selinux-policy/policy/modules/system
Chris PeBenito 00219064d7 This patch adds a GConf policy to refpolicy.
This policy is much tighter than the GConf policy from the old example
policy.  It only allows gconfd to access configuration data stored by
GConf.  Users can modify configuration data using gconftool-2 or
gconf-editor, both of which use gconfd.  GConf manages multiple
configuration sources, so gconfd should be used to make any changes
anyway.  Normal users who aren't trying to directly edit the
configuration data of GConf won't notice anything different.

There is also a difference between this policy and the old example
policy in handling directories in /tmp.  The old example policy
labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no
use of the file_type_auto_trans macro, if that directory was deleted
gconfd would create one labeled as tmp_t.  This policy uses the
files_tmp-filetrans macro to cause a directory in /tmp created by gconfd
to be labeled as $1_tmp_t.  It is not labeled with $1_gconf_tmp_t,
because if /tmp/orbit-USER is deleted, gconfd will create it (through
use of ORBit) and it would get the $1_gconf_tmp_t label.  By having
gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and
directories in directories labeled with $1_tmp_t, it can control its
data without requiring any future bonobo or Gnome policies to have
access to $1_gconf_tmp_t.

This patch is related to work that I am doing in making gconfd a
userspace object manager.  If any user program can modify the
configuration data that GConf stores, then making gconfd a userspace
object manager would be useless.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
authlogin.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
authlogin.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
authlogin.te patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
clock.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
clock.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
clock.te more testing fixes 2006-08-28 02:46:20 +00:00
daemontools.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
daemontools.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
daemontools.te remove extra level of directory 2006-07-12 20:32:27 +00:00
fstools.fc patch from erich Sat, 02 Sep 2006 03:37:44 +0200 2006-09-04 18:22:12 +00:00
fstools.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
fstools.te patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
getty.fc patch from dan Wed, 26 Jul 2006 14:42:46 -0400 2006-07-28 15:13:58 +00:00
getty.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
getty.te gentoo testing fixes 2006-09-19 17:02:29 +00:00
hostname.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
hostname.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
hostname.te patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
hotplug.fc patch to fix escaping of . in file contexts from james athey 2006-07-24 15:43:57 +00:00
hotplug.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
hotplug.te patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
init.fc more strict testing fixes 2006-08-23 19:36:04 +00:00
init.if patch from dan Fri, 22 Sep 2006 16:30:34 -0400 2006-09-25 18:53:06 +00:00
init.te patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
ipsec.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
ipsec.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
ipsec.te remove extra level of directory 2006-07-12 20:32:27 +00:00
iptables.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
iptables.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
iptables.te remove extra level of directory 2006-07-12 20:32:27 +00:00
libraries.fc patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
libraries.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
libraries.te patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
locallogin.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
locallogin.if remove extra level of directory 2006-07-12 20:32:27 +00:00
locallogin.te patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
logging.fc patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
logging.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
logging.te patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
lvm.fc patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
lvm.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
lvm.te patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
metadata.xml remove extra level of directory 2006-07-12 20:32:27 +00:00
miscfiles.fc fix up usb.ids per distro 2006-09-05 14:31:27 +00:00
miscfiles.if fix miscfiles_read_localization() 2006-09-13 18:08:17 +00:00
miscfiles.te fix miscfiles_read_localization() 2006-09-13 18:08:17 +00:00
modutils.fc testing fixes 2006-08-18 18:20:22 +00:00
modutils.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
modutils.te gentoo testing fixes 2006-09-19 17:02:29 +00:00
mount.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
mount.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
mount.te misc fixes 2006-09-13 14:23:04 +00:00
pcmcia.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
pcmcia.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
pcmcia.te remove extra level of directory 2006-07-12 20:32:27 +00:00
raid.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
raid.if remove extra level of directory 2006-07-12 20:32:27 +00:00
raid.te patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
selinuxutil.fc patch from erich Sat, 02 Sep 2006 03:37:44 +0200 2006-09-04 18:22:12 +00:00
selinuxutil.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
selinuxutil.te patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
setrans.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
setrans.if remove extra level of directory 2006-07-12 20:32:27 +00:00
setrans.te patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
sysnetwork.fc more strict testing fixes 2006-08-23 19:36:04 +00:00
sysnetwork.if add main part of role-o-matic 2006-09-06 22:07:25 +00:00
sysnetwork.te more strict testing fixes 2006-08-23 19:36:04 +00:00
udev.fc patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
udev.if remove extra level of directory 2006-07-12 20:32:27 +00:00
udev.te patch from dan Fri, 22 Sep 2006 16:30:34 -0400 2006-09-25 18:53:06 +00:00
unconfined.fc patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
unconfined.if patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
unconfined.te patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
userdomain.fc This patch adds a GConf policy to refpolicy. 2006-10-02 15:22:48 +00:00
userdomain.if This patch adds a GConf policy to refpolicy. 2006-10-02 15:22:48 +00:00
userdomain.te This patch adds a GConf policy to refpolicy. 2006-10-02 15:22:48 +00:00
xen.fc patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
xen.if patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
xen.te patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00