From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 13 Oct 2011 16:06:14 +0200 Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types Message-ID: <20111013140614.GA3116@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com With some delay (busy days at work), the XDG module with the feedback from Dominick integrated. Changes since v2 include - Rename of interfaces to be more in lign with naming conventions - Use of userdom_search_... instead of userdom_list_... - Add the lnk_file and fifo_file classes in the xdg_manage_* interfaces - Drop the xdg_admin interface - Add a few TODOs that need to be written when named file transitions are supported (didn't want to include it as comments since M4 doesn't like that) Wkr, Sven Vermeulen +++ The XDG Base Directory specification is an open specification for dealing with user data in a desktop environment. It is published on http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html and in use by many applications. In this patch, we introduce the xdg-specific types and give the standard interfaces for dealing with these types. We also provide a typeattribute for each of the xdg-specific locations, allowing applications that create files therein to mark these files as the appropriate xdg type. Signed-off-by: Sven Vermeulen
---
 xdg.fc | 8 + xdg.if | 577 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xdg.te | 26 +++ 3 files changed, 611 insertions(+), 0 deletions(-) create mode 100644 xdg.fc create mode 100644 xdg.if create mode 100644 xdg.te
diff --git a/xdg.fc b/xdg.fc
new file mode 100644
index 0000000..49a52d9
--- /dev/null
+++ b/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
+
+#
+# /run
+#
+/run/user/USER(/.*)? gen_context(system_u:object_r:xdg_runtime_home_t,s0)
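Review bot: The `HOME_DIR/\.local(/.*)?` entry labels everything under ~/.local as `xdg_data_home_t`, while the XDG Base Directory specification linked in the description gives `$HOME/.local/share` as the default data home. Any sibling directory under ~/.local (for example a per-user `bin`) would therefore inherit the data label, and every domain later granted `xdg_manage_generic_data_home_content` could write to it. Either narrow the pattern to `HOME_DIR/\.local/share(/.*)?` or add a comment above the entry explaining why the whole tree is intentionally covered, e.g. `# ~/.local is labelled as a whole; ~/.local/share is the XDG default data home`.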
diff --git a/xdg.if b/xdg.if
new file mode 100644
index 0000000..36e0425
--- /dev/null
+++ b/xdg.if
@@ -0,0 +1,577 @@
+## Policy for xdg desktop standard
+
+########################################
+##
+## Mark the selected type as an xdg_data_home_type
+##
+##
+##
+## Type to give the xdg_data_home_type attribute to
+##
+##
+#
+interface(`xdg_data_home_content',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ typeattribute $1 xdg_data_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Create objects in an xdg_data_home directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`xdg_data_home_spec_filetrans',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_data_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_data_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_data_home_t (~/.local)
+
+########################################
+##
+## Mark the selected type as an xdg_cache_home_type
+##
+##
+##
+## Type to give the xdg_cache_home_type attribute to
+##
+##
+#
+interface(`xdg_cache_home_content',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ typeattribute $1 xdg_cache_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Create objects in an xdg_cache_home directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`xdg_cache_home_spec_filetrans',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_cache_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_cache_home_t (~/.cache)
+
+########################################
+##
+## Mark the selected type as an xdg_config_home_type
+##
+##
+##
+## Type to give the xdg_config_home_type attribute to
+##
+##
+#
+interface(`xdg_config_home_content',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ typeattribute $1 xdg_config_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Create objects in an xdg_config_home directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`xdg_config_home_spec_filetrans',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_config_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_config_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_config_home_t (~/.config)
+
+#
+########################################
+##
+## Mark the selected type as an xdg_runtime_home_type
+##
+##
+##
+## Type to give the xdg_runtime_home_type attribute to
+##
+##
+#
+interface(`xdg_runtime_home_content',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ typeattribute $1 xdg_runtime_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Create objects in an xdg_runtime_home directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`xdg_runtime_home_spec_filetrans',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
+
+ files_search_pids($1)
+')
+
+# TODO Introduce xdg_runtime_home_filetrans (if applicable) when named file transitions are supported
+# to support a filetrans from whatever /run/user is to xdg_config_home_t
+
+########################################
+##
+## Read the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_generic_cache_home_files',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read all xdg_cache_home_type files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_all_cache_home_files',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+##
+## Manage the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_generic_config_home_files',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read all xdg_config_home_type files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_all_config_home_files',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+##
+## Manage the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_generic_data_home_files',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read all xdg_data_home_type files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_all_data_home_files',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Manage the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read the xdg runtime home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_generic_runtime_home_files',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+##
+## Read all xdg_runtime_home_type files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_all_runtime_home_files',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+
+ files_search_pids($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg runtime home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+##
+## Manage the xdg runtime home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
diff --git a/xdg.te b/xdg.te
new file mode 100644
index 0000000..f9088b4
--- /dev/null
+++ b/xdg.te
@@ -0,0 +1,26 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_data_home_type;
+
+attribute xdg_config_home_type;
+
+attribute xdg_cache_home_type;
+
+attribute xdg_runtime_home_type;
+
+type xdg_data_home_t;
+xdg_data_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+xdg_config_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+xdg_cache_home_content(xdg_cache_home_t)
+
+type xdg_runtime_home_t;
+xdg_runtime_home_content(xdg_runtime_home_t)
-- 1.7.3.4
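Review bot: `xdg_runtime_home_content` ends with `userdom_user_home_content($1)`, so every type labelled under /run/user is also registered as user home content, and xdg.te applies that to `xdg_runtime_home_t`. Presumably any domain that is allowed to read or manage all user home content then also reaches the runtime directory, which typically holds sockets and other session state. The other runtime interfaces in this hunk already use `files_search_pids($1)` rather than the userdom search, so the home-content call looks like a copy from the three home-directory variants; consider dropping that line from the runtime interface or documenting why it is wanted. Separately, the TODO above `xdg_read_generic_cache_home_files` names `xdg_config_home_t` as the target of the /run/user transition, where `xdg_runtime_home_t` is presumably meant.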
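Review bot: The declarations in xdg.te give no hint of how the four attributes differ from the four `_t` types, and that choice decides how widely a file is shared: the `xdg_read_all_*_home_files` interfaces in xdg.if read every type carrying the attribute, while the `generic` interfaces touch only the `_t` type. A short comment above each group would help module authors pick the narrower one, for example `# Attributes: every type stored in the location, including application-private types` and `# Generic types: content not owned by a specific application`.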