secureblue · PhysicsIsAwesome · Apr 18, 2026 · Apr 18, 2026
@@ -95,12 +95,15 @@ template(`trivalent_role_template',`
 #
 interface(`trivalent_filetrans_home_content',`
 	gen_require(`
+		type trivalent_data_home_t;
+		type trivalent_home_cdm_lib_t;
 		type trivalent_home_t;
 	')
 
 	optional_policy(`
 		gnome_config_filetrans($1, trivalent_home_t, dir, "trivalent")
 		gnome_cache_filetrans($1, trivalent_home_t, dir, "trivalent")
+		gnome_data_filetrans($1, trivalent_data_home_t, file)
 		filetrans_pattern($1, trivalent_home_t, trivalent_home_cdm_lib_t, file, "libwidevinecdm.so")
 	')
 ')
@@ -4,6 +4,30 @@ policy_module(trivalent, 1.0.0)
 #
 # SPDX-License-Identifier: Apache-2.0 OR MIT
 
+gen_require(`
+	attribute gnome_home_type;
+	attribute userdomain;
+	class dbus acquire_svc;
+	type audio_home_t;
+	type chrome_sandbox_home_t;
+	type data_home_t;
+	type device_t;
+	type dosfs_t;
+	type fonts_cache_t;
+	type http_port_t;
+	type http_cache_port_t;
+	type howl_port_t;
+	type ld_so_cache_t;
+	type null_device_t;
+	type root_t;
+	type pki_ca_port_t;
+	type nsfs_t;
+	type tmp_t;
+	type tmpfs_t;
+	type user_home_t;
+	type xserver_misc_device_t;
+')
+
 ########################################
 #
 # Declarations
@@ -55,34 +79,14 @@ userdom_user_home_content(trivalent_home_cdm_lib_t)
 type trivalent_script_exec_t;
 application_executable_file(trivalent_script_exec_t)
 
+type trivalent_data_home_t, gnome_home_type;
+userdom_user_home_content(trivalent_data_home_t)
 
 ##############################
 #
 # Local policy
 #
 
-gen_require(`
-	attribute userdomain;
-	class dbus acquire_svc;
-	type audio_home_t;
-	type chrome_sandbox_home_t;
-	type device_t;
-	type dosfs_t;
-	type fonts_cache_t;
-	type http_port_t;
-	type http_cache_port_t;
-	type howl_port_t;
-	type ld_so_cache_t;
-	type null_device_t;
-	type root_t;
-	type pki_ca_port_t;
-	type nsfs_t;
-	type tmp_t;
-	type tmpfs_t;
-	type user_home_t;
-	type xserver_misc_device_t;
-')
-
 trivalent_filetrans_home_content(userdomain)
 trivalent_filetrans_home_content(trivalent_domain)
 trivalent_filetrans_home_content(trivalent_script_domain)
@@ -113,7 +117,8 @@ allow trivalent_domain trivalent_home_t:file { manage_file_perms map };
 allow trivalent_domain trivalent_home_t:lnk_file { manage_lnk_file_perms };
 allow trivalent_domain self:netlink_route_socket { nlmsg_read nlmsg_write };
 manage_files_pattern(trivalent_domain, trivalent_home_t, trivalent_home_cdm_lib_t)
-
+manage_files_pattern(trivalent_domain, data_home_t, trivalent_data_home_t)
+create_dirs_pattern(trivalent_domain, data_home_t, data_home_t)
 
 # not covered by interfaces
 allow trivalent_domain fonts_cache_t:dir mounton;
@@ -257,7 +262,6 @@ gnome_manage_generic_cache_files(trivalent_domain)
 gnome_manage_generic_cache_sockets(trivalent_domain)
 gnome_manage_home_config(trivalent_domain)
 gnome_manage_home_config_dirs(trivalent_domain)
-gnome_manage_data(trivalent_domain)
 gnome_manage_generic_home_files(trivalent_domain)
 gnome_manage_generic_home_dirs(trivalent_domain)
 gnome_map_generic_data_home_files(trivalent_domain)