* [refpolicy] [PATCH 0/4] Introduce XDG type definition
@ 2011-10-03 19:46 Sven Vermeulen
2011-10-03 19:46 ` [refpolicy] [PATCH 1/4] Introduce xdg types Sven Vermeulen
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-10-03 19:46 UTC (permalink / raw)
To: refpolicy
This patchset introduces a new module called "xdg".
The purpose of this module is to support the XDG locations as mentioned in
the XDG Base Directory Specification [1] by introducing three types
(xdg_data_home_t, xdg_config_home_t and xdg_cache_home_t) with the related
interfaces for dealing with those types.
I opted to keep this as a separate module, rather than integrate it in an
existing domain, most notably userdomain. The main reason I have is that XDG
is targeting desktops more than servers, whereas userdomain is part of the
base policy and as such available on all (server + desktop). If this is
wrong of me, just tell me which module to use and I'll send an updated
patchset.
[1] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
Wkr,
Sven Vermeulen
^ permalink raw reply [flat|nested] 5+ messages in thread* [refpolicy] [PATCH 1/4] Introduce xdg types 2011-10-03 19:46 [refpolicy] [PATCH 0/4] Introduce XDG type definition Sven Vermeulen @ 2011-10-03 19:46 ` Sven Vermeulen 2011-10-03 19:47 ` [refpolicy] [PATCH 2/4] Allow the dbusd_t domains to read xdg data Sven Vermeulen ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: Sven Vermeulen @ 2011-10-03 19:46 UTC (permalink / raw) To: refpolicy The XDG Base Directory specification is an open specification for dealing with user data in a desktop environment. It is published on http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html and in use by many applications. In this patch, we introduce the xdg-specific types and give the standard interfaces for dealing with these types. I opted for a separate module instead of userdomain since it is targeting desktop users more than servers. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- xdg.fc | 3 + xdg.if | 143 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xdg.te | 15 +++++++ 3 files changed, 161 insertions(+), 0 deletions(-) create mode 100644 xdg.fc create mode 100644 xdg.if create mode 100644 xdg.te diff --git a/xdg.fc b/xdg.fc new file mode 100644 index 0000000..44dc42e --- /dev/null +++ b/xdg.fc @@ -0,0 +1,3 @@ +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0) diff --git a/xdg.if b/xdg.if new file mode 100644 index 0000000..23930df --- /dev/null +++ b/xdg.if @@ -0,0 +1,143 @@ +## <summary>Policy for xdg desktop standard</summary> + +####################################### +## <summary> +## Allow the userdomain full administrative rights on the xdg_* locations +## </summary> +## <param name="userdomain"> +## <summary> +## The user domain +## </summary> +## </param> +## <rolebase/> +# +interface(`xdg_admin',` + gen_require(` + type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t; + ') + + # full control over the xdg_* directories + admin_pattern($1, xdg_cache_home_t, xdg_cache_home_t) + admin_pattern($1, xdg_config_home_t, xdg_config_home_t) + admin_pattern($1, xdg_data_home_t, xdg_data_home_t) +') + +######################################## +## <summary> +## Manage the xdg cache home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xdg_manage_cache_home',` + gen_require(` + type xdg_cache_home_t; + ') + + manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) + manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) +') + +######################################## +## <summary> +## Read the xdg cache home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xdg_read_cache_home',` + gen_require(` + type xdg_cache_home_t; + type user_home_dir_t; + ') + + list_dirs_pattern($1, user_home_dir_t, xdg_cache_home_t) + read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) +') + +######################################## +## <summary> +## Manage the xdg config home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xdg_manage_config_home',` + gen_require(` + type xdg_config_home_t; + ') + + manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t) + manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) +') + +######################################## +## <summary> +## Read the xdg config home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xdg_read_config_home',` + gen_require(` + type xdg_config_home_t; + type user_home_dir_t; + ') + + list_dirs_pattern($1, user_home_dir_t, xdg_config_home_t) + read_files_pattern($1, xdg_config_home_t, xdg_config_home_t) +') + +######################################## +## <summary> +## Manage the xdg data home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xdg_manage_data_home',` + gen_require(` + type xdg_data_home_t; + ') + + manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t) + manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) +') + +######################################## +## <summary> +## Read