Attachment 928755 Details for Bug 1122013 – Policy file for ThinLinc

Policy file for ThinLinc

thinlinc.te.in (text/plain), 4.68 KB, created by Pierre Ossman on 2014-08-20 10:39:04 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Pierre Ossman

Created: 2014-08-20 10:39:04 UTC

Size: 4.68 KB

patch

obsolete

># Copyright 2002-2014 Cendio AB.
># For more information, see http://www.cendio.com
>
>policy_module(thinlinc, @VERSION@);
>
>########################################
>#
># Declarations
>#
>
>type thinlinc_var_run_t;
>files_pid_file(thinlinc_var_run_t)
>
>type thinlinc_agent_exec_t;
>corecmd_executable_file(thinlinc_agent_exec_t)
>type thinlinc_agent_t;
>init_daemon_domain(thinlinc_agent_t, thinlinc_agent_exec_t)
>
>type thinlinc_master_exec_t;
>corecmd_executable_file(thinlinc_master_exec_t)
>type thinlinc_master_t;
>init_daemon_domain(thinlinc_master_t, thinlinc_master_exec_t)
>
>type thinlinc_master_var_run_t;
>files_pid_file(thinlinc_master_var_run_t)
>
>type thinlinc_webaccess_exec_t;
>corecmd_executable_file(thinlinc_webaccess_exec_t)
>type thinlinc_webaccess_t;
>init_daemon_domain(thinlinc_webaccess_t, thinlinc_webaccess_exec_t)
>
>type thinlinc_webaccess_var_run_t;
>files_pid_file(thinlinc_webaccess_var_run_t)
>
>type thinlinc_webadm_exec_t;
>corecmd_executable_file(thinlinc_webadm_exec_t)
>type thinlinc_webadm_t;
>init_daemon_domain(thinlinc_webadm_t, thinlinc_webadm_exec_t)
>
>type thinlinc_session_exec_t;
>corecmd_executable_file(thinlinc_session_exec_t)
>type thinlinc_session_t;
>domain_type(thinlinc_session_t)
>domain_entry_file(thinlinc_session_t, thinlinc_session_exec_t)
>auth_login_pgm_domain(thinlinc_session_t)
>
>type thinlinc_session_root_t;
>files_type(thinlinc_session_root_t)
>
>type thinlinc_user_dir_t;
>files_type(thinlinc_user_dir_t)
>
>type thinlinc_user_t;
>files_type(thinlinc_user_t)
>ubac_constrained(thinlinc_user_t)
>
>##############################
>#
># agent local policy
>#
>
># The agent has yet to be properly confined
>unconfined_domain(thinlinc_agent_t)
>
>##############################
>#
># master local policy
>#
>
>thinlinc_manage_pids(thinlinc_master_t, thinlinc_master_var_run_t, dir)
>manage_sock_files_pattern(thinlinc_master_t, thinlinc_master_var_run_t, thinlinc_master_var_run_t)
>
># The master has yet to be properly confined
>unconfined_domain(thinlinc_master_t)
>
>##############################
>#
># tlwebaccess local policy
>#
>
>thinlinc_manage_pids(thinlinc_webaccess_t, thinlinc_webaccess_var_run_t, dir)
>manage_sock_files_pattern(thinlinc_webaccess_t, thinlinc_webaccess_var_run_t, thinlinc_webaccess_var_run_t)
>
># tlwebaccess has yet to be properly confined
>unconfined_domain(thinlinc_webaccess_t)
>
>##############################
>#
># tlwebadm local policy
>#
>
># tlwebadm has yet to be properly confined
>unconfined_domain(thinlinc_webadm_t)
>
>##############################
>#
># tl-session local policy
>#
>
>domtrans_pattern(thinlinc_agent_t, thinlinc_session_exec_t, thinlinc_session_t)
>
>auth_write_login_records(thinlinc_session_t)
>
>userdom_spec_domtrans_all_users(thinlinc_session_t)
>userdom_signal_all_users(thinlinc_session_t)
>
>allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
>allow thinlinc_session_t self:process { getcap setsched setexec };
>allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;
>
>miscfiles_read_localization(thinlinc_session_t)
>
>kernel_read_kernel_sysctls(thinlinc_session_t)
>
>logging_append_all_logs(thinlinc_session_t)
>
>filetrans_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t, dir)
>manage_dirs_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t)
>
>filetrans_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t, dir)
>manage_dirs_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t)
>
>manage_lnk_files_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_dir_t)
>
>mcs_process_set_categories(thinlinc_session_t)
>mcs_killall(thinlinc_session_t)
>
># FIXME: Debug
>#permissive thinlinc_session_t;
>
>##############################
>#
># Allow access to our Xauthority file
>#
>
>require {
>	type xauth_t;
>	type xauth_home_t;
>}
>
>allow xauth_t thinlinc_session_root_t:dir search_dir_perms;
>allow xauth_t thinlinc_user_dir_t:dir search_dir_perms;
>
>filetrans_pattern(xauth_t, thinlinc_user_t, xauth_home_t, file)
>manage_files_pattern(xauth_t, thinlinc_user_t, xauth_home_t)
>
># Newer systems use the file name based approach instead to
># reduce the number of domain contexts. Only try to do this if
># it looks like one of those systems though.
>ifdef(`xserver_filetrans_home_content',`
>	filetrans_pattern(userdomain, thinlinc_user_t, xauth_home_t, file, "Xauthority")
>	filetrans_pattern(userdomain, thinlinc_user_t, xauth_home_t, file, "Xauthority-l")
>	filetrans_pattern(userdomain, thinlinc_user_t, xauth_home_t, file, "Xauthority-c")
>	filetrans_pattern(userdomain, thinlinc_user_t, xauth_home_t, file, "Xauthority-n")
>	manage_files_pattern(userdomain, thinlinc_user_t, xauth_home_t)
>')
>
>##############################
>#
># File contexts that we use in thinlinc.fc
>#
>
>require {
>	type httpd_log_t;
>	type httpd_sys_content_t;
>	type httpd_sys_script_exec_t;
>}

Actions: View

Attachments on bug 1122013: 928755