Old 01-02-2010, 09:09 PM
Dominick Grift
 
Default policy for vino server (based on current rawhide policy)

I created policy for the vino server today. I tested it a few times and it
works. You can use it either by enabling remote desktop or via Empathy.

It requires many patches etc. though. I attached what I think is related;
I might have missed some.

It's also in my git repository (I maintain it there):

git clone git://82.197.205.60/selinux-modules.git

You will have to label some vnc tube ports as vnc_port_t; there is a comment
about it in vino.te.



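# vino.fc -- file contexts for the Vino remote-desktop server.
# HOME_DIR is expanded per user home directory by the build. Dots are escaped
# so the regex matches the literal path component rather than any character.

# Per-user state, e.g. ~/.local/share/vino/vino-server.lock (see vino.te).
HOME_DIR/\.local/share/vino(/.*)?	gen_context(system_u:object_r:vino_server_data_home_t, s0)

# Entry point into the vino_server_t domain.
/usr/libexec/vino-server	--	gen_context(system_u:object_r:vino_server_exec_t, s0)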
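# telepathy.fc -- file contexts for the Telepathy connection managers and
# Mission Control. Dots in home-directory paths are escaped so they match
# literally rather than any character.

# Mission Control per-user state. ~/.cache/.mc_connections is also created at
# runtime through a file transition in telepathy.te.
HOME_DIR/\.mission-control(/.*)?	gen_context(system_u:object_r:tp_mission_control_home_t, s0)
HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:tp_mission_control_home_t, s0)

/usr/libexec/mission-control-5	--	gen_context(system_u:object_r:tp_mission_control_exec_t, s0)

# One entry point per connection manager; each transitions into its own
# tp_*_t domain (declared in telepathy.te).
/usr/libexec/telepathy-butterfly	--	gen_context(system_u:object_r:tp_butterfly_exec_t, s0)
/usr/libexec/telepathy-gabble	--	gen_context(system_u:object_r:tp_gabble_exec_t, s0)
# NOTE: telepathy.te currently carries no rules for tp_haze_t (see its Haze section).
/usr/libexec/telepathy-haze	--	gen_context(system_u:object_r:tp_haze_exec_t, s0)
/usr/libexec/telepathy-idle	--	gen_context(system_u:object_r:tp_idle_exec_t, s0)
/usr/libexec/telepathy-salut	--	gen_context(system_u:object_r:tp_salut_exec_t, s0)
/usr/libexec/telepathy-sofiasip	--	gen_context(system_u:object_r:tp_sofiasip_exec_t, s0)
/usr/libexec/telepathy-stream-engine	--	gen_context(system_u:object_r:tp_stream_engine_exec_t, s0)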
## <summary>Telepathy framework.</summary>
## <desc>
## <p>
## The Telepathy project is building a unified framework
## for many different kinds of real-time communications.
## It uses the D-Bus messaging system to provide a simple
## interface for client applications, allowing them to
## quickly take advantage of Telepathy's benefits.
## </p>
## <p>
## Mission Control, or MC, is a Telepathy component
## providing a way for "end-user" applications to abstract
## some of the details of connection managers, to provide
## a simple way to manipulate a bunch of connection
## managers at once, and to remove the need to have in each
## program the account definitions and credentials.
## </p>
## </desc>

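########################################
## <summary>
##	The role template for the Telepathy module.
##	Lets a user role/domain start every Telepathy connection
##	manager and Mission Control (directly and via its session
##	bus), and control and inspect the resulting processes.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
template(`telepathy_role_template', `
	gen_require(`
		attribute tp_domains;

		type tp_butterfly_t, tp_gabble_t, tp_haze_t;
		type tp_idle_t, tp_mission_control_t, tp_salut_t;
		type tp_sofiasip_t, tp_stream_engine_t;

		type tp_butterfly_exec_t, tp_gabble_exec_t, tp_haze_exec_t;
		type tp_idle_exec_t, tp_mission_control_exec_t, tp_salut_exec_t;
		type tp_sofiasip_exec_t, tp_stream_engine_exec_t;

		type tp_butterfly_tmp_t, tp_salut_tmp_t;
	')

	########################################
	#
	# Shared declarations: each Telepathy domain may be activated by the
	# $1 session bus and is made available to role $2.
	#

	dbus_session_domain($1, tp_butterfly_t, tp_butterfly_exec_t)
	role $2 types tp_butterfly_t;

	dbus_session_domain($1, tp_gabble_t, tp_gabble_exec_t)
	role $2 types tp_gabble_t;

	dbus_session_domain($1, tp_haze_t, tp_haze_exec_t)
	role $2 types tp_haze_t;

	dbus_session_domain($1, tp_idle_t, tp_idle_exec_t)
	role $2 types tp_idle_t;

	dbus_session_domain($1, tp_mission_control_t, tp_mission_control_exec_t)
	role $2 types tp_mission_control_t;

	dbus_session_domain($1, tp_salut_t, tp_salut_exec_t)
	role $2 types tp_salut_t;

	dbus_session_domain($1, tp_sofiasip_t, tp_sofiasip_exec_t)
	role $2 types tp_sofiasip_t;

	dbus_session_domain($1, tp_stream_engine_t, tp_stream_engine_exec_t)
	role $2 types tp_stream_engine_t;

	########################################
	#
	# Shared policy.
	#

	# The user domain may ptrace, signal and read the /proc state of all
	# Telepathy domains (cross-user access is limited by ubac_constrained
	# on the domains themselves).
	allow $3 tp_domains:process { ptrace signal_perms };
	ps_process_pattern($3, tp_domains)

	optional_policy(`
		telepathy_dbus_chat($3)
	')

	# Butterfly: direct execution, plus full control over its temporary files.
	domtrans_pattern($3, tp_butterfly_exec_t, tp_butterfly_t)
	manage_files_pattern($3, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
	relabel_files_pattern($3, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
	libs_run_ldconfig(tp_butterfly_t, $2)

	# Direct execution of the remaining connection managers and Mission Control.
	domtrans_pattern($3, tp_gabble_exec_t, tp_gabble_t)
	domtrans_pattern($3, tp_haze_exec_t, tp_haze_t)
	domtrans_pattern($3, tp_idle_exec_t, tp_idle_t)
	domtrans_pattern($3, tp_mission_control_exec_t, tp_mission_control_t)

	# Salut: direct execution, plus its temporary sockets.
	domtrans_pattern($3, tp_salut_exec_t, tp_salut_t)
	manage_sock_files_pattern($3, tp_salut_tmp_t, tp_salut_tmp_t)
	relabel_sock_files_pattern($3, tp_salut_tmp_t, tp_salut_tmp_t)
	telepathy_salut_stream_connect($3)

	domtrans_pattern($3, tp_sofiasip_exec_t, tp_sofiasip_t)
	domtrans_pattern($3, tp_stream_engine_exec_t, tp_stream_engine_t)
')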

########################################
## <summary>
##	Exchange D-Bus messages in both directions
##	with every Telepathy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_dbus_chat', `
	gen_require(`
		class dbus send_msg;
		attribute tp_domains;
	')

	# Telepathy domains -> caller, and caller -> Telepathy domains.
	allow tp_domains $1:dbus send_msg;
	allow $1 tp_domains:dbus send_msg;
')

########################################
## <summary>
##	Exchange D-Bus messages in both directions
##	with Telepathy Gabble.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_gabble_dbus_chat', `
	gen_require(`
		class dbus send_msg;
		type tp_gabble_t;
	')

	# Gabble -> caller, and caller -> Gabble.
	allow tp_gabble_t $1:dbus send_msg;
	allow $1 tp_gabble_t:dbus send_msg;
')

########################################
## <summary>
##	Read and write Telepathy Butterfly
##	temporary files in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_butterfly_rw_tmp_files', `
	gen_require(`
		type tp_butterfly_tmp_t;
	')

	# Search /tmp so the files can actually be reached.
	files_search_tmp($1)
	allow $1 tp_butterfly_tmp_t:file rw_file_perms;
')

########################################
## <summary>
##	Connect to Telepathy Salut over its
##	unix stream sockets in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_salut_stream_connect', `
	gen_require(`
		type tp_salut_t;
		type tp_salut_tmp_t;
	')

	# Socket files are tp_salut_tmp_t; the listening process is tp_salut_t.
	stream_connect_pattern($1, tp_salut_tmp_t, tp_salut_tmp_t, tp_salut_t)
')

policy_module(telepathy, 1.0.0)

########################################
#
# Declarations shared by all Telepathy domains.
#

# Every connection manager domain and Mission Control carries this attribute;
# the common rules further down are written against it.
attribute tp_domains;

########################################
#
# Telepathy Butterfly (MSN connection manager) declarations.
#

# Butterfly's own temporary files under /tmp.
type tp_butterfly_tmp_t;
ubac_constrained(tp_butterfly_tmp_t)
files_tmp_file(tp_butterfly_tmp_t)

# The Butterfly domain, its entry point, and membership of tp_domains.
type tp_butterfly_t, tp_domains;
type tp_butterfly_exec_t;
ubac_constrained(tp_butterfly_t)
application_domain(tp_butterfly_t, tp_butterfly_exec_t)

########################################
#
# Telepathy Gabble (Jabber connection manager) declarations.
#

# The Gabble domain, its entry point, and membership of tp_domains.
type tp_gabble_t, tp_domains;
type tp_gabble_exec_t;
ubac_constrained(tp_gabble_t)
application_domain(tp_gabble_t, tp_gabble_exec_t)

########################################
#
# Telepathy Haze (libpurple-based connection manager) declarations.
#

# Haze's own temporary files under /tmp.
type tp_haze_tmp_t;
ubac_constrained(tp_haze_tmp_t)
files_tmp_file(tp_haze_tmp_t)

# The Haze domain, its entry point, and membership of tp_domains.
type tp_haze_t, tp_domains;
type tp_haze_exec_t;
ubac_constrained(tp_haze_t)
application_domain(tp_haze_t, tp_haze_exec_t)

########################################
#
# Telepathy Idle (IRC connection manager) declarations.
#

# The Idle domain, its entry point, and membership of tp_domains.
type tp_idle_t, tp_domains;
type tp_idle_exec_t;
ubac_constrained(tp_idle_t)
application_domain(tp_idle_t, tp_idle_exec_t)

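########################################
#
# Telepathy Mission-Control declarations.
#

# The Mission Control domain, its entry point, and membership of tp_domains.
type tp_mission_control_t, tp_domains;
type tp_mission_control_exec_t;
application_domain(tp_mission_control_t, tp_mission_control_exec_t)
ubac_constrained(tp_mission_control_t)

# Per-user state (~/.mission-control, ~/.cache/.mc_connections; see telepathy.fc).
type tp_mission_control_home_t;
userdom_user_home_content(tp_mission_control_home_t)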

########################################
#
# Telepathy Salut declarations.
#

# Salut's socket files under /tmp.
type tp_salut_tmp_t;
ubac_constrained(tp_salut_tmp_t)
files_tmp_file(tp_salut_tmp_t)

# The Salut domain, its entry point, and membership of tp_domains.
type tp_salut_t, tp_domains;
type tp_salut_exec_t;
ubac_constrained(tp_salut_t)
application_domain(tp_salut_t, tp_salut_exec_t)

########################################
#
# Telepathy Sofiasip (SIP connection manager) declarations.
#

# The Sofiasip domain, its entry point, and membership of tp_domains.
type tp_sofiasip_t, tp_domains;
type tp_sofiasip_exec_t;
ubac_constrained(tp_sofiasip_t)
application_domain(tp_sofiasip_t, tp_sofiasip_exec_t)

########################################
#
# Telepathy Stream-Engine declarations.
#

# The Stream-Engine domain, its entry point, and membership of tp_domains.
type tp_stream_engine_t, tp_domains;
type tp_stream_engine_exec_t;
ubac_constrained(tp_stream_engine_t)
application_domain(tp_stream_engine_t, tp_stream_engine_exec_t)

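########################################
#
# Policy common to every Telepathy domain (attribute tp_domains).
#

allow tp_domains self:process { getsched signal };
allow tp_domains self:fifo_file rw_fifo_file_perms;

# Generic network plumbing; the per-port connect rules are in each
# connection manager's own section below.
corenet_all_recvfrom_netlabel(tp_domains)
corenet_all_recvfrom_unlabeled(tp_domains)

corenet_tcp_bind_generic_node(tp_domains)

corenet_tcp_sendrecv_generic_if(tp_domains)
corenet_tcp_sendrecv_generic_node(tp_domains)

fs_search_auto_mountpoints(tp_domains)

miscfiles_read_localization(tp_domains)

# This interface seems too coarse: we only want :unix_stream_socket connectto,
# but it also lets us search user_tmp_t dirs and write user_tmp_t sock_files.
# Even if we wanted the narrower form we could not use it, because the
# interface does not pull in files_search_tmp, which appears to be a bug.
userdom_stream_connect(tp_domains)
userdom_use_user_terminals(tp_domains)

optional_policy(`
	nis_use_ypbind(tp_domains)
')

optional_policy(`
	nscd_read_pid(tp_domains)
')

# All Telepathy domains may talk to each other over D-Bus.
optional_policy(`
	telepathy_dbus_chat(tp_domains)
')

optional_policy(`
	# These are dontaudited.
	xserver_rw_xdm_pipes(tp_domains)
')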

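########################################
#
# Telepathy Butterfly (MSN connection manager) policy.
#

allow tp_butterfly_t self:netlink_route_socket create_netlink_socket_perms;
allow tp_butterfly_t self:tcp_socket create_socket_perms;
allow tp_butterfly_t self:udp_socket create_socket_perms;
allow tp_butterfly_t self:unix_dgram_socket { write create connect };

# Private temporary files. Note that exec_files_pattern lets the domain
# execute files it has itself written to tp_butterfly_tmp_t (write + execute
# on one type), which is worth keeping in mind when reviewing this domain.
manage_files_pattern(tp_butterfly_t, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
exec_files_pattern(tp_butterfly_t, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
files_tmp_filetrans(tp_butterfly_t, tp_butterfly_tmp_t, file)

# Outbound MSN (msnp) and HTTP.
corenet_sendrecv_http_client_packets(tp_butterfly_t)
corenet_sendrecv_msnp_client_packets(tp_butterfly_t)

corenet_tcp_connect_http_port(tp_butterfly_t)
corenet_tcp_connect_msnp_port(tp_butterfly_t)

# uname.
corecmd_exec_bin(tp_butterfly_t)
corecmd_exec_shell(tp_butterfly_t)
corecmd_read_bin_symlinks(tp_butterfly_t)

dev_read_urand(tp_butterfly_t)

files_read_etc_files(tp_butterfly_t)

kernel_read_system_state(tp_butterfly_t)

logging_send_syslog_msg(tp_butterfly_t)

sysnet_read_config(tp_butterfly_t)

optional_policy(`
	abrt_read_config(tp_butterfly_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(tp_butterfly_t)
')

optional_policy(`
	gnome_read_gconf_home_files(tp_butterfly_t)
')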

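########################################
#
# Telepathy Gabble (Jabber connection manager) policy.
#

allow tp_gabble_t self:netlink_route_socket create_netlink_socket_perms;
allow tp_gabble_t self:tcp_socket create_socket_perms;
allow tp_gabble_t self:udp_socket create_socket_perms;
allow tp_gabble_t self:unix_dgram_socket { write read create getattr sendto };

# Outbound Jabber.
corenet_sendrecv_jabber_client_client_packets(tp_gabble_t)
corenet_tcp_connect_jabber_client_port(tp_gabble_t)

# Outbound HTTP.
corenet_sendrecv_http_client_packets(tp_gabble_t)
corenet_tcp_connect_http_port(tp_gabble_t)

# Outbound VNC -- presumably the Empathy desktop-sharing tube; vino.te
# correspondingly grants vino_server_t D-Bus access to tp_gabble_t via
# telepathy_gabble_dbus_chat.
corenet_sendrecv_vnc_client_packets(tp_gabble_t)
corenet_tcp_connect_vnc_port(tp_gabble_t)

dev_read_rand(tp_gabble_t)
dev_read_urand(tp_gabble_t)

files_read_etc_files(tp_gabble_t)

# CA certificates, presumably for TLS.
miscfiles_read_certs(tp_gabble_t)

sysnet_read_config(tp_gabble_t)

optional_policy(`
	dbus_system_bus_client(tp_gabble_t)
')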

########################################
#
# Telepathy Haze personal policy.
#

# There are two Telepathy connection managers that support MSN:
# Butterfly, which is an MSN-specific CM built on pymsn, and Haze,
# which uses libpurple.

# Prior to libpurple 2.5.0, Haze's MSN support was rudimentary, but
# libpurple 2.5.0 and newer reduce the gap between Haze and Butterfly considerably.
# Still, you will probably have a better experience if you use Butterfly.

# semanage fcontext -a -t tp_butterfly_exec_t /usr/libexec/telepathy-haze.

########################################
#
# Telepathy Idle (IRC connection manager) policy.
#

# Outbound IRC.
corenet_tcp_connect_ircd_port(tp_idle_t)
corenet_sendrecv_ircd_client_packets(tp_idle_t)

allow tp_idle_t self:udp_socket create_socket_perms;
allow tp_idle_t self:tcp_socket create_socket_perms;
allow tp_idle_t self:netlink_route_socket create_netlink_socket_perms;

sysnet_read_config(tp_idle_t)

files_read_etc_files(tp_idle_t)

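########################################
#
# Telepathy Mission-Control policy.
#

# Per-user state in the home directory (~/.mission-control, see telepathy.fc).
manage_dirs_pattern(tp_mission_control_t, tp_mission_control_home_t, tp_mission_control_home_t)
manage_files_pattern(tp_mission_control_t, tp_mission_control_home_t, tp_mission_control_home_t)
userdom_user_home_dir_filetrans(tp_mission_control_t, tp_mission_control_home_t, { dir file })
userdom_search_user_home_dirs(tp_mission_control_t)

# ~/.cache/.mc_connections: new files created below config_home_t get
# tp_mission_control_home_t. NOTE(review): gnome_rw_generic_cache documents
# ~/.cache as cache_home_t, not config_home_t, so this transition may never
# fire for that path -- confirm against gnome.fc. (manage_files_pattern is
# already granted unconditionally above, so it is not repeated here.)
optional_policy(`
	gnome_config_filetrans(tp_mission_control_t, tp_mission_control_home_t, file)
')

files_read_etc_files(tp_mission_control_t)
files_read_usr_files(tp_mission_control_t)

# It tries to setattr ~/.cache (700), which is none of its business.
# For now keep auditing these attempts, because it may need a similar
# permission for legitimate purposes.
# userdom_dontaudit_setattr_user_home_content_dirs(tp_mission_control_t)

tunable_policy(`use_nfs_home_dirs', `
	fs_manage_nfs_dirs(tp_mission_control_t)
	fs_manage_nfs_files(tp_mission_control_t)
')

tunable_policy(`use_samba_home_dirs', `
	fs_manage_cifs_dirs(tp_mission_control_t)
	fs_manage_cifs_files(tp_mission_control_t)
')

optional_policy(`
	gnome_read_gconf_home_files(tp_mission_control_t)
')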

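########################################
#
# Telepathy Salut policy.
#

allow tp_salut_t self:netlink_route_socket create_netlink_socket_perms;
# Salut also accepts incoming connections (listen/accept), unlike the other CMs.
allow tp_salut_t self:tcp_socket { create_socket_perms accept listen };
allow tp_salut_t self:udp_socket create_socket_perms;

# Socket files in /tmp; clients reach them via telepathy_salut_stream_connect.
manage_sock_files_pattern(tp_salut_t, tp_salut_tmp_t, tp_salut_tmp_t)
files_tmp_filetrans(tp_salut_t, tp_salut_tmp_t, sock_file)

# Presence port, both as server (bind) and client (connect).
corenet_sendrecv_presence_server_packets(tp_salut_t)
corenet_tcp_bind_presence_port(tp_salut_t)
corenet_tcp_connect_presence_port(tp_salut_t)

# Needs to connect to (port_t) 50176:tcp (does not seem to be a random port)
# for file transfers. Not granted here: that port is unlabelled, and it should
# get a dedicated port type rather than opening generic port_t.

dev_read_urand(tp_salut_t)

files_read_etc_files(tp_salut_t)

sysnet_read_config(tp_salut_t)

optional_policy(`
	avahi_dbus_chat(tp_salut_t)
')

optional_policy(`
	dbus_system_bus_client(tp_salut_t)
')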

########################################
#
# Telepathy Sofiasip (SIP connection manager) policy.
#

# Outbound SIP.
corenet_tcp_connect_sip_port(tp_sofiasip_t)
corenet_sendrecv_sip_client_packets(tp_sofiasip_t)

# Raw and UDP sockets are bound to generic nodes.
corenet_udp_bind_generic_node(tp_sofiasip_t)
corenet_raw_bind_generic_node(tp_sofiasip_t)

allow tp_sofiasip_t self:udp_socket create_socket_perms;
allow tp_sofiasip_t self:tcp_socket { create_socket_perms listen };
allow tp_sofiasip_t self:rawip_socket { create_socket_perms listen };
allow tp_sofiasip_t self:netlink_route_socket create_netlink_socket_perms;

sysnet_read_config(tp_sofiasip_t)

kernel_request_load_module(tp_sofiasip_t)

dev_read_urand(tp_sofiasip_t)

########################################
#
# Telepathy Stream-Engine personal policy.
#
## <summary>Vino. The Remote Desktop Project. Take 2.</summary>
## <desc>
## <p>
## The primary goal of Vino was originally to provide a
## mechanism by which system administrators could remotely
## connect to a desktop machine and resolve basic problems
## for users.
## </p>
## </desc>

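########################################
## <summary>
##	Role access for Vino: lets a user role/domain start the
##	Vino server (directly or through its session bus), control
##	the process, and talk to it over D-Bus and its sockets.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`vino_role', `
	gen_require(`
		type vino_server_t, vino_server_exec_t;
	')

	########################################
	#
	# Vino server shared declarations.
	#

	# The $1 session bus may activate vino-server; role $2 gets the domain.
	dbus_session_domain($1, vino_server_t, vino_server_exec_t)

	role $2 types vino_server_t;

	########################################
	#
	# Vino server shared policy.
	#

	# Direct execution from the user domain.
	domtrans_pattern($3, vino_server_exec_t, vino_server_t)

	# Process control and /proc visibility of the server.
	allow $3 vino_server_t:process { ptrace signal_perms };
	ps_process_pattern($3, vino_server_t)

	vino_server_dbus_chat($3)

	# Includes unlink of the server's tmpfs files, see vino_server_read_tmpfs_files.
	vino_server_read_tmpfs_files($3)
	vino_server_stream_connect($3)
')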

########################################
## <summary>
##	Exchange D-Bus messages in both directions
##	with the Vino server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`vino_server_dbus_chat', `
	gen_require(`
		class dbus send_msg;
		type vino_server_t;
	')

	# Server -> caller, and caller -> server.
	allow vino_server_t $1:dbus send_msg;
	allow $1 vino_server_t:dbus send_msg;
')

########################################
## <summary>
##	Connect to the Vino server over its
##	unix stream sockets in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`vino_server_stream_connect', `
	gen_require(`
		type vino_server_t;
		type vino_server_tmp_t;
	')

	# Socket files are vino_server_tmp_t; the listening process is vino_server_t.
	stream_connect_pattern($1, vino_server_tmp_t, vino_server_tmp_t, vino_server_t)
')

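########################################
## <summary>
##	Read and delete Vino server tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`vino_server_read_tmpfs_files', `
	gen_require(`
		type vino_server_tmpfs_t;
	')

	# Despite the "read" in the name this also grants unlink (vino_role relies
	# on it). Deleting additionally needs write access to the containing tmpfs
	# directory, which this interface does not grant.
	allow $1 vino_server_tmpfs_t:file { read_file_perms unlink };
')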


policy_module(vino, 1.0.0)

########################################
#
# Vino server declarations.
#

# Per-user data under ~/.local/share/vino (see vino.fc).
type vino_server_data_home_t;
userdom_user_home_content(vino_server_data_home_t)

# Socket files in /tmp.
type vino_server_tmp_t;
ubac_constrained(vino_server_tmp_t)
files_tmp_file(vino_server_tmp_t)

# Files in tmpfs.
type vino_server_tmpfs_t;
ubac_constrained(vino_server_tmpfs_t)
files_tmpfs_file(vino_server_tmpfs_t)

# The server domain and its entry point.
type vino_server_t;
type vino_server_exec_t;
ubac_constrained(vino_server_t)
application_domain(vino_server_t, vino_server_exec_t)

# tcp:26570-26575 -- the VNC "tube" ports used when the desktop is shared
# through Empathy. This module does not label them; they have to be declared
# as vnc_port_t (e.g. with semanage port) so that corenet_tcp_bind_vnc_port
# in the policy section below covers them.

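########################################
#
# Vino server policy.
#

allow vino_server_t self:process { getsched signal signull };
allow vino_server_t self:fifo_file rw_fifo_file_perms;
allow vino_server_t self:netlink_route_socket create_netlink_socket_perms;
allow vino_server_t self:shm create_shm_perms;
allow vino_server_t self:tcp_socket create_stream_socket_perms;
allow vino_server_t self:udp_socket create_stream_socket_perms;
allow vino_server_t self:unix_dgram_socket create_socket_perms;
allow vino_server_t self:unix_stream_socket create_socket_perms;

# ~/.local/share/vino/vino-server.lock.
optional_policy(`
	manage_dirs_pattern(vino_server_t, vino_server_data_home_t, vino_server_data_home_t)
	manage_files_pattern(vino_server_t, vino_server_data_home_t, vino_server_data_home_t)
	gnome_data_filetrans(vino_server_t, vino_server_data_home_t, { dir file })
')

# Socket files in /tmp (clients use vino_server_stream_connect).
manage_sock_files_pattern(vino_server_t, vino_server_tmp_t, vino_server_tmp_t)
files_tmp_filetrans(vino_server_t, vino_server_tmp_t, sock_file)

manage_files_pattern(vino_server_t, vino_server_tmpfs_t, vino_server_tmpfs_t)
fs_tmpfs_filetrans(vino_server_t, vino_server_tmpfs_t, file)

# Network: this is the listening side of remote desktop (bind to the VNC
# port), plus outbound HTTP. The Empathy tube ports must be labelled
# vnc_port_t for the bind rule to cover them (see the declarations section).
corenet_all_recvfrom_netlabel(vino_server_t)
corenet_all_recvfrom_unlabeled(vino_server_t)
corenet_sendrecv_http_client_packets(vino_server_t)
corenet_sendrecv_vnc_server_packets(vino_server_t)
corenet_tcp_bind_generic_node(vino_server_t)
corenet_tcp_bind_vnc_port(vino_server_t)
corenet_tcp_connect_http_port(vino_server_t)
corenet_tcp_sendrecv_generic_if(vino_server_t)
corenet_tcp_sendrecv_generic_node(vino_server_t)
corenet_tcp_sendrecv_generic_port(vino_server_t)

# /usr/bin/vino-preferences
corecmd_exec_bin(vino_server_t)

dev_read_urand(vino_server_t)

# /etc/nsswitch.conf
files_read_etc_files(vino_server_t)
files_read_usr_files(vino_server_t)

fs_getattr_tmpfs(vino_server_t)
fs_search_auto_mountpoints(vino_server_t)

kernel_read_network_state(vino_server_t)

miscfiles_read_localization(vino_server_t)

sysnet_read_config(vino_server_t)

# We need a non-generic type for ~/.icons
userdom_dontaudit_read_user_home_content_files(vino_server_t)

userdom_stream_connect(vino_server_t)
userdom_use_user_terminals(vino_server_t)
userdom_read_user_tmpfs_files(vino_server_t)
# Bug: user pulseaudio files need open, read and unlink.
# NOTE(review): user_tmpfs_t is referenced directly instead of through a
# userdom interface; in a modular build the type must be in scope for this
# to compile -- confirm it builds, or move the rule into userdom.if.
allow vino_server_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(vino_server_t)
# This sucks: we need a type for orbit-$USER so that we can do a gnome_orbit_filetrans()
# avc: denied { create } for pid=5641 comm="vino-server" name="linc-1609-0-1586984db4146"
# scontext=staff_u:staff_r:vino_server_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file
userdom_manage_user_tmp_sockets(vino_server_t)
# orbit-$USER dir.
userdom_setattr_user_tmp_dirs(vino_server_t)

tunable_policy(`use_nfs_home_dirs', `
	fs_manage_nfs_dirs(vino_server_t)
	fs_manage_nfs_files(vino_server_t)
	fs_manage_nfs_named_sockets(vino_server_t)
')

tunable_policy(`use_samba_home_dirs', `
	fs_manage_cifs_dirs(vino_server_t)
	fs_manage_cifs_files(vino_server_t)
	fs_manage_cifs_named_sockets(vino_server_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(vino_server_t)
')

optional_policy(`
	dbus_system_bus_client(vino_server_t)
')

optional_policy(`
	gnome_rw_generic_cache(vino_server_t)
')

optional_policy(`
	nis_use_ypbind(vino_server_t)
')

optional_policy(`
	pulseaudio_stream_connect(vino_server_t)
	pulseaudio_signull(vino_server_t)
	pulseaudio_rw_home_files(vino_server_t)
')

# Gabble drives the Empathy desktop-sharing tube (see telepathy.te).
optional_policy(`
	telepathy_gabble_dbus_chat(vino_server_t)
')

optional_policy(`
	xserver_user_x_domain_template(vino_server, vino_server_t, vino_server_tmpfs_t)
')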

## <summary>Desktop messaging bus</summary>

########################################
## <summary>
##	Allow an application domain to be started
##	by the session dbus.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an
##	entry point to this domain.
##	</summary>
## </param>
#
interface(`dbus_session_domain', `
	gen_require(`
		type $1_dbusd_t;
	')

	# The new domain is a session-bus client and may connect to the bus.
	dbus_connect_session_bus($2)
	dbus_session_bus_client($2)

	# The per-prefix session bus daemon transitions into $2 via $3.
	domtrans_pattern($1_dbusd_t, $3, $2)

	optional_policy(`
		# Covers unconfined_t starting a dbus_session_domain.
		# unconfined_dbusd_t should get implemented for F13;
		# this can go away once it exists.
		unconfined_dbus_connect($2)
	')
')
## <summary>Basic filesystem types and interfaces.</summary>

########################################
## <summary>
##	Read every tmpfs file (all types carrying
##	the tmpfsfile attribute).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_read_all_tmpfs_files', `
	gen_require(`
		attribute tmpfsfile;
	')

	# Broad by design: grants read on all tmpfs-backed types at once.
	fs_search_tmpfs($1)
	read_files_pattern($1, tmpfsfile, tmpfsfile)
')
## <summary>Patch to gnome module</summary>
## <desc>
## <p>
## This will allow tp_mission_control_t to create files
## with type tp_mission_control_home_t in ~/.cache.
## </p>
## </desc>

########################################
## <summary>
##	Create objects below the Gnome config home
##	directory type (config_home_t) with an automatic
##	type transition to a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_config_filetrans', `
	gen_require(`
		type config_home_t;
	')

	# The home directory itself has to be searchable to reach config_home_t.
	userdom_search_user_home_dirs($1)
	filetrans_pattern($1, config_home_t, $2, $3)
')

########################################
## <summary>
##	Create objects below the Gnome data home
##	directory type (data_home_t) with an automatic
##	type transition to a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans', `
	gen_require(`
		type data_home_t;
	')

	# data_home_t is reached through the gconf home dir (.local), so grant
	# search on that first.
	gnome_search_gconf($1)
	filetrans_pattern($1, data_home_t, $2, $3)
')

########################################
## <summary>
##	Search the gconf home directory (.local).
## </summary>
## <param name="user_domain">
##	<summary>
##	The type of the domain.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read and write generic cache home files (.cache).
## </summary>
## <param name="user_domain">
##	<summary>
##	The type of the domain.
##	</summary>
## </param>
#
interface(`gnome_rw_generic_cache',`
	gen_require(`
		type cache_home_t;
	')

	# Note: read/write only (rw_files_pattern), not create or delete.
	userdom_search_user_home_dirs($1)
	rw_files_pattern($1, cache_home_t, cache_home_t)
')
## <summary></summary>

########################################
## <summary>
##	Set attributes of Gnome home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gnome_setattr_home_dirs', `
	gen_require(`
		type gnome_home_t;
	')

	files_search_home($1)
	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
')
## <summary>Pulse Audio.</summary>

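########################################
## <summary>
##	Send signull signals to pulseaudio
##	processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_signull', `
	gen_require(`
		type pulseaudio_t;
	')

	# signull only checks for the process's existence; no real signal is delivered.
	allow $1 pulseaudio_t:process signull;
')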

########################################
## <summary>
##	Read and write Pulse Audio files in the
##	user home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_rw_home_files', `
	gen_require(`
		type pulseaudio_home_t;
	')

	# File access only; the caller needs search on the home dir separately.
	allow $1 pulseaudio_home_t:file rw_file_perms;
')
## <summary>User Domains.</summary>

########################################
## <summary>
##	Set attributes of user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_setattr_user_tmp_dirs', `
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	allow $1 user_tmp_t:dir setattr;
')
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list