From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat,  9 Nov 2013 09:47:05 +0100
Subject: [refpolicy] [RFC] Initial XDG base dir spec policy module
Message-ID: <1383986825-20094-1-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 xdg.fc |   5 +
 xdg.if | 941 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 xdg.te |  21 ++
 3 files changed, 967 insertions(+)
 create mode 100644 xdg.fc
 create mode 100644 xdg.if
 create mode 100644 xdg.te

diff --git a/xdg.fc b/xdg.fc
new file mode 100644
index 0000000..a2b66ac
--- /dev/null
+++ b/xdg.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:xdg_data_home_t,s0)
+
+/etc/xdg(/.*)?	gen_context(system_u:object_r:xdg_conf_t,s0)
diff --git a/xdg.if b/xdg.if
new file mode 100644
index 0000000..cab9411
--- /dev/null
+++ b/xdg.if
@@ -0,0 +1,941 @@
+## <summary>XDG Base Directory Specification.</summary>
+
+########################################
+## <summary>
+##	Make the specified type a XDG configuration
+##	dirs type.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for
+##	XDG configuration dirs.  This will also
+##	make the type usable for configuration
+##	files, making calls to files_config_file(),
+##	redundant.
+##	</p>
+##	<p>
+##	A set of preference ordered base directories
+##	relative to which configuration files should
+##	be searched.  This set of directories is
+##	defined by the environment variable $XDG_CONFIG_DIRS.
+##	</p>
+##	<p>
+##	Defines the preference-ordered set of base
+##	directories to search for configuration files
+##	in addition to the $XDG_CONFIG_HOME base
+##	directory.  The directories in $XDG_CONFIG_DIRS
+##	should be seperated with a colon ':'.
+##	</p>
+##	<p>
+##	If $XDG_CONFIG_DIRS is either not set or empty,
+##	a value equal to /etc/xdg should be used.
+##	</p>
+## </desc>
+## <param name="file_type">
+##	<summary>
+##	Type to be used as XDG configuration dirs.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`xdg_config_file',`
+	gen_require(`
+		attribute xdg_config_dirs_type;
+	')
+
+	files_config_file($1)
+	typeattribute $1 xdg_config_dirs_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type a XDG data
+##	dirs type.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for
+##	XDG data dirs.  This will also
+##	make the type usable for basic
+##	files, making calls to files_type(),
+##	redundant.
+##	</p>
+##	<p>
+##	A set of preference ordered base directories
+##	relative to which data files should be searched.
+##	This set of directories is defined by the
+##	environment variable $XDG_DATA_DIRS.
+##	</p>
+##	<p>
+##	Defines the preference-ordered set of base
+##	directories to search for data files in
+##	addition to the $XDG_DATA_HOME base directory.
+##	The directories in $XDG_DATA_DIRS should be
+##	seperated with a colon ':'.
+##	</p>
+##	<p>
+##	If $XDG_DATA_DIRS is either not set or empty,
+##	a value equal to /usr/local/share/:/usr/share/
+##	should be used.
+##	</p>
+## </desc>
+## <param name="file_type">
+##	<summary>
+##	Type to be used as XDG data dirs.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`xdg_data_file',`
+	gen_require(`
+		attribute xdg_data_dirs_type;
+	')
+
+	files_type($1)
+	typeattribute $1 xdg_data_dirs_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type a XDG runtime
+##	dirs type.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for
+##	XDG runtime dirs.  This will also
+##	make the type usable for basic
+##	user temporary files, making calls to
+##	userdom_user_tmp_file(), redundant.
+##	</p>
+##	<p>
+##	A single base directory relative to which
+##	user-specific runtime files and other file
+##	objects should be placed.  This directory
+##	is defined by the environment variable $XDG_RUNTIME_DIR.
+##	</p>
+##	<p>
+##	Defines the base directory relative to
+##	which user-specific non-essential runtime
+##	files and other file objects (such as
+##	sockets, named pipes, ...) should be stored.
+##	The directory MUST be owned by the user,
+##	and he MUST be the only one having read and
+##	write access to it. Its Unix access mode
+##	MUST be 0700.