the xdg data home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xdg_read_data_home',` + gen_require(` + type xdg_data_home_t; + type user_home_dir_t; + type user_home_t; + ') + + search_dirs_pattern($1, user_home_dir_t, user_home_t) + list_dirs_pattern($1, user_home_t, xdg_data_home_t) + read_files_pattern($1, xdg_data_home_t, xdg_data_home_t) +') + diff --git a/xdg.te b/xdg.te new file mode 100644 index 0000000..3b9b0d9 --- /dev/null +++ b/xdg.te @@ -0,0 +1,15 @@ +policy_module(xdg, 1.0.0) + +######################################## +# +# Declarations +# +type xdg_data_home_t; +userdom_user_home_content(xdg_data_home_t) + +type xdg_config_home_t; +userdom_user_home_content(xdg_config_home_t) + +type xdg_cache_home_t; +userdom_user_home_content(xdg_cache_home_t) + -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 2/4] Allow the dbusd_t domains to read xdg data 2011-10-03 19:46 [refpolicy] [PATCH 0/4] Introduce XDG type definition Sven Vermeulen 2011-10-03 19:46 ` [refpolicy] [PATCH 1/4] Introduce xdg types Sven Vermeulen @ 2011-10-03 19:47 ` Sven Vermeulen 2011-10-03 19:47 ` [refpolicy] [PATCH 3/4] Allow mozilla " Sven Vermeulen 2011-10-03 19:48 ` [refpolicy] [PATCH 4/4] Allow users to manage their xdg_* locations Sven Vermeulen 3 siblings, 0 replies; 5+ messages in thread From: Sven Vermeulen @ 2011-10-03 19:47 UTC (permalink / raw) To: refpolicy The dbus domains currently hold userdom_read_user_home_content_files, partially due to it requiring the xdg data (xdg_data_home_t). Grant xdg_read_data_home to the dbus domain keeps this. From first looks of it, other xdg locations are not needed by dbus. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- dbus.if | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/dbus.if b/dbus.if index 1a1becd..f963ea8 100644 --- a/dbus.if +++ b/dbus.if @@ -160,6 +160,10 @@ template(`dbus_role_template',` ') optional_policy(` + xdg_read_data_home($1_dbus_t) + ') + + optional_policy(` xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) ') -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 3/4] Allow mozilla to read xdg data 2011-10-03 19:46 [refpolicy] [PATCH 0/4] Introduce XDG type definition Sven Vermeulen 2011-10-03 19:46 ` [refpolicy] [PATCH 1/4] Introduce xdg types Sven Vermeulen 2011-10-03 19:47 ` [refpolicy] [PATCH 2/4] Allow the dbusd_t domains to read xdg data Sven Vermeulen @ 2011-10-03 19:47 ` Sven Vermeulen 2011-10-03 19:48 ` [refpolicy] [PATCH 4/4] Allow users to manage their xdg_* locations Sven Vermeulen 3 siblings, 0 replies; 5+ messages in thread From: Sven Vermeulen @ 2011-10-03 19:47 UTC (permalink / raw) To: refpolicy Mozilla (firefox) reads in xdg data, for instance for the MIME handling (associating MIME types with applications) as mentioned in ~/.local/share/applications Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- mozilla.te | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/mozilla.te b/mozilla.te index b9ea50f..dc784ef 100644 --- a/mozilla.te +++ b/mozilla.te @@ -296,6 +296,10 @@ optional_policy(` thunderbird_domtrans(mozilla_t) ') +optional_policy(` + xdg_read_data_home(mozilla_t) +') + ######################################## # # mozilla_plugin local policy -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 4/4] Allow users to manage their xdg_* locations 2011-10-03 19:46 [refpolicy] [PATCH 0/4] Introduce XDG type definition Sven Vermeulen ` (2 preceding siblings ...) 2011-10-03 19:47 ` [refpolicy] [PATCH 3/4] Allow mozilla " Sven Vermeulen @ 2011-10-03 19:48 ` Sven Vermeulen 3 siblings, 0 replies; 5+ messages in thread From: Sven Vermeulen @ 2011-10-03 19:48 UTC (permalink / raw) To: refpolicy The xdg locations as defined under the xdg module are all within a users' HOMEDIR. We allow the user to administer his xdg_* files. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/userdomain.if | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index c6d3cc8..f7f7d44 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -267,6 +267,10 @@ interface(`userdom_manage_home_role',` fs_dontaudit_manage_cifs_dirs($2) fs_dontaudit_manage_cifs_files($2) ') + + optional_policy(` + xdg_admin($2) + ') ') ####################################### -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-10-03 19:48 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-10-03 19:46 [refpolicy] [PATCH 0/4] Introduce XDG type definition Sven Vermeulen 2011-10-03 19:46 ` [refpolicy] [PATCH 1/4] Introduce xdg types Sven Vermeulen 2011-10-03 19:47 ` [refpolicy] [PATCH 2/4] Allow the dbusd_t domains to read xdg data Sven Vermeulen 2011-10-03 19:47 ` [refpolicy] [PATCH 3/4] Allow mozilla " Sven Vermeulen 2011-10-03 19:48 ` [refpolicy] [PATCH 4/4] Allow users to manage their xdg_* locations Sven Vermeulen
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.