From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 22 May 2017 19:37:02 -0400
Subject: [refpolicy] [PATCH 1/4] freedesktop location support
In-Reply-To: <20170522161139.9602-2-sven.vermeulen@siphos.be>
References: <20170522161139.9602-1-sven.vermeulen@siphos.be> <20170522161139.9602-2-sven.vermeulen@siphos.be>
Message-ID: <58c6d054-b801-cccd-2233-1cfae3a2b46f@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/22/2017 12:11 PM, Sven Vermeulen via refpolicy wrote:
> Introduce various freedesktop locations, based on the base directory
> specification [1]. The new locations are introduced as a separate module
> to keep the rules related to these specifications isolated from the main
> user domain (which is already one of the biggest modules code-wise).
>
> Right now, two distinct location groups are provided, one being the set
> of locations that will have domain-specific types, and one that remains
> generic for end users.
>
> The first set of types are:
> - XDG Cache location, meant for non-essential cached data. The base type
>   here is xdg_cache_home_t, which is generally at $HOME/.cache
> - XDG Data location, for user-specific data. The base type here is
>   xdg_data_home_t, which is generally at $HOME/.local
> - XDG Config location, for user-specific configuration files. The base
>   type here is xdg_config_home_t, which is generally at $HOME/.config
>
> The idea here is to provide support for domain-specific files as well.
> For instance, Chromium has its user-specific configuration files in
> ~/.config/chromium, which is then marked as chromium_xdg_config_home_t.
>
> This allows for isolation of potentially sensitive information from
> regular user application domains. Firefox for instance should not be
> able to read user configuration data from unrelated applications.
>
> The second set of types are:
> - User documents, with xdg_documents_t as the type. This is
>   generally for the ~/Documents location.
> - User downloads, with xdg_downloads_t as the type. This is
>   generally for the ~/Downloads location.
> - User music, with xdg_music_t as the type. This is generally for
>   the ~/Music location.
> - User pictures, with xdg_pictures_t as the type. This is generally
>   for the ~/Pictures location.
> - User videos, with xdg_videos_t as the type. This is generally for
>   the ~/Videos location.
>
> Alongside the type definitions, a number of access interfaces are
> defined to support the use of these types, and for the first set to
> enable the necessary file transitions.

I don't think I have any issues with this, except for some naming. It's so big that I'll leave it open for comment first, before resolving the naming.

> [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> Signed-off-by: Sven Vermeulen
> --- > policy/modules/system/xdg.fc | 8 + > policy/modules/system/xdg.if | 1231 ++++++++++++++++++++++++++++++++++++++++++ > policy/modules/system/xdg.te | 38 ++ > 3 files changed, 1277 insertions(+) > create mode 100644 policy/modules/system/xdg.fc > create mode 100644 policy/modules/system/xdg.if > create mode 100644 policy/modules/system/xdg.te > > diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc > new file mode 100644 > index 00000000..f3ae93a2 > --- /dev/null > +++ b/policy/modules/system/xdg.fc > @@ -0,0 +1,8 @@ > +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0) > +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0) > +HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0) > +HOME_DIR/Documents(/.*)? gen_context(system_u:object_r:xdg_documents_t,s0) > +HOME_DIR/Downloads(/.*)? gen_context(system_u:object_r:xdg_downloads_t,s0) > +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:xdg_music_t,s0) > +HOME_DIR/Pictures(/.*)? gen_context(system_u:object_r:xdg_pictures_t,s0) > +HOME_DIR/Videos(/.*)? gen_context(system_u:object_r:xdg_videos_t,s0) 
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if > new file mode 100644 > index 00000000..010b7d26 > --- /dev/null > +++ b/policy/modules/system/xdg.if 
> @@ -0,0 +1,1231 @@ > +## > +## Freedesktop standard locations (formerly known as X Desktop Group) > +## > + > + > +######################################## > +## > +## Mark the selected type as an xdg_cache_home_type > +## > +## > +## > +## Type to give the xdg_cache_home_type attribute to > +## > +## > +# > +interface(`xdg_cache_home_content',` > + gen_require(` > + attribute xdg_cache_home_type; > + ') > + > + typeattribute $1 xdg_cache_home_type; > + > + userdom_user_home_content($1) > +') > + > +######################################## > +## > +## Mark the selected type as an xdg_config_home_type > +## > +## > +## > +## Type to give the xdg_config_home_type attribute to > +## > +## > +# > +interface(`xdg_config_home_content',` > + gen_require(` > + attribute xdg_config_home_type; > + ') > + > + typeattribute $1 xdg_config_home_type; > + > + userdom_user_home_content($1) > +') > + > +######################################## > +## > +## Mark the selected type as an xdg_data_home_type > +## > +## > +## > +## Type to give the xdg_data_home_type attribute to > +## > +## > +# > +interface(`xdg_data_home_content',` > + gen_require(` > + attribute xdg_data_home_type; > + ') > + > + typeattribute $1 xdg_data_home_type; > + > + userdom_user_home_content($1) > +') > + > + > +######################################## > +## > +## Read the xdg cache home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_read_cache_home_files',` > + gen_require(` > + type xdg_cache_home_t; > + ') > + > + read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Read all xdg_cache_home_type files > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_read_all_cache_home_files',` > + gen_require(` > + attribute xdg_cache_home_type; > + ') > + > + read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in an xdg_cache_home directory > +## with an automatic type transition to > +## a specified private type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to create. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the file or directory created > +## > +## > +# > +interface(`xdg_cache_home_filetrans',` > + gen_require(` > + type xdg_cache_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + > + filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4) > + > + xdg_create_cache_home_dirs($1) > + xdg_generic_user_home_dir_filetrans_cache_home($1, dir, ".cache") > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_cache_home_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. 
> +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_cache_home',` > + gen_require(` > + type xdg_cache_home_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3) > +') > + > +######################################## > +## > +## Create xdg cache home directories > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_create_cache_home_dirs',` > + gen_require(` > + type xdg_cache_home_t; > + ') > + > + allow $1 xdg_cache_home_t:dir create_dir_perms; > +') > + > +######################################## > +## > +## Manage the xdg cache home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_manage_cache_home',` > + gen_require(` > + type xdg_cache_home_t; > + ') > + > + manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Manage all the xdg cache home files regardless of their specific type > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_manage_all_cache_home',` > + gen_require(` > + attribute xdg_cache_home_type; > + ') > + > + manage_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + manage_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + manage_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + manage_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + manage_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Allow relabeling the xdg cache home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_relabel_cache_home',` > + gen_require(` > + type xdg_cache_home_t; > + ') > + > + relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Allow relabeling the xdg cache home files, regardless of their specific type > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_relabel_all_cache_home',` > + gen_require(` > + attribute xdg_cache_home_type; > + ') > + > + relabel_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + relabel_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + relabel_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + relabel_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + relabel_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Search through the xdg config home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_search_config_home_dirs',` > + gen_require(` > + type xdg_config_home_t; > + ') > + > + search_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Read the xdg config home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_read_config_home_files',` > + gen_require(` > + type xdg_config_home_t; > + ') > + > + read_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Read all xdg_config_home_type files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_read_all_config_home_files',` > + gen_require(` > + attribute xdg_config_home_type; > + ') > + > + read_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in an xdg_config_home directory > +## with an automatic type transition to > +## a specified private type. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +## > +## > +## The type of the object to create. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the file or directory created > +## > +## > +# > +interface(`xdg_config_home_filetrans',` > + gen_require(` > + type xdg_config_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + > + filetrans_pattern($1, xdg_config_home_t, $2, $3, $4) > + > + xdg_create_config_home_dirs($1) > + xdg_generic_user_home_dir_filetrans_config_home($1, dir, ".config") > + > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_config_home_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_config_home',` > + gen_require(` > + type xdg_config_home_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3) > +') > + > +######################################## > +## > +## Create xdg config home directories > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_create_config_home_dirs',` > + gen_require(` > + type xdg_config_home_t; > + ') > + > + allow $1 xdg_config_home_t:dir create_dir_perms; > +') > + > +######################################## > +## > +## Manage the xdg config home files > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_manage_config_home',` > + gen_require(` > + type xdg_config_home_t; > + ') > + > + manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Manage all the xdg config home files regardless of their specific type > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_manage_all_config_home',` > + gen_require(` > + attribute xdg_config_home_type; > + ') > + > + manage_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type) > + manage_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + manage_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + manage_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + manage_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Allow relabeling the xdg config home files > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_relabel_config_home',` > + gen_require(` > + type xdg_config_home_t; > + ') > + > + relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Allow relabeling the xdg config home files, regardless of their specific type > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_relabel_all_config_home',` > + gen_require(` > + attribute xdg_config_home_type; > + ') > + > + relabel_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type) > + relabel_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + relabel_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + relabel_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + relabel_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Read the xdg data home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_read_data_home_files',` > + gen_require(` > + type xdg_data_home_t; > + ') > + > + read_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Read all xdg_data_home_type files > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_read_all_data_home_files',` > + gen_require(` > + attribute xdg_data_home_type; > + ') > + > + read_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in an xdg_data_home directory > +## with an automatic type transition to > +## a specified private type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to create. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Optional name of the file or directory created > +## > +## > +# > +interface(`xdg_data_home_filetrans',` > + gen_require(` > + type xdg_data_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + > + filetrans_pattern($1, xdg_data_home_t, $2, $3, $4) > + > + xdg_create_data_home_dirs($1) > + xdg_generic_user_home_dir_filetrans_data_home($1, dir, ".local") > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_data_home_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_data_home',` > + gen_require(` > + type xdg_data_home_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_data_home_t, $2, $3) > +') > + > +######################################## > +## > +## Create xdg data home directories > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_create_data_home_dirs',` > + gen_require(` > + type xdg_data_home_t; > + ') > + > + allow $1 xdg_data_home_t:dir create_dir_perms; > +') > + > +######################################## > +## > +## Manage the xdg data home files > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_manage_data_home',` > + gen_require(` > + type xdg_data_home_t; > + ') > + > + manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Manage all the xdg data home files, regardless of their specific type > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_manage_all_data_home',` > + gen_require(` > + attribute xdg_data_home_type; > + ') > + > + manage_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type) > + manage_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + manage_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + manage_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + manage_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Allow relabeling the xdg data home files > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_relabel_data_home',` > + gen_require(` > + type xdg_data_home_t; > + ') > + > + relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Allow relabeling the xdg data home files, regardless of their type > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_relabel_all_data_home',` > + gen_require(` > + attribute xdg_data_home_type; > + ') > + > + relabel_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type) > + relabel_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + relabel_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + relabel_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + relabel_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_documents_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. 
> +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_documents',` > + gen_require(` > + type xdg_documents_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_documents_t, $2, $3) > +') > + > +######################################### > +## > +## Manage documents content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_manage_documents',` > + gen_require(` > + type xdg_documents_t; > + ') > + > + manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t) > + manage_files_pattern($1, xdg_documents_t, xdg_documents_t) > +') > + > +######################################## > +## > +## Allow relabeling the documents resources > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_relabel_documents',` > + gen_require(` > + type xdg_documents_t; > + ') > + > + relabel_dirs_pattern($1, xdg_documents_t, xdg_documents_t) > + relabel_files_pattern($1, xdg_documents_t, xdg_documents_t) > + relabel_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################### > +## > +## Read downloaded content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_read_downloads',` > + gen_require(` > + type xdg_downloads_t; > + ') > + > + read_files_pattern($1, xdg_downloads_t, xdg_downloads_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################### > +## > +## Create downloaded content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_create_downloads',` > + gen_require(` > + type xdg_downloads_t; > + ') > + > + create_files_pattern($1, xdg_downloads_t, xdg_downloads_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################### > +## > +## Write downloaded content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > 
+interface(`xdg_write_downloads',` > + gen_require(` > + type xdg_downloads_t; > + ') > + > + write_files_pattern($1, xdg_downloads_t, xdg_downloads_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_downloads_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_downloads',` > + gen_require(` > + type xdg_downloads_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_downloads_t, $2, $3) > +') > + > +######################################### > +## > +## Manage downloaded content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_manage_downloads',` > + gen_require(` > + type xdg_downloads_t; > + ') > + > + manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t) > + manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t) > +') > + > +######################################## > +## > +## Allow relabeling the downloads resources > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_relabel_downloads',` > + gen_require(` > + type xdg_downloads_t; > + ') > + > + relabel_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t) > + relabel_files_pattern($1, xdg_downloads_t, xdg_downloads_t) > + relabel_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################### > +## > +## Read user pictures content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_read_pictures',` > + gen_require(` > + type xdg_pictures_t; > + ') > + > + read_files_pattern($1, xdg_pictures_t, xdg_pictures_t) > + list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_pictures_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_pictures',` > + gen_require(` > + type xdg_pictures_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_pictures_t, $2, $3) > +') > + > +######################################### > +## > +## Manage pictures content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_manage_pictures',` > + gen_require(` > + type xdg_pictures_t; > + ') > + > + manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t) > + manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t) > +') > + > +######################################## > +## > +## Allow relabeling the pictures resources > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_relabel_pictures',` > + gen_require(` > + type xdg_pictures_t; > + ') > + > + relabel_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t) > + relabel_files_pattern($1, xdg_pictures_t, xdg_pictures_t) > + relabel_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################### > +## > +## Read user music content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_read_music',` > + gen_require(` > + type xdg_music_t; > + ') > + > + read_files_pattern($1, xdg_music_t, xdg_music_t) > + list_dirs_pattern($1, xdg_music_t, xdg_music_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_pictures_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_music',` > + gen_require(` > + type xdg_music_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_music_t, $2, $3) > +') > + > +######################################### > +## > +## Manage music content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_manage_music',` > + gen_require(` > + type xdg_music_t; > + ') > + > + manage_dirs_pattern($1, xdg_music_t, xdg_music_t) > + manage_files_pattern($1, xdg_music_t, xdg_music_t) > +') > + > +######################################## > +## > +## Allow relabeling the music resources > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_relabel_music',` > + gen_require(` > + type xdg_music_t; > + ') > + > + relabel_dirs_pattern($1, xdg_music_t, xdg_music_t) > + relabel_files_pattern($1, xdg_music_t, xdg_music_t) > + relabel_lnk_files_pattern($1, xdg_music_t, xdg_music_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################### > +## > +## Read user video content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_read_videos',` > + gen_require(` > + type xdg_videos_t; > + ') > + > + read_files_pattern($1, xdg_videos_t, xdg_videos_t) > + list_dirs_pattern($1, xdg_videos_t, xdg_videos_t) > + > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create objects in the user home dir with an automatic type transition to > +## the xdg_videos_t type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## Name of the directory created > +## > +## > +# > +interface(`xdg_generic_user_home_dir_filetrans_videos',` > + gen_require(` > + type xdg_videos_t; > + ') > + > + userdom_user_home_dir_filetrans($1, xdg_videos_t, $2, $3) > +') > + > +######################################### > +## > +## Manage video content > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`xdg_manage_videos',` > + gen_require(` > + type xdg_videos_t; > + ') > + > + manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t) > + manage_files_pattern($1, xdg_videos_t, xdg_videos_t) > +') > + > +######################################## > +## > +## Allow relabeling the videos resources > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`xdg_relabel_videos',` > + gen_require(` > + type xdg_videos_t; > + ') > + > + relabel_dirs_pattern($1, xdg_videos_t, xdg_videos_t) > + relabel_files_pattern($1, xdg_videos_t, xdg_videos_t) > + relabel_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t) > + > + userdom_search_user_home_dirs($1) > +') > diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te > new file mode 100644 > index 00000000..43a90fc2 > --- /dev/null > +++ b/policy/modules/system/xdg.te > @@ -0,0 +1,38 @@ > +policy_module(xdg, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +attribute xdg_cache_home_type; > + > +attribute xdg_config_home_type; > + > +attribute xdg_data_home_type; > + > + > +type xdg_cache_home_t; > +xdg_cache_home_content(xdg_cache_home_t) > + > +type xdg_config_home_t; > +xdg_config_home_content(xdg_config_home_t) > + > +type xdg_data_home_t; > +xdg_data_home_content(xdg_data_home_t) > + > +# Various user location types (see ~/.config/user-dirs.dirs) > +type xdg_documents_t; # customizable > +userdom_user_home_content(xdg_documents_t) > + > +type xdg_downloads_t; # customizable > +userdom_user_home_content(xdg_downloads_t) > + > +type xdg_music_t; # customizable > +userdom_user_home_content(xdg_music_t) > + > +type xdg_pictures_t; # customizable > +userdom_user_home_content(xdg_pictures_t) > + > +type xdg_videos_t; # customizable > +userdom_user_home_content(xdg_videos_t) > -- Chris PeBenito
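
Review bot: In xdg.fc, the `HOME_DIR/\.local(/.*)?` entry gives xdg_data_home_t to everything under ~/.local, which is wider than the data directory in the basedir specification the commit message cites (its default for XDG_DATA_HOME is $HOME/.local/share). Anything else a user keeps under ~/.local then becomes reachable through xdg_read_data_home_files and xdg_manage_data_home as if it were application data. Consider narrowing the pattern to the share subdirectory, together with the ".local" name passed in xdg_data_home_filetrans, or add a comment explaining why the whole tree is covered.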
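
Review bot: In xdg.if, xdg_manage_documents, xdg_manage_downloads, xdg_manage_pictures, xdg_manage_music and xdg_manage_videos end without the userdom_search_user_home_dirs($1) call that the read and relabel interfaces for the same types all carry, so a caller that uses only the manage interface gets no search permission on the home directory from it. Add the call to the five manage interfaces, or document that callers must obtain it separately. Two smaller points in the same file: the summary above xdg_generic_user_home_dir_filetrans_music names xdg_pictures_t although the body uses xdg_music_t, and xdg_read_downloads has no list_dirs_pattern line while xdg_read_pictures, xdg_read_music and xdg_read_videos do.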
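
Review bot: In xdg.te, the comment above the five user location types points at ~/.config/user-dirs.dirs and each type is marked "# customizable", but xdg.fc in this patch only labels the fixed names Documents, Downloads, Music, Pictures and Videos, and nothing in the patch says how a directory renamed or relocated through that file is meant to get its label. A short comment here stating the expected handling would help. The three xdg_*_home_type attributes are also declared without a comment describing what they group.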