#
# Bonobo
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
# bonobo_domain(role_prefix) - invoke per role
# bonobo_client(app_prefix, role_prefix) - invoke per client app
# bonobo_connect(type1_prefix, type2_prefix) - 
# 	connect two bonobo clients, the channel is bidirectional
######################
define(`bonobo_domain', `

# bonobo_domain(role_prefix)
#
# Declare the per-role bonobo activation server domain ROLE_bonobo_t
# and the rules it needs to run. The single argument is the role
# prefix, so ROLE_t is the calling user domain, ROLE_r the role and
# ROLE_home_dir_t the home directory type of that role.
# Requires: bonobo_exec_t and the domain_auto_trans, uses_shlib,
# read_locale, read_sysctl, ice_connect and orbit_domain macros from
# the rest of the policy. The evolution, gnome_vfs and xdm rules are
# emitted only when the matching module is part of the build.

# Protect against double inclusion for faster compile
ifdef(`bonobo_domain_$1', `', `
define(`bonobo_domain_$1')

# Type for daemon
type $1_bonobo_t, domain, nscd_client_domain;

# Transition from caller: executing bonobo_exec_t from ROLE_t lands in
# ROLE_bonobo_t, and the role is authorized for the new domain.
domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
role $1_r types $1_bonobo_t;

# Shared libraries, gconv-modules
uses_shlib($1_bonobo_t)
allow $1_bonobo_t lib_t:file r_file_perms;

read_locale($1_bonobo_t)
read_sysctl($1_bonobo_t)

# Session management: ICE channel between the bonobo domain and the
# role domain (both arguments are prefixes, not full type names).
# FIXME: More specific context is needed for gnome-session
ice_connect($1_bonobo, $1)

# nsswitch.conf
allow $1_bonobo_t etc_t:file { read getattr };

# Fork to start apps
allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
allow $1_bonobo_t self:fifo_file rw_file_perms;

# ???
# Directory traversal only (search, no read) on root_t, home_root_t
# and the home directory of the role.
# NOTE(review): presumably needed so the daemon can resolve paths
# under the home directory; the original author left the exact
# consumer unknown, so confirm before widening or dropping these.
allow $1_bonobo_t root_t:dir search;
allow $1_bonobo_t home_root_t:dir search;
allow $1_bonobo_t $1_home_dir_t:dir search;

# libexec ???
# Search on bin_t directories only; executing their contents is
# governed by the bin_t transition rule further down.
allow $1_bonobo_t bin_t:dir search;

# ORBit sockets for bonobo
orbit_domain($1_bonobo, $1)

# Bonobo can launch evolution
# Each evolution component started from the bonobo domain runs in the
# per-role evolution domain of that component, not in ROLE_bonobo_t.
ifdef(`evolution.te', `
domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
')

# Bonobo can launch GNOME vfs daemon
ifdef(`gnome_vfs.te', `
domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
')
  
# Transition to ROLE_t on bin_t apps
# FIXME: The goal is to get rid of this rule, as it
# defeats the purpose of a separate domain. It is only
# here temporarily, since bonobo runs as ROLE_t by default anyway
# Security note: because every bin_t executable started from
# ROLE_bonobo_t returns to ROLE_t, the confinement of ROLE_bonobo_t
# covers only the activation server process itself. Anything launched
# through bonobo activation from bin_t runs in the full role domain,
# so do not rely on this domain to contain activated applications.
domain_auto_trans($1_bonobo_t, bin_t, $1_t) 

# Pipe access shared with the display manager, only when the xdm
# module is built.
ifdef(`xdm.te', `
can_pipe_xdm($1_bonobo_t)
')
  
') dnl ifdef bonobo_domain_args
') dnl bonobo_domain
#####################
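define(`bonobo_client', `

# bonobo_client(app_prefix, role_prefix)
#
# Let the application domain APP_t (first argument) use bonobo
# activation within a role (second argument): the application gets its
# own ORBit sockets, bidirectional ORBit channels to the gconfd and
# bonobo domains of that role, and may start the activation server.
# Requires: ROLE_bonobo_t (normally from bonobo_domain), ROLE_gconfd
# as an ORBit peer, ROLE_orbit_tmp_t, bonobo_exec_t, and the
# orbit_domain, orbit_connect and domain_auto_trans macros.

# Protect against double inclusion for faster compile
ifdef(`bonobo_client_$1_$2', `', `
define(`bonobo_client_$1_$2')

# Connect over bonobo: bidirectional ORBit channel to the gconfd
# domain of this role. bonobo_connect takes exactly two prefixes.
bonobo_connect($1, $2_gconfd)
 
# Create ORBit sockets
orbit_domain($1, $2)

# Connect to bonobo: bidirectional ORBit channel to the activation
# server of this role, the same shape as the gconfd channel above.
bonobo_connect($1, $2_bonobo)

# Lock /tmp/bonobo-activation-register.lock
# Stat /tmp/bonobo-activation-server.ior
# FIXME: this should probably be of type $2_bonobo..
# Note that this is file, not sock_file
# Security note: this grants read/write on regular files carrying the
# role-wide orbit tmp type, which every client of the role admitted
# through this macro shares, rather than a type private to the
# activation server.
allow $1_t $2_orbit_tmp_t:file { getattr read write lock };

# The client may start the activation server; it runs in the bonobo
# domain of the role, not in the client domain.
domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)

') dnl ifdef bonobo_client_args
') dnl bonobo_client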
#####################
define(`bonobo_connect', `

# bonobo_connect(type1_prefix, type2_prefix)
#
# Open a bidirectional ORBit channel between the two domains named by
# the prefixes: orbit_connect is applied in both directions. Both
# arguments are prefixes (for example user_gconfd), not full type
# names; orbit_connect itself is defined elsewhere in the policy.
# FIXME: Should there be a macro for unidirectional conn. ?

orbit_connect($1, $2)
orbit_connect($2, $1)

') dnl bonobo_connect