Navigation

← Previous Changeset
Next Changeset →

Changeset 2680

Timestamp:

05/12/08 10:56:59 (7 months ago)

Author:

pebenito

Message:

rbacsep: basic copy and paste collapsing of most apps modules. does not build.

Files:

branches/rbacsep/policy/modules/apps/cdrecord.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/ethereal.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/evolution.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/gift.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/gnome.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/gpg.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/irc.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/lockdev.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/mozilla.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/rssh.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/screen.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/thunderbird.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/tvtime.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/uml.te (modified) (2 diffs)
branches/rbacsep/policy/modules/apps/userhelper.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/wireshark.te (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/rbacsep/policy/modules/apps/cdrecord.te

r2553	r2680
16	16	gen_tunable(cdrecord_read_content,false)
17	17
	18	type cdrecord_t;
	19	application_domain(cdrecord_t, cdrecord_exec_t)
	20
18	21	type cdrecord_exec_t;
19	22	application_executable_file(cdrecord_exec_t)
	23
	24	########################################
	25	#
	26	# Local policy
	27	#
	28
	29	allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
	30	allow cdrecord_t self:process { getsched setsched sigkill };
	31	allow cdrecord_t self:unix_dgram_socket create_socket_perms;
	32	allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
	33
	34	allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
	35
	36	# allow ps to show cdrecord and allow the user to kill it
	37	ps_process_pattern($2, cdrecord_t)
	38	allow $2 cdrecord_t:process signal;
	39
	40	# Transition from the user domain to the derived domain.
	41	domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
	42
	43	# allow searching for cdrom-drive
	44	dev_list_all_dev_nodes(cdrecord_t)
	45
	46	domain_interactive_fd(cdrecord_t)
	47	domain_use_interactive_fds(cdrecord_t)
	48
	49	files_read_etc_files(cdrecord_t)
	50
	51	term_use_controlling_term(cdrecord_t)
	52	term_list_ptys(cdrecord_t)
	53
	54	# allow cdrecord to write the CD
	55	storage_raw_write_removable_device(cdrecord_t)
	56	storage_write_scsi_generic(cdrecord_t)
	57
	58	libs_use_ld_so(cdrecord_t)
	59	libs_use_shared_libs(cdrecord_t)
	60
	61	logging_send_syslog_msg(cdrecord_t)
	62
	63	miscfiles_read_localization(cdrecord_t)
	64
	65	# write to the user domain tty.
	66	userdom_use_user_terminals($1, cdrecord_t)
	67	userdom_use_user_terminals($1, $2)
	68
	69	userdom_read_user_home_content_files($1, cdrecord_t)
	70
	71	# Handle nfs home dirs
	72	tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
	73	fs_list_auto_mountpoints(cdrecord_t)
	74	files_list_home(cdrecord_t)
	75	fs_read_nfs_files(cdrecord_t)
	76	fs_read_nfs_symlinks(cdrecord_t)
	77
	78	',`
	79	files_dontaudit_list_home(cdrecord_t)
	80	fs_dontaudit_list_auto_mountpoints(cdrecord_t)
	81	fs_dontaudit_read_nfs_files(cdrecord_t)
	82	fs_dontaudit_list_nfs(cdrecord_t)
	83	')
	84	# Handle samba home dirs
	85	tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
	86	fs_list_auto_mountpoints(cdrecord_t)
	87	files_list_home(cdrecord_t)
	88	fs_read_cifs_files(cdrecord_t)
	89	fs_read_cifs_symlinks(cdrecord_t)
	90	',`
	91	files_dontaudit_list_home(cdrecord_t)
	92	fs_dontaudit_list_auto_mountpoints(cdrecord_t)
	93	fs_dontaudit_read_cifs_files(cdrecord_t)
	94	fs_dontaudit_list_cifs(cdrecord_t)
	95	')
	96
	97	# Handle removable media, /tmp, and /home
	98	tunable_policy(`cdrecord_read_content',`
	99	userdom_list_user_tmp($1, cdrecord_t)
	100	userdom_read_user_tmp_files($1, drecord_t)
	101	userdom_read_user_tmp_symlinks($1, cdrecord_t)
	102	userdom_search_user_home_dirs($1, cdrecord_t)
	103	userdom_read_user_home_content_files($1, cdrecord_t)
	104	userdom_read_user_home_content_symlinks($1, cdrecord_t)
	105
	106	ifdef(`enable_mls',`
	107	',`
	108	fs_search_removable(cdrecord_t)
	109	fs_read_removable_files(cdrecord_t)
	110	fs_read_removable_symlinks(cdrecord_t)
	111	')
	112	',`
	113	files_dontaudit_list_tmp(cdrecord_t)
	114	files_dontaudit_list_home(cdrecord_t)
	115	fs_dontaudit_list_removable(cdrecord_t)
	116	fs_dontaudit_read_removable_files(cdrecord_t)
	117	userdom_dontaudit_list_user_tmp($1, cdrecord_t)
	118	userdom_dontaudit_read_user_tmp_files($1, cdrecord_t)
	119	userdom_dontaudit_list_user_home_dirs($1, cdrecord_t)
	120	userdom_dontaudit_read_user_home_content_files($1, cdrecord_t)
	121	')
	122
	123	# Handle default_t content
	124	tunable_policy(`cdrecord_read_content && read_default_t',`
	125	files_list_default(cdrecord_t)
	126	files_read_default_files(cdrecord_t)
	127	files_read_default_symlinks(cdrecord_t)
	128	',`
	129	files_dontaudit_read_default_files(cdrecord_t)
	130	files_dontaudit_list_default(cdrecord_t)
	131	')
	132
	133	# Handle untrusted content
	134	tunable_policy(`cdrecord_read_content && read_untrusted_content',`
	135	files_list_tmp(cdrecord_t)
	136	files_list_home(cdrecord_t)
	137	userdom_search_user_home_dirs($1, cdrecord_t)
	138
	139	userdom_list_user_untrusted_content($1, cdrecord_t)
	140	userdom_read_user_untrusted_content_files($1, cdrecord_t)
	141	userdom_read_user_untrusted_content_symlinks($1, cdrecord_t)
	142	userdom_list_user_tmp_untrusted_content($1, cdrecord_t)
	143	userdom_read_user_tmp_untrusted_content_files($1, cdrecord_t)
	144	userdom_read_user_tmp_untrusted_content_symlinks($1, cdrecord_t)
	145	',`
	146	files_dontaudit_list_tmp(cdrecord_t)
	147	files_dontaudit_list_home(cdrecord_t)
	148	userdom_dontaudit_list_user_home_dirs($1, cdrecord_t)
	149	userdom_dontaudit_list_user_untrusted_content($1, cdrecord_t)
	150	userdom_dontaudit_read_user_untrusted_content_files($1, cdrecord_t)
	151	userdom_dontaudit_list_user_tmp_untrusted_content($1, cdrecord_t)
	152	userdom_dontaudit_read_user_tmp_untrusted_content_files($1, cdrecord_t)
	153	')
	154
	155	tunable_policy(`use_nfs_home_dirs',`
	156	files_search_mnt(cdrecord_t)
	157	fs_read_nfs_files(cdrecord_t)
	158	fs_read_nfs_symlinks(cdrecord_t)
	159	')
	160
	161	optional_policy(`
	162	resmgr_stream_connect(cdrecord_t)
	163	')

