policy_module(feffe, 1.0)

########################################
#
# Base local policy: silence denials that this host does not intend
# to grant. dontaudit never allows anything; it only stops the AVC
# from logging the denial. While debugging, re-enable these with
# semodule -DB (and restore with semodule -B).
#

gen_require(`
	attribute file_type;
	attribute userdomain;

	type devicekit_disk_t;
	type etc_t;
	type fs_t;
	type mozilla_t;
	type xdg_cache_t;
')

# watch (inotify-style) requests from any user domain on any file type
dontaudit userdomain file_type:{ dir file } watch;

# devicekit_disk_t (udisks) watching /etc
dontaudit devicekit_disk_t etc_t:dir watch;

# mozilla_t touching XDG cache files it is not allowed to use, and
# querying filesystem quotas
dontaudit mozilla_t xdg_cache_t:file { read write };
dontaudit mozilla_t fs_t:filesystem quotaget;

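########################################
#
# feffe_cron_sync_to_home: let system cron jobs act as an HTTP client
# and rewrite user home content.
#
# Off by default. While enabled, system_cronjob_t may connect to
# http_port_t (which in refpolicy also covers the TLS ports, see the
# corenetwork definitions), read the generic CA certificates, and
# create, delete, modify and relabel any directory or file that is
# user home content. That is full control over every home directory,
# so turn it on only where that is intended.
#

gen_tunable(feffe_cron_sync_to_home, false)

tunable_policy(`feffe_cron_sync_to_home',`
	gen_require(`
		type system_cronjob_t;
		# required explicitly: the relabel rule below names this type
		# directly instead of going through a userdom_ interface, so it
		# must not depend on an interface happening to require it
		type user_home_t;
	')

	# XDG config files
	xdg_read_config_files(system_cronjob_t)

	# outbound HTTP client: generic interfaces and nodes, http_port_t,
	# and the CA bundle
	corenet_tcp_sendrecv_generic_if(system_cronjob_t)
	corenet_tcp_sendrecv_generic_node(system_cronjob_t)
	corenet_tcp_connect_http_port(system_cronjob_t)
	corenet_sendrecv_http_client_packets(system_cronjob_t)
	miscfiles_read_generic_certs(system_cronjob_t)

	# full management of user home content, plus relabeling to and
	# from user_home_t on both dirs and files
	userdom_manage_user_home_content_dirs(system_cronjob_t)
	userdom_manage_user_home_content_files(system_cronjob_t)
	allow system_cronjob_t user_home_t:{ dir file } { relabelfrom relabelto };
')
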
########################################
#
# feffe_use_xdm: extra access for a display-manager login setup
# (DRI for all user domains, plus system and session D-Bus rules).
#
# Off by default. Everything below is granted only while the boolean
# is on. Note that dev_rw_dri(userdomain) reaches every user domain,
# not just the graphical session, and that system_dbusd_t gains cgroup
# management, setfscreate and kmsg_device_t write access, each of which
# widens what a compromised bus daemon could do.
#

gen_tunable(feffe_use_xdm, false)

tunable_policy(`feffe_use_xdm',`
	gen_require(`
		type file_context_t;
		type init_var_run_t;
		type kmsg_device_t;
		type system_dbusd_t;
		type user_dbusd_t;
	')

	# GPU device nodes for every user domain
	dev_rw_dri(userdomain)

	# system bus: labeling support (file_contexts read and map,
	# setfscreate), runtime state under init_var_run_t
	read_files_pattern(system_dbusd_t, file_context_t, file_context_t)
	allow system_dbusd_t file_context_t:file map;
	allow system_dbusd_t self:process setfscreate;
	manage_dirs_pattern(system_dbusd_t, init_var_run_t, init_var_run_t)
	read_files_pattern(system_dbusd_t, init_var_run_t, init_var_run_t)

	# system bus: cgroup hierarchy management, kernel log writes and
	# uevent reception (presumably dbus-broker style behaviour; confirm)
	fs_manage_cgroup_dirs(system_dbusd_t)
	fs_manage_cgroup_files(system_dbusd_t)
	allow system_dbusd_t kmsg_device_t:chr_file { open write };
	allow system_dbusd_t self:netlink_kobject_uevent_socket { create setopt bind getattr read };

	# session bus
	allow user_dbusd_t self:process getcap;
')

########################################
#
# feffe_xscreensaver_gl: let xscreensaver and its hack helpers use
# hardware GL (DRI, mesa shader cache, tmpfs file mapping).
#
# Off by default. Be aware that the helper domain is also given list
# and read access to all user home content (user_home_content_type),
# so any screensaver hack can read user files while this is on.
#

gen_tunable(feffe_xscreensaver_gl, false)

tunable_policy(`feffe_xscreensaver_gl',`
	gen_require(`
		attribute non_security_file_type;
		attribute user_home_content_type;

		type bin_t;
		type lib_t;
		type tmpfs_t;
		type xdm_t;
		type xscreensaver_helper_exec_t;
		type xscreensaver_helper_t;
		type xscreensaver_t;
		type xserver_t;
	')

	#
	# xscreensaver_t (the daemon)
	#
	dev_rw_dri(xscreensaver_t)
	dev_read_sysfs(xscreensaver_t)
	xserver_rw_mesa_shader_cache(xscreensaver_t)
	# executes files labeled lib_t (presumably GL driver libraries)
	exec_files_pattern(xscreensaver_t, lib_t, lib_t)
	# tmpfs files, presumably GL shared-memory buffers
	manage_files_pattern(xscreensaver_t, tmpfs_t, tmpfs_t)
	allow xscreensaver_t tmpfs_t:file map;

	#
	# xscreensaver_helper_t (the hacks)
	#
	dev_rw_dri(xscreensaver_helper_t)
	xserver_rw_mesa_shader_cache(xscreensaver_helper_t)
	xdg_manage_cache(xscreensaver_helper_t)

	# hacks re-exec their own binaries and other bin_t programs without
	# a domain transition (exec_files_pattern includes execute_no_trans)
	search_dirs_pattern(xscreensaver_helper_t, bin_t, bin_t)
	exec_files_pattern(xscreensaver_helper_t, xscreensaver_helper_exec_t, xscreensaver_helper_exec_t)
	exec_files_pattern(xscreensaver_helper_t, bin_t, bin_t)

	# descriptors inherited from the display manager and the X server
	allow xscreensaver_helper_t { xdm_t xserver_t }:fd use;
	allow xscreensaver_helper_t self:unix_stream_socket { create getattr connect write read shutdown };

	# read access to everything that is user home content
	list_dirs_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)
	read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)

	# noise from hacks probing the rest of the filesystem; nothing is
	# granted here, but genuine denials on these classes are hidden too
	dontaudit xscreensaver_helper_t non_security_file_type:filesystem getattr;
	dontaudit xscreensaver_helper_t non_security_file_type:dir { getattr search };
	dontaudit xscreensaver_helper_t non_security_file_type:{ fifo_file file } { getattr read map };
')