selinux-policy/policy/modules/apps/gnome.if

191 lines
3.8 KiB
Plaintext
Raw Normal View History

This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## <summary>GNU network object model environment (GNOME)</summary>
2008-11-05 16:10:46 +00:00
############################################################
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## <summary>
2008-11-05 16:10:46 +00:00
## Role access for gnome
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## </summary>
2008-11-05 16:10:46 +00:00
## <param name="role">
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## <summary>
2008-11-05 16:10:46 +00:00
## Role allowed access
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## </summary>
## </param>
2008-11-05 16:10:46 +00:00
## <param name="domain">
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## <summary>
2008-11-05 16:10:46 +00:00
## User domain for the role
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## </summary>
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`gnome_role',`
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
type gconfd_t, gconfd_exec_t;
type gconf_tmp_t;
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
')
2008-11-05 16:10:46 +00:00
role $1 types gconfd_t;
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
2008-11-05 16:10:46 +00:00
domain_auto_trans($2, gconfd_exec_t, gconfd_t)
allow gconfd_t $2:fd use;
allow gconfd_t $2:fifo_file write;
allow gconfd_t $2:unix_stream_socket connectto;
2008-11-05 16:10:46 +00:00
ps_process_pattern($2, gconfd_t)
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
2008-11-05 16:10:46 +00:00
#gnome_stream_connect_gconf_template($1, $2)
read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
allow $2 gconfd_t:unix_stream_socket connectto;
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
')
2008-10-17 15:52:39 +00:00
2010-08-12 13:21:36 +00:00
########################################
## <summary>
## Execute gconf programs in
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_exec_gconf',`
gen_require(`
type gconfd_exec_t;
')
can_exec($1, gconfd_exec_t)
')
########################################
## <summary>
## Read gconf config files.
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`gnome_read_gconf_config',`
gen_require(`
type gconf_etc_t;
')
allow $1 gconf_etc_t:dir list_dir_perms;
read_files_pattern($1, gconf_etc_t, gconf_etc_t)
files_search_etc($1)
')
#######################################
## <summary>
## Create, read, write, and delete gconf config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
gen_require(`
type gconf_etc_t;
')
manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
files_search_etc($1)
')
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
########################################
## <summary>
## gconf connection template.
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
## </summary>
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`gnome_stream_connect_gconf',`
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
type gconfd_t, gconf_tmp_t;
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
')
2008-11-05 16:10:46 +00:00
read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
allow $1 gconfd_t:unix_stream_socket connectto;
')
########################################
## <summary>
2008-11-05 16:10:46 +00:00
## Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`gnome_domtrans_gconfd',`
gen_require(`
2008-11-05 16:10:46 +00:00
type gconfd_t, gconfd_exec_t;
')
2008-11-05 16:10:46 +00:00
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
2010-08-12 13:21:36 +00:00
########################################
## <summary>
## Set attributes of Gnome config dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_setattr_config_dirs',`
gen_require(`
type gnome_home_t;
')
setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
files_search_home($1)
')
########################################
## <summary>
## Read gnome homedir content (.config)
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`gnome_read_config',`
gen_require(`
type gnome_home_t;
')
list_dirs_pattern($1, gnome_home_t, gnome_home_t)
read_files_pattern($1, gnome_home_t, gnome_home_t)
read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
')
########################################
## <summary>
## manage gnome homedir content (.config)
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`gnome_manage_config',`
gen_require(`
2008-11-05 16:10:46 +00:00
type gnome_home_t;
')
2008-11-05 16:10:46 +00:00
allow $1 gnome_home_t:dir manage_dir_perms;
allow $1 gnome_home_t:file manage_file_perms;
userdom_search_user_home_dirs($1)
This patch adds a GConf policy to refpolicy. This policy is much tighter than the GConf policy from the old example policy. It only allows gconfd to access configuration data stored by GConf. Users can modify configuration data using gconftool-2 or gconf-editor, both of which use gconfd. GConf manages multiple configuration sources, so gconfd should be used to make any changes anyway. Normal users who aren't trying to directly edit the configuration data of GConf won't notice anything different. There is also a difference between this policy and the old example policy in handling directories in /tmp. The old example policy labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no use of the file_type_auto_trans macro, if that directory was deleted gconfd would create one labeled as tmp_t. This policy uses the files_tmp-filetrans macro to cause a directory in /tmp created by gconfd to be labeled as $1_tmp_t. It is not labeled with $1_gconf_tmp_t, because if /tmp/orbit-USER is deleted, gconfd will create it (through use of ORBit) and it would get the $1_gconf_tmp_t label. By having gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and directories in directories labeled with $1_tmp_t, it can control its data without requiring any future bonobo or Gnome policies to have access to $1_gconf_tmp_t. This patch is related to work that I am doing in making gconfd an userspace object manager. If any user program can modify the configuration data that GConf stores, than making gconfd an userspace object manager would be useless. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
')