Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/apps/openoffice.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/apps/openoffice.if')
-rw-r--r--policy/modules/apps/openoffice.if134
1 files changed, 134 insertions, 0 deletions
diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
new file mode 100644
index 00000000..5580aaf7
--- /dev/null
+++ b/policy/modules/apps/openoffice.if
@@ -0,0 +1,134 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ allow ooffice_t $2:unix_stream_socket connectto;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+
+ optional_policy(`
+ ooffice_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ooffice_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
+
+#######################################
+## <summary>
+## Send and receive dbus messages
+## from and to the openoffice
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_dbus_chat',`
+ gen_require(`
+ type ooffice_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ooffice_t:dbus send_msg;
+ allow ooffice_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to openoffice using a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_stream_connect',`
+ gen_require(`
+ type ooffice_t, ooffice_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
+')