From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 3 Oct 2012 17:12:35 +0200
Subject: [refpolicy] [REVIEW REQUEST] Changes to the gnome policy module
Message-ID: <1349277155-3545-1-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The below is ported from Fedora with (considerable) changes. The changes are pretty far reaching and so I would like comments on it.

Some of the changes are:

Creating new types for ~/.cache, ~/.config, ~/.local/share and various generic gstreamer content (see the HOME_DIR file contexts). These types aren't specific to gnome, but Fedora treats the gnome module as if it were a module for any desktop environment. The config, cache and data types are from the freedesktop specification and are used by any desktop (at least that is the idea behind this standard).

This patch also implements a config_usr_t type which is basically for KDE.

The gnome keyring daemon needs to be prefixed since it needs to be able to transition back to the user domain. Therefore I created a separate gnome_role_template_gkeyringd rather than stuffing it in a generic gnome_role (gconfd and others might not need to be prefixed).

You will notice that I have enclosed plenty of gnome transition interfaces. I expect that those will be needed (I know they will) and to make sure they are proper, I decided to create them beforehand.

I also created interfaces that should be called in the user domain, to allow users to create generic gnome content with the proper file transition and to allow them to relabel and manage the content:

gnome_manage_all_generic_home_content
gnome_relabel_all_generic_home_content
gnome_filetrans_all_generic_home

These are supposed to end up in the userdom_manage_home_role (in an optional policy block).

There is also an interface that allows callers to execute all generic gnome home files (this should be added to the userdom_exec_home_files interface so that this can be allowed conditionally).

The policy builds, and allows users calling gnome_role_template_keyringd to domain transition (both via their session bus type or userdomain type). By calling the gnome_role_template_keyringd you will depend on the dbus role (it needs to be nested in the dbus_role_template). Example:

optional_policy(`
	dbus_role_template(user, user_r, user_t)

	optional_policy(`
		gnome_role_template_gkeyringd(user, user_r, user_t)
	')

	optional_policy(`
		wm_role_template(user, user_r, user_t)
	')
')

There is one big difference between fedora and refpolicy. Fedora wants selinux to make unconfined users run their dbus session in the unconfined_dbusd_t domain. Refpolicy allows unconfined users to run their dbus session in the unconfined_t domain. I favor refpolicy's solution as I believe that ideally unconfined_t should never transition out of unconfined_t. (The argument that unconfined_t needs to transition in order to be able to create files with the proper type is no longer valid since we now have named file transitions.)

I think fedora also wants selinux to make xdm run its dbus session in the xdm_dbusd_t session bus type (not sure). I think that would be a bad idea as well.

Anyways the policy builds and it installs, I did some basic checks and it works as expected as far as I have tested.

But I know from experience that it *might* get ugly (I think dwalsh might understand what I am talking about). Nonetheless, sooner or later we will have to confront it so it might as well be now.

I just want to throw this in the group because I still hope one day we are all on the same page when it comes to dealing with issues that this patch aims to deal with.

diff --git a/gnome.fc b/gnome.fc index 00a19e3..a8580f1 100644 --- a/gnome.fc +++ b/gnome.fc
@@ -1,9 +1,27 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) +HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.grl-bookmarks -- gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-metadata-store -- gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-podcasts -- gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gstreamer-0\.10(/.)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) +HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.Xdefaults -- gen_context(system_u:object_r:config_home_t,s0) -/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) +/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) + +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0) 
diff --git a/gnome.if b/gnome.if index f5afe78..f8a96df 100644 --- a/gnome.if +++ b/gnome.if 
@@ -1,44 +1,271 @@ -## GNU network object model environment (GNOME) +## GNU network object model environment. -############################################################ +######################################## ## -## Role access for gnome +## Role access for gnome. (Deprecated) ## ## ## -## Role allowed access +## Role allowed access. ## ## ## ## -## User domain for the role +## User domain for the role. ## ## # interface(`gnome_role',` - gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; - ') - - role $1 types gconfd_t; - - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; - - ps_process_pattern($2, gconfd_t) - - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; + refpolicywarn(`$0($*) has been deprecated, use gnome_role_gconfd() instead.') + gnome_role_gconfd($1, $2) ') ######################################## ## -## Execute gconf programs in -## in the caller domain. +## Role access for gconfd. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`gnome_role_gconfd',` + gen_require(` + attribute_role gconfd_roles; + type gconfd_t, gconfd_exec_t, gconf_tmp_t; + ') + + ######################################## + # + # Declarations + # + + roleattribute $1 gconfd_roles; + + ######################################## + # + # Policy + # + + domtrans_pattern($2, gconfd_exec_t, gconfd_t) + + allow $2 gconfd_t:process { ptrace signal_perms }; + ps_process_pattern($2, gconfd_t) +') + +####################################### +## +## The role template for gnome keyringd. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. 
+## +## +# +template(`gnome_role_template_gkeyringd',` + gen_require(` + attribute gnomedomain, gkeyringd_domain; + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; + ') + + ######################################## + # + # Declarations + # + + type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; + userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) + domain_user_exemption_target($1_gkeyringd_t) + + role $2 types $1_gkeyringd_t; + + ######################################## + # + # Policy + # + + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) + + allow $3 gnome_keyring_home_t:dir { relabel_dir_perms manage_dir_perms }; + allow $3 gnome_keyring_home_t:file { relabel_file_perms manage_file_perms }; + + allow $3 gnome_keyring_tmp_t:dir { relabel_dir_perms manage_dir_perms }; + allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + + ps_process_pattern($3, $1_gkeyringd_t) + allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + + corecmd_bin_domtrans($1_gkeyringd_t, $3) + corecmd_shell_domtrans($1_gkeyringd_t, $3) + + gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") + + gnome_stream_connect_gkeyringd($1, $3) + + optional_policy(` + dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_bus_client($1, $1_gkeyringd_t) + + gnome_dbus_chat_gkeyringd($1, $3) + ') +') + +####################################### +## +## Create, read, write, and delete +## all generic gnome user home content. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`gnome_manage_all_generic_home_content',` + gen_require(` + type cache_home_t, config_home_t, data_home_t; + type gconf_home_t, gnome_home_t, gstreamer_home_t; + ') + + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:dir manage_dir_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:file manage_file_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:lnk_file manage_lnk_file_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:sock_file manage_sock_file_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:fifo_file manage_fifo_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + fs_manage_nfs_symlinks($1) + fs_manage_nfs_named_sockets($1) + fs_manage_nfs_named_pipes($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + fs_manage_cifs_symlinks($1) + fs_manage_cifs_named_sockets($1) + fs_manage_cifs_named_pipes($1) + ') +') + +####################################### +## +## Relabel all generic gnome user +## home content. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`gnome_relabel_all_generic_home_content',` + gen_require(` + type cache_home_t, config_home_t, data_home_t; + type gconf_home_t, gnome_home_t, gstreamer_home_t; + ') + + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:dir relabel_dir_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:file relabel_file_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:lnk_file relabel_lnk_file_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:sock_file relabel_sock_file_perms; + allow $1 { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t }:fifo_file relabel_fifo_file_perms; +') + +####################################### +## +## Create objects in user home +## directories with the generic all +## generic home types. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`gnome_filetrans_all_generic_home',` + gen_require(` + type cache_home_t, config_home_t, data_home_t; + type gconf_home_t, gnome_home_t, gstreamer_home_t; + ') + + userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") + userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") + userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome") + userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") + userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2_private") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10") + userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde") + 
userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local") + userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") + + filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") +') + +######################################## +## +## Execute all generic gnome generic +## user home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`gnome_exec_all_generic_home_files',` + gen_require(` + type cache_home_t, config_home_t, data_home_t; + type gconf_home_t, gnome_home_t, gstreamer_home_t; + ') + + userdom_search_user_home_dir($1) + exec_files_pattern($1, { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t gstreamer_home_t }, { cache_home_t config_home_t data_home_t gconf_home_t gnome_home_t gstreamer_home_t }) + + tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_exec_cifs_files($1) + ') +') + +######################################## +## +## Execute gconf in the caller domain. ## ## ## 
@@ -51,20 +278,64 @@ type gconfd_exec_t; ') + corecmd_search_bin($1) can_exec($1, gconfd_exec_t) ') -######################################## +###################################### ## -## Read gconf config files. +## Read gnome config user content. ## -## +## ## ## Domain allowed access. ## ## # -template(`gnome_read_gconf_config',` +interface(`gnome_read_usr_config',` + gen_require(` + type config_usr_t; + ') + + files_search_usr($1) + list_dirs_pattern($1, config_usr_t, config_usr_t) + read_files_pattern($1, config_usr_t, config_usr_t) + read_lnk_files_pattern($1, config_usr_t, config_usr_t) +') + +####################################### +## +## Create, read, write, and delete +## gnome config user content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_usr_config',` + gen_require(` + type config_usr_t; + ') + + files_search_usr($1) + manage_dirs_pattern($1, config_usr_t, config_usr_t) + manage_files_pattern($1, config_usr_t, config_usr_t) + manage_lnk_files_pattern($1, config_usr_t, config_usr_t) +') + +######################################## +## +## Read gconf configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_gconf_config',` gen_require(` type gconf_etc_t; ') @@ -76,7 +347,8 @@ ####################################### ## -## Create, read, write, and delete gconf config files. +## Create, read, write, and delete +## gconf configuration files. ## ## ## @@ -95,9 +367,10 @@ ######################################## ## -## gconf connection template. +## Connect to gconf using a unix +## domain stream socket. ## -## +## ## ## Domain allowed access. ## @@ -108,8 +381,8 @@ type gconfd_t, gconf_tmp_t; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; + files_search_tmp($1) + stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) ') ######################################## 
@@ -118,7 +391,7 @@ ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # @@ -127,12 +400,32 @@ type gconfd_t, gconfd_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') ######################################## ## -## Set attributes of Gnome config dirs. +## Create generic gnome home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_home_dirs',` + gen_require(` + type gnome_home_t; + ') + + allow $1 gnome_home_t:dir create_dir_perms; +') + +######################################## +## +## Set attributes of generic gnome +## user home directories. (Deprecated) ## ## ## 
@@ -141,50 +434,1032 @@ ## # interface(`gnome_setattr_config_dirs',` - gen_require(` - type gnome_home_t; - ') - - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) + refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.') + gnome_setattr_generic_home_dirs($1) ') ######################################## ## -## Read gnome homedir content (.config) +## Set attributes of generic gnome +## user home directories. ## -## +## ## ## Domain allowed access. ## ## # -template(`gnome_read_config',` +interface(`gnome_setattr_generic_home_dirs',` gen_require(` type gnome_home_t; ') - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) + userdom_search_user_home_dirs($1) + setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ') ######################################## ## -## manage gnome homedir content (.config) +## Read generic gnome user home content. (Deprecated) ## -## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_config',` + refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.') + gnome_read_generic_home_content($1) +') + +######################################## +## +## Read generic gnome home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_generic_home_content',` + gen_require(` + type gnome_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gnome_home_t:dir list_dir_perms; + allow $1 gnome_home_t:file read_file_perms; + allow $1 gnome_home_t:fifo_file read_fifo_file_perms; + allow $1 gnome_home_t:lnk_file read_lnk_file_perms; + allow $1 gnome_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic gnome user home content. (Deprecated) +## +## ## ## Domain allowed access. 
## ## # interface(`gnome_manage_config',` + refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.') + gnome_manage_generic_home_content($1) +') + +######################################## +## +## Create, read, write, and delete +## generic gnome home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_generic_home_content',` gen_require(` type gnome_home_t; ') + userdom_search_user_home_dirs($1) allow $1 gnome_home_t:dir manage_dir_perms; allow $1 gnome_home_t:file manage_file_perms; + allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; + allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; + allow $1 gnome_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic gnome home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_search_generic_home',` + gen_require(` + type gnome_home_t; + ') + userdom_search_user_home_dirs($1) + allow $1 gnome_home_t:dir search_dir_perms; +') + +######################################## +## +## Create objects in gnome user home +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans',` + gen_require(` + type gnome_home_t, config_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, gnome_home_t, $2, $3, $4) +') + +######################################## +## +## Create generic cache home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_cache_home_dirs',` + gen_require(` + type cache_home_t; + ') + + allow $1 cache_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic cache home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_read_generic_cache_home_content',` + gen_require(` + type cache_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 cache_home_t:dir list_dir_perms; + allow $1 cache_home_t:file read_file_perms; + allow $1 cache_home_t:fifo_file read_fifo_file_perms; + allow $1 cache_home_t:lnk_file read_lnk_file_perms; + allow $1 cache_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic cache home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_generic_cache_home_content',` + gen_require(` + type cache_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 cache_home_t:dir manage_dir_perms; + allow $1 cache_home_t:file manage_file_perms; + allow $1 cache_home_t:fifo_file manage_fifo_file_perms; + allow $1 cache_home_t:lnk_file manage_lnk_file_perms; + allow $1 cache_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic cache home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_search_generic_cache_home',` + gen_require(` + type cache_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 cache_home_t:dir search_dir_perms; +') + +######################################## +## +## Create objects in user home +## directories with the generic cache +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans_cache_home',` + gen_require(` + type cache_home_t; + ') + + userdom_user_home_dir_filetrans($1, cache_home_t, $2, $3) +') + +######################################## +## +## Create generic config home directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_create_generic_config_home_dirs',` + gen_require(` + type config_home_t; + ') + + allow $1 config_home_t:dir create_dir_perms; +') + +######################################## +## +## Create generic config home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_config_home_files',` + gen_require(` + type config_home_t; + ') + + allow $1 config_home_t:file create_files_perms; +') + +######################################## +## +## Read generic config home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_generic_config_home_content',` + gen_require(` + type config_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 config_home_t:dir list_dir_perms; + allow $1 config_home_t:file read_file_perms; + allow $1 config_home_t:fifo_file read_fifo_file_perms; + allow $1 config_home_t:lnk_file read_lnk_file_perms; + allow $1 config_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic config home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_generic_config_home_content',` + gen_require(` + type config_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 config_home_t:dir manage_dir_perms; + allow $1 config_home_t:file manage_file_perms; + allow $1 config_home_t:fifo_file manage_fifo_file_perms; + allow $1 config_home_t:lnk_file manage_lnk_file_perms; + allow $1 config_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic config home directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_search_generic_config_home',` + gen_require(` + type config_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 config_home_t:dir search_dir_perms; +') + +######################################## +## +## Create objects in user home +## directories with the generic config +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans_config_home',` + gen_require(` + type config_home_t; + ') + + userdom_user_home_dir_filetrans($1, config_home_t, $2, $3) +') + +######################################## +## +## Create generic data home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_data_home_dirs',` + gen_require(` + type data_home_t; + ') + + allow $1 data_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic data home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_generic_data_home_content',` + gen_require(` + type data_home_t, gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir search_dir_perms; + allow $1 data_home_t:dir list_dir_perms; + allow $1 data_home_t:file read_file_perms; + allow $1 data_home_t:fifo_file read_fifo_file_perms; + allow $1 data_home_t:lnk_file read_lnk_file_perms; + allow $1 data_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic data home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_manage_generic_data_home_content',` + gen_require(` + type data_home_t, gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir search_dir_perms; + allow $1 data_home_t:dir manage_dir_perms; + allow $1 data_home_t:file manage_file_perms; + allow $1 data_home_t:fifo_file manage_fifo_file_perms; + allow $1 data_home_t:lnk_file manage_lnk_file_perms; + allow $1 data_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic data home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_search_generic_data_home',` + gen_require(` + type data_home_t, gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; +') + +######################################## +## +## Create objects in user home +## directories with the generic data +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans_data_home',` + gen_require(` + type data_home_t; + ') + + gnome_gconf_home_filetrans($1, data_home_t, $2, $3) +') + +######################################## +## +## Create generic gconf home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_gconf_home_dirs',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic gconf home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_read_generic_gconf_home_content',` + gen_require(` + type gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir list_dir_perms; + allow $1 gconf_home_t:file read_file_perms; + allow $1 gconf_home_t:fifo_file read_fifo_file_perms; + allow $1 gconf_home_t:lnk_file read_lnk_file_perms; + allow $1 gconf_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic gconf home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_generic_gconf_home_content',` + gen_require(` + type gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir manage_dir_perms; + allow $1 gconf_home_t:file manage_file_perms; + allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; + allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; + allow $1 gconf_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic gconf home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_search_generic_gconf_home',` + gen_require(` + type gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir search_dir_perms; +') + +######################################## +## +## Create objects in user home +## directories with the generic gconf +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans_gconf_home',` + gen_require(` + type gconf_home_t; + ') + + userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) +') + +######################################## +## +## Create objects in user home +## directories with the generic gnome +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. 
+## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans_gnome_home',` + gen_require(` + type gnome_home_t; + ') + + userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) +') + +######################################## +## +## Create generic gstreamer home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_gstreamer_home_dirs',` + gen_require(` + type gstreamer_home_t; + ') + + allow $1 gstreamer_home_t:dir create_dir_perms; +') + +######################################## +## +## Create generic gstreamer home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_gstreamer_home_files',` + gen_require(` + type gstreamer_home_t; + ') + + allow $1 gstreamer_home_t:file create_file_perms; +') + +######################################## +## +## Read generic gstreamer home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_generic_gstreamer_home_content',` + gen_require(` + type gstreamer_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gstreamer_home_t:dir list_dir_perms; + allow $1 gstreamer_home_t:file read_file_perms; + allow $1 gstreamer_home_t:fifo_file read_fifo_file_perms; + allow $1 gstreamer_home_t:lnk_file read_lnk_file_perms; + allow $1 gstreamer_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic gstreamer home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_manage_generic_gstreamer_home_content',` + gen_require(` + type gstreamer_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gstreamer_home_t:dir manage_dir_perms; + allow $1 gstreamer_home_t:file manage_file_perms; + allow $1 gstreamer_home_t:fifo_file manage_fifo_file_perms; + allow $1 gstreamer_home_t:lnk_file manage_lnk_file_perms; + allow $1 gstreamer_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic gstreamer home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_search_generic_gstreamer_home',` + gen_require(` + type gstreamer_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gstreamer_home_t:dir search_dir_perms; +') + +######################################## +## +## Create objects in user home +## directories with the generic gstreamer +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans_gstreamer_home',` + gen_require(` + type gstreamer_home_t; + ') + + userdom_user_home_dir_filetrans($1, gstreamer_home_t, $2, $3) +') + +######################################## +## +## Create objects in gnome cache home +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_cache_home_filetrans',` + gen_require(` + type cache_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, cache_home_t, $2, $3, $4) +') + +######################################## +## +## Create objects in gnome config home +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. 
+## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_config_home_filetrans',` + gen_require(` + type config_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, config_home_t, $2, $3, $4) +') + +######################################## +## +## Create objects in gnome data home +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_data_home_filetrans',` + gen_require(` + type data_home_t, gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir search_dir_perms; + filetrans_pattern($1, data_home_t, $2, $3, $4) +') + +######################################## +## +## Create objects in gnome gconf home +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_gconf_home_filetrans',` + gen_require(` + type gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, gconf_home_t, $2, $3, $4) +') + +######################################## +## +## Send and receive messages from +## gnome keyring daemon over dbus. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_gkeyringd',` + gen_require(` + type $1_gkeyringd_t; + class dbus send_msg; + ') + + allow $2 $1_gkeyringd_t:dbus send_msg; + allow $1_gkeyringd_t $2:dbus send_msg; +') + +######################################## +## +## Send and receive messages from all +## gnome keyring daemon over dbus. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_dbus_chat_all_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; + class dbus send_msg; + ') + + allow $1 gkeyringd_domain:dbus send_msg; + allow gkeyringd_domain $1:dbus send_msg; +') + +######################################## +## +## Connect to gnome keyring daemon +## with a unix stream socket. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_stream_connect_gkeyringd',` + gen_require(` + type $1_gkeyringd_t, gnome_keyring_tmp_t; + ') + + files_search_tmp($2) + stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) +') + +######################################## +## +## Connect to all gnome keyring daemon +## with a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_stream_connect_all_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; + type gnome_keyring_tmp_t; + ') + + files_search_tmp($1) + stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') diff --git a/gnome.te b/gnome.te index 783c5fb..72fcc0c 100644 --- a/gnome.te +++ b/gnome.te @@ -1,11 +1,25 @@ -policy_module(gnome, 2.2.0) +policy_module(gnome, 2.2.2) ############################## # # Declarations # +attribute gkeyringd_domain; attribute gnomedomain; +attribute_role gconfd_roles; + +type cache_home_t; +userdom_user_home_content(cache_home_t) + +type config_home_t; +userdom_user_home_content(config_home_t) + +type config_usr_t; +files_type(config_usr_t) + +type data_home_t; +userdom_user_home_content(data_home_t) type gconf_etc_t; files_config_file(gconf_etc_t) 
@@ -27,6 +41,7 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) +role gconfd_roles types gconfd_t; type gnome_home_t; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; @@ -34,13 +49,45 @@ typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) +type gkeyringd_exec_t; +application_executable_file(gkeyringd_exec_t) + +type gnome_keyring_home_t; +userdom_user_home_content(gnome_keyring_home_t) + +type gnome_keyring_tmp_t; +userdom_user_tmp_file(gnome_keyring_tmp_t) + +type gstreamer_home_t; +userdom_user_home_content(gstreamer_home_t) + ############################## # -# Local Policy +# Common local Policy # -allow gconfd_t self:process getsched; -allow gconfd_t self:fifo_file rw_fifo_file_perms; +allow gnomedomain self:process { getsched signal }; +allow gnomedomain self:fifo_file rw_fifo_file_perms; + +dev_read_urand(gconfd_t) + +domain_use_interactive_fds(gnomedomain) + +files_read_etc_files(gnomedomain) + +miscfiles_read_localization(gnomedomain) + +logging_send_syslog_msg(gnomedomain) + +userdom_use_user_terminals(gnomedomain) + +############################## +# +# Gconf local Policy +# + +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) 
@@ -50,18 +97,6 @@ manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) - -dev_read_urand(gconfd_t) - -files_read_etc_files(gconfd_t) - -miscfiles_read_localization(gconfd_t) - -logging_send_syslog_msg(gconfd_t) - -userdom_manage_user_tmp_sockets(gconfd_t) userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) 
@@ -73,3 +108,50 @@ xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') + +############################## +# +# Gkeyring-daemon local policy +# + +allow gkeyringd_domain self:capability ipc_lock; +allow gkeyringd_domain self:process { getcap setcap }; +allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; + +manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") + +manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) + +kernel_read_system_state(gkeyringd_domain) +kernel_read_crypto_sysctls(gkeyringd_domain) + +dev_read_rand(gkeyringd_domain) +dev_read_sysfs(gkeyringd_domain) + +files_read_usr_files(gkeyringd_domain) + +fs_getattr_xattr_fs(gkeyringd_domain) +fs_getattr_tmpfs(gkeyringd_domain) + +selinux_getattr_fs(gkeyringd_domain) + +optional_policy(` + gnome_create_generic_home_dirs(gkeyringd_domain) + gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") +') + +optional_policy(` + ssh_read_user_home_files(gkeyringd_domain) +') + +optional_policy(` + telepathy_mission_control_read_state(gkeyringd_domain) +') + +optional_policy(` + xserver_use_xdm_fds(gkeyringd_domain) +')
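Review bot: in the gnome.if hunk, gnome_data_home_filetrans is the only one of the *_home_filetrans interfaces that requires a second type (gconf_home_t) and adds `allow $1 gconf_home_t:dir search_dir_perms;` ahead of the filetrans_pattern, while its description only talks about the data home directory. If data_home_t content is expected to sit below a gconf_home_t directory, state that in the interface description (a short comment on the allow line is enough); otherwise drop the extra require and allow so the interface reads like gnome_cache_home_filetrans and gnome_config_home_filetrans.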
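Review bot: in the @@ -1,11 +1,25 @@ hunk of gnome.te, config_usr_t is declared with files_type() but no other visible hunk references it, and gconfd_roles is declared with attribute_role and bound by `role gconfd_roles types gconfd_t;` in the following hunk without any visible interface adding a role to it. Either include the file contexts and role interface that use them, or say in the commit message that they are placeholders for a follow-up patch.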
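Review bot: in the @@ -34,13 +49,45 @@ hunk, dev_read_urand(gconfd_t) sits under the new "Common local Policy" heading between the gnomedomain self rules and domain_use_interactive_fds(gnomedomain), yet it still targets gconfd_t only; move it to the "Gconf local Policy" section with the other gconfd_t rules. The same hunk replaces the gconfd_t calls to files_read_etc_files, miscfiles_read_localization and logging_send_syslog_msg (deleted in the next hunk) with gnomedomain-wide ones, so confirm that gconfd_t and the gkeyringd_domain types actually carry the gnomedomain attribute; no typeattribute for it is visible in the patch. It also widens gconfd_t beyond the old rules: self:process signal, domain_use_interactive_fds and userdom_use_user_terminals are new for it and the commit message does not mention them.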
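Review bot: in the @@ -50,18 +97,6 @@ hunk, userdom_manage_user_tmp_sockets(gconfd_t) is removed but, unlike the other deleted lines, is not re-added under gnomedomain or in the Gconf section. If dropping gconfd's access to user tmp sockets is intentional, say so in the commit message; otherwise restore it next to userdom_manage_user_tmp_dirs(gconfd_t).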
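Review bot: in the @@ -73,3 +108,50 @@ hunk, the gkeyring section calls the module's own interfaces: gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") directly, and gnome_create_generic_home_dirs / gnome_home_filetrans_gnome_home inside an optional_policy block. Reference policy style is for a module not to use its own interfaces, and the optional_policy wrapper is a no-op here since the gnome module is by definition present when gnome.te is compiled; write these as plain rules on gnome_home_t and gnome_keyring_home_t (the create_dir_perms allow and the userdom_user_home_dir_filetrans / filetrans_pattern calls the interfaces expand to). A one-line comment on `allow gkeyringd_domain self:capability ipc_lock;` explaining why the daemon needs that capability would also help, as capability grants are the first thing audited in a new domain.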