selinux-refpolicy/policy/modules/apps/gnome.if

## <summary>GNU network object model environment.</summary>

#######################################
## <summary>
##	The role template for gnome.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
template(`gnome_role_template',`
	gen_require(`
		attribute gnomedomain, gkeyringd_domain;
		attribute_role gconfd_roles;
		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
		type gconf_home_t, gnome_home_t;
	')

	########################################
	#
	# Gconf declarations
	#

	roleattribute $2 gconfd_roles;

	########################################
	#
	# Gkeyringd declarations
	#

	type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
	userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
	domain_user_exemption_target($1_gkeyringd_t)

	role $2 types $1_gkeyringd_t;

	########################################
	#
	# Gconf policy
	#

	domtrans_pattern($3, gconfd_exec_t, gconfd_t)

	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")

	allow $3 gconfd_t:process { ptrace signal_perms };
	ps_process_pattern($3, gconfd_t)

	########################################
	#
	# Gkeyringd policy
	#

	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)

	allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
	allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };

	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")

	gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")

	allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	ps_process_pattern($3, $1_gkeyringd_t)
	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };

	corecmd_bin_domtrans($1_gkeyringd_t, $3)
	corecmd_shell_domtrans($1_gkeyringd_t, $3)

	gnome_stream_connect_gkeyringd($1, $3)

	optional_policy(`
		dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
		dbus_system_bus_client($1_gkeyringd_t)

		optional_policy(`
			evolution_dbus_chat($1_gkeyringd_t)
		')

		optional_policy(`
			gnome_dbus_chat_gconfd($3)
			gnome_dbus_chat_gkeyringd($1, $3)
		')

		optional_policy(`
			wm_dbus_chat($1, $1_gkeyringd_t)
		')
	')
')

########################################
## <summary>
##	Execute gconf in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_exec_gconf',`
	gen_require(`
		type gconfd_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, gconfd_exec_t)
')

########################################
## <summary>
##	Read gconf configuration content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	files_search_etc($1)
	allow $1 gconf_etc_t:dir list_dir_perms;
	allow $1 gconf_etc_t:file read_file_perms;
	allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read
##	inherited gconf configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
	gen_require(`
		type gconf_etc_t;
	')

	dontaudit $1 gconf_etc_t:file read;
')

#######################################
## <summary>
##	Create, read, write, and delete
##	gconf configuration content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
	gen_require(`
		type gconf_etc_t;
	')

	files_search_etc($1)
	allow $1 gconf_etc_t:dir manage_dir_perms;
	allow $1 gconf_etc_t:file manage_file_perms;
	allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
')

########################################
## <summary>
##	Connect to gconf using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	files_search_tmp($1)
	stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
')

########################################
## <summary>
##	Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')

########################################
## <summary>
##	Create generic gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_create_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	allow $1 gnome_home_t:dir create_dir_perms;
')

########################################
## <summary>
##	Set attributes of generic gnome
##	user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_generic_home_dirs',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
')

########################################
## <summary>
##	Read generic gnome home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_home_content',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir list_dir_perms;
	allow $1 gnome_home_t:file { read_file_perms map };
	allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
	allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
	allow $1 gnome_home_t:sock_file read_sock_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	generic gnome home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_home_content',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir manage_dir_perms;
	allow $1 gnome_home_t:file manage_file_perms;
	allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
	allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
	allow $1 gnome_home_t:sock_file manage_sock_file_perms;
')

########################################
## <summary>
##	Search generic gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_generic_home',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Create objects in gnome user home
##	directories with a private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_home_filetrans',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	filetrans_pattern($1, gnome_home_t, $2, $3, $4)
')

########################################
## <summary>
##	Create generic gconf home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_create_generic_gconf_home_dirs',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir create_dir_perms;
')

########################################
## <summary>
##	Read generic gconf home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_generic_gconf_home_content',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir list_dir_perms;
	allow $1 gconf_home_t:file read_file_perms;
	allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
	allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
	allow $1 gconf_home_t:sock_file read_sock_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	generic gconf home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_generic_gconf_home_content',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir manage_dir_perms;
	allow $1 gconf_home_t:file manage_file_perms;
	allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
	allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
	allow $1 gconf_home_t:sock_file manage_sock_file_perms;
')

########################################
## <summary>
##	Search generic gconf home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_search_generic_gconf_home',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Create objects in user home
##	directories with the generic gconf
##	home type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_home_filetrans_gconf_home',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
')

