## <summary>Openoffice suite.</summary>
############################################################
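## <summary>
##	Role access for openoffice.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>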
#
interface(`ooffice_role',`
	gen_require(`
		attribute_role ooffice_roles;
		type ooffice_t;
		type ooffice_exec_t;
	')

	# Add role $1 to the ooffice_roles role attribute.
	roleattribute $1 ooffice_roles;

	# Executing an ooffice_exec_t file from $2 transitions into ooffice_t.
	domtrans_pattern($2, ooffice_exec_t, ooffice_t)

	# ooffice_t may connect to unix stream sockets labeled with the $2 domain.
	allow ooffice_t $2:unix_stream_socket connectto;

	# $2 may inspect, signal and ptrace openoffice processes.
	# NOTE(review): ptrace lets $2 read and modify the memory of any ooffice_t
	# process, so nothing running in ooffice_t is protected from $2. Confirm that
	# every user domain passed here really needs debugging access.
	ps_process_pattern($2, ooffice_t)
	allow $2 ooffice_t:process { ptrace signal_perms };

	# Optional block: dropped when the requirements of ooffice_dbus_chat
	# cannot be satisfied in the loaded policy.
	optional_policy(`
		ooffice_dbus_chat($2)
	')
')
########################################
## <summary>
##	Run openoffice in its own domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ooffice_domtrans',`
	gen_require(`
		type ooffice_t;
		type ooffice_exec_t;
	')

	# Executing an ooffice_exec_t file from $1 transitions into ooffice_t.
	# Only the transition is granted here; no role association is made, so
	# the role of the caller must be handled separately (see ooffice_role).
	domtrans_pattern($1, ooffice_exec_t, ooffice_t)
')
########################################
## <summary>
##	Do not audit attempts to execute
##	files in temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`ooffice_dontaudit_exec_tmp_files',`
	gen_require(`
		type ooffice_tmp_t;
	')

	# This rule grants no access. It only suppresses the AVC denial records
	# produced when $1 tries to execute ooffice_tmp_t files.
	# NOTE(review): suppressed denials never reach the audit log, so attempts
	# to run files from the openoffice temporary area are invisible to
	# log-based detection. Rebuild the policy with dontaudit rules disabled
	# (semodule -DB) when investigating a domain that uses this interface.
	dontaudit $1 ooffice_tmp_t:file exec_file_perms;
')
########################################
## <summary>
##	Read and write temporary
##	openoffice files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ooffice_rw_tmp_files',`
	gen_require(`
		type ooffice_tmp_t;
	')

	# $1 may read and write ooffice_tmp_t files that live in ooffice_tmp_t
	# directories. Creating, deleting and executing them is not granted here.
	# NOTE(review): unlike ooffice_stream_connect, no files_search_tmp call is
	# made, so callers presumably obtain search access to the parent tmp
	# directory elsewhere - confirm against the calling modules.
	rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
#######################################
## <summary>
##	Send and receive dbus messages
##	from and to the openoffice
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ooffice_dbus_chat',`
	gen_require(`
		class dbus send_msg;
		type ooffice_t;
	')

	# Messaging is opened in both directions: ooffice_t may send to $1 and
	# $1 may send to ooffice_t. A caller that only needs to talk to
	# openoffice still becomes reachable from it, which matters when
	# ooffice_t handles untrusted documents.
	allow ooffice_t $1:dbus send_msg;
	allow $1 ooffice_t:dbus send_msg;
')
########################################
## <summary>
##	Connect to openoffice using a
##	unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ooffice_stream_connect',`
	gen_require(`
		type ooffice_t;
		type ooffice_tmp_t;
	')

	# The socket file is expected under the tmp directory, so $1 first needs
	# search access there.
	files_search_tmp($1)

	# $1 may then reach ooffice_tmp_t socket files inside ooffice_tmp_t
	# directories and connect to the ooffice_t process listening on them.
	stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
')