From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types
Date: Thu, 13 Oct 2011 16:06:14 +0200
Message-ID: <20111013140614.GA3116@siphos.be>

With some delay (busy days at work), here is the XDG module with the feedback
from Dominick integrated. Changes since v2 include:

- Rename of interfaces to be more in line with naming conventions
- Use of userdom_search_... instead of userdom_list_...
- Add the lnk_file and fifo_file classes in the xdg_manage_* interfaces
- Drop the xdg_admin interface
- Add a few TODOs that need to be written when named file transitions are
  supported (didn't want to include it as comments since M4 doesn't like
  that)

Wkr,
	Sven Vermeulen

+++

The XDG Base Directory specification is an open specification for
dealing with user data in a desktop environment. It is published on
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
and in use by many applications.

In this patch, we introduce the xdg-specific types and give the standard
interfaces for dealing with these types. We also provide a typeattribute
for each of the xdg-specific locations, allowing applications that
create files therein to mark these files as the appropriate xdg type.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 xdg.fc |    8 +
 xdg.if |  577 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 xdg.te |   26 +++
 3 files changed, 611 insertions(+), 0 deletions(-)
 create mode 100644 xdg.fc
 create mode 100644 xdg.if
 create mode 100644 xdg.te

diff --git a/xdg.fc b/xdg.fc
new file mode 100644
index 0000000..49a52d9
--- /dev/null
+++ b/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)?		gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local(/.*)?		gen_context(system_u:object_r:xdg_data_home_t,s0)
+
+#
+# /run
+#
+/run/user/USER(/.*)?			gen_context(system_u:object_r:xdg_runtime_home_t,s0)
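
Review bot: The third entry, HOME_DIR/\.local(/.*)?, labels the whole of ~/.local as xdg_data_home_t, but the XDG Base Directory specification defaults $XDG_DATA_HOME to ~/.local/share. Everything else kept under ~/.local (for example ~/.local/bin) therefore becomes data-home content, and any domain given xdg_manage_generic_data_home_content can manage it. Consider narrowing the pattern to HOME_DIR/\.local/share(/.*)? and deciding separately how the ~/.local directory itself is labelled. It would also help to state in the commit message that only the default locations are labelled, so relocated $XDG_*_HOME directories are not covered by these entries.
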
diff --git a/xdg.if b/xdg.if
new file mode 100644
index 0000000..36e0425
--- /dev/null
+++ b/xdg.if
@@ -0,0 +1,577 @@
+## <summary>Policy for xdg desktop standard</summary>
+
+########################################
+## <summary>
+##	Mark the selected type as an xdg_data_home_type
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to give the xdg_data_home_type attribute to
+##	</summary>
+## </param>
+#
+interface(`xdg_data_home_content',`
+	gen_require(`
+		attribute xdg_data_home_type;
+	')
+
+	typeattribute $1 xdg_data_home_type;
+
+	userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+##	Create objects in an xdg_data_home directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`xdg_data_home_spec_filetrans',`
+	gen_require(`
+		type xdg_data_home_t;
+	')
+
+	filetrans_pattern($1, xdg_data_home_t, $2, $3)
+
+	userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_data_home_filetrans when named file transitions are supported
+#      to support a filetrans from user_home_dir_t to xdg_data_home_t (~/.local)
+
+########################################
+## <summary>
+##	Mark the selected type as an xdg_cache_home_type
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to give the xdg_cache_home_type attribute to
+##	</summary>
+## </param>
+#
+interface(`xdg_cache_home_content',`
+	gen_require(`
+		attribute xdg_cache_home_type;
+	')
+
+	typeattribute $1 xdg_cache_home_type;
+
+	userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+##	Create objects in an xdg_cache_home directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`xdg_cache_home_spec_filetrans',`
+	gen_require(`
+		type xdg_cache_home_t;
+	')
+
+	filetrans_pattern($1, xdg_cache_home_t, $2, $3)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_cache_home_filetrans when named file transitions are supported
+#      to support a filetrans from user_home_dir_t to xdg_cache_home_t (~/.cache)
+
+########################################
+## <summary>
+##	Mark the selected type as an xdg_config_home_type
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to give the xdg_config_home_type attribute to
+##	</summary>
+## </param>
+#
+interface(`xdg_config_home_content',`
+	gen_require(`
+		attribute xdg_config_home_type;
+	')
+
+	typeattribute $1 xdg_config_home_type;
+
+	userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+##	Create objects in an xdg_config_home directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`xdg_config_home_spec_filetrans',`
+	gen_require(`
+		type xdg_config_home_t;
+	')
+
+	filetrans_pattern($1, xdg_config_home_t, $2, $3)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_config_home_filetrans when named file transitions are supported
+#      to support a filetrans from user_home_dir_t to xdg_config_home_t (~/.config)
+
+#
+########################################
+## <summary>
+##	Mark the selected type as an xdg_runtime_home_type
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to give the xdg_runtime_home_type attribute to
+##	</summary>
+## </param>
+#
+interface(`xdg_runtime_home_content',`
+	gen_require(`
+		attribute xdg_runtime_home_type;
+	')
+
+	typeattribute $1 xdg_runtime_home_type;
+
+	userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+##	Create objects in an xdg_runtime_home directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`xdg_runtime_home_spec_filetrans',`
+	gen_require(`
+		type xdg_runtime_home_t;
+	')
+
+	filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
+
+	files_search_pids($1)
+')
+
+# TODO Introduce xdg_runtime_home_filetrans (if applicable) when named file transitions are supported
+#      to support a filetrans from whatever /run/user is to xdg_config_home_t
+
+########################################
+## <summary>
+##	Read the xdg cache home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_cache_home_files',`
+	gen_require(`
+		type xdg_cache_home_t;	
+	')
+
+	read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Read all xdg_cache_home_type files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_all_cache_home_files',`
+	gen_require(`
+		attribute xdg_cache_home_type;
+	')
+
+	read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Allow relabeling the xdg cache home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_relabel_generic_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;	
+	')
+
+	relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+##	Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_cache_home_content',`
+	gen_require(`
+		type xdg_cache_home_t;	
+	')
+
+	manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Read the xdg config home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_config_home_files',`
+	gen_require(`
+		type xdg_config_home_t;	
+	')
+
+	read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Read all xdg_config_home_type files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_all_config_home_files',`
+	gen_require(`
+		attribute xdg_config_home_type;
+	')
+
+	read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_relabel_generic_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;	
+	')
+
+	relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+##	Manage the xdg config home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_config_home_content',`
+	gen_require(`
+		type xdg_config_home_t;	
+	')
+
+	manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Read the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_data_home_files',`
+	gen_require(`
+		type xdg_data_home_t;	
+	')
+
+	read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Read all xdg_data_home_type files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_all_data_home_files',`
+	gen_require(`
+		attribute xdg_data_home_type;
+	')
+
+	read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_relabel_generic_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;	
+	')
+
+	relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Manage the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_data_home_content',`
+	gen_require(`
+		type xdg_data_home_t;	
+	')
+
+	manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+	
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Read the xdg runtime home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_generic_runtime_home_files',`
+	gen_require(`
+		type xdg_runtime_home_t;	
+	')
+
+	read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Read all xdg_runtime_home_type files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_read_all_runtime_home_files',`
+	gen_require(`
+		attribute xdg_runtime_home_type;
+	')
+
+	read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Allow relabeling the xdg runtime home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_relabel_generic_runtime_home_content',`
+	gen_require(`
+		type xdg_runtime_home_t;	
+	')
+
+	relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Manage the xdg runtime home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_generic_runtime_home_content',`
+	gen_require(`
+		type xdg_runtime_home_t;	
+	')
+
+	manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+	manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+	files_search_pids($1)
+')
+
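
Review bot: xdg_runtime_home_content calls userdom_user_home_content($1), which does not match the rest of the runtime handling: xdg.fc places this content under /run/user, and every other runtime interface here uses files_search_pids($1) rather than userdom_search_user_home_dirs($1). Please confirm that treating /run/user content as user home content is intended, or use a marker suited to /run. Related cleanups in the same hunk: the TODO after xdg_runtime_home_spec_filetrans names xdg_config_home_t where xdg_runtime_home_t is meant; there is a stray "#" line before the xdg_runtime_home_content header; several gen_require lines end with a trailing tab (for example "type xdg_cache_home_t;") and a number of separator lines contain only a tab. The xdg_read_* interfaces grant read_files_pattern only, so a caller that needs to list these directories or follow symlinks in them gets nothing from this module; if that is deliberate, say so in the interface summaries.
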
diff --git a/xdg.te b/xdg.te
new file mode 100644
index 0000000..f9088b4
--- /dev/null
+++ b/xdg.te
@@ -0,0 +1,26 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_data_home_type;
+
+attribute xdg_config_home_type;
+
+attribute xdg_cache_home_type;
+
+attribute xdg_runtime_home_type;
+
+type xdg_data_home_t;
+xdg_data_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+xdg_config_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+xdg_cache_home_content(xdg_cache_home_t)
+
+type xdg_runtime_home_t;
+xdg_runtime_home_content(xdg_runtime_home_t)
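
Review bot: The module only declares the four attributes and types and tags each type through its xdg_*_content interface; nothing in xdg.te (or elsewhere in this patch) calls the xdg_read_*, xdg_manage_* or xdg_relabel_* interfaces for any domain. Once the xdg.fc entries relabel ~/.cache, ~/.config, ~/.local and /run/user/USER, access by existing user and application domains depends entirely on what userdom_user_home_content grants. Please either add the callers in the same series or document in the commit message which domains are expected to keep access and how, so the relabel does not produce unexpected denials.
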
-- 
1.7.3.4
