#

# Macros for giFT

#

# Author: Ivan Gyurdiev <ivg2@cornell.edu>

#

# gift_domains(domain_prefix)

# declares a domain for giftui and giftd

#########################

#  gift_domain(user)    #

#########################

define(`gift_domain', `

# Connect to X

x_client_domain($1, gift, `')	

# Transition

domain_auto_trans($1_t, gift_exec_t, $1_gift_t)

can_exec($1_gift_t, gift_exec_t)

role $1_r types $1_gift_t;

# Self permissions

allow $1_gift_t self:process getsched;

# Home files

home_domain($1, gift)

# Fonts, icons

r_dir_file($1_gift_t, usr_t)

r_dir_file($1_gift_t, fonts_t)

# Launch gift daemon

allow $1_gift_t self:process fork;

domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)

# Connect to gift daemon

can_network($1_gift_t)

# Read /proc/meminfo

allow $1_gift_t proc_t:dir search;

allow $1_gift_t proc_t:file { getattr read };

# Tmp/ORBit

tmp_domain($1_gift)

file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)

can_unix_connect($1_t, $1_gift_t)

can_unix_connect($1_gift_t, $1_t)

allow $1_t $1_gift_tmp_t:sock_file write;

allow $1_gift_t $1_tmp_t:file { getattr read write lock };

allow $1_gift_t $1_tmp_t:sock_file { read write };

dontaudit $1_gift_t $1_tmp_t:dir setattr;

# Access random device

allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };

# giftui looks in .icons, .themes, .fonts-cache.

dontaudit $1_gift_t $1_home_t:dir { getattr read search };

dontaudit $1_gift_t $1_home_t:file { getattr read };

') dnl gift_domain

##########################

#  giftd_domain(user)    #

##########################

define(`giftd_domain', `

type $1_giftd_t, domain;

# Transition from user type

domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)

role $1_r types $1_giftd_t;

# Self permissions, allow fork

allow $1_giftd_t self:process { fork signal sigchld setsched };

allow $1_giftd_t self:unix_stream_socket create_socket_perms;

read_sysctl($1_giftd_t)

read_locale($1_giftd_t)

uses_shlib($1_giftd_t)

# Access home domain

home_domain_access($1_giftd_t, $1, gift)

# Allow networking

allow $1_giftd_t port_t:tcp_socket name_bind;

allow $1_giftd_t port_t:udp_socket name_bind;

can_network_server($1_giftd_t)

can_network_client($1_giftd_t)

# FIXME: ???

dontaudit $1_giftd_t self:udp_socket listen;

# Plugins

r_dir_file($1_giftd_t, usr_t)

# Connect to xdm

ifdef(`xdm.te', `

allow $1_giftd_t xdm_t:fd use;

allow $1_giftd_t xdm_t:fifo_file write;

') 

') dnl giftd_domain

##########################

#  gift_domains(user)    #

##########################

define(`gift_domains', `

gift_domain($1)

giftd_domain($1)

') dnl gift_domains