1d8333d7a7
When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
459 lines
14 KiB
Plaintext
459 lines
14 KiB
Plaintext
policy_module(telepathy, 1.10.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether telepathy connection
|
|
## managers can connect to generic tcp ports.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether telepathy connection
|
|
## managers can connect to any port.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(telepathy_connect_all_ports, false)
|
|
|
|
attribute telepathy_domain;
|
|
attribute telepathy_executable;
|
|
attribute telepathy_tmp_content;
|
|
|
|
telepathy_domain_template(gabble)
|
|
|
|
type telepathy_xdg_cache_t;
|
|
xdg_cache_content(telepathy_xdg_cache_t)
|
|
|
|
type telepathy_gabble_xdg_cache_t;
|
|
xdg_cache_content(telepathy_gabble_xdg_cache_t)
|
|
|
|
telepathy_domain_template(idle)
|
|
telepathy_domain_template(logger)
|
|
|
|
type telepathy_xdg_data_t;
|
|
xdg_data_content(telepathy_xdg_data_t)
|
|
|
|
type telepathy_logger_xdg_cache_t;
|
|
xdg_cache_content(telepathy_logger_xdg_cache_t)
|
|
|
|
type telepathy_logger_xdg_data_t;
|
|
xdg_data_content(telepathy_logger_xdg_data_t)
|
|
|
|
telepathy_domain_template(mission_control)
|
|
|
|
type telepathy_mission_control_home_t;
|
|
userdom_user_home_content(telepathy_mission_control_home_t)
|
|
|
|
type telepathy_mission_control_xdg_data_t;
|
|
xdg_data_content(telepathy_mission_control_xdg_data_t)
|
|
|
|
type telepathy_mission_control_xdg_cache_t;
|
|
xdg_cache_content(telepathy_mission_control_xdg_cache_t)
|
|
|
|
telepathy_domain_template(msn)
|
|
telepathy_domain_template(salut)
|
|
telepathy_domain_template(sofiasip)
|
|
telepathy_domain_template(stream_engine)
|
|
telepathy_domain_template(sunshine)
|
|
|
|
type telepathy_sunshine_home_t;
|
|
userdom_user_home_content(telepathy_sunshine_home_t)
|
|
|
|
#######################################
|
|
#
|
|
# Gabble local policy
|
|
#
|
|
|
|
allow telepathy_gabble_t self:tcp_socket { accept listen };
|
|
allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
|
|
# ~/.cache/telepathy/gabble/caps-cache.db-journal
|
|
manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
|
|
manage_files_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
|
|
filetrans_pattern(telepathy_gabble_t, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
|
|
# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")
|
|
|
|
manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
|
|
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
|
|
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
|
|
|
|
corenet_sendrecv_http_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_http_port(telepathy_gabble_t)
|
|
|
|
corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
|
|
|
|
corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_vnc_port(telepathy_gabble_t)
|
|
|
|
dev_read_rand(telepathy_gabble_t)
|
|
|
|
files_read_config_files(telepathy_gabble_t)
|
|
files_read_usr_files(telepathy_gabble_t)
|
|
|
|
miscfiles_read_all_certs(telepathy_gabble_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
corenet_sendrecv_all_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_all_ports(telepathy_gabble_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_generic_port(telepathy_gabble_t)
|
|
')
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(telepathy_gabble_t)
|
|
fs_manage_nfs_files(telepathy_gabble_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(telepathy_gabble_t)
|
|
fs_manage_cifs_files(telepathy_gabble_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(telepathy_gabble_t)
|
|
')
|
|
|
|
# optional_policy(`
|
|
# ~/.config/dconf/user
|
|
# gnome_manage_generic_home_content(telepathy_gabble_t)
|
|
# ')
|
|
|
|
#######################################
|
|
#
|
|
# Idle local policy
|
|
#
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_idle_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
|
|
|
|
corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
|
|
|
|
corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_ircd_port(telepathy_idle_t)
|
|
|
|
dev_read_rand(telepathy_idle_t)
|
|
|
|
files_read_usr_files(telepathy_idle_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
corenet_sendrecv_all_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_all_ports(telepathy_idle_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
corenet_sendrecv_generic_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_generic_port(telepathy_idle_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# Logger local policy
|
|
#
|
|
|
|
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
|
|
manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
|
|
filetrans_pattern(telepathy_logger_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
|
|
|
|
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
|
|
manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
|
|
# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_xdg_data_t, dir, "TpLogger")
|
|
|
|
files_read_usr_files(telepathy_logger_t)
|
|
files_search_pids(telepathy_logger_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(telepathy_logger_t)
|
|
fs_manage_nfs_files(telepathy_logger_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(telepathy_logger_t)
|
|
fs_manage_cifs_files(telepathy_logger_t)
|
|
')
|
|
|
|
# optional_policy(`
|
|
# ~/.config/dconf/user
|
|
# gnome_manage_generic_home_content(telepathy_logger_t)
|
|
# ')
|
|
|
|
#######################################
|
|
#
|
|
# Mission-Control local policy
|
|
#
|
|
|
|
allow telepathy_mission_control_t self:process setsched;
|
|
|
|
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
|
|
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
|
|
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
|
|
|
|
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
|
|
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
|
|
filetrans_pattern(telepathy_mission_control_t, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
|
|
|
|
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, telepathy_mission_control_xdg_cache_t)
|
|
# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, file, ".mc_connections")
|
|
|
|
manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
|
|
manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
|
|
|
|
dev_read_rand(telepathy_mission_control_t)
|
|
|
|
files_list_tmp(telepathy_mission_control_t)
|
|