branches/rbacsep/policy/modules/apps/ethereal.te

r2675	r2680
7	7	#
8	8
	9	type ethereal_t;
9	10	type ethereal_exec_t;
10		application_executable_file(ethereal_exec_t)
	11	application_domain(ethereal_t, ethereal_exec_t)
	12
	13	type ethereal_home_t;
	14	files_poly_member(ethereal_home_t)
	15	userdom_user_home_content($1, ethereal_home_t)
	16
	17	type ethereal_tmp_t;
	18	files_tmp_file(ethereal_tmp_t)
	19
	20	type ethereal_tmpfs_t;
	21	files_tmpfs_file(ethereal_tmpfs_t)
11	22
12	23	type tethereal_t;
13	24	type tethereal_exec_t;
14		application_domain(tethereal_t,tethereal_exec_t)
	25	application_domain(tethereal_t, tethereal_exec_t)
15	26
16	27	type tethereal_tmp_t;
17	28	files_tmp_file(tethereal_tmp_t)
	29
	30	##############################
	31	#
	32	# Local Policy
	33	#
	34
	35	allow ethereal_t self:capability { net_admin net_raw setgid };
	36	allow ethereal_t self:process { signal getsched };
	37	allow ethereal_t self:fifo_file { getattr read write };
	38	allow ethereal_t self:shm destroy;
	39	allow ethereal_t self:shm create_shm_perms;
	40	allow ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
	41	allow ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
	42	allow ethereal_t self:tcp_socket create_socket_perms;
	43	allow ethereal_t self:udp_socket create_socket_perms;
	44
	45	# Re-execute itself (why?)
	46	can_exec(ethereal_t, ethereal_exec_t)
	47	corecmd_search_bin(ethereal_t)
	48
	49	# /home/.ethereal
	50	manage_dirs_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
	51	manage_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
	52	manage_lnk_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
	53	userdom_user_home_dir_filetrans($1, ethereal_t, ethereal_home_t, dir)
	54
	55	# Store temporary files
	56	manage_dirs_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
	57	manage_files_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
	58	files_tmp_filetrans(ethereal_t, ethereal_tmp_t, { dir file })
	59
	60	manage_dirs_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
	61	manage_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
	62	manage_lnk_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
	63	manage_sock_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
	64	manage_fifo_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
	65	fs_tmpfs_filetrans(ethereal_t, ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	66
	67	domain_auto_trans($2, ethereal_exec_t, ethereal_t)
	68	allow ethereal_t $2:fd use;
	69	allow ethereal_t $2:process sigchld;
	70
	71	manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
	72	manage_files_pattern($2, ethereal_home_t, ethereal_home_t)
	73	manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
	74	relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
	75	relabel_files_pattern($2, ethereal_home_t, ethereal_home_t)
	76	relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
	77
	78	kernel_read_kernel_sysctls(ethereal_t)
	79	kernel_read_system_state(ethereal_t)
	80	kernel_read_sysctl(ethereal_t)
	81
	82	corecmd_search_bin(ethereal_t)
	83
	84	corenet_tcp_connect_generic_port(ethereal_t)
	85	corenet_tcp_sendrecv_generic_if(ethereal_t)
	86
	87	dev_read_urand(ethereal_t)
	88
	89	files_read_etc_files(ethereal_t)
	90	files_read_usr_files(ethereal_t)
	91
	92	fs_list_inotifyfs(ethereal_t)
	93	fs_search_auto_mountpoints(ethereal_t)
	94
	95	libs_read_lib_files(ethereal_t)
	96	libs_use_ld_so(ethereal_t)
	97	libs_use_shared_libs(ethereal_t)
	98
	99	miscfiles_read_fonts(ethereal_t)
	100	miscfiles_read_localization(ethereal_t)
	101
	102	seutil_use_newrole_fds(ethereal_t)
	103
	104	sysnet_read_config(ethereal_t)
	105
	106	userdom_manage_user_home_content_files($1, ethereal_t)
	107
	108	tunable_policy(`use_nfs_home_dirs',`
	109	fs_manage_nfs_dirs(ethereal_t)
	110	fs_manage_nfs_files(ethereal_t)
	111	fs_manage_nfs_symlinks(ethereal_t)
	112	')
	113
	114	tunable_policy(`use_samba_home_dirs',`
	115	fs_manage_cifs_dirs(ethereal_t)
	116	fs_manage_cifs_files(ethereal_t)
	117	fs_manage_cifs_symlinks(ethereal_t)
	118	')
	119
	120	optional_policy(`
	121	nscd_socket_use(ethereal_t)
	122	')
	123
	124	# Manual transition from userhelper
	125	optional_policy(`
	126	userhelper_use_user_fd($1, ethereal_t)
	127	userhelper_sigchld_user($1, ethereal_t)
	128	')
	129
	130	optional_policy(`
	131	xserver_user_x_domain_template($1, ethereal, ethereal_t, ethereal_tmpfs_t)
	132	xserver_create_xdm_tmp_sockets(ethereal_t)
	133	')
18	134
19	135	########################################

branches/rbacsep/policy/modules/apps/evolution.te

r2675	r2680
7	7	#
8	8
	9	type evolution_t;
9	10	type evolution_exec_t;
10		application_executable_file(evolution_exec_t)
11
	11	application_domain(evolution_t, evolution_exec_t)
	12
	13	type evolution_alarm_t;
12	14	type evolution_alarm_exec_t;
13		application_executable_file(evolution_alarm_exec_t)
14
	15	application_domain(evolution_alarm_t, evolution_alarm_exec_t)
	16
	17	type evolution_alarm_tmpfs_t;
	18	files_tmpfs_file(evolution_alarm_tmpfs_t)
	19
	20	type evolution_alarm_orbit_tmp_t;
	21	files_tmp_file(evolution_alarm_orbit_tmp_t)
	22
	23	type evolution_exchange_t;
15	24	type evolution_exchange_exec_t;
16		application_executable_file(evolution_exchange_exec_t)
17
	25	application_domain(evolution_exchange_t, evolution_exchange_exec_t)
	26
	27	type evolution_exchange_tmpfs_t;
	28	files_tmpfs_file(evolution_exchange_tmpfs_t)
	29
	30	type evolution_exchange_tmp_t;
	31	files_tmp_file(evolution_exchange_tmp_t)
	32
	33	type evolution_exchange_orbit_tmp_t;
	34	files_tmp_file(evolution_exchange_orbit_tmp_t)
	35
	36	type evolution_home_t;
	37	files_poly_member(evolution_home_t)
	38	userdom_user_home_content($1, evolution_home_t)
	39
	40	type evolution_orbit_tmp_t;
	41	files_tmp_file(evolution_orbit_tmp_t)
	42
	43	type evolution_server_t;
18	44	type evolution_server_exec_t;
19		application_executable_file(evolution_server_exec_t)
20
	45	application_domain(evolution_server_t, evolution_server_exec_t)
	46
	47	type evolution_server_orbit_tmp_t;
	48	files_tmp_file(evolution_server_orbit_tmp_t)
	49
	50	type evolution_tmpfs_t;
	51	files_tmpfs_file(evolution_tmpfs_t)
	52
	53	type evolution_webcal_t;
21	54	type evolution_webcal_exec_t;
22		application_executable_file(evolution_webcal_exec_t)
	55	application_domain(evolution_webcal_t, evolution_webcal_exec_t)
	56
	57	type evolution_webcal_tmpfs_t;
	58	files_tmpfs_file(evolution_webcal_tmpfs_t)
	59
	60	########################################
	61	#
	62	# Evolution local policy
	63	#
	64
	65	allow evolution_t self:capability { setuid setgid sys_nice };
	66	allow evolution_t self:process { signal getsched setsched };
	67	allow evolution_t self:fifo_file rw_file_perms;
	68	allow evolution_t self:tcp_socket create_socket_perms;
	69	allow evolution_t self:udp_socket create_socket_perms;
	70
	71	allow evolution_t evolution_alarm_t:dir search_dir_perms;
	72	allow evolution_t evolution_alarm_t:file read;
	73
	74	allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
	75	allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
	76
	77	can_exec(evolution_t, evolution_alarm_exec_t)
	78
	79	allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
	80	allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
	81
	82	allow evolution_t evolution_home_t:dir manage_dir_perms;
	83	allow evolution_t evolution_home_t:file manage_file_perms;
	84	allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
	85
	86	allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
	87	allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
	88	files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
	89
	90	allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
	91	allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
	92	files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
	93
	94	allow evolution_t evolution_server_t:dir search_dir_perms;
	95	allow evolution_t evolution_server_t:file read;
	96
	97	allow evolution_t evolution_server_t:unix_stream_socket connectto;
	98	allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
	99
	100	can_exec(evolution_t, evolution_server_exec_t)
	101
	102	allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
	103	allow evolution_t evolution_tmpfs_t:file manage_file_perms;
	104	allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
	105	allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
	106	allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
	107	fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	108
	109	allow evolution_t $2:dir search;
	110	allow evolution_t $2:fd use;
	111	allow evolution_t $2:file read;
	112	allow evolution_t $2:lnk_file read;
	113	allow evolution_t $2:process sigchld;
	114	allow evolution_t $2:unix_stream_socket connectto;
	115	allow evolution_t $2:dir search;
	116	allow evolution_t $2:file read;
	117
	118	domain_auto_trans($2, evolution_exec_t, evolution_t)
	119
	120	allow $2 evolution_t:unix_stream_socket connectto;
	121	allow $2 evolution_t:process noatsecure;
	122	allow $2 evolution_t:process signal_perms;
	123
	124	# Access .evolution
	125	allow $2 evolution_home_t:dir manage_dir_perms;
	126	allow $2 evolution_home_t:file manage_file_perms;
	127	allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
	128	allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
	129	userdom_search_user_home_dirs($1, evolution_t)
	130
	131	# Allow the user domain to signal/ps.
	132	allow $2 evolution_t:dir { search getattr read };
	133	allow $2 evolution_t:{ file lnk_file } { read getattr };
	134	allow $2 evolution_t:process getattr;
	135
	136	domain_dontaudit_read_all_domains_state(evolution_t)
	137
	138	#FIXME check to see if really needed
	139	kernel_read_kernel_sysctls(evolution_t)
	140	kernel_read_system_state(evolution_t)
	141	# Allow netstat
	142	kernel_read_network_state(evolution_t)
	143	kernel_read_net_sysctls(evolution_t)
	144
	145	corecmd_exec_shell(evolution_t)
	146	# Run various programs
	147	corecmd_exec_bin(evolution_t)
	148
	149	corenet_all_recvfrom_unlabeled(evolution_t)
	150	corenet_all_recvfrom_netlabel(evolution_t)
	151	corenet_tcp_sendrecv_generic_if(evolution_t)
	152	corenet_udp_sendrecv_generic_if(evolution_t)
	153	corenet_raw_sendrecv_generic_if(evolution_t)
	154	corenet_tcp_sendrecv_all_nodes(evolution_t)
	155	corenet_udp_sendrecv_all_nodes(evolution_t)
	156	corenet_tcp_sendrecv_pop_port(evolution_t)
	157	corenet_udp_sendrecv_pop_port(evolution_t)
	158	corenet_tcp_sendrecv_smtp_port(evolution_t)
	159	corenet_udp_sendrecv_smtp_port(evolution_t)
	160	corenet_tcp_sendrecv_innd_port(evolution_t)
	161	corenet_udp_sendrecv_innd_port(evolution_t)
	162	corenet_tcp_sendrecv_ldap_port(evolution_t)
	163	corenet_udp_sendrecv_ldap_port(evolution_t)
	164	corenet_tcp_sendrecv_ipp_port(evolution_t)
	165	corenet_udp_sendrecv_ipp_port(evolution_t)
	166	corenet_tcp_connect_pop_port(evolution_t)
	167	corenet_tcp_connect_smtp_port(evolution_t)
	168	corenet_tcp_connect_innd_port(evolution_t)
	169	corenet_tcp_connect_ldap_port(evolution_t)
	170	corenet_tcp_connect_ipp_port(evolution_t)
	171	corenet_sendrecv_pop_client_packets(evolution_t)
	172	corenet_sendrecv_smtp_client_packets(evolution_t)
	173	corenet_sendrecv_innd_client_packets(evolution_t)
	174	corenet_sendrecv_ldap_client_packets(evolution_t)
	175	corenet_sendrecv_ipp_client_packets(evolution_t)
	176	# not sure about this bind
	177	corenet_udp_bind_all_nodes(evolution_t)
	178	corenet_udp_bind_generic_port(evolution_t)
	179
	180	dev_read_urand(evolution_t)
	181
	182	files_read_etc_files(evolution_t)
	183	files_read_usr_files(evolution_t)
	184	files_read_usr_symlinks(evolution_t)
	185	files_read_var_files(evolution_t)
	186
	187	fs_search_auto_mountpoints(evolution_t)
	188
	189	libs_use_ld_so(evolution_t)
	190	libs_use_shared_libs(evolution_t)
	191
	192	logging_send_syslog_msg(evolution_t)
	193
	194	miscfiles_read_localization(evolution_t)
	195
	196	sysnet_read_config(evolution_t)
	197	sysnet_dns_name_resolve(evolution_t)
	198
	199	udev_read_state(evolution_t)
	200
	201	userdom_rw_user_tmp_files($1, evolution_t)
	202	userdom_manage_user_tmp_dirs($1, evolution_t)
	203	userdom_manage_user_tmp_sockets($1, evolution_t)
	204	userdom_manage_user_tmp_files($1, evolution_t)
	205	userdom_use_user_terminals($1, evolution_t)
	206	# FIXME: suppress access to .local/.icons/.themes until properly implemented
	207	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
	208	# until properly implemented
	209	userdom_dontaudit_read_user_home_content_files($1, evolution_t)
	210
	211	mta_read_config(evolution_t)
	212
	213	xserver_user_x_domain_template($1, evolution,evolution_t, evolution_tmpfs_t)
	214	xserver_read_xdm_tmp_files(evolution_t)
	215
	216	tunable_policy(`use_nfs_home_dirs',`
	217	fs_manage_nfs_dirs(evolution_t)
	218	fs_manage_nfs_files(evolution_t)
	219	fs_manage_nfs_symlinks(evolution_t)
	220	')
	221
	222	tunable_policy(`use_samba_home_dirs',`
	223	fs_manage_cifs_dirs(evolution_t)
	224	fs_manage_cifs_files(evolution_t)
	225	fs_manage_cifs_symlinks(evolution_t)
	226	')
	227
	228	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
	229	fs_list_auto_mountpoints(evolution_t)
	230	files_list_home(evolution_t)
	231	fs_read_nfs_files(evolution_t)
	232	fs_read_nfs_symlinks(evolution_t)
	233
	234	',`
	235	files_dontaudit_list_home(evolution_t)
	236	fs_dontaudit_list_auto_mountpoints(evolution_t)
	237	fs_dontaudit_read_nfs_files(evolution_t)
	238	fs_dontaudit_list_nfs(evolution_t)
	239	')
	240
	241	tunable_policy(`mail_read_content && use_samba_home_dirs',`
	242	fs_list_auto_mountpoints(evolution_t)
	243	files_list_home(evolution_t)
	244	fs_read_cifs_files(evolution_t)
	245	fs_read_cifs_symlinks(evolution_t)
	246	',`
	247	files_dontaudit_list_home(evolution_t)
	248	fs_dontaudit_list_auto_mountpoints(evolution_t)
	249	fs_dontaudit_read_cifs_files(evolution_t)
	250	fs_dontaudit_list_cifs(evolution_t)
	251	')
	252
	253	tunable_policy(`mail_read_content',`
	254	userdom_list_user_tmp($1, evolution_t)
	255	userdom_read_user_tmp_files($1, evolution_t)
	256	userdom_read_user_tmp_symlinks($1, evolution_t)
	257	userdom_search_user_home_dirs($1, evolution_t)
	258	userdom_read_user_home_content_files($1, evolution_t)
	259	userdom_read_user_home_content_symlinks($1, evolution_t)
	260
	261	ifndef(`enable_mls',`
	262	fs_search_removable(evolution_t)
	263	fs_read_removable_files(evolution_t)
	264	fs_read_removable_symlinks(evolution_t)
	265	')
	266	',`
	267	files_dontaudit_list_tmp(evolution_t)
	268	files_dontaudit_list_home(evolution_t)
	269	fs_dontaudit_list_removable(evolution_t)
	270	fs_dontaudit_read_removable_files(evolution_t)
	271	userdom_dontaudit_list_user_tmp($1, evolution_t)
	272	userdom_dontaudit_read_user_tmp_files($1, evolution_t)
	273	userdom_dontaudit_list_user_home_dirs($1, evolution_t)
	274	userdom_dontaudit_read_user_home_content_files($1, evolution_t)
	275	')
	276
	277	tunable_policy(`mail_read_content && read_default_t',`
	278	files_list_default(evolution_t)
	279	files_read_default_files(evolution_t)
	280	files_read_default_symlinks(evolution_t)
	281	',`