+##	</p>
+##	<p>
+##	If $XDG_RUNTIME_DIR is not set applications
+##	should fall back to a replacement directory
+##	with similar capabilities and print a warning
+##	message.  Applications should use this directory
+##	for communication and synchronization purposes
+##	and should not place larger files in it, since it
+##	might reside in runtime memory and cannot
+##	necessarily be swapped out to disk.
+##	</p>
+## </desc>
+## <param name="file_type">
+##	<summary>
+##	Type to be used as XDG runtime dirs.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`xdg_runtime_file',`
+	gen_require(`
+		attribute xdg_runtime_dirs_type;
+	')
+
+	userdom_user_tmp_file($1)
+	typeattribute $1 xdg_runtime_dirs_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type a XDG cache
+##	home type.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for
+##	XDG cache home content.  This will also
+##	make the type usable for user home content
+##	files, making calls to userdom_user_home_content(),
+##	redundant.
+##	</p>
+##	<p>
+##	A single base directory relative to which user
+##	specific non-essential (cached) data should be
+##	written.  This directory is defined by the
+##	environment variable $XDG_CACHE_HOME.
+##	</p>
+##	<p>
+##	Defines the base directory relative to which user
+##	specific non-essential data files should be stored.
+##	</p>
+##	<p>
+##	If $XDG_CACHE_HOME is either not set or empty, a
+##	default equal to $HOME/.cache should be used.
+##	</p>
+## </desc>
+## <param name="file_type">
+##	<summary>
+##	Type to be used as XDG cache home content.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`xdg_cache_home_content',`
+	gen_require(`
+		attribute xdg_cache_home_type;
+	')
+
+	userdom_user_home_content($1)
+	typeattribute $1 xdg_cache_home_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type a XDG config
+##	home type.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for
+##	XDG config home content.  This will also
+##	make the type usable for user home content
+##	files, making calls to userdom_user_home_content(),
+##	redundant.
+##	</p>
+##	<p>
+##	A single base directory relative to which user
+##	specific configuration files should be written.
+##	This directory is defined by the environment
+##	variable $XDG_CONFIG_HOME.
+##	</p>
+##	<p>
+##	Defines the base directory relative to which user
+##	specific configuration files should be stored.
+##	</p>
+##	<p>
+##	If $XDG_CONFIG_HOME is either not set or empty,
+##	a default equal to $HOME/.config should be used.
+##	</p>
+## </desc>
+## <param name="file_type">
+##	<summary>
+##	Type to be used as XDG config home content.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`xdg_config_home_content',`
+	gen_require(`
+		attribute xdg_config_home_type;
+	')
+
+	userdom_user_home_content($1)
+	typeattribute $1 xdg_config_home_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type a XDG data
+##	home type.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for
+##	XDG data home content.  This will also
+##	make the type usable for user home content
+##	files, making calls to userdom_user_home_content(),
+##	redundant.
+##	</p>
+##	<p>
+##	A single base directory relative to which user
+##	specific data files should be written.
+##	This directory is defined by the environment
+##	variable $XDG_DATA_HOME.
+##	</p>
+##	<p>
+##	Defines the base directory relative to which
+##	user specific data files should be stored.
+##	</p>
+##	<p>
+##	If $XDG_DATA_HOME is either not set or empty,  a
+##	default equal to $HOME/.local/share should be used.
