2010-07-08 15:30:30

by domg472

Subject: [refpolicy] [ Simplify user content patch 1/7] user home content.

Declare attribute user_home_type for userdom_user_home_content.
Modify userdom_user_home_content() to include:
- files_poly_member
- attribute user_home_type
Remove redundant files_poly_member() calls in the various modules.
Remove userdom_user_home_content calls for user_tmp_t and user_tmpfs_t: they are not userdom_user_home_content but userdom_user_tmp_content and userdom_user_tmpfs_content respectively.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 db570f6... f294491... M policy/modules/apps/evolution.te
:100644 100644 4204eec... 5bb9e30... M policy/modules/apps/gift.te
:100644 100644 62631ec... ebcd681... M policy/modules/apps/mozilla.te
:100644 100644 da32014... 82c4a54... M policy/modules/apps/mplayer.te
:100644 100644 c4e581e... 6f08115... M policy/modules/apps/thunderbird.te
:100644 100644 acc7244... d736572... M policy/modules/apps/tvtime.te
:100644 100644 3c43106... 31bbf17... M policy/modules/apps/wireshark.te
:100644 100644 7629cf8... e4ecbbd... M policy/modules/services/razor.te
:100644 100644 438dab7... b6a8919... M policy/modules/services/spamassassin.te
:100644 100644 2dad3c8... 5d3b416... M policy/modules/services/ssh.te
:100644 100644 4566008... d2b2626... M policy/modules/services/xserver.te
:100644 100644 c7c83c4... d5cf579... M policy/modules/system/userdomain.if
:100644 100644 69b2e0f... 11bba0d... M policy/modules/system/userdomain.te
policy/modules/apps/evolution.te | 1 -
policy/modules/apps/gift.te | 1 -
policy/modules/apps/mozilla.te | 1 -
policy/modules/apps/mplayer.te | 1 -
policy/modules/apps/thunderbird.te | 1 -
policy/modules/apps/tvtime.te | 1 -
policy/modules/apps/wireshark.te | 1 -
policy/modules/services/razor.te | 1 -
policy/modules/services/spamassassin.te | 1 -
policy/modules/services/ssh.te | 1 -
policy/modules/services/xserver.te | 2 --
policy/modules/system/userdomain.if | 4 ++++
policy/modules/system/userdomain.te | 7 +++----
13 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index db570f6..f294491 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -59,7 +59,6 @@ ubac_constrained(evolution_exchange_orbit_tmp_t)
type evolution_home_t;
typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
-files_poly_member(evolution_home_t)
userdom_user_home_content(evolution_home_t)

type evolution_orbit_tmp_t;
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 4204eec..5bb9e30 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -15,7 +15,6 @@ ubac_constrained(gift_t)
type gift_home_t;
typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
-files_poly_member(gift_home_t)
userdom_user_home_content(gift_home_t)

type gift_tmpfs_t;
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 62631ec..ebcd681 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,7 +25,6 @@ files_config_file(mozilla_conf_t)
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-files_poly_member(mozilla_home_t)
userdom_user_home_content(mozilla_home_t)

type mozilla_tmpfs_t;
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index da32014..82c4a54 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -32,7 +32,6 @@ files_config_file(mplayer_etc_t)
type mplayer_home_t;
typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
-files_poly_member(mplayer_home_t)
userdom_user_home_content(mplayer_home_t)

type mplayer_tmpfs_t;
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index c4e581e..6f08115 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -15,7 +15,6 @@ ubac_constrained(thunderbird_t)
type thunderbird_home_t;
typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
-files_poly_member(thunderbird_home_t)
userdom_user_home_content(thunderbird_home_t)

type thunderbird_tmpfs_t;
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index acc7244..d736572 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -16,7 +16,6 @@ type tvtime_home_t alias tvtime_rw_t;
typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
userdom_user_home_content(tvtime_home_t)
-files_poly_member(tvtime_home_t)

type tvtime_tmp_t;
typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 3c43106..31bbf17 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -15,7 +15,6 @@ ubac_constrained(wireshark_t)
type wireshark_home_t;
typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
-files_poly_member(wireshark_home_t)
userdom_user_home_content(wireshark_home_t)

type wireshark_tmp_t;
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 7629cf8..e4ecbbd 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -14,7 +14,6 @@ files_config_file(razor_etc_t)
type razor_home_t;
typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-files_poly_member(razor_home_t)
userdom_user_home_content(razor_home_t)

type razor_log_t;
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 438dab7..b6a8919 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -30,7 +30,6 @@ type spamassassin_home_t;
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
userdom_user_home_content(spamassassin_home_t)
-files_poly_member(spamassassin_home_t)

type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..5d3b416 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -76,7 +76,6 @@ ubac_constrained(ssh_tmpfs_t)
type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
-files_type(ssh_home_t)
userdom_user_home_content(ssh_home_t)

##############################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4566008..d2b2626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -131,7 +131,6 @@ ubac_constrained(iceauth_t)
type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-files_poly_member(iceauth_home_t)
userdom_user_home_content(iceauth_home_t)

type xauth_t;
@@ -144,7 +143,6 @@ ubac_constrained(xauth_t)
type xauth_home_t;
typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
-files_poly_member(xauth_home_t)
userdom_user_home_content(xauth_home_t)

type xauth_tmp_t;
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c7c83c4..d5cf579 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1275,12 +1275,16 @@ template(`userdom_security_admin_template',`
#
interface(`userdom_user_home_content',`
gen_require(`
+ attribute user_home_type;
type user_home_t;
')

allow $1 user_home_t:filesystem associate;
files_type($1)
ubac_constrained($1)
+
+ files_poly_member($1)
+ typeattribute $1 user_home_type;
')

########################################
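Review bot: The interface's documentation comment (it closes at the `#` on the first hunk line; the rest is outside the hunk) does not describe the two new effects, so callers cannot see that `userdom_user_home_content` now also makes the type a polyinstantiation member and adds it to `user_home_type`; a summary line such as `## Also applies files_poly_member() to the type and adds it to the user_home_type attribute.` would close that gap. Because `files_poly_member($1)` now runs for every caller, it is not only replacing the calls the description calls redundant: ssh_home_t in ssh.te only had `files_type(ssh_home_t)` removed, so after this patch it newly becomes a polyinstantiation member, which is worth confirming as intended. The `gen_require` addition and `typeattribute $1 user_home_type;` are correctly terminated, but they depend on the `attribute user_home_type` declaration in userdomain.te being syntactically valid.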
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 69b2e0f..11bba0d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -59,6 +59,9 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;

+# Attributes for various classes of user content.
+attribute user_home_type
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
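Review bot: The new declaration `attribute user_home_type` is missing its terminating semicolon; the existing declarations just above it (`attribute untrusted_content_type;`) show the required form, so the line should read `attribute user_home_type;` or the policy will not build, and the `typeattribute $1 user_home_type;` added in userdomain.if depends on it. Separately, the third hunk of this file drops `userdom_user_home_content()` from user_tmp_t and user_tmpfs_t without adding the `userdom_user_tmp_content`/`userdom_user_tmpfs_content` calls the description names, so unless `files_tmp_file()`/`files_tmpfs_file()` supply them those types lose the `files_type`, `ubac_constrained` and `user_home_t:filesystem associate` that the interface applied; presumably a later patch in the series restores this, but on its own this patch leaves that gap.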
@@ -74,10 +77,8 @@ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-files_poly_member(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
-ubac_constrained(user_home_t)

type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
@@ -87,11 +88,9 @@ ubac_constrained(user_devpts_t)
type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
-userdom_user_home_content(user_tmp_t)

type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
-userdom_user_home_content(user_tmpfs_t)

type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
--
1.7.1
