Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 f294491... b1aeb7c... M policy/modules/apps/evolution.te
:100644 100644 ac4f509... cea5c8c... M policy/modules/apps/games.te
:100644 100644 4bebd9d... de7eac9... M policy/modules/apps/gnome.te
:100644 100644 4525c37... c6f1fe2... M policy/modules/apps/gpg.te
:100644 100644 66beb80... 29c9f53... M policy/modules/apps/irc.te
:100644 100644 726e853... 143a522... M policy/modules/apps/java.te
:100644 100644 ebcd681... 3fb62e4... M policy/modules/apps/mozilla.te
:100644 100644 690589e... 892057b... M policy/modules/apps/podsleuth.te
:100644 100644 320df26... 55e29cb... M policy/modules/apps/screen.if
:100644 100644 8c65cc6... a92649b... M policy/modules/apps/screen.te
:100644 100644 d736572... 10d6692... M policy/modules/apps/tvtime.te
:100644 100644 2df1343... 62960c0... M policy/modules/apps/uml.te
:100644 100644 1f803bb... 5bc77b4... M policy/modules/apps/vmware.te
:100644 100644 8af45db... 2835bec... M policy/modules/apps/wine.te
:100644 100644 31bbf17... ca29f80... M policy/modules/apps/wireshark.te
:100644 100644 215b86b... 1d6ddf2... M policy/modules/services/bluetooth.te
:100644 100644 44caccc... 80c88c1... M policy/modules/services/cron.if
:100644 100644 d76131b... 054d8b3... M policy/modules/services/dbus.if
:100644 100644 b738e94... 319e41e... M policy/modules/services/dbus.te
:100644 100644 93c14ca... a2c91f2... M policy/modules/services/lpd.te
:100644 100644 c57356a... 9d3ef86... M policy/modules/services/mta.if
:100644 100644 64268e4... b1111b2... M policy/modules/services/mta.te
:100644 100644 cd683f9... 2b30c50... M policy/modules/services/pyzor.te
:100644 100644 e4ecbbd... ab30865... M policy/modules/services/razor.te
:100644 100644 b6a8919... 6847a9b... M policy/modules/services/spamassassin.te
:100644 100644 567592d... ef3f32d... M policy/modules/services/ssh.if
:100644 100644 2dad3c8... 512834a... M policy/modules/services/ssh.te
:100644 100644 d2b2626... f51b828... M policy/modules/services/xserver.te
:100644 100644 a3135e6... 7d83ec3... M policy/modules/system/userdomain.if
:100644 100644 69b2e0f... 5dcefd4... M policy/modules/system/userdomain.te
policy/modules/apps/evolution.te | 13 +++++--------
policy/modules/apps/games.te | 3 +--
policy/modules/apps/gnome.te | 3 +--
policy/modules/apps/gpg.te | 6 ++----
policy/modules/apps/irc.te | 2 +-
policy/modules/apps/java.te | 3 +--
policy/modules/apps/mozilla.te | 3 +--
policy/modules/apps/podsleuth.te | 3 +--
policy/modules/apps/screen.if | 2 ++
policy/modules/apps/screen.te | 2 --
policy/modules/apps/tvtime.te | 3 +--
policy/modules/apps/uml.te | 3 +--
policy/modules/apps/vmware.te | 7 +++----
policy/modules/apps/wine.te | 3 +--
policy/modules/apps/wireshark.te | 3 +--
policy/modules/services/bluetooth.te | 3 +--
policy/modules/services/cron.if | 2 +-
policy/modules/services/dbus.if | 2 ++
policy/modules/services/dbus.te | 2 --
policy/modules/services/lpd.te | 3 +--
policy/modules/services/mta.if | 3 ++-
policy/modules/services/mta.te | 2 --
policy/modules/services/pyzor.te | 3 +--
policy/modules/services/razor.te | 3 +--
policy/modules/services/spamassassin.te | 6 ++----
policy/modules/services/ssh.if | 2 ++
policy/modules/services/ssh.te | 2 --
policy/modules/services/xserver.te | 6 ++----
policy/modules/system/userdomain.if | 24 ++++++++++++++++++++++++
policy/modules/system/userdomain.te | 1 +
30 files changed, 62 insertions(+), 61 deletions(-)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index f294491..b1aeb7c 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t)
type evolution_alarm_orbit_tmp_t;
typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
-files_tmp_file(evolution_alarm_orbit_tmp_t)
-ubac_constrained(evolution_alarm_orbit_tmp_t)
+userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t)
type evolution_exchange_t;
type evolution_exchange_exec_t;
@@ -47,9 +46,9 @@ ubac_constrained(evolution_exchange_tmpfs_t)
type evolution_exchange_tmp_t;
typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
-files_tmp_file(evolution_exchange_tmp_t)
-ubac_constrained(evolution_exchange_tmp_t)
+userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)
+# Cannot have two types of the same domain be a files_poly_member_tmp()
type evolution_exchange_orbit_tmp_t;
typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
@@ -64,8 +63,7 @@ userdom_user_home_content(evolution_home_t)
type evolution_orbit_tmp_t;
typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
-files_tmp_file(evolution_orbit_tmp_t)
-ubac_constrained(evolution_orbit_tmp_t)
+userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t)
type evolution_server_t;
type evolution_server_exec_t;
@@ -77,8 +75,7 @@ ubac_constrained(evolution_server_t)
type evolution_server_orbit_tmp_t;
typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
-files_tmp_file(evolution_server_orbit_tmp_t)
-ubac_constrained(evolution_server_orbit_tmp_t)
+userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
type evolution_tmpfs_t;
typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index ac4f509..cea5c8c 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t)
type games_tmp_t;
typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
-files_tmp_file(games_tmp_t)
-ubac_constrained(games_tmp_t)
+userdom_user_tmp_content(games_t, games_tmp_t)
type games_tmpfs_t;
typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 4bebd9d..de7eac9 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t)
type gconf_tmp_t;
typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
-files_tmp_file(gconf_tmp_t)
-ubac_constrained(gconf_tmp_t)
+userdom_user_tmp_content(gconfd_t, gconf_tmp_t)
type gconfd_t, gnomedomain;
type gconfd_exec_t;
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 4525c37..c6f1fe2 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t)
type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
-files_tmp_file(gpg_agent_tmp_t)
-ubac_constrained(gpg_agent_tmp_t)
+userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t)
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
@@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
type gpg_pinentry_tmp_t;
-files_tmp_file(gpg_pinentry_tmp_t)
-ubac_constrained(gpg_pinentry_tmp_t)
+userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..29c9f53 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+userdom_user_tmp_content(irc_t, irc_tmp_t)
########################################
#
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 726e853..143a522 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -21,10 +21,9 @@ typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
role system_r types java_t;
type java_tmp_t;
-files_tmp_file(java_tmp_t)
-ubac_constrained(java_tmp_t)
typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+userdom_user_tmp_content(java_t, java_tmp_t)
type java_tmpfs_t;
ubac_constrained(java_tmpfs_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index ebcd681..3fb62e4 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -30,8 +30,7 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_tmpfs_t;
typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
-files_tmpfs_file(mozilla_tmpfs_t)
-ubac_constrained(mozilla_tmpfs_t)
+userdom_user_tmp_content(mozilla_t, mozilla_tmpfs_t)
########################################
#
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 690589e..892057b 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -15,8 +15,7 @@ files_type(podsleuth_cache_t)
ubac_constrained(podsleuth_cache_t)
type podsleuth_tmp_t;
-files_tmp_file(podsleuth_tmp_t)
-ubac_constrained(podsleuth_tmp_t)
+userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
type podsleuth_tmpfs_t;
files_tmpfs_file(podsleuth_tmpfs_t)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 320df26..55e29cb 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -38,6 +38,8 @@ template(`screen_role_template',`
ubac_constrained($1_screen_t)
role $2 types $1_screen_t;
+ userdom_user_tmp_content($1_screen_t, screen_tmp_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 8c65cc6..a92649b 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -16,8 +16,6 @@ userdom_user_home_content(screen_home_t)
type screen_tmp_t;
typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
-files_tmp_file(screen_tmp_t)
-ubac_constrained(screen_tmp_t)
type screen_var_run_t;
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index d736572..10d6692 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t)
type tvtime_tmp_t;
typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
-files_tmp_file(tvtime_tmp_t)
-ubac_constrained(tvtime_tmp_t)
+userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
type tvtime_tmpfs_t;
typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 2df1343..62960c0 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t)
type uml_tmp_t;
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
-files_tmp_file(uml_tmp_t)
-ubac_constrained(uml_tmp_t)
+userdom_user_tmp_content(uml_t, uml_tmp_t)
type uml_tmpfs_t;
typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 1f803bb..5bc77b4 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -31,15 +31,15 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
type vmware_host_pid_t alias vmware_var_run_t;
files_pid_file(vmware_host_pid_t)
+# If vmware_host_t is a system service then why does this have to be ubac constrained?
type vmware_host_tmp_t;
files_tmp_file(vmware_host_tmp_t)
-ubac_constrained(vmware_host_tmp_t)
+# If vmware_host_t is a system service then why does this have to be ubac constrained?
type vmware_log_t;
typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
logging_log_file(vmware_log_t)
-ubac_constrained(vmware_log_t)
type vmware_pid_t;
typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
@@ -54,8 +54,7 @@ files_type(vmware_sys_conf_t)
type vmware_tmp_t;
typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
-files_tmp_file(vmware_tmp_t)
-ubac_constrained(vmware_tmp_t)
+userdom_user_tmp_content(vmware_t, vmware_tmp_t)
type vmware_tmpfs_t;
typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..2835bec 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -12,8 +12,7 @@ ubac_constrained(wine_t)
role system_r types wine_t;
type wine_tmp_t;
-files_tmp_file(wine_tmp_t)
-ubac_constrained(wine_tmp_t)
+userdom_user_tmp_content(wine_t, wine_tmp_t)
########################################
#
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 31bbf17..ca29f80 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t)
type wireshark_tmp_t;
typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
-files_tmp_file(wireshark_tmp_t)
-ubac_constrained(wireshark_tmp_t)
+userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
type wireshark_tmpfs_t;
typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 215b86b..1d6ddf2 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -24,8 +24,7 @@ ubac_constrained(bluetooth_helper_t)
type bluetooth_helper_tmp_t;
typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
-files_tmp_file(bluetooth_helper_tmp_t)
-ubac_constrained(bluetooth_helper_tmp_t)
+userdom_user_tmp_content(bluetooth_helper_t, bluetooth_helper_tmp_t)
type bluetooth_helper_tmpfs_t;
typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 44caccc..80c88c1 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -22,7 +22,7 @@ template(`cron_common_crontab_template',`
ubac_constrained($1_t)
type $1_tmp_t;
- files_tmp_file($1_tmp_t)
+ userdom_user_tmp_content($1_t, $1_tmp_t)
##############################
#
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index d76131b..054d8b3 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -57,6 +57,8 @@ template(`dbus_role_template',`
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
+ userdom_user_tmp_content($1_dbusd_t, session_dbusd_tmp_t)
+
##############################
#
# Local policy
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b738e94..319e41e 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -22,8 +22,6 @@ typealias dbusd_exec_t alias system_dbusd_exec_t;
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
-files_tmp_file(session_dbusd_tmp_t)
-ubac_constrained(session_dbusd_tmp_t)
type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 93c14ca..a2c91f2 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -40,8 +40,7 @@ ubac_constrained(lpr_t)
type lpr_tmp_t;
typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
-files_tmp_file(lpr_tmp_t)
-ubac_constrained(lpr_tmp_t)
+userdom_user_tmp_content(lpr_t, lpr_tmp_t)
# Type for spool files.
type print_spool_t;
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index c57356a..9d3ef86 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -52,9 +52,10 @@ template(`mta_base_mail_template',`
type $1_mail_t, user_mail_domain;
application_domain($1_mail_t, sendmail_exec_t)
+ ubac_constrained($1_mail_t)
type $1_mail_tmp_t;
- files_tmp_file($1_mail_tmp_t)
+ userdom_user_tmp_content($1_mail_t, $1_mail_tmp_t)
##############################
#
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 64268e4..b1111b2 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -40,8 +40,6 @@ typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
-ubac_constrained(user_mail_t)
-ubac_constrained(user_mail_tmp_t)
########################################
#
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index cd683f9..2b30c50 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -24,8 +24,7 @@ userdom_user_home_content(pyzor_home_t)
type pyzor_tmp_t;
typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-files_tmp_file(pyzor_tmp_t)
-ubac_constrained(pyzor_tmp_t)
+userdom_user_tmp_content(pyzor_t, pyzor_tmp_t)
type pyzor_var_lib_t;
typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index e4ecbbd..ab30865 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -22,8 +22,7 @@ logging_log_file(razor_log_t)
type razor_tmp_t;
typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-files_tmp_file(razor_tmp_t)
-ubac_constrained(razor_tmp_t)
+userdom_user_tmp_content(razor_t, razor_tmp_t)
type razor_var_lib_t;
files_type(razor_var_lib_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index b6a8919..6847a9b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -34,8 +34,7 @@ userdom_user_home_content(spamassassin_home_t)
type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-files_tmp_file(spamassassin_tmp_t)
-ubac_constrained(spamassassin_tmp_t)
+userdom_user_tmp_content(spamassassin_t, spamassassin_tmp_t)
type spamc_t;
type spamc_exec_t;
@@ -47,8 +46,7 @@ ubac_constrained(spamc_t)
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-files_tmp_file(spamc_tmp_t)
-ubac_constrained(spamc_tmp_t)
+userdom_user_tmp_content(spamc_t, spamc_tmp_t)
type spamd_t;
type spamd_exec_t;
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 567592d..ef3f32d 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -313,6 +313,8 @@ template(`ssh_role_template',`
ubac_constrained($1_ssh_agent_t)
role $2 types $1_ssh_agent_t;
+ userdom_user_tmp_content($1_ssh_agent_t, ssh_agent_tmp_t)
+
##############################
#
# Local policy
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..512834a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -57,8 +57,6 @@ corecmd_executable_file(ssh_agent_exec_t)
type ssh_agent_tmp_t;
typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
-files_tmp_file(ssh_agent_tmp_t)
-ubac_constrained(ssh_agent_tmp_t)
type ssh_keysign_t;
type ssh_keysign_exec_t;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index d2b2626..f51b828 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -148,8 +148,7 @@ userdom_user_home_content(xauth_home_t)
type xauth_tmp_t;
typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
-files_tmp_file(xauth_tmp_t)
-ubac_constrained(xauth_tmp_t)
+userdom_user_tmp_content(xauth_t, xauth_tmp_t)
# this is not actually a device, its a pipe
type xconsole_device_t;
@@ -199,8 +198,7 @@ ubac_constrained(xserver_t)
type xserver_tmp_t;
typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
+userdom_user_tmp_content(xserver_t, xserver_tmp_t)
type xserver_tmpfs_t;
typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index a3135e6..7d83ec3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1286,6 +1286,30 @@ interface(`userdom_user_home_content',`
########################################
## <summary>
+## Make the specified type usable user
+## temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain using the user temporary
+## content.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Type to be used for user temporary
+## content.
