rpms / selinux-policy

Clone
Source Code
GIT

Blame strict/macros/program/gnome_macros.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   a3e785d58256bd4cabf6f33f65f391ed04a03ef9
  2.   strict
  3.   macros
  4.   program
  5.   gnome_macros.te
Blob History Raw
Chris PeBenito 2705f9 
#
Chris PeBenito 2705f9 
# GNOME related types
Chris PeBenito 2705f9 
#
Chris PeBenito 2705f9 
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
Chris PeBenito 2705f9 
#
Chris PeBenito 2705f9 
# gnome_domain(role_prefix) - create GNOME domain (run for each role)
Chris PeBenito 2705f9 
# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps
Chris PeBenito 2705f9 
# gnome_file_dialog(role_prefix) - gnome file dialog rules
Chris PeBenito 2705f9 
# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
define(`gnome_domain', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Types for .gnome2 and .gnome2_private.
Chris PeBenito 2705f9 
# For backwards compatibility, allow unrestricted
Chris PeBenito 2705f9 
# access from ROLE_t. However, content inside
Chris PeBenito 2705f9 
# *should* be labeled per application eventually.
Chris PeBenito 2705f9 
# For .gnome2_private, use the private_store macro below.
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
Chris PeBenito 2705f9 
create_dir_file($1_t, $1_gnome_settings_t)
Chris PeBenito 2705f9 
allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto };
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile;
Chris PeBenito 2705f9 
create_dir_file($1_t, $1_gnome_secret_t)
Chris PeBenito 2705f9 
allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto };
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# GConf domain
Chris PeBenito 2705f9 
gconfd_domain($1)
Chris PeBenito 2705f9 
gconf_client($1, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Bonobo-activation-server
Chris PeBenito 2705f9 
bonobo_domain($1)
Chris PeBenito 2705f9 
bonobo_client($1, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# GNOME vfs daemon
Chris PeBenito 2705f9 
gnome_vfs_domain($1)
Chris PeBenito 2705f9 
gnome_vfs_client($1, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# ICE is necessary for session management
Chris PeBenito 2705f9 
ice_domain($1, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
')
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
#################################
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
define(`gnome_application', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# If launched from a terminal
Chris PeBenito 2705f9 
access_terminal($1_t, $2)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Forking is generally okay
Chris PeBenito 2705f9 
allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork };
Chris PeBenito 2705f9 
allow $1_t self:fifo_file rw_file_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Shlib, locale, sysctl, proc
Chris PeBenito 2705f9 
uses_shlib($1_t)
Chris PeBenito 2705f9 
read_locale($1_t)
Chris PeBenito 2705f9 
read_sysctl($1_t)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
allow $1_t { self proc_t }:dir { search read getattr };
Chris PeBenito 2705f9 
allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Most gnome apps use bonobo
Chris PeBenito 2705f9 
bonobo_client($1, $2)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Within-process bonobo-activation of components
Chris PeBenito 2705f9 
bonobo_connect($1, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Session management happens over ICE
Chris PeBenito 2705f9 
# FIXME: More specific context is needed for gnome-session
Chris PeBenito 2705f9 
ice_connect($1, $2)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Most talk to GConf
Chris PeBenito 2705f9 
gconf_client($1, $2)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Allow getattr/read/search of .gnome2 and .gnome2_private
Chris PeBenito 2705f9 
# Reading files should *not* be allowed - instead, more specific
Chris PeBenito 2705f9 
# types should be created to handle such requests
Chris PeBenito 2705f9 
allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Access /etc/mtab, /etc/nsswitch.conf
Chris PeBenito 2705f9 
allow $1_t etc_t:file { read getattr };
Chris PeBenito 2705f9 
allow $1_t etc_runtime_t:file { read getattr };
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Themes, gtkrc
Chris PeBenito 2705f9 
allow $1_t usr_t:{ file lnk_file } r_file_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
') dnl gnome_application
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
################################
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
define(`gnome_file_dialog', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# GNOME Open/Save As dialogs
Chris PeBenito 2705f9 
dontaudit_getattr($1_t)
Chris PeBenito 2705f9 
dontaudit_search_dir($1_t)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Bonobo connection to gnome_vfs daemon
Chris PeBenito 2705f9 
bonobo_connect($1, $2_gnome_vfs)
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
') dnl gnome_file_dialog
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
################################
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
define(`gnome_private_store', `
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Type for storing secret data
Chris PeBenito 2705f9 
# (different from home, not directly accessible from ROLE_t)
Chris PeBenito 2705f9 
type $1_secret_t, file_type, $2_file_type, sysadmfile;
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
# Put secret files in .gnome2_private
Chris PeBenito 2705f9 
file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);
Chris PeBenito 2705f9 
allow $2_t $1_secret_t:file unlink;
Chris PeBenito 2705f9
Chris PeBenito 2705f9 
') dnl gnome_private_store

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation