From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 4 Sep 2011 14:13:03 +0200
Subject: [refpolicy] [PATCH/RFC 1/4] Introduce xdg types
In-Reply-To: <20110904121223.GA11390@siphos.be>
References: <20110904121223.GA11390@siphos.be>
Message-ID: <20110904121302.GB11390@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The XDG Base Directory specification is an open specification for
dealing with user data in a desktop environment. It is published on
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
and in use by many applications.

In this patch, we introduce the xdg-specific types and give the standard
interfaces for dealing with these types.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/xdg.fc |    3 +
 policy/modules/system/xdg.if |  172 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/xdg.te |   15 ++++
 3 files changed, 190 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/system/xdg.fc
 create mode 100644 policy/modules/system/xdg.if
 create mode 100644 policy/modules/system/xdg.te

diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
new file mode 100644
index 0000000..44dc42e
--- /dev/null
+++ b/policy/modules/system/xdg.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.cache(/.*)?		gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:xdg_data_home_t,s0)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
new file mode 100644
index 0000000..f844f10
--- /dev/null
+++ b/policy/modules/system/xdg.if
@@ -0,0 +1,172 @@
+## <summary>Policy for xdg desktop standard</summary>
+
+#######################################
+## <summary>
+##   Allow the userdomain full administrative rights on the xdg_* locations
+## </summary>
+## <param name="userdomain">
+##	<summary>
+##	The user domain
+##	</summary>
+## </param>
+## <rolebase/>
+#
+interface(`xdg_admin',`
+	gen_require(`
+		type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
+	')
+
+	# full control over the xdg_* directories
+	manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+	manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+	manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+## <summary>
+##	Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_cache_home',`
+	gen_require(`
+		type xdg_cache_home_t;	
+	')
+
+	manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+## <summary>
+##	Read the xdg cache home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_cache_home',`
+	gen_require(`
+		type xdg_cache_home_t;	
+		type user_home_dir_t;
+	')
+
+	list_dirs_pattern($1, user_home_dir_t, xdg_cache_home_t)
+	read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+## <summary>
+##	Manage the xdg config home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_config_home',`
+	gen_require(`
+		type xdg_config_home_t;	
+	')
+
+	manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+## <summary>
+##	Read the xdg config home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_config_home',`
+	gen_require(`
+		type xdg_config_home_t;	
+		type user_home_dir_t;
+	')
+
+	list_dirs_pattern($1, user_home_dir_t, xdg_config_home_t)
+	read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+## <summary>
+##	Manage the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_data_home',`
+	gen_require(`
+		type xdg_data_home_t;	
+	')
+
+	manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+## <summary>
+##	Read the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_data_home',`
+	gen_require(`
+		type xdg_data_home_t;	
+		type user_home_dir_t;
+		type user_home_t;
+	')
+
+	search_dirs_pattern($1, user_home_dir_t, user_home_t)
+	list_dirs_pattern($1, user_home_t, xdg_data_home_t)
+	read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te
new file mode 100644
index 0000000..3b9b0d9
--- /dev/null
+++ b/policy/modules/system/xdg.te
@@ -0,0 +1,15 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+type xdg_data_home_t;
+userdom_user_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+userdom_user_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+userdom_user_home_content(xdg_cache_home_t)
+
-- 
1.7.3.4