	282	files_dontaudit_read_default_files(evolution_t)
	283	files_dontaudit_list_default(evolution_t)
	284	')
	285
	286	tunable_policy(`mail_read_content && read_untrusted_content',`
	287	files_list_tmp(evolution_t)
	288	files_list_home(evolution_t)
	289	userdom_search_user_home_dirs($1, evolution_t)
	290
	291	userdom_list_user_untrusted_content($1, evolution_t)
	292	userdom_read_user_untrusted_content_files($1, evolution_t)
	293	userdom_read_user_untrusted_content_symlinks($1, evolution_t)
	294	userdom_list_user_tmp_untrusted_content($1, evolution_t)
	295	userdom_read_user_tmp_untrusted_content_files($1, evolution_t)
	296	userdom_read_user_tmp_untrusted_content_symlinks($1, evolution_t)
	297	',`
	298	files_dontaudit_list_tmp(evolution_t)
	299	files_dontaudit_list_home(evolution_t)
	300	userdom_dontaudit_list_user_home_dirs($1, evolution_t)
	301	userdom_dontaudit_list_user_untrusted_content($1, evolution_t)
	302	userdom_dontaudit_read_user_untrusted_content_files($1, evolution_t)
	303	userdom_dontaudit_list_user_tmp_untrusted_content($1, evolution_t)
	304	userdom_dontaudit_read_user_tmp_untrusted_content_files($1, evolution_t)
	305	')
	306
	307	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
	308	files_search_home(evolution_t)
	309
	310	fs_search_auto_mountpoints(evolution_t)
	311	fs_manage_nfs_dirs(evolution_t)
	312	fs_manage_nfs_files(evolution_t)
	313	fs_manage_nfs_symlinks(evolution_t)
	314	',`
	315	fs_dontaudit_list_auto_mountpoints(evolution_t)
	316	fs_dontaudit_manage_nfs_dirs(evolution_t)
	317	fs_dontaudit_manage_nfs_files(evolution_t)
	318	')
	319
	320	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
	321	files_search_home(evolution_t)
	322
	323	fs_search_auto_mountpoints(evolution_t)
	324	fs_manage_cifs_dirs(evolution_t)
	325	fs_manage_cifs_files(evolution_t)
	326	fs_manage_cifs_symlinks(evolution_t)
	327	',`
	328	fs_dontaudit_list_auto_mountpoints(evolution_t)
	329	fs_dontaudit_manage_cifs_dirs(evolution_t)
	330	fs_dontaudit_manage_cifs_files(evolution_t)
	331	')
	332
	333	tunable_policy(`write_untrusted_content',`
	334	files_search_home(evolution_t)
	335
	336	userdom_manage_user_untrusted_content_files($1, evolution_t)
	337	userdom_user_home_dir_filetrans($1, evolution_t,untrusted_content_tmp_t, { file dir })
	338	userdom_user_home_content_filetrans($1, evolution_t,untrusted_content_tmp_t, { file dir })
	339
	340	',`
	341	files_dontaudit_list_home(evolution_t)
	342	files_dontaudit_list_tmp(evolution_t)
	343
	344	userdom_dontaudit_list_user_home_dirs($1, evolution_t)
	345	#userdom_dontaudit_manage_user_tmp($1, evolution_t)
	346	#userdom_dontaudit_manage_user_tmp_files($1, evolution_t)
	347	#userdom_dontaudit_manage_user_home_subdirs($1, evolution_t)
	348	')
	349
	350	optional_policy(`
	351	automount_read_state(evolution_t)
	352	')
	353
	354	# Allow printing the mail
	355	optional_policy(`
	356	cups_read_rw_config(evolution_t)
	357	')
	358
	359	optional_policy(`
	360	dbus_system_bus_client_template(evolution,evolution_t)
	361	dbus_user_bus_client_template($1, evolution,evolution_t)
	362	')
	363
	364	optional_policy(`
	365	gnome_stream_connect_gconf_template($1, evolution_t)
	366	')
	367
	368	# Encrypt mail
	369	optional_policy(`
	370	gpg_domtrans_user_gpg($1, evolution_t)
	371	gpg_signal_user_gpg($1, evolution_t)
	372	')
	373
	374	optional_policy(`
	375	lpd_domtrans_user_lpr($1, evolution_t)
	376	')
	377
	378	optional_policy(`
	379	mozilla_read_user_home_files($1, evolution_t)
	380	mozilla_domtrans_user_mozilla($1, evolution_t)
	381	')
	382
	383	# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
	384	optional_policy(`
	385	nis_use_ypbind(evolution_t)
	386	')
	387
	388	optional_policy(`
	389	nscd_socket_use(evolution_t)
	390	')
	391
	392	### Junk mail filtering (start spamd)
	393	optional_policy(`
	394	spamassassin_exec_spamd(evolution_t)
	395	spamassassin_domtrans_user_client($1, evolution_t)
	396	spamassassin_domtrans_user_local_client($1, evolution_t)
	397	# Allow evolution to signal the daemon
	398	# FIXME: Now evolution can read spamd temp files
	399	spamassassin_read_spamd_tmp_files(evolution_t)
	400	spamassassin_signal_spamd(evolution_t)
	401	spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
	402	')
	403
	404	########################################
	405	#
	406	# Evolution alarm local policy
	407	#
	408
	409	allow evolution_alarm_t self:process { signal getsched };
	410	allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
	411
	412	allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
	413	allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
	414
	415	allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
	416	allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
	417	allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
	418	allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
	419	allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
	420	fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	421
	422	allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
	423	allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
	424
	425	# Access evolution home
	426	allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
	427	allow evolution_alarm_t evolution_home_t:file manage_file_perms;
	428	allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
