 19 I will make an effort to remove as many as possible.

sesearch -T -s unconfined_t -c process -C | grep -v initrc_t | wc -l
38


2012-10-04 11:01:31

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Wed, 2012-10-03 at 20:16 +0200, Sven Vermeulen wrote:

> In the XDG policy we use in Gentoo, we have xdg_cache_home_t,
> xdg_config_home_t, xdg_data_home_t and xdg_runtime_home_t (for
> /run/user/USER stuff). It also supports file transitions for
> applications that make specific locations therein (like
> ~/.config/chromium, ~/.config/epdfview, ...) as to isolate (confine)
> the applications more.

The $XDG_RUNTIME_DIR is indeed something we need to discuss in my view

Fedora currently labels /run/user type user_tmp_t

This is probably the easiest solution but not the prettiest.

The /run/user/UID directory has various content that used to go into
either $TMP or $HOME

It can be considered the pid dir for users.

Problem with Fedora's solution, I think, is that she just added a file
context spec for it and did not take care of the type transition. Instead
relying on systemd to use setfscreate or reset the file context to what
is specified.

In that light I do not really like that /run/user (root owned) as well
as /run/user/UID (user owned) are labeled user_tmp_t.

I think I would rather prefer something similar to how we deal with user
home dirs.

/home (home_root_t)
/home/USER (user_home_dir_t)

/run/user (home_root_t)
/run/user/UID (user_home_dir_t)

In the current gnome patch however I have totally neglected
XDG_RUNTIME_DIR. Bear in mind that not every system has that variable
set and that various programs and libraries fall back to either $TMP or
$HOME(/\.cache)?

2012-10-04 14:53:24

by Daniel Walsh

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module


On 10/04/2012 07:01 AM, Dominick Grift wrote:
>
>
> On Wed, 2012-10-03 at 20:16 +0200, Sven Vermeulen wrote:
>
>> In the XDG policy we use in Gentoo, we have xdg_cache_home_t,
>> xdg_config_home_t, xdg_data_home_t and xdg_runtime_home_t (for
>> /run/user/USER stuff). It also supports file transitions for applications
>> that make specific locations therein (like ~/.config/chromium,
>> ~/.config/epdfview, ...) as to isolate (confine) the applications more.
>
> The $XDG_RUNTIME_DIR is indeed something we need to discuss in my view
>
> Fedora currently labels /run/user type user_tmp_t
>
> This is probably the easiest solution but not the prettiest.
>
> The /run/user/UID directory has various content that used to go into either
> $TMP or $HOME
>
> It can be considered the pid dir for users.
>
> Problem with Fedora's solution, I think, is that she just added a file
> context spec for it and did not take care of the type transition. Instead
> relying on systemd to use setfscreate or reset the file context to what is
> specified.
>
> In that light I do not really like that /run/user (root owned) as well as
> /run/user/UID (user owned) are labeled user_tmp_t.
>
> I think I would rather prefer something similar to how we deal with user
> home dirs.
>
> /home (home_root_t) /home/USER (user_home_dir_t)
>
> /run/user (home_root_t) /run/user/UID (user_home_dir_t)
>
> In the current gnome patch however I have totally neglected
> XDG_RUNTIME_DIR. Bear in mind that not every system has that variable set
> and that various programs and libraries fall back to either $TMP or
> $HOME(/\.cache)?
>
>
>
That is fine, and something we can try out in Fedora 19.

2012-10-04 15:24:32

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Thu, 2012-10-04 at 10:53 -0400, Daniel J Walsh wrote:

> That is fine, and something we can try out in Fedora 19.

I think we should extend the userdomain policy module to reflect
the freedesktop changes

That means deal appropriately with /run/user/UID, $HOME/.cache,
$HOME/.config and $HOME/.local/share in the userdomain policy module

2012-10-04 17:19:29

by Daniel Walsh

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module


On 10/04/2012 11:24 AM, Dominick Grift wrote:
>
>
> On Thu, 2012-10-04 at 10:53 -0400, Daniel J Walsh wrote:
>
>> That is fine, and something we can try out in Fedora 19.
>
> I think we should extend the userdomain policy module to reflect the
> freedesktop changes
>
> That means deal appropriately with /run/user/UID, $HOME/.cache,
> $HOME/.config and $HOME/.local/share in the userdomain policy module
>
I am fine with this.

Is it enough to just add an equivalence from /run/user -> /home


2012-10-04 17:39:12

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module




> Is it enough to just add an equivalence from /run/user -> /home
>

They have changed from /run/user/USER to /run/user/UID so I do not think
genhomedircon will work (?).

2012-10-04 17:46:25

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Thu, 2012-10-04 at 19:39 +0200, Dominick Grift wrote:
>
>
> > Is it enough to just add an equivalence from /run/user -> /home
> >
>
> They have changed from /run/user/USER to /run/user/UID so I do not think
> genhomedircon will work (?).
>

But anyway, I guess we could do that. I haven't really thought about
that. What do you think would be best?

2012-10-04 19:04:40

by Daniel Walsh

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module


On 10/04/2012 01:46 PM, Dominick Grift wrote:
>
>
> On Thu, 2012-10-04 at 19:39 +0200, Dominick Grift wrote:
>>
>>
>>> Is it enough to just add an equivalence from /run/user -> /home
>>>
>>
>> They have changed from /run/user/USER to /run/user/UID so I do not think
>> genhomedircon will work (?).
>>
>
> But anyway , i guess we could do that. I haven't really thought about that.
> What do you think would be best?
>
>
>

Well also the content in this directory does not match correctly for the file
context.

/run/user/3267/dconf/ versus /home/dwalsh/.config/dconf?

Kerberos keyring is now also there, which used to be labeled user_tmp_t.

Gkeyringd_tmp_t content is there which also used to be in /tmp.

X11-display seems to be moving here also.





2012-10-04 19:30:31

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Thu, 2012-10-04 at 15:04 -0400, Daniel J Walsh wrote:

> >
>
> Well also the content in this directory does not match correctly for the file
> context.
>
> /run/user/3267/dconf/ versus /home/dwalsh/.config/dconf?
>
> Kerberos keyring is there now also there which used to be labeled user_tmp_t.
>
> Gkeyringd_tmp_t content is there which also used to be in /tmp.
>
> X11-display seems to be moving here also.
>

.orc and gvfs match with $HOME.

Nonetheless we should consider things like UBAC, MLS, poly-instantiation
etc.

I know Redhat does not enable UBAC by default but I am pretty sure she
would want this technology to be supported at least in a minimal way (or
let me put it this way: I don't think she would want ubac enablement to
totally break selinux in redhat distros) to give customers the freedom
to enable it if they so desire.

UBAC requires that /run/user/UID has the proper selinux identity set,
else users will not be able to create content in that dir (currently it
is system_u).

But that aside, upstream will have to deal with that, and to diverge
from or ignore upstream would be counterproductive for all parties
involved in the long run.

I think that the current labeling may not be good enough

2012-10-04 21:14:51

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Thu, 2012-10-04 at 21:30 +0200, Dominick Grift wrote:
>
> On Thu, 2012-10-04 at 15:04 -0400, Daniel J Walsh wrote:
>
> > >
> >
> > Well also the content in this directory does not match correctly for the file
> > context.
> >
> > /run/user/3267/dconf/ versus /home/dwalsh/.config/dconf?
> >
> > Kerberos keyring is there now also there which used to be labeled user_tmp_t.
> >
> > Gkeyringd_tmp_t content is there which also used to be in /tmp.
> >
> > X11-display seems to be moving here also.
> >
>
> .orc and gvfs match with $HOME.
>
> Nonetheless we should consider things like UBAC, MLS, poly-instantiation
> etc.
>
> I know Redhat does not enable UBAC by default but I am pretty sure she
> would want this technology to be supported at least in a minimal way (or
> let me put it this way: I don't think she would want ubac enablement to
> totally break selinux in redhat distros) to give customers the freedom
> to enable it if they so desire.
>
> UBAC requires that /run/user/UID has the proper selinux identity set,
> else users will not be able to create content in that dir (currently it
> is system_u).
>
> But that aside, upstream will have to deal with that, and to diverge
> from or ignore upstream would be counterproductive for all parties
> involved in the long run.
>
> I think that the current labeling may not be good enough
>

The above comment of mine was, on second thought, probably an exaggeration.

system_u is ubac exempt and user_tmp_t is, or can easily be made to
support, poly-instantiation.

I guess it could work unless I am overlooking something

>

2012-10-09 13:42:20

by cpebenito

Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module

On 10/04/12 17:14, Dominick Grift wrote:
>
>
> On Thu, 2012-10-04 at 21:30 +0200, Dominick Grift wrote:
>>
>> On Thu, 2012-10-04 at 15:04 -0400, Daniel J Walsh wrote:
>>
>>>>
>>>
>>> Well also the content in this directory does not match correctly for the file
>>> context.
>>>
>>> /run/user/3267/dconf/ versus /home/dwalsh/.config/dconf?
>>>
>>> Kerberos keyring is now also there, which used to be labeled user_tmp_t.
>>>
>>> Gkeyringd_tmp_t content is there which also used to be in /tmp.
>>>
>>> X11-display seems to be moving here also.
>>>
>>
>> .orc and gvfs match with $HOME.
>>
>> Nonetheless we should consider things like UBAC, MLS, poly-instantiation
>> etc.
>>
>> I know Redhat does not enable UBAC by default but I am pretty sure she
>> would want this technology to be supported at least in a minimal way (or
>> let me put it this way: I don't think she would want UBAC enablement to
>> totally break SELinux in Redhat distros) to give customers the freedom
>> to enable it if they so desire.
>>
>> UBAC requires that /run/user/UID has the proper selinux identity set,
>> else users will not be able to create content in that dir (currently it
>> is system_u).
>>
>> But that aside, upstream will have to deal with that and to diverge
>> from, or ignore upstream would be counter productive for all parties
>> involved in the long run.
>>
>> I think that the current labeling may not be good enough.
>>
>
> The above comment of mine was, on second thought, probably an exaggeration.
>
> system_u is UBAC exempt, and user_tmp_t is (or can easily be made to)
> support poly-instantiation.
>
> I guess it could work unless I am overlooking something.

My suspicion is that in the long run genhomedircon would need to be enhanced to support a UID substitution like it has a USER substitution. That would yield the most flexibility. Otherwise, in the meantime, labeling /run/user/ as user_tmp_t would probably work.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-10-09 13:44:50

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module

On 10/04/12 11:24, Dominick Grift wrote:
>
>
> On Thu, 2012-10-04 at 10:53 -0400, Daniel J Walsh wrote:
>
>> That is fine, and something we can try out in Fedora 19.
>
> I think we should extend the userdomain policy module to reflect
> the freedesktop changes.
>
> That means dealing appropriately with /run/user/UID, $HOME/.cache,
> $HOME/.config and $HOME/.local/share in the userdomain policy module.

My understanding is that freedesktop is oriented towards X desktops, so it would seem that enhancing xserver_role() would be more appropriate.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-10-09 13:52:36

by dominick.grift

[permalink] [raw]
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module



On Tue, 2012-10-09 at 09:44 -0400, Christopher J. PeBenito wrote:
> On 10/04/12 11:24, Dominick Grift wrote:
> >
> >
> > On Thu, 2012-10-04 at 10:53 -0400, Daniel J Walsh wrote:
> >
> >> That is fine, and something we can try out in Fedora 19.
> >
> > I think we should extend the userdomain policy module to reflect
> > the freedesktop changes.
> >
> > That means dealing appropriately with /run/user/UID, $HOME/.cache,
> > $HOME/.config and $HOME/.local/share in the userdomain policy module.
>
> My understanding is that freedesktop is oriented towards X desktops, so it would seem that enhancing xserver_role() would be more appropriate.
>

More (or less) specifically "free desktops".

The problem is that, for example, the XDG runtime dir is always created,
whether you have xserver installed or not.

So then you will depend on the xserver policy for proper labeling.

That is assuming that we implement a user_runtime_t, which is another
thing we need to consider:

What to label /run/user and /run/user/UID? (Fedora has /run/user(/.*)?
user_tmp_t)

2012-10-09 14:02:25

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module

On 10/09/12 09:52, Dominick Grift wrote:
>
>
> On Tue, 2012-10-09 at 09:44 -0400, Christopher J. PeBenito wrote:
>> On 10/04/12 11:24, Dominick Grift wrote:
>>>
>>>
>>> On Thu, 2012-10-04 at 10:53 -0400, Daniel J Walsh wrote:
>>>
>>>> That is fine, and something we can try out in Fedora 19.
>>>
>>> I think we should extend the userdomain policy module to reflect
>>> the freedesktop changes.
>>>
>>> That means dealing appropriately with /run/user/UID, $HOME/.cache,
>>> $HOME/.config and $HOME/.local/share in the userdomain policy module.
>>
>> My understanding is that freedesktop is oriented towards X desktops, so it would seem that enhancing xserver_role() would be more appropriate.
>>
>
> More (or less) specifically "free desktops".
>
> The problem is that, for example, the XDG runtime dir is always created,
> whether you have xserver installed or not.
>
> So then you will depend on the xserver policy for proper labeling.
>
> That is assuming that we implement a user_runtime_t, which is another
> thing we need to consider:
>
> What to label /run/user and /run/user/UID? (Fedora has /run/user(/.*)?
> user_tmp_t)

user_tmp_t, as I said in my other email in this thread.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
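The two points Chris makes in this thread (a genhomedircon UID substitution, and labeling /run/user as user_tmp_t in the meantime) modelled as an added example, not code from the thread or from refpolicy: a small Python imitation of file_contexts expansion and lookup. It assumes a constructed file_contexts fragment, a constructed user table, an assumed type name config_home_t for the ~/.config type (not shown on this page), and a hypothetical UID substitution that genhomedircon does not actually have.

```python
import re

# Constructed, simplified file_contexts fragment (contexts already in
# user:role:type:level form; the optional file-type column is omitted).
# HOME_DIR and USER are substitutions genhomedircon really performs.
# UID is the hypothetical substitution proposed in the thread; genhomedircon
# does not do it today. config_home_t is an assumed name for the ~/.config
# type and is not taken from this page.
TEMPLATE_FC = r"""
/.*                        system_u:object_r:default_t:s0
/run/user(/.*)?            system_u:object_r:user_tmp_t:s0
HOME_DIR(/.*)?             system_u:object_r:user_home_t:s0
HOME_DIR/\.config(/.*)?    system_u:object_r:config_home_t:s0
/run/user/UID/keyring-.*   system_u:object_r:gkeyringd_tmp_t:s0
"""

# Constructed user table: (login, home directory, uid, SELinux user)
USERS = [("dwalsh", "/home/dwalsh", 3267, "user_u")]

SUBST = ("HOME_DIR", "USER", "UID")

def expand(template, users):
    """Expand per-user placeholders into concrete entries, keeping file order.

    As genhomedircon does for HOME_DIR entries, an entry with a placeholder is
    emitted once per user and carries that user's SELinux identity instead of
    system_u; with UBAC that identity is what lets the user create content.
    """
    specs = []
    for line in template.strip().splitlines():
        regex, ctx = line.split()
        if not any(k in regex for k in SUBST):
            specs.append((regex, ctx))
            continue
        for login, home, uid, seuser in users:
            r = regex.replace("HOME_DIR", re.escape(home))
            r = r.replace("USER", login).replace("UID", str(uid))
            specs.append((r, ctx.replace("system_u", seuser, 1)))
    return specs

def lookup(specs, path):
    """Return the context for path using the last-matching-entry rule."""
    for regex, ctx in reversed(specs):
        if re.fullmatch(regex, path):
            return ctx
    return None

if __name__ == "__main__":
    specs = expand(TEMPLATE_FC, USERS)
    for p in ("/home/dwalsh/.config/dconf", "/run/user/3267/dconf",
              "/run/user/3267/keyring-x"):
        print(p, "->", lookup(specs, p))
```

With only the /run/user(/.*)? entry, /run/user/3267/dconf resolves to system_u:object_r:user_tmp_t:s0 (system_u, hence UBAC exempt), while the per-user expanded entries carry the user's own identity.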