From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v3 07/19] Enhance telepathy domains with XDG privilege sets
Date: Sun, 25 Mar 2018 13:57:02 +0200
Message-ID: <20180325115714.5610-8-sven.vermeulen@siphos.be>
In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be>

The telepathy domain already had some support for the XDG-style
locations (cache, config and data). In this patch the rules are updated
to use the XDG-style approach (naming) as well as include the necessary
file transitions.

Changes since v2:
 - Add telepathy_mission_control_home_t as required type in the role
   declaration

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 telepathy.fc | 18 ++++++++--------
 telepathy.if | 25 +++++++++++-----------
 telepathy.te | 70 ++++++++++++++++++++++++++++++------------------------------
 3 files changed, 57 insertions(+), 56 deletions(-)

diff --git a/telepathy.fc b/telepathy.fc
index 6c7f8f8..4600d81 100644
--- a/telepathy.fc
+++ b/telepathy.fc
@@ -1,14 +1,14 @@
-HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/logger(/.*)?	gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.cache/wocky(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/logger(/.*)?	gen_context(system_u:object_r:telepathy_logger_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
+HOME_DIR/\.cache/wocky(/.*)?	gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
 HOME_DIR/\.mission-control(/.*)?	gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
-HOME_DIR/\.local/share/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_data_home_t,s0)
-HOME_DIR/\.local/share/telepathy/mission-control(/.*)?	gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_xdg_data_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)?	gen_context(system_u:object_r:telepathy_mission_control_xdg_data_t,s0)
 HOME_DIR/\.telepathy-sunshine(/.*)?	gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
-HOME_DIR/\.local/share/TpLogger(/.*)?	gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+HOME_DIR/\.local/share/TpLogger(/.*)?	gen_context(system_u:object_r:telepathy_logger_xdg_data_t,s0)
 
 /usr/lib/telepathy/mission-control-5	--	gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
 /usr/lib/telepathy/telepathy-butterfly	--	gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
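Review bot: The rewritten entries for `HOME_DIR/\.cache/telepathy(/.*)?` and `HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?` keep the `, s0` form with a space inside gen_context(), while every other entry in this hunk uses `,s0`. Both lines are being touched anyway, so normalise them to `,s0` to keep the file consistent.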
diff --git a/telepathy.if b/telepathy.if
index 2a11a70..d81dc19 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -68,9 +68,10 @@ template(`telepathy_role_template',`
 		type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
 		type telepathy_msn_exec_t;
 
-		type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
-		type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
-		type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
+		type telepathy_mission_control_xdg_cache_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t;
+		type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t;
+		type telepathy_mission_control_xdg_data_t, telepathy_sunshine_home_t, telepathy_logger_xdg_data_t;
+		type telepathy_mission_control_home_t;
 	')
 
 	role $2 types telepathy_domain;
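Review bot: In the gen_require block, the second replaced line turns `telepathy_mission_control_home_t` into `telepathy_mission_control_t`, which telepathy.te uses as a domain type and which is not one of the XDG renames; the v3 change then re-adds `telepathy_mission_control_home_t` on a line of its own. This looks like a search-and-replace slip. Restoring `telepathy_mission_control_home_t` in its original position and dropping the extra `type` line would keep the require list minimal and the diff a pure rename.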
@@ -92,22 +93,22 @@ template(`telepathy_role_template',`
 	dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t)
 	dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t)
 
-	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+	allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:dir { manage_dir_perms relabel_dir_perms };
+	allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };
+	allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };
 
-	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
-	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
-	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
+	allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:file { manage_file_perms relabel_file_perms };
+	allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:file { manage_file_perms relabel_file_perms };
+	allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:file { manage_file_perms relabel_file_perms };
 
-	filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+	filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
 	# gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
 
-	filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+	filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
 	# gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
 
 	userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
-	filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+	filetrans_pattern($3, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
 	# gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
 
 	userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
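Review bot: The commented-out gnome_cache_filetrans() and gnome_data_filetrans() lines in this template still name the old types (`telepathy_gabble_cache_home_t`, `telepathy_logger_data_home_t`, `telepathy_mission_control_cache_home_t`), whereas the matching comments in telepathy.te are renamed by this patch. Either update them to the `_xdg_cache_t` / `_xdg_data_t` names or, since telepathy.te now calls xdg_cache_filetrans() and xdg_data_filetrans(), replace them with live transitions for $3.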
diff --git a/telepathy.te b/telepathy.te
index f1bee7f..5a05159 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -27,34 +27,34 @@ attribute telepathy_tmp_content;
 
 telepathy_domain_template(gabble)
 
-type telepathy_cache_home_t;
-userdom_user_home_content(telepathy_cache_home_t)
+type telepathy_xdg_cache_t alias telepathy_cache_home_t;
+xdg_cache_content(telepathy_xdg_cache_t)
 
-type telepathy_gabble_cache_home_t;
-userdom_user_home_content(telepathy_gabble_cache_home_t)
+type telepathy_gabble_xdg_cache_t alias telepathy_gabble_cache_home_t;
+xdg_cache_content(telepathy_gabble_xdg_cache_t)
 
 telepathy_domain_template(idle)
 telepathy_domain_template(logger)
 
-type telepathy_data_home_t;
-userdom_user_home_content(telepathy_data_home_t)
+type telepathy_xdg_data_t alias telepathy_data_home_t;
+xdg_data_content(telepathy_xdg_data_t)
 
-type telepathy_logger_cache_home_t;
-userdom_user_home_content(telepathy_logger_cache_home_t)
+type telepathy_logger_xdg_cache_t alias telepathy_logger_cache_home_t;
+xdg_cache_content(telepathy_logger_xdg_cache_t)
 
-type telepathy_logger_data_home_t;
-userdom_user_home_content(telepathy_logger_data_home_t)
+type telepathy_logger_xdg_data_t alias telepathy_logger_data_home_t;
+xdg_data_content(telepathy_logger_xdg_data_t)
 
 telepathy_domain_template(mission_control)
 
 type telepathy_mission_control_home_t;
 userdom_user_home_content(telepathy_mission_control_home_t)
 
-type telepathy_mission_control_data_home_t;
-userdom_user_home_content(telepathy_mission_control_data_home_t)
+type telepathy_mission_control_xdg_data_t alias telepathy_mission_control_data_home_t;
+xdg_data_content(telepathy_mission_control_xdg_data_t)
 
-type telepathy_mission_control_cache_home_t;
-userdom_user_home_content(telepathy_mission_control_cache_home_t)
+type telepathy_mission_control_xdg_cache_t alias telepathy_mission_control_cache_home_t;
+xdg_cache_content(telepathy_mission_control_xdg_cache_t)
 
 telepathy_domain_template(msn)
 telepathy_domain_template(salut)
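Review bot: Each renamed type here is declared with `alias` pointing at its previous `*_cache_home_t` or `*_data_home_t` name, but the commit message does not mention it. A sentence stating that the old names remain available as aliases would tell maintainers of policy that still references them whether they need to change anything.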
@@ -74,10 +74,10 @@ allow telepathy_gabble_t self:tcp_socket { accept listen };
 allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
 
 # ~/.cache/telepathy/gabble/caps-cache.db-journal
-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+filetrans_pattern(telepathy_gabble_t, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
+# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")
 
 manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
 manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
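Review bot: The `wocky` transition at the end of the changed block is renamed to `telepathy_gabble_xdg_cache_t` but is still commented out and still calls gnome_cache_filetrans(). telepathy.fc labels `HOME_DIR/\.cache/wocky(/.*)?` with that type, and no rule in this hunk gives a directory that telepathy_gabble_t creates there that label. Consider `xdg_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")`, the form this patch already uses for the `telepathy` directory.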
@@ -179,13 +179,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
 
 allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
 
-manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+filetrans_pattern(telepathy_logger_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
 
-manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
-manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger")
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_xdg_data_t, dir, "TpLogger")
 
 files_read_usr_files(telepathy_logger_t)
 files_search_pids(telepathy_logger_t)
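Review bot: The `TpLogger` line is renamed to `telepathy_logger_xdg_data_t` yet remains a commented gnome_data_filetrans() call, while telepathy.fc expects `HOME_DIR/\.local/share/TpLogger(/.*)?` to carry that type. An active `xdg_data_filetrans(telepathy_logger_t, telepathy_logger_xdg_data_t, dir, "TpLogger")` would make the label assigned at creation match the file context.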
@@ -216,15 +216,15 @@ manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_
 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
 userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
 
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+filetrans_pattern(telepathy_mission_control_t, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
 
-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, telepathy_mission_control_xdg_cache_t)
+# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, file, ".mc_connections")
 
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
 
 dev_read_rand(telepathy_mission_control_t)
 
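Review bot: For `.mc_connections`, telepathy_mission_control_t gets only manage_files_pattern() on `telepathy_mission_control_xdg_cache_t`, and the named transition stays commented out. telepathy.fc places that file directly in `HOME_DIR/\.cache`, so nothing in this hunk assigns the type when the domain creates the file. Enabling the line as `xdg_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, file, ".mc_connections")` would close that gap.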
@@ -461,11 +461,11 @@ optional_policy(`
 allow telepathy_domain self:process { getsched signal sigkill };
 allow telepathy_domain self:fifo_file rw_fifo_file_perms;
 
-manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_cache_t, telepathy_xdg_cache_t)
+xdg_cache_filetrans(telepathy_domain, telepathy_xdg_cache_t, dir, "telepathy")
 
-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_data_t, telepathy_xdg_data_t)
+xdg_data_filetrans(telepathy_domain, telepathy_xdg_data_t, dir, "telepathy")
 
 dev_read_urand(telepathy_domain)
 
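Review bot: telepathy_domain gets manage_dirs_pattern() and a named transition for the `telepathy` directory in both the cache and data locations, but no manage_files_pattern() on `telepathy_xdg_cache_t` or `telepathy_xdg_data_t`. Nothing in this hunk allows a telepathy domain to write a file directly into that directory rather than into a per-component subdirectory. If that is intentional, a one-line comment above each block saying so would save the next reader from asking.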
-- 
2.16.1
