2017-04-20 01:00:01

by guido

Subject: [refpolicy] [PATCH 1/33] userdomain: main user data confidentiality patch

This is the main patch to curb userdomain file read and/or write
permissions for all daemons and applications that are currently
allowed such permissions indiscriminately.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior (where possible, its name starts with the module name and
ends with "_enable_home_dirs").

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.fc | 4
policy/modules/system/userdomain.if | 459 +++++++++++++++++++++++++++++++++++-
policy/modules/system/userdomain.te | 12
3 files changed, 464 insertions(+), 11 deletions(-)

diff -pru refpolicy-git-19042017-orig/policy/modules/system/userdomain.fc refpolicy-git-19042017-userdomain/policy/modules/system/userdomain.fc
--- refpolicy-git-19042017-orig/policy/modules/system/userdomain.fc 2017-03-29 17:57:54.572386420 +0200
+++ refpolicy-git-19042017-userdomain/policy/modules/system/userdomain.fc 2017-04-20 01:28:48.751431118 +0200
@@ -1,6 +1,10 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:user_cache_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:user_config_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:user_data_t,s0)
HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
+HOME_DIR/Downloads gen_context(system_u:object_r:user_downloads_t,s0)

/tmp/gconfd-%{USERNAME} -d gen_context(system_u:object_r:user_tmp_t,s0)

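Review bot: The `HOME_DIR/Downloads` entry carries no `(/.*)?` suffix, unlike the `.cache`, `.config`, `.local` and `.pki` entries around it, so only the directory itself is labelled user_downloads_t while anything beneath it still matches the `HOME_DIR/.+` rule and becomes user_home_t on relabel. Files created in place normally inherit the parent directory's type, so the labelling of ~/Downloads would differ between fresh creation and a restorecon run. Unless that split is intended, the entry should read `HOME_DIR/Downloads(/.*)? gen_context(system_u:object_r:user_downloads_t,s0)`. The v2 patch below has the same entry.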
diff -pru refpolicy-git-19042017-orig/policy/modules/system/userdomain.if refpolicy-git-19042017-userdomain/policy/modules/system/userdomain.if
--- refpolicy-git-19042017-orig/policy/modules/system/userdomain.if 2017-04-19 14:05:08.613804337 +0200
+++ refpolicy-git-19042017-userdomain/policy/modules/system/userdomain.if 2017-04-20 01:28:48.756431117 +0200
@@ -255,8 +255,15 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

+ userdom_manage_user_cache($2)
userdom_manage_user_certs($2)
- userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+ userdom_manage_user_config($2)
+ userdom_manage_user_data($2)
+ userdom_manage_user_downloads($2)
+ userdom_user_home_dir_filetrans_user_cache($2, dir, ".cache")
+ userdom_user_home_dir_filetrans_user_certs($2, dir, ".pki")
+ userdom_user_home_dir_filetrans_user_config($2, dir, ".config")
+ userdom_user_home_dir_filetrans_user_data($2, dir, ".local")

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
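Review bot: `userdom_manage_user_downloads($2)` is added without a matching type transition for the directory name, whereas every other new type gets a `userdom_user_home_dir_filetrans_*` call here; a user creating ~/Downloads therefore gets user_home_t instead of user_downloads_t until the home directory is relabelled. Adding `userdom_user_home_dir_filetrans_user_downloads($2, dir, "Downloads")` next to the other filetrans calls, backed by an interface mirroring `userdom_user_home_dir_filetrans_user_cache` (gen_require of user_home_dir_t and user_downloads_t, then filetrans_pattern and files_search_home), would close the gap. The enclosing `userdom_manage_home_role` continues outside the hunk. The v2 hunk at the same location has the same omission.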
@@ -884,6 +891,8 @@ template(`userdom_login_user_template',
libs_exec_lib_files($1_t)

logging_dontaudit_getattr_all_logs($1_t)
+ logging_send_audit_msgs($1_t)
+ logging_send_syslog_msg($1_t)

miscfiles_read_man_pages($1_t)
# for running TeX programs
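Review bot: `logging_send_audit_msgs($1_t)` and `logging_send_syslog_msg($1_t)` widen every login user domain and are unrelated to the confidentiality goal the description states; the audit call in particular presumably carries audit_write capability and audit netlink socket access, which not every user domain should have. The v2 posting drops this hunk, which confirms it slipped in, so it should not be taken from v1. `userdom_login_user_template` continues outside the hunk.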
@@ -2104,14 +2113,6 @@ interface(`userdom_exec_user_home_conten

files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1)
- ')
')

########################################
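Review bot: Dropping the `use_nfs_home_dirs` and `use_samba_home_dirs` blocks from `userdom_exec_user_home_content_files` is a behaviour change the description does not mention: callers of this interface lose the ability to execute home content on NFS or CIFS homes when those booleans are on, while `userdom_manage_home_role` in the first hunk visibly keeps its tunable blocks. If the series only aims to tighten read/write access this removal looks unrelated; if it is intentional, the commit message should say why. The same removal is still present in v2 (its hunk at `@@ -2104,14 +2113,6 @@`).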
@@ -2155,7 +2156,8 @@ interface(`userdom_manage_user_home_cont

########################################
## <summary>
-## Do not audit attempts to create, read, write, and delete directories
+## Do not audit attempts to create,
+## read, write, and delete directories
## in a user home subdirectory.
## </summary>
## <param name="domain">
@@ -2172,6 +2174,27 @@ interface(`userdom_dontaudit_manage_user
dontaudit $1 user_home_t:dir manage_dir_perms;
')

+#######################################
+## <summary>
+## Do not audit attempts to
+## create, read, write, and delete
+## files in a user home
+## subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_manage_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir manage_dir_perms;
+')
+
########################################
## <summary>
## Create, read, write, and delete symbolic links
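Review bot: The new `userdom_dontaudit_manage_user_home_content_files` does not do what its summary says: its only rule is `dontaudit $1 user_home_t:dir manage_dir_perms;`, copied from the directory variant just above, so file accesses are still audited and the interface merely duplicates its sibling. The rule should be `dontaudit $1 user_home_t:file manage_file_perms;`, and `user_home_dir_t` in the gen_require is unused and can be dropped, leaving `type user_home_t;`. The v2 patch (hunk at `@@ -2172,6 +2174,27 @@`) carries the same body.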
@@ -2347,6 +2370,134 @@ interface(`userdom_user_home_content_fil
files_search_home($1)
')

+#######################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user cache type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cache',`
+ gen_require(`
+ type user_home_dir_t, user_cache_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_cache_t, $2, $3)
+ files_search_home($1)
+')
+
+#####################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user certificate type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_certs',`
+ gen_require(`
+ type user_home_dir_t, user_cert_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_cert_t, $2, $3)
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user config type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_config',`
+ gen_require(`
+ type user_home_dir_t, user_config_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_config_t, $2, $3)
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user data type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_data',`
+ gen_require(`
+ type user_home_dir_t, user_data_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_data_t, $2, $3)
+ files_search_home($1)
+')
+
########################################
## <summary>
## Create objects in a user home directory
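Review bot: The comment rulers above the four new filetrans interfaces are 39, 37, 38 and 38 `#` characters long (the `user_cache`, `user_certs`, `user_config` and `user_data` blocks), while the rest of the file uses the 40-character `########################################`; the two later hunks of this file and the v2 patch have the same uneven rulers, so a pass normalising them to 40 would help. Since the four bodies differ only in the target type and the generic `userdom_user_home_dir_filetrans` that the first hunk stops calling still exists, a one-line comment explaining that the wrappers exist so callers need not gen_require the private types would make the duplication look deliberate rather than accidental.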
@@ -2378,6 +2529,163 @@ interface(`userdom_user_home_dir_filetra
files_search_home($1)
')

+######################################
+## <summary>
+## Create objects in a directory located
+## in a user cache directory with an
+## automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_cache_filetrans',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ filetrans_pattern($1, user_cache_t, $2, $3, $4)
+ allow $1 user_cache_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+#######################################
+## <summary>
+## Create objects in a directory located
+## in a user config directory with an
+## automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_config_filetrans',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ filetrans_pattern($1, user_config_t, $2, $3, $4)
+ allow $1 user_config_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Create objects in a directory located
+## in a user data directory with an
+## automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_data_filetrans',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ filetrans_pattern($1, user_data_t, $2, $3, $4)
+ allow $1 user_data_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Do not audit attempts to manage
+## the user cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_cache',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ dontaudit $1 user_cache_t:dir manage_dir_perms;
+ dontaudit $1 user_cache_t:file manage_file_perms;
+ dontaudit $1 user_cache_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Manage user cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_cache',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ manage_dirs_pattern($1, user_cache_t, user_cache_t)
+ manage_files_pattern($1, user_cache_t, user_cache_t)
+ manage_lnk_files_pattern($1, user_cache_t, user_cache_t)
+ files_search_home($1)
+')
+
########################################
## <summary>
## Read user SSL certificates.
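Review bot: `userdom_user_cache_filetrans` (and the config and data variants) grants `allow $1 user_cache_t:dir search_dir_perms;` plus `files_search_home($1)` but nothing on user_home_dir_t, which sits between the home root and ~/.cache, so a domain given only this interface cannot traverse to the cache directory. The search on user_cache_t is presumably already covered by `filetrans_pattern`, which in refpolicy's support macros grants directory write permissions on the parent type, so the line actually needed is `allow $1 user_home_dir_t:dir search_dir_perms;` with `user_home_dir_t` added to the gen_require; the same gap exists in the `userdom_manage_user_*` interfaces here and in the hunk at `@@ -2443,6 +2751,135 @@`, and in both v2 hunks. Separately, the `userdom_dontaudit_manage_user_*` interfaces carry `<rolecap/>` and describe their parameter as "Domain allowed access." although they grant nothing; use `Domain to not audit.` as the new `userdom_dontaudit_manage_user_home_content_files` block does and drop the rolecap tag.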
@@ -2400,7 +2708,7 @@ interface(`userdom_read_user_certs',`
files_search_home($1)
')

-########################################
+#######################################
## <summary>
## Do not audit attempts to manage
## the user SSL certificates.
@@ -2443,6 +2751,135 @@ interface(`userdom_manage_user_certs',`
files_search_home($1)
')

+######################################
+## <summary>
+## Do not audit attempts to manage
+## the user configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_config',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ dontaudit $1 user_config_t:dir manage_dir_perms;
+ dontaudit $1 user_config_t:file manage_file_perms;
+ dontaudit $1 user_config_t:lnk_file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Manage user configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_config',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ manage_dirs_pattern($1, user_config_t, user_config_t)
+ manage_files_pattern($1, user_config_t, user_config_t)
+ manage_lnk_files_pattern($1, user_config_t, user_config_t)
+ files_search_home($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to manage
+## the user data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_data',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ dontaudit $1 user_data_t:dir manage_dir_perms;
+ dontaudit $1 user_data_t:file manage_file_perms;
+ dontaudit $1 user_data_t:lnk_file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Manage user data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_data',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ manage_dirs_pattern($1, user_data_t, user_data_t)
+ manage_files_pattern($1, user_data_t, user_data_t)
+ manage_lnk_files_pattern($1, user_data_t, user_data_t)
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Do not audit attempts to manage
+## the user downloaded files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_downloads',`
+ gen_require(`
+ type user_downloads_t;
+ ')
+
+ dontaudit $1 user_downloads_t:dir manage_dir_perms;
+ dontaudit $1 user_downloads_t:file manage_file_perms;
+ dontaudit $1 user_downloads_t:lnk_file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Manage user downloaded files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_downloads',`
+ gen_require(`
+ type user_downloads_t;
+ ')
+
+ manage_dirs_pattern($1, user_downloads_t, user_downloads_t)
+ manage_files_pattern($1, user_downloads_t, user_downloads_t)
+ manage_lnk_files_pattern($1, user_downloads_t, user_downloads_t)
+ files_search_home($1)
+')
+
########################################
## <summary>
## Write to user temporary named sockets.
diff -pru refpolicy-git-19042017-orig/policy/modules/system/userdomain.te refpolicy-git-19042017-userdomain/policy/modules/system/userdomain.te
--- refpolicy-git-19042017-orig/policy/modules/system/userdomain.te 2017-04-19 14:05:08.613804337 +0200
+++ refpolicy-git-19042017-userdomain/policy/modules/system/userdomain.te 2017-04-20 01:28:48.758431117 +0200
@@ -93,14 +93,26 @@ files_associate_tmp(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)

+type user_cache_t;
+userdom_user_home_content(user_cache_t)
+
type user_cert_t;
userdom_user_home_content(user_cert_t)

+type user_config_t;
+userdom_user_home_content(user_config_t)
+
+type user_data_t;
+userdom_user_home_content(user_data_t)
+
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)

+type user_downloads_t;
+userdom_user_home_content(user_downloads_t)
+
type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
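Review bot: The five new types are declared only through `userdom_user_home_content()`, so they presumably join the same home-content attribute as user_home_t and stay reachable through any interface that grants access to that attribute rather than to user_home_t alone; the confidentiality gain therefore depends on the per-module patches avoiding those attribute-wide interfaces, which deserves a short comment here, e.g. `# private home content types; grant access via the userdom_manage_user_* interfaces, not via the home content attribute`. The description also mentions a revert boolean, but none is declared in this module, so it must live in the per-module patches — confirm that is intended. The v2 hunk is identical.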


2017-04-20 14:19:16

by guido

Subject: [refpolicy] [PATCH v2 1/33] userdomain: main user data confidentiality patch

This is the main patch to curb userdomain file read and/or write
permissions for all daemons and applications that are currently
allowed such permissions indiscriminately.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior (where possible, its name starts with the module name and
ends with "_enable_home_dirs").

This second version simply removes unrelated bits that slipped in.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.fc | 4
policy/modules/system/userdomain.if | 457 +++++++++++++++++++++++++++++++++++-
policy/modules/system/userdomain.te | 12
3 files changed, 462 insertions(+), 11 deletions(-)

diff -pru a/policy/modules/system/userdomain.fc b-userdomain/policy/modules/system/userdomain.fc
--- a/policy/modules/system/userdomain.fc 2017-03-29 17:57:54.572386420 +0200
+++ b-userdomain/policy/modules/system/userdomain.fc 2017-04-20 01:28:48.751431118 +0200
@@ -1,6 +1,10 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:user_cache_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:user_config_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:user_data_t,s0)
HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
+HOME_DIR/Downloads gen_context(system_u:object_r:user_downloads_t,s0)

/tmp/gconfd-%{USERNAME} -d gen_context(system_u:object_r:user_tmp_t,s0)

diff -pru a/policy/modules/system/userdomain.if b-userdomain/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if 2017-04-19 14:05:08.613804337 +0200
+++ b-userdomain/policy/modules/system/userdomain.if 2017-04-20 01:28:48.756431117 +0200
@@ -255,8 +255,15 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

+ userdom_manage_user_cache($2)
userdom_manage_user_certs($2)
- userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+ userdom_manage_user_config($2)
+ userdom_manage_user_data($2)
+ userdom_manage_user_downloads($2)
+ userdom_user_home_dir_filetrans_user_cache($2, dir, ".cache")
+ userdom_user_home_dir_filetrans_user_certs($2, dir, ".pki")
+ userdom_user_home_dir_filetrans_user_config($2, dir, ".config")
+ userdom_user_home_dir_filetrans_user_data($2, dir, ".local")

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
@@ -2104,14 +2113,6 @@ interface(`userdom_exec_user_home_conten

files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1)
- ')
')

########################################
@@ -2155,7 +2156,8 @@ interface(`userdom_manage_user_home_cont

########################################
## <summary>
-## Do not audit attempts to create, read, write, and delete directories
+## Do not audit attempts to create,
+## read, write, and delete directories
## in a user home subdirectory.
## </summary>
## <param name="domain">
@@ -2172,6 +2174,27 @@ interface(`userdom_dontaudit_manage_user
dontaudit $1 user_home_t:dir manage_dir_perms;
')

+#######################################
+## <summary>
+## Do not audit attempts to
+## create, read, write, and delete
+## files in a user home
+## subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_manage_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir manage_dir_perms;
+')
+
########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -2347,6 +2370,134 @@ interface(`userdom_user_home_content_fil
files_search_home($1)
')

+#######################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user cache type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cache',`
+ gen_require(`
+ type user_home_dir_t, user_cache_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_cache_t, $2, $3)
+ files_search_home($1)
+')
+
+#####################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user certificate type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_certs',`
+ gen_require(`
+ type user_home_dir_t, user_cert_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_cert_t, $2, $3)
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user config type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_config',`
+ gen_require(`
+ type user_home_dir_t, user_config_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_config_t, $2, $3)
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user data type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_data',`
+ gen_require(`
+ type user_home_dir_t, user_data_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_data_t, $2, $3)
+ files_search_home($1)
+')
+
########################################
## <summary>
## Create objects in a user home directory
@@ -2378,6 +2529,163 @@ interface(`userdom_user_home_dir_filetra
files_search_home($1)
')

+######################################
+## <summary>
+## Create objects in a directory located
+## in a user cache directory with an
+## automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_cache_filetrans',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ filetrans_pattern($1, user_cache_t, $2, $3, $4)
+ allow $1 user_cache_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+#######################################
+## <summary>
+## Create objects in a directory located
+## in a user config directory with an
+## automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_config_filetrans',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ filetrans_pattern($1, user_config_t, $2, $3, $4)
+ allow $1 user_config_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Create objects in a directory located
+## in a user data directory with an
+## automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_data_filetrans',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ filetrans_pattern($1, user_data_t, $2, $3, $4)
+ allow $1 user_data_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Do not audit attempts to manage
+## the user cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_cache',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ dontaudit $1 user_cache_t:dir manage_dir_perms;
+ dontaudit $1 user_cache_t:file manage_file_perms;
+ dontaudit $1 user_cache_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Manage user cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_cache',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ manage_dirs_pattern($1, user_cache_t, user_cache_t)
+ manage_files_pattern($1, user_cache_t, user_cache_t)
+ manage_lnk_files_pattern($1, user_cache_t, user_cache_t)
+ files_search_home($1)
+')
+
########################################
## <summary>
## Read user SSL certificates.
@@ -2400,7 +2708,7 @@ interface(`userdom_read_user_certs',`
files_search_home($1)
')

-########################################
+#######################################
## <summary>
## Do not audit attempts to manage
## the user SSL certificates.
@@ -2443,6 +2751,135 @@ interface(`userdom_manage_user_certs',`
files_search_home($1)
')

+######################################
+## <summary>
+## Do not audit attempts to manage
+## the user configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_config',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ dontaudit $1 user_config_t:dir manage_dir_perms;
+ dontaudit $1 user_config_t:file manage_file_perms;
+ dontaudit $1 user_config_t:lnk_file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Manage user configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_config',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ manage_dirs_pattern($1, user_config_t, user_config_t)
+ manage_files_pattern($1, user_config_t, user_config_t)
+ manage_lnk_files_pattern($1, user_config_t, user_config_t)
+ files_search_home($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to manage
+## the user data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_data',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ dontaudit $1 user_data_t:dir manage_dir_perms;
+ dontaudit $1 user_data_t:file manage_file_perms;
+ dontaudit $1 user_data_t:lnk_file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Manage user data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_data',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ manage_dirs_pattern($1, user_data_t, user_data_t)
+ manage_files_pattern($1, user_data_t, user_data_t)
+ manage_lnk_files_pattern($1, user_data_t, user_data_t)
+ files_search_home($1)
+')
+
+######################################
+## <summary>
+## Do not audit attempts to manage
+## the user downloaded files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_downloads',`
+ gen_require(`
+ type user_downloads_t;
+ ')
+
+ dontaudit $1 user_downloads_t:dir manage_dir_perms;
+ dontaudit $1 user_downloads_t:file manage_file_perms;
+ dontaudit $1 user_downloads_t:lnk_file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Manage user downloaded files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_downloads',`
+ gen_require(`
+ type user_downloads_t;
+ ')
+
+ manage_dirs_pattern($1, user_downloads_t, user_downloads_t)
+ manage_files_pattern($1, user_downloads_t, user_downloads_t)
+ manage_lnk_files_pattern($1, user_downloads_t, user_downloads_t)
+ files_search_home($1)
+')
+
########################################
## <summary>
## Write to user temporary named sockets.
diff -pru a/policy/modules/system/userdomain.te b-userdomain/policy/modules/system/userdomain.te
--- a/policy/modules/system/userdomain.te 2017-04-19 14:05:08.613804337 +0200
+++ b-userdomain/policy/modules/system/userdomain.te 2017-04-20 01:28:48.758431117 +0200
@@ -93,14 +93,26 @@ files_associate_tmp(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)

+type user_cache_t;
+userdom_user_home_content(user_cache_t)
+
type user_cert_t;
userdom_user_home_content(user_cert_t)

+type user_config_t;
+userdom_user_home_content(user_config_t)
+
+type user_data_t;
+userdom_user_home_content(user_data_t)
+
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)

+type user_downloads_t;
+userdom_user_home_content(user_downloads_t)
+
type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)