Changeset 2724
- Timestamp:
- 06/19/08 15:55:10 (4 months ago)
- Files:
-
- branches/rbacsep/policy/modules/admin/rpm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/su.te (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/updfstab.te (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/vpn.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/cdrecord.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/ethereal.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/ethereal.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/evolution.if (modified) (7 diffs)
- branches/rbacsep/policy/modules/apps/evolution.te (modified) (12 diffs)
- branches/rbacsep/policy/modules/apps/games.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gift.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/gnome.if (modified) (5 diffs)
- branches/rbacsep/policy/modules/apps/gpg.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/apps/gpg.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/java.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/apps/java.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/apps/lockdev.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/lockdev.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/mozilla.if (modified) (9 diffs)
- branches/rbacsep/policy/modules/apps/mozilla.te (modified) (5 diffs)
- branches/rbacsep/policy/modules/apps/mplayer.if (modified) (5 diffs)
- branches/rbacsep/policy/modules/apps/mplayer.te (modified) (4 diffs)
- branches/rbacsep/policy/modules/apps/rssh.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/rssh.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/thunderbird.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/thunderbird.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/apps/tvtime.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/userhelper.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/apps/userhelper.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/vmware.te (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/wireshark.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/apps/wireshark.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/apache.if (modified) (3 diffs)
- branches/rbacsep/policy/modules/services/apm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/avahi.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/bind.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/bluetooth.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/services/consolekit.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/cron.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/cups.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/dbus.if (modified) (6 diffs)
- branches/rbacsep/policy/modules/services/dhcp.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/hal.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/kerneloops.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/lpd.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/services/lpd.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/networkmanager.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/oddjob.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/openvpn.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/rhgb.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/ricci.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/setroubleshoot.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/spamassassin.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/spamassassin.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/ssh.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/xserver.if (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/xserver.te (modified) (4 diffs)
- branches/rbacsep/policy/modules/system/hotplug.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/init.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/locallogin.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/modutils.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/sysnetwork.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/udev.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/unconfined.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/system/userdomain.if (modified) (11 diffs)
- branches/rbacsep/policy/modules/system/userdomain.te (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
- Modified
- Copied
- Moved
branches/rbacsep/policy/modules/admin/rpm.te
r2553 r2724 345 345 346 346 optional_policy(` 347 java_domtrans (rpm_script_t)347 java_domtrans_unconfined(rpm_script_t) 348 348 ') 349 349 branches/rbacsep/policy/modules/admin/su.te
r2720 r2724 129 129 # Modify .Xauthority file (via xauth program). 130 130 optional_policy(` 131 xserver_user_home_dir_filetrans_user_xauth( $1,su_t)132 xserver_domtrans_ user_xauth($1,su_t)131 xserver_user_home_dir_filetrans_user_xauth(su_t) 132 xserver_domtrans_xauth(su_t) 133 133 ') branches/rbacsep/policy/modules/admin/updfstab.te
r2553 r2724 90 90 init_dbus_chat_script(updfstab_t) 91 91 92 dbus_system_bus_client _template(updfstab,updfstab_t)92 dbus_system_bus_client(updfstab_t) 93 93 ') 94 94 branches/rbacsep/policy/modules/admin/vpn.te
r2675 r2724 111 111 112 112 optional_policy(` 113 dbus_system_bus_client _template(vpnc,vpnc_t)113 dbus_system_bus_client(vpnc_t) 114 114 115 115 optional_policy(` branches/rbacsep/policy/modules/apps/cdrecord.te
r2720 r2724 118 118 ') 119 119 120 # Handle untrusted content121 tunable_policy(`cdrecord_read_content && read_untrusted_content',`122 files_list_tmp(cdrecord_t)123 files_list_home(cdrecord_t)124 userdom_search_user_home_dirs($1, cdrecord_t)125 126 userdom_list_user_untrusted_content($1, cdrecord_t)127 userdom_read_user_untrusted_content_files($1, cdrecord_t)128 userdom_read_user_untrusted_content_symlinks($1, cdrecord_t)129 userdom_list_user_tmp_untrusted_content($1, cdrecord_t)130 userdom_read_user_tmp_untrusted_content_files($1, cdrecord_t)131 userdom_read_user_tmp_untrusted_content_symlinks($1, cdrecord_t)132 ',`133 files_dontaudit_list_tmp(cdrecord_t)134 files_dontaudit_list_home(cdrecord_t)135 userdom_dontaudit_list_user_home_dirs($1, cdrecord_t)136 userdom_dontaudit_list_user_untrusted_content($1, cdrecord_t)137 userdom_dontaudit_read_user_untrusted_content_files($1, cdrecord_t)138 userdom_dontaudit_list_user_tmp_untrusted_content($1, cdrecord_t)139 userdom_dontaudit_read_user_tmp_untrusted_content_files($1, cdrecord_t)140 ')141 142 120 tunable_policy(`use_nfs_home_dirs',` 143 121 files_search_mnt(cdrecord_t) branches/rbacsep/policy/modules/apps/ethereal.if
r2705 r2724 251 251 ## Run ethereal in ethereal domain. 252 252 ## </summary> 253 ## <desc>254 ## <p>255 ## Run ethereal in ethereal domain.256 ## </p>257 ## <p>258 ## This is a templated interface, and should only259 ## be called from a per-userdomain template.260 ## </p>261 ## </desc>262 ## <param name="userdomain_prefix">263 ## <summary>264 ## The prefix of the user domain (e.g., user265 ## is the prefix for user_t).266 ## </summary>267 ## </param>268 253 ## <param name="domain"> 269 254 ## <summary> … … 272 257 ## </param> 273 258 # 274 template(`ethereal_domtrans_user_ethereal',`275 gen_require(` 276 type $1_ethereal_t, ethereal_exec_t;277 ') 278 279 domtrans_pattern($ 2,ethereal_exec_t,$1_ethereal_t)259 interface(`ethereal_domtrans',` 260 gen_require(` 261 type ethereal_t, ethereal_exec_t; 262 ') 263 264 domtrans_pattern($1, ethereal_exec_t, ethereal_t) 280 265 ') 281 266 branches/rbacsep/policy/modules/apps/ethereal.te
r2720 r2724 113 113 # Manual transition from userhelper 114 114 optional_policy(` 115 userhelper_use_ user_fd($1,ethereal_t)116 userhelper_sigchld _user($1,ethereal_t)115 userhelper_use_fd(ethereal_t) 116 userhelper_sigchld(ethereal_t) 117 117 ') 118 118 119 119 optional_policy(` 120 xserver_user_x_domain_template( $1,ethereal, ethereal_t, ethereal_tmpfs_t)120 xserver_user_x_domain_template(ethereal, ethereal_t, ethereal_tmpfs_t) 121 121 xserver_create_xdm_tmp_sockets(ethereal_t) 122 122 ') branches/rbacsep/policy/modules/apps/evolution.if
r2705 r2724 866 866 ## Create objects in users evolution home folders. 867 867 ## </summary> 868 ## <desc>869 ## <p>870 ## This is a templated interface, and should only871 ## be called from a per-userdomain template.872 ## </p>873 ## </desc>874 ## <param name="prefix">875 ## <summary>876 ## The prefix of the user domain (e.g., user877 ## is the prefix for user_t).878 ## </summary>879 ## </param>880 868 ## <param name="domain"> 881 869 ## <summary> … … 890 878 ## <param name="class"> 891 879 ## <summary> 892 ## The object class of the object being created. If 893 ## no class is specified, dir will be used. 880 ## The object class of the object being created. 894 881 ## </summary> 895 882 ## </param> 896 883 # 897 template(`evolution_home_filetrans',`884 interface(`evolution_home_filetrans',` 898 885 gen_require(` 899 type $1_evolution_home_t;900 ') 901 902 allow $ 2 $1_evolution_home_t:dir rw_dir_perms;903 type_transition $ 2 $1_evolution_home_t:$4 $3;886 type evolution_home_t; 887 ') 888 889 allow $1 evolution_home_t:dir rw_dir_perms; 890 type_transition $1 evolution_home_t:$3 $2; 904 891 ') 905 892 906 893 ######################################## 907 894 ## <summary> 908 ## Connect to userevolution unix stream socket.895 ## Connect to evolution unix stream socket. 909 896 ## </summary> 910 ## <desc>911 ## <p>912 ## Connect to user evolution unix stream socket.913 ## </p>914 ## <p>915 ## This is a templated interface, and should only916 ## be called from a per-userdomain template.917 ## </p>918 ## </desc>919 ## <param name="userdomain_prefix">920 ## <summary>921 ## The prefix of the user domain (e.g., user922 ## is the prefix for user_t).923 ## </summary>924 ## </param>925 897 ## <param name="domain"> 926 898 ## <summary> … … 929 901 ## </param> 930 902 # 931 template(`evolution_stream_connect',`903 interface(`evolution_stream_connect',` 932 904 gen_require(` 933 type $1_evolution_t, $1_evolution_home_t;934 ') 935 936 allow $ 2 $1_evolution_t:unix_stream_socket connectto;937 allow $ 2 $1_evolution_home_t:dir search;905 type evolution_t, evolution_home_t; 906 ') 907 908 allow $1 evolution_t:unix_stream_socket connectto; 909 allow $1 evolution_home_t:dir search; 938 910 ') 939 911 … … 943 915 ## evolution over dbus. 944 916 ## </summary> 945 ## <param name="userdomain_prefix">946 ## <summary>947 ## The prefix of the user domain (e.g., user948 ## is the prefix for user_t).949 ## </summary>950 ## </param>951 917 ## <param name="domain"> 952 918 ## <summary> … … 957 923 interface(`evolution_dbus_chat',` 958 924 gen_require(` 959 type $1_evolution_t;925 type evolution_t; 960 926 class dbus send_msg; 961 927 ') 962 928 963 allow $ 2 $1_evolution_t:dbus send_msg;964 allow $1_evolution_t $2:dbus send_msg;929 allow $1 evolution_t:dbus send_msg; 930 allow evolution_t $1:dbus send_msg; 965 931 ') 966 932 … … 970 936 ## evolution_alarm over dbus. 971 937 ## </summary> 972 ## <param name="userdomain_prefix">973 ## <summary>974 ## The prefix of the user domain (e.g., user975 ## is the prefix for user_t).976 ## </summary>977 ## </param>978 938 ## <param name="domain"> 979 939 ## <summary> … … 984 944 interface(`evolution_alarm_dbus_chat',` 985 945 gen_require(` 986 type $1_evolution_alarm_t;946 type evolution_alarm_t; 987 947 class dbus send_msg; 988 948 ') 989 949 990 allow $ 2 $1_evolution_alarm_t:dbus send_msg;991 allow $1_evolution_alarm_t $2:dbus send_msg;950 allow $1 evolution_alarm_t:dbus send_msg; 951 allow evolution_alarm_t $1:dbus send_msg; 992 952 ') branches/rbacsep/policy/modules/apps/evolution.te
r2720 r2724 185 185 mta_read_config(evolution_t) 186 186 187 xserver_user_x_domain_template( $1, evolution,evolution_t, evolution_tmpfs_t)187 xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) 188 188 xserver_read_xdm_tmp_files(evolution_t) 189 189 … … 257 257 ') 258 258 259 tunable_policy(`mail_read_content && read_untrusted_content',`260 files_list_tmp(evolution_t)261 files_list_home(evolution_t)262 userdom_search_user_home_dirs($1, evolution_t)263 264 userdom_list_user_untrusted_content($1, evolution_t)265 userdom_read_user_untrusted_content_files($1, evolution_t)266 userdom_read_user_untrusted_content_symlinks($1, evolution_t)267 userdom_list_user_tmp_untrusted_content($1, evolution_t)268 userdom_read_user_tmp_untrusted_content_files($1, evolution_t)269 userdom_read_user_tmp_untrusted_content_symlinks($1, evolution_t)270 ',`271 files_dontaudit_list_tmp(evolution_t)272 files_dontaudit_list_home(evolution_t)273 userdom_dontaudit_list_user_home_dirs($1, evolution_t)274 userdom_dontaudit_list_user_untrusted_content($1, evolution_t)275 userdom_dontaudit_read_user_untrusted_content_files($1, evolution_t)276 userdom_dontaudit_list_user_tmp_untrusted_content($1, evolution_t)277 userdom_dontaudit_read_user_tmp_untrusted_content_files($1, evolution_t)278 ')279 280 tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`281 files_search_home(evolution_t)282 283 fs_search_auto_mountpoints(evolution_t)284 fs_manage_nfs_dirs(evolution_t)285 fs_manage_nfs_files(evolution_t)286 fs_manage_nfs_symlinks(evolution_t)287 ',`288 fs_dontaudit_list_auto_mountpoints(evolution_t)289 fs_dontaudit_manage_nfs_dirs(evolution_t)290 fs_dontaudit_manage_nfs_files(evolution_t)291 ')292 293 tunable_policy(`write_untrusted_content && use_samba_home_dirs',`294 files_search_home(evolution_t)295 296 fs_search_auto_mountpoints(evolution_t)297 fs_manage_cifs_dirs(evolution_t)298 fs_manage_cifs_files(evolution_t)299 fs_manage_cifs_symlinks(evolution_t)300 ',`301 fs_dontaudit_list_auto_mountpoints(evolution_t)302 fs_dontaudit_manage_cifs_dirs(evolution_t)303 fs_dontaudit_manage_cifs_files(evolution_t)304 ')305 306 tunable_policy(`write_untrusted_content',`307 files_search_home(evolution_t)308 309 userdom_manage_user_untrusted_content_files($1, evolution_t)310 userdom_user_home_dir_filetrans($1, evolution_t,untrusted_content_tmp_t, { file dir })311 userdom_user_home_content_filetrans($1, evolution_t,untrusted_content_tmp_t, { file dir })312 313 ',`314 files_dontaudit_list_home(evolution_t)315 files_dontaudit_list_tmp(evolution_t)316 317 userdom_dontaudit_list_user_home_dirs($1, evolution_t)318 #userdom_dontaudit_manage_user_tmp($1, evolution_t)319 #userdom_dontaudit_manage_user_tmp_files($1, evolution_t)320 #userdom_dontaudit_manage_user_home_subdirs($1, evolution_t)321 ')322 323 259 optional_policy(` 324 260 automount_read_state(evolution_t) … … 331 267 332 268 optional_policy(` 333 dbus_system_bus_client _template(evolution,evolution_t)334 dbus_ user_bus_client_template($1, evolution,evolution_t)335 ') 336 337 optional_policy(` 338 gnome_stream_connect_gconf _template($1,evolution_t)269 dbus_system_bus_client(evolution_t) 270 dbus_session_bus_client(evolution_t) 271 ') 272 273 optional_policy(` 274 gnome_stream_connect_gconf(evolution_t) 339 275 ') 340 276 341 277 # Encrypt mail 342 278 optional_policy(` 343 gpg_domtrans _user_gpg($1,evolution_t)344 gpg_signal _user_gpg($1,evolution_t)345 ') 346 347 optional_policy(` 348 lpd_domtrans_ user_lpr($1,evolution_t)349 ') 350 351 optional_policy(` 352 mozilla_read_user_home_files( $1,evolution_t)353 mozilla_domtrans _user_mozilla($1,evolution_t)279 gpg_domtrans(evolution_t) 280 gpg_signal(evolution_t) 281 ') 282 283 optional_policy(` 284 lpd_domtrans_lpr(evolution_t) 285 ') 286 287 optional_policy(` 288 mozilla_read_user_home_files(evolution_t) 289 mozilla_domtrans(evolution_t) 354 290 ') 355 291 … … 366 302 optional_policy(` 367 303 spamassassin_exec_spamd(evolution_t) 368 spamassassin_domtrans_ user_client($1,evolution_t)369 spamassassin_domtrans_ user_local_client($1,evolution_t)304 spamassassin_domtrans_client(evolution_t) 305 spamassassin_domtrans_local_client(evolution_t) 370 306 # Allow evolution to signal the daemon 371 307 # FIXME: Now evolution can read spamd temp files … … 423 359 userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) 424 360 425 xserver_user_x_domain_template( $1, evolution_alarm,evolution_alarm_t, evolution_alarm_tmpfs_t)361 xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) 426 362 427 363 # Access evolution home … … 435 371 436 372 optional_policy(` 437 dbus_ user_bus_client_template($1, evolution_alarm,evolution_alarm_t)438 ') 439 440 optional_policy(` 441 gnome_stream_connect_gconf _template($1,evolution_alarm_t)373 dbus_session_bus_client(evolution_alarm_t) 374 ') 375 376 optional_policy(` 377 gnome_stream_connect_gconf(evolution_alarm_t) 442 378 ') 443 379 … … 483 419 fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 484 420 485 allow evolution_exchange_t $1_tmp_t:sock_file write;486 487 421 kernel_read_network_state(evolution_exchange_t) 488 422 kernel_read_net_sysctls(evolution_exchange_t) … … 504 438 miscfiles_read_localization(evolution_exchange_t) 505 439 440 userdom_write_user_tmp_sockets(evolution_exchange_t) 506 441 # Access evolution home 507 442 userdom_search_user_home_dirs(evolution_exchange_t) … … 511 446 userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) 512 447 513 xserver_user_x_domain_template( $1,evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)448 xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t) 514 449 515 450 # Access evolution home … … 523 458 524 459 optional_policy(` 525 gnome_stream_connect_gconf _template($1,evolution_exchange_t)460 gnome_stream_connect_gconf(evolution_exchange_t) 526 461 ') 527 462 … … 610 545 611 546 optional_policy(` 612 gnome_stream_connect_gconf _template($1,evolution_server_t)547 gnome_stream_connect_gconf(evolution_server_t) 613 548 ') 614 549 … … 656 591 userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) 657 592 658 xserver_user_x_domain_template( $1,evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)593 xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) 659 594 660 595 optional_policy(` branches/rbacsep/policy/modules/apps/games.te
r2720 r2724 168 168 169 169 optional_policy(` 170 xserver_user_x_domain_template( $1,games,games_t, games_tmpfs_t)170 xserver_user_x_domain_template(games, games_t, games_tmpfs_t) 171 171 xserver_create_xdm_tmp_sockets(games_t) 172 172 xserver_read_xdm_lib_files(games_t) branches/rbacsep/policy/modules/apps/gift.te
r2720 r2724 79 79 80 80 optional_policy(` 81 xserver_user_x_domain_template( $1,gift, gift_t, gift_tmpfs_t)81 xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) 82 82 ') 83 83 branches/rbacsep/policy/modules/apps/gnome.if
r2705 r2724 150 150 ## gconf connection template. 151 151 ## </summary> 152 ## <param name="userdomain_prefix">153 ## <summary>154 ## The prefix of the user domain (e.g., user155 ## is the prefix for user_t).156 ## </summary>157 ## </param>158 152 ## <param name="user_domain"> 159 153 ## <summary> … … 162 156 ## </param> 163 157 # 164 template(`gnome_stream_connect_gconf_template',` 165 gen_require(` 166 type $1_gconfd_t; 167 type $1_gconf_tmp_t; 168 ') 169 170 read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t) 171 allow $2 $1_gconfd_t:unix_stream_socket connectto; 172 ') 173 174 ######################################## 175 ## <summary> 176 ## Run gconfd in the role-specific gconfd domain. 177 ## </summary> 178 ## <desc> 179 ## <p> 180 ## Run gconfd in the role-specfic gconfd domain. 181 ## </p> 182 ## <p> 183 ## This is a templated interface, and should only 184 ## be called from a per-userdomain template. 185 ## </p> 186 ## </desc> 187 ## <param name="userdomain_prefix"> 188 ## <summary> 189 ## The prefix of the user domain (e.g., user 190 ## is the prefix for user_t). 191 ## </summary> 192 ## </param> 158 interface(`gnome_stream_connect_gconf',` 159 gen_require(` 160 type gconfd_t, gconf_tmp_t; 161 ') 162 163 read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) 164 allow $1 gconfd_t:unix_stream_socket connectto; 165 ') 166 167 ######################################## 168 ## <summary> 169 ## Run gconfd in gconfd domain. 170 ## </summary> 193 171 ## <param name="domain"> 194 172 ## <summary> … … 197 175 ## </param> 198 176 # 199 template(`gnome_domtrans_user_gconf',`200 gen_require(` 201 type $1_gconfd_t, gconfd_exec_t;202 ') 203 204 domtrans_pattern($ 2,gconfd_exec_t,$1_gconfd_t)177 interface(`gnome_domtrans_gconfd',` 178 gen_require(` 179 type gconfd_t, gconfd_exec_t; 180 ') 181 182 domtrans_pattern($1, gconfd_exec_t, gconfd_t) 205 183 ') 206 184 … … 209 187 ## manage gnome homedir content (.config) 210 188 ## </summary> 211 ## <param name="userdomain_prefix">212 ## <summary>213 ## The prefix of the user domain (e.g., user214 ## is the prefix for user_t).215 ## </summary>216 ## </param>217 189 ## <param name="user_domain"> 218 190 ## <summary> … … 221 193 ## </param> 222 194 # 223 template(`gnome_manage_user_gnome_config',` 224 gen_require(` 225 type $1_gnome_home_t; 226 ') 227 228 allow $2 $1_gnome_home_t:dir manage_dir_perms; 229 allow $2 $1_gnome_home_t:file manage_file_perms; 230 ') 195 interface(`gnome_manage_config',` 196 gen_require(` 197 type gnome_home_t; 198 ') 199 200 allow $1 gnome_home_t:dir manage_dir_perms; 201 allow $1 gnome_home_t:file manage_file_perms; 202 userdom_search_user_home_dirs($1) 203 ') branches/rbacsep/policy/modules/apps/gpg.if
r2705 r2724 388 388 ## Transition to a user gpg domain. 389 389 ## </summary> 390 ## <desc>391 ## <p>392 ## Transition to a user gpg domain.393 ## </p>394 ## <p>395 ## This is a templated interface, and should only396 ## be called from a per-userdomain template.397 ## </p>398 ## </desc>399 ## <param name="userdomain_prefix">400 ## <summary>401 ## The prefix of the user domain (e.g., user402 ## is the prefix for user_t).403 ## </summary>404 ## </param>405 390 ## <param name="domain"> 406 391 ## <summary> … … 409 394 ## </param> 410 395 # 411 template(`gpg_domtrans_user_gpg',`396 interface(`gpg_domtrans',` 412 397 gen_require(` 413 type $1_gpg_t, gpg_exec_t;414 ') 415 416 domtrans_pattern($ 2, gpg_exec_t, $1_gpg_t)398 type gpg_t, gpg_exec_t; 399 ') 400 401 domtrans_pattern($1, gpg_exec_t, gpg_t) 417 402 ') 418 403 … … 421 406 ## Send generic signals to user gpg processes. 422 407 ## </summary> 423 ## <desc>424 ## <p>425 ## This is a templated interface, and should only426 ## be called from a per-userdomain template.427 ## </p>428 ## </desc>429 ## <param name="userdomain_prefix">430 ## <summary>431 ## The prefix of the user domain (e.g., user432 ## is the prefix for user_t).433 ## </summary>434 ## </param>435 408 ## <param name="domain"> 436 409 ## <summary> … … 439 412 ## </param> 440 413 # 441 template(`gpg_signal_user_gpg',`414 interface(`gpg_signal',` 442 415 gen_require(` 443 type $1_gpg_t;444 ') 445 446 allow $ 2 $1_gpg_t:process signal;416 type gpg_t; 417 ') 418 419 allow $1 gpg_t:process signal; 447 420 ') branches/rbacsep/policy/modules/apps/gpg.te
r2720 r2724 244 244 245 245 optional_policy(` 246 xserver_stream_connect _xdm_xserver(gpg_pinentry_t)247 ') 246 xserver_stream_connect(gpg_pinentry_t) 247 ') branches/rbacsep/policy/modules/apps/java.if
r2688 r2724 186 186 interface(`java_role',` 187 187 gen_require(` 188 type java plugin_t, java_exec_t;189 type java plugin_tmp_t, javaplugin_tmpfs_t;190 ') 191 192 role $1 types { java plugin_t javaplugin_tmp_t javaplugin_tmpfs_t };188 type java_t, java_exec_t; 189 type java_tmp_t, java_tmpfs_t; 190 ') 191 192 role $1 types { java_t java_tmp_t java_tmpfs_t }; 193 193 194 194 # The user role is authorized for this domain. 195 domtrans_pattern($2, java_exec_t, java plugin_t)196 allow java plugin_t $2:process signull;195 domtrans_pattern($2, java_exec_t, java_t) 196 allow java_t $2:process signull; 197 197 # Unrestricted inheritance from the caller. 198 allow $2 java plugin_t:process { noatsecure siginh rlimitinh };199 200 allow java plugin_t $2:unix_stream_socket connectto;201 allow java plugin_t $2:unix_stream_socket { read write };198 allow $2 java_t:process { noatsecure siginh rlimitinh }; 199 200 allow java_t $2:unix_stream_socket connectto; 201 allow java_t $2:unix_stream_socket { read write }; 202 202 ') 203 203 … … 206 206 ## Run java in javaplugin domain. 207 207 ## </summary> 208 ## <desc>209 ## <p>210 ## Run java in javaplugin domain.211 ## </p>212 ## <p>213 ## This is a templated interface, and should only214 ## be called from a per-userdomain template.215 ## </p>216 ## </desc>217 ## <param name="userdomain_prefix">218 ## <summary>219 ## The prefix of the user domain (e.g., user220 ## is the prefix for user_t).221 ## </summary>222 ## </param>223 208 ## <param name="domain"> 224 209 ## <summary> … … 227 212 ## </param> 228 213 # 229 template(`java_domtrans _user_javaplugin',`230 gen_require(` 231 type $1_javaplugin_t, java_exec_t;232 ') 233 234 domtrans_pattern($ 2,java_exec_t,$1_javaplugin_t)214 template(`java_domtrans',` 215 gen_require(` 216 type java_t, java_exec_t; 217 ') 218 219 domtrans_pattern($1, java_exec_t, java_t) 235 220 ') 236 221 … … 245 230 ## </param> 246 231 # 247 interface(`java_domtrans ',`232 interface(`java_domtrans_unconfined',` 248 233 gen_require(` 249 234 type unconfined_java_t, java_exec_t; branches/rbacsep/policy/modules/apps/java.te
r2720 r2724 29 29 typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; 30 30 typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; 31 32 type unconfined_java_t; 33 init_system_domain(unconfined_java_t, java_exec_t) 31 34 32 35 ######################################## … … 129 132 130 133 optional_policy(` 131 xserver_user_x_domain_template( $1,java,java_t, java_tmpfs_t)134 xserver_user_x_domain_template(java, java_t, java_tmpfs_t) 132 135 ') 133 136 … … 138 141 139 142 optional_policy(` 140 type unconfined_java_t;141 init_system_domain(unconfined_java_t, java_exec_t)142 143 143 # execheap is needed for itanium/BEA jrocket 144 144 allow unconfined_java_t self:process { execstack execmem execheap }; branches/rbacsep/policy/modules/apps/lockdev.if
r2687 r2724 107 107 # Transition from the user domain to the derived domain. 108 108 domtrans_pattern($2, lockdev_exec_t, lockdev_t) 109 109 allow lockdev_t $2:process signull; 110 110 111 # allow ps to show lockdev 111 112 ps_process_pattern($2, lockdev_t) branches/rbacsep/policy/modules/apps/lockdev.te
r2720 r2724 21 21 # Use capabilities. 22 22 allow lockdev_t self:capability setgid; 23 allow lockdev_t $2:process signull;24 23 25 24 allow lockdev_t lockdev_lock_t:file manage_file_perms; branches/rbacsep/policy/modules/apps/mozilla.if
r2687 r2724 431 431 allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; 432 432 allow mozilla_t $2:fd use; 433 allow mozilla_t $2:process sigchld;433 allow mozilla_t $2:process { sigchld signull }; 434 434 allow mozilla_t $2:unix_stream_socket connectto; 435 435 … … 454 454 ######################################## 455 455