I created a policy for the vino server today. I tested it a few times and it works. You can use it either by enabling remote desktop or via Empathy. It requires many patches etc. though. I attached what I think is related; I might have missed some. It is also in my git repository (I maintain it there): git clone git://82.197.205.60/selinux-modules.git You will have to add some VNC tube ports (vnc_port_t); there is a comment about it in vino.te.
# vino.fc - file contexts for the vino module. Types are declared in vino.te.

# Per-user vino state (vino.te mentions ~/.local/share/vino/vino-server.lock).
HOME_DIR/\.local/share/vino(/.*)?	gen_context(system_u:object_r:vino_server_data_home_t, s0)

# Entry point of the vino_server_t domain.
/usr/libexec/vino-server	--	gen_context(system_u:object_r:vino_server_exec_t, s0)
# telepathy.fc - file contexts for the telepathy module. Types are declared in telepathy.te.

# Mission Control account and connection state kept in the home directory.
HOME_DIR/\.mission-control(/.*)?	gen_context(system_u:object_r:tp_mission_control_home_t, s0)
HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:tp_mission_control_home_t, s0)

# Connection manager entry points; each one is the entry point of the
# matching tp_*_t domain.
# NOTE(review): telepathy.te declares tp_haze_t and tp_stream_engine_t but
# gives neither any rules beyond the shared tp_domains ones, so processes
# started from the two labels below will run in an essentially empty domain.
# telepathy.te itself suggests relabeling telepathy-haze to tp_butterfly_exec_t.
/usr/libexec/mission-control-5	--	gen_context(system_u:object_r:tp_mission_control_exec_t, s0)
/usr/libexec/telepathy-butterfly	--	gen_context(system_u:object_r:tp_butterfly_exec_t, s0)
/usr/libexec/telepathy-gabble	--	gen_context(system_u:object_r:tp_gabble_exec_t, s0)
/usr/libexec/telepathy-haze	--	gen_context(system_u:object_r:tp_haze_exec_t, s0)
/usr/libexec/telepathy-idle	--	gen_context(system_u:object_r:tp_idle_exec_t, s0)
/usr/libexec/telepathy-salut	--	gen_context(system_u:object_r:tp_salut_exec_t, s0)
/usr/libexec/telepathy-sofiasip	--	gen_context(system_u:object_r:tp_sofiasip_exec_t, s0)
/usr/libexec/telepathy-stream-engine	--	gen_context(system_u:object_r:tp_stream_engine_exec_t, s0)
## <summary>Telepathy framework.</summary>
## <desc>
##	<p>
##	The Telepathy project is building a unified framework
##	for many different kinds of real-time communications.
##	It uses the D-Bus messaging system to provide a simple
##	interface for client applications, allowing them to
##	quickly take advantage of Telepathy's benefits.
##	</p>
##	<p>
##	Mission Control, or MC, is a Telepathy component
##	providing a way for "end-user" applications to abstract
##	some of the details of connection managers, to provide
##	a simple way to manipulate a bunch of connection
##	managers at once, and to remove the need to have in each
##	program the account definitions and credentials.
##	</p>
## </desc>

#######################################
## <summary>
##	The role template for the Telepathy module.
##	Makes every connection manager domain startable by the
##	role's session D-Bus and lets the user domain run,
##	signal, ptrace and list those processes.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
template(`telepathy_role_template', `
	gen_require(`
		attribute tp_domains;
		type tp_butterfly_t, tp_gabble_t, tp_haze_t;
		type tp_idle_t, tp_mission_control_t, tp_salut_t;
		type tp_sofiasip_t, tp_stream_engine_t;
		type tp_butterfly_exec_t, tp_gabble_exec_t, tp_haze_exec_t;
		type tp_idle_exec_t, tp_mission_control_exec_t, tp_salut_exec_t;
		type tp_sofiasip_exec_t, tp_stream_engine_exec_t;
		# tp_haze_tmp_t is required here but not referenced below.
		type tp_butterfly_tmp_t, tp_haze_tmp_t;
		type tp_salut_tmp_t;
	')

	########################################
	#
	# Telepathy global shared declarations.
	#

	########################################
	#
	# Telepathy Butterfly shared declarations.
	#

	dbus_session_domain($1, tp_butterfly_t, tp_butterfly_exec_t)
	role $2 types tp_butterfly_t;

	########################################
	#
	# Telepathy Gabble shared declarations.
	#

	dbus_session_domain($1, tp_gabble_t, tp_gabble_exec_t)
	role $2 types tp_gabble_t;

	########################################
	#
	# Telepathy Haze shared declarations.
	#

	dbus_session_domain($1, tp_haze_t, tp_haze_exec_t)
	role $2 types tp_haze_t;

	########################################
	#
	# Telepathy Idle shared declarations.
	#

	dbus_session_domain($1, tp_idle_t, tp_idle_exec_t)
	role $2 types tp_idle_t;

	########################################
	#
	# Telepathy Mission-Control shared declarations.
	#

	dbus_session_domain($1, tp_mission_control_t, tp_mission_control_exec_t)
	role $2 types tp_mission_control_t;

	########################################
	#
	# Telepathy Salut shared declarations.
	#

	dbus_session_domain($1, tp_salut_t, tp_salut_exec_t)
	role $2 types tp_salut_t;

	########################################
	#
	# Telepathy Sofiasip shared declarations.
	#

	dbus_session_domain($1, tp_sofiasip_t, tp_sofiasip_exec_t)
	role $2 types tp_sofiasip_t;

	########################################
	#
	# Telepathy Stream-Engine shared declarations.
	#

	dbus_session_domain($1, tp_stream_engine_t, tp_stream_engine_exec_t)
	role $2 types tp_stream_engine_t;

	########################################
	#
	# Telepathy global shared policy.
	#

	# The user domain may signal, ptrace and inspect (/proc) every
	# connection manager it owns.
	allow $3 tp_domains:process { ptrace signal_perms };
	ps_process_pattern($3, tp_domains)

	optional_policy(`
		telepathy_dbus_chat($3)
	')

	########################################
	#
	# Telepathy Butterfly shared policy.
	#

	domtrans_pattern($3, tp_butterfly_exec_t, tp_butterfly_t)
	manage_files_pattern($3, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
	relabel_files_pattern($3, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
	# NOTE(review): lets the butterfly domain transition into ldconfig's domain
	# for role $2. For an IM connection manager this is unusual and is probably
	# a side effect of the shell/bin exec it is granted in telepathy.te -
	# confirm the denial this addresses before keeping it.
	libs_run_ldconfig(tp_butterfly_t, $2)

	########################################
	#
	# Telepathy Gabble shared policy.
	#

	domtrans_pattern($3, tp_gabble_exec_t, tp_gabble_t)

	########################################
	#
	# Telepathy Haze shared policy.
	#

	domtrans_pattern($3, tp_haze_exec_t, tp_haze_t)

	########################################
	#
	# Telepathy Idle shared policy.
	#

	domtrans_pattern($3, tp_idle_exec_t, tp_idle_t)

	########################################
	#
	# Telepathy Mission-Control shared policy.
	#

	domtrans_pattern($3, tp_mission_control_exec_t, tp_mission_control_t)

	########################################
	#
	# Telepathy Salut shared policy.
	#

	domtrans_pattern($3, tp_salut_exec_t, tp_salut_t)
	manage_sock_files_pattern($3, tp_salut_tmp_t, tp_salut_tmp_t)
	relabel_sock_files_pattern($3, tp_salut_tmp_t, tp_salut_tmp_t)
	telepathy_salut_stream_connect($3)

	########################################
	#
	# Telepathy Sofiasip shared policy.
	#

	domtrans_pattern($3, tp_sofiasip_exec_t, tp_sofiasip_t)

	########################################
	#
	# Telepathy Stream-Engine shared policy.
	#

	domtrans_pattern($3, tp_stream_engine_exec_t, tp_stream_engine_t)
')

########################################
## <summary>
##	Send DBus messages to and from
##	all Telepathy domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_dbus_chat', `
	gen_require(`
		attribute tp_domains;
		class dbus send_msg;
	')

	# Bidirectional: the caller can message every tp_*_t domain and each
	# of them can message the caller.
	allow $1 tp_domains:dbus send_msg;
	allow tp_domains $1:dbus send_msg;
')

########################################
## <summary>
##	Send DBus messages to and from
##	Telepathy Gabble.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_gabble_dbus_chat', `
	gen_require(`
		type tp_gabble_t;
		class dbus send_msg;
	')

	allow $1 tp_gabble_t:dbus send_msg;
	allow tp_gabble_t $1:dbus send_msg;
')

########################################
## <summary>
##	Read and write Telepathy Butterfly
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_butterfly_rw_tmp_files', `
	gen_require(`
		type tp_butterfly_tmp_t;
	')

	allow $1 tp_butterfly_tmp_t:file rw_file_perms;
	# The files live under /tmp, so the caller also needs to search it.
	files_search_tmp($1)
')

########################################
## <summary>
##	Stream connect to Telepathy Salut
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`telepathy_salut_stream_connect', `
	gen_require(`
		type tp_salut_t, tp_salut_tmp_t;
	')

	# Connect to the salut unix socket (tp_salut_tmp_t) in a tp_salut_tmp_t dir.
	stream_connect_pattern($1, tp_salut_tmp_t, tp_salut_tmp_t, tp_salut_t)
')
policy_module(telepathy, 1.0.0)

########################################
#
# Telepathy global personal declarations.
#

# Every connection manager domain carries this attribute; the rules on
# tp_domains in the global policy section apply to all of them.
attribute tp_domains;

########################################
#
# Telepathy Butterfly personal declarations.
#

type tp_butterfly_t, tp_domains;
type tp_butterfly_exec_t;
application_domain(tp_butterfly_t, tp_butterfly_exec_t)
ubac_constrained(tp_butterfly_t)

type tp_butterfly_tmp_t;
files_tmp_file(tp_butterfly_tmp_t)
ubac_constrained(tp_butterfly_tmp_t)

########################################
#
# Telepathy Gabble personal declarations.
#

type tp_gabble_t, tp_domains;
type tp_gabble_exec_t;
application_domain(tp_gabble_t, tp_gabble_exec_t)
ubac_constrained(tp_gabble_t)

########################################
#
# Telepathy Haze personal declarations.
#

# NOTE(review): tp_haze_t is declared and wired into the role template, but
# the "Telepathy Haze personal policy" section below contains no rules, so a
# process in this domain only gets the shared tp_domains rules.
type tp_haze_t, tp_domains;
type tp_haze_exec_t;
application_domain(tp_haze_t, tp_haze_exec_t)
ubac_constrained(tp_haze_t)

# Declared but not used by any rule in this file.
type tp_haze_tmp_t;
files_tmp_file(tp_haze_tmp_t)
ubac_constrained(tp_haze_tmp_t)

########################################
#
# Telepathy Idle personal declarations.
#

type tp_idle_t, tp_domains;
type tp_idle_exec_t;
application_domain(tp_idle_t, tp_idle_exec_t)
ubac_constrained(tp_idle_t)

########################################
#
# Telepathy Mission-Control personal declarations.
#

type tp_mission_control_t, tp_domains;
type tp_mission_control_exec_t;
application_domain(tp_mission_control_t, tp_mission_control_exec_t)
ubac_constrained(tp_mission_control_t)

# ~/.mission-control and ~/.cache/.mc_connections (see telepathy.fc).
type tp_mission_control_home_t;
userdom_user_home_content(tp_mission_control_home_t)

########################################
#
# Telepathy Salut personal declarations.
#

type tp_salut_t, tp_domains;
type tp_salut_exec_t;
application_domain(tp_salut_t, tp_salut_exec_t)
ubac_constrained(tp_salut_t)

type tp_salut_tmp_t;
files_tmp_file(tp_salut_tmp_t)
ubac_constrained(tp_salut_tmp_t)

########################################
#
# Telepathy Sofiasip personal declarations.
#

type tp_sofiasip_t, tp_domains;
type tp_sofiasip_exec_t;
application_domain(tp_sofiasip_t, tp_sofiasip_exec_t)
ubac_constrained(tp_sofiasip_t)

########################################
#
# Telepathy Stream-Engine personal declarations.
#

# NOTE(review): like tp_haze_t, this domain has no rules of its own below.
type tp_stream_engine_t, tp_domains;
type tp_stream_engine_exec_t;
application_domain(tp_stream_engine_t, tp_stream_engine_exec_t)
ubac_constrained(tp_stream_engine_t)

########################################
#
# Telepathy global personal policy.
#

allow tp_domains self:process { getsched signal };
allow tp_domains self:fifo_file rw_fifo_file_perms;

corenet_all_recvfrom_netlabel(tp_domains)
corenet_all_recvfrom_unlabeled(tp_domains)
corenet_tcp_bind_generic_node(tp_domains)
corenet_tcp_sendrecv_generic_if(tp_domains)
corenet_tcp_sendrecv_generic_node(tp_domains)

fs_search_auto_mountpoints(tp_domains)

miscfiles_read_localization(tp_domains)

# This interface seems too coarse. We do not want to search user_tmp_t dirs
# or write sock_files user_tmp_t. We just want :unix_stream_socket connectto;
# Besides even if we wanted to, we could not, because this interface does not
# facilitate files_search_tmp which appears to be a bug.
userdom_stream_connect(tp_domains)
userdom_use_user_terminals(tp_domains)

optional_policy(`
	nis_use_ypbind(tp_domains)
')

optional_policy(`
	nscd_read_pid(tp_domains)
')

optional_policy(`
	telepathy_dbus_chat(tp_domains)
')

optional_policy(`
	# These are dontaudited.
	xserver_rw_xdm_pipes(tp_domains)
')

########################################
#
# Telepathy Butterfly personal policy.
#

allow tp_butterfly_t self:netlink_route_socket create_netlink_socket_perms;
allow tp_butterfly_t self:tcp_socket create_socket_perms;
allow tp_butterfly_t self:udp_socket create_socket_perms;
allow tp_butterfly_t self:unix_dgram_socket { write create connect };

# Butterfly writes and executes files in its own tmp type.
manage_files_pattern(tp_butterfly_t, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
exec_files_pattern(tp_butterfly_t, tp_butterfly_tmp_t, tp_butterfly_tmp_t)
files_tmp_filetrans(tp_butterfly_t, tp_butterfly_tmp_t, file)

corenet_sendrecv_http_client_packets(tp_butterfly_t)
corenet_sendrecv_msnp_client_packets(tp_butterfly_t)
corenet_tcp_connect_http_port(tp_butterfly_t)
corenet_tcp_connect_msnp_port(tp_butterfly_t)

# uname.
corecmd_exec_bin(tp_butterfly_t)
corecmd_exec_shell(tp_butterfly_t)
corecmd_read_bin_symlinks(tp_butterfly_t)

dev_read_urand(tp_butterfly_t)

files_read_etc_files(tp_butterfly_t)

kernel_read_system_state(tp_butterfly_t)

logging_send_syslog_msg(tp_butterfly_t)

sysnet_read_config(tp_butterfly_t)

optional_policy(`
	abrt_read_config(tp_butterfly_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(tp_butterfly_t)
')

optional_policy(`
	gnome_read_gconf_home_files(tp_butterfly_t)
')

########################################
#
# Telepathy Gabble personal policy.
#

allow tp_gabble_t self:netlink_route_socket create_netlink_socket_perms;
allow tp_gabble_t self:tcp_socket create_socket_perms;
allow tp_gabble_t self:udp_socket create_socket_perms;
allow tp_gabble_t self:unix_dgram_socket { write read create getattr sendto };

corenet_sendrecv_jabber_client_client_packets(tp_gabble_t)
corenet_tcp_connect_jabber_client_port(tp_gabble_t)
corenet_sendrecv_http_client_packets(tp_gabble_t)
corenet_tcp_connect_http_port(tp_gabble_t)
# Gabble connects to VNC ports; vino.te pairs this with telepathy_gabble_dbus_chat.
corenet_sendrecv_vnc_client_packets(tp_gabble_t)
corenet_tcp_connect_vnc_port(tp_gabble_t)

dev_read_rand(tp_gabble_t)
dev_read_urand(tp_gabble_t)

files_read_etc_files(tp_gabble_t)

miscfiles_read_certs(tp_gabble_t)

sysnet_read_config(tp_gabble_t)

optional_policy(`
	dbus_system_bus_client(tp_gabble_t)
')

########################################
#
# Telepathy Haze personal policy.
#

# There are two Telepathy connection managers that support MSN:
# Butterfly, which is an MSN-specific CM built on pymsn, and Haze,
# which uses libpurple.
# Prior to libpurple 2.5.0, Haze's MSN support was rudimentary, but
# libpurple 2.5.0 and newer reduce the gap between Haze and Butterfly considerably.
# Still, you will probably have a better experience if you use Butterfly.
# semanage fcontext -a -t tp_butterfly_exec_t /usr/libexec/telepathy-haze.
#
# NOTE(review): no rules for tp_haze_t follow; see the declaration above.

########################################
#
# Telepathy Idle personal policy.
#

allow tp_idle_t self:netlink_route_socket create_netlink_socket_perms;
allow tp_idle_t self:tcp_socket create_socket_perms;
allow tp_idle_t self:udp_socket create_socket_perms;

corenet_sendrecv_ircd_client_packets(tp_idle_t)
corenet_tcp_connect_ircd_port(tp_idle_t)

files_read_etc_files(tp_idle_t)

sysnet_read_config(tp_idle_t)

########################################
#
# Telepathy Mission-Control personal policy.
#

manage_dirs_pattern(tp_mission_control_t, tp_mission_control_home_t, tp_mission_control_home_t)
manage_files_pattern(tp_mission_control_t, tp_mission_control_home_t, tp_mission_control_home_t)
userdom_user_home_dir_filetrans(tp_mission_control_t, tp_mission_control_home_t, { dir file })
userdom_search_user_home_dirs(tp_mission_control_t)

# ~/.cache/.mc_connections.
# NOTE(review): gnome_config_filetrans (gnome.if patch) transitions on
# config_home_t, while the same patch also uses a cache_home_t type; confirm
# which one labels ~/.cache, otherwise this transition will not fire.
optional_policy(`
	manage_files_pattern(tp_mission_control_t, tp_mission_control_home_t, tp_mission_control_home_t)
	gnome_config_filetrans(tp_mission_control_t, tp_mission_control_home_t, file)
')

files_read_etc_files(tp_mission_control_t)
files_read_usr_files(tp_mission_control_t)

# It tries to setattr to ~/.cache (700), which is none of its business.
# For now audit attempts because it may need similar permission for legit purposes.
# userdom_dontaudit_setattr_user_home_content_dirs(tp_mission_control_t)

tunable_policy(`use_nfs_home_dirs', `
	fs_manage_nfs_dirs(tp_mission_control_t)
	fs_manage_nfs_files(tp_mission_control_t)
')

tunable_policy(`use_samba_home_dirs', `
	fs_manage_cifs_dirs(tp_mission_control_t)
	fs_manage_cifs_files(tp_mission_control_t)
')

optional_policy(`
	gnome_read_gconf_home_files(tp_mission_control_t)
')

########################################
#
# Telepathy Salut personal policy.
#

allow tp_salut_t self:netlink_route_socket create_netlink_socket_perms;
# Salut accepts incoming link-local connections, hence listen/accept.
allow tp_salut_t self:tcp_socket { create_socket_perms accept listen };
allow tp_salut_t self:udp_socket create_socket_perms;

manage_sock_files_pattern(tp_salut_t, tp_salut_tmp_t, tp_salut_tmp_t)
files_tmp_filetrans(tp_salut_t, tp_salut_tmp_t, sock_file)

corenet_sendrecv_presence_server_packets(tp_salut_t)
corenet_tcp_bind_presence_port(tp_salut_t)
corenet_tcp_connect_presence_port(tp_salut_t)
# Needs to connect to (port_t) 50176:tcp (does not seem to be a random port) for file transfers.
# NOTE(review): not granted here; if it is a fixed port, label it (semanage port)
# rather than opening generic port_t to this domain.

dev_read_urand(tp_salut_t)

files_read_etc_files(tp_salut_t)

sysnet_read_config(tp_salut_t)

optional_policy(`
	avahi_dbus_chat(tp_salut_t)
')

optional_policy(`
	dbus_system_bus_client(tp_salut_t)
')

########################################
#
# Telepathy Sofiasip personal policy.
#

allow tp_sofiasip_t self:netlink_route_socket create_netlink_socket_perms;
# NOTE(review): listen has no meaning for a raw IP socket; this is probably
# denial-driven and could be dropped or dontaudited - confirm against the AVC.
allow tp_sofiasip_t self:rawip_socket { create_socket_perms listen };
allow tp_sofiasip_t self:tcp_socket { create_socket_perms listen };
allow tp_sofiasip_t self:udp_socket create_socket_perms;

corenet_sendrecv_sip_client_packets(tp_sofiasip_t)
corenet_tcp_connect_sip_port(tp_sofiasip_t)
corenet_raw_bind_generic_node(tp_sofiasip_t)
corenet_udp_bind_generic_node(tp_sofiasip_t)

dev_read_urand(tp_sofiasip_t)

# NOTE(review): lets a user-session SIP connection manager trigger kernel
# module autoloading. Confirm the module it needs; if the denial is harmless,
# a dontaudit would be the smaller grant.
kernel_request_load_module(tp_sofiasip_t)

sysnet_read_config(tp_sofiasip_t)

########################################
#
# Telepathy Stream-Engine personal policy.
#

# NOTE(review): intentionally or not, no rules for tp_stream_engine_t follow.
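## <summary>Vino. The Remote Desktop Project. Take 2.</summary>
## <desc>
##	<p>
##	The primary goal of Vino was originally to provide a
##	mechanism by which system administrators could remotely
##	connect to a desktop machine and resolve basic problems
##	for users.
##	</p>
## </desc>

########################################
## <summary>
##	Role access for Vino.
##	Makes vino_server_t startable by the role's session D-Bus
##	and lets the user domain run, signal, ptrace, list, message
##	and connect to the server.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
# This is a template, not an interface: dbus_session_domain() derives
# $1_dbusd_t from role_prefix, which refpolicy only allows in templates
# (telepathy_role_template does the same).
template(`vino_role', `
	gen_require(`
		type vino_server_t, vino_server_exec_t;
	')

	########################################
	#
	# Vino server shared declarations.
	#

	dbus_session_domain($1, vino_server_t, vino_server_exec_t)
	role $2 types vino_server_t;

	########################################
	#
	# Vino server shared policy.
	#

	domtrans_pattern($3, vino_server_exec_t, vino_server_t)
	allow $3 vino_server_t:process { ptrace signal_perms };
	ps_process_pattern($3, vino_server_t)

	vino_server_dbus_chat($3)
	vino_server_read_tmpfs_files($3)
	vino_server_stream_connect($3)
')

########################################
## <summary>
##	Send DBus messages to and from
##	Vino server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`vino_server_dbus_chat', `
	gen_require(`
		type vino_server_t;
		class dbus send_msg;
	')

	allow $1 vino_server_t:dbus send_msg;
	allow vino_server_t $1:dbus send_msg;
')

########################################
## <summary>
##	Stream connect to Vino server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`vino_server_stream_connect', `
	gen_require(`
		type vino_server_t, vino_server_tmp_t;
	')

	# vino.te creates its unix socket as vino_server_tmp_t under /tmp.
	stream_connect_pattern($1, vino_server_tmp_t, vino_server_tmp_t, vino_server_t)
')

########################################
## <summary>
##	Read and delete Vino server tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`vino_server_read_tmpfs_files', `
	gen_require(`
		type vino_server_tmpfs_t;
	')

	# NOTE(review): despite the "read" name this also grants unlink; vino_role
	# depends on it, so the name is kept - callers should be aware.
	allow $1 vino_server_tmpfs_t:file { read_file_perms unlink };
')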
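policy_module(vino, 1.0.0)

########################################
#
# Vino server personal declarations.
#

type vino_server_t;
type vino_server_exec_t;
application_domain(vino_server_t, vino_server_exec_t)
ubac_constrained(vino_server_t)

# ~/.local/share/vino (see vino.fc).
type vino_server_data_home_t;
userdom_user_home_content(vino_server_data_home_t)

# Unix socket the server creates under /tmp; clients reach it via
# vino_server_stream_connect().
type vino_server_tmp_t;
files_tmp_file(vino_server_tmp_t)
ubac_constrained(vino_server_tmp_t)

type vino_server_tmpfs_t;
files_tmpfs_file(vino_server_tmpfs_t)
ubac_constrained(vino_server_tmpfs_t)

# tcp:26570-26575 - the "vnc tube" ports the server binds. They are
# presumably not labeled vnc_port_t in the base policy, so label them
# locally (semanage port) or corenet_tcp_bind_vnc_port() below will not
# cover them.

########################################
#
# Vino server personal policy.
#

allow vino_server_t self:process { getsched signal signull };
allow vino_server_t self:fifo_file rw_fifo_file_perms;
allow vino_server_t self:netlink_route_socket create_netlink_socket_perms;
allow vino_server_t self:shm create_shm_perms;
allow vino_server_t self:tcp_socket create_stream_socket_perms;
# UDP is datagram-based; listen/accept from create_stream_socket_perms do
# not apply, so use the plain socket permission set as every other domain
# in this posting does for udp_socket.
allow vino_server_t self:udp_socket create_socket_perms;
allow vino_server_t self:unix_dgram_socket create_socket_perms;
allow vino_server_t self:unix_stream_socket create_socket_perms;

# ~/.local/share/vino/vino-server.lock.
optional_policy(`
	manage_dirs_pattern(vino_server_t, vino_server_data_home_t, vino_server_data_home_t)
	manage_files_pattern(vino_server_t, vino_server_data_home_t, vino_server_data_home_t)
	gnome_data_filetrans(vino_server_t, vino_server_data_home_t, { dir file })
')

manage_sock_files_pattern(vino_server_t, vino_server_tmp_t, vino_server_tmp_t)
files_tmp_filetrans(vino_server_t, vino_server_tmp_t, sock_file)

manage_files_pattern(vino_server_t, vino_server_tmpfs_t, vino_server_tmpfs_t)
fs_tmpfs_filetrans(vino_server_t, vino_server_tmpfs_t, file)

corenet_all_recvfrom_netlabel(vino_server_t)
corenet_all_recvfrom_unlabeled(vino_server_t)
corenet_sendrecv_http_client_packets(vino_server_t)
corenet_sendrecv_vnc_server_packets(vino_server_t)
corenet_tcp_bind_generic_node(vino_server_t)
corenet_tcp_bind_vnc_port(vino_server_t)
corenet_tcp_connect_http_port(vino_server_t)
corenet_tcp_sendrecv_generic_if(vino_server_t)
corenet_tcp_sendrecv_generic_node(vino_server_t)
corenet_tcp_sendrecv_generic_port(vino_server_t)

# /usr/bin/vino-preferences
corecmd_exec_bin(vino_server_t)

dev_read_urand(vino_server_t)

# /etc/nsswitch.conf
files_read_etc_files(vino_server_t)
files_read_usr_files(vino_server_t)

fs_getattr_tmpfs(vino_server_t)
fs_search_auto_mountpoints(vino_server_t)

kernel_read_network_state(vino_server_t)

miscfiles_read_localization(vino_server_t)

sysnet_read_config(vino_server_t)

# We need a non-generic type for ~/.icons
userdom_dontaudit_read_user_home_content_files(vino_server_t)
userdom_stream_connect(vino_server_t)
userdom_use_user_terminals(vino_server_t)
userdom_read_user_tmpfs_files(vino_server_t)
# Bug: user pulseaudio files need open,read and unlink:
# NOTE(review): raw allow on a type owned by the userdomain module; it only
# compiles because userdom_read_user_tmpfs_files() above already requires
# user_tmpfs_t. Move it behind a userdom_ interface before merging.
allow vino_server_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(vino_server_t)
# This sucks: we need a type for orbit-$USER so that we can do a gnome_orbit_filetrans()
# avc: denied { create } for pid=5641 comm="vino-server" name="linc-1609-0-1586984db4146"
# scontext=staff_u:staff_r:vino_server_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file
userdom_manage_user_tmp_sockets(vino_server_t)
# orbit-$USER dir.
userdom_setattr_user_tmp_dirs(vino_server_t)

tunable_policy(`use_nfs_home_dirs', `
	fs_manage_nfs_dirs(vino_server_t)
	fs_manage_nfs_files(vino_server_t)
	fs_manage_nfs_named_sockets(vino_server_t)
')

tunable_policy(`use_samba_home_dirs', `
	fs_manage_cifs_dirs(vino_server_t)
	fs_manage_cifs_files(vino_server_t)
	fs_manage_cifs_named_sockets(vino_server_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(vino_server_t)
')

optional_policy(`
	dbus_system_bus_client(vino_server_t)
')

optional_policy(`
	gnome_rw_generic_cache(vino_server_t)
')

optional_policy(`
	nis_use_ypbind(vino_server_t)
')

optional_policy(`
	pulseaudio_stream_connect(vino_server_t)
	pulseaudio_signull(vino_server_t)
	pulseaudio_rw_home_files(vino_server_t)
')

optional_policy(`
	telepathy_gabble_dbus_chat(vino_server_t)
')

optional_policy(`
	xserver_user_x_domain_template(vino_server, vino_server_t, vino_server_tmpfs_t)
')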
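## <summary>Desktop messaging bus</summary>

########################################
## <summary>
##	Allow a application domain to be started
##	by the session dbus
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an
##	entry point to this domain.
##	</summary>
## </param>
#
# Declared as a template rather than an interface because it derives the
# $1_dbusd_t type name from role_prefix; refpolicy reserves that for templates.
template(`dbus_session_domain', `
	gen_require(`
		type $1_dbusd_t;
	')

	# The role's session bus daemon may launch $3 and lands in domain $2.
	domtrans_pattern($1_dbusd_t, $3, $2)

	dbus_session_bus_client($2)
	dbus_connect_session_bus($2)

	optional_policy(`
		# If unconfined_t wants to start a dbus_session_domain.
		# unconfined_dbusd_t should get implemented for F13.
		# Can just remove this when it is.
		unconfined_dbus_connect($2)
	')
')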
## <summary>Basic filesystem types and interfaces.</summary>

########################################
## <summary>
##	Read all tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): this grants read on every type carrying the tmpfsfile
# attribute - other users' and daemons' tmpfs content included - which is
# much broader than the per-type tmpfs accesses vino.te uses. None of the
# attached .te files call it; confirm it is still needed. The tmpfsfile
# attribute is owned by the kernel filesystem module, so it probably belongs
# in filesystem.if (fs_ prefix) rather than files.if - TODO confirm.
interface(`files_read_all_tmpfs_files', `
	gen_require(`
		attribute tmpfsfile;
	')

	read_files_pattern($1, tmpfsfile, tmpfsfile)
	fs_search_tmpfs($1)
')
## <summary>Patch to gnome module</summary>
## <desc>
##	<p>
##	This will allow tp_mission_control_t to create files
##	with type tp_mission_control_home_t in ~/.cache.
##	</p>
## </desc>

########################################
## <summary>
##	Create objects in a Gnome config home directory
##	(config_home_t) with an automatic type transition
##	to a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
# NOTE(review): the module description says this targets ~/.cache, but the
# transition is on config_home_t while gnome_rw_generic_cache below uses a
# separate cache_home_t. Confirm which type labels ~/.cache; if it is
# cache_home_t the .mc_connections transition in telepathy.te never fires.
interface(`gnome_config_filetrans', `
	gen_require(`
		type config_home_t;
	')

	filetrans_pattern($1, config_home_t, $2, $3)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Create objects in a Gnome data home directory
##	(data_home_t) with an automatic type transition
##	to a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
interface(`gnome_data_filetrans', `
	gen_require(`
		type data_home_t;
	')

	filetrans_pattern($1, data_home_t, $2, $3)
	# data_home_t sits below the gconf home dir (.local), so search it too.
	gnome_search_gconf($1)
')

########################################
## <summary>
##	search gconf homedir (.local)
## </summary>
## <param name="user_domain">
##	<summary>
##	The type of the domain.
##	</summary>
## </param>
#
interface(`gnome_search_gconf',`
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir search_dir_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Read and write generic cache home files (.cache).
## </summary>
## <param name="user_domain">
##	<summary>
##	The type of the domain.
##	</summary>
## </param>
#
interface(`gnome_rw_generic_cache',`
	gen_require(`
		type cache_home_t;
	')

	# rw only - no create/unlink, despite the earlier "manage" wording.
	rw_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
')
## <summary>Patch to gnome module (gnome_home_t attributes).</summary>

########################################
## <summary>
##	Set attributes of Gnome home dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): none of the attached .te files call this interface
# (telepathy.te only has a commented-out userdom_dontaudit_setattr_* line);
# drop it from the series if it is no longer needed.
interface(`gnome_setattr_home_dirs', `
	gen_require(`
		type gnome_home_t;
	')

	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	files_search_home($1)
')
## <summary>Pulse Audio.</summary>

########################################
## <summary>
##	Send signull signals to pulseaudio
##	processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_signull', `
	gen_require(`
		type pulseaudio_t;
	')

	# signull only: existence check, not a real signal.
	allow $1 pulseaudio_t:process signull;
')

########################################
## <summary>
##	Read and write Pulse Audio files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_rw_home_files', `
	gen_require(`
		type pulseaudio_home_t;
	')

	# NOTE(review): grants the file access only; the caller must be able to
	# search the home directory by other means (vino.te gets that via
	# gnome_data_filetrans, but only inside an optional_policy block).
	allow $1 pulseaudio_home_t:file rw_file_perms;
')
## <summary>User Domains.</summary>

########################################
## <summary>
##	Set attributes of user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Added for vino_server_t, which chmods its orbit-$USER directory under /tmp
# (see vino.te). setattr on every user_tmp_t dir is wider than that one dir,
# which is why vino.te asks for a dedicated orbit type.
interface(`userdom_setattr_user_tmp_dirs', `
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:dir setattr;
	files_search_tmp($1)
')