2016-05-27 20:35:23

by Jason Zaman

Subject: [refpolicy] [PATCH v3 1/4] authlogin: remove fcontext for /var/run/user

---
policy/modules/system/authlogin.fc | 1 -
1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bb11be5..c0ee2e3 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -47,6 +47,5 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--
2.7.3


2016-05-27 20:35:24

by Jason Zaman

Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user

These are the types for /run/user, analogous to /home's home_root_t and
home_dir_t.
---
policy/modules/system/userdomain.fc | 5 +++++
policy/modules/system/userdomain.te | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..634d29d 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,3 +2,8 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)

/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user -d gen_context(system_u:object_r:user_runtime_root_t,s0)
+/var/run/user/[^/]+ -d gen_context(system_u:object_r:user_runtime_dir_t,s0)
+/var/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_dir_t,s0)
+/var/run/user/%{USERID}/.+ <<none>>
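Review bot: The new `/var/run/user -d` entry carries a plain `s0` level while the `HOME_DIR -d` context line at the top of this hunk, which the commit message names as the analogue, is ranged `s0-mls_systemhigh`; if that analogy is intended to hold on MLS builds, the root entry likely wants `/var/run/user -d gen_context(system_u:object_r:user_runtime_root_t,s0-mls_systemhigh)` so per-user dirs at higher levels can live under it. I have not verified what the corresponding files.fc entry for /home uses, so this should be confirmed against it rather than taken as given. Separately, all four additions are `-d`-only, so any non-directory object directly under /var/run/user no longer gets a specific label after 1/4 drops the old `(/.*)?` rule and presumably falls to the generic pid-directory context; a one-line comment stating that this is deliberate would help the next reader.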
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 2a36851..c613553 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,3 +93,23 @@ userdom_user_home_content(user_tmpfs_t)
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
+type user_runtime_root_t;
+fs_associate_tmpfs(user_runtime_root_t)
+files_type(user_runtime_root_t)
+files_mountpoint(user_runtime_root_t)
+files_associate_tmp(user_runtime_root_t)
+files_poly(user_runtime_root_t)
+files_poly_member(user_runtime_root_t)
+files_poly_parent(user_runtime_root_t)
+ubac_constrained(user_runtime_root_t)
+
+type user_runtime_dir_t;
+fs_associate_tmpfs(user_runtime_dir_t)
+files_type(user_runtime_dir_t)
+files_mountpoint(user_runtime_dir_t)
+files_associate_tmp(user_runtime_dir_t)
+files_poly(user_runtime_dir_t)
+files_poly_member(user_runtime_dir_t)
+files_poly_parent(user_runtime_dir_t)
+ubac_constrained(user_runtime_dir_t)
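Review bot: The two type declarations carry nine identical attribute calls each and nothing in the .te says which path either type labels, so a reader has to cross-reference userdomain.fc to learn that user_runtime_root_t is /run/user and user_runtime_dir_t is the per-user /run/user/$UID. A one-line comment above each block, e.g. `# /run/user, parent of the per-user runtime dirs` and `# /run/user/$UID, per-user runtime dir (mounted as tmpfs by the login manager)`, would make the type pair self-describing; the tmpfs remark should be hedged or dropped unless it matches what the project's login manager policy actually does. Applying `files_poly_parent` and `files_poly_member` to the same type for both the root and the per-user dir looks copied from the user_tmp_t pattern rather than chosen for /run/user; worth a sentence in the commit message on whether polyinstantiation of these directories is actually expected.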
--
2.7.3

2016-05-27 20:35:25

by Jason Zaman

Subject: [refpolicy] [PATCH v3 3/4] userdomain: user_tmp requires searching /run/user

---
policy/modules/system/userdomain.if | 51 +++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d604147..2528ee3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -318,6 +318,7 @@ interface(`userdom_exec_user_tmp_files',`

exec_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')
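Review bot: Adding `userdom_search_user_runtime($1)` to userdom_exec_user_tmp_files grants every caller `search` on user_runtime_dir_t, user_runtime_root_t and, through `files_search_pids`, on the pid directory, and the same line is added to every other user_tmp interface in this patch (userdom_write_user_tmp_sockets, userdom_list_user_tmp, userdom_read_user_tmp_files, userdom_rw_user_tmp_files, userdom_read_user_tmp_symlinks, the five userdom_manage_user_tmp_* interfaces and userdom_user_tmp_filetrans); the commit message is empty, so nothing records why a domain that only needed /tmp now also reaches /run/user. The userdom_list_user_tmp hunk goes further with `allow $1 user_runtime_dir_t:dir list_dir_perms;`, which lets each such domain enumerate the entries of the per-user runtime directory, not just traverse it. The reason is presumably that 4/4 makes user_tmp_t objects get created under /run/user/$UID, so callers must be able to reach them there; stating that in the description, e.g. `user_tmp_t content is also created under /run/user/$UID, so user_tmp interfaces must be able to search (and for list, enumerate) the runtime dir.`, would let later reviewers judge the widening. userdom_exec_user_tmp_files begins above this hunk.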

#######################################
@@ -2327,6 +2328,7 @@ interface(`userdom_write_user_tmp_sockets',`

allow $1 user_tmp_t:sock_file write_sock_file_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2345,7 +2347,9 @@ interface(`userdom_list_user_tmp',`
')

allow $1 user_tmp_t:dir list_dir_perms;
+ allow $1 user_runtime_dir_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2404,6 +2408,7 @@ interface(`userdom_read_user_tmp_files',`
read_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2462,6 +2467,7 @@ interface(`userdom_rw_user_tmp_files',`
allow $1 user_tmp_t:dir list_dir_perms;
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2501,6 +2507,7 @@ interface(`userdom_read_user_tmp_symlinks',`
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2521,6 +2528,7 @@ interface(`userdom_manage_user_tmp_dirs',`

manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2541,6 +2549,7 @@ interface(`userdom_manage_user_tmp_files',`

manage_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2561,6 +2570,7 @@ interface(`userdom_manage_user_tmp_symlinks',`

manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2581,6 +2591,7 @@ interface(`userdom_manage_user_tmp_pipes',`

manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2601,6 +2612,7 @@ interface(`userdom_manage_user_tmp_sockets',`

manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2637,6 +2649,7 @@ interface(`userdom_user_tmp_filetrans',`

filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2691,6 +2704,44 @@ interface(`userdom_read_user_tmpfs_files',`

########################################
## <summary>
+## Search users runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_user_runtime',`
+ gen_require(`
+ type user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ userdom_search_user_runtime_root_dirs($1)
+')
+
+########################################
+## <summary>
+## Search user runtime root directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
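Review bot: The summary of `userdom_search_user_runtime` reads `## Search users runtime directories.`, which is ungrammatical and inconsistent with the sibling interface's `## Search user runtime root directories.`; it should be `## Search user runtime directories.`. It would also help callers to say in the summary that this interface includes search on the runtime root and the pid directory, since that is why the user_tmp interfaces above only call this one, e.g. `## Search user runtime directories, including the runtime root and pid directory.`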
--
2.7.3

2016-05-27 20:35:26

by Jason Zaman

Subject: [refpolicy] [PATCH v3 4/4] userdomain: introduce interfaces for user runtime

---
policy/modules/system/userdomain.if | 206 ++++++++++++++++++++++++++++++++++++
1 file changed, 206 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2528ee3..d6296a8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
')
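Review bot: The added `userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })` makes every domain assigned through userdom_manage_tmp_role create user_tmp_t objects of all five classes inside /run/user/$UID, and the commit message is empty, so the reason the runtime dir and /tmp share a content type is not recorded anywhere. A sentence in the description, e.g. `Content of /run/user/$UID is labeled user_tmp_t (the dir itself is <<none>> in the fc), so tmp roles must transition there too.`, would capture the design decision; the interface's parameter names show `$2` is the domain, consistent with the surrounding lines. userdom_manage_tmp_role begins above this hunk.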

#######################################
@@ -2742,6 +2743,211 @@ interface(`userdom_search_user_runtime_root_dirs',`

########################################
## <summary>
+## Create, read, write, and delete user
+## runtime root dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir manage_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## runtime dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir manage_dir_perms;
+ userdom_search_user_runtime_root_dirs($1)
+')
+
+########################################
+## <summary>
+## Mount a filesystem on user runtime dir
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mounton_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Relabel to user runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+ userdom_search_user_runtime_root_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user runtime root
+## directory with an automatic type transition
+## to the user runtime dir type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_root_filetrans_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_root_t, user_runtime_dir_t, $2, $3)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
--
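Review bot: In `userdom_user_runtime_dir_filetrans` the `gen_require` names `user_runtime_root_t`, but the interface body references only `user_runtime_dir_t` (the root type is reached via `userdom_search_user_runtime_root_dirs`, which carries its own require), so the line should be `type user_runtime_dir_t;`. An unused require is harmless to the build but misleads readers into looking for a use of the root type. The same `gen_require` in `userdom_user_runtime_root_filetrans_user_runtime_dirs` is correct, since that body uses both types directly.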
2.7.3

2016-05-28 10:20:26

by Dac Override

Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/27/2016 10:35 PM, Jason Zaman wrote:
> These are the types for /run/user, analogous to /home's home_root_t
> and home_dir_t. --- policy/modules/system/userdomain.fc | 5 +++++
> policy/modules/system/userdomain.te | 20 ++++++++++++++++++++ 2
> files changed, 25 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.fc
> b/policy/modules/system/userdomain.fc index db75976..634d29d
> 100644 --- a/policy/modules/system/userdomain.fc +++
> b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR -d
> gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
> HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
>
> /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +
> +/var/run/user -d
> gen_context(system_u:object_r:user_runtime_root_t,s0)
> +/var/run/user/[^/]+ -d
> gen_context(system_u:object_r:user_runtime_dir_t,s0)

The above is probably a bad idea, because only /run/user/$UID should
be considered a user_runtime_dir_t dir. Plus there is unlikely to be
anything but /run/user/$UID.

> +/var/run/user/%{USERID} -d
> gen_context(system_u:object_r:user_runtime_dir_t,s0)
> +/var/run/user/%{USERID}/.+ <<none>> diff --git
> a/policy/modules/system/userdomain.te
> b/policy/modules/system/userdomain.te index 2a36851..c613553
> 100644 --- a/policy/modules/system/userdomain.te +++
> b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@
> userdom_user_home_content(user_tmpfs_t) type user_tty_device_t
> alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t
> auditadm_tty_device_t unconfined_tty_device_t };
> dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) +
> +type user_runtime_root_t;
> +fs_associate_tmpfs(user_runtime_root_t)
> +files_type(user_runtime_root_t)
> +files_mountpoint(user_runtime_root_t)
> +files_associate_tmp(user_runtime_root_t)
> +files_poly(user_runtime_root_t)
> +files_poly_member(user_runtime_root_t)
> +files_poly_parent(user_runtime_root_t)
> +ubac_constrained(user_runtime_root_t) + +type user_runtime_dir_t;
> +fs_associate_tmpfs(user_runtime_dir_t)
> +files_type(user_runtime_dir_t)
> +files_mountpoint(user_runtime_dir_t)
> +files_associate_tmp(user_runtime_dir_t)
> +files_poly(user_runtime_dir_t)
> +files_poly_member(user_runtime_dir_t)
> +files_poly_parent(user_runtime_dir_t)
> +ubac_constrained(user_runtime_dir_t)
>


- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=HYBn
-----END PGP SIGNATURE-----

2016-05-28 10:23:30

by Dac Override

Subject: [refpolicy] [PATCH v3 3/4] userdomain: user_tmp requires searching /run/user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/27/2016 10:35 PM, Jason Zaman wrote:
> --- policy/modules/system/userdomain.if | 51
> +++++++++++++++++++++++++++++++++++++ 1 file changed, 51
> insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if
> b/policy/modules/system/userdomain.if index d604147..2528ee3
> 100644 --- a/policy/modules/system/userdomain.if +++
> b/policy/modules/system/userdomain.if @@ -318,6 +318,7 @@
> interface(`userdom_exec_user_tmp_files',`
>
> exec_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ####################################### @@ -2327,6 +2328,7 @@
> interface(`userdom_write_user_tmp_sockets',`
>
> allow $1 user_tmp_t:sock_file write_sock_file_perms;
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2345,7 +2347,9 @@
> interface(`userdom_list_user_tmp',` ')
>
> allow $1 user_tmp_t:dir list_dir_perms; + allow $1
> user_runtime_dir_t:dir list_dir_perms; files_search_tmp($1) +
> userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2404,6 +2408,7 @@
> interface(`userdom_read_user_tmp_files',` read_files_pattern($1,
> user_tmp_t, user_tmp_t) allow $1 user_tmp_t:dir list_dir_perms;
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2462,6 +2467,7 @@
> interface(`userdom_rw_user_tmp_files',` allow $1 user_tmp_t:dir
> list_dir_perms; rw_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2501,6 +2507,7 @@
> interface(`userdom_read_user_tmp_symlinks',`
> read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) allow $1
> user_tmp_t:dir list_dir_perms; files_search_tmp($1) +
> userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2521,6 +2528,7 @@
> interface(`userdom_manage_user_tmp_dirs',`
>
> manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2541,6 +2549,7 @@
> interface(`userdom_manage_user_tmp_files',`
>
> manage_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2561,6 +2570,7 @@
> interface(`userdom_manage_user_tmp_symlinks',`
>
> manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2581,6 +2591,7 @@
> interface(`userdom_manage_user_tmp_pipes',`
>
> manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2601,6 +2612,7 @@
> interface(`userdom_manage_user_tmp_sockets',`
>
> manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2637,6 +2649,7 @@
> interface(`userdom_user_tmp_filetrans',`
>
> filetrans_pattern($1, user_tmp_t, $2, $3, $4) files_search_tmp($1)
> + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2691,6 +2704,44 @@
> interface(`userdom_read_user_tmpfs_files',`
>
> ######################################## ## <summary> +## Search
> users runtime directories. +## </summary> +## <param
> name="domain"> +## <summary> +## Domain allowed access. +##
> </summary> +## </param> +#
> +interface(`userdom_search_user_runtime',` + gen_require(` + type
> user_runtime_dir_t; + ') + + allow $1 user_runtime_dir_t:dir
> search_dir_perms; + userdom_search_user_runtime_root_dirs($1) +')
> + +######################################## +## <summary> +##
> Search user runtime root directories. +## </summary> +## <param
> name="domain"> +## <summary> +## Domain allowed access. +##
> </summary> +## </param> +#
> +interface(`userdom_search_user_runtime_root_dirs',`

This should instead be called "userdom_search_user_runtime_root". One
can only search "dirs". Not only does it make more sense, it is also
consistent with other "search" interfaces that do it this way.

> + gen_require(` + type user_runtime_root_t; + ') + + allow $1
> user_runtime_root_t:dir search_dir_perms; + files_search_pids($1)
> +') + +######################################## +## <summary> ##
> Read and write user tmpfs files. ## </summary> ## <param
> name="domain">
>


- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXSXGcAAoJECV0jlU3+UdptNoMALEqxDurjGnLBsGhwvvkbpn7
M9Y/OzF+AtUE+7kiih2ibdNOiKhvlw9vX/XQRqRo/O0d9kxfvcF1YotmAVMoQLyR
dp2FiFg12zYv5QWTB24a4zauB/rGBZnffONNlcWxYMaNm/tpmatVxyCdWqm2UdB3
ZcKdGhlxqfJXPUdu0Kslb8T/xxR1eV9jlPZ35DRmHPUYHRTeKvEGoWcAZOFSIcLM
8pxXrkT0X41COeL+z4DRbCnYSZYBfznddOcX06dCGAqUy0XofQ9c5sC9Ls66JjqF
Fr46b1mLQrOBKf1lLSM3IsEFVWEXDBJqoa46W4i1L0ChiK8Q9qGNEXBi2fc9G8i8
jZBEBGMle71hwNBQo1n3955Vv6mBGq828rMvLL3+JXlpo2r/ZjW4Yh/IQj7h4/Fm
lkrmo5MUJKAKbBcpj8+j4JhfYUd9Za9Cnjd01GRdUgYiWwtlnCw48ssj7I9GY6Ri
jndVVg8FtnSzp0bCnqnkfolvxua/attsUHeeyr056g==
=RNbR
-----END PGP SIGNATURE-----

2016-05-28 10:29:40

by Jason Zaman

Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user

On Sat, May 28, 2016 at 12:20:26PM +0200, Dominick Grift wrote:
> On 05/27/2016 10:35 PM, Jason Zaman wrote:
> > These are the types for /run/user, analogous to /home's home_root_t
> > and home_dir_t. --- policy/modules/system/userdomain.fc | 5 +++++
> > policy/modules/system/userdomain.te | 20 ++++++++++++++++++++ 2
> > files changed, 25 insertions(+)
> >
> > diff --git a/policy/modules/system/userdomain.fc
> > b/policy/modules/system/userdomain.fc index db75976..634d29d
> > 100644 --- a/policy/modules/system/userdomain.fc +++
> > b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR -d
> > gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
> > HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
> >
> > /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +
> > +/var/run/user -d
> > gen_context(system_u:object_r:user_runtime_root_t,s0)
> > +/var/run/user/[^/]+ -d
> > gen_context(system_u:object_r:user_runtime_dir_t,s0)
>
> The above is probably a bad idea. because only /run/user/$UID should
> be considered user_runtime_dir_t dirs. Plus there will unlikely be
> anything but /run/user/$UID.

I would normally agree. The reason I added this was because the
%{USERID} part depends on the genhomedircon stuff I added recently which
most people do not have yet. Adding this for now should bridge the gap.
The genhomedircon fallback for USERID is [0-9]+ so these two fcontexts
will not conflict either.

-- Jason
>
> > +/var/run/user/%{USERID} -d
> > gen_context(system_u:object_r:user_runtime_dir_t,s0)
> > +/var/run/user/%{USERID}/.+ <<none>> diff --git
> > a/policy/modules/system/userdomain.te
> > b/policy/modules/system/userdomain.te index 2a36851..c613553
> > 100644 --- a/policy/modules/system/userdomain.te +++
> > b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@
> > userdom_user_home_content(user_tmpfs_t) type user_tty_device_t
> > alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t
> > auditadm_tty_device_t unconfined_tty_device_t };
> > dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) +
> > +type user_runtime_root_t;
> > +fs_associate_tmpfs(user_runtime_root_t)
> > +files_type(user_runtime_root_t)
> > +files_mountpoint(user_runtime_root_t)
> > +files_associate_tmp(user_runtime_root_t)
> > +files_poly(user_runtime_root_t)
> > +files_poly_member(user_runtime_root_t)
> > +files_poly_parent(user_runtime_root_t)
> > +ubac_constrained(user_runtime_root_t) + +type user_runtime_dir_t;
> > +fs_associate_tmpfs(user_runtime_dir_t)
> > +files_type(user_runtime_dir_t)
> > +files_mountpoint(user_runtime_dir_t)
> > +files_associate_tmp(user_runtime_dir_t)
> > +files_poly(user_runtime_dir_t)
> > +files_poly_member(user_runtime_dir_t)
> > +files_poly_parent(user_runtime_dir_t)
> > +ubac_constrained(user_runtime_dir_t)
> >
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2016-05-28 10:30:45

by Dac Override

Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/28/2016 12:29 PM, Jason Zaman wrote:
> On Sat, May 28, 2016 at 12:20:26PM +0200, Dominick Grift wrote:
>> On 05/27/2016 10:35 PM, Jason Zaman wrote:
>>> These are the types for /run/user, analogous to /home's
>>> home_root_t and home_dir_t. ---
>>> policy/modules/system/userdomain.fc | 5 +++++
>>> policy/modules/system/userdomain.te | 20 ++++++++++++++++++++
>>> 2 files changed, 25 insertions(+)
>>>
>>> diff --git a/policy/modules/system/userdomain.fc
>>> b/policy/modules/system/userdomain.fc index db75976..634d29d
>>> 100644 --- a/policy/modules/system/userdomain.fc +++
>>> b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR
>>> -d
>>> gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
>>> HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
>>>
>>> /tmp/gconfd-USER -d
>>> gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user
>>> -d gen_context(system_u:object_r:user_runtime_root_t,s0)
>>> +/var/run/user/[^/]+ -d
>>> gen_context(system_u:object_r:user_runtime_dir_t,s0)
>>
>> The above is probably a bad idea. because only /run/user/$UID
>> should be considered user_runtime_dir_t dirs. Plus there will
>> unlikely be anything but /run/user/$UID.
>
> I would normally agree. The reason I added this was because the
> %{USERID} part depends on the genhomedircon stuff I added recently
> which most people do not have yet. Adding this for now should
> bridge the gap. The genhomedircon fallback for USERID is [0-9]+ so
> these two fcontexts will not conflict either.

Good point.

>
> -- Jason
>>
>>> +/var/run/user/%{USERID} -d
>>> gen_context(system_u:object_r:user_runtime_dir_t,s0)
>>> +/var/run/user/%{USERID}/.+ <<none>> diff --git
>>> a/policy/modules/system/userdomain.te
>>> b/policy/modules/system/userdomain.te index 2a36851..c613553
>>> 100644 --- a/policy/modules/system/userdomain.te +++
>>> b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@
>>> userdom_user_home_content(user_tmpfs_t) type user_tty_device_t
>>> alias { staff_tty_device_t sysadm_tty_device_t
>>> secadm_tty_device_t auditadm_tty_device_t
>>> unconfined_tty_device_t }; dev_node(user_tty_device_t)
>>> ubac_constrained(user_tty_device_t) + +type
>>> user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t)
>>> +files_type(user_runtime_root_t)
>>> +files_mountpoint(user_runtime_root_t)
>>> +files_associate_tmp(user_runtime_root_t)
>>> +files_poly(user_runtime_root_t)
>>> +files_poly_member(user_runtime_root_t)
>>> +files_poly_parent(user_runtime_root_t)
>>> +ubac_constrained(user_runtime_root_t) + +type
>>> user_runtime_dir_t; +fs_associate_tmpfs(user_runtime_dir_t)
>>> +files_type(user_runtime_dir_t)
>>> +files_mountpoint(user_runtime_dir_t)
>>> +files_associate_tmp(user_runtime_dir_t)
>>> +files_poly(user_runtime_dir_t)
>>> +files_poly_member(user_runtime_dir_t)
>>> +files_poly_parent(user_runtime_dir_t)
>>> +ubac_constrained(user_runtime_dir_t)
>>>
>>
>>
>> -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D
>> 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B0
2
>>
>>
Dominick Grift
>> _______________________________________________ refpolicy mailing
>> list refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy


- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=O58K
-----END PGP SIGNATURE-----

2016-05-28 10:36:04

by Jason Zaman

Subject: [refpolicy] [PATCH v3 2/4] userdomain: Introduce types for /run/user

On Sat, May 28, 2016 at 12:30:45PM +0200, Dominick Grift wrote:
> On 05/28/2016 12:29 PM, Jason Zaman wrote:
> > On Sat, May 28, 2016 at 12:20:26PM +0200, Dominick Grift wrote:
> >> On 05/27/2016 10:35 PM, Jason Zaman wrote:
> >>> These are the types for /run/user, analogous to /home's
> >>> home_root_t and home_dir_t. ---
> >>> policy/modules/system/userdomain.fc | 5 +++++
> >>> policy/modules/system/userdomain.te | 20 ++++++++++++++++++++
> >>> 2 files changed, 25 insertions(+)
> >>>
> >>> diff --git a/policy/modules/system/userdomain.fc
> >>> b/policy/modules/system/userdomain.fc index db75976..634d29d
> >>> 100644 --- a/policy/modules/system/userdomain.fc +++
> >>> b/policy/modules/system/userdomain.fc @@ -2,3 +2,8 @@ HOME_DIR
> >>> -d
> >>> gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
> >>> HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
> >>>
> >>> /tmp/gconfd-USER -d
> >>> gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user
> >>> -d gen_context(system_u:object_r:user_runtime_root_t,s0)
> >>> +/var/run/user/[^/]+ -d
> >>> gen_context(system_u:object_r:user_runtime_dir_t,s0)
> >>
> >> The above is probably a bad idea. because only /run/user/$UID
> >> should be considered user_runtime_dir_t dirs. Plus there will
> >> unlikely be anything but /run/user/$UID.
> >
> > I would normally agree. The reason I added this was because the
> > %{USERID} part depends on the genhomedircon stuff I added recently
> > which most people do not have yet. Adding this for now should
> > bridge the gap. The genhomedircon fallback for USERID is [0-9]+ so
> > these two fcontexts will not conflict either.
>
> Good point.

Although it seems I forgot to add a fallback for <<none>> tho.
>
> >
> > -- Jason
> >>
> >>> +/var/run/user/%{USERID} -d
> >>> gen_context(system_u:object_r:user_runtime_dir_t,s0)
> >>> +/var/run/user/%{USERID}/.+ <<none>> diff --git
> >>> a/policy/modules/system/userdomain.te
> >>> b/policy/modules/system/userdomain.te index 2a36851..c613553
> >>> 100644 --- a/policy/modules/system/userdomain.te +++
> >>> b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@
> >>> userdom_user_home_content(user_tmpfs_t) type user_tty_device_t
> >>> alias { staff_tty_device_t sysadm_tty_device_t
> >>> secadm_tty_device_t auditadm_tty_device_t
> >>> unconfined_tty_device_t }; dev_node(user_tty_device_t)
> >>> ubac_constrained(user_tty_device_t) + +type
> >>> user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t)
> >>> +files_type(user_runtime_root_t)
> >>> +files_mountpoint(user_runtime_root_t)
> >>> +files_associate_tmp(user_runtime_root_t)
> >>> +files_poly(user_runtime_root_t)
> >>> +files_poly_member(user_runtime_root_t)
> >>> +files_poly_parent(user_runtime_root_t)
> >>> +ubac_constrained(user_runtime_root_t) + +type
> >>> user_runtime_dir_t; +fs_associate_tmpfs(user_runtime_dir_t)
> >>> +files_type(user_runtime_dir_t)
> >>> +files_mountpoint(user_runtime_dir_t)
> >>> +files_associate_tmp(user_runtime_dir_t)
> >>> +files_poly(user_runtime_dir_t)
> >>> +files_poly_member(user_runtime_dir_t)
> >>> +files_poly_parent(user_runtime_dir_t)
> >>> +ubac_constrained(user_runtime_dir_t)
> >>>
> >>
> >>
> >> -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D
> >> 2C7B 6B02
> >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B0
> 2
> >>
> >>
> Dominick Grift
> >> _______________________________________________ refpolicy mailing
> >> list refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift