commit: b409b946fb32c75fe125b956e526988cccbe6d08
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 05:35:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 08:16:57 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b409b946
gnome: add gkeyring rules and fcontext
policy/modules/contrib/gnome.fc | 2 ++
policy/modules/contrib/gnome.if | 2 ++
policy/modules/contrib/gnome.te | 4 +++-
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index ce12193..f31230e 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -18,6 +18,7 @@ HOME_DIR/orcexec\..*
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 --
gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/%{USERID}/keyring(/.*)?
gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
/var/run/user/[^/]*/orcexec\..* --
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..* --
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
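Review bot: The new `/var/run/user/%{USERID}/keyring(/.*)?` entry exists only in the `%{USERID}` form, while the neighbouring orcexec entries carry both a `[^/]*` variant and a `%{USERID}` variant. If I read that pair correctly, the `%{USERID}` line is expanded only for logins with a seusers mapping, so keyring directories of unmapped users would keep the generic runtime label on relabel. A parallel line `/var/run/user/[^/]*/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)` would make the entry consistent with the orcexec pair.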
@@ -25,4 +26,5 @@ ifdef(`distro_gentoo',`
HOME_DIR/\.config/dconf(/.*)?
gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
HOME_DIR/\.cache/dconf(/.*)?
gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
HOME_DIR/\.cache/keyring-.*
gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)?
gen_context(system_u:object_r:gnome_xdg_data_home_t,s0)
')
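Review bot: `HOME_DIR/\.local/share/keyrings(/.*)?` is labelled gnome_xdg_data_home_t, a generic GNOME data type, although this directory holds the user's keyring files and the gnome.te hunk already creates a "keyrings" directory as gnome_keyring_home_t via gnome_home_filetrans. With the generic type, every domain that is granted access to gnome_xdg_data_home_t can also reach the stored keyrings. Unless the xdg type is intended here, `HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)` reuses the existing keyring type, and a matching filetrans from the xdg data directory would be needed so a freshly created directory gets the same label.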
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 190fa16..b08670b 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -778,6 +778,7 @@ interface(`gnome_stream_connect_gkeyringd',`
')
files_search_tmp($2)
+ userdom_search_user_runtime($2)
stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
$1_gkeyringd_t)
')
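Review bot: Both interfaces now grant search on the user runtime directory in addition to the tmp directory, but their doc headers, which start outside this hunk and outside the `gnome_stream_connect_all_gkeyringd` hunk below, presumably still describe only the tmp socket. Update the `## <summary>` of each to say the socket may live in either location, e.g. `## Connect to gnome keyring daemon sockets in tmp or in the user runtime directory.` The same applies to the second hunk at the `userdom_search_user_runtime($1)` line.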
@@ -799,6 +800,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
')
files_search_tmp($1)
+ userdom_search_user_runtime($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
gkeyringd_domain)
')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 5a6f728..a874924 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain,
gnome_keyring_home_t, dir, "keyrings")
manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
gnome_keyring_tmp_t)
files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+kernel_read_kernel_sysctls(gkeyringd_domain)
+kernel_read_system_state(gkeyringd_domain)
dev_read_rand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
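Review bot: `userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)` carries no filename, so every directory the daemon creates directly under the user runtime directory would become gnome_keyring_tmp_t, not only the `keyring` directory the new gnome.fc entry labels. If the interface accepts the optional name argument like `gnome_home_filetrans` in the context above, `userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir, "keyring")` keeps the transition aligned with the file context. The added `kernel_read_kernel_sysctls(gkeyringd_domain)` is a broad grant; a one-line comment naming the sysctl that required it would help later audits.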