[selinux-policy: 2812/3172] Part of gnome patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:10:18 UTC 2010
commit ab8f919e6f741b82a403be1bb9d5cdb443ae9c00
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Aug 12 09:21:36 2010 -0400
Part of gnome patch from Dan Walsh.
policy/modules/apps/gnome.fc | 1 +
policy/modules/apps/gnome.if | 97 ++++++++++++++++++++++++++++++++++++++++++
policy/modules/apps/gnome.te | 7 ++-
3 files changed, 103 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index 223a9d1..00a19e3 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
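Review bot: The new pattern `HOME_DIR/\.gnome2(/.*)?` labels `~/.gnome2` and everything below it, but nothing that merely shares the prefix, so a sibling such as `~/.gnome2_private` (which GNOME 2 applications use for per-user private data, as far as I recall) would keep the generic home-content label and stay out of reach of the gnome_home_t interfaces. If that directory is expected on target systems, add `HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)` next to it; if it is deliberately excluded, a one-line comment saying so would stop the next reader from "fixing" it.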
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index b7bcad4..f5afe78 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -37,6 +37,64 @@ interface(`gnome_role',`
########################################
## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Read gconf config files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete gconf config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
## gconf connection template.
## </summary>
## <param name="user_domain">
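Review bot: `gnome_read_gconf_config` is declared with `template(` although it derives no per-role types, so it should be `interface(` like the two new siblings around it, and its parameter should be `domain` rather than `user_domain` to match them. Separately, `gnome_exec_gconf` uses `can_exec`, which runs gconfd in the caller's own domain with none of gconfd_t's confinement, and its summary currently reads "in / in the caller domain"; I would replace it with `## Execute gconf programs in the caller domain (no transition to gconfd_t; prefer gnome_domtrans_gconfd for confined callers).` `gnome_manage_gconf_config` hands out write access to the system-wide gconf defaults under /etc/gconf, which shape settings for every account, so its summary deserves a sentence noting it is intended for installer/administrative domains only. The gconf connection template that follows continues outside the hunk.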
@@ -74,6 +132,45 @@ interface(`gnome_domtrans_gconfd',`
########################################
## <summary>
+## Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`gnome_read_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ read_files_pattern($1, gnome_home_t, gnome_home_t)
+ read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
## manage gnome homedir content (.config)
## </summary>
## <param name="user_domain">
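Review bot: `gnome_read_config` grants list/read on gnome_home_t but no search permission on the user's home directory, so a caller cannot actually reach `~/.config` or `~/.gnome2` unless it already holds that access from elsewhere; `userdom_search_user_home_dirs($1)` should be added after the read_lnk_files_pattern line. The `files_search_home($1)` used by `gnome_setattr_config_dirs` does not fill that gap either, since in refpolicy it only covers the home root directory rather than the user's own home dir. `gnome_read_config` is also declared `template(` with a `user_domain` parameter although it derives no types; `interface(` with `<param name="domain">` matches the rest of the file. The gnome_manage_config definition that follows runs past the end of the hunk.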
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 4bebd9d..35f7486 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.0.0)
+policy_module(gnome, 2.0.1)
##############################
#
@@ -8,16 +8,18 @@ policy_module(gnome, 2.0.0)
attribute gnomedomain;
type gconf_etc_t;
-files_type(gconf_etc_t)
+files_config_file(gconf_etc_t)
type gconf_home_t;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
userdom_user_home_content(gconf_home_t)
type gconf_tmp_t;
typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
files_tmp_file(gconf_tmp_t)
ubac_constrained(gconf_tmp_t)
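Review bot: Switching gconf_etc_t from `files_type` to `files_config_file` attaches it to the generic configuration-file attribute, so every interface keyed on that attribute, not only the gnome-specific ones, now reaches /etc/gconf; since the defaults and mandatory settings stored there apply to every user's session, that widening is worth confirming and recording. A comment on the type declaration such as `# system-wide gconf defaults/mandatory settings; config-file attribute exposes it to generic config readers` would make the intent explicit. The added `unconfined_*` typealiases are backward-compatibility only and look fine.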
@@ -31,6 +33,7 @@ ubac_constrained(gconfd_t)
type gnome_home_t;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
##############################