From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:37 +0200
Subject: [refpolicy] [PATCH 2/4] Allow users to manage all xdg resources
In-Reply-To: <20170522161139.9602-1-sven.vermeulen@siphos.be>
References: <20170522161139.9602-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161139.9602-3-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With the introduction of the freedesktop XDG location support in the policy, end users need to be allowed to manage these locations from their main user domain. The necessary privileges are added to the userdom_manage_home_role() interface, which is in use by the unconfined user domain as well as the userdom_login_user_template() which is used for interactive user domain definitions. The necessary file transitions for the directories are added as well.

Signed-off-by: Sven Vermeulen

--- policy/modules/system/userdomain.if | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 80c6a272..a8996839 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -272,6 +272,34 @@ interface(`userdom_manage_home_role',` userdom_manage_user_certs($2) userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") + xdg_manage_all_cache_home($2) + xdg_relabel_all_cache_home($2) + xdg_manage_all_config_home($2) + xdg_relabel_all_config_home($2) + xdg_manage_all_data_home($2) + xdg_relabel_all_data_home($2) + + xdg_generic_user_home_dir_filetrans_cache_home($2, dir, ".cache") + xdg_generic_user_home_dir_filetrans_config_home($2, dir, ".config") + xdg_generic_user_home_dir_filetrans_data_home($2, dir, ".local") + + xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents") + xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads") + xdg_generic_user_home_dir_filetrans_music($2, dir, "Music") + xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures") + xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos") + + xdg_manage_documents($2) + xdg_relabel_documents($2) + xdg_manage_downloads($2) + xdg_relabel_downloads($2) + xdg_manage_music($2) + xdg_relabel_music($2) + xdg_manage_pictures($2) + xdg_relabel_pictures($2) + xdg_manage_videos($2) + xdg_relabel_videos($2) + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) -- 2.13.0
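
Review bot: The five named transitions for the user directories in userdom_manage_home_role hard-code the English names ("Documents", "Downloads", "Music", "Pictures", "Videos"), so on a desktop where xdg-user-dirs creates localized directory names the transition will not match and those directories will not receive the xdg type at creation time. Consider stating this limitation in the interface documentation, or noting that file contexts plus a relabel are expected to cover those locations. Separately, the xdg_manage_all_cache_home($2), xdg_manage_all_config_home($2) and xdg_manage_all_data_home($2) calls and their relabel counterparts are granted unconditionally to every domain that uses this interface, and by their names they cover every cache, config and data home type rather than only the generic ones; a short comment in the interface confirming that this breadth is intended would help later reviewers.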