files_read_usr_files(telepathy_mission_control_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(telepathy_mission_control_t)
|
|
fs_manage_nfs_files(telepathy_mission_control_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(telepathy_mission_control_t)
|
|
fs_manage_cifs_files(telepathy_mission_control_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(telepathy_mission_control_t)
|
|
|
|
optional_policy(`
|
|
devicekit_dbus_chat_power(telepathy_mission_control_t)
|
|
')
|
|
optional_policy(`
|
|
gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
|
|
')
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(telepathy_mission_control_t)
|
|
')
|
|
')
|
|
|
|
# optional_policy(`
|
|
# ~/.config/dconf/user
|
|
# gnome_manage_generic_home_content(telepathy_mission_control_t)
|
|
# ')
|
|
|
|
#######################################
|
|
#
|
|
# Butterfly and Haze local policy
|
|
#
|
|
|
|
allow telepathy_msn_t self:process setsched;
|
|
|
|
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
|
|
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
|
|
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
|
|
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
|
|
|
|
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
|
|
|
|
can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_msn_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
|
|
|
|
corenet_sendrecv_http_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_http_port(telepathy_msn_t)
|
|
|
|
corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_mmcc_port(telepathy_msn_t)
|
|
|
|
corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_msnp_port(telepathy_msn_t)
|
|
|
|
corenet_sendrecv_sip_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_sip_port(telepathy_msn_t)
|
|
|
|
corecmd_exec_bin(telepathy_msn_t)
|
|
corecmd_exec_shell(telepathy_msn_t)
|
|
|
|
files_read_usr_files(telepathy_msn_t)
|
|
|
|
init_read_state(telepathy_msn_t)
|
|
|
|
libs_exec_ldconfig(telepathy_msn_t)
|
|
|
|
logging_send_syslog_msg(telepathy_msn_t)
|
|
|
|
miscfiles_read_all_certs(telepathy_msn_t)
|
|
|
|
# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
corenet_sendrecv_all_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_all_ports(telepathy_msn_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
corenet_sendrecv_generic_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_generic_port(telepathy_msn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(telepathy_msn_t)
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(telepathy_msn_t)
|
|
')
|
|
')
|
|
|
|
# optional_policy(`
|
|
# ~/.config/dconf/user
|
|
# gnome_manage_generic_home_content(telepathy_msn_t)
|
|
# ')
|
|
|
|
#######################################
|
|
#
|
|
# Salut local policy
|
|
#
|
|
|
|
allow telepathy_salut_t self:tcp_socket { accept listen };
|
|
|
|
manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
|
|
files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_salut_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
|
|
corenet_tcp_bind_generic_node(telepathy_salut_t)
|
|
|
|
corenet_sendrecv_presence_server_packets(telepathy_salut_t)
|
|
corenet_tcp_bind_presence_port(telepathy_salut_t)
|
|
corenet_sendrecv_presence_client_packets(telepathy_salut_t)
|
|
corenet_tcp_connect_presence_port(telepathy_salut_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
corenet_sendrecv_all_client_packets(telepathy_salut_t)
|
|
corenet_tcp_connect_all_ports(telepathy_salut_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
corenet_sendrecv_generic_client_packets(telepathy_salut_t)
|
|
corenet_tcp_connect_generic_port(telepathy_salut_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(telepathy_salut_t)
|
|
|
|
optional_policy(`
|
|
avahi_dbus_chat(telepathy_salut_t)
|
|
')
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# Sofiasip local policy
|
|
#
|
|
|
|
allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
|
|
allow telepathy_sofiasip_t self:tcp_socket { accept listen };
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
|
|
corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
|
|
corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
|
|
corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
|
|
corenet_raw_bind_generic_node(telepathy_sofiasip_t)
|
|
|
|
corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
|
|
|
|
corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
|
|
|
|
corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
|
|
|
|
kernel_request_load_module(telepathy_sofiasip_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# Sunshine local policy
|
|
#
|
|
|
|
manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
|
|
manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
|
|
userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
|
|
|
|
manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
|
|
files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
|
|
|
|
can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
|
|
|
|
corecmd_exec_bin(telepathy_sunshine_t)
|
|
|
|
files_read_usr_files(telepathy_sunshine_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(telepathy_sunshine_t)
|
|
fs_manage_nfs_files(telepathy_sunshine_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(telepathy_sunshine_t)
|
|
fs_manage_cifs_files(telepathy_sunshine_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_read_xdm_pid(telepathy_sunshine_t)
|
|
xserver_stream_connect(telepathy_sunshine_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# Common telepathy domain local policy
|
|
#
|
|
|
|
allow telepathy_domain self:process { getsched signal sigkill };
|
|
allow telepathy_domain self:fifo_file rw_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(telepathy_domain, telepathy_xdg_cache_t, telepathy_xdg_cache_t)
|
|
xdg_cache_filetrans(telepathy_domain, telepathy_xdg_cache_t, dir, "telepathy")
|
|
|
|
manage_dirs_pattern(telepathy_domain, telepathy_xdg_data_t, telepathy_xdg_data_t)
|
|
xdg_data_filetrans(telepathy_domain, telepathy_xdg_data_t, dir, "telepathy")
|
|
|
|
dev_read_urand(telepathy_domain)
|
|
|
|
kernel_read_system_state(telepathy_domain)
|
|
|
|
fs_getattr_all_fs(telepathy_domain)
|
|
fs_search_auto_mountpoints(telepathy_domain)
|
|
|
|
miscfiles_read_localization(telepathy_domain)
|
|
|
|
optional_policy(`
|
|
automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_rw_xdm_pipes(telepathy_domain)
|
|
')
|