########################################
## <summary>
##	Create objects in user home
##	directories with the generic gnome
##	home type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_home_filetrans_gnome_home',`
	gen_require(`
		type gnome_home_t;
	')

	userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
')

########################################
## <summary>
##	Create objects in gnome gconf home
##	directories with a private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_gconf_home_filetrans',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_search_user_home_dirs($1)
	filetrans_pattern($1, gconf_home_t, $2, $3, $4)
')

########################################
## <summary>
##	Create objects in user home
##	directories with the gstreamer
##	orcexec type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
	gen_require(`
		type gstreamer_orcexec_t;
	')

	userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
')

########################################
## <summary>
##	Create objects in the user
##	runtime directories with the
##	gstreamer orcexec type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
	gen_require(`
		type gstreamer_orcexec_t;
	')

	userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
')

########################################
## <summary>
##	Read generic gnome keyring home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_read_keyring_home_files',`
	gen_require(`
		type gnome_home_t, gnome_keyring_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
')

########################################
## <summary>
##	Send and receive messages from
##	gnome configuration daemon over
##	dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_gconfd',`
	gen_require(`
		type gconfd_t;
		class dbus send_msg;
	')

	allow $1 gconfd_t:dbus send_msg;
	allow gconfd_t $1:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from
##	gnome keyring daemon over dbus.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`gnome_dbus_chat_gkeyringd',`
	gen_require(`
		type $1_gkeyringd_t;
		class dbus send_msg;
	')

	allow $2 $1_gkeyringd_t:dbus send_msg;
	allow $1_gkeyringd_t $2:dbus send_msg;
')

########################################
## <summary>
##	Send and receive messages from all
##	gnome keyring daemon over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_dbus_chat_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		class dbus send_msg;
	')

	allow $1 gkeyringd_domain:dbus send_msg;
	allow gkeyringd_domain $1:dbus send_msg;
')

########################################
## <summary>
##	Run all gkeyringd in gkeyringd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`gnome_spec_domtrans_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_exec_t;
	')

	corecmd_search_bin($1)
	spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)
')

########################################
## <summary>
##	Connect to gnome keyring daemon
##	with a unix stream socket.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`gnome_stream_connect_gkeyringd',`
	gen_require(`
		type $1_gkeyringd_t, gnome_keyring_tmp_t;
	')

	files_search_tmp($2)
	userdom_search_user_runtime($2)
	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
')

########################################
## <summary>
##	Connect to all gnome keyring daemon
##	with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
	gen_require(`
		attribute gkeyringd_domain;
		type gnome_keyring_tmp_t;
	')

	files_search_tmp($1)
	userdom_search_user_runtime($1)
	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')

########################################
## <summary>
##	Manage gstreamer ORC optimized
##	code.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_manage_gstreamer_orcexec',`
	gen_require(`
		type gstreamer_orcexec_t;
	')

	allow $1 gstreamer_orcexec_t:file manage_file_perms;
')

########################################
## <summary>
##	Mmap gstreamer ORC optimized
##	code.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_mmap_gstreamer_orcexec',`
	gen_require(`
		type gstreamer_orcexec_t;
	')

	allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
')
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`## <summary>GNU network object model environment.</summary>`

			`#######################################`
			`## <summary>`
			`## The role template for gnome.`
			`## </summary>`
			`## <param name="role_prefix">`
			`## <summary>`
			`## The prefix of the user domain (e.g., user`
			`## is the prefix for user_t).`
			`## </summary>`
			`## </param>`
			`## <param name="user_role">`
			`## <summary>`
			`## The role associated with the user domain.`
			`## </summary>`
			`## </param>`
			`## <param name="user_domain">`
			`## <summary>`
			`## The type of the user domain.`
			`## </summary>`
			`## </param>`
			`#`
			template(`gnome_role_template',`
			gen_require(`
			`attribute gnomedomain, gkeyringd_domain;`
			`attribute_role gconfd_roles;`
			`type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;`
			`type gconfd_t, gconfd_exec_t, gconf_tmp_t;`
Add requires to interfaces that reference types or attributes without requiring them Signed-off-by: Daniel Burgener <dburgener@tresys.com> 2020-01-16 13:39:36 +00:00			`type gconf_home_t, gnome_home_t;`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`')`

			`########################################`
			`#`
			`# Gconf declarations`
			`#`

			`roleattribute $2 gconfd_roles;`

			`########################################`
			`#`
			`# Gkeyringd declarations`
			`#`

			`type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;`
			`userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)`
			`domain_user_exemption_target($1_gkeyringd_t)`

			`role $2 types $1_gkeyringd_t;`

			`########################################`
			`#`
			`# Gconf policy`
			`#`

			`domtrans_pattern($3, gconfd_exec_t, gconfd_t)`

			`allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };`
			`allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };`
			`userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")`
			`userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")`

			`allow $3 gconfd_t:process { ptrace signal_perms };`
			`ps_process_pattern($3, gconfd_t)`

			`########################################`
			`#`
			`# Gkeyringd policy`
			`#`

			`domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)`

			`allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };`
			`allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };`

			`userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")`
			`userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")`
			`userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")`

			`gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")`

			`allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };`

			`ps_process_pattern($3, $1_gkeyringd_t)`
			`allow $3 $1_gkeyringd_t:process { ptrace signal_perms };`

			`corecmd_bin_domtrans($1_gkeyringd_t, $3)`
			`corecmd_shell_domtrans($1_gkeyringd_t, $3)`

			`gnome_stream_connect_gkeyringd($1, $3)`

			optional_policy(`
			`dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)`
			`dbus_system_bus_client($1_gkeyringd_t)`

			optional_policy(`
			`evolution_dbus_chat($1_gkeyringd_t)`
			`')`

			optional_policy(`
			`gnome_dbus_chat_gconfd($3)`
			`gnome_dbus_chat_gkeyringd($1, $3)`
			`')`

			optional_policy(`
			`wm_dbus_chat($1, $1_gkeyringd_t)`
			`')`
			`')`
			`')`

			`########################################`
			`## <summary>`
			`## Execute gconf in the caller domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_exec_gconf',`
			gen_require(`
			`type gconfd_exec_t;`
			`')`

			`corecmd_search_bin($1)`
			`can_exec($1, gconfd_exec_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Read gconf configuration content.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_read_gconf_config',`
			gen_require(`
			`type gconf_etc_t;`
			`')`

			`files_search_etc($1)`
			`allow $1 gconf_etc_t:dir list_dir_perms;`
			`allow $1 gconf_etc_t:file read_file_perms;`
			`allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to read`
			`## inherited gconf configuration files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
			gen_require(`
			`type gconf_etc_t;`
			`')`

			`dontaudit $1 gconf_etc_t:file read;`
			`')`

			`#######################################`
			`## <summary>`
			`## Create, read, write, and delete`
			`## gconf configuration content.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_manage_gconf_config',`
			gen_require(`
			`type gconf_etc_t;`
			`')`

			`files_search_etc($1)`
			`allow $1 gconf_etc_t:dir manage_dir_perms;`
			`allow $1 gconf_etc_t:file manage_file_perms;`
			`allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Connect to gconf using a unix`
			`## domain stream socket.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_stream_connect_gconf',`
			gen_require(`
			`type gconfd_t, gconf_tmp_t;`
			`')`

			`files_search_tmp($1)`
			`stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Run gconfd in gconfd domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed to transition.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_domtrans_gconfd',`
			gen_require(`
			`type gconfd_t, gconfd_exec_t;`
			`')`

			`corecmd_search_bin($1)`
			`domtrans_pattern($1, gconfd_exec_t, gconfd_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Create generic gnome home directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_create_generic_home_dirs',`
			gen_require(`
			`type gnome_home_t;`
			`')`

			`allow $1 gnome_home_t:dir create_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Set attributes of generic gnome`
			`## user home directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_setattr_generic_home_dirs',`
			gen_require(`
			`type gnome_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Read generic gnome home content.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_read_generic_home_content',`
			gen_require(`
			`type gnome_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`allow $1 gnome_home_t:dir list_dir_perms;`
			`allow $1 gnome_home_t:file { read_file_perms map };`
			`allow $1 gnome_home_t:fifo_file read_fifo_file_perms;`
			`allow $1 gnome_home_t:lnk_file read_lnk_file_perms;`
			`allow $1 gnome_home_t:sock_file read_sock_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Create, read, write, and delete`
			`## generic gnome home content.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_manage_generic_home_content',`
			gen_require(`
			`type gnome_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`allow $1 gnome_home_t:dir manage_dir_perms;`
			`allow $1 gnome_home_t:file manage_file_perms;`
			`allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;`
			`allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;`
			`allow $1 gnome_home_t:sock_file manage_sock_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Search generic gnome home directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_search_generic_home',`
			gen_require(`
			`type gnome_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`allow $1 gnome_home_t:dir search_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Create objects in gnome user home`
			`## directories with a private type.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="private_type">`
			`## <summary>`
			`## Private file type.`
			`## </summary>`
			`## </param>`
			`## <param name="object_class">`
			`## <summary>`
			`## Class of the object being created.`
			`## </summary>`
			`## </param>`
			`## <param name="name" optional="true">`
			`## <summary>`
			`## The name of the object being created.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_home_filetrans',`
			gen_require(`
			`type gnome_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`filetrans_pattern($1, gnome_home_t, $2, $3, $4)`
			`')`

			`########################################`
			`## <summary>`
			`## Create generic gconf home directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_create_generic_gconf_home_dirs',`
			gen_require(`
			`type gconf_home_t;`
			`')`

			`allow $1 gconf_home_t:dir create_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Read generic gconf home content.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_read_generic_gconf_home_content',`
			gen_require(`
			`type gconf_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`allow $1 gconf_home_t:dir list_dir_perms;`
			`allow $1 gconf_home_t:file read_file_perms;`
			`allow $1 gconf_home_t:fifo_file read_fifo_file_perms;`
			`allow $1 gconf_home_t:lnk_file read_lnk_file_perms;`
			`allow $1 gconf_home_t:sock_file read_sock_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Create, read, write, and delete`
			`## generic gconf home content.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_manage_generic_gconf_home_content',`
			gen_require(`
			`type gconf_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`allow $1 gconf_home_t:dir manage_dir_perms;`
			`allow $1 gconf_home_t:file manage_file_perms;`
			`allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;`
			`allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;`
			`allow $1 gconf_home_t:sock_file manage_sock_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Search generic gconf home directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_search_generic_gconf_home',`
			gen_require(`
			`type gconf_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`allow $1 gconf_home_t:dir search_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Create objects in user home`
			`## directories with the generic gconf`
			`## home type.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="object_class">`
			`## <summary>`
			`## Class of the object being created.`
			`## </summary>`
			`## </param>`
			`## <param name="name" optional="true">`
			`## <summary>`
			`## The name of the object being created.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_home_filetrans_gconf_home',`
			gen_require(`
			`type gconf_home_t;`
			`')`

			`userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)`
			`')`

			`########################################`
			`## <summary>`
			`## Create objects in user home`
			`## directories with the generic gnome`
			`## home type.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="object_class">`
			`## <summary>`
			`## Class of the object being created.`
			`## </summary>`
			`## </param>`
			`## <param name="name" optional="true">`
			`## <summary>`
			`## The name of the object being created.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_home_filetrans_gnome_home',`
			gen_require(`
			`type gnome_home_t;`
			`')`

			`userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)`
			`')`

			`########################################`
			`## <summary>`
			`## Create objects in gnome gconf home`
			`## directories with a private type.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="private_type">`
			`## <summary>`
			`## Private file type.`
			`## </summary>`
			`## </param>`
			`## <param name="object_class">`
			`## <summary>`
			`## Class of the object being created.`
			`## </summary>`
			`## </param>`
			`## <param name="name" optional="true">`
			`## <summary>`
			`## The name of the object being created.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_gconf_home_filetrans',`
			gen_require(`
			`type gconf_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`filetrans_pattern($1, gconf_home_t, $2, $3, $4)`
			`')`

			`########################################`
			`## <summary>`
			`## Create objects in user home`
			`## directories with the gstreamer`
			`## orcexec type.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="object_class">`
			`## <summary>`
			`## Class of the object being created.`
			`## </summary>`
			`## </param>`
			`## <param name="name" optional="true">`
			`## <summary>`
			`## The name of the object being created.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
			gen_require(`
			`type gstreamer_orcexec_t;`
			`')`

			`userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)`
			`')`

			`########################################`
			`## <summary>`
			`## Create objects in the user`
			`## runtime directories with the`
			`## gstreamer orcexec type.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="object_class">`
			`## <summary>`
			`## Class of the object being created.`
			`## </summary>`
			`## </param>`
			`## <param name="name" optional="true">`
			`## <summary>`
			`## The name of the object being created.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
			gen_require(`
			`type gstreamer_orcexec_t;`
			`')`

