author | Chris PeBenito <cpebenito@tresys.com> | 2009-09-16 08:38:58 -0400 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-09-16 08:38:58 -0400 |
commit | 21b1d1096fbcc97438898b8e75e35e015e6bbda6 (patch) | |
tree | a4bcf33c18a3530ba72ca55c173b82e4ed22787d | |
parent | ed70158a3936aa04b225d824f863f90ced3b7414 (diff) |
add gnomeclock from dan.
-rw-r--r-- | Changelog | 1 | ||||
-rw-r--r-- | policy/modules/services/gnomeclock.fc | 2 | ||||
-rw-r--r-- | policy/modules/services/gnomeclock.if | 65 | ||||
-rw-r--r-- | policy/modules/services/gnomeclock.te | 47 |
4 files changed, 115 insertions, 0 deletions
@@ -11,6 +11,7 @@ - Added modules: abrt (Dan Walsh) gitosis (Miroslav Grepl) + gnomeclock (Dan Walsh) hddtemp (Dan Walsh) kdump (Dan Walsh) modemmanager(Dan Walsh)
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
new file mode 100644
index 00000000..462de63b
--- /dev/null
+++ b/policy/modules/services/gnomeclock.fc
@@ -0,0 +1,2 @@
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
new file mode 100644
index 00000000..716006b9
--- /dev/null
+++ b/policy/modules/services/gnomeclock.if
@@ -0,0 +1,65 @@
+## <summary>Gnome clock handler for setting the time.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run gnomeclock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_domtrans',`
+ gen_require(`
+ type gnomeclock_t, gnomeclock_exec_t;
+ ')
+
+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
+')
+
+########################################
+## <summary>
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the gnomeclock domain.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_run',`
+ gen_require(`
+ type gnomeclock_t;
+ ')
+
+ gnomeclock_domtrans($1)
+ role $2 types gnomeclock_t;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnomeclock over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
new file mode 100644
index 00000000..0837f97e
--- /dev/null
+++ b/policy/modules/services/gnomeclock.te
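Review bot: The `domain` parameter summary in `gnomeclock_run` reads `## Domain allowed access` while the same parameter in `gnomeclock_dbus_chat` reads `## Domain allowed access.`, and every other summary in this file is a full sentence with a trailing period. The `gnomeclock_run` line should match: `## Domain allowed access.`.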
@@ -0,0 +1,47 @@
+
+policy_module(gnomeclock, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gnomeclock_t;
+type gnomeclock_exec_t;
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+########################################
+#
+# gnomeclock local policy
+#
+
+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process { getattr getsched };
+allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_bin(gnomeclock_t)
+
+files_read_etc_files(gnomeclock_t)
+files_read_usr_files(gnomeclock_t)
+
+auth_use_nsswitch(gnomeclock_t)
+
+clock_domtrans(gnomeclock_t)
+
+miscfiles_read_localization(gnomeclock_t)
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
+
+userdom_read_all_users_state(gnomeclock_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
+ policykit_read_reload(gnomeclock_t)
+')
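Review bot: `allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };` grants sys_ptrace with nothing in the hunk saying what needs it, and that capability is far broader than what setting the system time or timezone requires. The nearby `userdom_read_all_users_state(gnomeclock_t)` suggests the denial may only be triggered by reading other users' /proc entries, in which case the usual handling in this policy tree is `dontaudit gnomeclock_t self:capability sys_ptrace;` rather than an allow. If the mechanism genuinely requires it, a one-line comment above the rule naming the operation that needs it would let later reviewers keep the grant minimal.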