From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 25 Mar 2018 13:57:02 +0200 Subject: [refpolicy] [PATCH v3 07/19] Enhance telepathy domains with XDG privilege sets In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be> References: <20180325115714.5610-1-sven.vermeulen@siphos.be> Message-ID: <20180325115714.5610-8-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The telepathy domain already had some support for the XDG-style locations (cache, config and data). In this patch the rules are updated to use the XDG-style approach (naming) as well as include the necessary file transitions. Changes since v2: - Add telepathy_mission_control_home_t as required type in the role declaration Signed-off-by: Sven Vermeulen --- telepathy.fc | 18 ++++++++-------- telepathy.if | 25 +++++++++++----------- telepathy.te | 70 ++++++++++++++++++++++++++++++------------------------------ 3 files changed, 57 insertions(+), 56 deletions(-) diff --git a/telepathy.fc b/telepathy.fc index 6c7f8f8..4600d81 100644 --- a/telepathy.fc +++ b/telepathy.fc @@ -1,14 +1,14 @@ -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) -HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) -HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) -HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_xdg_cache_t,s0) +HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_cache_t, s0) +HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t, s0) +HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_cache_t,s0) +HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0) +HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0) HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0) -HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0) -HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0) +HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_data_t,s0) +HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_xdg_data_t,s0) HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0) -HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) +HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_data_t,s0) /usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) /usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) diff --git a/telepathy.if b/telepathy.if index 2a11a70..d81dc19 100644 --- a/telepathy.if +++ b/telepathy.if @@ -68,9 +68,10 @@ template(`telepathy_role_template',` type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; type telepathy_msn_exec_t; - type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t; - type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t; - type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t; + type telepathy_mission_control_xdg_cache_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t; + type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t; + type telepathy_mission_control_xdg_data_t, telepathy_sunshine_home_t, telepathy_logger_xdg_data_t; + type telepathy_mission_control_home_t; ') role $2 types telepathy_domain; @@ -92,22 +93,22 @@ template(`telepathy_role_template',` dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t) dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t) - allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; + allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:file { manage_file_perms relabel_file_perms }; + allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:file { manage_file_perms relabel_file_perms }; + allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:file { manage_file_perms relabel_file_perms }; - filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") + filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble") # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") - filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") + filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger") # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") - filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") + filetrans_pattern($3, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control") # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") diff --git a/telepathy.te b/telepathy.te index f1bee7f..5a05159 100644 --- a/telepathy.te +++ b/telepathy.te @@ -27,34 +27,34 @@ attribute telepathy_tmp_content; telepathy_domain_template(gabble) -type telepathy_cache_home_t; -userdom_user_home_content(telepathy_cache_home_t) +type telepathy_xdg_cache_t alias telepathy_cache_home_t; +xdg_cache_content(telepathy_xdg_cache_t) -type telepathy_gabble_cache_home_t; -userdom_user_home_content(telepathy_gabble_cache_home_t) +type telepathy_gabble_xdg_cache_t alias telepathy_gabble_cache_home_t; +xdg_cache_content(telepathy_gabble_xdg_cache_t) telepathy_domain_template(idle) telepathy_domain_template(logger) -type telepathy_data_home_t; -userdom_user_home_content(telepathy_data_home_t) +type telepathy_xdg_data_t alias telepathy_data_home_t; +xdg_data_content(telepathy_xdg_data_t) -type telepathy_logger_cache_home_t; -userdom_user_home_content(telepathy_logger_cache_home_t) +type telepathy_logger_xdg_cache_t alias telepathy_logger_cache_home_t; +xdg_cache_content(telepathy_logger_xdg_cache_t) -type telepathy_logger_data_home_t; -userdom_user_home_content(telepathy_logger_data_home_t) +type telepathy_logger_xdg_data_t alias telepathy_logger_data_home_t; +xdg_data_content(telepathy_logger_xdg_data_t) telepathy_domain_template(mission_control) type telepathy_mission_control_home_t; userdom_user_home_content(telepathy_mission_control_home_t) -type telepathy_mission_control_data_home_t; -userdom_user_home_content(telepathy_mission_control_data_home_t) +type telepathy_mission_control_xdg_data_t alias telepathy_mission_control_data_home_t; +xdg_data_content(telepathy_mission_control_xdg_data_t) -type telepathy_mission_control_cache_home_t; -userdom_user_home_content(telepathy_mission_control_cache_home_t) +type telepathy_mission_control_xdg_cache_t alias telepathy_mission_control_cache_home_t; +xdg_cache_content(telepathy_mission_control_xdg_cache_t) telepathy_domain_template(msn) telepathy_domain_template(salut) @@ -74,10 +74,10 @@ allow telepathy_gabble_t self:tcp_socket { accept listen }; allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto }; # ~/.cache/telepathy/gabble/caps-cache.db-journal -manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") -# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky") +manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t) +manage_files_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t) +filetrans_pattern(telepathy_gabble_t, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble") +# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky") manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) @@ -179,13 +179,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; -manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") +manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t) +manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t) +filetrans_pattern(telepathy_logger_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger") -manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger") +manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t) +manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t) +# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_xdg_data_t, dir, "TpLogger") files_read_usr_files(telepathy_logger_t) files_search_pids(telepathy_logger_t) @@ -216,15 +216,15 @@ manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t) +manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t) +filetrans_pattern(telepathy_mission_control_t, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control") -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) -# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") +manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, telepathy_mission_control_xdg_cache_t) +# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, file, ".mc_connections") -manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t) +manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t) dev_read_rand(telepathy_mission_control_t) @@ -461,11 +461,11 @@ optional_policy(` allow telepathy_domain self:process { getsched signal sigkill }; allow telepathy_domain self:fifo_file rw_fifo_file_perms; -manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) -# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") +manage_dirs_pattern(telepathy_domain, telepathy_xdg_cache_t, telepathy_xdg_cache_t) +xdg_cache_filetrans(telepathy_domain, telepathy_xdg_cache_t, dir, "telepathy") -manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t) -# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy") +manage_dirs_pattern(telepathy_domain, telepathy_xdg_data_t, telepathy_xdg_data_t) +xdg_data_filetrans(telepathy_domain, telepathy_xdg_data_t, dir, "telepathy") dev_read_urand(telepathy_domain) -- 2.16.1