userdomain, xserver: move xdg rules to userdom_xdg_user_template
xdg rules are normally set in xserver. But, if a modular policy is being used and the xserver module is not present, the required rules for users to be able to access xdg content are never created and thus these files and directories cannot be interacted with by users. This change adds a new template that can be called to grant these privileges to userdomain types as necessary. Signed-off-by: Kenton Groombridge <me@concord.sh>
parent
fe29a74cad
commit
1d15c9e009
|
@ -185,42 +185,6 @@ interface(`xserver_role',`
|
||||||
xserver_read_xkb_libs($2)
|
xserver_read_xkb_libs($2)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xdg_manage_all_cache($2)
|
|
||||||
xdg_relabel_all_cache($2)
|
|
||||||
xdg_watch_all_cache_dirs($2)
|
|
||||||
xdg_manage_all_config($2)
|
|
||||||
xdg_relabel_all_config($2)
|
|
||||||
xdg_watch_all_config_dirs($2)
|
|
||||||
xdg_manage_all_data($2)
|
|
||||||
xdg_relabel_all_data($2)
|
|
||||||
xdg_watch_all_data_dirs($2)
|
|
||||||
|
|
||||||
xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
|
|
||||||
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
|
|
||||||
xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
|
|
||||||
|
|
||||||
xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
|
|
||||||
xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
|
|
||||||
xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
|
|
||||||
xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
|
|
||||||
xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
|
|
||||||
|
|
||||||
xdg_manage_documents($2)
|
|
||||||
xdg_relabel_documents($2)
|
|
||||||
xdg_watch_documents_dirs($2)
|
|
||||||
xdg_manage_downloads($2)
|
|
||||||
xdg_relabel_downloads($2)
|
|
||||||
xdg_watch_downloads_dirs($2)
|
|
||||||
xdg_manage_music($2)
|
|
||||||
xdg_relabel_music($2)
|
|
||||||
xdg_watch_music_dirs($2)
|
|
||||||
xdg_manage_pictures($2)
|
|
||||||
xdg_relabel_pictures($2)
|
|
||||||
xdg_watch_pictures_dirs($2)
|
|
||||||
xdg_manage_videos($2)
|
|
||||||
xdg_relabel_videos($2)
|
|
||||||
xdg_watch_videos_dirs($2)
|
|
||||||
|
|
||||||
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
|
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
|
@ -1195,6 +1195,9 @@ template(`userdom_unpriv_user_template', `
|
||||||
fs_exec_noxattr($1_t)
|
fs_exec_noxattr($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# Allow users to manage xdg content in their home directories
|
||||||
|
userdom_xdg_user_template($1_t)
|
||||||
|
|
||||||
# Allow users to run TCP servers (bind to ports and accept connection from
|
# Allow users to run TCP servers (bind to ports and accept connection from
|
||||||
# the same domain and outside users) disabling this forces FTP passive mode
|
# the same domain and outside users) disabling this forces FTP passive mode
|
||||||
# and may change other protocols
|
# and may change other protocols
|
||||||
|
@ -1498,6 +1501,65 @@ template(`userdom_security_admin_template',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow user to interact with xdg content types
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create rules to allow a user to manage xdg
|
||||||
|
## content in a user home directory with an
|
||||||
|
## automatic type transition to those types.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_xdg_user_template',`
|
||||||
|
xdg_manage_all_cache($1_t)
|
||||||
|
xdg_relabel_all_cache($1_t)
|
||||||
|
xdg_watch_all_cache_dirs($1_t)
|
||||||
|
xdg_manage_all_config($1_t)
|
||||||
|
xdg_relabel_all_config($1_t)
|
||||||
|
xdg_watch_all_config_dirs($1_t)
|
||||||
|
xdg_manage_all_data($1_t)
|
||||||
|
xdg_relabel_all_data($1_t)
|
||||||
|
xdg_watch_all_data_dirs($1_t)
|
||||||
|
|
||||||
|
xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
|
||||||
|
xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
|
||||||
|
xdg_generic_user_home_dir_filetrans_data($1_t, dir, ".local")
|
||||||
|
|
||||||
|
xdg_generic_user_home_dir_filetrans_documents($1_t, dir, "Documents")
|
||||||
|
xdg_generic_user_home_dir_filetrans_downloads($1_t, dir, "Downloads")
|
||||||
|
xdg_generic_user_home_dir_filetrans_music($1_t, dir, "Music")
|
||||||
|
xdg_generic_user_home_dir_filetrans_pictures($1_t, dir, "Pictures")
|
||||||
|
xdg_generic_user_home_dir_filetrans_videos($1_t, dir, "Videos")
|
||||||
|
|
||||||
|
xdg_manage_documents($1_t)
|
||||||
|
xdg_relabel_documents($1_t)
|
||||||
|
xdg_watch_documents_dirs($1_t)
|
||||||
|
xdg_manage_downloads($1_t)
|
||||||
|
xdg_relabel_downloads($1_t)
|
||||||
|
xdg_watch_downloads_dirs($1_t)
|
||||||
|
xdg_manage_music($1_t)
|
||||||
|
xdg_relabel_music($1_t)
|
||||||
|
xdg_watch_music_dirs($1_t)
|
||||||
|
xdg_manage_pictures($1_t)
|
||||||
|
xdg_relabel_pictures($1_t)
|
||||||
|
xdg_watch_pictures_dirs($1_t)
|
||||||
|
xdg_manage_videos($1_t)
|
||||||
|
xdg_relabel_videos($1_t)
|
||||||
|
xdg_watch_videos_dirs($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Make the specified type usable as
|
## Make the specified type usable as
|
||||||
|
|
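Review bot: The new call `userdom_xdg_user_template($1_t)` in `userdom_unpriv_user_template` passes an already-suffixed domain, while every line of the new template body appends `_t` again (`xdg_manage_all_cache($1_t)` and the rest), so as rendered here the rules would expand to a type such as `user_t_t` instead of the user domain. Either pass the prefix, `userdom_xdg_user_template($1)`, and document the parameter as a prefix, or keep the `domain` parameter that the header describes and use `$1` throughout the body. Separately, the rules removed from `xserver_role` sat inside an `optional_policy` block, whereas the new template calls the `xdg_*` interfaces unconditionally; if the xdg module can be absent in a modular build, wrapping the body in `optional_policy` would keep userdomain loadable. It is also worth confirming that every unprivileged user domain is meant to receive manage and relabel access to all xdg types now that the grant no longer depends on the X role. `userdom_unpriv_user_template` starts and ends outside the hunk.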