	429
	430	allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
	431	allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
	432
	433	domain_auto_trans($2, evolution_alarm_exec_t, evolution_alarm_t)
	434	allow evolution_alarm_t $2:fd use;
	435
	436	dev_read_urand(evolution_alarm_t)
	437
	438	files_read_etc_files(evolution_alarm_t)
	439	files_read_usr_files(evolution_alarm_t)
	440
	441	fs_search_auto_mountpoints(evolution_alarm_t)
	442
	443	libs_use_ld_so(evolution_alarm_t)
	444	libs_use_shared_libs(evolution_alarm_t)
	445
	446	miscfiles_read_localization(evolution_alarm_t)
	447
	448	# Access evolution home
	449	userdom_search_user_home_dirs($1, evolution_alarm_t)
	450	# FIXME: suppress access to .local/.icons/.themes until properly implemented
	451	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
	452	# until properly implemented
	453	userdom_dontaudit_read_user_home_content_files($1, evolution_alarm_t)
	454
	455	xserver_user_x_domain_template($1, evolution_alarm,evolution_alarm_t, evolution_alarm_tmpfs_t)
	456
	457	# Access evolution home
	458	tunable_policy(`use_nfs_home_dirs',`
	459	fs_manage_nfs_files(evolution_alarm_t)
	460	')
	461
	462	tunable_policy(`use_samba_home_dirs',`
	463	fs_manage_cifs_files(evolution_alarm_t)
	464	')
	465
	466	optional_policy(`
	467	dbus_user_bus_client_template($1, evolution_alarm,evolution_alarm_t)
	468	')
	469
	470	optional_policy(`
	471	gnome_stream_connect_gconf_template($1, evolution_alarm_t)
	472	')
	473
	474	optional_policy(`
	475	nscd_socket_use(evolution_alarm_t)
	476	')
	477
	478	########################################
	479	#
	480	# Evolution exchange connector local policy
	481	#
	482
	483	allow evolution_exchange_t self:process getsched;
	484	allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
	485
	486	allow evolution_exchange_t self:tcp_socket create_socket_perms;
	487	allow evolution_exchange_t self:udp_socket create_socket_perms;
	488
	489	allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
	490	allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
	491
	492	allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
	493	allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
	494
	495	# Access evolution home
	496	allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
	497	allow evolution_exchange_t evolution_home_t:file manage_file_perms;
	498	allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
	499
	500	allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
	501	allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
	502
	503	# /tmp/.exchange-$USER
	504	allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
	505	allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
	506	files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
	507
	508	allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
	509	allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
	510	allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
	511	allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
	512	allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
	513	fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	514
	515	allow evolution_exchange_t $2:unix_stream_socket connectto;
	516	allow evolution_exchange_t $1_tmp_t:sock_file write;
	517
	518	# Clock applet talks to exchange (FIXME: Needs policy)
	519	allow $2 evolution_exchange_t:unix_stream_socket connectto;
	520	allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
	521
	522	# Transition from user domain
	523	domain_auto_trans($2, evolution_exchange_exec_t, evolution_exchange_t)
	524
	525	kernel_read_network_state(evolution_exchange_t)
	526	kernel_read_net_sysctls(evolution_exchange_t)
	527
	528	# Allow netstat
	529	corecmd_exec_bin(evolution_exchange_t)
	530
	531	dev_read_urand(evolution_exchange_t)
	532
	533	files_read_etc_files(evolution_exchange_t)
	534	files_read_usr_files(evolution_exchange_t)
	535
	536	# Access evolution home
	537	fs_search_auto_mountpoints(evolution_exchange_t)
	538
	539	libs_use_ld_so(evolution_exchange_t)
	540	libs_use_shared_libs(evolution_exchange_t)
	541
	542	miscfiles_read_localization(evolution_exchange_t)
	543
	544	# Access evolution home
	545	userdom_search_user_home_dirs($1, evolution_exchange_t)
	546	# FIXME: suppress access to .local/.icons/.themes until properly implemented
	547	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
	548	# until properly implemented
	549	userdom_dontaudit_read_user_home_content_files($1, evolution_exchange_t)
	550
	551	xserver_user_x_domain_template($1, evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)
	552
	553	# Access evolution home
	554	tunable_policy(`use_nfs_home_dirs',`
	555	fs_manage_nfs_files(evolution_exchange_t)
	556	')
	557
	558	tunable_policy(`use_samba_home_dirs',`
	559	fs_manage_cifs_files(evolution_exchange_t)
	560	')
	561
	562	optional_policy(`
	563	gnome_stream_connect_gconf_template($1, evolution_exchange_t)
	564	')
	565
	566	optional_policy(`
	567	nscd_socket_use(evolution_exchange_t)
	568	')
	569
	570	########################################
	571	#
	572	# Evolution data server local policy
	573	#
	574
	575	allow evolution_server_t self:process { getsched signal };
	576
	577	allow evolution_server_t self:fifo_file { read write };