+##	</p>
+## </desc>
+## <param name="file_type">
+##	<summary>
+##	Type to be used as XDG data home content.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`xdg_data_home_content',`
+	gen_require(`
+		attribute xdg_data_home_type;
+	')
+
+	userdom_user_home_content($1)
+	typeattribute $1 xdg_data_home_type;
+')
+
+########################################
+## <summary>
+##	Create generic XDG cache home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_create_generic_cache_home_dirs',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	allow $1 xdg_cache_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic XDG cache home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_cache_home_t:dir list_dir_perms;
+	allow $1 xdg_cache_home_t:file read_file_perms;
+	allow $1 xdg_cache_home_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_cache_home_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_cache_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel generic XDG cache home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_relabel_generic_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_cache_home_t:notdevfile_class_set { getattr relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic XDG cache home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_cache_home_t:dir manage_dir_perms;
+	allow $1 xdg_cache_home_t:file manage_file_perms;
+	allow $1 xdg_cache_home_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_cache_home_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_cache_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic XDG cache home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_search_generic_cache_home',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_cache_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	XDG cache home directories with a
+##	private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_cache_home_content_filetrans',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in user home
+##	directories with the generic XDG
+##	cache home type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_user_home_dir_filetrans_cache_home',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create generic XDG config directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_create_generic_config_dirs',`
+	gen_require(`
+		type xdg_conf_t;
+	')
+
+	allow $1 xdg_conf_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic XDG config content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_config_content',`
+	gen_require(`
+		type xdg_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 xdg_conf_t:dir list_dir_perms;
+	allow $1 xdg_conf_t:file read_file_perms;
+	allow $1 xdg_conf_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_conf_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_conf_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic XDG config content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_config_content',`
+	gen_require(`
+		type xdg_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 xdg_conf_t:dir manage_dir_perms;
+	allow $1 xdg_conf_t:file manage_file_perms;
+	allow $1 xdg_conf_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_conf_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_conf_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic XDG config directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_search_generic_config',`
+	gen_require(`
+		type xdg_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 xdg_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	XDG config directories with a
+##	private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_config_content_filetrans',`
+	gen_require(`
+		type xdg_conf_t;
+	')
+
+	files_search_etc($1)
+	filetrans_pattern($1, xdg_conf_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	configuration directories with the
+##	generic XDG config type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_etc_filetrans_config',`
+	gen_require(`
+		type xdg_conf_t;
+	')
+
+	files_etc_filetrans($1, xdg_conf_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create generic XDG config home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_create_generic_config_home_dirs',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	allow $1 xdg_config_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic XDG config home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_config_home_t:dir list_dir_perms;
+	allow $1 xdg_config_home_t:file read_file_perms;
+	allow $1 xdg_config_home_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_config_home_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_config_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel generic XDG config home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_relabel_generic_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_config_home_t:notdevfile_class_set { getattr relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic XDG config home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_config_home_t:dir manage_dir_perms;
+	allow $1 xdg_config_home_t:file manage_file_perms;
+	allow $1 xdg_config_home_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_config_home_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_config_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic XDG config home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_search_generic_config_home',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_config_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	XDG config home directories with a
+##	private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_config_home_content_filetrans',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in user home
+##	directories with the generic XDG
+##	config home type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_user_home_dir_filetrans_config_home',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create generic XDG data home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_create_generic_data_home_dirs',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	allow $1 xdg_data_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic XDG data home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_data_home_t:dir list_dir_perms;
+	allow $1 xdg_data_home_t:file read_file_perms;
+	allow $1 xdg_data_home_t:fifo_file read_fifo_file_perms;
+	allow $1 xdg_data_home_t:lnk_file read_lnk_file_perms;
+	allow $1 xdg_data_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel generic XDG data home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_relabel_generic_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_data_home_t:notdevfile_class_set { getattr relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic XDG data home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_data_home_t:dir manage_dir_perms;
+	allow $1 xdg_data_home_t:file manage_file_perms;
+	allow $1 xdg_data_home_t:fifo_file manage_fifo_file_perms;
+	allow $1 xdg_data_home_t:lnk_file manage_lnk_file_perms;
+	allow $1 xdg_data_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Search generic XDG data home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_search_generic_data_home',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdg_data_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	XDG data home directories with a
+##	private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_data_home_content_filetrans',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create specified objects in user home
+##	directories with the generic XDG
+##	data home type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`xdg_local_home_filetrans_data_home',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	userdom_local_home_filetrans($1, xdg_data_home_t, $2, $3)
+')
diff --git a/xdg.te b/xdg.te
new file mode 100644
index 0000000..90f869b
--- /dev/null
+++ b/xdg.te
@@ -0,0 +1,21 @@
+policy_module(xdg, 1.0.0)
+
+attribute xdg_config_dirs_type;
+attribute xdg_data_dirs_type;
+attribute xdg_runtime_dirs_type;
+
+attribute xdg_cache_home_type;
+attribute xdg_config_home_type;
+attribute xdg_data_home_type;
+
+type xdg_cache_home_t;
+xdg_cache_home_content(xdg_cache_home_t)
+
+type xdg_conf_t;
+xdg_config_file(xdg_conf_t)
+
+type xdg_config_home_t;
+xdg_config_home_content(xdg_config_home_t)
+
+type xdg_data_home_t;
+xdg_data_home_content(xdg_data_home_t)
-- 
1.8.3.1