[refpolicy] [PATCH/RFC 1/4] Introduce xdg types

Christopher J. PeBenito cpebenito at tresys.com
Wed Sep 14 07:24:19 CDT 2011


On 09/04/11 08:13, Sven Vermeulen wrote:
> The XDG Base Directory specification is an open specification for
> dealing with user data in a desktop environment. It is published on
> http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
> and in use by many applications.
> 
> In this patch, we introduce the xdg-specific types and give the standard
> interfaces for dealing with these types.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  policy/modules/system/xdg.fc |    3 +
>  policy/modules/system/xdg.if |  172 ++++++++++++++++++++++++++++++++++++++++++
>  policy/modules/system/xdg.te |   15 ++++
>  3 files changed, 190 insertions(+), 0 deletions(-)
>  create mode 100644 policy/modules/system/xdg.fc
>  create mode 100644 policy/modules/system/xdg.if
>  create mode 100644 policy/modules/system/xdg.te
> 
> diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
> new file mode 100644
> index 0000000..44dc42e
> --- /dev/null
> +++ b/policy/modules/system/xdg.fc
> @@ -0,0 +1,3 @@
> +HOME_DIR/\.cache(/.*)?		gen_context(system_u:object_r:xdg_cache_home_t,s0)
> +HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:xdg_config_home_t,s0)
> +HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:xdg_data_home_t,s0)
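
Review bot: the three patterns only cover the specification's default locations; the XDG Base Directory spec linked in the commit message lets a user relocate these trees through XDG_CACHE_HOME, XDG_CONFIG_HOME and XDG_DATA_HOME, and files written to a relocated path will keep whatever label their parent directory carries (user_home_t under the home directory) rather than the xdg_* types. That limitation deserves a comment at the top of xdg.fc or a line in the commit message. Also note that HOME_DIR/\.local itself is not matched by the third line, so only the share subtree becomes xdg_data_home_t while .local stays with the home directory label.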

This seems to make sense, though I'm not sure it needs to be its own module.

> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> new file mode 100644
> index 0000000..f844f10
> --- /dev/null
> +++ b/policy/modules/system/xdg.if
> @@ -0,0 +1,172 @@
> +## <summary>Policy for xdg desktop standard</summary>
> +
> +#######################################
> +## <summary>
> +##   Allow the userdomain full administrative rights on the xdg_* locations
> +## </summary>
> +## <param name="userdomain">
> +##	<summary>
> +##	The user domain
> +##	</summary>
> +## </param>
> +## <rolebase/>
> +#
> +interface(`xdg_admin',`
> +	gen_require(`
> +		type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
> +	')
> +
> +	# full control over the xdg_* directories
> +	manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +	relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +
> +	manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +	relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +
> +	manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +	relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +')
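
Review bot: xdg_admin grants manage and relabel on the three xdg_* types but nothing in the interface lets $1 reach them; the directories sit directly under HOME_DIR, so a caller also needs search on the user home directory (userdom_search_user_home_dirs($1), or a documented expectation that the caller already holds it), otherwise the rules above are unreachable in practice. The thirty manage_*/relabel_* calls are also the exact expansion of admin_pattern($1, xdg_cache_home_t) and the equivalent calls for xdg_config_home_t and xdg_data_home_t, which would cut the interface to three lines. The hunk header announces 172 added lines but the quote stops at the end of xdg_admin, so the remaining interfaces in xdg.if are not visible here for review.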

Use admin_pattern()

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com