	578	allow evolution_server_t self:unix_stream_socket { accept connectto };
	579	# Talk to ldap (address book),
	580	# Obtain weather data via http (read server name from xml file in /usr)
	581	allow evolution_server_t self:tcp_socket create_socket_perms;
	582
	583	allow evolution_server_t evolution_t:unix_stream_socket connectto;
	584	allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
	585
	586	allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
	587	allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
	588
	589	# Access evolution home
	590	allow evolution_server_t evolution_home_t:dir manage_dir_perms;
	591	allow evolution_server_t evolution_home_t:file manage_file_perms;
	592	allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
	593
	594	allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
	595	allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
	596
	597	# Transition from user type
	598	domain_auto_trans($2, evolution_server_exec_t, evolution_server_t)
	599
	600	kernel_read_system_state(evolution_server_t)
	601
	602	corecmd_exec_shell(evolution_server_t)
	603
	604	# Obtain weather data via http (read server name from xml file in /usr)
	605	corenet_all_recvfrom_unlabeled(evolution_server_t)
	606	corenet_all_recvfrom_netlabel(evolution_server_t)
	607	corenet_tcp_sendrecv_generic_if(evolution_server_t)
	608	corenet_tcp_sendrecv_all_nodes(evolution_server_t)
	609	corenet_tcp_sendrecv_http_port(evolution_server_t)
	610	corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
	611	corenet_tcp_connect_http_cache_port(evolution_server_t)
	612	corenet_tcp_connect_http_port(evolution_server_t)
	613	corenet_sendrecv_http_client_packets(evolution_server_t)
	614	corenet_sendrecv_http_cache_client_packets(evolution_server_t)
	615
	616	dev_read_urand(evolution_server_t)
	617
	618	files_read_etc_files(evolution_server_t)
	619	# Obtain weather data via http (read server name from xml file in /usr)
	620	files_read_usr_files(evolution_server_t)
	621
	622	fs_search_auto_mountpoints(evolution_server_t)
	623
	624	libs_use_ld_so(evolution_server_t)
	625	libs_use_shared_libs(evolution_server_t)
	626
	627	miscfiles_read_localization(evolution_server_t)
	628	# Look in /etc/pki
	629	miscfiles_read_certs(evolution_server_t)
	630
	631	# Talk to ldap (address book)
	632	sysnet_read_config(evolution_server_t)
	633	sysnet_dns_name_resolve(evolution_server_t)
	634	sysnet_use_ldap(evolution_server_t)
	635
	636	# Access evolution home
	637	userdom_search_user_home_dirs($1, evolution_server_t)
	638	# FIXME: suppress access to .local/.icons/.themes until properly implemented
	639	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
	640	# until properly implemented
	641	userdom_dontaudit_read_user_home_content_files($1, evolution_server_t)
	642
	643	# Access evolution home
	644	tunable_policy(`use_nfs_home_dirs',`
	645	fs_manage_nfs_files(evolution_server_t)
	646	')
	647
	648	tunable_policy(`use_samba_home_dirs',`
	649	fs_manage_cifs_files(evolution_server_t)
	650	')
	651
	652	optional_policy(`
	653	gnome_stream_connect_gconf_template($1, evolution_server_t)
	654	')
	655
	656	optional_policy(`
	657	nscd_socket_use(evolution_server_t)
	658	')
	659
	660	########################################
	661	#
	662	# Evolution webcal local policy
	663	#
	664
	665	allow evolution_webcal_t self:tcp_socket create_socket_perms;
	666
	667	# X/evolution common stuff
	668	allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
	669	allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
	670	allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
	671	allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
	672	allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
	673	fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	674
	675	# Transition from user type
	676	domain_auto_trans($2, evolution_webcal_exec_t, evolution_webcal_t)
	677
	678	corenet_all_recvfrom_unlabeled(evolution_webcal_t)
	679	corenet_all_recvfrom_netlabel(evolution_webcal_t)
	680	corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
	681	corenet_raw_sendrecv_generic_if(evolution_webcal_t)
	682	corenet_tcp_sendrecv_all_nodes(evolution_webcal_t)
	683	corenet_raw_sendrecv_all_nodes(evolution_webcal_t)
	684	corenet_tcp_sendrecv_http_port(evolution_webcal_t)
	685	corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
	686	corenet_tcp_connect_http_cache_port(evolution_webcal_t)
	687	corenet_tcp_connect_http_port(evolution_webcal_t)
	688	corenet_sendrecv_http_client_packets(evolution_webcal_t)
	689	corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
	690
	691	# Networking capability - connect to website and handle ics link
	692	sysnet_read_config(evolution_webcal_t)
	693	sysnet_dns_name_resolve(evolution_webcal_t)
	694
	695	# Search home directory (?)
	696	userdom_search_user_home_dirs($1, evolution_webcal_t)
	697	# FIXME: suppress access to .local/.icons/.themes until properly implemented
	698	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
	699	# until properly implemented
	700	userdom_dontaudit_read_user_home_content_files($1, evolution_webcal_t)
	701
	702	xserver_user_x_domain_template($1, evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
	703
	704	optional_policy(`
	705	nscd_socket_use(evolution_webcal_t)
	706	')