+## </summary>
+## </param>
+#
+interface(`userdom_user_tmp_content',`
+ files_tmp_file($2)
+ files_poly_member_tmp($1, $2)
+ ubac_constrained($2)
+')
+
+########################################
+## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 69b2e0f..5dcefd4 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -87,6 +87,7 @@ ubac_constrained(user_devpts_t)
type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
+# Consider removing this
userdom_user_home_content(user_tmp_t)
type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
--
1.7.1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100709/cbbb6a6e/attachment.bin
On 07/09/10 10:34, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 f294491... b1aeb7c... M policy/modules/apps/evolution.te
> :100644 100644 ac4f509... cea5c8c... M policy/modules/apps/games.te
> :100644 100644 4bebd9d... de7eac9... M policy/modules/apps/gnome.te
> :100644 100644 4525c37... c6f1fe2... M policy/modules/apps/gpg.te
> :100644 100644 66beb80... 29c9f53... M policy/modules/apps/irc.te
> :100644 100644 726e853... 143a522... M policy/modules/apps/java.te
> :100644 100644 ebcd681... 3fb62e4... M policy/modules/apps/mozilla.te
> :100644 100644 690589e... 892057b... M policy/modules/apps/podsleuth.te
> :100644 100644 320df26... 55e29cb... M policy/modules/apps/screen.if
> :100644 100644 8c65cc6... a92649b... M policy/modules/apps/screen.te
> :100644 100644 d736572... 10d6692... M policy/modules/apps/tvtime.te
> :100644 100644 2df1343... 62960c0... M policy/modules/apps/uml.te
> :100644 100644 1f803bb... 5bc77b4... M policy/modules/apps/vmware.te
> :100644 100644 8af45db... 2835bec... M policy/modules/apps/wine.te
> :100644 100644 31bbf17... ca29f80... M policy/modules/apps/wireshark.te
> :100644 100644 215b86b... 1d6ddf2... M policy/modules/services/bluetooth.te
> :100644 100644 44caccc... 80c88c1... M policy/modules/services/cron.if
> :100644 100644 d76131b... 054d8b3... M policy/modules/services/dbus.if
> :100644 100644 b738e94... 319e41e... M policy/modules/services/dbus.te
> :100644 100644 93c14ca... a2c91f2... M policy/modules/services/lpd.te
> :100644 100644 c57356a... 9d3ef86... M policy/modules/services/mta.if
> :100644 100644 64268e4... b1111b2... M policy/modules/services/mta.te
> :100644 100644 cd683f9... 2b30c50... M policy/modules/services/pyzor.te
> :100644 100644 e4ecbbd... ab30865... M policy/modules/services/razor.te
> :100644 100644 b6a8919... 6847a9b... M policy/modules/services/spamassassin.te
> :100644 100644 567592d... ef3f32d... M policy/modules/services/ssh.if
> :100644 100644 2dad3c8... 512834a... M policy/modules/services/ssh.te
> :100644 100644 d2b2626... f51b828... M policy/modules/services/xserver.te
> :100644 100644 a3135e6... 7d83ec3... M policy/modules/system/userdomain.if
> :100644 100644 69b2e0f... 5dcefd4... M policy/modules/system/userdomain.te
> policy/modules/apps/evolution.te | 13 +++++--------
> policy/modules/apps/games.te | 3 +--
> policy/modules/apps/gnome.te | 3 +--
> policy/modules/apps/gpg.te | 6 ++----
> policy/modules/apps/irc.te | 2 +-
> policy/modules/apps/java.te | 3 +--
> policy/modules/apps/mozilla.te | 3 +--
> policy/modules/apps/podsleuth.te | 3 +--
> policy/modules/apps/screen.if | 2 ++
> policy/modules/apps/screen.te | 2 --
> policy/modules/apps/tvtime.te | 3 +--
> policy/modules/apps/uml.te | 3 +--
> policy/modules/apps/vmware.te | 7 +++----
> policy/modules/apps/wine.te | 3 +--
> policy/modules/apps/wireshark.te | 3 +--
> policy/modules/services/bluetooth.te | 3 +--
> policy/modules/services/cron.if | 2 +-
> policy/modules/services/dbus.if | 2 ++
> policy/modules/services/dbus.te | 2 --
> policy/modules/services/lpd.te | 3 +--
> policy/modules/services/mta.if | 3 ++-
> policy/modules/services/mta.te | 2 --
> policy/modules/services/pyzor.te | 3 +--
> policy/modules/services/razor.te | 3 +--
> policy/modules/services/spamassassin.te | 6 ++----
> policy/modules/services/ssh.if | 2 ++
> policy/modules/services/ssh.te | 2 --
> policy/modules/services/xserver.te | 6 ++----
> policy/modules/system/userdomain.if | 24 ++++++++++++++++++++++++
> policy/modules/system/userdomain.te | 1 +
> 30 files changed, 62 insertions(+), 61 deletions(-)
>
> diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
> index f294491..b1aeb7c 100644
> --- a/policy/modules/apps/evolution.te
> +++ b/policy/modules/apps/evolution.te
> @@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t)
> type evolution_alarm_orbit_tmp_t;
> typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
> typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
> -files_tmp_file(evolution_alarm_orbit_tmp_t)
> -ubac_constrained(evolution_alarm_orbit_tmp_t)
> +userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t)
>
> type evolution_exchange_t;
> type evolution_exchange_exec_t;
> @@ -47,9 +46,9 @@ ubac_constrained(evolution_exchange_tmpfs_t)
> type evolution_exchange_tmp_t;
> typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
> typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
