## GNU network object model environment. ####################################### ## ## The role template for gnome. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## User domain for the role. ## ## ## ## ## User exec domain for execute and transition access. ## ## ## ## ## Role allowed access ## ## # template(`gnome_role_template',` gen_require(` attribute gnomedomain, gkeyringd_domain; attribute_role gconfd_roles; type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; type gconf_home_t, gnome_home_t; ') ######################################## # # Gconf declarations # roleattribute $4 gconfd_roles; ######################################## # # Gkeyringd declarations # type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) domain_user_exemption_target($1_gkeyringd_t) role $4 types $1_gkeyringd_t; ######################################## # # Gconf policy # domtrans_pattern($3, gconfd_exec_t, gconfd_t) allow $2 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; userdom_user_home_dir_filetrans($2, gconf_home_t, dir, ".gconf") userdom_user_home_dir_filetrans($2, gconf_home_t, dir, ".gconfd") allow $3 gconfd_t:process { ptrace signal_perms }; ps_process_pattern($3, gconfd_t) optional_policy(` systemd_user_app_status($1, gconfd_t) ') ######################################## # # Gkeyringd policy # domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) allow $2 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; allow $2 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome") userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome2") userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome2_private") gnome_home_filetrans($2, gnome_keyring_home_t, dir, "keyrings") allow $2 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; ps_process_pattern($3, $1_gkeyringd_t) allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; corecmd_bin_domtrans($1_gkeyringd_t, $2) corecmd_shell_domtrans($1_gkeyringd_t, $2) gnome_stream_connect_gkeyringd($1, $3) optional_policy(` dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) dbus_system_bus_client($1_gkeyringd_t) optional_policy(` evolution_dbus_chat($1_gkeyringd_t) ') optional_policy(` gnome_dbus_chat_gconfd($3) gnome_dbus_chat_gkeyringd($1, $3) ') optional_policy(` wm_dbus_chat($1, $1_gkeyringd_t) ') ') optional_policy(` systemd_user_app_status($1, $1_gkeyringd_t) ') ') ######################################## ## ## Execute gconf in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_exec_gconf',` gen_require(` type gconfd_exec_t; ') corecmd_search_bin($1) can_exec($1, gconfd_exec_t) ') ######################################## ## ## Read gconf configuration content. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_read_gconf_config',` gen_require(` type gconf_etc_t; ') files_search_etc($1) allow $1 gconf_etc_t:dir list_dir_perms; allow $1 gconf_etc_t:file read_file_perms; allow $1 gconf_etc_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Do not audit attempts to read ## inherited gconf configuration files. ## ## ## ## Domain to not audit. ## ## # interface(`gnome_dontaudit_read_inherited_gconf_config_files',` gen_require(` type gconf_etc_t; ') dontaudit $1 gconf_etc_t:file read; ') ####################################### ## ## Create, read, write, and delete ## gconf configuration content. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_manage_gconf_config',` gen_require(` type gconf_etc_t; ') files_search_etc($1) allow $1 gconf_etc_t:dir manage_dir_perms; allow $1 gconf_etc_t:file manage_file_perms; allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms; ') ######################################## ## ## Connect to gconf using a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_stream_connect_gconf',` gen_require(` type gconfd_t, gconf_tmp_t; ') files_search_tmp($1) stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) ') ######################################## ## ## Run gconfd in gconfd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`gnome_domtrans_gconfd',` gen_require(` type gconfd_t, gconfd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') ######################################## ## ## Create generic gnome home directories. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_create_generic_home_dirs',` gen_require(` type gnome_home_t; ') allow $1 gnome_home_t:dir create_dir_perms; ') ######################################## ## ## Set attributes of generic gnome ## user home directories. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_setattr_generic_home_dirs',` gen_require(` type gnome_home_t; ') userdom_search_user_home_dirs($1) setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ') ######################################## ## ## Read generic gnome home content. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_read_generic_home_content',` gen_require(` type gnome_home_t; ') userdom_search_user_home_dirs($1) allow $1 gnome_home_t:dir list_dir_perms; allow $1 gnome_home_t:file { read_file_perms map }; allow $1 gnome_home_t:fifo_file read_fifo_file_perms; allow $1 gnome_home_t:lnk_file read_lnk_file_perms; allow $1 gnome_home_t:sock_file read_sock_file_perms; ') ######################################## ## ## Create, read, write, and delete ## generic gnome home content. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_manage_generic_home_content',` gen_require(` type gnome_home_t; ') userdom_search_user_home_dirs($1) allow $1 gnome_home_t:dir manage_dir_perms; allow $1 gnome_home_t:file manage_file_perms; allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; allow $1 gnome_home_t:sock_file manage_sock_file_perms; ') ######################################## ## ## Search generic gnome home directories. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_search_generic_home',` gen_require(` type gnome_home_t; ') userdom_search_user_home_dirs($1) allow $1 gnome_home_t:dir search_dir_perms; ') ######################################## ## ## Create objects in gnome user home ## directories with a private type. ## ## ## ## Domain allowed access. ## ## ## ## ## Private file type. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`gnome_home_filetrans',` gen_require(` type gnome_home_t; ') userdom_search_user_home_dirs($1) filetrans_pattern($1, gnome_home_t, $2, $3, $4) ') ######################################## ## ## Create generic gconf home directories. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_create_generic_gconf_home_dirs',` gen_require(` type gconf_home_t; ') allow $1 gconf_home_t:dir create_dir_perms; ') ######################################## ## ## Read generic gconf home content. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_read_generic_gconf_home_content',` gen_require(` type gconf_home_t; ') userdom_search_user_home_dirs($1) allow $1 gconf_home_t:dir list_dir_perms; allow $1 gconf_home_t:file read_file_perms; allow $1 gconf_home_t:fifo_file read_fifo_file_perms; allow $1 gconf_home_t:lnk_file read_lnk_file_perms; allow $1 gconf_home_t:sock_file read_sock_file_perms; ') ######################################## ## ## Create, read, write, and delete ## generic gconf home content. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_manage_generic_gconf_home_content',` gen_require(` type gconf_home_t; ') userdom_search_user_home_dirs($1) allow $1 gconf_home_t:dir manage_dir_perms; allow $1 gconf_home_t:file manage_file_perms; allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; allow $1 gconf_home_t:sock_file manage_sock_file_perms; ') ######################################## ## ## Search generic gconf home directories. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_search_generic_gconf_home',` gen_require(` type gconf_home_t; ') userdom_search_user_home_dirs($1) allow $1 gconf_home_t:dir search_dir_perms; ') ######################################## ## ## Create objects in user home ## directories with the generic gconf ## home type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`gnome_home_filetrans_gconf_home',` gen_require(` type gconf_home_t; ') userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) ') ######################################## ## ## Create objects in user home ## directories with the generic gnome ## home type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`gnome_home_filetrans_gnome_home',` gen_require(` type gnome_home_t; ') userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) ') ######################################## ## ## Create objects in gnome gconf home ## directories with a private type. ## ## ## ## Domain allowed access. ## ## ## ## ## Private file type. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`gnome_gconf_home_filetrans',` gen_require(` type gconf_home_t; ') userdom_search_user_home_dirs($1) filetrans_pattern($1, gconf_home_t, $2, $3, $4) ') ######################################## ## ## Create objects in user home ## directories with the gstreamer ## orcexec type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` gen_require(` type gstreamer_orcexec_t; ') userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) ') ######################################## ## ## Create objects in the user ## runtime directories with the ## gstreamer orcexec type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` gen_require(` type gstreamer_orcexec_t; ') userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) ') ######################################## ## ## Read generic gnome keyring home files. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_read_keyring_home_files',` gen_require(` type gnome_home_t, gnome_keyring_home_t; ') userdom_search_user_home_dirs($1) read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) ') ######################################## ## ## Send and receive messages from ## gnome configuration daemon over ## dbus. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_dbus_chat_gconfd',` gen_require(` type gconfd_t; class dbus send_msg; ') allow $1 gconfd_t:dbus send_msg; allow gconfd_t $1:dbus send_msg; ') ######################################## ## ## Send and receive messages from ## gnome keyring daemon over dbus. ## ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Domain allowed access. ## ## # template(`gnome_dbus_chat_gkeyringd',` gen_require(` type $1_gkeyringd_t; class dbus send_msg; ') allow $2 $1_gkeyringd_t:dbus send_msg; allow $1_gkeyringd_t $2:dbus send_msg; ') ######################################## ## ## Send and receive messages from all ## gnome keyring daemon over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_dbus_chat_all_gkeyringd',` gen_require(` attribute gkeyringd_domain; class dbus send_msg; ') allow $1 gkeyringd_domain:dbus send_msg; allow gkeyringd_domain $1:dbus send_msg; ') ######################################## ## ## Run all gkeyringd in gkeyringd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`gnome_spec_domtrans_all_gkeyringd',` gen_require(` attribute gkeyringd_domain; type gkeyringd_exec_t; ') corecmd_search_bin($1) spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain) ') ######################################## ## ## Connect to gnome keyring daemon ## with a unix stream socket. ## ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Domain allowed access. ## ## # template(`gnome_stream_connect_gkeyringd',` gen_require(` type $1_gkeyringd_t, gnome_keyring_tmp_t; ') files_search_tmp($2) userdom_search_user_runtime($2) stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) ') ######################################## ## ## Connect to all gnome keyring daemon ## with a unix stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_stream_connect_all_gkeyringd',` gen_require(` attribute gkeyringd_domain; type gnome_keyring_tmp_t; ') files_search_tmp($1) userdom_search_user_runtime($1) stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') ######################################## ## ## Manage gstreamer ORC optimized ## code. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_manage_gstreamer_orcexec',` gen_require(` type gstreamer_orcexec_t; ') allow $1 gstreamer_orcexec_t:file manage_file_perms; ') ######################################## ## ## Mmap gstreamer ORC optimized ## code. ## ## ## ## Domain allowed access. ## ## # interface(`gnome_mmap_gstreamer_orcexec',` gen_require(` type gstreamer_orcexec_t; ') allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms; ')