policy_module(openoffice, 1.4.1)

##############################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether openoffice can
##	download software updates from the
##	network (application and/or
##	extensions).
##	</p>
## </desc>
gen_tunable(openoffice_allow_update, true)

## <desc>
##	<p>
##	Determine whether openoffice writer
##	can send emails directly (print to
##	email). This is different from the
##	functionality of sending emails
##	through external clients which is
##	always enabled.
##	</p>
## </desc>
gen_tunable(openoffice_allow_email, false)

attribute_role ooffice_roles;

type ooffice_t;
type ooffice_exec_t;
userdom_user_application_domain(ooffice_t, ooffice_exec_t)
role ooffice_roles types ooffice_t;

optional_policy(`
	wm_application_domain(ooffice_t, ooffice_exec_t)
')

type ooffice_home_t;
userdom_user_home_content(ooffice_home_t)

type ooffice_tmp_t;
files_tmp_file(ooffice_tmp_t)

##############################
#
# Openoffice local policy
#

allow ooffice_t self:process { execmem getsched signal };
allow ooffice_t self:shm create_shm_perms;
allow ooffice_t self:fifo_file rw_fifo_file_perms;
allow ooffice_t self:unix_stream_socket connectto;

allow ooffice_t ooffice_home_t:dir manage_dir_perms;
allow ooffice_t ooffice_home_t:file manage_file_perms;
allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")

manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })

can_exec(ooffice_t, ooffice_exec_t)

kernel_dontaudit_read_system_state(ooffice_t)

corecmd_exec_bin(ooffice_t)
corecmd_exec_shell(ooffice_t)

dev_read_sysfs(ooffice_t)
dev_read_urand(ooffice_t)

domain_use_interactive_fds(ooffice_t)

files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
files_read_etc_files(ooffice_t)
files_map_usr_files(ooffice_t)
files_read_usr_files(ooffice_t)

fs_getattr_xattr_fs(ooffice_t)

miscfiles_read_fonts(ooffice_t)
miscfiles_read_localization(ooffice_t)

ooffice_dontaudit_exec_tmp_files(ooffice_t)

sysnet_dns_name_resolve(ooffice_t)

userdom_dontaudit_exec_user_home_content_files(ooffice_t)
userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
userdom_manage_user_tmp_dirs(ooffice_t)
userdom_manage_user_tmp_sockets(ooffice_t)
userdom_use_inherited_user_terminals(ooffice_t)

userdom_user_content_access_template(openoffice, ooffice_t)

xdg_manage_documents(ooffice_t)

tunable_policy(`openoffice_allow_update',`
	corenet_tcp_connect_http_port(ooffice_t)
')

tunable_policy(`openoffice_allow_email',`
	corenet_tcp_connect_smtp_port(ooffice_t)
	corenet_tcp_sendrecv_smtp_port(ooffice_t)
	corenet_sendrecv_smtp_client_packets(ooffice_t)
')

optional_policy(`
	cups_read_config(ooffice_t)
	cups_stream_connect(ooffice_t)
')

optional_policy(`
	dbus_all_session_bus_client(ooffice_t)
')

optional_policy(`
	evolution_domtrans(ooffice_t)
	evolution_read_home_files(ooffice_t)
')

optional_policy(`
	gnome_dbus_chat_gconfd(ooffice_t)
	gnome_stream_connect_gconf(ooffice_t)
')

optional_policy(`
	hostname_exec(ooffice_t)
')

optional_policy(`
	java_exec(ooffice_t)
')

optional_policy(`
	mozilla_domtrans(ooffice_t)
	mozilla_read_tmp_files(ooffice_t)
')

optional_policy(`
	thunderbird_domtrans(ooffice_t)
')

optional_policy(`
	xserver_rw_xsession_log(ooffice_t)
	xserver_read_user_iceauth(ooffice_t)
	xserver_read_user_xauth(ooffice_t)
	xserver_read_xdm_tmp_files(ooffice_t)
	xserver_stream_connect(ooffice_t)
	xserver_stream_connect_xdm(ooffice_t)
')