## <summary>policy for thumb</summary>

########################################
## <summary>
##	Transition to thumb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`thumb_domtrans',`
	gen_require(`
		type thumb_t, thumb_exec_t;
	')

	# The caller must be able to search the bin directories before it can
	# reach an executable labeled thumb_exec_t.
	corecmd_search_bin($1)
	# Executing a thumb_exec_t file from the calling domain moves the new
	# process into thumb_t.
	domtrans_pattern($1, thumb_exec_t, thumb_t)
')

########################################
## <summary>
##	Execute thumb in the thumb domain, and
##	allow the specified role the thumb domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the thumb domain.
##	</summary>
## </param>
#
interface(`thumb_run',`
	gen_require(`
		type thumb_t;
	')

	thumb_domtrans($1)
	# Without the role association the transition into thumb_t would be
	# rejected for processes running under this role.
	role $2 types thumb_t;

	# Grants the full signal_perms set; thumb_role only grants signal.
	allow $1 thumb_t:process signal_perms;

	# These rules grant nothing. They only keep denials out of the audit
	# log when thumb_t lists directories or reads files labeled with the
	# calling domain type (presumably its /proc entries - TODO confirm).
	# Disable dontaudit rules (semodule -DB) when investigating thumb_t
	# denials, otherwise these accesses stay invisible.
	dontaudit thumb_t $1:dir list_dir_perms;
	dontaudit thumb_t $1:file read_file_perms;
')

########################################
## <summary>
##	Role access for thumb
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`thumb_role',`
	gen_require(`
		type thumb_t;
		class dbus send_msg;
	')

	# Note the argument order: role first, domain second. thumb_run takes
	# them the other way round.
	role $1 types thumb_t;

	thumb_domtrans($2)

	# The user domain can inspect thumb_t processes and send them signals.
	ps_process_pattern($2, thumb_t)
	allow $2 thumb_t:process signal;

	# thumb_t is allowed to connect to unix stream sockets owned by the
	# user domain.
	allow thumb_t $2:unix_stream_socket connectto;

	# Two-way D-Bus messaging; these are the same two rules that
	# thumb_dbus_chat grants to its caller.
	allow $2 thumb_t:dbus send_msg;
	allow thumb_t $2:dbus send_msg;

	thumb_filetrans_home_content($2)
')

########################################
## <summary>
##	Send and receive messages from
##	thumb over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`thumb_dbus_chat',`
	gen_require(`
		type thumb_t;
		class dbus send_msg;
	')

	# Both directions are required: one rule lets the caller send to
	# thumb_t, the other lets thumb_t send to the caller.
	allow $1 thumb_t:dbus send_msg;
	allow thumb_t $1:dbus send_msg;
')

########################################
## <summary>
##	Create thumb content in the user home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`thumb_filetrans_home_content',`
	gen_require(`
		type thumb_home_t;
	')

	# Named transitions: they apply only when the domain creates an
	# object with exactly this name in the user home directory. Objects
	# that already exist, or that are created under another name, keep
	# their label and are not covered by these rules.
	userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
	userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
')