forked from OwlCyberDefense/refpolicy-contrib
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathopenoffice.if
134 lines (118 loc) · 2.54 KB
/
openoffice.if
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
## <summary>Openoffice suite.</summary>
############################################################
## <summary>
## Role access for openoffice.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
#
interface(`ooffice_role',`
gen_require(`
attribute_role ooffice_roles;
type ooffice_t, ooffice_exec_t;
')
roleattribute $1 ooffice_roles;
allow ooffice_t $2:unix_stream_socket connectto;
domtrans_pattern($2, ooffice_exec_t, ooffice_t)
allow $2 ooffice_t:process { ptrace signal_perms };
ps_process_pattern($2, ooffice_t)
optional_policy(`
ooffice_dbus_chat($2)
')
')
########################################
## <summary>
## Run openoffice in its own domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ooffice_domtrans',`
gen_require(`
type ooffice_t, ooffice_exec_t;
')
domtrans_pattern($1, ooffice_exec_t, ooffice_t)
')
########################################
## <summary>
## Do not audit attempts to execute
## files in temporary directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`ooffice_dontaudit_exec_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
dontaudit $1 ooffice_tmp_t:file exec_file_perms;
')
########################################
## <summary>
## Read and write temporary
## openoffice files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ooffice_rw_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
#######################################
## <summary>
## Send and receive dbus messages
## from and to the openoffice
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ooffice_dbus_chat',`
gen_require(`
type ooffice_t;
class dbus send_msg;
')
allow $1 ooffice_t:dbus send_msg;
allow ooffice_t $1:dbus send_msg;
')
########################################
## <summary>
## Connect to openoffice using a
## unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ooffice_stream_connect',`
gen_require(`
type ooffice_t, ooffice_tmp_t;
')
files_search_tmp($1)
stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
')