From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 13 Nov 2011 10:37:51 +0100 Subject: [refpolicy] [PATCH v2 1/2] Support the console/graphical links browser In-Reply-To: <20111113093714.GA16792@siphos.be> References: <20111113093714.GA16792@siphos.be> Message-ID: <20111113093751.GB16792@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Introduce the links_t domain for the links browser, which is an ncurses/svgalib/X11 browser (so supports both commandline-only as well as GUI environments) Signed-off-by: Sven Vermeulen --- links.fc | 6 +++++ links.if | 36 +++++++++++++++++++++++++++++++++++ links.te | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 0 deletions(-) create mode 100644 links.fc create mode 100644 links.if create mode 100644 links.te diff --git a/links.fc b/links.fc new file mode 100644 index 0000000..5749b58 --- /dev/null +++ b/links.fc @@ -0,0 +1,6 @@ +HOME_DIR/\.links(/.*)? gen_context(system_u:object_r:links_home_t,s0) + +# +# /usr +# +/usr/bin/links -- gen_context(system_u:object_r:links_exec_t,s0) diff --git a/links.if b/links.if new file mode 100644 index 0000000..bf3e20a --- /dev/null +++ b/links.if @@ -0,0 +1,36 @@ +## Links web browser + +####################################### +## +## The role interface for the links module. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`links_role',` + gen_require(` + type links_t, links_exec_t, links_tmpfs_t, links_home_t; + ') + + role $1 types links_t; + + manage_dirs_pattern($2, links_home_t, links_home_t) + manage_files_pattern($2, links_home_t, links_home_t) + manage_lnk_files_pattern($2, links_home_t, links_home_t) + + relabel_dirs_pattern($2, links_home_t, links_home_t) + relabel_files_pattern($2, links_home_t, links_home_t) + relabel_lnk_files_pattern($2, links_home_t, links_home_t) + + domtrans_pattern($2, links_exec_t, links_t) + + ps_process_pattern($2, links_t) +') diff --git a/links.te b/links.te new file mode 100644 index 0000000..7c9d03f --- /dev/null +++ b/links.te @@ -0,0 +1,63 @@ +policy_module(links, 1.0.0) + +############################ +# +# Declarations +# + +## +##

+## Allow links to manage files in users home directories (download files) +##

+## +gen_tunable(links_manage_user_files, false) + +type links_t; +type links_exec_t; +userdom_user_application_domain(links_t, links_exec_t) + +type links_home_t; +userdom_user_home_content(links_home_t) + +type links_tmpfs_t; +userdom_user_tmpfs_file(links_tmpfs_t) + +############################ +# +# Policy +# + +allow links_t self:process signal_perms; +allow links_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(links_t, links_home_t, links_home_t) +manage_files_pattern(links_t, links_home_t, links_home_t) +manage_lnk_files_pattern(links_t, links_home_t, links_home_t) +manage_sock_files_pattern(links_t, links_home_t, links_home_t) +manage_fifo_files_pattern(links_t, links_home_t, links_home_t) +userdom_user_home_dir_filetrans(links_t, links_home_t, dir) + +manage_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +manage_lnk_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +manage_fifo_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +manage_sock_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t) +fs_tmpfs_filetrans(links_t, links_tmpfs_t, { file lnk_file sock_file fifo_file }) + +corenet_tcp_connect_http_port(links_t) + +domain_use_interactive_fds(links_t) + +auth_use_nsswitch(links_t) + +miscfiles_read_localization(links_t) + +userdom_use_user_terminals(links_t) + +tunable_policy(`links_manage_user_files',` + userdom_manage_user_home_content_dirs(links_t) + userdom_manage_user_home_content_files(links_t) +') + +optional_policy(` + xserver_user_x_domain_template(links, links_t, links_tmpfs_t) +') -- 1.7.3.4