> -files_tmp_file(evolution_exchange_tmp_t)
> -ubac_constrained(evolution_exchange_tmp_t)
> +userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)
>
> +# Cannot have two types of the same domain be a files_poly_member_tmp()
> type evolution_exchange_orbit_tmp_t;
> typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
> typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
> @@ -64,8 +63,7 @@ userdom_user_home_content(evolution_home_t)
> type evolution_orbit_tmp_t;
> typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
> typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
> -files_tmp_file(evolution_orbit_tmp_t)
> -ubac_constrained(evolution_orbit_tmp_t)
> +userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t)
>
> type evolution_server_t;
> type evolution_server_exec_t;
> @@ -77,8 +75,7 @@ ubac_constrained(evolution_server_t)
> type evolution_server_orbit_tmp_t;
> typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
> typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
> -files_tmp_file(evolution_server_orbit_tmp_t)
> -ubac_constrained(evolution_server_orbit_tmp_t)
> +userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
>
> type evolution_tmpfs_t;
> typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
> diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
> index ac4f509..cea5c8c 100644
> --- a/policy/modules/apps/games.te
> +++ b/policy/modules/apps/games.te
> @@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t)
> type games_tmp_t;
> typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
> typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
> -files_tmp_file(games_tmp_t)
> -ubac_constrained(games_tmp_t)
> +userdom_user_tmp_content(games_t, games_tmp_t)
>
> type games_tmpfs_t;
> typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
> diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
> index 4bebd9d..de7eac9 100644
> --- a/policy/modules/apps/gnome.te
> +++ b/policy/modules/apps/gnome.te
> @@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t)
> type gconf_tmp_t;
> typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
> typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
> -files_tmp_file(gconf_tmp_t)
> -ubac_constrained(gconf_tmp_t)
> +userdom_user_tmp_content(gconfd_t, gconf_tmp_t)
>
> type gconfd_t, gnomedomain;
> type gconfd_exec_t;
> diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
> index 4525c37..c6f1fe2 100644
> --- a/policy/modules/apps/gpg.te
> +++ b/policy/modules/apps/gpg.te
> @@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t)
> type gpg_agent_tmp_t;
> typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
> typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
> -files_tmp_file(gpg_agent_tmp_t)
> -ubac_constrained(gpg_agent_tmp_t)
> +userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t)
>
> type gpg_secret_t;
> typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
> @@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t)
> ubac_constrained(gpg_pinentry_t)
>
> type gpg_pinentry_tmp_t;
> -files_tmp_file(gpg_pinentry_tmp_t)
> -ubac_constrained(gpg_pinentry_tmp_t)
> +userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
>
> type gpg_pinentry_tmpfs_t;
> files_tmpfs_file(gpg_pinentry_tmpfs_t)
> diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
> index 66beb80..29c9f53 100644
> --- a/policy/modules/apps/irc.te
> +++ b/policy/modules/apps/irc.te
> @@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t)
> type irc_tmp_t;
> typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
> typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
> -userdom_user_home_content(irc_tmp_t)
> +userdom_user_tmp_content(irc_t, irc_tmp_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
> index 726e853..143a522 100644
> --- a/policy/modules/apps/java.te
> +++ b/policy/modules/apps/java.te
> @@ -21,10 +21,9 @@ typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
> role system_r types java_t;
>
> type java_tmp_t;
> -files_tmp_file(java_tmp_t)
> -ubac_constrained(java_tmp_t)
> typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
> typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
> +userdom_user_tmp_content(java_t, java_tmp_t)
>
> type java_tmpfs_t;
> ubac_constrained(java_tmpfs_t)
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index ebcd681..3fb62e4 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -30,8 +30,7 @@ userdom_user_home_content(mozilla_home_t)
> type mozilla_tmpfs_t;
> typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
> typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
> -files_tmpfs_file(mozilla_tmpfs_t)
> -ubac_constrained(mozilla_tmpfs_t)
> +userdom_user_tmp_content(mozilla_t, mozilla_tmpfs_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
> index 690589e..892057b 100644
> --- a/policy/modules/apps/podsleuth.te
> +++ b/policy/modules/apps/podsleuth.te
> @@ -15,8 +15,7 @@ files_type(podsleuth_cache_t)
> ubac_constrained(podsleuth_cache_t)
>
> type podsleuth_tmp_t;
> -files_tmp_file(podsleuth_tmp_t)
> -ubac_constrained(podsleuth_tmp_t)
> +userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
>
> type podsleuth_tmpfs_t;
> files_tmpfs_file(podsleuth_tmpfs_t)
> diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
> index 320df26..55e29cb 100644
> --- a/policy/modules/apps/screen.if
> +++ b/policy/modules/apps/screen.if
> @@ -38,6 +38,8 @@ template(`screen_role_template',`
> ubac_constrained($1_screen_t)
> role $2 types $1_screen_t;
>
> + userdom_user_tmp_content($1_screen_t, screen_tmp_t)
> +
> ########################################
> #
> # Local policy
> diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
> index 8c65cc6..a92649b 100644
> --- a/policy/modules/apps/screen.te
> +++ b/policy/modules/apps/screen.te
> @@ -16,8 +16,6 @@ userdom_user_home_content(screen_home_t)
> type screen_tmp_t;
> typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
> typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
> -files_tmp_file(screen_tmp_t)
> -ubac_constrained(screen_tmp_t)
>
> type screen_var_run_t;
> typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
> diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
> index d736572..10d6692 100644
> --- a/policy/modules/apps/tvtime.te
> +++ b/policy/modules/apps/tvtime.te
> @@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t)
> type tvtime_tmp_t;
> typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
> typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
> -files_tmp_file(tvtime_tmp_t)
> -ubac_constrained(tvtime_tmp_t)
> +userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
>
> type tvtime_tmpfs_t;
> typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
> diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
> index 2df1343..62960c0 100644
> --- a/policy/modules/apps/uml.te
> +++ b/policy/modules/apps/uml.te
> @@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t)
> type uml_tmp_t;
> typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
> typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
> -files_tmp_file(uml_tmp_t)
> -ubac_constrained(uml_tmp_t)
> +userdom_user_tmp_content(uml_t, uml_tmp_t)
>
> type uml_tmpfs_t;
> typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
> diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
> index 1f803bb..5bc77b4 100644
> --- a/policy/modules/apps/vmware.te
> +++ b/policy/modules/apps/vmware.te
> @@ -31,15 +31,15 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
> type vmware_host_pid_t alias vmware_var_run_t;
> files_pid_file(vmware_host_pid_t)
>
> +# If vmware_host_t is a system service then why does this have to be ubac constrained?
> type vmware_host_tmp_t;
> files_tmp_file(vmware_host_tmp_t)
> -ubac_constrained(vmware_host_tmp_t)
>
> +# If vmware_host_t is a system service then why does this have to be ubac constrained?
> type vmware_log_t;
> typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
> typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
> logging_log_file(vmware_log_t)
> -ubac_constrained(vmware_log_t)
>
> type vmware_pid_t;
> typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
> @@ -54,8 +54,7 @@ files_type(vmware_sys_conf_t)
> type vmware_tmp_t;
> typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
> typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
> -files_tmp_file(vmware_tmp_t)
> -ubac_constrained(vmware_tmp_t)
> +userdom_user_tmp_content(vmware_t, vmware_tmp_t)
>
> type vmware_tmpfs_t;
> typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
> diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
> index 8af45db..2835bec 100644
> --- a/policy/modules/apps/wine.te
> +++ b/policy/modules/apps/wine.te
> @@ -12,8 +12,7 @@ ubac_constrained(wine_t)
> role system_r types wine_t;
>
> type wine_tmp_t;
> -files_tmp_file(wine_tmp_t)
> -ubac_constrained(wine_tmp_t)
> +userdom_user_tmp_content(wine_t, wine_tmp_t)
>
> ########################################
> #
> diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
> index 31bbf17..ca29f80 100644
> --- a/policy/modules/apps/wireshark.te
> +++ b/policy/modules/apps/wireshark.te
> @@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t)
> type wireshark_tmp_t;
> typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
> typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
> -files_tmp_file(wireshark_tmp_t)
> -ubac_constrained(wireshark_tmp_t)
> +userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
>
> type wireshark_tmpfs_t;
> typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
> index 215b86b..1d6ddf2 100644
> --- a/policy/modules/services/bluetooth.te
> +++ b/policy/modules/services/bluetooth.te
> @@ -24,8 +24,7 @@ ubac_constrained(bluetooth_helper_t)
> type bluetooth_helper_tmp_t;
> typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
> typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
> -files_tmp_file(bluetooth_helper_tmp_t)
> -ubac_constrained(bluetooth_helper_tmp_t)
> +userdom_user_tmp_content(bluetooth_helper_t, bluetooth_helper_tmp_t)
>
