From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 14 Sep 2011 08:24:19 -0400 Subject: [refpolicy] [PATCH/RFC 1/4] Introduce xdg types In-Reply-To: <20110904121302.GB11390@siphos.be> References: <20110904121223.GA11390@siphos.be> <20110904121302.GB11390@siphos.be> Message-ID: <4E709CF3.7010305@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/04/11 08:13, Sven Vermeulen wrote: > The XDG Base Directory specification is an open specification for > dealing with user data in a desktop environment. It is published on > http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html > and in use by many applications. > > In this patch, we introduce the xdg-specific types and give the standard > interfaces for dealing with these types. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/system/xdg.fc | 3 + > policy/modules/system/xdg.if | 172 ++++++++++++++++++++++++++++++++++++++++++ > policy/modules/system/xdg.te | 15 ++++ > 3 files changed, 190 insertions(+), 0 deletions(-) > create mode 100644 policy/modules/system/xdg.fc > create mode 100644 policy/modules/system/xdg.if > create mode 100644 policy/modules/system/xdg.te > > diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc > new file mode 100644 > index 0000000..44dc42e > --- /dev/null > +++ b/policy/modules/system/xdg.fc > @@ -0,0 +1,3 @@ > +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0) > +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0) > +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0) This seems to make sense, though I'm not sure it needs to be its own module. > diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if > new file mode 100644 > index 0000000..f844f10 > --- /dev/null > +++ b/policy/modules/system/xdg.if > @@ -0,0 +1,172 @@ > +## Policy for xdg desktop standard > + > +####################################### > +## > +## Allow the userdomain full administrative rights on the xdg_* locations > +## > +## > +## > +## The user domain > +## > +## > +## > +# > +interface(`xdg_admin',` > + gen_require(` > + type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t; > + ') > + > + # full control over the xdg_* directories > + manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + > + manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + > + manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > +') Use admin_pattern() -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com