#
# Macros for giFT
#
# Author: Ivan Gyurdiev
#
# gift_domains(domain_prefix)
# declares a domain for giftui and giftd
#
# Three macros are defined here: gift_domain (the GUI client),
# giftd_domain (the daemon) and gift_domains (both). Each takes the
# per-user domain prefix as $1, so names such as $1_gift_t expand to
# the per-user types.

#########################
# gift_domain(user)     #
#########################
# Defines the $1_gift_t domain for the giFT GUI client run by user $1.
# It is entered from $1_t via gift_exec_t, may launch giftd (transitioning
# to $1_giftd_t), reaches the daemon over the network, and exchanges unix
# sockets with the user domain through a private tmp type.
define(`gift_domain', `
# Connect to X
# NOTE(review): the $1_gift_t type itself is presumably declared by
# x_client_domain - confirm against that macro.
x_client_domain($1, gift, `')

# Transition: executing gift_exec_t from $1_t enters $1_gift_t, and the new
# domain may itself execute that binary.
domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
can_exec($1_gift_t, gift_exec_t)
role $1_r types $1_gift_t;

# Self permissions
allow $1_gift_t self:process getsched;

# Home files
home_domain($1, gift)

# Fonts, icons
r_dir_file($1_gift_t, usr_t)
r_dir_file($1_gift_t, fonts_t)

# Launch gift daemon: fork, then exec giftd_exec_t into the per-user
# daemon domain.
allow $1_gift_t self:process fork;
domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)

# Connect to gift daemon
# NOTE(review): can_network grants the client more than it needs to reach
# the daemon. giftd_domain below uses the separate can_network_client and
# can_network_server macros, so can_network_client would be the tighter
# choice here if giftui never listens - confirm.
can_network($1_gift_t)

# Read /proc/meminfo
allow $1_gift_t proc_t:dir search;
allow $1_gift_t proc_t:file { getattr read };

# Tmp/ORBit: files the client creates under $1_tmp_t get the private type
# $1_gift_tmp_t; client and user domain connect to each other over unix
# sockets, and the user domain may write the client socket file.
tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
allow $1_t $1_gift_tmp_t:sock_file write;
allow $1_gift_t $1_tmp_t:file { getattr read write lock };
allow $1_gift_t $1_tmp_t:sock_file { read write };
# Still denied, just not logged.
dontaudit $1_gift_t $1_tmp_t:dir setattr;

# Access random device
allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };

# giftui looks in .icons, .themes, .fonts-cache.
# These lookups on $1_home_t stay denied; dontaudit only suppresses the
# log noise they would otherwise produce.
dontaudit $1_gift_t $1_home_t:dir { getattr read search };
dontaudit $1_gift_t $1_home_t:file { getattr read };
') dnl gift_domain

##########################
# giftd_domain(user)     #
##########################
# Defines the $1_giftd_t domain for the giFT daemon run by user $1.
# It is entered from $1_t (and from $1_gift_t, see gift_domain) via
# giftd_exec_t, acts as both network server and client, and reads the
# gift home files of that user.
define(`giftd_domain', `
type $1_giftd_t, domain;

# Transition from user type
domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
role $1_r types $1_giftd_t;

# Self permissions, allow fork
allow $1_giftd_t self:process { fork signal sigchld setsched };
allow $1_giftd_t self:unix_stream_socket create_socket_perms;
read_sysctl($1_giftd_t)
read_locale($1_giftd_t)
uses_shlib($1_giftd_t)

# Access home domain
home_domain_access($1_giftd_t, $1, gift)

# Allow networking
# NOTE(review): port_t is the generic port type, so name_bind here is not
# pinned to a giftd-specific port. A dedicated port type would be tighter
# if the daemon port is fixed - confirm.
allow $1_giftd_t port_t:tcp_socket name_bind;
allow $1_giftd_t port_t:udp_socket name_bind;
can_network_server($1_giftd_t)
can_network_client($1_giftd_t)

# FIXME: ???
# The udp listen denial is silenced rather than allowed; reason unknown.
dontaudit $1_giftd_t self:udp_socket listen;

# Plugins
r_dir_file($1_giftd_t, usr_t)

# Connect to xdm: only compiled in when the display manager policy is
# present.
ifdef(`xdm.te', `
allow $1_giftd_t xdm_t:fd use;
allow $1_giftd_t xdm_t:fifo_file write;
')
') dnl giftd_domain

##########################
# gift_domains(user)     #
##########################
# Convenience wrapper: declares both the client and the daemon domain for
# user prefix $1.
define(`gift_domains', `
gift_domain($1)
giftd_domain($1)
') dnl gift_domains