> type bluetooth_helper_tmpfs_t;
> typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
> diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
> index 44caccc..80c88c1 100644
> --- a/policy/modules/services/cron.if
> +++ b/policy/modules/services/cron.if
> @@ -22,7 +22,7 @@ template(`cron_common_crontab_template',`
> ubac_constrained($1_t)
>
> type $1_tmp_t;
> - files_tmp_file($1_tmp_t)
> + userdom_user_tmp_content($1_t, $1_tmp_t)
>
> ##############################
> #
> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> index d76131b..054d8b3 100644
> --- a/policy/modules/services/dbus.if
> +++ b/policy/modules/services/dbus.if
> @@ -57,6 +57,8 @@ template(`dbus_role_template',`
> ubac_constrained($1_dbusd_t)
> role $2 types $1_dbusd_t;
>
> + userdom_user_tmp_content($1_dbusd_t, session_dbusd_tmp_t)
> +
> ##############################
> #
> # Local policy
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b738e94..319e41e 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -22,8 +22,6 @@ typealias dbusd_exec_t alias system_dbusd_exec_t;
> type session_dbusd_tmp_t;
> typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
> typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
> -files_tmp_file(session_dbusd_tmp_t)
> -ubac_constrained(session_dbusd_tmp_t)
>
> type system_dbusd_t;
> init_system_domain(system_dbusd_t, dbusd_exec_t)
> diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
> index 93c14ca..a2c91f2 100644
> --- a/policy/modules/services/lpd.te
> +++ b/policy/modules/services/lpd.te
> @@ -40,8 +40,7 @@ ubac_constrained(lpr_t)
> type lpr_tmp_t;
> typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
> typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
> -files_tmp_file(lpr_tmp_t)
> -ubac_constrained(lpr_tmp_t)
> +userdom_user_tmp_content(lpr_t, lpr_tmp_t)
>
> # Type for spool files.
> type print_spool_t;
> diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
> index c57356a..9d3ef86 100644
> --- a/policy/modules/services/mta.if
> +++ b/policy/modules/services/mta.if
> @@ -52,9 +52,10 @@ template(`mta_base_mail_template',`
>
> type $1_mail_t, user_mail_domain;
> application_domain($1_mail_t, sendmail_exec_t)
> + ubac_constrained($1_mail_t)
>
> type $1_mail_tmp_t;
> - files_tmp_file($1_mail_tmp_t)
> + userdom_user_tmp_content($1_mail_t, $1_mail_tmp_t)
>
> ##############################
> #
> diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
> index 64268e4..b1111b2 100644
> --- a/policy/modules/services/mta.te
> +++ b/policy/modules/services/mta.te
> @@ -40,8 +40,6 @@ typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
> typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
> typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
> typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
> -ubac_constrained(user_mail_t)
> -ubac_constrained(user_mail_tmp_t)
>
> ########################################
> #
> diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
> index cd683f9..2b30c50 100644
> --- a/policy/modules/services/pyzor.te
> +++ b/policy/modules/services/pyzor.te
> @@ -24,8 +24,7 @@ userdom_user_home_content(pyzor_home_t)
> type pyzor_tmp_t;
> typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
> typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
> -files_tmp_file(pyzor_tmp_t)
> -ubac_constrained(pyzor_tmp_t)
> +userdom_user_tmp_content(pyzor_t, pyzor_tmp_t)
>
> type pyzor_var_lib_t;
> typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
> diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
> index e4ecbbd..ab30865 100644
> --- a/policy/modules/services/razor.te
> +++ b/policy/modules/services/razor.te
> @@ -22,8 +22,7 @@ logging_log_file(razor_log_t)
> type razor_tmp_t;
> typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
> typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
> -files_tmp_file(razor_tmp_t)
> -ubac_constrained(razor_tmp_t)
> +userdom_user_tmp_content(razor_t, razor_tmp_t)
>
> type razor_var_lib_t;
> files_type(razor_var_lib_t)
> diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
> index b6a8919..6847a9b 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -34,8 +34,7 @@ userdom_user_home_content(spamassassin_home_t)
> type spamassassin_tmp_t;
> typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
> typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
> -files_tmp_file(spamassassin_tmp_t)
> -ubac_constrained(spamassassin_tmp_t)
> +userdom_user_tmp_content(spamassassin_t, spamassassin_tmp_t)
>
> type spamc_t;
> type spamc_exec_t;
> @@ -47,8 +46,7 @@ ubac_constrained(spamc_t)
> type spamc_tmp_t;
> typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
> typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
> -files_tmp_file(spamc_tmp_t)
> -ubac_constrained(spamc_tmp_t)
> +userdom_user_tmp_content(spamc_t, spamc_tmp_t)
>
> type spamd_t;
> type spamd_exec_t;
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index 567592d..ef3f32d 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -313,6 +313,8 @@ template(`ssh_role_template',`