branches/rbacsep/policy/modules/apps/gift.te

r2675	r2680
7	7	#
8	8
	9	type gift_t;
9	10	type gift_exec_t;
10		application_~~executable_file(~~gift_exec_t)
	11	application_domain(gift_t, gift_exec_t)
11	12
	13	type gift_home_t;
	14	files_poly_member(gift_home_t)
	15	userdom_user_home_content($1, gift_home_t)
	16
	17	type gift_tmpfs_t;
	18	files_tmpfs_file(gift_tmpfs_t)
	19
	20	type giftd_t;
12	21	type giftd_exec_t;
13		application_executable_file(giftd_exec_t)
	22	application_domain(giftd_t, giftd_exec_t)
	23
	24	##############################
	25	#
	26	# giFT user interface local policy
	27	#
	28
	29	allow gift_t self:tcp_socket create_socket_perms;
	30
	31	manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
	32	manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
	33	manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
	34	manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
	35	fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
	36
	37	manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
	38	manage_files_pattern(gift_t, gift_home_t, gift_home_t)
	39	manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
	40	userdom_user_home_dir_filetrans($1, gift_t, gift_home_t,dir)
	41
	42	# Launch gift daemon
	43	domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
	44
	45	# transition from user domain
	46	domtrans_pattern($2, gift_exec_t, gift_t)
	47
	48	# user managed content
	49	manage_dirs_pattern($2,gift_home_t, gift_home_t)
	50	manage_files_pattern($2,gift_home_t, gift_home_t)
	51	manage_lnk_files_pattern($2,gift_home_t, gift_home_t)
	52	relabel_dirs_pattern($2,gift_home_t, gift_home_t)
	53	relabel_files_pattern($2,gift_home_t, gift_home_t)
	54	relabel_lnk_files_pattern($2,gift_home_t, gift_home_t)
	55
	56	# Allow the user domain to signal/ps.
	57	ps_process_pattern($2,gift_t)
	58	allow $2 gift_t:process signal_perms;
	59
	60	# Read /proc/meminfo
	61	kernel_read_system_state(giftd_t)
	62
	63	# Connect to gift daemon
	64	corenet_all_recvfrom_unlabeled(gift_t)
	65	corenet_all_recvfrom_netlabel(gift_t)
	66	corenet_tcp_sendrecv_generic_if(gift_t)
	67	corenet_tcp_sendrecv_all_nodes(gift_t)
	68	corenet_tcp_sendrecv_giftd_port(gift_t)
	69	corenet_tcp_connect_giftd_port(gift_t)
	70	corenet_sendrecv_giftd_client_packets(gift_t)
	71
	72	fs_search_auto_mountpoints(gift_t)
	73
	74	sysnet_read_config(gift_t)
	75
	76	# giftui looks in .icons, .themes.
	77	userdom_dontaudit_read_user_home_content_files($1, gift_t)
	78
	79	tunable_policy(`use_nfs_home_dirs',`
	80	fs_manage_nfs_dirs(gift_t)
	81	fs_manage_nfs_files(gift_t)
	82	fs_manage_nfs_symlinks(gift_t)
	83	')
	84
	85	tunable_policy(`use_samba_home_dirs',`
	86	fs_manage_cifs_dirs(gift_t)
	87	fs_manage_cifs_files(gift_t)
	88	fs_manage_cifs_symlinks(gift_t)
	89	')
	90
	91	optional_policy(`
	92	nscd_socket_use(gift_t)
	93	')
	94
	95	optional_policy(`
	96	xserver_user_x_domain_template($1, gift, gift_t, gift_tmpfs_t)
	97	')
	98
	99	##############################
	100	#
	101	# giFT server local policy
	102	#
	103
	104	allow giftd_t self:process { signal setsched };
	105	allow giftd_t self:unix_stream_socket create_socket_perms;
	106	allow giftd_t self:tcp_socket create_stream_socket_perms;
	107	allow giftd_t self:udp_socket create_socket_perms;
	108
	109	manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
	110	manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
	111	manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
	112	userdom_user_home_dir_filetrans($1, giftd_t, gift_home_t, dir)
	113
	114	domtrans_pattern($2, giftd_exec_t, giftd_t)
	115
	116	kernel_read_system_state(giftd_t)
	117	kernel_read_kernel_sysctls(giftd_t)
	118
	119	# Serve content on various p2p networks. Ports can be random.
	120	corenet_all_recvfrom_unlabeled(giftd_t)
	121	corenet_all_recvfrom_netlabel(giftd_t)
	122	corenet_tcp_sendrecv_generic_if(giftd_t)
	123	corenet_udp_sendrecv_generic_if(giftd_t)
	124	corenet_tcp_sendrecv_all_nodes(giftd_t)
	125	corenet_udp_sendrecv_all_nodes(giftd_t)
	126	corenet_tcp_sendrecv_all_ports(giftd_t)
	127	corenet_udp_sendrecv_all_ports(giftd_t)
	128	corenet_tcp_bind_all_nodes(giftd_t)
	129	corenet_udp_bind_all_nodes(giftd_t)
	130	corenet_tcp_bind_all_ports(giftd_t)
	131	corenet_udp_bind_all_ports(giftd_t)
	132	corenet_tcp_connect_all_ports(giftd_t)
	133	corenet_sendrecv_all_client_packets(giftd_t)
	134
	135	files_read_usr_files(giftd_t)
	136	# Read /etc/mtab
	137	files_read_etc_runtime_files(giftd_t)
	138
	139	libs_use_ld_so(giftd_t)
	140	libs_use_shared_libs(giftd_t)
	141
	142	miscfiles_read_localization(giftd_t)
	143
	144	sysnet_read_config(giftd_t)
	145
	146	userdom_use_user_terminals($1, giftd_t)
	147
	148	tunable_policy(`use_nfs_home_dirs',`
	149	fs_manage_nfs_dirs(giftd_t)
	150	fs_manage_nfs_files(giftd_t)
	151	fs_manage_nfs_symlinks(giftd_t)
	152	')
	153
	154	tunable_policy(`use_samba_home_dirs',`
	155	fs_manage_cifs_dirs(giftd_t)
	156	fs_manage_cifs_files(giftd_t)
	157	fs_manage_cifs_symlinks(giftd_t)
	158	')

branches/rbacsep/policy/modules