[refpolicy] [PATCH v2 1/2] Support the console/graphical links browser

Sven Vermeulen sven.vermeulen at siphos.be
Sun Nov 13 03:37:51 CST 2011


Introduce the links_t domain for the links browser, which is an
ncurses/svgalib/X11 browser (so it supports both command-line-only
and GUI environments).

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 links.fc |    6 +++++
 links.if |   36 +++++++++++++++++++++++++++++++++++
 links.te |   63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 0 deletions(-)
 create mode 100644 links.fc
 create mode 100644 links.if
 create mode 100644 links.te

diff --git a/links.fc b/links.fc
new file mode 100644
index 0000000..5749b58
--- /dev/null
+++ b/links.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.links(/.*)?    gen_context(system_u:object_r:links_home_t,s0)
+
+# 
+# /usr
+#
+/usr/bin/links         -- gen_context(system_u:object_r:links_exec_t,s0)
diff --git a/links.if b/links.if
new file mode 100644
index 0000000..bf3e20a
--- /dev/null
+++ b/links.if
@@ -0,0 +1,36 @@
+## <summary>Links web browser</summary>
+
+#######################################
+## <summary>
+##      The role interface for the links module.
+## </summary>
+## <param name="user_role">
+##      <summary>
+##      The role associated with the user domain.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##      The type of the user domain.
+##      </summary>
+## </param>
+#
+interface(`links_role',`
+	gen_require(`
+		type links_t, links_exec_t, links_tmpfs_t, links_home_t;
+	')
+
+	role $1 types links_t;
+
+	manage_dirs_pattern($2, links_home_t, links_home_t)
+	manage_files_pattern($2, links_home_t, links_home_t)
+	manage_lnk_files_pattern($2, links_home_t, links_home_t)
+
+	relabel_dirs_pattern($2, links_home_t, links_home_t)
+	relabel_files_pattern($2, links_home_t, links_home_t)
+	relabel_lnk_files_pattern($2, links_home_t, links_home_t)
+
+	domtrans_pattern($2, links_exec_t, links_t)
+
+	ps_process_pattern($2, links_t)
+')	
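Review bot: `links_role` lists `links_tmpfs_t` in its `gen_require` block but never references it in the interface body, so the require can be trimmed to `type links_t, links_exec_t, links_home_t;`. The interface lets the user domain see links_t processes through `ps_process_pattern` but grants no signal permission. If users are meant to stop a misbehaving browser from their shell, a line such as `allow $2 links_t:process signal_perms;` is probably wanted; check how other browser role interfaces in the tree handle this. The closing `')` line also carries a trailing tab.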
diff --git a/links.te b/links.te
new file mode 100644
index 0000000..7c9d03f
--- /dev/null
+++ b/links.te
@@ -0,0 +1,63 @@
+policy_module(links, 1.0.0)
+
+############################
+# 
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow links to manage files in users home directories (download files)
+## </p>
+## </desc>
+gen_tunable(links_manage_user_files, false)
+
+type links_t;
+type links_exec_t;
+userdom_user_application_domain(links_t, links_exec_t)
+
+type links_home_t;
+userdom_user_home_content(links_home_t)
+
+type links_tmpfs_t;
+userdom_user_tmpfs_file(links_tmpfs_t)
+
+############################
+#
+# Policy
+#
+
+allow links_t self:process signal_perms;
+allow links_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(links_t, links_home_t, links_home_t)
+manage_files_pattern(links_t, links_home_t, links_home_t)
+manage_lnk_files_pattern(links_t, links_home_t, links_home_t)
+manage_sock_files_pattern(links_t, links_home_t, links_home_t)
+manage_fifo_files_pattern(links_t, links_home_t, links_home_t)
+userdom_user_home_dir_filetrans(links_t, links_home_t, dir)
+
+manage_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_lnk_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_fifo_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_sock_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+fs_tmpfs_filetrans(links_t, links_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+corenet_tcp_connect_http_port(links_t)
+
+domain_use_interactive_fds(links_t)
+
+auth_use_nsswitch(links_t)
+
+miscfiles_read_localization(links_t)
+
+userdom_use_user_terminals(links_t)
+
+tunable_policy(`links_manage_user_files',`
+	userdom_manage_user_home_content_dirs(links_t)
+	userdom_manage_user_home_content_files(links_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(links, links_t, links_tmpfs_t)
+')
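Review bot: The description of `links_manage_user_files` says only "(download files)", which understates what the tunable grants. When enabled, it calls `userdom_manage_user_home_content_dirs` and `userdom_manage_user_home_content_files`, so a domain that parses untrusted web content gets manage access to the user's home content in general, not to a download location. The `<desc>` text should say so, for example `## Allow links to create, modify and delete files and directories in user home directories (needed to save downloads outside ~/.links).` Separately, the `manage_fifo_files_pattern` rule on `links_home_t` should be justified in a comment, or dropped if nothing under ~/.links is a FIFO; the patch does not show which is the case.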
-- 
1.7.3.4


