[selinux-policy: 2812/3172] Part of gnome patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:10:18 UTC 2010


commit ab8f919e6f741b82a403be1bb9d5cdb443ae9c00
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Aug 12 09:21:36 2010 -0400

    Part of gnome patch from Dan Walsh.

 policy/modules/apps/gnome.fc |    1 +
 policy/modules/apps/gnome.if |   97 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/gnome.te |    7 ++-
 3 files changed, 103 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index 223a9d1..00a19e3 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 
 /etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
 
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index b7bcad4..f5afe78 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -37,6 +37,64 @@ interface(`gnome_role',`
 
 ########################################
 ## <summary>
+##	Execute gconf programs in
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+	gen_require(`
+		type gconfd_exec_t;
+	')
+
+	can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+##	Read gconf config files.
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`gnome_read_gconf_config',`
+	gen_require(`
+		type gconf_etc_t;
+	')
+
+	allow $1 gconf_etc_t:dir list_dir_perms;
+	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+	files_search_etc($1)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete gconf config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+	gen_require(`
+		type gconf_etc_t;
+	')
+
+	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
 ##	gconf connection template.
 ## </summary>
 ## <param name="user_domain">
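Review bot: `gnome_read_gconf_config` is declared with `template(` although, like its siblings `gnome_exec_gconf` and `gnome_manage_gconf_config`, it takes only a domain and derives nothing per-user, so it should read `interface(`gnome_read_gconf_config',`` and its `## <param name="user_domain">` should be `## <param name="domain">`; the same template/interface mismatch applies to `gnome_read_config` in the next hunk. The `gnome_exec_gconf` summary repeats "in" and should read `##	Execute gconf programs in the caller domain.`. For consistency with `gnome_read_config` below, the bare `allow $1 gconf_etc_t:dir list_dir_perms;` could be written as `list_dirs_pattern($1, gconf_etc_t, gconf_etc_t)`. Since `gnome_manage_gconf_config` grants write and delete on system-wide gconf configuration under /etc, its summary would benefit from a sentence stating which domains are expected to call it (presumably the gconf daemon or administrative tooling rather than ordinary user applications), so that future callers are reviewed against that intent.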
@@ -74,6 +132,45 @@ interface(`gnome_domtrans_gconfd',`
 
 ########################################
 ## <summary>
+##	Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
+##	Read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`gnome_read_config',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	read_files_pattern($1, gnome_home_t, gnome_home_t)
+	read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
 ##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="user_domain">
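Review bot: `gnome_read_config` grants list/read on `gnome_home_t` but, unlike `gnome_setattr_config_dirs` directly above, includes no search permission on the enclosing directories, so a caller relying on this template alone will presumably still be denied traversing the user home directory to reach the labelled content. Adding `userdom_search_user_home_dirs($1)` would close that gap; note that the `files_search_home($1)` used by `gnome_setattr_config_dirs` presumably only covers the home root, not the per-user home directory, so that interface may have the same issue and is worth confirming. The summary `Read gnome homedir content (.config)` copies the manage template's wording; since the .fc hunk now also labels `~/.gnome2` as `gnome_home_t`, a comment such as `## Read gnome homedir content (.config, .gnome2)` would keep the documentation accurate.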
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 4bebd9d..35f7486 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.0.0)
+policy_module(gnome, 2.0.1)
 
 ##############################
 #
@@ -8,16 +8,18 @@ policy_module(gnome, 2.0.0)
 attribute gnomedomain;
 
 type gconf_etc_t;
-files_type(gconf_etc_t)
+files_config_file(gconf_etc_t)
 
 type gconf_home_t;
 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
 typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
 userdom_user_home_content(gconf_home_t)
 
 type gconf_tmp_t;
 typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
 typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
 files_tmp_file(gconf_tmp_t)
 ubac_constrained(gconf_tmp_t)
 
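Review bot: Changing `gconf_etc_t` from `files_type` to `files_config_file` at the `files_config_file(gconf_etc_t)` line widens access, not just classification: every domain already granted read on the config-file attribute (presumably via the generic config-file read interfaces in the files module) will now be able to read gconf's /etc content without any gnome interface being called. That is likely the intent for a system-wide config tree, but the commit message does not say so; a comment such as `# config file: readable by any domain with generic config read access` next to the declaration would make the decision reviewable later. The added `unconfined_*` typealiases only carry legacy names forward and need no further change.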
@@ -31,6 +33,7 @@ ubac_constrained(gconfd_t)
 type gnome_home_t;
 typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
 typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
 userdom_user_home_content(gnome_home_t)
 
 ##############################

