From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 13 Aug 2016 22:11:01 +0200 (CEST)
Subject: [refpolicy] [PATCH] Update the colord module
Message-ID: <1723933090.942512.1471119061166.JavaMail.open-xchange@popper02.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Update the colord module:
- add support for writing colord subdirectories of /usr/share;
- add support for reading colord subdirectories of /home (e.g. ICC profiles).
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/colord.fc | 5 +++++
 policy/modules/contrib/colord.te | 13 +++++++++++++
 2 files changed, 18 insertions(+)
--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.fc 2016-08-06 21:27:11.337094143 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.fc 2016-08-13 17:39:07.096980948 +0200
@@ -1,3 +1,5 @@
+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:colord_home_t,s0)
+
 /usr/lib/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/lib/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
@@ -7,5 +9,8 @@
 /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/share/color(/.*)? gen_context(system_u:object_r:colord_usr_lib_t,s0)
+/usr/share/colord(/.*)? gen_context(system_u:object_r:colord_usr_lib_t,s0)
+
 /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
 /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
--- refpolicy-git-06082016-orig/policy/modules/contrib/colord.te 2016-08-06 21:27:11.338094155 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/colord.te 2016-08-13 22:01:26.485422418 +0200
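Review bot: Labelling `/usr/share/color(/.*)?` and `/usr/share/colord(/.*)?` as colord_usr_lib_t, a type the colord.te hunk at `@@ -39,6 +49,9 @@` then grants manage_dirs_pattern/manage_files_pattern on, makes part of /usr/share writable by a running system daemon, which the read-only /usr convention (files_usr_t) otherwise rules out; a compromised colord_t could then alter the system ICC profiles that every colour-managed application loads. If the daemon only reads these directories at runtime (package installation writes them outside colord_t), that hunk could use `read_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)` and `list_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)` instead; if it genuinely writes profiles at runtime, the writable location should be the already-managed colord_var_lib_t tree under /var/lib. Either way, a short comment above the new fc entries stating why /usr/share needs its own type and which permissions it requires would help the next reviewer. The name colord_usr_lib_t also reads as /usr/lib content; a name matching the path (for example `colord_usr_share_t`, constructed here) would be clearer.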
@@ -9,12 +9,18 @@
 type colord_t;
 type colord_exec_t;
 dbus_system_domain(colord_t, colord_exec_t)
+type colord_home_t;
+userdom_user_home_content(colord_home_t);
+
 type colord_tmp_t;
 files_tmp_file(colord_tmp_t)
 type colord_tmpfs_t;
 files_tmpfs_file(colord_tmpfs_t)
+type colord_usr_lib_t;
+files_type(colord_usr_lib_t)
+
 type colord_var_lib_t;
 files_type(colord_var_lib_t)
@@ -31,6 +37,10 @@ allow colord_t self:netlink_kobject_ueve
 allow colord_t self:tcp_socket { accept listen };
 allow colord_t self:shm create_shm_perms;
+allow colord_t colord_home_t:dir list_dir_perms;
+allow colord_t colord_home_t:file read_file_perms;
+allow colord_t colord_home_t:lnk_file read_lnk_file_perms;
+
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -39,6 +49,9 @@ manage_dirs_pattern(colord_t, colord_tmp
 manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
 fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
+manage_dirs_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
+manage_files_pattern(colord_t, colord_usr_lib_t, colord_usr_lib_t)
+
 manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
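Review bot: The new `userdom_user_home_content(colord_home_t);` carries a trailing semicolon while every neighbouring interface call in the hunk (`files_tmp_file(colord_tmp_t)`, `files_type(colord_usr_lib_t)`) has none; these are m4 macros, so the `;` survives expansion as a stray token after the generated rules and will likely be rejected by the policy compiler or at least fail the module's style checks. It should be written as `userdom_user_home_content(colord_home_t)`. A one-line comment above each new type (e.g. that colord_home_t covers per-user ICC profiles under ~/.local/share/icc and that colord_usr_lib_t covers the /usr/share colour data) would also match the declaration style of the surrounding file.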
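Review bot: The three new `allow colord_t colord_home_t:...` rules only cover the labelled `~/.local/share/icc` tree; reaching it still requires search on the user's home directory and on the intervening `.local` and `.local/share` directories, which keep their user_home_dir_t/user_home_t labels, so unless colord.te already grants that outside this hunk (not visible here) colord_t also needs `userdom_search_user_home_content(colord_t)`. Style-wise, refpolicy expresses these grants through the pattern macros rather than raw allow rules: `list_dirs_pattern(colord_t, colord_home_t, colord_home_t)`, `read_files_pattern(colord_t, colord_home_t, colord_home_t)` and `read_lnk_files_pattern(colord_t, colord_home_t, colord_home_t)`, which also add the directory search permission the raw rules omit. Keeping the grant read-only, as this hunk does, is the right scope for a system daemon touching user-owned profiles.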