* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/xdg/, policy/modules/contrib/
@ 2012-07-26 19:23 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-26 19:23 UTC (permalink / raw
To: gentoo-commits
commit: 96c7629be07f84b999f38c125668e64dd51072dd
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 26 19:22:45 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 26 19:22:45 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=96c7629b
Update on browsers, attempt to support additional xdg types
---
policy/modules/contrib/chromium.te | 2 +
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/xdg.autogen | 4 +
policy/modules/contrib/xdg.if | 402 ++++++++++----------
policy/modules/contrib/xdg.te | 16 +
.../contrib/xdg/xdg_cache_home_content.part | 20 +
.../contrib/xdg/xdg_cache_home_filetrans.part | 37 ++
.../contrib/xdg/xdg_config_home_content.part | 20 +
.../contrib/xdg/xdg_config_home_filetrans.part | 37 ++
.../modules/contrib/xdg/xdg_data_home_content.part | 20 +
.../contrib/xdg/xdg_data_home_filetrans.part | 37 ++
..._manage_generic_cache_home_content_content.part | 24 ++
.../xdg_manage_generic_config_home_content.part | 24 ++
.../xdg/xdg_manage_generic_data_home_content.part | 24 ++
.../xdg_manage_generic_runtime_home_content.part | 24 ++
.../contrib/xdg/xdg_read_all_cache_home_files.part | 20 +
.../xdg/xdg_read_all_config_home_files.part | 20 +
.../contrib/xdg/xdg_read_all_data_home_files.part | 20 +
.../xdg/xdg_read_all_runtime_home_files.part | 20 +
.../xdg/xdg_read_generic_cache_home_files.part | 21 +
.../xdg/xdg_read_generic_config_home_files.part | 21 +
.../xdg/xdg_read_generic_data_home_files.part | 21 +
.../xdg/xdg_read_generic_runtime_home_files.part | 21 +
...relabel_generic_cache_home_content_content.part | 24 ++
.../xdg_relabel_generic_config_home_content.part | 24 ++
.../xdg/xdg_relabel_generic_data_home_content.part | 24 ++
.../xdg_relabel_generic_runtime_home_content.part | 24 ++
.../contrib/xdg/xdg_runtime_home_content.part | 20 +
.../contrib/xdg/xdg_runtime_home_filetrans.part | 37 ++
29 files changed, 808 insertions(+), 202 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index a0a6c7a..1542fd6 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -129,7 +129,9 @@ fs_dontaudit_getattr_xattr_fs(chromium_t)
getty_dontaudit_use_fds(chromium_t)
+miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
+miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
sysnet_dns_name_resolve(chromium_t)
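Review bot: `miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")` only installs a named type transition; it does not itself allow chromium_t to create that directory, and the other rule added in this hunk, `miscfiles_read_all_certs(chromium_t)`, is read-only. Unless a create/manage rule on the user cert home type is granted elsewhere in chromium.te (the rest of the file is outside this hunk), the transition is inert and creation of `~/.nss` will simply be denied. A one-line comment stating the intent would help the next reader, e.g. `# presumably the per-user NSS database; ~/.nss is labelled as user cert home content`.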
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 29fec77..5a9c493 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -435,7 +435,7 @@ userdom_read_user_home_content_files(mozilla_plugin_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_t)
-xserver_user_x_domain_template(mozilla_plugin_t, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
tunable_policy(`allow_execmem',`
allow mozilla_plugin_t self:process { execmem execstack };
diff --git a/policy/modules/contrib/xdg.autogen b/policy/modules/contrib/xdg.autogen
new file mode 100644
index 0000000..073e71c
--- /dev/null
+++ b/policy/modules/contrib/xdg.autogen
@@ -0,0 +1,4 @@
+MODULE=xdg
+SUBDOMAINS=
+DESCRIPTION=XDG Desktop Standard locations
+
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 264cb41..e88bd1c 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -1,199 +1,132 @@
-## <summary>Policy for xdg desktop standard</summary>
-
-########################################
## <summary>
-## Mark the selected type as an xdg_data_home_type
+## XDG Desktop Standard locations
## </summary>
-## <param name="type">
-## <summary>
-## Type to give the xdg_data_home_type attribute to
-## </summary>
-## </param>
-#
-interface(`xdg_data_home_content',`
- gen_require(`
- attribute xdg_data_home_type;
- ')
-
- typeattribute $1 xdg_data_home_type;
- userdom_user_home_content($1)
-')
########################################
## <summary>
-## Create objects in an xdg_data_home directory
-## with an automatic type transition to
-## a specified private type.
+## Mark the selected type as an xdg_cache_home_type
## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private_type">
-## <summary>
-## The type of the object to create.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## The class of the object to be created.
-## </summary>
-## </param>
-## <param name="filename" optional="true">
+## <param name="type">
## <summary>
-## Optional name of the file or directory created
+## Type to give the xdg_cache_home_type attribute to
## </summary>
## </param>
#
-interface(`xdg_data_home_filetrans',`
+interface(`xdg_cache_home_content',`
gen_require(`
- type xdg_data_home_t;
+ attribute xdg_cache_home_type;
')
- userdom_search_user_home_dirs($1)
+ typeattribute $1 xdg_cache_home_type;
- filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
+ userdom_user_home_content($1)
')
########################################
## <summary>
-## Mark the selected type as an xdg_cache_home_type
+## Mark the selected type as an xdg_config_home_type
## </summary>
## <param name="type">
## <summary>
-## Type to give the xdg_cache_home_type attribute to
+## Type to give the xdg_config_home_type attribute to
## </summary>
## </param>
#
-interface(`xdg_cache_home_content',`
+interface(`xdg_config_home_content',`
gen_require(`
- attribute xdg_cache_home_type;
+ attribute xdg_config_home_type;
')
- typeattribute $1 xdg_cache_home_type;
+ typeattribute $1 xdg_config_home_type;
userdom_user_home_content($1)
')
########################################
## <summary>
-## Create objects in an xdg_cache_home directory
-## with an automatic type transition to
-## a specified private type.
+## Mark the selected type as an xdg_data_home_type
## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private_type">
-## <summary>
-## The type of the object to create.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## The class of the object to be created.
-## </summary>
-## </param>
-## <param name="filename" optional="true">
+## <param name="type">
## <summary>
-## Name of the file or directory created
+## Type to give the xdg_data_home_type attribute to
## </summary>
## </param>
#
-interface(`xdg_cache_home_filetrans',`
+interface(`xdg_data_home_content',`
gen_require(`
- type xdg_cache_home_t;
+ attribute xdg_data_home_type;
')
- userdom_search_user_home_dirs($1)
+ typeattribute $1 xdg_data_home_type;
- filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
+ userdom_user_home_content($1)
')
########################################
## <summary>
-## Mark the selected type as an xdg_config_home_type
+## Mark the selected type as an xdg_runtime_home_type
## </summary>
## <param name="type">
## <summary>
-## Type to give the xdg_config_home_type attribute to
+## Type to give the xdg_runtime_home_type attribute to
## </summary>
## </param>
#
-interface(`xdg_config_home_content',`
+interface(`xdg_runtime_home_content',`
gen_require(`
- attribute xdg_config_home_type;
+ attribute xdg_runtime_home_type;
')
- typeattribute $1 xdg_config_home_type;
+ typeattribute $1 xdg_runtime_home_type;
userdom_user_home_content($1)
')
########################################
## <summary>
-## Create objects in an xdg_config_home directory
-## with an automatic type transition to
-## a specified private type.
+## Read the xdg cache home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="private_type">
-## <summary>
-## The type of the object to create.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## The class of the object to be created.
-## </summary>
-## </param>
-## <param name="filename" optional="true">
-## <summary>
-## Name of the file or directory created
-## </summary>
-## </param>
#
-interface(`xdg_config_home_filetrans',`
+interface(`xdg_read_generic_cache_home_files',`
gen_require(`
- type xdg_config_home_t;
+ type xdg_cache_home_t;
')
- userdom_search_user_home_dirs($1)
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Mark the selected type as an xdg_runtime_home_type
+## Read all xdg_cache_home_type files
## </summary>
-## <param name="type">
+## <param name="domain">
## <summary>
-## Type to give the xdg_runtime_home_type attribute to
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`xdg_runtime_home_content',`
+interface(`xdg_read_all_cache_home_files',`
gen_require(`
- attribute xdg_runtime_home_type;
+ attribute xdg_cache_home_type;
')
- typeattribute $1 xdg_runtime_home_type;
+ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
- userdom_user_home_content($1)
+ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Create objects in an xdg_runtime_home directory
+## Create objects in an xdg_cache_home directory
## with an automatic type transition to
## a specified private type.
## </summary>
@@ -218,19 +151,19 @@ interface(`xdg_runtime_home_content',`
## </summary>
## </param>
#
-interface(`xdg_runtime_home_filetrans',`
+interface(`xdg_cache_home_filetrans',`
gen_require(`
- type xdg_runtime_home_t;
+ type xdg_cache_home_t;
')
- files_search_pids($1)
+ userdom_search_user_home_dirs($1)
- filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
')
########################################
## <summary>
-## Read the xdg cache home files
+## Manage the xdg cache home files
## </summary>
## <param name="domain">
## <summary>
@@ -238,34 +171,17 @@ interface(`xdg_runtime_home_filetrans',`
## </summary>
## </param>
#
-interface(`xdg_read_generic_cache_home_files',`
+interface(`xdg_manage_generic_cache_home_content',`
gen_require(`
- type xdg_cache_home_t;
+ type xdg_cache_home_t;
')
- read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
-
- userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-## Read all xdg_cache_home_type files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_read_all_cache_home_files',`
- gen_require(`
- attribute xdg_cache_home_type;
- ')
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
-
userdom_search_user_home_dirs($1)
')
@@ -281,7 +197,7 @@ interface(`xdg_read_all_cache_home_files',`
#
interface(`xdg_relabel_generic_cache_home_content',`
gen_require(`
- type xdg_cache_home_t;
+ type xdg_cache_home_t;
')
relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
@@ -289,32 +205,7 @@ interface(`xdg_relabel_generic_cache_home_content',`
relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
-
- userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
-## Manage the xdg cache home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_manage_generic_cache_home_content',`
- gen_require(`
- type xdg_cache_home_t;
- ')
-
- manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
-
userdom_search_user_home_dirs($1)
')
@@ -330,12 +221,12 @@ interface(`xdg_manage_generic_cache_home_content',`
#
interface(`xdg_read_generic_config_home_files',`
gen_require(`
- type xdg_config_home_t;
+ type xdg_config_home_t;
')
read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
-
+
userdom_search_user_home_dirs($1)
')
@@ -355,34 +246,46 @@ interface(`xdg_read_all_config_home_files',`
')
read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
-
+
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Allow relabeling the xdg config home files
+## Create objects in an xdg_config_home directory
+## with an automatic type transition to
+## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
#
-interface(`xdg_relabel_generic_config_home_content',`
+interface(`xdg_config_home_filetrans',`
gen_require(`
- type xdg_config_home_t;
+ type xdg_config_home_t;
')
- relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
-
userdom_search_user_home_dirs($1)
-')
+ filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+')
########################################
## <summary>
@@ -396,7 +299,7 @@ interface(`xdg_relabel_generic_config_home_content',`
#
interface(`xdg_manage_generic_config_home_content',`
gen_require(`
- type xdg_config_home_t;
+ type xdg_config_home_t;
')
manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
@@ -404,7 +307,31 @@ interface(`xdg_manage_generic_config_home_content',`
manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
-
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
userdom_search_user_home_dirs($1)
')
@@ -420,12 +347,12 @@ interface(`xdg_manage_generic_config_home_content',`
#
interface(`xdg_read_generic_data_home_files',`
gen_require(`
- type xdg_data_home_t;
+ type xdg_data_home_t;
')
read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
-
+
userdom_search_user_home_dirs($1)
')
@@ -445,32 +372,45 @@ interface(`xdg_read_all_data_home_files',`
')
read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
-
+
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Allow relabeling the xdg data home files
+## Create objects in an xdg_data_home directory
+## with an automatic type transition to
+## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional name of the file or directory created
+## </summary>
+## </param>
#
-interface(`xdg_relabel_generic_data_home_content',`
+interface(`xdg_data_home_filetrans',`
gen_require(`
- type xdg_data_home_t;
+ type xdg_data_home_t;
')
- relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
-
userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
')
########################################
@@ -485,7 +425,7 @@ interface(`xdg_relabel_generic_data_home_content',`
#
interface(`xdg_manage_generic_data_home_content',`
gen_require(`
- type xdg_data_home_t;
+ type xdg_data_home_t;
')
manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
@@ -493,7 +433,31 @@ interface(`xdg_manage_generic_data_home_content',`
manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
-
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
userdom_search_user_home_dirs($1)
')
@@ -509,7 +473,7 @@ interface(`xdg_manage_generic_data_home_content',`
#
interface(`xdg_read_generic_runtime_home_files',`
gen_require(`
- type xdg_runtime_home_t;
+ type xdg_runtime_home_t;
')
read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
@@ -540,26 +504,39 @@ interface(`xdg_read_all_runtime_home_files',`
########################################
## <summary>
-## Allow relabeling the xdg runtime home files
+## Create objects in an xdg_runtime_home directory
+## with an automatic type transition to
+## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
#
-interface(`xdg_relabel_generic_runtime_home_content',`
+interface(`xdg_runtime_home_filetrans',`
gen_require(`
- type xdg_runtime_home_t;
+ type xdg_runtime_home_t;
')
- relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
-
files_search_pids($1)
+
+ filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
')
########################################
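Review bot: `filetrans_pattern($1, xdg_runtime_home_t, $2, $3)` at the end of `xdg_runtime_home_filetrans` drops the fourth argument, although the block above it documents an optional `filename` parameter and the cache, config and data counterparts in this file pass `$4`. A caller that supplies a name therefore gets an unnamed transition on the whole class, which is broader than the caller asked for. It should read `filetrans_pattern($1, xdg_runtime_home_t, $2, $3, $4)`. The same interface is also emitted as `xdg_runtime_home_filetrans.part` (listed in the diffstat but outside this view) and would need the same fix there.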
@@ -574,7 +551,7 @@ interface(`xdg_relabel_generic_runtime_home_content',`
#
interface(`xdg_manage_generic_runtime_home_content',`
gen_require(`
- type xdg_runtime_home_t;
+ type xdg_runtime_home_t;
')
manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
@@ -586,3 +563,26 @@ interface(`xdg_manage_generic_runtime_home_content',`
files_search_pids($1)
')
+########################################
+## <summary>
+## Allow relabeling the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te
index f9088b4..00348bb 100644
--- a/policy/modules/contrib/xdg.te
+++ b/policy/modules/contrib/xdg.te
@@ -24,3 +24,19 @@ xdg_cache_home_content(xdg_cache_home_t)
type xdg_runtime_home_t;
xdg_runtime_home_content(xdg_runtime_home_t)
+
+# Various user location types (see ~/.config/user-dirs.dirs)
+type xdg_downloads_user_home_t; # customizable
+userdom_user_home_content(xdg_downloads_user_home_t)
+
+type xdg_documents_user_home_t; # customizable
+userdom_user_home_content(xdg_documents_user_home_t)
+
+type xdg_music_user_home_t; # customizable
+userdom_user_home_content(xdg_documents_user_home_t)
+
+type xdg_pictures_user_home_t; # customizable
+userdom_user_home_content(xdg_pictures_user_home_t)
+
+type xdg_videos_user_home_t; # customizable
+userdom_user_home_content(xdg_videos_user_home_t)
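Review bot: The `userdom_user_home_content` call that follows `type xdg_music_user_home_t; # customizable` names `xdg_documents_user_home_t` instead, so the music type never receives the user home content attributes while the documents type is registered twice; it should read `userdom_user_home_content(xdg_music_user_home_t)`. This does not fail the build, so it will surface only as denials for anything labelled with the music type. The diffstat also shows no xdg.fc change, so none of these five types appear to have file context entries yet; if that is intended as a follow-up, a comment saying so next to the `# Various user location types` line would avoid the question.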
diff --git a/policy/modules/contrib/xdg/xdg_cache_home_content.part b/policy/modules/contrib/xdg/xdg_cache_home_content.part
new file mode 100644
index 0000000..b7d8996
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_cache_home_content.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_cache_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_cache_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_content',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ typeattribute $1 xdg_cache_home_type;
+
+ userdom_user_home_content($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_cache_home_filetrans.part b/policy/modules/contrib/xdg/xdg_cache_home_filetrans.part
new file mode 100644
index 0000000..752431f
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_cache_home_filetrans.part
@@ -0,0 +1,37 @@
+
+########################################
+## <summary>
+## Create objects in an xdg_cache_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_filetrans',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
+')
diff --git a/policy/modules/contrib/xdg/xdg_config_home_content.part b/policy/modules/contrib/xdg/xdg_config_home_content.part
new file mode 100644
index 0000000..83664e5
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_config_home_content.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_config_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_config_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_content',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ typeattribute $1 xdg_config_home_type;
+
+ userdom_user_home_content($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_config_home_filetrans.part b/policy/modules/contrib/xdg/xdg_config_home_filetrans.part
new file mode 100644
index 0000000..91da7b8
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_config_home_filetrans.part
@@ -0,0 +1,37 @@
+
+########################################
+## <summary>
+## Create objects in an xdg_config_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_filetrans',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+')
diff --git a/policy/modules/contrib/xdg/xdg_data_home_content.part b/policy/modules/contrib/xdg/xdg_data_home_content.part
new file mode 100644
index 0000000..a9f13e7
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_data_home_content.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_data_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_data_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_content',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ typeattribute $1 xdg_data_home_type;
+
+ userdom_user_home_content($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_data_home_filetrans.part b/policy/modules/contrib/xdg/xdg_data_home_filetrans.part
new file mode 100644
index 0000000..39d9e82
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_data_home_filetrans.part
@@ -0,0 +1,37 @@
+
+########################################
+## <summary>
+## Create objects in an xdg_data_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_filetrans',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
+')
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_cache_home_content_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_cache_home_content_content.part
new file mode 100644
index 0000000..0b80736
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_manage_generic_cache_home_content_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
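Review bot: This new part file is named `xdg_manage_generic_cache_home_content_content.part` (doubled `_content`) while the interface it defines is `xdg_manage_generic_cache_home_content`, and every sibling part is named exactly after its interface. If the autogen step derives ordering or names from the file name, or a maintainer looks the part up by interface name, this one will be missed or mis-sorted. Rename it to `xdg_manage_generic_cache_home_content.part`.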
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_config_home_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_config_home_content.part
new file mode 100644
index 0000000..05253dc
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_manage_generic_config_home_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_data_home_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_data_home_content.part
new file mode 100644
index 0000000..540fb30
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_manage_generic_data_home_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_runtime_home_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_runtime_home_content.part
new file mode 100644
index 0000000..0b2ea5f
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_manage_generic_runtime_home_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Manage the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_read_all_cache_home_files.part b/policy/modules/contrib/xdg/xdg_read_all_cache_home_files.part
new file mode 100644
index 0000000..a9c6523
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_all_cache_home_files.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Read all xdg_cache_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_cache_home_files',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
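Review bot: read_files_pattern on its own grants read on the files and search on the directories but no directory listing, so a domain given xdg_read_all_cache_home_files can open a cache file whose name it already knows but cannot enumerate a cache directory. The generic variant added in this same commit pairs read_files_pattern with list_dirs_pattern, and the read_all variant should match it: `list_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)`. The same omission is in xdg_read_all_config_home_files, xdg_read_all_data_home_files and xdg_read_all_runtime_home_files. If the narrower grant is deliberate, the summary should say so, since the "all" in the name suggests the wider of the two.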
diff --git a/policy/modules/contrib/xdg/xdg_read_all_config_home_files.part b/policy/modules/contrib/xdg/xdg_read_all_config_home_files.part
new file mode 100644
index 0000000..ae678b6
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_all_config_home_files.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Read all xdg_config_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_config_home_files',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_read_all_data_home_files.part b/policy/modules/contrib/xdg/xdg_read_all_data_home_files.part
new file mode 100644
index 0000000..3cfaf56
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_all_data_home_files.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Read all xdg_data_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_data_home_files',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_read_all_runtime_home_files.part b/policy/modules/contrib/xdg/xdg_read_all_runtime_home_files.part
new file mode 100644
index 0000000..14802cd
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_all_runtime_home_files.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Read all xdg_runtime_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_runtime_home_files',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+
+ files_search_pids($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_read_generic_cache_home_files.part b/policy/modules/contrib/xdg/xdg_read_generic_cache_home_files.part
new file mode 100644
index 0000000..74c76d8
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_generic_cache_home_files.part
@@ -0,0 +1,21 @@
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_cache_home_files',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_read_generic_config_home_files.part b/policy/modules/contrib/xdg/xdg_read_generic_config_home_files.part
new file mode 100644
index 0000000..1087a5f
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_generic_config_home_files.part
@@ -0,0 +1,21 @@
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_config_home_files',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_read_generic_data_home_files.part b/policy/modules/contrib/xdg/xdg_read_generic_data_home_files.part
new file mode 100644
index 0000000..82870a1
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_generic_data_home_files.part
@@ -0,0 +1,21 @@
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_data_home_files',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_read_generic_runtime_home_files.part b/policy/modules/contrib/xdg/xdg_read_generic_runtime_home_files.part
new file mode 100644
index 0000000..6c21442
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_read_generic_runtime_home_files.part
@@ -0,0 +1,21 @@
+
+########################################
+## <summary>
+## Read the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_runtime_home_files',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ list_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_cache_home_content_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_cache_home_content_content.part
new file mode 100644
index 0000000..acb1896
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_relabel_generic_cache_home_content_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
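Review bot: The file is named xdg_relabel_generic_cache_home_content_content.part (doubled `_content`) while the interface it defines is xdg_relabel_generic_cache_home_content, and the diffstat shows the manage counterpart carries the same doubled suffix whereas the config, data and runtime siblings do not. If xdg.autogen derives interface order or names from the .part file name, the mismatch is more than cosmetic; renaming the file to `xdg_relabel_generic_cache_home_content.part` keeps it consistent with the other three.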
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_config_home_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_config_home_content.part
new file mode 100644
index 0000000..304b69b
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_relabel_generic_config_home_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_data_home_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_data_home_content.part
new file mode 100644
index 0000000..05b86b5
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_relabel_generic_data_home_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_runtime_home_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_runtime_home_content.part
new file mode 100644
index 0000000..56eeb0d
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_relabel_generic_runtime_home_content.part
@@ -0,0 +1,24 @@
+
+########################################
+## <summary>
+## Allow relabeling the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
diff --git a/policy/modules/contrib/xdg/xdg_runtime_home_content.part b/policy/modules/contrib/xdg/xdg_runtime_home_content.part
new file mode 100644
index 0000000..2497920
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_runtime_home_content.part
@@ -0,0 +1,20 @@
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_runtime_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_runtime_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_content',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ typeattribute $1 xdg_runtime_home_type;
+
+ userdom_user_home_content($1)
+')
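Review bot: xdg_runtime_home_content tags the type with userdom_user_home_content($1), placing it in the user home content hierarchy, yet every runtime-home interface in this commit (xdg_manage_generic_runtime_home_content, xdg_read_all_runtime_home_files, xdg_read_generic_runtime_home_files, xdg_relabel_generic_runtime_home_content, xdg_runtime_home_filetrans) reaches the directory through files_search_pids($1) rather than the userdom_search_user_home_dirs($1) the cache, config and data siblings use. One of the two is presumably wrong: if the runtime directory lives under the pid directory, the user-home attribute makes its content reachable by any domain holding blanket user-home-content permissions, and if it lives under the home directory, the search call is the one that does not fit. Either way the summary should record the intended location, e.g. `## Mark the selected type as an xdg_runtime_home_type (content of the per-user runtime directory)`.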
diff --git a/policy/modules/contrib/xdg/xdg_runtime_home_filetrans.part b/policy/modules/contrib/xdg/xdg_runtime_home_filetrans.part
new file mode 100644
index 0000000..60d979b
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_runtime_home_filetrans.part
@@ -0,0 +1,37 @@
+
+########################################
+## <summary>
+## Create objects in an xdg_runtime_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_filetrans',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ files_search_pids($1)
+
+ filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
+')
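Review bot: The optional `filename` parameter documented at the top of xdg_runtime_home_filetrans is never forwarded: filetrans_pattern is called with `$1, xdg_runtime_home_t, $2, $3` only, so a caller that passes a name gets an unnamed transition applying to every object of that class created in the directory, which is wider than the name-based rule it asked for. Forward the fourth argument, `filetrans_pattern($1, xdg_runtime_home_t, $2, $3, $4)`, as refpolicy's filetrans_pattern accepts an optional name argument. The cache, config and data filetrans parts listed in the diffstat are outside this chunk and likely need the same check.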
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/xdg/, policy/modules/contrib/
@ 2012-07-27 10:22 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-27 10:22 UTC (permalink / raw
To: gentoo-commits
commit: 3ee9a47aee1b93fee336d9fe0b93fd1e27ca1971
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jul 27 10:14:48 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Jul 27 10:14:48 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3ee9a47a
Use attribute for all_runtime_home
---
policy/modules/contrib/xdg.if | 12 +++++-----
.../contrib/xdg/xdg_manage_all_runtime_home.part | 12 +++++-----
..._manage_generic_cache_home_content_content.part | 24 --------------------
.../xdg_manage_generic_config_home_content.part | 24 --------------------
.../xdg/xdg_manage_generic_data_home_content.part | 24 --------------------
.../xdg_manage_generic_runtime_home_content.part | 24 --------------------
...relabel_generic_cache_home_content_content.part | 24 --------------------
.../xdg_relabel_generic_config_home_content.part | 24 --------------------
.../xdg/xdg_relabel_generic_data_home_content.part | 24 --------------------
.../xdg_relabel_generic_runtime_home_content.part | 24 --------------------
10 files changed, 12 insertions(+), 204 deletions(-)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index d9621cc..923b957 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -737,14 +737,14 @@ interface(`xdg_manage_generic_runtime_home',`
#
interface(`xdg_manage_all_runtime_home',`
gen_require(`
- attribute xdg_runtime_home_t;
+ attribute xdg_runtime_home_type;
')
- manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_dirs_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_lnk_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_fifo_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_sock_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
files_search_pids($1)
')
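Review bot: xdg_manage_all_runtime_home now grants manage permissions over the whole xdg_runtime_home_type attribute, so every type any module later tags through xdg_runtime_home_content() becomes manageable by every caller of this interface; the interface's summary block, which sits outside this hunk, should state the intended audience, e.g. `## Manage all xdg runtime home content (every type carrying xdg_runtime_home_type); intended for session-management domains, not applications.`. The identical edit is repeated by hand in the xdg_manage_all_runtime_home.part hunk that follows; if xdg.if is generated from the .part files by xdg.autogen, regenerating it would be safer than patching both. The eight manage/relabel generic .part files this commit deletes do not show up as removals in the xdg.if diffstat, which may leave the generated xdg.if carrying interfaces that no longer have a source part — worth confirming against the generator.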
diff --git a/policy/modules/contrib/xdg/xdg_manage_all_runtime_home.part b/policy/modules/contrib/xdg/xdg_manage_all_runtime_home.part
index c42ca6e..39cc849 100644
--- a/policy/modules/contrib/xdg/xdg_manage_all_runtime_home.part
+++ b/policy/modules/contrib/xdg/xdg_manage_all_runtime_home.part
@@ -11,14 +11,14 @@
#
interface(`xdg_manage_all_runtime_home',`
gen_require(`
- attribute xdg_runtime_home_t;
+ attribute xdg_runtime_home_type;
')
- manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_dirs_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_lnk_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_fifo_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+ manage_sock_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
files_search_pids($1)
')
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_cache_home_content_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_cache_home_content_content.part
deleted file mode 100644
index 0b80736..0000000
--- a/policy/modules/contrib/xdg/xdg_manage_generic_cache_home_content_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Manage the xdg cache home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_manage_generic_cache_home_content',`
- gen_require(`
- type xdg_cache_home_t;
- ')
-
- manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
-
- userdom_search_user_home_dirs($1)
-')
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_config_home_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_config_home_content.part
deleted file mode 100644
index 05253dc..0000000
--- a/policy/modules/contrib/xdg/xdg_manage_generic_config_home_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Manage the xdg config home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_manage_generic_config_home_content',`
- gen_require(`
- type xdg_config_home_t;
- ')
-
- manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
- manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
-
- userdom_search_user_home_dirs($1)
-')
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_data_home_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_data_home_content.part
deleted file mode 100644
index 540fb30..0000000
--- a/policy/modules/contrib/xdg/xdg_manage_generic_data_home_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Manage the xdg data home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_manage_generic_data_home_content',`
- gen_require(`
- type xdg_data_home_t;
- ')
-
- manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
- manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
-
- userdom_search_user_home_dirs($1)
-')
diff --git a/policy/modules/contrib/xdg/xdg_manage_generic_runtime_home_content.part b/policy/modules/contrib/xdg/xdg_manage_generic_runtime_home_content.part
deleted file mode 100644
index 0b2ea5f..0000000
--- a/policy/modules/contrib/xdg/xdg_manage_generic_runtime_home_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Manage the xdg runtime home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_manage_generic_runtime_home_content',`
- gen_require(`
- type xdg_runtime_home_t;
- ')
-
- manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
-
- files_search_pids($1)
-')
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_cache_home_content_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_cache_home_content_content.part
deleted file mode 100644
index acb1896..0000000
--- a/policy/modules/contrib/xdg/xdg_relabel_generic_cache_home_content_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Allow relabeling the xdg cache home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_relabel_generic_cache_home_content',`
- gen_require(`
- type xdg_cache_home_t;
- ')
-
- relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
- relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
-
- userdom_search_user_home_dirs($1)
-')
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_config_home_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_config_home_content.part
deleted file mode 100644
index 304b69b..0000000
--- a/policy/modules/contrib/xdg/xdg_relabel_generic_config_home_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Allow relabeling the xdg config home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_relabel_generic_config_home_content',`
- gen_require(`
- type xdg_config_home_t;
- ')
-
- relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
- relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
-
- userdom_search_user_home_dirs($1)
-')
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_data_home_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_data_home_content.part
deleted file mode 100644
index 05b86b5..0000000
--- a/policy/modules/contrib/xdg/xdg_relabel_generic_data_home_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Allow relabeling the xdg data home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_relabel_generic_data_home_content',`
- gen_require(`
- type xdg_data_home_t;
- ')
-
- relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
- relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
-
- userdom_search_user_home_dirs($1)
-')
diff --git a/policy/modules/contrib/xdg/xdg_relabel_generic_runtime_home_content.part b/policy/modules/contrib/xdg/xdg_relabel_generic_runtime_home_content.part
deleted file mode 100644
index 56eeb0d..0000000
--- a/policy/modules/contrib/xdg/xdg_relabel_generic_runtime_home_content.part
+++ /dev/null
@@ -1,24 +0,0 @@
-
-########################################
-## <summary>
-## Allow relabeling the xdg runtime home files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xdg_relabel_generic_runtime_home_content',`
- gen_require(`
- type xdg_runtime_home_t;
- ')
-
- relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
- relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
-
- files_search_pids($1)
-')