From ab8f919e6f741b82a403be1bb9d5cdb443ae9c00 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 12 Aug 2010 09:21:36 -0400
Subject: [PATCH] Part of gnome patch from Dan Walsh.
---
 policy/modules/apps/gnome.fc | 1 +
 policy/modules/apps/gnome.if | 97 ++++++++++++++++++++++++++++++++++++
 policy/modules/apps/gnome.te | 7 ++-
 3 files changed, 103 insertions(+), 2 deletions(-)
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index 223a9d1e6..00a19e3c4 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
 /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index b7bcad49c..f5afe78db 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
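Review bot: The new `HOME_DIR/\.gnome2(/.*)?` entry labels the whole ~/.gnome2 tree with gnome_home_t, the same type already used for ~/.config/gtk-*, so every domain that is granted gnome_home_t access (read or manage) now reaches everything applications keep under .gnome2. On releases where gnome-keyring stores its keyrings in ~/.gnome2/keyrings that would include the user's stored secrets, which is a much broader grant than "gtk config". If that is intended, a comment on the line such as `# ~/.gnome2 shares gnome_home_t; includes any application data stored there` would record the decision; otherwise a dedicated type for the sensitive subdirectory keeps the gtk-config grants narrow.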
@@ -35,6 +35,64 @@ interface(`gnome_role',`
 allow $2 gconfd_t:unix_stream_socket connectto;
 ')
+########################################
+##
+## Execute gconf programs in
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+##
+## Read gconf config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete gconf config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
 ########################################
 ##
 ## gconf connection template.
@@ -72,6 +130,45 @@ interface(`gnome_domtrans_gconfd',`
 domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 ')
+########################################
+##
+## Set attributes of Gnome config dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+##
+## Read gnome homedir content (.config)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`gnome_read_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ read_files_pattern($1, gnome_home_t, gnome_home_t)
+ read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
 ########################################
 ##
 ## manage gnome homedir content (.config)
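Review bot: `gnome_read_gconf_config` is declared with `template(` although it derives no types and only grants access, while `gnome_manage_gconf_config` in the same hunk is an `interface(`; the opening line should use `interface(` so callers and the refpolicy docs tooling treat it like its siblings. In the same block the bare `allow $1 gconf_etc_t:dir list_dir_perms;` should be `list_dirs_pattern($1, gconf_etc_t, gconf_etc_t)` to match the pattern-macro style of the line below it. The `gnome_exec_gconf` summary has a doubled word and should read `## Execute gconf programs in the caller domain.`, and the separator above `gnome_manage_gconf_config` is one `#` shorter than every other header in the file. Since gconf_etc_t labels /etc/gconf (see the .fc file), the `gnome_manage_gconf_config` summary should warn callers, e.g. `## This grants write access to the system-wide /etc/gconf tree; restrict to domains that administer gconf defaults.`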
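Review bot: `gnome_setattr_config_dirs` pairs its grant with `files_search_home($1)`, which as I read refpolicy's files.if only allows search on the home root directory (home_root_t), not on the user's own home directory, so a caller without an existing `userdom_search_user_home_dirs($1)` still cannot traverse to ~/.config or ~/.gnome2; the usual pairing for user home content is `userdom_search_user_home_dirs($1)`. `gnome_read_config` grants no home search at all and so silently depends on the caller already having it — either add the same search call or state that expectation in its summary. Like `gnome_read_gconf_config` earlier in this patch, `gnome_read_config` is declared with `template(` but creates no types and should be an `interface(`; its summary is also the only one in the hunk without a terminating period.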
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 4bebd9dca..35f748636 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.0.0)
+policy_module(gnome, 2.0.1)
 ##############################
 #
@@ -8,16 +8,18 @@ policy_module(gnome, 2.0.0)
 attribute gnomedomain;
 type gconf_etc_t;
-files_type(gconf_etc_t)
+files_config_file(gconf_etc_t)
 type gconf_home_t;
 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
 typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
 userdom_user_home_content(gconf_home_t)
 type gconf_tmp_t;
 typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
 typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
 files_tmp_file(gconf_tmp_t)
 ubac_constrained(gconf_tmp_t)
@@ -31,6 +33,7 @@ ubac_constrained(gconfd_t)
 type gnome_home_t;
 typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
 typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
 userdom_user_home_content(gnome_home_t)
 ##############################
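Review bot: Switching gconf_etc_t from `files_type` to `files_config_file` puts it in the configfile attribute, so any domain using the attribute-wide interfaces (e.g. files_read_config_files) now reads /etc/gconf without ever calling the new gnome_read_gconf_config; that is plausibly intended for defaults data, but it widens access beyond what the new gnome.if interfaces suggest and neither the hunk nor the commit message says so. A short comment above the line, `# configfile attribute: also readable through the generic /etc config-file interfaces`, would record the decision for the next reader. The added `typealias ... unconfined_*` lines follow the existing compatibility-alias style, though grouping each with the adjacent `{ auditadm_... secadm_... }` brace list would keep one alias statement per type.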