2016-05-27 06:23:03

by Jason Zaman

Subject: [refpolicy] [PATCH 1/4] authlogin: remove fcontext for /var/run/user

---
policy/modules/system/authlogin.fc | 1 -
1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bb11be5..c0ee2e3 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -47,6 +47,5 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--
2.7.3


2016-05-27 06:23:04

by Jason Zaman

Subject: [refpolicy] [PATCH 2/4] userdomain: Introduce types for /run/user

These are the types for /run/user, analogous to home_root_t for /home and
user_home_dir_t for /home/USER.
---
policy/modules/system/userdomain.fc | 4 ++++
policy/modules/system/userdomain.te | 20 ++++++++++++++++++++
2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..30708ca 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,3 +2,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)

/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user -d gen_context(system_u:object_r:user_runtime_root_t,s0)
+/var/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_dir_t,s0)
+/var/run/user/%{USERID}/.+ <<none>>
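Review bot: The per-user directory on the `/var/run/user/%{USERID}` line gets a plain `s0` level while the `HOME_DIR` entry it is modelled on (first context line of the hunk) carries `s0-mls_systemhigh`; since the commit message presents these as the /run/user analogues of the home types, an MLS build would label each user's runtime dir at a single level and presumably refuse sessions at higher levels. If the analogy is intended, `/var/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_dir_t,s0-mls_systemhigh)` would match. The `<<none>>` contents line also deserves a one-line comment above it, e.g. `# contents are labelled by type transition at creation and deliberately not relabelled`, so it is not read as an omission.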
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 2a36851..c613553 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,3 +93,23 @@ userdom_user_home_content(user_tmpfs_t)
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
+type user_runtime_root_t;
+fs_associate_tmpfs(user_runtime_root_t)
+files_type(user_runtime_root_t)
+files_mountpoint(user_runtime_root_t)
+files_associate_tmp(user_runtime_root_t)
+files_poly(user_runtime_root_t)
+files_poly_member(user_runtime_root_t)
+files_poly_parent(user_runtime_root_t)
+ubac_constrained(user_runtime_root_t)
+
+type user_runtime_dir_t;
+fs_associate_tmpfs(user_runtime_dir_t)
+files_type(user_runtime_dir_t)
+files_mountpoint(user_runtime_dir_t)
+files_associate_tmp(user_runtime_dir_t)
+files_poly(user_runtime_dir_t)
+files_poly_member(user_runtime_dir_t)
+files_poly_parent(user_runtime_dir_t)
+ubac_constrained(user_runtime_dir_t)
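Review bot: The two type declarations carry byte-for-byte the same attribute set, which for `user_runtime_root_t` (the shared `/var/run/user` parent) looks copied from the per-user type rather than chosen: as their names suggest, `files_poly` and `files_poly_member` mark a type as a polyinstantiated directory/member, which fits `/run/user/UID` but not the directory that holds the members, and `ubac_constrained` on the root only matters if that directory ever carries a non-system SELinux user. If the commit message's `home_root_t` analogy is the intent, I would drop `files_poly(user_runtime_root_t)` and `files_poly_member(user_runtime_root_t)`, keep `files_poly_parent`, and reconsider whether the root needs `ubac_constrained` at all. A one-line comment above each type naming the path it labels (`# /run/user` and `# /run/user/UID`) would also help, since nothing in the .te file says which is which.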
--
2.7.3

2016-05-27 06:23:05

by Jason Zaman

Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching /run/user

---
policy/modules/system/userdomain.if | 60 +++++++++++++++++++++++++++++--------
1 file changed, 48 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d604147..54c63b0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -313,11 +313,14 @@ interface(`userdom_manage_tmp_role',`
#
interface(`userdom_exec_user_tmp_files',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

exec_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

#######################################
@@ -2322,11 +2325,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
#
interface(`userdom_write_user_tmp_sockets',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

allow $1 user_tmp_t:sock_file write_sock_file_perms;
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2341,11 +2347,14 @@ interface(`userdom_write_user_tmp_sockets',`
#
interface(`userdom_list_user_tmp',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

allow $1 user_tmp_t:dir list_dir_perms;
+ allow $1 user_runtime_dir_t:dir list_dir_perms;
files_search_tmp($1)
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2398,12 +2407,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

read_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2456,12 +2468,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
#
interface(`userdom_rw_user_tmp_files',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

allow $1 user_tmp_t:dir list_dir_perms;
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2495,12 +2510,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
#
interface(`userdom_read_user_tmp_symlinks',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2516,11 +2534,14 @@ interface(`userdom_read_user_tmp_symlinks',`
#
interface(`userdom_manage_user_tmp_dirs',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2536,11 +2557,14 @@ interface(`userdom_manage_user_tmp_dirs',`
#
interface(`userdom_manage_user_tmp_files',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

manage_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2556,11 +2580,14 @@ interface(`userdom_manage_user_tmp_files',`
#
interface(`userdom_manage_user_tmp_symlinks',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2576,11 +2603,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
#
interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2596,11 +2626,14 @@ interface(`userdom_manage_user_tmp_pipes',`
#
interface(`userdom_manage_user_tmp_sockets',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
@@ -2632,11 +2665,14 @@ interface(`userdom_manage_user_tmp_sockets',`
#
interface(`userdom_user_tmp_filetrans',`
gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')

filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
')

########################################
--
2.7.3

2016-05-27 06:23:06

by Jason Zaman

Subject: [refpolicy] [PATCH 4/4] userdomain: filetrans interfaces for user_runtime

---
policy/modules/system/userdomain.if | 99 +++++++++++++++++++++++++++++++++++++
1 file changed, 99 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 54c63b0..453bfd9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
')

#######################################
@@ -2727,6 +2728,104 @@ interface(`userdom_read_user_tmpfs_files',`

########################################
## <summary>
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
--
2.7.3

2016-05-27 14:23:41

by cpebenito

Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching /run/user

On 5/27/2016 2:23 AM, Jason Zaman wrote:
> ---
> policy/modules/system/userdomain.if | 60 +++++++++++++++++++++++++++++--------
> 1 file changed, 48 insertions(+), 12 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d604147..54c63b0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -313,11 +313,14 @@ interface(`userdom_manage_tmp_role',`
> #
> interface(`userdom_exec_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> exec_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')

Since this repeats a bunch below, why not add a
userdom_search_user_runtime() which allows the search on the two dir types?


> #######################################
> @@ -2322,11 +2325,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
> #
> interface(`userdom_write_user_tmp_sockets',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> allow $1 user_tmp_t:sock_file write_sock_file_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2341,11 +2347,14 @@ interface(`userdom_write_user_tmp_sockets',`
> #
> interface(`userdom_list_user_tmp',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> allow $1 user_tmp_t:dir list_dir_perms;
> + allow $1 user_runtime_dir_t:dir list_dir_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2398,12 +2407,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
> #
> interface(`userdom_read_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> read_files_pattern($1, user_tmp_t, user_tmp_t)
> allow $1 user_tmp_t:dir list_dir_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2456,12 +2468,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
> #
> interface(`userdom_rw_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> allow $1 user_tmp_t:dir list_dir_perms;
> rw_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2495,12 +2510,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
> #
> interface(`userdom_read_user_tmp_symlinks',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
> allow $1 user_tmp_t:dir list_dir_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2516,11 +2534,14 @@ interface(`userdom_read_user_tmp_symlinks',`
> #
> interface(`userdom_manage_user_tmp_dirs',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2536,11 +2557,14 @@ interface(`userdom_manage_user_tmp_dirs',`
> #
> interface(`userdom_manage_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2556,11 +2580,14 @@ interface(`userdom_manage_user_tmp_files',`
> #
> interface(`userdom_manage_user_tmp_symlinks',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2576,11 +2603,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
> #
> interface(`userdom_manage_user_tmp_pipes',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2596,11 +2626,14 @@ interface(`userdom_manage_user_tmp_pipes',`
> #
> interface(`userdom_manage_user_tmp_sockets',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2632,11 +2665,14 @@ interface(`userdom_manage_user_tmp_sockets',`
> #
> interface(`userdom_user_tmp_filetrans',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> filetrans_pattern($1, user_tmp_t, $2, $3, $4)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2016-05-27 15:19:49

by Jason Zaman

Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching /run/user

On Fri, May 27, 2016 at 10:23:41AM -0400, Christopher J. PeBenito wrote:
> On 5/27/2016 2:23 AM, Jason Zaman wrote:
> > ---
> > policy/modules/system/userdomain.if | 60 +++++++++++++++++++++++++++++--------
> > 1 file changed, 48 insertions(+), 12 deletions(-)
> >
> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index d604147..54c63b0 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -313,11 +313,14 @@ interface(`userdom_manage_tmp_role',`
> > #
> > interface(`userdom_exec_user_tmp_files',`
> > gen_require(`
> > - type user_tmp_t;
> > + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> > ')
> >
> > exec_files_pattern($1, user_tmp_t, user_tmp_t)
> > files_search_tmp($1)
> > + allow $1 user_runtime_dir_t:dir search_dir_perms;
> > + allow $1 user_runtime_root_t:dir search_dir_perms;
> > + files_search_pids($1)
> > ')
>
> Since this repeats a bunch below, why not add a
> userdom_search_user_runtime() which allows the search on the two dir types?

Yeah, I thought of that; I'll re-send this patch. I originally thought
this way was preferred since a lot of other policies do it explicitly.

-- Jason

2016-05-27 16:56:46

by Jason Zaman

Subject: [refpolicy] [PATCH 3/4 v2] userdomain: user_tmp requires searching /run/user

---
policy/modules/system/userdomain.if | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d604147..a1367a4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -318,6 +318,7 @@ interface(`userdom_exec_user_tmp_files',`

exec_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

#######################################
@@ -2327,6 +2328,7 @@ interface(`userdom_write_user_tmp_sockets',`

allow $1 user_tmp_t:sock_file write_sock_file_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2345,7 +2347,9 @@ interface(`userdom_list_user_tmp',`
')

allow $1 user_tmp_t:dir list_dir_perms;
+ allow $1 user_runtime_dir_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')
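Review bot: `allow $1 user_runtime_dir_t:dir list_dir_perms;` uses a type this interface's `gen_require` does not declare: the hunk's first context line is the `')` that closes the require block, the v2 diff does not touch that block, and in the base revision (see the v1 hunk for this same interface) it lists only `type user_tmp_t;`. Unlike the other interfaces in this patch, which reach the runtime types only through `userdom_search_user_runtime()`, this one names the type directly, so a caller built as a separate module will presumably fail with an undeclared-type error. The require line should become `type user_tmp_t, user_runtime_dir_t;` as v1 had it, minus the now-unneeded root type. The rest of the interface lies outside the hunk.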

########################################
@@ -2404,6 +2408,7 @@ interface(`userdom_read_user_tmp_files',`
read_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2462,6 +2467,7 @@ interface(`userdom_rw_user_tmp_files',`
allow $1 user_tmp_t:dir list_dir_perms;
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2501,6 +2507,7 @@ interface(`userdom_read_user_tmp_symlinks',`
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2521,6 +2528,7 @@ interface(`userdom_manage_user_tmp_dirs',`

manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2541,6 +2549,7 @@ interface(`userdom_manage_user_tmp_files',`

manage_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2561,6 +2570,7 @@ interface(`userdom_manage_user_tmp_symlinks',`

manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2581,6 +2591,7 @@ interface(`userdom_manage_user_tmp_pipes',`

manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2601,6 +2612,7 @@ interface(`userdom_manage_user_tmp_sockets',`

manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2637,6 +2649,7 @@ interface(`userdom_user_tmp_filetrans',`

filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
+ userdom_search_user_runtime($1)
')

########################################
@@ -2691,6 +2704,26 @@ interface(`userdom_read_user_tmpfs_files',`

########################################
## <summary>
+## Search users runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_user_runtime',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
+')
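Review bot: The summary `## Search users runtime directories.` is terse for an interface whose two `allow` lines grant search on the shared `/run/user` root and on every user's per-user runtime directory, leaving per-user separation to the ubac constraint placed on those types and to DAC rather than to this interface. I would spell that out in the docstring, e.g. `## Search the user runtime root (/run/user) and all per-user runtime directories (/run/user/UID). Used by the user_tmp interfaces because user temporary content also lives there.` The word `users` in the summary should also read `user`.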
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
--
2.7.3

2016-05-27 16:57:33

by Jason Zaman

Subject: [refpolicy] [PATCH 4/4 v2] userdomain: introduce interfaces for user runtime

---
policy/modules/system/userdomain.if | 139 ++++++++++++++++++++++++++++++++++++
1 file changed, 139 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index a1367a4..cf6e0ec 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
')

#######################################
@@ -2724,6 +2725,144 @@ interface(`userdom_search_user_runtime',`

########################################
## <summary>
+## Create, read, write, and delete user
+## runtime root dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ manage_dirs_pattern($1, user_runtime_root_t, user_runtime_root_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Mount a filesystem on user runtime root
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mounton_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { search_dir_perms mounton };
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
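Review bot: `userdom_manage_user_runtime_root_dirs` lets a domain create directories under `/run/user`, but with no type transition they inherit the parent's label and come out as `user_runtime_root_t`, not the `user_runtime_dir_t` that patch 2's fcontext assigns to `/run/user/UID`; nothing in this hunk offers a filetrans to `user_runtime_dir_t`, and `userdom_mounton_user_runtime_root` covers only the root, so whatever creates and mounts the per-user tmpfs (presumably pam_systemd/logind on systemd hosts) cannot be given a correctly labelled path unless that lands in a later patch. I would add a transition interface next to `userdom_pid_filetrans_user_runtime_root`, and an analogous mounton interface for the per-user type. The new interface, using the same documentation layout as the hunk's other interfaces:

```m4
# … unchanged: userdom_pid_filetrans_user_runtime_root above …

########################################
## <summary>
##	Create a per-user runtime directory under
##	/run/user with an automatic type transition
##	to user_runtime_dir_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the directory being created.
##	</summary>
## </param>
#
interface(`userdom_user_runtime_root_filetrans_user_runtime_dir',`
	gen_require(`
		type user_runtime_root_t, user_runtime_dir_t;
	')

	filetrans_pattern($1, user_runtime_root_t, user_runtime_dir_t, dir, $2)
	files_search_pids($1)
')
```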
--
2.7.3