> ubac_constrained($1_ssh_agent_t)
> role $2 types $1_ssh_agent_t;
>
> + userdom_user_tmp_content($1_ssh_agent_t, ssh_agent_tmp_t)
> +
> ##############################
> #
> # Local policy
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 2dad3c8..512834a 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -57,8 +57,6 @@ corecmd_executable_file(ssh_agent_exec_t)
> type ssh_agent_tmp_t;
> typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
> typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
> -files_tmp_file(ssh_agent_tmp_t)
> -ubac_constrained(ssh_agent_tmp_t)
>
> type ssh_keysign_t;
> type ssh_keysign_exec_t;
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index d2b2626..f51b828 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -148,8 +148,7 @@ userdom_user_home_content(xauth_home_t)
> type xauth_tmp_t;
> typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
> typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
> -files_tmp_file(xauth_tmp_t)
> -ubac_constrained(xauth_tmp_t)
> +userdom_user_tmp_content(xauth_t, xauth_tmp_t)
>
> # this is not actually a device, its a pipe
> type xconsole_device_t;
> @@ -199,8 +198,7 @@ ubac_constrained(xserver_t)
> type xserver_tmp_t;
> typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
> typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
> -files_tmp_file(xserver_tmp_t)
> -ubac_constrained(xserver_tmp_t)
> +userdom_user_tmp_content(xserver_t, xserver_tmp_t)
>
> type xserver_tmpfs_t;
> typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index a3135e6..7d83ec3 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1286,6 +1286,30 @@ interface(`userdom_user_home_content',`
>
> ########################################
> ##<summary>
> +## Make the specified type usable user
> +## temporary content.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain using the user temporary
> +## content.
> +## </summary>
> +##</param>
> +##<param name="file_type">
> +## <summary>
> +## Type to be used for user temporary
> +## content.
> +## </summary>
> +##</param>
> +#
> +interface(`userdom_user_tmp_content',`
> + files_tmp_file($2)
> + files_poly_member_tmp($1, $2)
> + ubac_constrained($2)
> +')
Why do we have files_poly_member_tmp()? I didn't see any places where
it was removed above.
> +########################################
> +##<summary>
> ## Allow domain to attach to TUN devices created by administrative users.
> ##</summary>
> ##<param name="domain">
> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> index 69b2e0f..5dcefd4 100644
> --- a/policy/modules/system/userdomain.te
> +++ b/policy/modules/system/userdomain.te
> @@ -87,6 +87,7 @@ ubac_constrained(user_devpts_t)
> type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
> typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
> files_tmp_file(user_tmp_t)
> +# Consider removing this
> userdom_user_home_content(user_tmp_t)
>
> type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/12/2010 08:09 PM, Christopher J. PeBenito wrote:
<snip>
>>
>> ########################################
>> ##<summary>
>> +## Make the specified type usable user
>> +## temporary content.
>> +##</summary>
>> +##<param name="domain">
>> +## <summary>
>> +## Domain using the user temporary
>> +## content.
>> +## </summary>
>> +##</param>
>> +##<param name="file_type">
>> +## <summary>
>> +## Type to be used for user temporary
>> +## content.
>> +## </summary>
>> +##</param>
>> +#
>> +interface(`userdom_user_tmp_content',`
>> + files_tmp_file($2)
>> + files_poly_member_tmp($1, $2)
>> + ubac_constrained($2)
>> +')
>
> Why do we have files_poly_member_tmp()? I didn't see any places where
> it was removed above.
I guess there aren't any in refpolicy (except userdom_manage_tmp_role).
Does that mean there should not be any?
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100712/28e5ab75/attachment.bin
On 07/12/10 15:26, Dominick Grift wrote:
> On 07/12/2010 08:09 PM, Christopher J. PeBenito wrote:
> <snip>
>>>
>>> ########################################
>>> ##<summary>
>>> +## Make the specified type usable user
>>> +## temporary content.
>>> +##</summary>
>>> +##<param name="domain">
>>> +##<summary>
>>> +## Domain using the user temporary
>>> +## content.
>>> +##</summary>
>>> +##</param>
>>> +##<param name="file_type">
>>> +##<summary>
>>> +## Type to be used for user temporary
>>> +## content.
>>> +##</summary>
>>> +##</param>
>>> +#
>>> +interface(`userdom_user_tmp_content',`
>>> + files_tmp_file($2)
>>> + files_poly_member_tmp($1, $2)
>>> + ubac_constrained($2)
>>> +')
>>
>> Why do we have files_poly_member_tmp()? I didn't see any places where
>> it was removed above.
>
> I guess there aren't any in refpolicy (except userdom_manage_tmp_role).
> Does that mean there should not be any?
Since we're just starting this change, I'd like not to add anything yet.
So since the files_poly_member_tmp() isn't used commonly it shouldn't
be added to userdom_user_tmp_content().
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com