From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349719793.73ea706cae59fef5aebcb71ac63c898b07915d1f.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/gnome.fc policy/modules/contrib/gnome.if policy/modules/contrib/gnome.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 73ea706cae59fef5aebcb71ac63c898b07915d1f X-VCS-Branch: master Date: Mon, 8 Oct 2012 18:17:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 5cb4e703-9481-47a4-a87e-6da1289b86e7 X-Archives-Hash: 96ef726982b07aed09dc0d94c6a39c27 commit: 73ea706cae59fef5aebcb71ac63c898b07915d1f Author: Dominick Grift gmail com> AuthorDate: Mon Oct 8 08:08:32 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Mon Oct 8 18:09:53 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73ea706c Changes to the gnome policy module Ported from Fedora with changes Left out Fedora config_usr_t because thats for KDE Lets out gstreamer_home_t because thats not gnome specific Lets out cache, config and data_home_t because that is not specific and should probably go to the user domain Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/gnome.fc | 12 +- policy/modules/contrib/gnome.if | 583 +++++++++++++++++++++++++++++++++++---- policy/modules/contrib/gnome.te | 92 +++++- 3 files changed, 620 insertions(+), 67 deletions(-) diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc index 9471434..81700b8 100644 --- a/policy/modules/contrib/gnome.fc 
+++ b/policy/modules/contrib/gnome.fc
@@ -1,9 +1,15 @@
 HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_xdg_config_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
+HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
 /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 67340ea..3d570d6 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
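Review bot: `HOME_DIR/\.gnome2/keyrings(/.*)?` is the only entry that yields gnome_keyring_home_t, so keyring files stored anywhere else keep the generic gnome_home_t and become readable through the read/manage home-content interfaces this commit adds to gnome.if. If the gnome-keyring version being packaged also writes keyrings under the XDG data directory (`~/.local/share/keyrings`), that location is not covered here — worth confirming, since separating the secret store from gnome_home_t is the point of the new type. The overlap between this entry and `HOME_DIR/\.gnome2(/.*)?` is fine as written because file_contexts resolution prefers the more specific match.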
@@ -2,49 +2,143 @@ ############################################################ ## -## Role access for gnome +## Role access for gnome. (Deprecated) ## ## ## -## Role allowed access +## Role allowed access. ## ## ## ## -## User domain for the role +## User domain for the role. ## ## # interface(`gnome_role',` + refpolicywarn(`$0'($*) has been deprecated, use gnome_role_gconfd() instead.') + gnome_role_gconfd($1, $2) +') + +######################################## +## +## Role access for gconfd. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`gnome_role_gconfd',` gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; + attribute_role gconfd_roles; + type gconfd_t, gconfd_exec_t, gconf_tmp_t; type gconf_home_t; ') - role $1 types gconfd_t; + ######################################## + # + # Declarations + # + + roleattribute $1 gconfd_roles; + + ######################################## + # + # Policy + # - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; + domtrans_pattern($2, gconfd_exec_t, gconfd_t) - manage_dirs_pattern($2, gconf_home_t, gconf_home_t) - manage_files_pattern($2, gconf_home_t, gconf_home_t) + allow $2 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; + userdom_user_home_dir_filetrans($2, gconf_home_t, dir, ".gconf") + userdom_user_home_dir_filetrans($2, gconf_home_t, dir, ".gconfd") + allow $2 gconfd_t:process { ptrace signal_perms }; ps_process_pattern($2, gconfd_t) +') + +####################################### +## +## The role template for gnome keyringd. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. 
+## +## +# +template(`gnome_role_template_gkeyringd',` + gen_require(` + attribute gnomedomain, gkeyringd_domain; + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; + ') + + ######################################## + # + # Declarations + # + + type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; + userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) + domain_user_exemption_target($1_gkeyringd_t) + + role $2 types $1_gkeyringd_t; + + ######################################## + # + # Policy + # + + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) + + allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; + allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; + + userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") + userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") + userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") + + gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") + + allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; + ps_process_pattern($3, $1_gkeyringd_t) + allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; - gnome_manage_config($2) + corecmd_bin_domtrans($1_gkeyringd_t, $3) + corecmd_shell_domtrans($1_gkeyringd_t, $3) + + gnome_stream_connect_gkeyringd($1, $3) + + optional_policy(` + dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + + gnome_dbus_chat_gkeyringd($1, $3) + ') ') ######################################## ## -## Execute gconf programs in -## in the caller domain. +## Execute gconf in the caller domain. ## ## ## 
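Review bot: The deprecation warning in `gnome_role` is written `refpolicywarn(`$0'($*) has been deprecated, use gnome_role_gconfd() instead.')` — the stray `'` after `$0` closes the m4 quote early, unlike the other deprecation wrappers in this commit, which use `$0($*)`; it should read `refpolicywarn(`$0($*) has been deprecated, use gnome_role_gconfd() instead.')`. Separately, `gnome_role_template_gkeyringd` uses gnome_home_t in its `allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir ...` rules and in the `userdom_user_home_dir_filetrans($3, gnome_home_t, ...)` calls, but its gen_require lists only gkeyringd_exec_t, gnome_keyring_home_t and gnome_keyring_tmp_t; add `type gnome_home_t;` there so the template resolves when expanded from a user-domain module. The same template grants `$3 $1_gkeyringd_t:process { ptrace signal_perms }`, which lets the user domain ptrace the process holding unlocked keyring secrets; it mirrors the gconfd rule above it, but a short comment stating why ptrace is wanted (or a tunable around it) would help whoever later audits this.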
@@ -57,20 +151,21 @@ interface(`gnome_exec_gconf',` type gconfd_exec_t; ') + corecmd_search_bin($1) can_exec($1, gconfd_exec_t) ') ######################################## ## -## Read gconf config files. +## Read gconf configuration files. ## -## +## ## ## Domain allowed access. ## ## # -template(`gnome_read_gconf_config',` +interface(`gnome_read_gconf_config',` gen_require(` type gconf_etc_t; ') @@ -82,7 +177,8 @@ template(`gnome_read_gconf_config',` ####################################### ## -## Create, read, write, and delete gconf config files. +## Create, read, write, and delete +## gconf configuration files. ## ## ## @@ -101,9 +197,10 @@ interface(`gnome_manage_gconf_config',` ######################################## ## -## gconf connection template. +## Connect to gconf using a unix +## domain stream socket. ## -## +## ## ## Domain allowed access. ## @@ -114,8 +211,8 @@ interface(`gnome_stream_connect_gconf',` type gconfd_t, gconf_tmp_t; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; + files_search_tmp($1) + stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) ') ######################################## @@ -124,7 +221,7 @@ interface(`gnome_stream_connect_gconf',` ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # @@ -133,12 +230,32 @@ interface(`gnome_domtrans_gconfd',` type gconfd_t, gconfd_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') ######################################## ## -## Set attributes of Gnome config dirs. +## Create generic gnome home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_home_dirs',` + gen_require(` + type gnome_home_t; + ') + + allow $1 gnome_home_t:dir create_dir_perms; +') + +######################################## +## +## Set attributes of generic gnome +## user home directories. (Deprecated) ## ## ## 
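Review bot: `gnome_create_generic_home_dirs` grants only `allow $1 gnome_home_t:dir create_dir_perms;` with no `userdom_search_user_home_dirs($1)`, whereas every other new home-content interface in this commit (read, manage, search, filetrans) pairs its allow with that search call; if the omission is deliberate because callers already hold home-dir search, a one-line comment saying so would keep the next reader from "fixing" it, and the same applies to `gnome_create_generic_gconf_home_dirs` in the following hunk. The `gnome_stream_connect_gconf` rewrite to `stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)` also drops the old `read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)`; if gconf clients still read regular files under `/tmp/gconfd-USER` (which gnome.fc labels gconf_tmp_t), that read access is gone and should be confirmed against client behaviour.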
@@ -147,62 +264,432 @@ interface(`gnome_domtrans_gconfd',` ## # interface(`gnome_setattr_config_dirs',` + refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.') + gnome_setattr_generic_home_dirs($1) +') + +######################################## +## +## Set attributes of generic gnome +## user home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_setattr_generic_home_dirs',` gen_require(` type gnome_home_t; - type gnome_xdg_config_t; ') + userdom_search_user_home_dirs($1) setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - setattr_dirs_pattern($1, gnome_xdg_config_t, gnome_xdg_config_t) - files_search_home($1) ') ######################################## ## -## Read gnome homedir content (.config) +## Read generic gnome user home content. (Deprecated) ## -## +## ## ## Domain allowed access. ## ## # template(`gnome_read_config',` + refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.') + gnome_read_generic_home_content($1) +') + +######################################## +## +## Read generic gnome home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_read_generic_home_content',` gen_require(` type gnome_home_t; - type gnome_xdg_config_t; ') - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) - - list_dirs_pattern($1, gnome_xdg_config_t, gnome_xdg_config_t) - read_files_pattern($1, gnome_xdg_config_t, gnome_xdg_config_t) - read_lnk_files_pattern($1, gnome_xdg_config_t, gnome_xdg_config_t) + userdom_search_user_home_dirs($1) + allow $1 gnome_home_t:dir list_dir_perms; + allow $1 gnome_home_t:file read_file_perms; + allow $1 gnome_home_t:fifo_file read_fifo_file_perms; + allow $1 gnome_home_t:lnk_file read_lnk_file_perms; + allow $1 gnome_home_t:sock_file read_sock_file_perms; ') ######################################## ## -## manage gnome homedir content (.config) +## Create, read, write, and delete +## generic gnome user home content. (Deprecated) ## -## +## ## ## Domain allowed access. ## ## # interface(`gnome_manage_config',` + refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.') + gnome_manage_generic_home_content($1) +') + +######################################## +## +## Create, read, write, and delete +## generic gnome home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_generic_home_content',` + gen_require(` + type gnome_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gnome_home_t:dir manage_dir_perms; + allow $1 gnome_home_t:file manage_file_perms; + allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; + allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; + allow $1 gnome_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic gnome home directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_search_generic_home',` + gen_require(` + type gnome_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gnome_home_t:dir search_dir_perms; +') + +######################################## +## +## Create objects in gnome user home +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans',` + gen_require(` + type gnome_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, gnome_home_t, $2, $3, $4) +') + +######################################## +## +## Create generic gconf home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_create_generic_gconf_home_dirs',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic gconf home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_generic_gconf_home_content',` + gen_require(` + type gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir list_dir_perms; + allow $1 gconf_home_t:file read_file_perms; + allow $1 gconf_home_t:fifo_file read_fifo_file_perms; + allow $1 gconf_home_t:lnk_file read_lnk_file_perms; + allow $1 gconf_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic gconf home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_manage_generic_gconf_home_content',` + gen_require(` + type gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir manage_dir_perms; + allow $1 gconf_home_t:file manage_file_perms; + allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; + allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; + allow $1 gconf_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic gconf home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_search_generic_gconf_home',` + gen_require(` + type gconf_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir search_dir_perms; +') + +######################################## +## +## Create objects in user home +## directories with the generic gconf +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_home_filetrans_gconf_home',` + gen_require(` + type gconf_home_t; + ') + + userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) +') + +######################################## +## +## Create objects in user home +## directories with the generic gnome +## home type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. 
+## +## +# +interface(`gnome_home_filetrans_gnome_home',` gen_require(` type gnome_home_t; - type gnome_xdg_config_t; ') - manage_dirs_pattern($1, gnome_home_t, gnome_home_t) - manage_files_pattern($1, gnome_home_t, gnome_home_t) + userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) +') - manage_dirs_pattern($1, gnome_xdg_config_t, gnome_xdg_config_t) - manage_files_pattern($1, gnome_xdg_config_t, gnome_xdg_config_t) +######################################## +## +## Create objects in gnome gconf home +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`gnome_gconf_home_filetrans',` + gen_require(` + type gconf_home_t; + ') userdom_search_user_home_dirs($1) + filetrans_pattern($1, gconf_home_t, $2, $3, $4) +') + +######################################## +## +## Send and receive messages from +## gnome keyring daemon over dbus. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_gkeyringd',` + gen_require(` + type $1_gkeyringd_t; + class dbus send_msg; + ') + + allow $2 $1_gkeyringd_t:dbus send_msg; + allow $1_gkeyringd_t $2:dbus send_msg; +') + +######################################## +## +## Send and receive messages from all +## gnome keyring daemon over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_all_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; + class dbus send_msg; + ') + + allow $1 gkeyringd_domain:dbus send_msg; + allow gkeyringd_domain $1:dbus send_msg; +') + +######################################## +## +## Connect to gnome keyring daemon +## with a unix stream socket. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). 
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_stream_connect_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ ')
+
+ files_search_tmp($2)
+ stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+')
+
+########################################
+##
+## Connect to all gnome keyring daemon
+## with a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_stream_connect_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gnome_keyring_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 ')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 1346180..9c4d0e9 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,11 +1,13 @@
-policy_module(gnome, 2.2.0)
+policy_module(gnome, 2.2.1)
 ##############################
 #
 # Declarations
 #
+attribute gkeyringd_domain;
 attribute gnomedomain;
+attribute_role gconfd_roles;
 type gconf_etc_t;
 files_config_file(gconf_etc_t)
@@ -27,6 +29,7 @@ type gconfd_exec_t;
 typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
 typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
 userdom_user_application_domain(gconfd_t, gconfd_exec_t)
+role gconfd_roles types gconfd_t;
 type gnome_home_t;
 typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
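Review bot: The deprecated wrappers `gnome_setattr_config_dirs`, `gnome_read_config` and `gnome_manage_config` now forward to the new generic home-content interfaces, which cover gnome_home_t only — the removed `setattr_dirs_pattern`/`list_dirs_pattern`/`read_files_pattern`/`manage_*_pattern` lines on gnome_xdg_config_t were the only rules granting callers that type, yet gnome.fc in this same commit still labels `HOME_DIR/\.config/gtk-.*` as gnome_xdg_config_t. Existing callers of the deprecated names therefore silently lose setattr/read/manage on ~/.config/gtk-* and will see denials; either keep the gnome_xdg_config_t rules inside the deprecated wrappers or add a dedicated xdg-config interface, and note the narrowing in the commit message. The new `gnome_dbus_chat_gkeyringd` and `gnome_stream_connect_gkeyringd` interfaces take the per-prefix `$1_gkeyringd_t` type and look consistent with the template introduced in the first hunk of this file.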
@@ -37,13 +40,47 @@ userdom_user_home_content(gnome_home_t)
 type gnome_xdg_config_t;
 xdg_config_home_content(gnome_xdg_config_t)
+type gkeyringd_exec_t;
+application_executable_file(gkeyringd_exec_t)
+
+type gnome_keyring_home_t;
+userdom_user_home_content(gnome_keyring_home_t)
+
+type gnome_keyring_tmp_t;
+userdom_user_tmp_file(gnome_keyring_tmp_t)
+
 ##############################
 #
-# Local Policy
+# Common local Policy
 #
-allow gconfd_t self:process getsched;
-allow gconfd_t self:fifo_file rw_fifo_file_perms;
+allow gnomedomain self:process { getsched signal };
+allow gnomedomain self:fifo_file rw_fifo_file_perms;
+
+dev_read_urand(gnomedomain)
+
+domain_use_interactive_fds(gnomedomain)
+
+files_read_etc_files(gnomedomain)
+
+miscfiles_read_localization(gnomedomain)
+
+logging_send_syslog_msg(gnomedomain)
+
+userdom_use_user_terminals(gnomedomain)
+
+optional_policy(`
+ xserver_rw_xdm_pipes(gnomedomain)
+ xserver_use_xdm_fds(gnomedomain)
+')
+
+##############################
+#
+# Conf daemon local Policy
+#
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
 manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
 manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
@@ -53,26 +90,49 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
 userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
-dev_read_urand(gconfd_t)
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfd_t)
+')
-files_read_etc_files(gconfd_t)
+##############################
+#
+# Keyring-daemon local policy
+#
-miscfiles_read_localization(gconfd_t)
+allow gkeyringd_domain self:capability ipc_lock;
+allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
-logging_send_syslog_msg(gconfd_t)
+allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
+gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
-userdom_manage_user_tmp_sockets(gconfd_t)
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+
+manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+
+kernel_read_system_state(gkeyringd_domain)
+kernel_read_crypto_sysctls(gkeyringd_domain)
+
+dev_read_rand(gkeyringd_domain)
+dev_read_sysfs(gkeyringd_domain)
+
+files_read_usr_files(gkeyringd_domain)
+
+fs_getattr_all_fs(gkeyringd_domain)
+
+selinux_getattr_fs(gkeyringd_domain)
 optional_policy(`
- nscd_dontaudit_search_pid(gconfd_t)
+ ssh_read_user_home_files(gkeyringd_domain)
 ')
 optional_policy(`
- xserver_use_xdm_fds(gconfd_t)
- xserver_rw_xdm_pipes(gconfd_t)
+ telepathy_mission_control_read_state(gkeyringd_domain)
 ')
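Review bot: `userdom_manage_user_tmp_sockets(gconfd_t)` is removed, but nothing in this hunk grants gconfd_t sock_file permissions on gconf_tmp_t, while the reworked `gnome_stream_connect_gconf` in gnome.if now expects the daemon's socket to be a gconf_tmp_t sock_file (`stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)`); unless a `manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)` exists outside the hunk, the daemon can no longer create the socket clients are being allowed to connect to. `allow gkeyringd_domain self:capability ipc_lock;` deserves a why-comment so it is not later pruned as unneeded — presumably it is for mlock()ing the pages that hold unlocked secrets so they never reach swap, e.g. `# ipc_lock: lock secret memory so unlocked keyring data is not swapped out`. `ssh_read_user_home_files(gkeyringd_domain)` gives the daemon read access to the user's ssh private keys; that is expected when its ssh-agent component is in use, but being that broad it merits a comment naming the reason in its optional_policy block.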