2016-06-01 16:08:53

by Jason Zaman

Subject: [refpolicy] [PATCH 1/4] authlogin: remove fcontext for /var/run/user

---
policy/modules/system/authlogin.fc | 1 -
1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bb11be5..c0ee2e3 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -47,6 +47,5 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--
2.7.3


2016-06-01 16:08:54

by Jason Zaman

Subject: [refpolicy] [PATCH 2/4] userdomain: Introduce types for /run/user

These are the types for /run/user, analogous to /home's home_root_t and
home_dir_t.
---
policy/modules/system/userdomain.fc | 7 +++++++
policy/modules/system/userdomain.te | 15 +++++++++++++++
2 files changed, 22 insertions(+)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..0ec8d11 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,3 +2,10 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)

/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user -d gen_context(system_u:object_r:user_runtime_root_t,s0)
+/var/run/user/[^/]+ -d gen_context(system_u:object_r:user_runtime_t,s0)
+/var/run/user/[^/]+/.+ -d <<none>>
+# new genhomedircon required for these patterns
+/var/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_t,s0)
+/var/run/user/%{USERID}/.+ <<none>>
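Review bot: The `<<none>>` spec on the `/var/run/user/[^/]+/.+` line carries `-d`, so it only excludes directories from relabeling, while the `%{USERID}` variant two lines below excludes every file type; on a system whose genhomedircon does not yet expand `%{USERID}` (the comment says a new one is required), regular files and sockets under `/var/run/user/<uid>/` match no spec in this hunk and on a full relabel would fall through to whatever more general `/var/run` or catch-all pattern the rest of the policy provides. Drop the flag so the two lines agree: `/var/run/user/[^/]+/.+ <<none>>`. Separately, the description presents these as the analogue of `/home`, yet `/var/run/user` gets a plain `s0` context where the `HOME_DIR` entry at the top of the hunk uses `s0-mls_systemhigh`; if per-user runtime directories can be created at different levels on an MLS policy, the root presumably needs the same range — worth confirming before this spreads to derived policies.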
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 2a36851..8def7fd 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,3 +93,18 @@ userdom_user_home_content(user_tmpfs_t)
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
+type user_runtime_root_t;
+fs_associate_tmpfs(user_runtime_root_t)
+files_mountpoint(user_runtime_root_t)
+files_poly_parent(user_runtime_root_t)
+
+type user_runtime_t;
+fs_associate_tmpfs(user_runtime_t)
+files_type(user_runtime_t)
+files_mountpoint(user_runtime_t)
+files_associate_tmp(user_runtime_t)
+files_poly(user_runtime_t)
+files_poly_member(user_runtime_t)
+files_poly_parent(user_runtime_t)
+ubac_constrained(user_runtime_t)
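Review bot: The two new types are declared without a comment tying them to a path, so nothing in the .te says which one is `/run/user` and which is `/run/user/<uid>`; a reader has to open userdomain.fc to find out. I would add `# /run/user, root of the per-user runtime directories` above `type user_runtime_root_t;` and `# /run/user/<uid>, one user's runtime directory (polyinstantiated, UBAC constrained)` above `type user_runtime_t;`. The second comment is grounded in the `files_poly*` and `ubac_constrained` calls that follow it, and the contrast also makes it visible that the root type is intentionally not UBAC constrained, presumably because it is shared by every user.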
--
2.7.3

2016-06-01 16:08:55

by Jason Zaman

Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching /run/user

---
policy/modules/system/userdomain.if | 51 +++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d604147..7910984 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -318,6 +318,7 @@ interface(`userdom_exec_user_tmp_files',`

exec_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')
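Review bot: The added `userdom_search_user_runtime($1)` is not a single permission: as the new interface later in this patch shows, it also calls `userdom_search_user_runtime_root`, which in turn calls `files_search_pids`, so every domain using any of the user_tmp interfaces now also gets `search` on `user_runtime_t`, `user_runtime_root_t` and the pid directory type. That is only `search` and is needed once user_tmp_t content lives under `/run/user/<uid>`, so it looks acceptable, but the same widening is repeated across roughly a dozen interfaces in this patch and the commit message says nothing about it; one sentence stating the rationale would help anyone auditing the rule set later. `userdom_exec_user_tmp_files` begins before this hunk, so the added line's position relative to its `gen_require` block is not visible here.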

#######################################
@@ -2327,6 +2328,7 @@ interface(`userdom_write_user_tmp_sockets',`

allow $1 user_tmp_t:sock_file write_sock_file_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2345,7 +2347,9 @@ interface(`userdom_list_user_tmp',`
')

allow $1 user_tmp_t:dir list_dir_perms;
+ allow $1 user_runtime_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2404,6 +2408,7 @@ interface(`userdom_read_user_tmp_files',`
read_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2462,6 +2467,7 @@ interface(`userdom_rw_user_tmp_files',`
allow $1 user_tmp_t:dir list_dir_perms;
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2501,6 +2507,7 @@ interface(`userdom_read_user_tmp_symlinks',`
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2521,6 +2528,7 @@ interface(`userdom_manage_user_tmp_dirs',`

manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2541,6 +2549,7 @@ interface(`userdom_manage_user_tmp_files',`

manage_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2561,6 +2570,7 @@ interface(`userdom_manage_user_tmp_symlinks',`

manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2581,6 +2591,7 @@ interface(`userdom_manage_user_tmp_pipes',`

manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2601,6 +2612,7 @@ interface(`userdom_manage_user_tmp_sockets',`

manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2637,6 +2649,7 @@ interface(`userdom_user_tmp_filetrans',`

filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2691,6 +2704,44 @@ interface(`userdom_read_user_tmpfs_files',`

########################################
## <summary>
+## Search users runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_user_runtime',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir search_dir_perms;
+ userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+## Search user runtime root directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
--
2.7.3

2016-06-01 16:08:56

by Jason Zaman

Subject: [refpolicy] [PATCH 4/4] userdomain: introduce interfaces for user runtime

---
policy/modules/system/userdomain.if | 206 ++++++++++++++++++++++++++++++++++++
1 file changed, 206 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7910984..4fde5d8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ userdom_user_runtime_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
')

#######################################
@@ -2742,6 +2743,211 @@ interface(`userdom_search_user_runtime_root',`

########################################
## <summary>
+## Create, read, write, and delete user
+## runtime root dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir manage_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## runtime dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir manage_dir_perms;
+ userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+## Mount a filesystem on user runtime dir
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mounton_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Relabel to user runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir relabelto;
+')
+
+########################################
+## <summary>
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_filetrans',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_t, $2, $3, $4)
+ userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user runtime root
+## directory with an automatic type transition
+## to the user runtime dir type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_root_filetrans_user_runtime',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_root_t, user_runtime_t, $2, $3)
+ files_search_pids($1)
+')
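Review bot: In `userdom_user_runtime_filetrans` the `gen_require` lists `user_runtime_root_t`, but the body only names `user_runtime_t` directly and reaches the root type through `userdom_search_user_runtime_root($1)`, which carries its own require; the extra entry is harmless but misleading, so trim it to `type user_runtime_t;`. The new `userdom_mounton_user_runtime_dirs` and `userdom_relabelto_user_runtime_dirs` grant the object permission alone, whereas the neighbouring manage interfaces pair theirs with `userdom_search_user_runtime_root($1)`; if the mounting domain is expected to reach `/run/user/<uid>` through this interface alone, the mounton one probably wants the same call — worth checking against the domain that will use it. Also, the summary "Mount a filesystem on user runtime dir directories" has a doubled noun; "on user runtime directories" reads better.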
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
--
2.7.3

2016-06-01 17:36:51

by cpebenito

Subject: [refpolicy] [PATCH 1/4] authlogin: remove fcontext for /var/run/user

On 6/1/2016 12:08 PM, Jason Zaman wrote:
> ---
> policy/modules/system/authlogin.fc | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
> index bb11be5..c0ee2e3 100644
> --- a/policy/modules/system/authlogin.fc
> +++ b/policy/modules/system/authlogin.fc
> @@ -47,6 +47,5 @@ ifdef(`distro_gentoo', `
> /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)

This whole set is merged.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com