			`userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)`
			`')`

			`########################################`
			`## <summary>`
			`## Read generic gnome keyring home files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_read_keyring_home_files',`
			gen_require(`
			`type gnome_home_t, gnome_keyring_home_t;`
			`')`

			`userdom_search_user_home_dirs($1)`
			`read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Send and receive messages from`
			`## gnome configuration daemon over`
			`## dbus.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_dbus_chat_gconfd',`
			gen_require(`
			`type gconfd_t;`
			`class dbus send_msg;`
			`')`

			`allow $1 gconfd_t:dbus send_msg;`
			`allow gconfd_t $1:dbus send_msg;`
			`')`

			`########################################`
			`## <summary>`
			`## Send and receive messages from`
			`## gnome keyring daemon over dbus.`
			`## </summary>`
			`## <param name="role_prefix">`
			`## <summary>`
			`## The prefix of the user domain (e.g., user`
			`## is the prefix for user_t).`
			`## </summary>`
			`## </param>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Use correct interface or template declaration Following the guideline of interfaces not allowed to declare anything and not use prefix parameters, declare interfaces doing so as templates. Also declare templates not using those features and not calling templates themselves as interfaces. These changes originate from the discussion in https://github.com/TresysTechnology/selint/issues/205 and are found by new proposed SELint checks at https://github.com/TresysTechnology/selint/pull/206. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-05-13 15:18:07 +00:00			template(`gnome_dbus_chat_gkeyringd',`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			gen_require(`
			`type $1_gkeyringd_t;`
			`class dbus send_msg;`
			`')`

			`allow $2 $1_gkeyringd_t:dbus send_msg;`
			`allow $1_gkeyringd_t $2:dbus send_msg;`
			`')`

			`########################################`
			`## <summary>`
			`## Send and receive messages from all`
			`## gnome keyring daemon over dbus.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_dbus_chat_all_gkeyringd',`
			gen_require(`
			`attribute gkeyringd_domain;`
			`class dbus send_msg;`
			`')`

			`allow $1 gkeyringd_domain:dbus send_msg;`
			`allow gkeyringd_domain $1:dbus send_msg;`
			`')`

			`########################################`
			`## <summary>`
			`## Run all gkeyringd in gkeyringd domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed to transition.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_spec_domtrans_all_gkeyringd',`
			gen_require(`
			`attribute gkeyringd_domain;`
			`type gkeyringd_exec_t;`
			`')`

			`corecmd_search_bin($1)`
			`spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)`
			`')`

			`########################################`
			`## <summary>`
			`## Connect to gnome keyring daemon`
			`## with a unix stream socket.`
			`## </summary>`
			`## <param name="role_prefix">`
			`## <summary>`
			`## The prefix of the user domain (e.g., user`
			`## is the prefix for user_t).`
			`## </summary>`
			`## </param>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Use correct interface or template declaration Following the guideline of interfaces not allowed to declare anything and not use prefix parameters, declare interfaces doing so as templates. Also declare templates not using those features and not calling templates themselves as interfaces. These changes originate from the discussion in https://github.com/TresysTechnology/selint/issues/205 and are found by new proposed SELint checks at https://github.com/TresysTechnology/selint/pull/206. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-05-13 15:18:07 +00:00			template(`gnome_stream_connect_gkeyringd',`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			gen_require(`
			`type $1_gkeyringd_t, gnome_keyring_tmp_t;`
			`')`

			`files_search_tmp($2)`
			`userdom_search_user_runtime($2)`
			`stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Connect to all gnome keyring daemon`
			`## with a unix stream socket.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_stream_connect_all_gkeyringd',`
			gen_require(`
			`attribute gkeyringd_domain;`
			`type gnome_keyring_tmp_t;`
			`')`

			`files_search_tmp($1)`
			`userdom_search_user_runtime($1)`
			`stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)`
			`')`

			`########################################`
			`## <summary>`
			`## Manage gstreamer ORC optimized`
			`## code.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_manage_gstreamer_orcexec',`
			gen_require(`
			`type gstreamer_orcexec_t;`
			`')`

			`allow $1 gstreamer_orcexec_t:file manage_file_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Mmap gstreamer ORC optimized`
			`## code.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`gnome_mmap_gstreamer_orcexec',`
			gen_require(`
			`type gstreamer_orcexec_t;`
			`')`

			`allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;`
			`')`