From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 22 May 2017 18:11:37 +0200 Subject: [refpolicy] [PATCH 01/19] Enhance evolution domain with XDG privilege sets In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be> References: <20170522161155.9648-1-sven.vermeulen@siphos.be> Message-ID: <20170522161155.9648-2-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The Evolution e-mail client uses all XDG locations, which have been switched from the regular end user type (user_home_t) toward the XDG related ones. In this patch, the evolution_t domain now supports accessing the newly defined types. Next to the XDG changes, the user content accesses are now also made optional through the evolution_{read,manage}_{generic,all}_user_content booleans. The mail client does have manage rights on the Downloads location. Signed-off-by: Sven Vermeulen
---
 evolution.fc | 3 +++
 evolution.te | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/evolution.fc b/evolution.fc
index efe7e1f..834c6e2 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,8 @@
 HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.config/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_home_t,s0)
 HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_home_t,s0)
+HOME_DIR/\.local/share/camel_certs(/.*)? gen_context(system_u:object_r:evolution_xdg_config_home_t,s0)
 /tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
diff --git a/evolution.te b/evolution.te
index f97985e..de75d39 100644
--- a/evolution.te
+++ b/evolution.te
@@ -14,6 +14,34 @@ policy_module(evolution, 2.6.3)
 ##
 gen_tunable(evolution_manage_user_certs, false)
+##
+##
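Review bot: The two `HOME_DIR/\.local/share/...` entries label XDG data-home paths as `evolution_xdg_config_home_t`, yet the evolution.te hunks below declare a separate `evolution_xdg_data_home_t` via `xdg_data_home_content()` and have `xdg_data_home_filetrans` create files under `~/.local/share` with that type, so a relabel (`restorecon -R ~`) and runtime creation would disagree on the label of the same tree. Those lines should be `HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_data_home_t,s0)` and `HOME_DIR/\.local/share/camel_certs(/.*)? gen_context(system_u:object_r:evolution_xdg_data_home_t,s0)`. Nothing in this file maps a path to `evolution_xdg_cache_home_t` either, so the cache tree evolution_t creates through `xdg_cache_home_filetrans` would revert to the generic cache type on relabel; assuming Evolution caches under `~/.cache/evolution`, add `HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_cache_home_t,s0)`.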

+## Grant the evolution domains read access to generic user content
+##

+##
+gen_tunable(`evolution_read_generic_user_content', true)
+
+##
+##

+## Grant the evolution domains read access to all user content
+##

+##
+gen_tunable(`evolution_read_all_user_content', false)
+
+##
+##

+## Grant the evolution domains manage rights on generic user content
+##

+##
+gen_tunable(`evolution_manage_generic_user_content', false)
+
+##
+##

+## Grant the evolution domains manage rights on all user content
+##

+##
+gen_tunable(`evolution_manage_all_user_content', false)
+
 attribute_role evolution_roles;
 type evolution_t;
@@ -105,6 +133,15 @@ typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_e
 typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
 userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
+type evolution_xdg_cache_home_t;
+xdg_cache_home_content(evolution_xdg_cache_home_t)
+
+type evolution_xdg_config_home_t;
+xdg_config_home_content(evolution_xdg_config_home_t)
+
+type evolution_xdg_data_home_t;
+xdg_data_home_content(evolution_xdg_data_home_t)
+
 ########################################
 #
 # Local policy
@@ -142,6 +179,18 @@ stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm
 stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
 stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+manage_files_pattern(evolution_t, evolution_xdg_cache_home_t, evolution_xdg_cache_home_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_cache_home_t, evolution_xdg_cache_home_t)
+xdg_cache_home_filetrans(evolution_t, evolution_xdg_cache_home_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_config_home_t, evolution_xdg_config_home_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_config_home_t, evolution_xdg_config_home_t)
+xdg_config_home_filetrans(evolution_t, evolution_xdg_config_home_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_data_home_t, evolution_xdg_data_home_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_data_home_t, evolution_xdg_data_home_t)
+xdg_data_home_filetrans(evolution_t, evolution_xdg_data_home_t, { dir file } )
+
 can_exec(evolution_t, { evolution_alarm_exec_t evolution_server_exec_t })
 kernel_read_kernel_sysctls(evolution_t)
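Review bot: The four tunable descriptions do not say what the chosen defaults mean in practice: with only `evolution_read_generic_user_content` defaulting to true, the domain keeps read access to generic home content but loses the unconditional write access that the `@@ -207,17` hunk removes, so saving an attachment anywhere other than the XDG Downloads directory now requires enabling `evolution_manage_generic_user_content`. I would extend the manage descriptions to state that, e.g. `## Grant the evolution domains manage rights on generic user content (needed to save attachments outside the Downloads location)`, and add to the `_all_` variants that they presumably also expose other applications' private home content types to the mail client, which is why they default to off. The surrounding `<desc>` markup is not visible on this page, so only the wording is reviewed here.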
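Review bot: The three `xdg_*_home_filetrans` calls pass no filename, so — if these interfaces accept the optional name argument that the other refpolicy filetrans interfaces do — every directory or file evolution_t creates directly under `~/.config`, `~/.cache` and `~/.local/share` becomes evolution-private rather than only the `evolution` subtree, and anything else the process writes there is then unreadable by other domains. A named transition on the directory is enough, since files created inside inherit the parent's type and the `manage_*_pattern` rules above cover them: `xdg_config_home_filetrans(evolution_t, evolution_xdg_config_home_t, dir, "evolution")`, with the same form for the cache type and, for the data type, one transition each for `"evolution"` and `"camel_certs"` to match the paths the .fc hunk labels. This would also keep the filetrans rules consistent with the file contexts rather than broader than them.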
@@ -200,6 +249,7 @@ udev_read_state(evolution_t)
 userdom_use_user_terminals(evolution_t)
+
 tunable_policy(`evolution_manage_user_certs',`
 	userdom_manage_user_certs(evolution_t)
 ',`
@@ -207,17 +257,14 @@ tunable_policy(`evolution_manage_user_certs',`
 	userdom_read_user_certs(evolution_t)
 ')
-userdom_manage_user_tmp_dirs(evolution_t)
-userdom_manage_user_tmp_files(evolution_t)
-
-userdom_manage_user_home_content_dirs(evolution_t)
-userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
-
 userdom_write_user_tmp_sockets(evolution_t)
+userdom_user_content_access_template(evolution, evolution_t)
+
 mta_read_config(evolution_t)
+xdg_manage_downloads(evolution_t)
+
 xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
 xserver_read_xdm_tmp_files(evolution_t)
-- 
2.13.0
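Review bot: The removal of `userdom_manage_user_tmp_dirs(evolution_t)` and `userdom_manage_user_tmp_files(evolution_t)` is not covered by the commit message, which only describes the XDG and user-content changes, while `userdom_write_user_tmp_sockets(evolution_t)` is kept; if Evolution still writes temporary files or attachment previews under /tmp this will show up as new denials rather than as an intended tightening. Either restore the two lines or state in the description that user tmp access was dropped deliberately and why. `xdg_manage_downloads(evolution_t)` being unconditional matches the description, but a short comment next to it, e.g. `# attachments are saved to the XDG Downloads location regardless of the user content booleans`, would make it clear that this is the one write path that stays outside the tunable template.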