Gecko [ 122.154.134.11 ]

Name	Size	Permission
ada.if	836 B	-rw-r--r--
authbind.if	487 B	-rw-r--r--
awstats.if	976 B	-rw-r--r--
calamaris.if	498 B	-rw-r--r--
cdrecord.if	747 B	-rw-r--r--
chrome.if	2.96 KB	-rw-r--r--
cpufreqselector.if	59 B	-rw-r--r--
ethereal.if	2.11 KB	-rw-r--r--
evolution.if	3.85 KB	-rw-r--r--
execmem.if	2.68 KB	-rw-r--r--
firewallgui.if	449 B	-rw-r--r--
games.if	1020 B	-rw-r--r--
gift.if	1.08 KB	-rw-r--r--
gitosis.if	1.76 KB	-rw-r--r--
gnome.if	11.33 KB	-rw-r--r--
gpg.if	4.44 KB	-rw-r--r--
irc.if	1.4 KB	-rw-r--r--
java.if	4.46 KB	-rw-r--r--
kdumpgui.if	50 B	-rw-r--r--
livecd.if	2.3 KB	-rw-r--r--
loadkeys.if	1.34 KB	-rw-r--r--
lockdev.if	709 B	-rw-r--r--
mediawiki.if	999 B	-rw-r--r--
mono.if	2.85 KB	-rw-r--r--
mozilla.if	8.52 KB	-rw-r--r--
mplayer.if	2.94 KB	-rw-r--r--
namespace.if	1010 B	-rw-r--r--
nsplugin.if	10.4 KB	-rw-r--r--
openoffice.if	2.74 KB	-rw-r--r--
podsleuth.if	986 B	-rw-r--r--
ptchown.if	929 B	-rw-r--r--
pulseaudio.if	5.88 KB	-rw-r--r--
qemu.if	7.19 KB	-rw-r--r--
rssh.if	1.54 KB	-rw-r--r--
sambagui.if	50 B	-rw-r--r--
sandbox.if	8.02 KB	-rw-r--r--
screen.if	5.5 KB	-rw-r--r--
seunshare.if	1.26 KB	-rw-r--r--
slocate.if	875 B	-rw-r--r--
telepathy.if	4.57 KB	-rw-r--r--
thunderbird.if	1.72 KB	-rw-r--r--
tvtime.if	1.02 KB	-rw-r--r--
uml.if	2.94 KB	-rw-r--r--
userhelper.if	8.11 KB	-rw-r--r--
usernetctl.if	1.22 KB	-rw-r--r--
vmware.if	1.97 KB	-rw-r--r--
webalizer.if	958 B	-rw-r--r--
wine.if	3.6 KB	-rw-r--r--
wireshark.if	1.36 KB	-rw-r--r--
wm.if	1.98 KB	-rw-r--r--
xscreensaver.if	633 B	-rw-r--r--
yam.if	1.22 KB	-rw-r--r--

Code Editor : sandbox.if

## <summary>policy for sandbox</summary>

########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
#
interface(`sandbox_transition',`
	gen_require(`
		type sandbox_xserver_t;
		type sandbox_file_t;
		attribute sandbox_domain;
		attribute sandbox_x_domain;
		attribute sandbox_tmpfs_type;
	')

allow $1 sandbox_domain:process transition;
	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
	role $2 types sandbox_domain;
	allow sandbox_domain $1:process { sigchld signull };
	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;

allow $1 sandbox_x_domain:process { signal_perms transition };
	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
	allow sandbox_x_domain $1:process { sigchld signull };
	dontaudit sandbox_domain $1:process signal;
	role $2 types sandbox_x_domain;
	role $2 types sandbox_xserver_t;
	allow $1 sandbox_xserver_t:process signal_perms;
	dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
	dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
	dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
	allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
	allow sandbox_x_domain sandbox_x_domain:process signal;
	# Dontaudit leaked file descriptors
	dontaudit sandbox_x_domain $1:fifo_file { read write };
	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
	dontaudit sandbox_x_domain $1:process { signal sigkill };
	
	allow $1 sandbox_tmpfs_type:file manage_file_perms;
	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;

can_exec($1, sandbox_file_t)
	allow $1 sandbox_file_t:filesystem getattr;
	manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
	relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

gen_require(`
		attribute sandbox_domain;
		type sandbox_file_t;
		attribute sandbox_type;
	')
	type $1_t, sandbox_domain, sandbox_type;

application_type($1_t)

mls_rangetrans_target($1_t)
	mcs_untrusted_proc($1_t)
')

