From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 22 May 2017 20:02:48 -0400
Subject: [refpolicy] [PATCH 00/19] X Desktop Group location support and reduced user content access privileges, contrib part
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <07acc0ba-0f9b-d38a-5b4a-e2a1fc46358a@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/22/2017 12:11 PM, Sven Vermeulen via refpolicy wrote:
> This is the patch set that implements the more granular approach to user
> resources (files, directories) in the users' home directory. It requires
> the first patch set (which introduces the support for this more granular
> approach) which has been submitted earlier on.
>
> To recap, the first patch set introduces a number of additional types
> and attributes to support the XDG related resource locations, divided in
> two sets:
> - The main XDG locations used for user-specific application data (in
>   ~/.local, marked as xdg_data_home_t), user-specific cache data (in
>   ~/.cache, marked as xdg_cache_home_t), and user-specific application
>   configuration data (in ~/.config, marked as xdg_config_home_t).
>   It also enables support for application/domain-specific types within
>   (such as mozilla_xdg_config_home_t).
> - End user resource locations tailored to the common resource types. It
>   enables the "Documents/" location to be marked with xdg_documents_t,
>   "Downloads/" with xdg_downloads_t, "Pictures/" with xdg_pictures_t,
>   "Music/" with xdg_music_t and "Videos/" with xdg_videos_t.
>
> This patchset updates a number of application domains to support
> these locations. Note that not all of Guido's work (who retriggered
> the upstreaming of this patch set) is included here, as some of the
> suggested changes were harder for me to review or confirm. However,
> these can be easily reapplied if needed.

I looked through only some of these, because of the comments on the main
XDG patch set. I didn't notice anything that jumped out at me except for
what seemed to be unnecessary type renaming in the telepathy module.

> Sven Vermeulen (19):
>   Enhance evolution domain with XDG privilege sets
>   Enhance gnome domains with XDG privilege sets
>   Enhance minidlna domain with XDG privilege sets
>   Enhance mozilla domain with XDG privilege sets
>   Enhance mplayer domains with XDG privilege sets
>   Enhance pulseaudio domain with XDG privilege sets
>   Enhance telepathy domains with XDG privilege sets
>   Enhance thunderbird domain with XDG privilege sets
>   Make cron user content access optional
>   Make firstboot user content access optional
>   Make gpg user content access optional
>   Make i18n_input user content access optional
>   Make irc user content access optional
>   Make java user content access optional
>   Make openoffice user content access optional
>   Make postfix user content access optional
>   Make wireshark user content access optional
>   Make xscreensaver user content access optional
>   Switch syncthing to XDG config types and make user content access
>     optional
>
>  cron.te         | 49 +++++++++++++++++++++++++++++++---------
>  evolution.fc    |  3 +++
>  evolution.te    | 61 +++++++++++++++++++++++++++++++++++++++++++------
>  firstboot.te    | 42 +++++++++++++++++++++++++++++-----
>  gnome.fc        |  5 +++++
>  gnome.te        | 34 ++++++++++++++++++++++++++++
>  gpg.te          | 34 ++++++++++++++++++++++++++++--
>  i18n_input.te   | 24 +++++++++++++++++++-
>  irc.te          | 34 +++++++++++++++++++++++++---
>  java.te         | 41 ++++++++++++++++++++++++++++-----
>  minidlna.te     |  4 ++++
>  mozilla.fc      |  1 +
>  mozilla.te      | 46 +++++++++++++++++++++++++++++++++----
>  mplayer.te      | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
>  openoffice.te   | 37 +++++++++++++++++++++++++-----
>  postfix.te      | 34 +++++++++++++++++++++++-----
>  pulseaudio.fc   |  2 +-
>  pulseaudio.te   | 11 +++++++++
>  syncthing.fc    |  2 +-
>  syncthing.if    |  8 +++---
>  syncthing.te    | 47 +++++++++++++++++++++++++++++---------
>  telepathy.fc    | 18 +++++++-------
>  telepathy.if    | 24 ++++++++++----------
>  telepathy.te    | 70 ++++++++++++++++++++++++++++----------------------------
>  thunderbird.te  | 43 +++++++++++++++++++++++++++++++----
>  wireshark.te    | 33 +++++++++++++++++++++++++--
>  xscreensaver.te | 26 ++++++++++++++++++++-
>  27 files changed, 667 insertions(+), 136 deletions(-)

--
Chris PeBenito
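As an added illustration of the pattern the series applies to each contrib domain (tailored access to the XDG types granted directly, generic user home content access moved behind a tunable), here is a refpolicy-style module fragment for a hypothetical myapp_t domain. It is not code from this patch set; the xdg_* interface names are assumptions, since the first patch set that defines them is not on this page, while gen_tunable, tunable_policy, the *_pattern macros and userdom_manage_user_home_content_* are existing refpolicy constructs.

```selinux
# myapp.te (constructed example; myapp_t and the xdg_* interfaces are assumptions)
policy_module(myapp, 1.0.0)

## <desc>
## <p>
## Allow myapp to manage generic user home content, i.e. files and
## directories outside the XDG locations it is explicitly tailored for.
## </p>
## </desc>
gen_tunable(myapp_manage_user_content, false)

type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

# Application-specific configuration under ~/.config/myapp gets its own
# type within xdg_config_home_t, in the same way mozilla_xdg_config_home_t does.
type myapp_xdg_config_home_t;
xdg_config_home_content(myapp_xdg_config_home_t)   # assumed interface

# Tailored access: myapp keeps its own configuration and reads what the
# user downloaded, and gets nothing else in the home directory by default.
manage_dirs_pattern(myapp_t, myapp_xdg_config_home_t, myapp_xdg_config_home_t)
manage_files_pattern(myapp_t, myapp_xdg_config_home_t, myapp_xdg_config_home_t)
xdg_search_config_dirs(myapp_t)   # assumed interface: traverse ~/.config
xdg_read_downloads(myapp_t)       # assumed interface: read ~/Downloads

# Broad access to user content is opt-in; the default policy no longer grants it.
tunable_policy(`myapp_manage_user_content',`
	userdom_manage_user_home_content_dirs(myapp_t)
	userdom_manage_user_home_content_files(myapp_t)
')

# myapp.fc: label the application's own XDG configuration directory so the
# tailored rules above apply to it rather than the generic home content type.
HOME_DIR/\.config/myapp(/.*)?    gen_context(system_u:object_r:myapp_xdg_config_home_t,s0)
```

With the tunable left at its default of false the domain reaches only the labelled XDG paths; an administrator who needs the previous behaviour enables it with `setsebool -P myapp_manage_user_content on`.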