diff options
| -rw-r--r-- | Makefile | 8 | ||||
| -rw-r--r-- | doc/gentoo_tunables.xml | 56 | ||||
| -rw-r--r-- | policy/modules/system/userdomain.if | 12 |
3 files changed, 65 insertions, 11 deletions
@@ -119,11 +119,13 @@ docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if e ifndef LOCAL_ROOT polxml = $(docs)/policy.xml tunxml = $(docs)/global_tunables.xml +gentooxml = $(docs)/gentoo_tunables.xml boolxml = $(docs)/global_booleans.xml htmldir = $(docs)/html else polxml = $(LOCAL_ROOT)/doc/policy.xml tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml +gentooxml = $(LOCAL_ROOT)/doc/gentoo_tunables.xml boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml htmldir = $(LOCAL_ROOT)/doc/html endif @@ -419,7 +421,7 @@ $(tunxml): $(globaltun) $(boolxml): $(globalbool) $(verbose) $(genxml) -w -b $< > $@ -$(polxml): $(layerxml) $(tunxml) $(boolxml) +$(polxml): $(layerxml) $(tunxml) $(boolxml) $(gentooxml) @echo "Creating $(@F)" @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml)) @test -d $(tmpdir) || mkdir -p $(tmpdir) @@ -427,7 +429,7 @@ $(polxml): $(layerxml) $(tunxml) $(boolxml) $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@ $(verbose) echo '<policy>' >> $@ $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done - $(verbose) cat $(tunxml) $(boolxml) >> $@ + $(verbose) cat $(tunxml) $(boolxml) $(gentooxml) >> $@ $(verbose) echo '</policy>' >> $@ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\ @@ -507,7 +509,7 @@ $(appdir)/%: $(appconf)/% # # Install policy headers # -install-headers: $(layerxml) $(tunxml) $(boolxml) +install-headers: $(layerxml) $(tunxml) $(boolxml) $(gentooxml) @mkdir -p $(headerdir) @echo "Installing $(NAME) policy headers." $(verbose) $(INSTALL) -m 644 $^ $(headerdir) diff --git a/doc/gentoo_tunables.xml b/doc/gentoo_tunables.xml new file mode 100644 index 000000000..ad262200e --- /dev/null +++ b/doc/gentoo_tunables.xml @@ -0,0 +1,56 @@ +<tunable name="mozilla_read_generic_user_content" dftval="true"> +<desc> +<p> +Allow mozilla to read generic user content (i.e. content that is not specific to an application). +</p> +</desc> +</tunable> +<tunable name="mozilla_read_all_user_content" dftval="false"> +<desc> +<p> +Allow mozilla to read all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory). +</p> +</desc> +</tunable> +<tunable name="mozilla_manage_generic_user_content" dftval="false"> +<desc> +<p> +Allow mozilla to manage generic user content (i.e. content that is not specific to an application). +</p> +</desc> +</tunable> +<tunable name="mozilla_manage_all_user_content" dftval="false"> +<desc> +<p> +Allow mozilla to manage all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory). +</p> +</desc> +</tunable> +<tunable name="chromium_read_generic_user_content" dftval="true"> +<desc> +<p> +Allow chromium to read generic user content (i.e. content that is not specific to an application). +</p> +</desc> +</tunable> +<tunable name="chromium_read_all_user_content" dftval="false"> +<desc> +<p> +Allow chromium to read all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory). +</p> +</desc> +</tunable> +<tunable name="chromium_manage_generic_user_content" dftval="false"> +<desc> +<p> +Allow chromium to manage generic user content (i.e. content that is not specific to an application). +</p> +</desc> +</tunable> +<tunable name="chromium_manage_all_user_content" dftval="false"> +<desc> +<p> +Allow chromium to manage all user content (including content that is specific to an application, such as the configuration files of other applications in the users home directory). +</p> +</desc> +</tunable> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 760bab7c2..d8d000b6d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3480,32 +3480,28 @@ template(`userdom_user_content_access_template',` ## <desc> ## <p> - ## Allow the application to read generic user home content + ## Please update doc/gentoo_tunables.xml. ## </p> ## </desc> gen_tunable(`$1_read_generic_user_content', true) ## <desc> ## <p> - ## Allow the application to read all user home content. This - ## includes content that is labeled as home content of another - ## application. + ## Please update doc/gentoo_tunables.xml. ## </p> ## </desc> gen_tunable(`$1_read_all_user_content', false) ## <desc> ## <p> - ## Allow the application to manage generic user home content + ## Please update doc/gentoo_tunables.xml. ## </p> ## </desc> gen_tunable(`$1_manage_generic_user_content', false) ## <desc> ## <p> - ## Allow the application to manage all user home content. This - ## includes content that is labeled as home content of another - ## application. + ## Please update doc/gentoo_tunables.xml. ## </p> ## </desc> gen_tunable(`$1_manage_all_user_content', false) |