selinux-refpolicy/policy/modules/apps/gnome.if
Kenton Groombridge 7cd14e0c49 gnome, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00

817 lines
17 KiB
Plaintext

## <summary>GNU network object model environment.</summary>
#######################################
## <summary>
## The role template for gnome.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
## <param name="user_exec_domain">
## <summary>
## User exec domain for execute and transition access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
#
template(`gnome_role_template',`
gen_require(`
attribute gnomedomain, gkeyringd_domain;
attribute_role gconfd_roles;
type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t, gnome_home_t;
')
########################################
#
# Gconf declarations
#
roleattribute $4 gconfd_roles;
########################################
#
# Gkeyringd declarations
#
type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
domain_user_exemption_target($1_gkeyringd_t)
role $4 types $1_gkeyringd_t;
########################################
#
# Gconf policy
#
domtrans_pattern($3, gconfd_exec_t, gconfd_t)
allow $2 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
userdom_user_home_dir_filetrans($2, gconf_home_t, dir, ".gconf")
userdom_user_home_dir_filetrans($2, gconf_home_t, dir, ".gconfd")
allow $3 gconfd_t:process { ptrace signal_perms };
ps_process_pattern($3, gconfd_t)
optional_policy(`
systemd_user_app_status($1, gconfd_t)
')
########################################
#
# Gkeyringd policy
#
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
allow $2 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
allow $2 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome")
userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome2")
userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome2_private")
gnome_home_filetrans($2, gnome_keyring_home_t, dir, "keyrings")
allow $2 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
corecmd_bin_domtrans($1_gkeyringd_t, $2)
corecmd_shell_domtrans($1_gkeyringd_t, $2)
gnome_stream_connect_gkeyringd($1, $3)
optional_policy(`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
dbus_system_bus_client($1_gkeyringd_t)
optional_policy(`
evolution_dbus_chat($1_gkeyringd_t)
')
optional_policy(`
gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
optional_policy(`
wm_dbus_chat($1, $1_gkeyringd_t)
')
')
optional_policy(`
systemd_user_app_status($1, $1_gkeyringd_t)
')
')
########################################
## <summary>
## Execute gconf in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_exec_gconf',`
gen_require(`
type gconfd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, gconfd_exec_t)
')
########################################
## <summary>
## Read gconf configuration content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_read_gconf_config',`
gen_require(`
type gconf_etc_t;
')
files_search_etc($1)
allow $1 gconf_etc_t:dir list_dir_perms;
allow $1 gconf_etc_t:file read_file_perms;
allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read
## inherited gconf configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
gen_require(`
type gconf_etc_t;
')
dontaudit $1 gconf_etc_t:file read;
')
#######################################
## <summary>
## Create, read, write, and delete
## gconf configuration content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
gen_require(`
type gconf_etc_t;
')
files_search_etc($1)
allow $1 gconf_etc_t:dir manage_dir_perms;
allow $1 gconf_etc_t:file manage_file_perms;
allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
')
########################################
## <summary>
## Connect to gconf using a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_stream_connect_gconf',`
gen_require(`
type gconfd_t, gconf_tmp_t;
')
files_search_tmp($1)
stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
')
########################################
## <summary>
## Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`gnome_domtrans_gconfd',`
gen_require(`
type gconfd_t, gconfd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
########################################
## <summary>
## Create generic gnome home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_create_generic_home_dirs',`
gen_require(`
type gnome_home_t;
')
allow $1 gnome_home_t:dir create_dir_perms;
')
########################################
## <summary>
## Set attributes of generic gnome
## user home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_setattr_generic_home_dirs',`
gen_require(`
type gnome_home_t;
')
userdom_search_user_home_dirs($1)
setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
')
########################################
## <summary>
## Read generic gnome home content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_read_generic_home_content',`
gen_require(`
type gnome_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gnome_home_t:dir list_dir_perms;
allow $1 gnome_home_t:file { read_file_perms map };
allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
allow $1 gnome_home_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## generic gnome home content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_generic_home_content',`
gen_require(`
type gnome_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gnome_home_t:dir manage_dir_perms;
allow $1 gnome_home_t:file manage_file_perms;
allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
allow $1 gnome_home_t:sock_file manage_sock_file_perms;
')
########################################
## <summary>
## Search generic gnome home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_search_generic_home',`
gen_require(`
type gnome_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gnome_home_t:dir search_dir_perms;
')
########################################
## <summary>
## Create objects in gnome user home
## directories with a private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## Private file type.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`gnome_home_filetrans',`
gen_require(`
type gnome_home_t;
')
userdom_search_user_home_dirs($1)
filetrans_pattern($1, gnome_home_t, $2, $3, $4)
')
########################################
## <summary>
## Create generic gconf home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_create_generic_gconf_home_dirs',`
gen_require(`
type gconf_home_t;
')
allow $1 gconf_home_t:dir create_dir_perms;
')
########################################
## <summary>
## Read generic gconf home content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_read_generic_gconf_home_content',`
gen_require(`
type gconf_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gconf_home_t:dir list_dir_perms;
allow $1 gconf_home_t:file read_file_perms;
allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
allow $1 gconf_home_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## generic gconf home content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_generic_gconf_home_content',`
gen_require(`
type gconf_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gconf_home_t:dir manage_dir_perms;
allow $1 gconf_home_t:file manage_file_perms;
allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
allow $1 gconf_home_t:sock_file manage_sock_file_perms;
')
########################################
## <summary>
## Search generic gconf home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_search_generic_gconf_home',`
gen_require(`
type gconf_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gconf_home_t:dir search_dir_perms;
')
########################################
## <summary>
## Create objects in user home
## directories with the generic gconf
## home type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`gnome_home_filetrans_gconf_home',`
gen_require(`
type gconf_home_t;
')
userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
')
########################################
## <summary>
## Create objects in user home
## directories with the generic gnome
## home type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`gnome_home_filetrans_gnome_home',`
gen_require(`
type gnome_home_t;
')
userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
')
########################################
## <summary>
## Create objects in gnome gconf home
## directories with a private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## Private file type.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`gnome_gconf_home_filetrans',`
gen_require(`
type gconf_home_t;
')
userdom_search_user_home_dirs($1)
filetrans_pattern($1, gconf_home_t, $2, $3, $4)
')
########################################
## <summary>
## Create objects in user home
## directories with the gstreamer
## orcexec type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
gen_require(`
type gstreamer_orcexec_t;
')
userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
')
########################################
## <summary>
## Create objects in the user
## runtime directories with the
## gstreamer orcexec type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
gen_require(`
type gstreamer_orcexec_t;
')
userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
')
########################################
## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_read_keyring_home_files',`
gen_require(`
type gnome_home_t, gnome_keyring_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
')
########################################
## <summary>
## Send and receive messages from
## gnome configuration daemon over
## dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_dbus_chat_gconfd',`
gen_require(`
type gconfd_t;
class dbus send_msg;
')
allow $1 gconfd_t:dbus send_msg;
allow gconfd_t $1:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## gnome keyring daemon over dbus.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`gnome_dbus_chat_gkeyringd',`
gen_require(`
type $1_gkeyringd_t;
class dbus send_msg;
')
allow $2 $1_gkeyringd_t:dbus send_msg;
allow $1_gkeyringd_t $2:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from all
## gnome keyring daemon over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_dbus_chat_all_gkeyringd',`
gen_require(`
attribute gkeyringd_domain;
class dbus send_msg;
')
allow $1 gkeyringd_domain:dbus send_msg;
allow gkeyringd_domain $1:dbus send_msg;
')
########################################
## <summary>
## Run all gkeyringd in gkeyringd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`gnome_spec_domtrans_all_gkeyringd',`
gen_require(`
attribute gkeyringd_domain;
type gkeyringd_exec_t;
')
corecmd_search_bin($1)
spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)
')
########################################
## <summary>
## Connect to gnome keyring daemon
## with a unix stream socket.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`gnome_stream_connect_gkeyringd',`
gen_require(`
type $1_gkeyringd_t, gnome_keyring_tmp_t;
')
files_search_tmp($2)
userdom_search_user_runtime($2)
stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
')
########################################
## <summary>
## Connect to all gnome keyring daemon
## with a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_stream_connect_all_gkeyringd',`
gen_require(`
attribute gkeyringd_domain;
type gnome_keyring_tmp_t;
')
files_search_tmp($1)
userdom_search_user_runtime($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
########################################
## <summary>
## Manage gstreamer ORC optimized
## code.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_gstreamer_orcexec',`
gen_require(`
type gstreamer_orcexec_t;
')
allow $1 gstreamer_orcexec_t:file manage_file_perms;
')
########################################
## <summary>
## Mmap gstreamer ORC optimized
## code.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_mmap_gstreamer_orcexec',`
gen_require(`
type gstreamer_orcexec_t;
')
allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
')