From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 3 Oct 2011 21:46:53 +0200 Subject: [refpolicy] [PATCH 1/4] Introduce xdg types In-Reply-To: <20111003194606.GA7129@siphos.be> References: <20111003194606.GA7129@siphos.be> Message-ID: <20111003194653.GB7129@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The XDG Base Directory specification is an open specification for dealing with user data in a desktop environment. It is published on http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html and in use by many applications. In this patch, we introduce the xdg-specific types and give the standard interfaces for dealing with these types. I opted for a separate module instead of userdomain since it is targeting desktop users more than servers. Signed-off-by: Sven Vermeulen
---
xdg.fc | 3 + xdg.if | 143 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xdg.te | 15 +++++++ 3 files changed, 161 insertions(+), 0 deletions(-) create mode 100644 xdg.fc create mode 100644 xdg.if create mode 100644 xdg.te
diff --git a/xdg.fc b/xdg.fc
new file mode 100644
index 0000000..44dc42e
--- /dev/null
+++ b/xdg.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
diff --git a/xdg.if b/xdg.if
new file mode 100644
index 0000000..23930df
--- /dev/null
+++ b/xdg.if
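Review bot: All three patterns in xdg.fc label everything beneath a directory with one type, so the files of every application under `~/.config` share `xdg_config_home_t`. A domain that is later given `xdg_manage_config_home` can therefore rewrite configuration that other, differently confined programs read; the module summary should state that these types give no per-application separation and that callers should prefer the read interfaces where they suffice. The paths are also only the specification's defaults: a user who relocates them through `XDG_CACHE_HOME`, `XDG_CONFIG_HOME` or `XDG_DATA_HOME` gets no matching labels, which a comment such as `# default locations only; relocated XDG_*_HOME directories are not labelled` would make explicit.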
@@ -0,0 +1,143 @@
+## Policy for xdg desktop standard
+
+#######################################
+##
+## Allow the userdomain full administrative rights on the xdg_* locations
+##
+##
+##
+## The user domain
+##
+##
+##
+#
+interface(`xdg_admin',`
+ gen_require(`
+ type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
+ ')
+
+ # full control over the xdg_* directories
+ admin_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ admin_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ admin_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+##
+## Manage the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+##
+## Read the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ type user_home_dir_t;
+ ')
+
+ list_dirs_pattern($1, user_home_dir_t, xdg_cache_home_t)
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+')
+
+########################################
+##
+## Manage the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+##
+## Read the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ type user_home_dir_t;
+ ')
+
+ list_dirs_pattern($1, user_home_dir_t, xdg_config_home_t)
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+')
+
+########################################
+##
+## Manage the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
+########################################
+##
+## Read the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ type user_home_dir_t;
+ type user_home_t;
+ ')
+
+ search_dirs_pattern($1, user_home_dir_t, user_home_t)
+ list_dirs_pattern($1, user_home_t, xdg_data_home_t)
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+')
+
diff --git a/xdg.te b/xdg.te
new file mode 100644
index 0000000..3b9b0d9
--- /dev/null
+++ b/xdg.te
@@ -0,0 +1,15 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+type xdg_data_home_t;
+userdom_user_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+userdom_user_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+userdom_user_home_content(xdg_cache_home_t)
+
-- 1.7.3.4
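Review bot: The read and manage interfaces in xdg.if disagree about how the caller reaches the directory: `xdg_read_cache_home`, `xdg_read_config_home` and `xdg_read_data_home` name `user_home_dir_t` as the parent in their patterns, while the three `xdg_manage_*` interfaces pass the xdg type as both arguments and grant nothing on the parent. A domain that calls only a manage interface probably cannot traverse into the directory, so either add `userdom_search_user_home_dirs($1)` to the manage interfaces or state the prerequisite in their summaries. Using that userdomain interface in the read interfaces too would avoid requiring `user_home_dir_t` and `user_home_t` from another module. Separately, `xdg_admin` relies on `admin_pattern`, which as far as I know also grants relabelling of the objects, and its summary should say so because that is more than "manage".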
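Review bot: xdg.te only declares the three types, and nothing visible in this patch makes a directory that an application creates at run time receive them; a freshly created `~/.cache` would presumably keep the default home-content label until it is relabelled from xdg.fc. Domains granted only the xdg_* interfaces would then be denied, which tends to get fixed by handing out broader access to the generic home type. Unless a later patch in the series adds a transition, say so above the declarations, e.g. `# labels come from xdg.fc via relabelling; directories created at run time keep the default home type until then`.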