########################################
## <summary>
##	Creates types and rules for a basic
##	sandbox process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`sandbox_x_domain_template',`
	gen_require(`
		type xserver_exec_t, sandbox_devpts_t;
		type sandbox_xserver_t;
		type sandbox_exec_t;
		attribute sandbox_domain, sandbox_x_domain;
		attribute sandbox_tmpfs_type;
		attribute sandbox_type;
	')

type $1_t, sandbox_x_domain, sandbox_type;
	application_type($1_t)
	mcs_untrusted_proc($1_t)

# window manager
	miscfiles_setattr_fonts_cache_dirs($1_t)
	allow $1_t self:capability setuid;

type $1_client_t, sandbox_x_domain;
	application_type($1_client_t)
	mcs_untrusted_proc($1_t)

type $1_client_tmpfs_t, sandbox_tmpfs_type;
	files_tmpfs_file($1_client_tmpfs_t)

manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
	manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
	fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
	# Pulseaudio tmpfs files with different MCS labels
	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
	dontaudit $1_t $1_client_tmpfs_t:file { read write };
	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };

domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
	allow $1_t sandbox_xserver_t:process signal_perms;

domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
	domain_entry_file($1_client_t,  sandbox_exec_t)

# Random tmpfs_t that gets created when you run X. 
	fs_rw_tmpfs_files($1_t)

ps_process_pattern(sandbox_xserver_t, $1_client_t)
	ps_process_pattern(sandbox_xserver_t, $1_t)
	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
	allow $1_client_t $1_t:unix_stream_socket connectto;
	allow $1_t $1_client_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	allow domain to read, 
##	write sandbox_xserver tmp files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_rw_xserver_tmpfs_files',`
	gen_require(`
		type sandbox_xserver_tmpfs_t;
	')

allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
')

########################################
## <summary>
##	allow domain to read
##	sandbox tmpfs files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_read_tmpfs_files',`
	gen_require(`
		attribute sandbox_tmpfs_type;
	')

allow $1 sandbox_tmpfs_type:file read_file_perms;
')

########################################
## <summary>
##	allow domain to manage
##	sandbox tmpfs files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_manage_tmpfs_files',`
	gen_require(`
		attribute sandbox_tmpfs_type;
	')

allow $1 sandbox_tmpfs_type:file manage_file_perms;
')

########################################
## <summary>
##	Delete sandbox files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_files',`
	gen_require(`
		type sandbox_file_t;
	')

delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	Delete sandbox sock files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_sock_files',`
	gen_require(`
		type sandbox_file_t;
	')

delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	Allow domain to  set the attributes
##	of the sandbox directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_setattr_dirs',`
	gen_require(`
		type sandbox_file_t;
	')

allow $1 sandbox_file_t:dir setattr;
')

########################################
## <summary>
##	allow domain to delete sandbox files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_delete_dirs',`
	gen_require(`
		type sandbox_file_t;
	')

delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
')

########################################
## <summary>
##	allow domain to list sandbox dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`sandbox_list',`
	gen_require(`
		type sandbox_file_t;
	')

allow $1 sandbox_file_t:dir list_dir_perms;
')

#######################################
## <summary>
##  Read and write a sandbox domain pty.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`sandbox_use_ptys',`
    gen_require(`
        type sandbox_devpts_t;
    ')

allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
')

${this.title}

Code Editor : sandbox.if