From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 23 Oct 2011 16:30:28 +0200 Subject: [refpolicy] [PATCH 1/2] Support the console/graphical links browser In-Reply-To: <20111023142947.GA17397@siphos.be> References: <20111023142947.GA17397@siphos.be> Message-ID: <20111023143028.GB17397@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Introduce the links_t domain for the links browser, which is an ncurses/svgalib/X11 browser (so supports both commandline-only as well as GUI environments) Signed-off-by: Sven Vermeulen --- links.fc | 6 ++++++ links.if | 36 ++++++++++++++++++++++++++++++++++++ links.te | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 99 insertions(+), 0 deletions(-) create mode 100644 links.fc create mode 100644 links.if create mode 100644 links.te diff --git a/links.fc b/links.fc new file mode 100644 index 0000000..5749b58 --- /dev/null +++ b/links.fc @@ -0,0 +1,6 @@ +HOME_DIR/\.links(/.*)? gen_context(system_u:object_r:links_home_t,s0) + +# +# /usr +# +/usr/bin/links -- gen_context(system_u:object_r:links_exec_t,s0) diff --git a/links.if b/links.if new file mode 100644 index 0000000..bf3e20a --- /dev/null +++ b/links.if @@ -0,0 +1,36 @@ +## Links web browser + +####################################### +## +## The role interface for the links module. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`links_role',` + gen_require(` + type links_t, links_exec_t, links_tmpfs_t, links_home_t; + ') + + role $1 types links_t; + + manage_dirs_pattern($2, links_home_t, links_home_t) + manage_files_pattern($2, links_home_t, links_home_t) + manage_lnk_files_pattern($2, links_home_t, links_home_t) + + relabel_dirs_pattern($2, links_home_t, links_home_t) + relabel_files_pattern($2, links_home_t, links_home_t) + relabel_lnk_files_pattern($2, links_home_t, links_home_t) + + domtrans_pattern($2, links_exec_t, links_t) + + ps_process_pattern($2, links_t) +') diff --git a/links.te b/links.te new file mode 100644 index 0000000..6289570 --- /dev/null +++ b/links.te @@ -0,0 +1,57 @@ +policy_module(links, 1.0.0) + +############################ +# +# Declarations +# + +type links_t; +type links_exec_t; +application_domain(links_t, links_exec_t) + +type links_home_t; +typealias links_home_t alias { user_links_home_t staff_links_home_t sysadm_links_home_t }; +userdom_user_home_content(links_home_t) + +type links_tmpfs_t; +typealias links_tmpfs_t alias { user_links_tmpfs_t staff_links_tmpfs_t sysadm_links_tmpfs_t }; +files_tmpfs_file(links_tmpfs_t) +ubac_constrained(links_tmpfs_t) + +############################ +# +# Policy +# + +allow links_t self:process signal_perms; +allow links_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(links_t, links_home_t, links_home_t) +manage_files_pattern(links_t, links_home_t, links_home_t) +manage_lnk_files_pattern(links_t, links_home_t, links_home_t) +manage_sock_files_pattern(links_t, links_home_t, links_home_t) +manage_fifo_files_pattern(links_t, links_home_t, links_home_t) + +manage_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +manage_lnk_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +manage_fifo_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +manage_sock_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +fs_tmpfs_filetrans(links_t, links_tmpfs_t, { file lnk_file sock_file fifo_file }) + +userdom_user_home_dir_filetrans(links_t, links_home_t, dir) + +corenet_tcp_connect_http_port(links_t) + +domain_use_interactive_fds(links_t) + +auth_use_nsswitch(links_t) + +miscfiles_read_localization(links_t) + +userdom_manage_user_home_content_dirs(links_t) +userdom_manage_user_home_content_files(links_t) +userdom_use_user_terminals(links_t) + +optional_policy(` + xserver_user_x_domain_template(links, links_t, links_tmpfs_t) +') -- 1.7.3.4