rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   8d9352340942286dd52f6beba48518ed50552d17
  2.   strict
  3.   macros
  4.   program
  5.   gift_macros.te
Blob Blame History Raw 
#
# Macros for giFT
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
# gift_domains(domain_prefix)
# declares a domain for giftui and giftd

#########################
#  gift_domain(user)    #
#########################

define(`gift_domain', `

# Connect to X
x_client_domain($1, gift, `')	

# Transition
domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
can_exec($1_gift_t, gift_exec_t)
role $1_r types $1_gift_t;

# Self permissions
allow $1_gift_t self:process getsched;

# Home files
home_domain($1, gift)

# Fonts, icons
r_dir_file($1_gift_t, usr_t)
r_dir_file($1_gift_t, fonts_t)

# Launch gift daemon
allow $1_gift_t self:process fork;
domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)

# Connect to gift daemon
can_network($1_gift_t)

# Read /proc/meminfo
allow $1_gift_t proc_t:dir search;
allow $1_gift_t proc_t:file { getattr read };

# Tmp/ORBit
tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
allow $1_t $1_gift_tmp_t:sock_file write;
allow $1_gift_t $1_tmp_t:file { getattr read write lock };
allow $1_gift_t $1_tmp_t:sock_file { read write };
dontaudit $1_gift_t $1_tmp_t:dir setattr;

# Access random device
allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };

# giftui looks in .icons, .themes, .fonts-cache.
dontaudit $1_gift_t $1_home_t:dir { getattr read search };
dontaudit $1_gift_t $1_home_t:file { getattr read };

') dnl gift_domain

##########################
#  giftd_domain(user)    #
##########################

define(`giftd_domain', `

type $1_giftd_t, domain;

# Transition from user type
domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
role $1_r types $1_giftd_t;

# Self permissions, allow fork
allow $1_giftd_t self:process { fork signal sigchld setsched };
allow $1_giftd_t self:unix_stream_socket create_socket_perms;

read_sysctl($1_giftd_t)
read_locale($1_giftd_t)
uses_shlib($1_giftd_t)

# Access home domain
home_domain_access($1_giftd_t, $1, gift)
	
# Allow networking
allow $1_giftd_t port_t:tcp_socket name_bind;
allow $1_giftd_t port_t:udp_socket name_bind;
can_network_server($1_giftd_t)
can_network_client($1_giftd_t)

# FIXME: ???
dontaudit $1_giftd_t self:udp_socket listen;

# Plugins
r_dir_file($1_giftd_t, usr_t)

# Connect to xdm
ifdef(`xdm.te', `
allow $1_giftd_t xdm_t:fd use;
allow $1_giftd_t xdm_t:fifo_file write;
') 

') dnl giftd_domain

##########################
#  gift_domains(user)    #
##########################

define(`gift_domains', `
gift_domain($1)
giftd_domain($1)
') dnl gift_domains

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation