
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 29 Oct 2012 14:55:28
Message-Id: 1351522132.2a274de5c9f12ef2f903762e935bf216de8b1e59.SwifT@gentoo
1 commit: 2a274de5c9f12ef2f903762e935bf216de8b1e59
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 29 11:28:02 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Mon Oct 29 14:48:52 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2a274de5
7
8 Changes to the telepathy policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/telepathy.fc | 31 +++---
16 policy/modules/contrib/telepathy.if | 146 +++++++++++++---------
17 policy/modules/contrib/telepathy.te | 233 +++++++++++++++++++++++++----------
18 3 files changed, 273 insertions(+), 137 deletions(-)
19
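diff --git a/policy/modules/contrib/telepathy.fc b/policy/modules/contrib/telepathy.fc
index 28a63f3..c7de0cf 100644
--- a/policy/modules/contrib/telepathy.fc
+++ b/policy/modules/contrib/telepathy.fc
@@ -1,24 +1,14 @@
 HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
 HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
 HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
 HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
 HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
 HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
 
-/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
-/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
-/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
-/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
-/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
-/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
-/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
-
-ifdef(`distro_debian',`
 /usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
 /usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
 /usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
@@ -30,4 +20,15 @@ ifdef(`distro_debian',`
 /usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
 /usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
 /usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
-')
+
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
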
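Review bot: The new `HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)` line in the first hunk carries a space before `s0` that none of the neighbouring entries have; `gen_context(system_u:object_r:telepathy_cache_home_t,s0)` keeps the file uniform (the pre-existing telepathy-salut line has the same stray space and could be fixed in passing). The second hunk also drops the `ifdef(`distro_debian',`` guard, so the `/usr/lib/telepathy/` entries are now labelled on every distribution, which the commit message does not mention; if that is intended, a one-line comment above that block such as `# /usr/lib/telepathy paths are labelled unconditionally; they are simply absent on non-Debian installs` would record the decision.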
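diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
index 20ebd35..42946bc 100644
--- a/policy/modules/contrib/telepathy.if
+++ b/policy/modules/contrib/telepathy.if
@@ -2,38 +2,45 @@
 
 #######################################
 ## <summary>
-## Creates basic types for telepathy
-## domain
+## The template to define a telepathy domain.
 ## </summary>
-## <param name="prefix">
+## <param name="domain_prefix">
 ## <summary>
-## Prefix for the domain.
+## Domain prefix to be used.
 ## </summary>
 ## </param>
 #
-#
 template(`telepathy_domain_template',`
 gen_require(`
- attribute telepathy_domain;
- attribute telepathy_executable;
+ attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
 ')
 
 type telepathy_$1_t, telepathy_domain;
 type telepathy_$1_exec_t, telepathy_executable;
 userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
 
- type telepathy_$1_tmp_t;
+ type telepathy_$1_tmp_t, telepathy_tmp_content;
 userdom_user_tmp_file(telepathy_$1_tmp_t)
 
 auth_use_nsswitch(telepathy_$1_t)
-
 ')
 
 #######################################
 ## <summary>
-## Role access for telepathy domains
-### that executes via dbus-session
+## The role template for the telepathy module.
 ## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
 ## <param name="user_role">
 ## <summary>
 ## The role associated with the user domain.
@@ -44,16 +51,10 @@ template(`telepathy_domain_template',`
 ## The type of the user domain.
 ## </summary>
 ## </param>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-## </summary>
-## </param>
 #
-template(`telepathy_role', `
+template(`telepathy_role_template',`
 gen_require(`
- attribute telepathy_domain;
+ attribute telepathy_domain, telepathy_tmp_content;
 type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
 type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
 type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
@@ -62,59 +63,91 @@ template(`telepathy_role', `
 type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
 type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
 type telepathy_msn_exec_t;
+
+ type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
+ type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
+ type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
 ')
 
- role $1 types telepathy_domain;
+ role $2 types telepathy_domain;
+
+ allow $3 telepathy_domain:process { ptrace signal_perms };
+ ps_process_pattern($3, telepathy_domain)
+
+ telepathy_gabble_stream_connect($3)
+ telepathy_msn_stream_connect($3)
+ telepathy_salut_stream_connect($3)
+
+ dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
+ dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+ dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
+ dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
+ dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+ dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
+ dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
+
+ allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+
+ allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
 
- allow $2 telepathy_domain:process signal_perms;
- ps_process_pattern($2, telepathy_domain)
+ filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+ # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
 
- telepathy_gabble_stream_connect($2)
- telepathy_msn_stream_connect($2)
- telepathy_salut_stream_connect($2)
+ filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+ # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
 
- dbus_spec_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
- dbus_spec_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
- dbus_spec_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
- dbus_spec_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
- dbus_spec_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
- dbus_spec_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
- dbus_spec_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
- dbus_spec_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
- dbus_spec_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+ userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
+ filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+ # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+
+ userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+ # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
+ # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy")
+
+ allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
+ allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 ')
 
 ########################################
 ## <summary>
-## Stream connect to Telepathy Gabble
+## Connect to gabble with a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
-## <summary>
+## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
 #
-interface(`telepathy_gabble_stream_connect', `
+interface(`telepathy_gabble_stream_connect',`
 gen_require(`
 type telepathy_gabble_t, telepathy_gabble_tmp_t;
 ')
 
- stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
 files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
 ')
 
 ########################################
 ## <summary>
-## Send DBus messages to and from
-## Telepathy Gabble.
+## Send dbus messages to and from
+## gabble.
 ## </summary>
 ## <param name="domain">
-## <summary>
+## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
 #
-interface(`telepathy_gabble_dbus_chat', `
+interface(`telepathy_gabble_dbus_chat',`
 gen_require(`
 type telepathy_gabble_t;
 class dbus send_msg;
@@ -126,15 +159,10 @@ interface(`telepathy_gabble_dbus_chat', `
 
 ########################################
 ## <summary>
-## Read telepathy mission control state.
+## Read mission control process state files.
 ## </summary>
-## <param name="role_prefix">
-## <summary>
-## Prefix to be used.
-## </summary>
-## </param>
 ## <param name="domain">
-## <summary>
+## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
@@ -145,12 +173,15 @@ interface(`telepathy_mission_control_read_state',`
 ')
 
 kernel_search_proc($1)
- ps_process_pattern($1, telepathy_mission_control_t)
+ allow $1 telepathy_mission_control_t:dir list_dir_perms;
+ allow $1 telepathy_mission_control_t:file read_file_perms;
+ allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms;
 ')
 
 #######################################
 ## <summary>
-## Stream connect to telepathy MSN managers
+## Connect to msn with a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -158,30 +189,31 @@ interface(`telepathy_mission_control_read_state',`
 ## </summary>
 ## </param>
 #
-interface(`telepathy_msn_stream_connect', `
+interface(`telepathy_msn_stream_connect',`
 gen_require(`
 type telepathy_msn_t, telepathy_msn_tmp_t;
 ')
 
- stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
 files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
 ')
 
 ########################################
 ## <summary>
-## Stream connect to Telepathy Salut
+## Connect to salut with a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
-## <summary>
+## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
 #
-interface(`telepathy_salut_stream_connect', `
+interface(`telepathy_salut_stream_connect',`
 gen_require(`
 type telepathy_salut_t, telepathy_salut_tmp_t;
 ')
 
- stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
 files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
 ')
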
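Review bot: The `<desc>` block added to telepathy_role_template in the first hunk says `This template creates a derived domains which are used for window manager applications.`, which describes a different module and is ungrammatical; it should read `This template creates the derived domains for the telepathy connection managers and helpers launched from the user's session bus.` The new `allow $3 telepathy_domain:process { ptrace signal_perms };` in the third hunk widens the previous signal_perms-only grant to ptrace over every telepathy domain for the whole user domain; if the extra access is deliberate (debugging the connection managers), a one-line comment saying so would justify it, otherwise `allow $3 telepathy_domain:process signal_perms;` preserves the earlier scope. The `filetrans_pattern($3, telepathy_cache_home_t, ...)` calls for "gabble" and "logger" in that hunk only take effect once `~/.cache/telepathy` is labelled telepathy_cache_home_t, and the only rule here that would create it that way is the commented-out `gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")`, so until that is enabled or the directory is relabelled from the .fc entry those transitions appear to be inert; a comment above them recording that dependency would spare the next reader the same trace.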
341 diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
342 index a3c9320..e9c0964 100644
343 --- a/policy/modules/contrib/telepathy.te
344 +++ b/policy/modules/contrib/telepathy.te
345 @@ -1,37 +1,44 @@
346 -policy_module(telepathy, 1.3.4)
347 +policy_module(telepathy, 1.3.5)
348
349 ########################################
350 #
351 -# Declarations.
352 +# Declarations
353 #
354
355 ## <desc>
356 -## <p>
357 -## Allow the Telepathy connection managers
358 -## to connect to any generic TCP port.
359 -## </p>
360 +## <p>
361 +## Determine whether telepathy connection
362 +## managers can connect to generic tcp ports.
363 +## </p>
364 ## </desc>
365 gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
366
367 ## <desc>
368 -## <p>
369 -## Allow the Telepathy connection managers
370 -## to connect to any network port.
371 -## </p>
372 +## <p>
373 +## Determine whether telepathy connection
374 +## managers can connect to any port.
375 +## </p>
376 ## </desc>
377 gen_tunable(telepathy_connect_all_ports, false)
378
379 attribute telepathy_domain;
380 attribute telepathy_executable;
381 +attribute telepathy_tmp_content;
382
383 telepathy_domain_template(gabble)
384
385 +type telepathy_cache_home_t;
386 +userdom_user_home_content(telepathy_cache_home_t)
387 +
388 type telepathy_gabble_cache_home_t;
389 userdom_user_home_content(telepathy_gabble_cache_home_t)
390
391 telepathy_domain_template(idle)
392 telepathy_domain_template(logger)
393
394 +type telepathy_data_home_t;
395 +userdom_user_home_content(telepathy_data_home_t)
396 +
397 type telepathy_logger_cache_home_t;
398 userdom_user_home_content(telepathy_logger_cache_home_t)
399
400 @@ -43,6 +50,9 @@ telepathy_domain_template(mission_control)
401 type telepathy_mission_control_home_t;
402 userdom_user_home_content(telepathy_mission_control_home_t)
403
404 +type telepathy_mission_control_data_home_t;
405 +userdom_user_home_content(telepathy_mission_control_data_home_t)
406 +
407 type telepathy_mission_control_cache_home_t;
408 userdom_user_home_content(telepathy_mission_control_cache_home_t)
409
410 @@ -57,45 +67,56 @@ userdom_user_home_content(telepathy_sunshine_home_t)
411
412 #######################################
413 #
414 -# Telepathy Gabble local policy.
415 +# Gabble local policy
416 #
417
418 -allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
419 +allow telepathy_gabble_t self:tcp_socket { accept listen };
420 allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
421
422 +# ~/.cache/telepathy/gabble/caps-cache.db-journal
423 +manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
424 +manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
425 +filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
426 +# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")
427 +
428 manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
429 manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
430 files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
431
432 -corenet_all_recvfrom_netlabel(telepathy_gabble_t)
433 corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
434 +corenet_all_recvfrom_netlabel(telepathy_gabble_t)
435 corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
436 corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
437 -corenet_tcp_connect_http_port(telepathy_gabble_t)
438 -corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
439 -corenet_tcp_connect_vnc_port(telepathy_gabble_t)
440 +
441 corenet_sendrecv_http_client_packets(telepathy_gabble_t)
442 +corenet_tcp_connect_http_port(telepathy_gabble_t)
443 +corenet_tcp_sendrecv_http_port(telepathy_gabble_t)
444 +
445 corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
446 +corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
447 +corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t)
448 +
449 corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
450 +corenet_tcp_connect_vnc_port(telepathy_gabble_t)
451 +corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t)
452
453 dev_read_rand(telepathy_gabble_t)
454
455 files_read_config_files(telepathy_gabble_t)
456 files_read_usr_files(telepathy_gabble_t)
457
458 -fs_getattr_all_fs(telepathy_gabble_t)
459 -
460 miscfiles_read_all_certs(telepathy_gabble_t)
461
462 tunable_policy(`telepathy_connect_all_ports',`
463 + corenet_sendrecv_all_client_packets(telepathy_gabble_t)
464 corenet_tcp_connect_all_ports(telepathy_gabble_t)
465 corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
466 - corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
467 ')
468
469 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
470 - corenet_tcp_connect_generic_port(telepathy_gabble_t)
471 corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
472 + corenet_tcp_connect_generic_port(telepathy_gabble_t)
473 + corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
474 ')
475
476 tunable_policy(`use_nfs_home_dirs',`
477 @@ -112,53 +133,63 @@ optional_policy(`
478 dbus_system_bus_client(telepathy_gabble_t)
479 ')
480
481 +# optional_policy(`
482 + # ~/.config/dconf/user
483 + # gnome_manage_generic_home_content(telepathy_gabble_t)
484 +# ')
485 +
486 #######################################
487 #
488 -# Telepathy Idle local policy.
489 +# Idle local policy
490 #
491
492 corenet_all_recvfrom_netlabel(telepathy_idle_t)
493 corenet_all_recvfrom_unlabeled(telepathy_idle_t)
494 corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
495 corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
496 +
497 +corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
498 corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
499 -corenet_tcp_connect_ircd_port(telepathy_idle_t)
500 +corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t)
501 +
502 corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
503 +corenet_tcp_connect_ircd_port(telepathy_idle_t)
504 +corenet_tcp_sendrecv_ircd_port(telepathy_idle_t)
505
506 dev_read_rand(telepathy_idle_t)
507
508 -files_read_etc_files(telepathy_idle_t)
509 files_read_usr_files(telepathy_idle_t)
510
511 tunable_policy(`telepathy_connect_all_ports',`
512 + corenet_sendrecv_all_client_packets(telepathy_idle_t)
513 corenet_tcp_connect_all_ports(telepathy_idle_t)
514 corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
515 - corenet_udp_sendrecv_all_ports(telepathy_idle_t)
516 ')
517
518 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
519 - corenet_tcp_connect_generic_port(telepathy_idle_t)
520 corenet_sendrecv_generic_client_packets(telepathy_idle_t)
521 + corenet_tcp_connect_generic_port(telepathy_idle_t)
522 + corenet_tcp_sendrecv_generic_port(telepathy_idle_t)
523 ')
524
525 #######################################
526 #
527 -# Telepathy Logger local policy.
528 +# Logger local policy
529 #
530
531 allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
532
533 +manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
534 manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
535 +filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
536
537 manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
538 manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
539 +# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger")
540
541 -files_read_etc_files(telepathy_logger_t)
542 files_read_usr_files(telepathy_logger_t)
543 files_search_pids(telepathy_logger_t)
544
545 -fs_getattr_all_fs(telepathy_logger_t)
546 -
547 tunable_policy(`use_nfs_home_dirs',`
548 fs_manage_nfs_dirs(telepathy_logger_t)
549 fs_manage_nfs_files(telepathy_logger_t)
550 @@ -169,20 +200,32 @@ tunable_policy(`use_samba_home_dirs',`
551 fs_manage_cifs_files(telepathy_logger_t)
552 ')
553
554 +# optional_policy(`
555 + # ~/.config/dconf/user
556 + # gnome_manage_generic_home_content(telepathy_logger_t)
557 +# ')
558 +
559 #######################################
560 #
561 -# Telepathy Mission-Control local policy.
562 +# Mission-Control local policy
563 #
564
565 +allow telepathy_mission_control_t self:process setsched;
566 +
567 manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
568 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
569 -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
570 +userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
571
572 -dev_read_rand(telepathy_mission_control_t)
573 +manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
574 +manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
575 +filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
576
577 -fs_getattr_all_fs(telepathy_mission_control_t)
578 +manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
579 +# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
580 +
581 +dev_read_rand(telepathy_mission_control_t)
582
583 -files_read_etc_files(telepathy_mission_control_t)
584 +files_list_tmp(telepathy_mission_control_t)
585 files_read_usr_files(telepathy_mission_control_t)
586
587 tunable_policy(`use_nfs_home_dirs',`
588 @@ -195,55 +238,87 @@ tunable_policy(`use_samba_home_dirs',`
589 fs_manage_cifs_files(telepathy_mission_control_t)
590 ')
591
592 +optional_policy(`
593 + dbus_system_bus_client(telepathy_mission_control_t)
594 +
595 + optional_policy(`
596 + devicekit_dbus_chat_power(telepathy_mission_control_t)
597 + ')
598 + optional_policy(`
599 + gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
600 + ')
601 + optional_policy(`
602 + networkmanager_dbus_chat(telepathy_mission_control_t)
603 + ')
604 +')
605 +
606 +# optional_policy(`
607 + # ~/.config/dconf/user
608 + # gnome_manage_generic_home_content(telepathy_mission_control_t)
609 +# ')
610 +
611 #######################################
612 #
613 -# Telepathy Butterfly and Haze local policy.
614 +# Butterfly and Haze local policy
615 #
616
617 allow telepathy_msn_t self:process setsched;
618 -allow telepathy_msn_t self:unix_dgram_socket { write create connect };
619
620 manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
621 manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
622 manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
623 files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
624 +
625 userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
626
627 +can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
628 +
629 corenet_all_recvfrom_netlabel(telepathy_msn_t)
630 corenet_all_recvfrom_unlabeled(telepathy_msn_t)
631 corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
632 corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
633 -corenet_tcp_bind_generic_node(telepathy_msn_t)
634 +
635 +corenet_sendrecv_http_client_packets(telepathy_msn_t)
636 corenet_tcp_connect_http_port(telepathy_msn_t)
637 +corenet_tcp_sendrecv_http_port(telepathy_msn_t)
638 +
639 +corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
640 corenet_tcp_connect_mmcc_port(telepathy_msn_t)
641 +corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t)
642 +
643 +corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
644 corenet_tcp_connect_msnp_port(telepathy_msn_t)
645 +corenet_tcp_sendrecv_msnp_port(telepathy_msn_t)
646 +
647 +corenet_sendrecv_sip_client_packets(telepathy_msn_t)
648 corenet_tcp_connect_sip_port(telepathy_msn_t)
649 -corenet_sendrecv_http_client_packets(telepathy_msn_t)
650 -corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
651 -corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
652 +corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
653
654 corecmd_exec_bin(telepathy_msn_t)
655 corecmd_exec_shell(telepathy_msn_t)
656 -corecmd_read_bin_symlinks(telepathy_msn_t)
657
658 -files_read_etc_files(telepathy_msn_t)
659 files_read_usr_files(telepathy_msn_t)
660
661 +init_read_state(telepathy_msn_t)
662 +
663 libs_exec_ldconfig(telepathy_msn_t)
664
665 logging_send_syslog_msg(telepathy_msn_t)
666
667 miscfiles_read_all_certs(telepathy_msn_t)
668
669 +# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
670 +
671 tunable_policy(`telepathy_connect_all_ports',`
672 + corenet_sendrecv_all_client_packets(telepathy_msn_t)
673 corenet_tcp_connect_all_ports(telepathy_msn_t)
674 corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
675 - corenet_udp_sendrecv_all_ports(telepathy_msn_t)
676 ')
677
678 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
679 - corenet_tcp_connect_generic_port(telepathy_msn_t)
680 corenet_sendrecv_generic_client_packets(telepathy_msn_t)
681 + corenet_tcp_connect_generic_port(telepathy_msn_t)
682 + corenet_tcp_sendrecv_generic_port(telepathy_msn_t)
683 ')
684
685 optional_policy(`
686 @@ -254,12 +329,17 @@ optional_policy(`
687 ')
688 ')
689
690 +# optional_policy(`
691 + # ~/.config/dconf/user
692 + # gnome_manage_generic_home_content(telepathy_msn_t)
693 +# ')
694 +
695 #######################################
696 #
697 -# Telepathy Salut local policy.
698 +# Salut local policy
699 #
700
701 -allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
702 +allow telepathy_salut_t self:tcp_socket { accept listen };
703
704 manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
705 files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
706 @@ -269,21 +349,23 @@ corenet_all_recvfrom_unlabeled(telepathy_salut_t)
707 corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
708 corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
709 corenet_tcp_bind_generic_node(telepathy_salut_t)
710 +
711 +corenet_sendrecv_presence_server_packets(telepathy_salut_t)
712 corenet_tcp_bind_presence_port(telepathy_salut_t)
713 +corenet_sendrecv_presence_client_packets(telepathy_salut_t)
714 corenet_tcp_connect_presence_port(telepathy_salut_t)
715 -corenet_sendrecv_presence_server_packets(telepathy_salut_t)
716 -
717 -files_read_etc_files(telepathy_salut_t)
718 +corenet_tcp_sendrecv_presence_port(telepathy_salut_t)
719
720 tunable_policy(`telepathy_connect_all_ports',`
721 + corenet_sendrecv_all_client_packets(telepathy_salut_t)
722 corenet_tcp_connect_all_ports(telepathy_salut_t)
723 corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
724 - corenet_udp_sendrecv_all_ports(telepathy_salut_t)
725 ')
726
727 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
728 - corenet_tcp_connect_generic_port(telepathy_salut_t)
729 corenet_sendrecv_generic_client_packets(telepathy_salut_t)
730 + corenet_tcp_connect_generic_port(telepathy_salut_t)
731 + corenet_tcp_sendrecv_generic_port(telepathy_salut_t)
732 ')
733
734 optional_policy(`
735 @@ -296,11 +378,11 @@ optional_policy(`
736
737 #######################################
738 #
739 -# Telepathy Sofiasip local policy.
740 +# Sofiasip local policy
741 #
742
743 -allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
744 -allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
745 +allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
746 +allow telepathy_sofiasip_t self:tcp_socket { accept listen };
747
748 corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
749 corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
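Review bot: Replacing `{ create_socket_perms listen }` with `create_stream_socket_perms` on rawip_socket (L752) additionally grants `accept`, which has no meaning for a raw IP socket; the narrower explicit set is more accurate and, if `listen` was added from an AVC denial, that is worth recording. Raw IP is a powerful capability for a user-session connection manager (it can emit arbitrary IP packets, and the next hunk keeps raw bind/sendrecv for this domain), so a comment stating what sofia-sip uses raw sockets for would help justify keeping the rule at all, e.g. `# sofia-sip opens raw IP sockets; keep this minimal`.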
750 @@ -310,43 +392,59 @@ corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
751 corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
752 corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
753 corenet_raw_bind_generic_node(telepathy_sofiasip_t)
754 +
755 +corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
756 corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
757 +corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
758 +
759 corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
760 -corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
761 +
762 corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
763 +corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
764 +corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t)
765
766 kernel_request_load_module(telepathy_sofiasip_t)
767
768 tunable_policy(`telepathy_connect_all_ports',`
769 + corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
770 corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
771 corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
772 - corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
773 ')
774
775 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
776 - corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
777 corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
778 + corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
779 + corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t)
780 ')
781
782 #######################################
783 #
784 -# Telepathy Sunshine local policy.
785 +# Sunshine local policy
786 #
787
788 manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
789 manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
790 -userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
791 -userdom_search_user_home_dirs(telepathy_sunshine_t)
792 +userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
793
794 manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
795 -exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
796 files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
797
798 +can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
799 +
800 corecmd_exec_bin(telepathy_sunshine_t)
801
802 -files_read_etc_files(telepathy_sunshine_t)
803 files_read_usr_files(telepathy_sunshine_t)
804
805 +tunable_policy(`use_nfs_home_dirs',`
806 + fs_manage_nfs_dirs(telepathy_sunshine_t)
807 + fs_manage_nfs_files(telepathy_sunshine_t)
808 +')
809 +
810 +tunable_policy(`use_samba_home_dirs',`
811 + fs_manage_cifs_dirs(telepathy_sunshine_t)
812 + fs_manage_cifs_files(telepathy_sunshine_t)
813 +')
814 +
815 optional_policy(`
816 xserver_read_xdm_pid(telepathy_sunshine_t)
817 xserver_stream_connect(telepathy_sunshine_t)
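Review bot: The unconditional `corenet_sendrecv_all_server_packets` and `corenet_tcp_sendrecv_all_ports` for telepathy_sofiasip_t (L762, L764) make the `corenet_tcp_sendrecv_all_ports` left inside the telepathy_connect_all_ports tunable (L778) redundant, and they mean the boolean no longer gates send/receive on arbitrary ports, only connect. Combined with `corenet_tcp_bind_all_unreserved_ports` (L763) the domain can act as a TCP server on any unreserved port by default. If that is intended because SIP media is negotiated on ephemeral ports (presumably the reason), drop the duplicate from the tunable and say so above L762, e.g. `# sofia-sip negotiates media on arbitrary unreserved ports`; otherwise move L762 and L764 under the tunable so the boolean keeps its meaning. Separately, sunshine keeps write and execute access to its own tmp files (L801 plus `can_exec` at L805), a write-then-exec pattern that deserves a comment naming what is executed there.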
818 @@ -354,18 +452,23 @@ optional_policy(`
819
820 #######################################
821 #
822 -# telepathy domains common policy
823 +# Common telepathy domain local policy
824 #
825
826 allow telepathy_domain self:process { getsched signal sigkill };
827 allow telepathy_domain self:fifo_file rw_fifo_file_perms;
828 -allow telepathy_domain self:tcp_socket create_socket_perms;
829 -allow telepathy_domain self:udp_socket create_socket_perms;
830 +
831 +manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
832 +# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
833 +
834 +manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
835 +# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
836
837 dev_read_urand(telepathy_domain)
838
839 kernel_read_system_state(telepathy_domain)
840
841 +fs_getattr_all_fs(telepathy_domain)
842 fs_search_auto_mountpoints(telepathy_domain)
843
844 miscfiles_read_localization(telepathy_domain)
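Review bot: The new `manage_dirs_pattern` rules for telepathy_cache_home_t and telepathy_data_home_t (L838, L841) have their name-based file transitions commented out (L839, L842), so a `~/.cache/telepathy` or data directory created at runtime inherits the parent directory's label and these rules only take effect after a relabel applies the new .fc entries. If `gnome_cache_filetrans`/`gnome_data_filetrans` do not exist in this tree yet, make the gap visible in the comment, e.g. `# TODO: enable once gnome_cache_filetrans() exists; until then runtime-created dirs keep the parent label`. This hunk also removes the shared tcp/udp `create_socket_perms` (L835-L836); the per-domain rules elsewhere in the file now grant only `{ accept listen }`, so the commit should state where socket creation is granted instead.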