#
# Macros for giFT
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
# gift_domains(domain_prefix)
# declares a domain for giftui and giftd
#########################
#  gift_domain(user)    #
#########################
#
# Declares the per-user domain <user>_gift_t for the giFT user interface
# (giftui) and the rules that domain needs. The single argument is the user
# domain prefix, used to form <user>_t, <user>_r and the derived gift types.
# This macro refers to <user>_giftd_t, which is declared by giftd_domain, so
# the two are meant to be expanded together (gift_domains does that).

define(`gift_domain', `

# Type transition
# Declare the domain type with the domain and nscd_client_domain attributes
# and let role $1_r use it. The transition helper is defined elsewhere; by its
# arguments it enters $1_gift_t from $1_t when a gift_exec_t program is run.
type $1_gift_t, domain, nscd_client_domain;
domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
role $1_r types $1_gift_t;

# X access, Home files, GNOME, /tmp
# These helper macros are defined elsewhere; what each one grants is not
# visible in this file.
x_client_domain($1_gift, $1)
gnome_application($1_gift, $1)
home_domain($1, gift)
# Directories this domain creates in $1_home_dir_t are presumably labelled
# $1_gift_home_t - assumed from the helper name and arguments, confirm against
# its definition.
file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)

# Allow the user domain to signal/ps.
# The user domain may send the signals in signal_perms to giftui; the process
# listing access comes from a helper defined elsewhere.
can_ps($1_t, $1_gift_t)
allow $1_t $1_gift_t:process signal_perms;

# Launch gift daemon
# giftui may search bin_t directories and, on running a giftd_exec_t program,
# moves to $1_giftd_t. That type is not declared in this macro; it comes from
# the daemon macro later in this file, so both must be expanded for the same
# prefix.
allow $1_gift_t bin_t:dir search;
domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)

# Connect to gift daemon
# The allow rule names only giftd_port_t for name_connect, so outbound TCP
# from giftui is scoped to ports carrying that label.
can_network_client_tcp($1_gift_t, giftd_port_t)
allow $1_gift_t giftd_port_t:tcp_socket name_connect;

# Read /proc/meminfo
# The rules are written against the proc_t type, so they cover every file with
# that label, not only meminfo.
allow $1_gift_t proc_t:dir search;
allow $1_gift_t proc_t:file { getattr read };

# giftui looks in .icons, .themes.
# dontaudit grants no access; it only suppresses the audit record for the
# denied getattr, read and search on $1_home_t. When reading audit logs for
# this domain, remember that these denials will not appear.
dontaudit $1_gift_t $1_home_t:dir { getattr read search };
dontaudit $1_gift_t $1_home_t:file { getattr read };

') dnl gift_domain
##########################
#  giftd_domain(user)    #
##########################
#
# Declares the per-user domain <user>_giftd_t for the giFT daemon and its
# rules. The single argument is the user domain prefix. The daemon is the
# network-facing half: the rules below let it bind and connect on any port
# type, so review those two rules first when assessing exposure.

define(`giftd_domain', `

type $1_giftd_t, domain;

# Transition from user type
domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
role $1_r types $1_giftd_t;

# Self permissions, allow fork
# Process permissions on itself are limited to the four listed; the socket
# permission set is a name defined elsewhere.
allow $1_giftd_t self:process { fork signal sigchld setsched };
allow $1_giftd_t self:unix_stream_socket create_socket_perms;

# Helper macros defined elsewhere; judging by their names they cover sysctl and
# locale reads, shared libraries and the terminal of the user - confirm against
# their definitions.
read_sysctl($1_giftd_t)
read_locale($1_giftd_t)
uses_shlib($1_giftd_t)
access_terminal($1_giftd_t, $1)

# Read /proc/meminfo
# Written against proc_t, so every file with that label is readable, not only
# meminfo.
allow $1_giftd_t proc_t:dir search;
allow $1_giftd_t proc_t:file { getattr read };

# Read /etc/mtab
# Written against etc_runtime_t, so every file with that label is readable,
# not only mtab.
allow $1_giftd_t etc_runtime_t:file { getattr read };

# Access home domain
home_domain_access($1_giftd_t, $1, gift)
# NOTE(review): the source domain on the next line is $1_gift_t, the giftui
# domain, not $1_giftd_t. The line is identical to one in the giftui macro
# earlier in this file, so it looks like a copy and paste slip, and this rule
# gives the daemon itself no automatic labelling for directories it creates in
# the home directory. Changing it would presumably also widen what the daemon
# may create there, so confirm the intent before editing.
file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)

# Serve content on various p2p networks. Ports can be random.
# The name_bind rule targets port_type rather than one port type, for both TCP
# and UDP. NOTE(review): port_type is presumably the attribute on every port
# type; if so the daemon may bind ports that policy labels for other services.
# No capability is granted directly in this macro.
can_network_server($1_giftd_t)
allow $1_giftd_t self:udp_socket listen;
allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;

# Connect to various p2p networks. Ports can be random.
# name_connect also targets port_type, so outbound TCP is not restricted by
# destination port label. This rule does not confine the daemon to peer to
# peer ports; any such limit has to come from elsewhere, for example packet
# filtering.
can_network_client($1_giftd_t)
allow $1_giftd_t port_type:tcp_socket name_connect;

# Plugins
# NOTE(review): the helper presumably gives read-only access to directories
# and files labelled usr_t, which is wider than a plugin directory alone -
# confirm against its definition.
r_dir_file($1_giftd_t, usr_t)

# Connect to xdm
can_pipe_xdm($1_giftd_t)

') dnl giftd_domain
##########################
#  gift_domains(user)    #
##########################
#
# Convenience wrapper: expands both the giftui and the giftd macro for the same
# user domain prefix. Each of those two macros refers to a type that the other
# one declares, so calling them together keeps every referenced type declared.

define(`gift_domains', `
gift_domain($1)
giftd_domain($1)
') dnl gift_domains