selinux-refpolicy/policy/modules/apps/openoffice.if

135 lines
2.5 KiB
Plaintext

## <summary>Openoffice suite.</summary>
############################################################
## <summary>
## Role access for openoffice.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
#
interface(`ooffice_role',`
gen_require(`
attribute_role ooffice_roles;
type ooffice_t, ooffice_exec_t;
')
roleattribute $1 ooffice_roles;
allow ooffice_t $2:unix_stream_socket connectto;
domtrans_pattern($2, ooffice_exec_t, ooffice_t)
allow $2 ooffice_t:process { ptrace signal_perms };
ps_process_pattern($2, ooffice_t)
optional_policy(`
ooffice_dbus_chat($2)
')
')
########################################
## <summary>
## Run openoffice in its own domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ooffice_domtrans',`
gen_require(`
type ooffice_t, ooffice_exec_t;
')
domtrans_pattern($1, ooffice_exec_t, ooffice_t)
')
########################################
## <summary>
## Do not audit attempts to execute
## files in temporary directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`ooffice_dontaudit_exec_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
dontaudit $1 ooffice_tmp_t:file exec_file_perms;
')
########################################
## <summary>
## Read and write temporary
## openoffice files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ooffice_rw_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
#######################################
## <summary>
## Send and receive dbus messages
## from and to the openoffice
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ooffice_dbus_chat',`
gen_require(`
type ooffice_t;
class dbus send_msg;
')
allow $1 ooffice_t:dbus send_msg;
allow ooffice_t $1:dbus send_msg;
')
########################################
## <summary>
## Connect to openoffice using a
## unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ooffice_stream_connect',`
gen_require(`
type ooffice_t, ooffice_tmp_t;
')
files_search_tmp($1)
stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
')