policy for nsplugin

######################################## ##

## Create, read, write, and delete ## nsplugin rw files. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_manage_rw_files',` gen_require(` type nsplugin_rw_t; ') allow $1 nsplugin_rw_t:file manage_file_perms; allow $1 nsplugin_rw_t:dir rw_dir_perms; ') ######################################## ##

## Manage nsplugin rw files. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_manage_rw',` gen_require(` type nsplugin_rw_t; ') manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ') ####################################### ##

## The per role template for the nsplugin module. ##

## ##

## This template creates a derived domains which are used ## for nsplugin web browser. ##

## This template is invoked automatically for each user, and ## generally does not need to be invoked directly ## by policy writers. ##

## ## ##

## The role associated with the user domain. ##

## ##

## The type of the user domain. ##

## ## # interface(`nsplugin_role_notrans',` gen_require(` type nsplugin_rw_t; type nsplugin_home_t; type nsplugin_exec_t; type nsplugin_config_exec_t; type nsplugin_t; type nsplugin_config_t; class x_drawable all_x_drawable_perms; class x_resource all_x_resource_perms; class dbus send_msg; ') role $1 types nsplugin_t; role $1 types nsplugin_config_t; allow nsplugin_t $2:process signull; allow nsplugin_t $2:dbus send_msg; allow $2 nsplugin_t:dbus send_msg; list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) can_exec($2, nsplugin_rw_t) #Leaked File Descriptors ifdef(`hide_broken_symptoms', ` dontaudit nsplugin_t $2:socket_class_set { read write }; dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms; dontaudit nsplugin_config_t $2:socket_class_set { read write }; dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms; ') allow nsplugin_t $2:unix_stream_socket connectto; dontaudit nsplugin_t $2:process ptrace; allow nsplugin_t $2:sem rw_sem_perms; allow nsplugin_t $2:shm rw_shm_perms; dontaudit nsplugin_t $2:shm destroy; allow $2 nsplugin_t:sem rw_sem_perms; allow $2 nsplugin_t:process { getattr ptrace signal_perms }; allow $2 nsplugin_t:unix_stream_socket connectto; # Connect to pulseaudit server stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) gnome_stream_connect(nsplugin_t, $2) userdom_use_user_terminals(nsplugin_t) userdom_use_user_terminals(nsplugin_config_t) userdom_dontaudit_setattr_user_home_content_files(nsplugin_t) userdom_manage_tmpfs_role($1, nsplugin_t) optional_policy(` pulseaudio_role($1, nsplugin_t) ') ') ####################################### ##

## Role access for nsplugin ##

## ##

## The prefix of the user domain (e.g., user ## is the prefix for user_t). ##

## ## ##

## The role associated with the user domain. ##

## ## ##

## The type of the user domain. ##

## # interface(`nsplugin_role',` gen_require(` type nsplugin_exec_t; type nsplugin_config_exec_t; type nsplugin_t; type nsplugin_config_t; ') nsplugin_role_notrans($1, $2) domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) ') ####################################### ##

## The per role template for the nsplugin module. ##

## ##

## The type of the user domain. ##

## # interface(`nsplugin_domtrans',` gen_require(` type nsplugin_exec_t; type nsplugin_t; ') domtrans_pattern($1, nsplugin_exec_t, nsplugin_t) allow $1 nsplugin_t:unix_stream_socket connectto; allow nsplugin_t $1:process signal; ') ####################################### ##

## The per role template for the nsplugin module. ##

## ##

## The type of the user domain. ##

## # interface(`nsplugin_domtrans_config',` gen_require(` type nsplugin_config_exec_t; type nsplugin_config_t; ') domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t) ') ######################################## ##

## Search nsplugin rw directories. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_search_rw_dir',` gen_require(` type nsplugin_rw_t; ') allow $1 nsplugin_rw_t:dir search_dir_perms; ') ######################################## ##

## Read nsplugin rw files. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_read_rw_files',` gen_require(` type nsplugin_rw_t; ') list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ') ######################################## ##

## Read nsplugin home files. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_read_home',` gen_require(` type nsplugin_home_t; ') list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) read_files_pattern($1, nsplugin_home_t, nsplugin_home_t) read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t) ') ######################################## ##

## Exec nsplugin rw files. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_rw_exec',` gen_require(` type nsplugin_rw_t; ') can_exec($1, nsplugin_rw_t) ') ######################################## ##

## Create, read, write, and delete ## nsplugin home files. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_manage_home_files',` gen_require(` type nsplugin_home_t; ') manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) ') ######################################## ##

## Allow attempts to read and write to ## nsplugin named pipes. ##

## ##

## Domain to not audit. ##

## # interface(`nsplugin_rw_pipes',` gen_require(` type nsplugin_home_t; ') allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; ') ######################################## ##

## Read and write to nsplugin shared memory. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_rw_shm',` gen_require(` type nsplugin_t; ') allow $1 nsplugin_t:shm rw_shm_perms; ') ##################################### ##

## Allow read and write access to nsplugin semaphores. ##

## ##

## Domain allowed access. ##

## # interface(`nsplugin_rw_semaphores',` gen_require(` type nsplugin_t; ') allow $1 nsplugin_t:sem rw_sem_perms; ') ######################################## ##

## Execute nsplugin_exec_t ## in the specified domain. ##

## ##

## Execute a nsplugin_exec_t ## in the specified domain. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## ## ##

## Domain allowed access. ##

## ## ##

## The type of the new process. ##

## # interface(`nsplugin_exec_domtrans',` gen_require(` type nsplugin_exec_t; ') allow $2 nsplugin_exec_t:file entrypoint; domtrans_pattern($1, nsplugin_exec_t, $2) ')