From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1400777562.8f3ac480c34bff1c605ba8f4a71bc484dccd8b9d.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/gnome.fc policy/modules/contrib/gnome.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 8f3ac480c34bff1c605ba8f4a71bc484dccd8b9d
X-VCS-Branch: master
Date: Thu, 22 May 2014 16:53:34 +0000 (UTC)

commit:     8f3ac480c34bff1c605ba8f4a71bc484dccd8b9d
Author:     Jason Zaman perfinion com>
AuthorDate: Mon May 19 20:44:44 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Thu May 22 16:52:42 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f3ac480

Gnome Keyring policies

Gnome keyring communicates with other programs via a socket in ~/.cache/.
This patch creates gnome_xdg_*_home_t labels and lets gnome keyring manage them.

Signed-off-by: Jason Zaman perfinion.com>

---
 policy/modules/contrib/gnome.fc |  5 +++++
 policy/modules/contrib/gnome.te | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 209314b..9bc2c50 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -15,3 +15,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + + +ifdef(`distro_gentoo',` +HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0) +') diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te index 5dd3498..98cd996 100644 --- a/policy/modules/contrib/gnome.te +++ b/policy/modules/contrib/gnome.te @@ -141,9 +141,33 @@ optional_policy(` ') ifdef(`distro_gentoo',` + type gnome_xdg_cache_home_t; type gnome_xdg_config_t; # Fase out type gnome_xdg_config_home_t; + type gnome_xdg_data_home_t; + xdg_cache_home_content(gnome_xdg_cache_home_t) xdg_config_home_content(gnome_xdg_config_t) xdg_config_home_content(gnome_xdg_config_home_t) + xdg_data_home_content(gnome_xdg_data_home_t) + + ## + ## Keyring + ## + + # When gnome-keyring creates a .cache/keyring-.... make sure it is gnome_xdg_cache_home_t + xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir) + # Same for ~/.config and ~/.local stuff + xdg_config_home_filetrans(gkeyringd_domain, gnome_xdg_config_home_t, dir) + xdg_data_home_filetrans(gkeyringd_domain, gnome_xdg_data_home_t, dir) + + allow gkeyringd_domain gnome_xdg_cache_home_t:file manage_file_perms; + allow gkeyringd_domain gnome_xdg_cache_home_t:sock_file manage_sock_file_perms; + manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t) + + allow gkeyringd_domain gnome_xdg_config_home_t:file manage_file_perms; + manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_home_t, gnome_xdg_config_home_t) + + allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms; + manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, gnome_xdg_data_home_t) ')
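Review bot: in the gnome.fc hunk, the new entry `HOME_DIR/\.cache/keyring-.*` matches the intended paths but departs from the convention of the neighbouring contexts, which spell "a directory and everything below it" as `(/.*)?` (see `HOME_DIR/\.gnome2_private(/.*)?` in the context line); `HOME_DIR/\.cache/keyring-[^/]*(/.*)?` matches the same set in the house style. The hunk also adds two blank lines before the `ifdef(`distro_gentoo',`` block where one is customary. Worth remembering when maintaining this: a file-context entry only takes effect when the path is relabelled (restorecon/setfiles); at runtime the directory gets `gnome_xdg_cache_home_t` from the `xdg_cache_home_filetrans` rule added in gnome.te, so the two must be kept in sync.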
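Review bot: in the gnome.te hunk, the bare rules `allow gkeyringd_domain gnome_xdg_cache_home_t:file manage_file_perms;` and `allow gkeyringd_domain gnome_xdg_cache_home_t:sock_file manage_sock_file_perms;` (and the matching `:file` rules for the config and data types) should be written with the refpolicy pattern macros, e.g. `manage_files_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t)` and `manage_sock_files_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t)`, consistent with the `manage_dirs_pattern` calls already in the hunk; the patterns also carry the directory search/write permissions the raw rules leave implicit. Style: the `## Keyring` block uses the `##` prefix that refpolicy reserves for XML documentation comments; a plain section comment should use a single `#`. One design point deserves a comment in the code rather than only in the commit message: `xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir)` is not name-filtered, so every directory the keyring daemon creates under ~/.cache receives this type, not only the `keyring-*` one; a named file transition cannot be used because the suffix varies, so the breadth is deliberate and should be stated where the rule lives.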