From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 20 Nov 2017 14:29:33 +0100 Subject: [refpolicy] [PATCH v2 4/7] freedesktop location support In-Reply-To: <20171120132936.25695-1-sven.vermeulen@siphos.be> References: <20171120132936.25695-1-sven.vermeulen@siphos.be> Message-ID: <20171120132936.25695-5-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. 
- User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen
---
policy/modules/system/xdg.fc | 8 + policy/modules/system/xdg.if | 1231 ++++++++++++++++++++++++++++++++++++++++++ policy/modules/system/xdg.te | 38 ++ 3 files changed, 1277 insertions(+) create mode 100644 policy/modules/system/xdg.fc create mode 100644 policy/modules/system/xdg.if create mode 100644 policy/modules/system/xdg.te
diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
new file mode 100644
index 00000000..7e8d8760
--- /dev/null
+++ b/policy/modules/system/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_t,s0)
+HOME_DIR/Documents(/.*)? gen_context(system_u:object_r:xdg_documents_t,s0)
+HOME_DIR/Downloads(/.*)? gen_context(system_u:object_r:xdg_downloads_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:xdg_music_t,s0)
+HOME_DIR/Pictures(/.*)? gen_context(system_u:object_r:xdg_pictures_t,s0)
+HOME_DIR/Videos(/.*)? gen_context(system_u:object_r:xdg_videos_t,s0)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
new file mode 100644
index 00000000..9b4e0083
--- /dev/null
+++ b/policy/modules/system/xdg.if
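Review bot: In xdg.fc the entry `HOME_DIR/\.local(/.*)?` labels the whole `~/.local` tree as `xdg_data_t`, while the base directory specification cited in the commit message defaults XDG_DATA_HOME to `$HOME/.local/share`. Anything else kept under `~/.local` (a per-user `bin` directory, if one exists) would then be handled as application data by every domain that is granted the xdg_data interfaces. If the broad match is intended, a comment above the entry such as `# ~/.local is labeled as a whole; XDG_DATA_HOME itself defaults to ~/.local/share` would record the decision. The eight entries also cover only the default paths, so directories relocated through the XDG_*_HOME variables or user-dirs.dirs presumably keep the generic home label until relabeled, which is worth one more comment line.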
@@ -0,0 +1,1231 @@
+##
+## Freedesktop standard locations (formerly known as X Desktop Group)
+##
+
+
+########################################
+##
+## Mark the selected type as an xdg_cache_type
+##
+##
+##
+## Type to give the xdg_cache_type attribute to
+##
+##
+#
+interface(`xdg_cache_content',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ typeattribute $1 xdg_cache_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Mark the selected type as an xdg_config_type
+##
+##
+##
+## Type to give the xdg_config_type attribute to
+##
+##
+#
+interface(`xdg_config_content',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ typeattribute $1 xdg_config_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Mark the selected type as an xdg_data_type
+##
+##
+##
+## Type to give the xdg_data_type attribute to
+##
+##
+#
+interface(`xdg_data_content',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ typeattribute $1 xdg_data_type;
+
+ userdom_user_home_content($1)
+')
+
+
+########################################
+##
+## Read the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_cache_files',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read all xdg_cache_type files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_all_cache_files',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_type, xdg_cache_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in an xdg_cache directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the file or directory created
+##
+##
+#
+interface(`xdg_cache_filetrans',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_cache_t, $2, $3, $4)
+
+ xdg_create_cache_dirs($1)
+ xdg_generic_user_home_dir_filetrans_cache($1, dir, ".cache")
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_cache_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_cache',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_cache_t, $2, $3)
+')
+
+########################################
+##
+## Create xdg cache home directories
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_create_cache_dirs',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ allow $1 xdg_cache_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Manage the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_cache',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Manage all the xdg cache home files regardless of their specific type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_all_cache',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg cache home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_cache',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg cache home files, regardless of their specific type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_all_cache',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Search through the xdg config home directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_search_config_dirs',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ search_dirs_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_config_files',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ read_files_pattern($1, xdg_config_t, xdg_config_t)
+ list_dirs_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read all xdg_config_type files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_all_config_files',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ read_files_pattern($1, xdg_config_type, xdg_config_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in an xdg_config directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the file or directory created
+##
+##
+#
+interface(`xdg_config_filetrans',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_config_t, $2, $3, $4)
+
+ xdg_create_config_dirs($1)
+ xdg_generic_user_home_dir_filetrans_config($1, dir, ".config")
+
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_config_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_config',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_config_t, $2, $3)
+')
+
+########################################
+##
+## Create xdg config home directories
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_create_config_dirs',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ allow $1 xdg_config_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Manage the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_config',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
+ manage_files_pattern($1, xdg_config_t, xdg_config_t)
+ manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
+ manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
+ manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Manage all the xdg config home files regardless of their specific type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_all_config',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
+ manage_files_pattern($1, xdg_config_type, xdg_config_type)
+ manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
+ manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
+ manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg config home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_config',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_files_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_sock_files_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg config home files, regardless of their specific type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_all_config',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_files_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_sock_files_pattern($1, xdg_config_type, xdg_config_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_data_files',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ read_files_pattern($1, xdg_data_t, xdg_data_t)
+ list_dirs_pattern($1, xdg_data_t, xdg_data_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Read all xdg_data_type files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_read_all_data_files',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ read_files_pattern($1, xdg_data_type, xdg_data_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in an xdg_data directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Optional name of the file or directory created
+##
+##
+#
+interface(`xdg_data_filetrans',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_data_t, $2, $3, $4)
+
+ xdg_create_data_dirs($1)
+ xdg_generic_user_home_dir_filetrans_data($1, dir, ".local")
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_data_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_data_t, $2, $3)
+')
+
+########################################
+##
+## Create xdg data home directories
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_create_data_dirs',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ allow $1 xdg_data_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Manage the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
+ manage_files_pattern($1, xdg_data_t, xdg_data_t)
+ manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
+ manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
+ manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Manage all the xdg data home files, regardless of their specific type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_manage_all_data',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
+ manage_files_pattern($1, xdg_data_type, xdg_data_type)
+ manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
+ manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
+ manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg data home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_files_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_sock_files_pattern($1, xdg_data_t, xdg_data_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Allow relabeling the xdg data home files, regardless of their type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_all_data',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_files_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_sock_files_pattern($1, xdg_data_type, xdg_data_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_documents_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_documents_t, $2, $3)
+')
+
+#########################################
+##
+## Manage documents content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_manage_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
+ manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
+')
+
+########################################
+##
+## Allow relabeling the documents resources
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
+ relabel_files_pattern($1, xdg_documents_t, xdg_documents_t)
+ relabel_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+##
+## Read downloaded content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_read_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+##
+## Create downloaded content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_create_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+##
+## Write downloaded content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_write_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_downloads_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_downloads_t, $2, $3)
+')
+
+#########################################
+##
+## Manage downloaded content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_manage_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+')
+
+########################################
+##
+## Allow relabeling the downloads resources
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ relabel_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ relabel_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+##
+## Read user pictures content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_read_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_pictures_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_pictures_t, $2, $3)
+')
+
+#########################################
+##
+## Manage pictures content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_manage_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+')
+
+########################################
+##
+## Allow relabeling the pictures resources
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ relabel_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ relabel_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+##
+## Read user music content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_read_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ read_files_pattern($1, xdg_music_t, xdg_music_t)
+ list_dirs_pattern($1, xdg_music_t, xdg_music_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_pictures_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_music_t, $2, $3)
+')
+
+#########################################
+##
+## Manage music content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_manage_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ manage_files_pattern($1, xdg_music_t, xdg_music_t)
+')
+
+########################################
+##
+## Allow relabeling the music resources
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ relabel_files_pattern($1, xdg_music_t, xdg_music_t)
+ relabel_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+##
+## Read user video content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_read_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ read_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_videos_t type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## Name of the directory created
+##
+##
+#
+interface(`xdg_generic_user_home_dir_filetrans_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_videos_t, $2, $3)
+')
+
+#########################################
+##
+## Manage video content
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`xdg_manage_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
+')
+
+########################################
+##
+## Allow relabeling the videos resources
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdg_relabel_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ relabel_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ relabel_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te
new file mode 100644
index 00000000..df2224f1
--- /dev/null
+++ b/policy/modules/system/xdg.te
@@ -0,0 +1,38 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_cache_type;
+
+attribute xdg_config_type;
+
+attribute xdg_data_type;
+
+
+type xdg_cache_t;
+xdg_cache_content(xdg_cache_t)
+
+type xdg_config_t;
+xdg_config_content(xdg_config_t)
+
+type xdg_data_t;
+xdg_data_content(xdg_data_t)
+
+# Various user location types (see ~/.config/user-dirs.dirs)
+type xdg_documents_t; # customizable
+userdom_user_home_content(xdg_documents_t)
+
+type xdg_downloads_t; # customizable
+userdom_user_home_content(xdg_downloads_t)
+
+type xdg_music_t; # customizable
+userdom_user_home_content(xdg_music_t)
+
+type xdg_pictures_t; # customizable
+userdom_user_home_content(xdg_pictures_t)
+
+type xdg_videos_t; # customizable
+userdom_user_home_content(xdg_videos_t)
-- 2.13.6
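Review bot: In xdg.if, `xdg_cache_filetrans`, `xdg_config_filetrans` and `xdg_data_filetrans` grant more than their summaries state: besides the `filetrans_pattern` for the caller's private type, each also calls the matching `xdg_create_*_dirs($1)` and `xdg_generic_user_home_dir_filetrans_*($1, dir, ...)` with the names `".cache"`, `".config"` and `".local"`, so every caller may also create directories carrying the generic base type and receives a named transition in the user home directory. Because these interfaces are how an application domain is confined to its own type, the summary should state the extra grant, for instance `## Also allows the domain to create the generic xdg_config_t directory (".config") in the user home directory.`, or the two calls should be left to the callers that need them. Two smaller inconsistencies in the same hunk: the summary above `xdg_generic_user_home_dir_filetrans_music` names `xdg_pictures_t` although the rule uses `xdg_music_t`, and the `xdg_manage_documents`, `xdg_manage_downloads`, `xdg_manage_pictures`, `xdg_manage_music` and `xdg_manage_videos` interfaces omit the `userdom_search_user_home_dirs($1)` call that the relabel interfaces for the same types include.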