commit:     8f3ac480c34bff1c605ba8f4a71bc484dccd8b9d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 19 20:44:44 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 22 16:52:42 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f3ac480

Gnome Keyring policies

Gnome keyring communicates with other programs via a socket in
~/.cache/. This patch creates gnome_xdg_*_home_t labels and lets
gnome keyring manage them

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/contrib/gnome.fc |  5 +++++
 policy/modules/contrib/gnome.te | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 209314b..9bc2c50 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -15,3 +15,8 @@ HOME_DIR/\.gnome2_private(/.*)?       
gen_context(system_u:object_r:gnome_home_t,s0)
 /usr/bin/mate-keyring-daemon   --      
gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 /usr/lib/[^/]*/gconf/gconfd-2  --      
gen_context(system_u:object_r:gconfd_exec_t,s0)
 /usr/libexec/gconfd-2  --      gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+
+ifdef(`distro_gentoo',`
+HOME_DIR/\.cache/keyring-.*    
gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
+')
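Review bot: Only the cache type gets a file-context entry in this hunk, while the gnome.te hunk of the same commit also introduces `gnome_xdg_data_home_t` and relies on type transitions alone to apply it. Without a matching entry, a relabel (for example `restorecon -R` on the home directory) would presumably reset directories the daemon created under ~/.local/share to the default XDG data label, after which the new `manage_file_perms` rules no longer cover them. Consider adding a context line for the keyring data directory next to the cache one, along the lines of `HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_home_t,s0)`, after confirming the path the daemon actually uses. Whether `gnome_xdg_config_home_t` already has entries elsewhere in gnome.fc is not visible here.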

diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 5dd3498..98cd996 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -141,9 +141,33 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
+       type gnome_xdg_cache_home_t;
        type gnome_xdg_config_t; # Fase out
        type gnome_xdg_config_home_t;
+       type gnome_xdg_data_home_t;
 
+       xdg_cache_home_content(gnome_xdg_cache_home_t)
        xdg_config_home_content(gnome_xdg_config_t)
        xdg_config_home_content(gnome_xdg_config_home_t)
+       xdg_data_home_content(gnome_xdg_data_home_t)
+
+       ##
+       ## Keyring
+       ##
+
+       # When gnome-keyring creates a .cache/keyring-.... make sure it is 
gnome_xdg_cache_home_t
+       xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir)
+       # Same for ~/.config and ~/.local stuff
+       xdg_config_home_filetrans(gkeyringd_domain, gnome_xdg_config_home_t, 
dir)
+       xdg_data_home_filetrans(gkeyringd_domain, gnome_xdg_data_home_t, dir)
+
+       allow gkeyringd_domain gnome_xdg_cache_home_t:file manage_file_perms;
+       allow gkeyringd_domain gnome_xdg_cache_home_t:sock_file 
manage_sock_file_perms;
+       manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, 
gnome_xdg_cache_home_t)
+
+       allow gkeyringd_domain gnome_xdg_config_home_t:file manage_file_perms;
+       manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_home_t, 
gnome_xdg_config_home_t)
+
+       allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms;
+       manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, 
gnome_xdg_data_home_t)
 ')
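Review bot: The keyring stores that gkeyringd writes under ~/.local/share are labelled `gnome_xdg_data_home_t`, a type whose name covers GNOME data in general, so any later rule that grants another GNOME domain access to that type would also reach the keyring files. A type dedicated to the keyring daemon's data directory would keep that boundary explicit, and the same consideration applies to the `gnome_xdg_config_home_t` rules. In addition, the `xdg_config_home_filetrans` and `xdg_data_home_filetrans` calls are unnamed, so every directory a `gkeyringd_domain` process creates directly in those locations takes the GNOME type; if these interfaces accept an optional name argument, passing the directory name would narrow the transition. The cache transition has to stay unnamed, since the `keyring-` directory name apparently carries a variable suffix. The `ifdef` block opens before the hunk, so existing rules on these types are not visible here.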
