Part of gnome patch from Dan Walsh.
parent
a9539a063b
commit
ab8f919e6f
@ -1,5 +1,6 @@
|
||||
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
|
||||
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
||||
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
||||
|
||||
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
|
||||
|
||||
|
@ -35,6 +35,64 @@ interface(`gnome_role',`
|
||||
allow $2 gconfd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute gconf programs in
|
||||
## in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`gnome_exec_gconf',`
|
||||
gen_require(`
|
||||
type gconfd_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1, gconfd_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read gconf config files.
|
||||
## </summary>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gnome_read_gconf_config',`
|
||||
gen_require(`
|
||||
type gconf_etc_t;
|
||||
')
|
||||
|
||||
allow $1 gconf_etc_t:dir list_dir_perms;
|
||||
read_files_pattern($1, gconf_etc_t, gconf_etc_t)
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete gconf config files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`gnome_manage_gconf_config',`
|
||||
gen_require(`
|
||||
type gconf_etc_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## gconf connection template.
|
||||
@ -72,6 +130,45 @@ interface(`gnome_domtrans_gconfd',`
|
||||
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set attributes of Gnome config dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`gnome_setattr_config_dirs',`
|
||||
gen_require(`
|
||||
type gnome_home_t;
|
||||
')
|
||||
|
||||
setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read gnome homedir content (.config)
|
||||
## </summary>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gnome_read_config',`
|
||||
gen_require(`
|
||||
type gnome_home_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, gnome_home_t, gnome_home_t)
|
||||
read_files_pattern($1, gnome_home_t, gnome_home_t)
|
||||
read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## manage gnome homedir content (.config)
|
||||
|
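Review bot: gnome_manage_gconf_config gives the calling domain create, write and delete access to every file labelled gconf_etc_t, which the file-context entry in this commit maps to /etc/gconf(/.*)?, yet its summary does not say that this is system-wide configuration rather than per-user data. I would add a `## <desc>` paragraph under the summary stating that the type covers the system gconf tree and that the interface is meant for domains that administer it; callers that only need to read should use gnome_read_gconf_config. Separately, gnome_read_gconf_config and gnome_read_config are declared with `template(` and name their parameter `user_domain`, although they declare no types and take a single domain like the neighbouring blocks; `interface(` with `<param name="domain">` would match the rest of the file. The gnome_exec_gconf summary also repeats a word: `## Execute gconf programs in` is followed by `## in the caller domain.`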
@ -1,4 +1,4 @@
|
||||
policy_module(gnome, 2.0.0)
|
||||
policy_module(gnome, 2.0.1)
|
||||
|
||||
##############################
|
||||
#
|
||||
@ -8,16 +8,18 @@ policy_module(gnome, 2.0.0)
|
||||
attribute gnomedomain;
|
||||
|
||||
type gconf_etc_t;
|
||||
files_type(gconf_etc_t)
|
||||
files_config_file(gconf_etc_t)
|
||||
|
||||
type gconf_home_t;
|
||||
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
|
||||
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
|
||||
typealias gconf_home_t alias unconfined_gconf_home_t;
|
||||
userdom_user_home_content(gconf_home_t)
|
||||
|
||||
type gconf_tmp_t;
|
||||
typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
|
||||
typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
|
||||
typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
|
||||
files_tmp_file(gconf_tmp_t)
|
||||
ubac_constrained(gconf_tmp_t)
|
||||
|
||||
@ -31,6 +33,7 @@ ubac_constrained(gconfd_t)
|
||||
type gnome_home_t;
|
||||
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
|
||||
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
|
||||
typealias gnome_home_t alias unconfined_gnome_home_t;
|
||||
userdom_user_home_content(gnome_home_t)
|
||||
|
||||
##############################
|
||||
|
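Review bot: Both `files_type(gconf_etc_t)` and `files_config_file(gconf_etc_t)` appear in this section with their +/- markers lost, so which one is new cannot be read from the page. If `files_config_file` is the new line, gconf_etc_t joins the config-file attribute, and any domain already granted an attribute-wide interface such as files_manage_config_files gains the same access to /etc/gconf. That widening deserves a one-line comment above the declaration, for example `# config file: also reachable through the files_*_config_files() interfaces`, and a check of which domains call those interfaces before the change is merged.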