From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 10 Jun 2018 13:45:07 -0400 Subject: [refpolicy] [PATCH v3 00/19] X Desktop Group location support and reduced user content access privileges, contrib part In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be> References: <20180325115714.5610-1-sven.vermeulen@siphos.be> Message-ID: <23b4f8f5-8b0b-8661-716b-1edc41e62989@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote: > This is the patch set that implements the more granular approach to user > resources (files, directories) in the users' home directory. It requires > the first patch set (which introduces the support for this more granular > approach) which has been submitted earlier on. > > To recap, the first patch set introduces a number of additional types > and attributes to support the XDG related resource locations, divided in > two sets: > - The main XDG locations used for user-specific application data (in > ~/.local, marked as xdg_data_t), user-specific cache data (in > ~/.cache, marked as xdg_cache_t), and user-specific application > configuration data (in ~/.config, marked as xdg_config_t). > It also enables support for application/domain-specific types within > (such as mozilla_xdg_config_t). > - End user resource locations tailored to the common resource types. It > enables the "Documents/" location to be marked with xdg_documents_t, > "Downloads/" with xdg_downloads_t, "Pictures/" with xdg_pictures_t, > "Music/" with xdg_music_t and "Videos/" with xdg_videos_t. > > This patchset updates a number of application domains to support > these locations. Note that not all of Guido's work (who retriggered > the upstreaming of this patch set) is included here, as some of the > suggested changes were harder for me to review or confirm. However, > these can be easily reapplied if needed. This set is merged. > Changes since v2: > - Keep userdom_exec_user_home_content_files in cron's main block as it > contains a tunable block which means it cannot be called from > within another tunable block > - Fix telepathy role interface to require the telepathy_mission_control_home_t > type > - Fix typo in gpg call to xdg_read_data_files > - Fix typo in call to userdom_user_content_access_template in syncthing.te > Changes since v1: > - Drop _home_ from type/attribute declarations and interface names > - Move tunable definitions inside template > > Sven Vermeulen (19): > Enhance evolution domain with XDG privilege sets > Enhance gnome domains with XDG privilege sets > Enhance minidlna domain with XDG privilege sets > Enhance mozilla domain with XDG privilege sets > Enhance mplayer domains with XDG privilege sets > Enhance pulseaudio domain with XDG privilege sets > Enhance telepathy domains with XDG privilege sets > Enhance thunderbird domain with XDG privilege sets > Make cron user content access optional > Make firstboot user content access optional > Make gpg user content access optional > Make i18n_input user content access optional > Make irc user content access optional > Make java user content access optional > Make openoffice user content access optional > Make postfix user content access optional > Make wireshark user content access optional > Make xscreensaver user content access optional > Switch syncthing to XDG config types and make user content access > optional > > cron.te | 18 +++++++-------- > evolution.fc | 3 +++ > evolution.te | 33 +++++++++++++++++++++------ > firstboot.te | 14 +++++++----- > gnome.fc | 5 +++++ > gnome.te | 34 ++++++++++++++++++++++++++++ > gpg.te | 6 +++-- > i18n_input.te | 24 +++++++++++++++++++- > irc.te | 6 ++--- > java.te | 13 ++++++----- > minidlna.te | 4 ++++ > mozilla.fc | 1 + > mozilla.te | 18 +++++++++++---- > mplayer.te | 14 +++++++----- > openoffice.te | 12 ++++------ > postfix.te | 6 +---- > pulseaudio.fc | 2 +- > pulseaudio.te | 11 +++++++++ > syncthing.fc | 2 +- > syncthing.if | 8 +++---- > syncthing.te | 19 +++++++--------- > telepathy.fc | 18 +++++++-------- > telepathy.if | 25 +++++++++++---------- > telepathy.te | 70 ++++++++++++++++++++++++++++----------------------------- > thunderbird.te | 14 ++++++++---- > wireshark.te | 5 +++-- > xscreensaver.te | 26 ++++++++++++++++++++- > 27 files changed, 273 insertions(+), 138 deletions(-) > -- Chris PeBenito