2010-07-08 15:38:37

by domg472

Subject: [refpolicy] [ Simplify user content patch 5/7] user_tmpfs_t

Declare attribute user_tmpfs_type in the user domain.
Create userdom_user_tmpfs_content, which includes:
- attribute user_tmpfs_type;
- files_tmpfs_file;
- ubac_constrained.
Change the user_tmpfs_t declaration to use userdom_user_tmpfs_content.
Change the user tmpfs content declarations in various modules to use userdom_user_tmpfs_content().

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2542c34... f6c312b... M policy/modules/apps/evolution.te
:100644 100644 cea5c8c... 45c59f2... M policy/modules/apps/games.te
:100644 100644 5bb9e30... 31546b7... M policy/modules/apps/gift.te
:100644 100644 c6f1fe2... 78bfb13... M policy/modules/apps/gpg.te
:100644 100644 dd0737c... aa8fa03... M policy/modules/apps/java.te
:100644 100644 ebcd681... ec10781... M policy/modules/apps/mozilla.te
:100644 100644 82c4a54... 4f4e249... M policy/modules/apps/mplayer.te
:100644 100644 892057b... f05e641... M policy/modules/apps/podsleuth.te
:100644 100644 6f08115... 58a924e... M policy/modules/apps/thunderbird.te
:100644 100644 10d6692... 76b0605... M policy/modules/apps/tvtime.te
:100644 100644 62960c0... 05d8159... M policy/modules/apps/uml.te
:100644 100644 b74bf4d... cbaf379... M policy/modules/apps/vmware.te
:100644 100644 ca29f80... 40f24a7... M policy/modules/apps/wireshark.te
:100644 100644 1bdeb16... 3695f3c... M policy/modules/apps/xscreensaver.te
:100644 100644 7aec719... 728d1fa... M policy/modules/system/userdomain.if
:100644 100644 e990ead... 164c166... M policy/modules/system/userdomain.te
policy/modules/apps/evolution.te | 12 ++++--------
policy/modules/apps/games.te | 3 +--
policy/modules/apps/gift.te | 3 +--
policy/modules/apps/gpg.te | 3 +--
policy/modules/apps/java.te | 3 +--
policy/modules/apps/mozilla.te | 3 +--
policy/modules/apps/mplayer.te | 3 +--
policy/modules/apps/podsleuth.te | 3 +--
policy/modules/apps/thunderbird.te | 3 +--
policy/modules/apps/tvtime.te | 3 +--
policy/modules/apps/uml.te | 3 +--
policy/modules/apps/vmware.te | 3 +--
policy/modules/apps/wireshark.te | 3 +--
policy/modules/apps/xscreensaver.te | 3 +--
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
policy/modules/system/userdomain.te | 3 ++-
16 files changed, 42 insertions(+), 35 deletions(-)

diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 2542c34..f6c312b 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -22,8 +22,7 @@ ubac_constrained(evolution_alarm_t)
type evolution_alarm_tmpfs_t;
typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
-files_tmpfs_file(evolution_alarm_tmpfs_t)
-ubac_constrained(evolution_alarm_tmpfs_t)
+userdom_user_tmpfs_content(evolution_alarm_tmpfs_t)

type evolution_alarm_orbit_tmp_t;
typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
@@ -40,8 +39,7 @@ ubac_constrained(evolution_exchange_t)
type evolution_exchange_tmpfs_t;
typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
-files_tmpfs_file(evolution_exchange_tmpfs_t)
-ubac_constrained(evolution_exchange_tmpfs_t)
+userdom_user_tmpfs_content(evolution_exchange_tmpfs_t)

type evolution_exchange_tmp_t;
typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
@@ -78,8 +76,7 @@ userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
type evolution_tmpfs_t;
typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
-files_tmpfs_file(evolution_tmpfs_t)
-ubac_constrained(evolution_tmpfs_t)
+userdom_user_tmpfs_content(evolution_tmpfs_t)

type evolution_webcal_t;
type evolution_webcal_exec_t;
@@ -91,8 +88,7 @@ ubac_constrained(evolution_webcal_t)
type evolution_webcal_tmpfs_t;
typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
-files_tmpfs_file(evolution_webcal_tmpfs_t)
-ubac_constrained(evolution_webcal_tmpfs_t)
+userdom_user_tmpfs_content(evolution_webcal_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index cea5c8c..45c59f2 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -40,8 +40,7 @@ userdom_user_tmp_content(games_t, games_tmp_t)
type games_tmpfs_t;
typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
-files_tmpfs_file(games_tmpfs_t)
-ubac_constrained(games_tmpfs_t)
+userdom_user_tmpfs_content(games_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 5bb9e30..31546b7 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -20,8 +20,7 @@ userdom_user_home_content(gift_home_t)
type gift_tmpfs_t;
typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
-files_tmpfs_file(gift_tmpfs_t)
-ubac_constrained(gift_tmpfs_t)
+userdom_user_tmpfs_content(gift_tmpfs_t)

type giftd_t;
type giftd_exec_t;
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index c6f1fe2..78bfb13 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -57,8 +57,7 @@ type gpg_pinentry_tmp_t;
userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)

type gpg_pinentry_tmpfs_t;
-files_tmpfs_file(gpg_pinentry_tmpfs_t)
-ubac_constrained(gpg_pinentry_tmpfs_t)
+userdom_user_tmpfs_content(gpg_pinentry_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index dd0737c..aa8fa03 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -28,10 +28,9 @@ typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm
typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };

type java_tmpfs_t;
-ubac_constrained(java_tmpfs_t)
-files_tmpfs_file(java_tmpfs_t)
typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+userdom_user_tmpfs_content(java_tmpfs_t)

type unconfined_java_t;
init_system_domain(unconfined_java_t, java_exec_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index ebcd681..ec10781 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -30,8 +30,7 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_tmpfs_t;
typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
-files_tmpfs_file(mozilla_tmpfs_t)
-ubac_constrained(mozilla_tmpfs_t)
+userdom_user_tmpfs_content(mozilla_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 82c4a54..4f4e249 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -37,8 +37,7 @@ userdom_user_home_content(mplayer_home_t)
type mplayer_tmpfs_t;
typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
-files_tmpfs_file(mplayer_tmpfs_t)
-ubac_constrained(mplayer_tmpfs_t)
+userdom_user_tmpfs_content(mplayer_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 892057b..f05e641 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -18,8 +18,7 @@ type podsleuth_tmp_t;
userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)

type podsleuth_tmpfs_t;
-files_tmpfs_file(podsleuth_tmpfs_t)
-ubac_constrained(podsleuth_tmpfs_t)
+userdom_user_tmpfs_content(podsleuth_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 6f08115..58a924e 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -20,8 +20,7 @@ userdom_user_home_content(thunderbird_home_t)
type thunderbird_tmpfs_t;
typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
-files_tmpfs_file(thunderbird_tmpfs_t)
-ubac_constrained(thunderbird_tmpfs_t)
+userdom_user_tmpfs_content(thunderbird_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 10d6692..76b0605 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -25,8 +25,7 @@ userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
type tvtime_tmpfs_t;
typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
-files_tmpfs_file(tvtime_tmpfs_t)
-ubac_constrained(tvtime_tmpfs_t)
+userdom_user_tmpfs_content(tvtime_tmpfs_t)

########################################
#
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 62960c0..05d8159 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -30,8 +30,7 @@ userdom_user_tmp_content(uml_t, uml_tmp_t)
type uml_tmpfs_t;
typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
-files_tmpfs_file(uml_tmpfs_t)
-ubac_constrained(uml_tmpfs_t)
+userdom_user_tmpfs_content(uml_tmpfs_t)

type uml_devpts_t;
typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index b74bf4d..cbaf379 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -55,8 +55,7 @@ userdom_user_tmp_content(vmware_t, vmware_tmp_t)
type vmware_tmpfs_t;
typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
-files_tmpfs_file(vmware_tmpfs_t)
-ubac_constrained(vmware_tmpfs_t)
+userdom_user_tmpfs_content(vmware_tmpfs_t)

ifdef(`enable_mcs',`
init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index ca29f80..40f24a7 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -25,8 +25,7 @@ userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
type wireshark_tmpfs_t;
typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
-files_tmpfs_file(wireshark_tmpfs_t)
-ubac_constrained(wireshark_tmpfs_t)
+userdom_user_tmpfs_content(wireshark_tmpfs_t)

##############################
#
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
index 1bdeb16..3695f3c 100644
--- a/policy/modules/apps/xscreensaver.te
+++ b/policy/modules/apps/xscreensaver.te
@@ -11,8 +11,7 @@ application_domain(xscreensaver_t, xscreensaver_exec_t)
ubac_constrained(xscreensaver_t)

type xscreensaver_tmpfs_t;
-files_tmpfs_file(xscreensaver_tmpfs_t)
-ubac_constrained(xscreensaver_tmpfs_t)
+userdom_user_tmpfs_content(xscreensaver_tmpfs_t)

########################################
#
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7aec719..728d1fa 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1327,6 +1327,29 @@ interface(`userdom_user_tmp_content',`

########################################
## <summary>
+## Make the specified type usable user
+## shared memory content.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as user shared
+## memory content.
+## </summary>
+## </param>
+#
+interface(`userdom_user_tmpfs_content',`
+ gen_require(`
+ attribute user_tmpfs_type;
+ ')
+
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
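Review bot: The interface summary at the top of the hunk reads `Make the specified type usable user shared memory content`, which is missing a word and names tmpfs only indirectly; `## Make the specified type usable as user tmpfs (shared memory) content.` matches the attribute the interface assigns and the neighbouring `userdom_user_tmp_content` interface. The parameter summary would likewise read better as `## Type to be used as user tmpfs content.`. The new interface takes a single type argument while the neighbouring `userdom_user_tmp_content` is called with a domain and a type (see the context lines in the apps hunks, e.g. `userdom_user_tmp_content(games_t, games_tmp_t)`); if the asymmetry is intentional, a one-line comment saying so would stop future callers from passing a domain by analogy. Nothing in this patch grants or constrains anything on `user_tmpfs_type` yet, presumably a later part of the series does, so a short comment to that effect at the attribute declaration would make the intermediate state clear.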
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e990ead..164c166 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -62,6 +62,7 @@ attribute untrusted_content_tmp_type;
# Attributes for various classes of user content.
attribute user_home_type;
attribute user_tmp_type;
+attribute user_tmpfs_type;

type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
@@ -91,7 +92,7 @@ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_cont
userdom_user_tmp_content(userdomain, user_tmp_t)

type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
-files_tmpfs_file(user_tmpfs_t)
+userdom_user_tmpfs_content(user_tmpfs_t)

type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
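Review bot: Replacing `files_tmpfs_file(user_tmpfs_t)` with `userdom_user_tmpfs_content(user_tmpfs_t)` also applies `ubac_constrained()` to `user_tmpfs_t`, which the removed line did not do, so this hunk is not the pure substitution the description suggests. Because `user_tmpfs_t` carries the `staff_tmpfs_t`, `sysadm_tmpfs_t`, `secadm_tmpfs_t`, `auditadm_tmpfs_t` and `unconfined_tmpfs_t` aliases, any cross-user access to these tmpfs objects that relied on the type sitting outside UBAC would become subject to the UBAC constraints when that feature is enabled; that is a tightening, but it should be deliberate and stated. Either mention it in the description or, if UBAC on `user_tmpfs_t` is not wanted, keep the old behaviour with `files_tmpfs_file(user_tmpfs_t)` plus `typeattribute user_tmpfs_t user_tmpfs_type;`. The app-module hunks are unaffected since they already called both macros.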
--
1.7.1
