From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 25 Mar 2018 13:56:57 +0200
Subject: [refpolicy] [PATCH v3 02/19] Enhance gnome domains with XDG privilege sets
In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be>
References: <20180325115714.5610-1-sven.vermeulen@siphos.be>
Message-ID: <20180325115714.5610-3-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Many of the GNOME domains make full use of all the basic XDG locations. With the introduction of support for these (~/.cache, ~/.local and ~/.config) the appropriate GNOME XDG type definitions are added, together with the necessary privileges for accessing these types.

Signed-off-by: Sven Vermeulen
---
 gnome.fc | 5 +++++
 gnome.te | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/gnome.fc b/gnome.fc
index 744ff68..1c0dd43 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,9 +1,14 @@
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_t,s0)
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_xdg_config_t,s0)
 HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
 HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
 HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
 HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_t,s0)
 HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
diff --git a/gnome.te b/gnome.te
index 59c04e0..9b46b49 100644
--- a/gnome.te
+++ b/gnome.te
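Review bot: The new `HOME_DIR/\.local/share/keyrings(/.*)?` entry labels the keyring store as the generic `gnome_xdg_data_t`, while the legacy `~/.gnome2/keyrings` entry a few lines above keeps its dedicated `gnome_keyring_home_t`; every domain later granted `gnome_xdg_data_t` — `gconfd_t` in the second gnome.te hunk and the whole `gkeyringd_domain` attribute in the third — thereby gets manage access to the user's stored secrets, although only the keyring daemon has a reason to touch them. Keeping both keyring locations on the existing dedicated type avoids widening gconfd_t's reach and keeps the secret store distinct from dconf/gtk data: `HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)`. This presumes the gkeyringd_domain rules for gnome_keyring_home_t, which lie outside this patch, already cover that type; if they do not, they would need the equivalent of the manage lines this patch adds for gnome_xdg_data_t.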
@@ -47,6 +47,15 @@ type gnome_keyring_tmp_t;
 userdom_user_tmp_file(gnome_keyring_tmp_t)
 userdom_user_runtime_content(gnome_keyring_tmp_t)
 
+type gnome_xdg_cache_t;
+xdg_cache_content(gnome_xdg_cache_t)
+
+type gnome_xdg_config_t;
+xdg_config_content(gnome_xdg_config_t)
+
+type gnome_xdg_data_t;
+xdg_data_content(gnome_xdg_data_t)
+
 type gstreamer_orcexec_t;
 application_executable_file(gstreamer_orcexec_t)
 userdom_user_runtime_content(gstreamer_orcexec_t)
@@ -93,6 +102,18 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
 
+manage_dirs_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_files_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t)
+xdg_cache_filetrans(gconfd_t, gnome_xdg_cache_t, dir)
+
+manage_dirs_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t)
+manage_files_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t)
+xdg_config_filetrans(gconfd_t, gnome_xdg_config_t, dir)
+
+manage_dirs_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t)
+manage_files_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t)
+xdg_data_filetrans(gconfd_t, gnome_xdg_data_t, dir)
+
 # for /proc/filesystems
 kernel_read_system_state(gconfd_t)
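Review bot: In the `@@ -93,6 +102,18 @@` hunk gconfd_t is granted manage on all three gnome_xdg_* types plus an unnamed directory transition into each XDG base, yet nothing in this patch shows the legacy GConf daemon (whose own state is gconf_home_t under ~/.gconf) needing ~/.cache, ~/.config or ~/.local/share at all; with the fc hunk labelling ~/.local/share/keyrings as gnome_xdg_data_t, the `manage_files_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t)` line in particular hands the config daemon the user's keyring files. If there is a concrete need, a comment above the block should name it, e.g. `# dconf migration state: ~/.config/dconf and ~/.cache/dconf`, and the `xdg_*_filetrans(gconfd_t, ..., dir)` calls should be narrowed to the directory names gconfd_t actually creates (the xdg filetrans interfaces appear to accept an optional filename argument — verify against xdg.if), so that every directory gconfd_t creates under those bases does not silently become a gnome-private type. The same unnamed transitions recur in the gkeyringd_domain hunk (`@@ -147,6 +168,19 @@`). The gconfd_t policy block begins before this hunk.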
@@ -147,6 +168,19 @@ manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_t
 files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
 userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
 
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_sock_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+xdg_cache_filetrans(gkeyringd_domain, gnome_xdg_cache_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t)
+xdg_config_filetrans(gkeyringd_domain, gnome_xdg_config_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
+xdg_data_filetrans(gkeyringd_domain, gnome_xdg_data_t, dir)
+
 kernel_read_crypto_sysctls(gkeyringd_domain)
 kernel_read_kernel_sysctls(gkeyringd_domain)
 kernel_read_system_state(gkeyringd_domain)
--
2.16.1
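Review bot: The gkeyringd_domain additions carry no comment tying each gnome_xdg_* type to the path it stands for, so a reader of gnome.te alone cannot tell why this block alone needs `manage_sock_files_pattern` on gnome_xdg_cache_t (presumably the `~/.cache/keyring-*` entries from the fc hunk) or that gnome_xdg_data_t is, per the fc hunk, the `~/.local/share/keyrings` secret store rather than ordinary application data. A short comment above the cache block would record that, e.g. `# keyring-* control dirs under ~/.cache; key store under ~/.local/share/keyrings`. Note that gkeyringd_domain is an attribute, so these rules apply to every domain assigned to it; the gkeyringd_domain section begins before this hunk.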