selinux-refpolicy/policy/modules/system/xdg.te

39 lines
769 B
Plaintext
Raw Normal View History

policy_module(xdg, 1.2.0)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
########################################
#
# Declarations
#
attribute xdg_cache_type;
attribute xdg_config_type;
attribute xdg_data_type;
type xdg_cache_t;
xdg_cache_content(xdg_cache_t)
type xdg_config_t;
xdg_config_content(xdg_config_t)
type xdg_data_t;
xdg_data_content(xdg_data_t)
# Various user location types (see ~/.config/user-dirs.dirs)
type xdg_documents_t; # customizable
userdom_user_home_content(xdg_documents_t)
type xdg_downloads_t; # customizable
userdom_user_home_content(xdg_downloads_t)
type xdg_music_t; # customizable
userdom_user_home_content(xdg_music_t)
type xdg_pictures_t; # customizable
userdom_user_home_content(xdg_pictures_t)
type xdg_videos_t; # customizable
userdom_user_home_content(xdg_videos_t)