2010-07-08 15:44:46

by domg472

Subject: [refpolicy] [ Simplify user content patch 7/7] Various clean ups and fixes.

Remove policy where user domains are implicitly allowed to manage/relabel userdom user content. Also fix some issues: files_poly_member_tmp is causing a conflict in both the java and evolution modules, because they have two tmp types.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 1cb204c... 0402a98... M policy/modules/apps/evolution.if
:100644 100644 f6c312b... 5643eda... M policy/modules/apps/evolution.te
:100644 100644 c9b90d3... 89c2390... M policy/modules/apps/gift.if
:100644 100644 9601de0... 3790011... M policy/modules/apps/gnome.if
:100644 100644 793cde7... 8db8526... M policy/modules/apps/gpg.if
:100644 100644 344a5b3... 836b886... M policy/modules/apps/mozilla.if
:100644 100644 c7ad0f5... 6afbd09... M policy/modules/apps/mplayer.if
:100644 100644 9ebb373... 0f70007... M policy/modules/apps/pulseaudio.if
:100644 100644 c2cc18d... e93e39b... M policy/modules/apps/thunderbird.if
:100644 100644 8d89f21... c5adfa3... M policy/modules/apps/tvtime.if
:100644 100644 d2ab7cb... f91f075... M policy/modules/apps/uml.if
:100644 100644 a7c27a5... c7a970c... M policy/modules/apps/wireshark.if
:100644 100644 30754e4... f009614... M policy/modules/roles/staff.te
:100644 100644 794e06f... e40cab1... M policy/modules/roles/sysadm.te
:100644 100644 d5d5042... 4ed9204... M policy/modules/roles/unprivuser.te
:100644 100644 57feb5a... f0fdcf1... M policy/modules/services/apache.if
:100644 100644 3745b62... 1a96e6e... M policy/modules/services/pyzor.if
:100644 100644 cd683f9... 2b30c50... M policy/modules/services/pyzor.te
:100644 100644 f4a355f... b980564... M policy/modules/services/razor.if
:100644 100644 e4ecbbd... 43a5de5... M policy/modules/services/razor.te
:100644 100644 3945628... 6717e75... M policy/modules/services/spamassassin.if
:100644 100644 b6a8919... 6847a9b... M policy/modules/services/spamassassin.te
:100644 100644 567592d... ccc6bb2... M policy/modules/services/ssh.if
:100644 100644 5d3b416... 9559ee1... M policy/modules/services/ssh.te
:100644 100644 8633a6a... 8b70b1b... M policy/modules/services/xserver.if
:100644 100644 d2b2626... 5dfdcb7... M policy/modules/services/xserver.te
policy/modules/apps/evolution.if | 10 +------
policy/modules/apps/evolution.te | 5 +++-
policy/modules/apps/gift.if | 9 ------
policy/modules/apps/gnome.if | 2 -
policy/modules/apps/gpg.if | 10 -------
policy/modules/apps/mozilla.if | 14 +++-------
policy/modules/apps/mplayer.if | 9 ------
policy/modules/apps/pulseaudio.if | 2 +-
policy/modules/apps/thunderbird.if | 9 ------
policy/modules/apps/tvtime.if | 9 ------
policy/modules/apps/uml.if | 28 +------------------
policy/modules/apps/wireshark.if | 9 ------
policy/modules/roles/staff.te | 5 ---
policy/modules/roles/sysadm.te | 5 ---
policy/modules/roles/unprivuser.te | 5 ---
policy/modules/services/apache.if | 27 ------------------
policy/modules/services/pyzor.if | 1 -
policy/modules/services/pyzor.te | 3 +-
policy/modules/services/razor.if | 9 +-----
policy/modules/services/razor.te | 11 +++----
policy/modules/services/spamassassin.if | 10 +------
policy/modules/services/spamassassin.te | 6 +---
policy/modules/services/ssh.if | 18 +++---------
policy/modules/services/ssh.te | 6 +---
policy/modules/services/xserver.if | 46 +------------------------------
policy/modules/services/xserver.te | 9 ++----
26 files changed, 31 insertions(+), 246 deletions(-)

diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 1cb204c..0402a98 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -17,10 +17,9 @@
#
interface(`evolution_role',`
gen_require(`
- type evolution_t, evolution_exec_t, evolution_home_t;
+ type evolution_t, evolution_exec_t;
type evolution_alarm_t, evolution_alarm_exec_t;
type evolution_exchange_t, evolution_exchange_exec_t;
- type evolution_exchange_orbit_tmp_t;
type evolution_server_t, evolution_server_exec_t;
type evolution_webcal_t, evolution_webcal_exec_t;
')
@@ -49,17 +48,10 @@ interface(`evolution_role',`
allow $2 evolution_t:process noatsecure;
allow $2 evolution_t:process signal_perms;

- # Access .evolution
- allow $2 evolution_home_t:dir manage_dir_perms;
- allow $2 evolution_home_t:file manage_file_perms;
- allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
- allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
allow evolution_exchange_t $2:unix_stream_socket connectto;

# Clock applet talks to exchange (FIXME: Needs policy)
allow $2 evolution_exchange_t:unix_stream_socket connectto;
- allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
')

########################################
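Review bot: Removing `allow $2 evolution_exchange_orbit_tmp_t:sock_file write;` leaves the kept `allow $2 evolution_exchange_t:unix_stream_socket connectto;` without write access to the socket file it connects through. Connecting to a path-bound unix socket needs write on the sock_file as well as connectto on the peer. The evolution.te hunk in this patch deliberately does not register evolution_exchange_orbit_tmp_t as user tmp content, so the user-content attribute presumably does not restore that access. If the clock applet is still meant to talk to exchange, keep that allow rule and `type evolution_exchange_orbit_tmp_t;` in gen_require.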
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index f6c312b..5643eda 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -49,7 +49,10 @@ userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)
type evolution_exchange_orbit_tmp_t;
typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
-userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t)
+# This conflict with evolution_exchange_tmp_t (probably files_poly_member_tmp). Seems like a bit of overkill to use a seperate type for sockets in /tmp/orbit-)
+# userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t)
+files_tmp_file(evolution_exchange_orbit_tmp_t)
+ubac_constrained(evolution_exchange_orbit_tmp_t)

type evolution_home_t;
typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
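Review bot: The new comment above `files_tmp_file(evolution_exchange_orbit_tmp_t)` is hard to read and leaves a commented-out macro call in the policy. I would replace both comment lines with `# Not userdom_user_tmp_content: a second tmp type for evolution_exchange_t conflicts with evolution_exchange_tmp_t (probably files_poly_member_tmp).`. It would also help to state that this type is therefore outside the user tmp content set, so any access a user domain needs to it must be granted explicitly.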
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index c9b90d3..89c2390 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -19,7 +19,6 @@ interface(`gift_role',`
gen_require(`
type gift_t, gift_exec_t;
type giftd_t, giftd_exec_t;
- type gift_home_t;
')

role $1 types { gift_t giftd_t };
@@ -28,14 +27,6 @@ interface(`gift_role',`
domtrans_pattern($2, gift_exec_t, gift_t)
domtrans_pattern($2, giftd_exec_t, giftd_t)

- # user managed content
- manage_dirs_pattern($2, gift_home_t, gift_home_t)
- manage_files_pattern($2, gift_home_t, gift_home_t)
- manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
- relabel_dirs_pattern($2, gift_home_t, gift_home_t)
- relabel_files_pattern($2, gift_home_t, gift_home_t)
- relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
-
# Allow the user domain to signal/ps.
ps_process_pattern($2, { gift_t giftd_t })
allow $2 { gift_t giftd_t }:process signal_perms;
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 9601de0..3790011 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -18,7 +18,6 @@
interface(`gnome_role',`
gen_require(`
type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
')

role $1 types gconfd_t;
@@ -31,7 +30,6 @@ interface(`gnome_role',`
ps_process_pattern($2, gconfd_t)

#gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
allow $2 gconfd_t:unix_stream_socket connectto;
')

diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 793cde7..8db8526 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -19,9 +19,7 @@ interface(`gpg_role',`
gen_require(`
type gpg_t, gpg_exec_t;
type gpg_agent_t, gpg_agent_exec_t;
- type gpg_agent_tmp_t;
type gpg_helper_t, gpg_pinentry_t;
- type gpg_pinentry_tmp_t;
')

role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
@@ -43,17 +41,9 @@ interface(`gpg_role',`
# Allow the user shell to signal the gpg-agent program.
allow $2 gpg_agent_t:process { signal sigkill };

- manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
- manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
- manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
- files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
-
# Transition from the user domain to the agent domain.
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)

- manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
- relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
-
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
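Review bot: The removed `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` is a rule for the agent domain, not for the calling user domain `$2`, so it is not part of the user-content access the rest of this hunk drops. gpg.te is not touched by this patch, so it cannot be confirmed from here that the same transition exists there. If it does not, files and sockets the agent creates in /tmp would no longer be labelled gpg_agent_tmp_t. Confirm that gpg.te has the filetrans, or move the line there in this commit. The body of gpg_role continues outside the hunk.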
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 344a5b3..836b886 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -17,7 +17,7 @@
#
interface(`mozilla_role',`
gen_require(`
- type mozilla_t, mozilla_exec_t, mozilla_home_t;
+ type mozilla_t, mozilla_exec_t;
')

role $1 types mozilla_t;
@@ -38,15 +38,9 @@ interface(`mozilla_role',`
allow $2 mozilla_t:shm { unix_read unix_write };
allow $2 mozilla_t:unix_stream_socket connectto;

- # X access, Home files
- manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
- manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
- manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
- relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
- relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
- relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
-
- mozilla_dbus_chat($2)
+ optional_policy(`
+ mozilla_dbus_chat($2)
+ ')

optional_policy(`
pulseaudio_role($1, mozilla_t)
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index c7ad0f5..6afbd09 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -19,7 +19,6 @@ interface(`mplayer_role',`
gen_require(`
type mencoder_t, mencoder_exec_t;
type mplayer_t, mplayer_exec_t;
- type mplayer_home_t;
')

role $1 types { mencoder_t mplayer_t };
@@ -31,14 +30,6 @@ interface(`mplayer_role',`
ps_process_pattern($2, mencoder_t)
allow $2 mencoder_t:process signal_perms;

- # Home access
- manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
- manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
- manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
- relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
- relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
- relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
-
# domain transition
domtrans_pattern($2, mplayer_exec_t, mplayer_t)

diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 9ebb373..0f70007 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -17,7 +17,7 @@
#
interface(`pulseaudio_role',`
gen_require(`
- type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+ type pulseaudio_t, pulseaudio_exec_t;
class dbus { acquire_svc send_msg };
')

diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index c2cc18d..e93e39b 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -18,7 +18,6 @@
interface(`thunderbird_role',`
gen_require(`
type thunderbird_t, thunderbird_exec_t;
- type thunderbird_home_t, thunderbird_tmpfs_t;
')

role $1 types thunderbird_t;
@@ -34,14 +33,6 @@ interface(`thunderbird_role',`
# allow ps to show thunderbird and allow the user to kill it
ps_process_pattern($2, thunderbird_t)
allow $2 thunderbird_t:process signal;
-
- # Access ~/.thunderbird
- manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
- manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
- manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
- relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
- relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
- relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
')

########################################
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 8d89f21..c5adfa3 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -18,7 +18,6 @@
interface(`tvtime_role',`
gen_require(`
type tvtime_t, tvtime_exec_t;
- type tvtime_home_t, tvtime_tmpfs_t;
')

role $1 types tvtime_t;
@@ -26,14 +25,6 @@ interface(`tvtime_role',`
# Type transition
domtrans_pattern($2, tvtime_exec_t, tvtime_t)

- # X access, Home files
- manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
- manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
- manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
- relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
- relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
- relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
-
# Allow the user domain to signal/ps.
ps_process_pattern($2, tvtime_t)
allow $2 tvtime_t:process signal_perms;
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index d2ab7cb..f91f075 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -18,8 +18,7 @@
interface(`uml_role',`
gen_require(`
type uml_t, uml_exec_t;
- type uml_ro_t, uml_rw_t, uml_tmp_t;
- type uml_devpts_t, uml_tmpfs_t;
+ type uml_ro_t, uml_rw_t, uml_devpts_t;
')

role $1 types uml_t;
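Review bot: The rewritten gen_require still lists `uml_ro_t` and `uml_rw_t`, but every visible rule that used them is deleted in the next hunk. The lines of uml_role between the two hunks are not shown, so this needs checking. If nothing there references those types, reduce the requirement to the types actually used, so the interface does not pull in types it no longer needs. Stale gen_require entries also make it harder to audit which types an interface really grants access to.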
@@ -34,31 +33,6 @@ interface(`uml_role',`
# allow ps, ptrace, signal
ps_process_pattern($2, uml_t)
allow $2 uml_t:process { ptrace signal_perms };
-
- allow $2 uml_ro_t:dir list_dir_perms;
- read_files_pattern($2, uml_ro_t, uml_ro_t)
- read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)
-
- manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
-
- manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
-
- manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
')

########################################
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
index a7c27a5..c7a970c 100644
--- a/policy/modules/apps/wireshark.if
+++ b/policy/modules/apps/wireshark.if
@@ -18,8 +18,6 @@
interface(`wireshark_role',`
gen_require(`
type wireshark_t, wireshark_exec_t;
- type wireshark_home_t, wireshark_tmp_t;
- type wireshark_tmpfs_t;
')

role $1 types wireshark_t;
@@ -27,13 +25,6 @@ interface(`wireshark_role',`
domain_auto_trans($2, wireshark_exec_t, wireshark_t)
allow wireshark_t $2:fd use;
allow wireshark_t $2:process sigchld;
-
- manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
- manage_files_pattern($2, wireshark_home_t, wireshark_home_t)
- manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_files_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
')

########################################
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 30754e4..f009614 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -91,11 +91,6 @@ optional_policy(`
')

optional_policy(`
- oident_manage_user_content(staff_t)
- oident_relabel_user_content(staff_t)
-')
-
-optional_policy(`
postgresql_role(staff_r, staff_t)
')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 794e06f..e40cab1 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -284,11 +284,6 @@ optional_policy(`
')

optional_policy(`
- oident_manage_user_content(sysadm_t)
- oident_relabel_user_content(sysadm_t)
-')
-
-optional_policy(`
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index d5d5042..4ed9204 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -85,11 +85,6 @@ optional_policy(`
')

optional_policy(`
- oident_manage_user_content(user_t)
- oident_relabel_user_content(user_t)
-')
-
-optional_policy(`
postgresql_role(user_r, user_t)
')

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 57feb5a..f0fdcf1 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -211,38 +211,11 @@ template(`apache_content_template',`
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
')

role $1 types httpd_user_script_t;

- allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
-
- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
-
- manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-
- manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-
- manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
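Review bot: After this hunk, apache_role grants the user domain no access to httpd_user_content_t, httpd_user_htaccess_t, the ra/rw content types or httpd_user_script_exec_t. That is only correct if each of those types is registered as user home content elsewhere, and apache.te is not touched by this patch. Because these types include .htaccess files and scripts that run in httpd_user_script_t, the source of the access should be easy to audit. I would add a comment in the interface, such as `# Manage/relabel access to the httpd_user_* content types comes from their user home content declaration in apache.te.`, and confirm on a built policy that it holds for every type dropped here. The interface continues past the end of the hunk.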
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 3745b62..1a96e6e 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -18,7 +18,6 @@
interface(`pyzor_role',`
gen_require(`
type pyzor_t, pyzor_exec_t;
- type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
')

role $1 types pyzor_t;
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index cd683f9..2b30c50 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -24,8 +24,7 @@ userdom_user_home_content(pyzor_home_t)
type pyzor_tmp_t;
typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-files_tmp_file(pyzor_tmp_t)
-ubac_constrained(pyzor_tmp_t)
+userdom_user_tmp_content(pyzor_t, pyzor_tmp_t)

type pyzor_var_lib_t;
typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index f4a355f..b980564 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -120,7 +120,7 @@ template(`razor_common_domain_template',`
#
interface(`razor_role',`
gen_require(`
- type razor_t, razor_exec_t, razor_home_t;
+ type razor_t, razor_exec_t;
')

role $1 types razor_t;
@@ -131,13 +131,6 @@ interface(`razor_role',`
# allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
allow $2 razor_t:process signal;
-
- manage_dirs_pattern($2, razor_home_t, razor_home_t)
- manage_files_pattern($2, razor_home_t, razor_home_t)
- manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
- relabel_dirs_pattern($2, razor_home_t, razor_home_t)
- relabel_files_pattern($2, razor_home_t, razor_home_t)
- relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')

########################################
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index e4ecbbd..43a5de5 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -19,12 +19,6 @@ userdom_user_home_content(razor_home_t)
type razor_log_t;
logging_log_file(razor_log_t)

-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-files_tmp_file(razor_tmp_t)
-ubac_constrained(razor_tmp_t)
-
type razor_var_lib_t;
files_type(razor_var_lib_t)

@@ -34,6 +28,11 @@ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
typealias razor_t alias { auditadm_razor_t secadm_razor_t };
ubac_constrained(razor_t)

+type razor_tmp_t;
+typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+userdom_user_tmp_content(razor_t, razor_tmp_t)
+
razor_common_domain_template(system_razor)
role system_r types system_razor_t;

diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 3945628..6717e75 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -17,9 +17,8 @@
#
interface(`spamassassin_role',`
gen_require(`
- type spamc_t, spamc_exec_t, spamc_tmp_t;
+ type spamc_t, spamc_exec_t;
type spamassassin_t, spamassassin_exec_t;
- type spamassassin_home_t, spamassassin_tmp_t;
')

role $1 types { spamc_t spamassassin_t };
@@ -29,13 +28,6 @@ interface(`spamassassin_role',`

domtrans_pattern($2, spamc_exec_t, spamc_t)
ps_process_pattern($2, spamc_t)
-
- manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
- manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
- manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
- relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
- relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
- relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
')

########################################
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index b6a8919..6847a9b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -34,8 +34,7 @@ userdom_user_home_content(spamassassin_home_t)
type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-files_tmp_file(spamassassin_tmp_t)
-ubac_constrained(spamassassin_tmp_t)
+userdom_user_tmp_content(spamassassin_t, spamassassin_tmp_t)

type spamc_t;
type spamc_exec_t;
@@ -47,8 +46,7 @@ ubac_constrained(spamc_t)
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-files_tmp_file(spamc_tmp_t)
-ubac_constrained(spamc_tmp_t)
+userdom_user_tmp_content(spamc_t, spamc_tmp_t)

type spamd_t;
type spamd_exec_t;
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 567592d..ccc6bb2 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -45,10 +45,11 @@ template(`ssh_basic_client_template',`

type $1_ssh_t;
application_domain($1_ssh_t, ssh_exec_t)
+ ubac_constrained($1_ssh_t)
role $3 types $1_ssh_t;

type $1_ssh_home_t;
- files_type($1_ssh_home_t)
+ userdom_user_home_content($1_ssh_home_t)
typealias $1_ssh_home_t alias $1_home_ssh_t;

##############################
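Review bot: `userdom_user_home_content($1_ssh_home_t)` moves the ~/.ssh type from an explicitly granted type into the generic user-content set, which changes who can reach key material. The rules removed in the next hunk, and the matching ones in ssh_role_template, gave the user domain manage access to files, symlinks and sock_files only. Going by the commit description, the attribute route also allows relabeling, and it applies to every domain that is allowed to manage user home content, not just `$2`. Which domains those are is defined outside this patch, so please confirm the set is acceptable for private keys and authorized_keys. A comment next to the declaration would record that this exposure is intended.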
@@ -92,11 +93,6 @@ template(`ssh_basic_client_template',`
# allow ps to show ssh
ps_process_pattern($2, $1_ssh_t)

- # user can manage the keys and config
- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-
# ssh client can manage the keys and config
manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
@@ -294,10 +290,8 @@ template(`ssh_server_template', `
template(`ssh_role_template',`
gen_require(`
attribute ssh_server, ssh_agent_type;
-
- type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
- type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
- type ssh_agent_tmp_t;
+ type ssh_t, ssh_exec_t, ssh_agent_tmp_t;
+ type ssh_agent_exec_t, ssh_keysign_t;
')

##############################
@@ -333,10 +327,6 @@ template(`ssh_role_template',`
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;

- # user can manage the keys and config
- manage_files_pattern($3, ssh_home_t, ssh_home_t)
- manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
- manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)

##############################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5d3b416..9559ee1 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -57,8 +57,7 @@ corecmd_executable_file(ssh_agent_exec_t)
type ssh_agent_tmp_t;
typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
-files_tmp_file(ssh_agent_tmp_t)
-ubac_constrained(ssh_agent_tmp_t)
+userdom_user_tmp_content(ssh_agent_type, ssh_agent_tmp_t)

type ssh_keysign_t;
type ssh_keysign_exec_t;
@@ -70,8 +69,7 @@ ubac_constrained(ssh_keysign_t)
type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
-files_tmpfs_file(ssh_tmpfs_t)
-ubac_constrained(ssh_tmpfs_t)
+userdom_user_tmpfs_content(ssh_tmpfs_t)

type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 8633a6a..8b70b1b 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -35,15 +35,6 @@ interface(`xserver_restricted_role',`

allow xserver_t $2:shm rw_shm_perms;

- allow $2 user_fonts_t:dir list_dir_perms;
- allow $2 user_fonts_t:file read_file_perms;
-
- allow $2 user_fonts_config_t:dir list_dir_perms;
- allow $2 user_fonts_config_t:file read_file_perms;
-
- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
files_search_tmp($2)

@@ -66,8 +57,6 @@ interface(`xserver_restricted_role',`
ps_process_pattern($2, xauth_t)
allow $2 xserver_t:process signal;

- allow $2 xauth_home_t:file read_file_perms;
-
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -77,10 +66,6 @@ interface(`xserver_restricted_role',`

# Client read xserver shm
allow $2 xserver_t:fd use;
- allow $2 xserver_tmpfs_t:file read_file_perms;
-
- # Read /tmp/.X0-lock
- allow $2 xserver_tmp_t:file { getattr read };

dev_rw_xserver_misc($2)
dev_rw_power_management($2)
@@ -110,7 +95,6 @@ interface(`xserver_restricted_role',`
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
')
')

@@ -132,37 +116,13 @@ interface(`xserver_restricted_role',`
#
interface(`xserver_role',`
gen_require(`
- type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ type xserver_t;
')

xserver_restricted_role($1, $2)

# Communicate via System V shared memory.
allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
-
- allow $2 iceauth_home_t:file manage_file_perms;
- allow $2 iceauth_home_t:file { relabelfrom relabelto };
-
- allow $2 xauth_home_t:file manage_file_perms;
- allow $2 xauth_home_t:file { relabelfrom relabelto };
-
- manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
- manage_files_pattern($2, user_fonts_t, user_fonts_t)
- relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
- relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-
- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-
- manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
- manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
')

#######################################
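Review bot: With these removals, xserver_role differs from xserver_restricted_role only by the unconditional `allow $2 xserver_t:shm rw_shm_perms;`. Before, the restricted role got read-only access to xauth_home_t and the user font types, while the full role got manage and relabel. If access now comes from the user-content declarations, both roles presumably get the same file access, depending on what the calling domain is granted in userdom, which is not visible here. The interface documentation above both interfaces (outside the hunk) should be updated to state what "restricted" still means. Confirm that restricted callers do not gain manage/relabel on xauth_home_t as a side effect.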
@@ -196,13 +156,9 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xserver_t:process signal;

- # Read /tmp/.X0-lock
- allow $1 xserver_tmp_t:file { getattr read };
-
# Client read xserver shm
allow $1 xserver_t:fd use;
allow $1 xserver_t:shm r_shm_perms;
- allow $1 xserver_tmpfs_t:file read_file_perms;
')

#######################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index d2b2626..5dfdcb7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -148,8 +148,7 @@ userdom_user_home_content(xauth_home_t)
type xauth_tmp_t;
typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
-files_tmp_file(xauth_tmp_t)
-ubac_constrained(xauth_tmp_t)
+userdom_user_tmp_content(xauth_t, xauth_tmp_t)

# this is not actually a device, its a pipe
type xconsole_device_t;
@@ -199,14 +198,12 @@ ubac_constrained(xserver_t)
type xserver_tmp_t;
typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
+userdom_user_tmp_content(xserver_t, xserver_tmp_t)

type xserver_tmpfs_t;
typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
-files_tmpfs_file(xserver_tmpfs_t)
-ubac_constrained(xserver_tmpfs_t)
+userdom_user_tmpfs_content(xserver_tmpfs_t)

type xsession_exec_t;
corecmd_executable_file(xsession_exec_t)
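Review bot: Declaring `xserver_tmpfs_t` with `userdom_user_tmpfs_content` appears to bypass the allow_write_xshm tunable for the X server's shm files. In xserver.if this patch removes the read-only `allow $2 xserver_tmpfs_t:file read_file_perms;` and the `rw_file_perms` rule that sat inside `tunable_policy(`allow_write_xshm', ...)`. If user domains manage/relabel user tmpfs content, as the commit description says, write access no longer depends on the tunable. The typealias lines here also map xdm_xserver_tmpfs_t and xdm_xserver_tmp_t onto these types, so the display manager's X server files would be covered too. Unless that widening is intended, keep `files_tmpfs_file(xserver_tmpfs_t)` and `ubac_constrained(xserver_tmpfs_t)` for this type and leave the explicit rules in xserver.if. The same applies to xserver_tmp_t, which was previously limited to `{ getattr read }`.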
--
1.7.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/a081714f/attachment-0001.bin