From: domg472@gmail.com (Dominick Grift) Date: Thu, 8 Jul 2010 17:44:46 +0200 Subject: [refpolicy] [ Simplify user content patch 7/7] Various clean ups and fixes. Message-ID: <20100708154442.GA6898@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Remove policy where user domains are implicitly allowed to manage/relabel userdom user content. Also fix some issues. files_poly_member_tmp causes a conflict in both the java and evolution modules because they have two tmp types. 
Signed-off-by: Dominick Grift --- :100644 100644 1cb204c... 0402a98... M policy/modules/apps/evolution.if :100644 100644 f6c312b... 5643eda... M policy/modules/apps/evolution.te :100644 100644 c9b90d3... 89c2390... M policy/modules/apps/gift.if :100644 100644 9601de0... 3790011... M policy/modules/apps/gnome.if :100644 100644 793cde7... 8db8526... M policy/modules/apps/gpg.if :100644 100644 344a5b3... 836b886... M policy/modules/apps/mozilla.if :100644 100644 c7ad0f5... 6afbd09... M policy/modules/apps/mplayer.if :100644 100644 9ebb373... 0f70007... M policy/modules/apps/pulseaudio.if :100644 100644 c2cc18d... e93e39b... M policy/modules/apps/thunderbird.if :100644 100644 8d89f21... c5adfa3... M policy/modules/apps/tvtime.if :100644 100644 d2ab7cb... f91f075... M policy/modules/apps/uml.if :100644 100644 a7c27a5... c7a970c... M policy/modules/apps/wireshark.if :100644 100644 30754e4... f009614... M policy/modules/roles/staff.te :100644 100644 794e06f... e40cab1... M policy/modules/roles/sysadm.te :100644 100644 d5d5042... 4ed9204... M policy/modules/roles/unprivuser.te :100644 100644 57feb5a... f0fdcf1... M policy/modules/services/apache.if :100644 100644 3745b62... 1a96e6e... M policy/modules/services/pyzor.if :100644 100644 cd683f9... 2b30c50... M policy/modules/services/pyzor.te :100644 100644 f4a355f... b980564... M policy/modules/services/razor.if :100644 100644 e4ecbbd... 43a5de5... M policy/modules/services/razor.te :100644 100644 3945628... 6717e75... M policy/modules/services/spamassassin.if :100644 100644 b6a8919... 6847a9b... M policy/modules/services/spamassassin.te :100644 100644 567592d... ccc6bb2... M policy/modules/services/ssh.if :100644 100644 5d3b416... 9559ee1... M policy/modules/services/ssh.te :100644 100644 8633a6a... 8b70b1b... M policy/modules/services/xserver.if :100644 100644 d2b2626... 5dfdcb7... 
M policy/modules/services/xserver.te policy/modules/apps/evolution.if | 10 +------ policy/modules/apps/evolution.te | 5 +++- policy/modules/apps/gift.if | 9 ------ policy/modules/apps/gnome.if | 2 - policy/modules/apps/gpg.if | 10 ------- policy/modules/apps/mozilla.if | 14 +++------- policy/modules/apps/mplayer.if | 9 ------ policy/modules/apps/pulseaudio.if | 2 +- policy/modules/apps/thunderbird.if | 9 ------ policy/modules/apps/tvtime.if | 9 ------ policy/modules/apps/uml.if | 28 +------------------ policy/modules/apps/wireshark.if | 9 ------ policy/modules/roles/staff.te | 5 --- policy/modules/roles/sysadm.te | 5 --- policy/modules/roles/unprivuser.te | 5 --- policy/modules/services/apache.if | 27 ------------------ policy/modules/services/pyzor.if | 1 - policy/modules/services/pyzor.te | 3 +- policy/modules/services/razor.if | 9 +----- policy/modules/services/razor.te | 11 +++---- policy/modules/services/spamassassin.if | 10 +------ policy/modules/services/spamassassin.te | 6 +--- policy/modules/services/ssh.if | 18 +++--------- policy/modules/services/ssh.te | 6 +--- policy/modules/services/xserver.if | 46 +------------------------------ policy/modules/services/xserver.te | 9 ++---- 26 files changed, 31 insertions(+), 246 deletions(-) diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index 1cb204c..0402a98 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if @@ -17,10 +17,9 @@ # interface(`evolution_role',` gen_require(` - type evolution_t, evolution_exec_t, evolution_home_t; + type evolution_t, evolution_exec_t; type evolution_alarm_t, evolution_alarm_exec_t; type evolution_exchange_t, evolution_exchange_exec_t; - type evolution_exchange_orbit_tmp_t; type evolution_server_t, evolution_server_exec_t; type evolution_webcal_t, evolution_webcal_exec_t; ') 
@@ -49,17 +48,10 @@ interface(`evolution_role',` allow $2 evolution_t:process noatsecure; allow $2 evolution_t:process signal_perms; - # Access .evolution - allow $2 evolution_home_t:dir manage_dir_perms; - allow $2 evolution_home_t:file manage_file_perms; - allow $2 evolution_home_t:lnk_file manage_lnk_file_perms; - allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - allow evolution_exchange_t $2:unix_stream_socket connectto; # Clock applet talks to exchange (FIXME: Needs policy) allow $2 evolution_exchange_t:unix_stream_socket connectto; - allow $2 evolution_exchange_orbit_tmp_t:sock_file write; ') ######################################## diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index f6c312b..5643eda 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -49,7 +49,10 @@ userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t) type evolution_exchange_orbit_tmp_t; typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; -userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t) +# This conflict with evolution_exchange_tmp_t (probably files_poly_member_tmp). Seems like a bit of overkill to use a seperate type for sockets in /tmp/orbit-) +# userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_orbit_tmp_t) +files_tmp_file(evolution_exchange_orbit_tmp_t) +ubac_constrained(evolution_exchange_orbit_tmp_t) type evolution_home_t; typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if index c9b90d3..89c2390 100644 --- a/policy/modules/apps/gift.if 
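Review bot: Because `evolution_exchange_orbit_tmp_t` is deliberately kept out of `userdom_user_tmp_content` in this evolution.te hunk, the `allow $2 evolution_exchange_orbit_tmp_t:sock_file write;` rule that the same commit deletes from `evolution_role` in evolution.if has no visible replacement. The interface still keeps `allow $2 evolution_exchange_t:unix_stream_socket connectto;` for the clock applet, and connecting to a pathname socket normally also needs write on the socket file, so that path may now be denied. Either keep the `sock_file write` rule in the interface or say in the comment why it is no longer needed. The new comment would also read better as `# Conflicts with evolution_exchange_tmp_t (probably files_poly_member_tmp), so declare the type directly.`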
+++ b/policy/modules/apps/gift.if @@ -19,7 +19,6 @@ interface(`gift_role',` gen_require(` type gift_t, gift_exec_t; type giftd_t, giftd_exec_t; - type gift_home_t; ') role $1 types { gift_t giftd_t }; @@ -28,14 +27,6 @@ interface(`gift_role',` domtrans_pattern($2, gift_exec_t, gift_t) domtrans_pattern($2, giftd_exec_t, giftd_t) - # user managed content - manage_dirs_pattern($2, gift_home_t, gift_home_t) - manage_files_pattern($2, gift_home_t, gift_home_t) - manage_lnk_files_pattern($2, gift_home_t, gift_home_t) - relabel_dirs_pattern($2, gift_home_t, gift_home_t) - relabel_files_pattern($2, gift_home_t, gift_home_t) - relabel_lnk_files_pattern($2, gift_home_t, gift_home_t) - # Allow the user domain to signal/ps. ps_process_pattern($2, { gift_t giftd_t }) allow $2 { gift_t giftd_t }:process signal_perms; diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index 9601de0..3790011 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -18,7 +18,6 @@ interface(`gnome_role',` gen_require(` type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; ') role $1 types gconfd_t; @@ -31,7 +30,6 @@ interface(`gnome_role',` ps_process_pattern($2, gconfd_t) #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) allow $2 gconfd_t:unix_stream_socket connectto; ') diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if index 793cde7..8db8526 100644 --- a/policy/modules/apps/gpg.if +++ b/policy/modules/apps/gpg.if @@ -19,9 +19,7 @@ interface(`gpg_role',` gen_require(` type gpg_t, gpg_exec_t; type gpg_agent_t, gpg_agent_exec_t; - type gpg_agent_tmp_t; type gpg_helper_t, gpg_pinentry_t; - type gpg_pinentry_tmp_t; ') role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; 
@@ -43,17 +41,9 @@ interface(`gpg_role',` # Allow the user shell to signal the gpg-agent program. allow $2 gpg_agent_t:process { signal sigkill }; - manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - # Transition from the user domain to the agent domain. domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) - manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - optional_policy(` gpg_pinentry_dbus_chat($2) ') diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 344a5b3..836b886 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -17,7 +17,7 @@ # interface(`mozilla_role',` gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; + type mozilla_t, mozilla_exec_t; ') role $1 types mozilla_t; @@ -38,15 +38,9 @@ interface(`mozilla_role',` allow $2 mozilla_t:shm { unix_read unix_write }; allow $2 mozilla_t:unix_stream_socket connectto; - # X access, Home files - manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) - manage_files_pattern($2, mozilla_home_t, mozilla_home_t) - manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - - mozilla_dbus_chat($2) + optional_policy(` + mozilla_dbus_chat($2) + ') optional_policy(` pulseaudio_role($1, mozilla_t) diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index c7ad0f5..6afbd09 100644 --- a/policy/modules/apps/mplayer.if +++ b/policy/modules/apps/mplayer.if 
@@ -19,7 +19,6 @@ interface(`mplayer_role',` gen_require(` type mencoder_t, mencoder_exec_t; type mplayer_t, mplayer_exec_t; - type mplayer_home_t; ') role $1 types { mencoder_t mplayer_t }; @@ -31,14 +30,6 @@ interface(`mplayer_role',` ps_process_pattern($2, mencoder_t) allow $2 mencoder_t:process signal_perms; - # Home access - manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t) - manage_files_pattern($2, mplayer_home_t, mplayer_home_t) - manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_files_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) - # domain transition domtrans_pattern($2, mplayer_exec_t, mplayer_t) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index 9ebb373..0f70007 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -17,7 +17,7 @@ # interface(`pulseaudio_role',` gen_require(` - type pulseaudio_t, pulseaudio_exec_t, print_spool_t; + type pulseaudio_t, pulseaudio_exec_t; class dbus { acquire_svc send_msg }; ') diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index c2cc18d..e93e39b 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if @@ -18,7 +18,6 @@ interface(`thunderbird_role',` gen_require(` type thunderbird_t, thunderbird_exec_t; - type thunderbird_home_t, thunderbird_tmpfs_t; ') role $1 types thunderbird_t; 
@@ -34,14 +33,6 @@ interface(`thunderbird_role',` # allow ps to show thunderbird and allow the user to kill it ps_process_pattern($2, thunderbird_t) allow $2 thunderbird_t:process signal; - - # Access ~/.thunderbird - manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) - manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) ') ######################################## diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if index 8d89f21..c5adfa3 100644 --- a/policy/modules/apps/tvtime.if +++ b/policy/modules/apps/tvtime.if @@ -18,7 +18,6 @@ interface(`tvtime_role',` gen_require(` type tvtime_t, tvtime_exec_t; - type tvtime_home_t, tvtime_tmpfs_t; ') role $1 types tvtime_t; @@ -26,14 +25,6 @@ interface(`tvtime_role',` # Type transition domtrans_pattern($2, tvtime_exec_t, tvtime_t) - # X access, Home files - manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t) - manage_files_pattern($2, tvtime_home_t, tvtime_home_t) - manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_files_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) - # Allow the user domain to signal/ps. ps_process_pattern($2, tvtime_t) allow $2 tvtime_t:process signal_perms; diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index d2ab7cb..f91f075 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -18,8 +18,7 @@ interface(`uml_role',` gen_require(` type uml_t, uml_exec_t; - type uml_ro_t, uml_rw_t, uml_tmp_t; - type uml_devpts_t, uml_tmpfs_t; + type uml_ro_t, uml_rw_t, uml_devpts_t; ') role $1 types uml_t; 
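Review bot: The trimmed `gen_require` in `uml_role` still requires `uml_ro_t` and `uml_rw_t`, yet the following uml.if hunk deletes every visible rule that used them. If nothing in the part of the interface between the two hunks references these types (or `uml_devpts_t`), the line could shrink to `type uml_t, uml_exec_t;` so the interface does not require types it never uses. The deleted block also covered manage and relabel of `uml_exec_t`, which no hunk shown here declares as user content, so a short comment stating whether that loss of access is intended would help.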
@@ -34,31 +33,6 @@ interface(`uml_role',` # allow ps, ptrace, signal ps_process_pattern($2, uml_t) allow $2 uml_t:process { ptrace signal_perms }; - - allow $2 uml_ro_t:dir list_dir_perms; - read_files_pattern($2, uml_ro_t, uml_ro_t) - read_lnk_files_pattern($2, uml_ro_t, uml_ro_t) - - manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - - manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - - manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t) - manage_files_pattern($2, uml_tmp_t, uml_tmp_t) - manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t) - manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t) ') ######################################## diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if index a7c27a5..c7a970c 100644 --- a/policy/modules/apps/wireshark.if +++ b/policy/modules/apps/wireshark.if 
@@ -18,8 +18,6 @@ interface(`wireshark_role',` gen_require(` type wireshark_t, wireshark_exec_t; - type wireshark_home_t, wireshark_tmp_t; - type wireshark_tmpfs_t; ') role $1 types wireshark_t; @@ -27,13 +25,6 @@ interface(`wireshark_role',` domain_auto_trans($2, wireshark_exec_t, wireshark_t) allow wireshark_t $2:fd use; allow wireshark_t $2:process sigchld; - - manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t) - manage_files_pattern($2, wireshark_home_t, wireshark_home_t) - manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_files_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) ') ######################################## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 30754e4..f009614 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -91,11 +91,6 @@ optional_policy(` ') optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) -') - -optional_policy(` postgresql_role(staff_r, staff_t) ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 794e06f..e40cab1 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -284,11 +284,6 @@ optional_policy(` ') optional_policy(` - oident_manage_user_content(sysadm_t) - oident_relabel_user_content(sysadm_t) -') - -optional_policy(` pcmcia_run_cardctl(sysadm_t, sysadm_r) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index d5d5042..4ed9204 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -85,11 +85,6 @@ optional_policy(` ') optional_policy(` - oident_manage_user_content(user_t) - oident_relabel_user_content(user_t) -') - -optional_policy(` postgresql_role(user_r, user_t) ') 
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 57feb5a..f0fdcf1 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -211,38 +211,11 @@ template(`apache_content_template',` interface(`apache_role',` gen_require(` attribute httpdcontent; - type httpd_user_content_t, httpd_user_htaccess_t; type httpd_user_script_t, httpd_user_script_exec_t; - type httpd_user_ra_content_t, httpd_user_rw_content_t; ') role $1 types httpd_user_script_t; - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; - - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; - - manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - - manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - - manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it 
gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if index 3745b62..1a96e6e 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if @@ -18,7 +18,6 @@ interface(`pyzor_role',` gen_require(` type pyzor_t, pyzor_exec_t; - type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; ') role $1 types pyzor_t; diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index cd683f9..2b30c50 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -24,8 +24,7 @@ userdom_user_home_content(pyzor_home_t) type pyzor_tmp_t; typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; -files_tmp_file(pyzor_tmp_t) -ubac_constrained(pyzor_tmp_t) +userdom_user_tmp_content(pyzor_t, pyzor_tmp_t) type pyzor_var_lib_t; typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index f4a355f..b980564 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -120,7 +120,7 @@ template(`razor_common_domain_template',` # interface(`razor_role',` gen_require(` - type razor_t, razor_exec_t, razor_home_t; + type razor_t, razor_exec_t; ') role $1 types razor_t; 
@@ -131,13 +131,6 @@ interface(`razor_role',` # allow ps to show razor and allow the user to kill it ps_process_pattern($2, razor_t) allow $2 razor_t:process signal; - - manage_dirs_pattern($2, razor_home_t, razor_home_t) - manage_files_pattern($2, razor_home_t, razor_home_t) - manage_lnk_files_pattern($2, razor_home_t, razor_home_t) - relabel_dirs_pattern($2, razor_home_t, razor_home_t) - relabel_files_pattern($2, razor_home_t, razor_home_t) - relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) ') ######################################## diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te index e4ecbbd..43a5de5 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te @@ -19,12 +19,6 @@ userdom_user_home_content(razor_home_t) type razor_log_t; logging_log_file(razor_log_t) -type razor_tmp_t; -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -files_tmp_file(razor_tmp_t) -ubac_constrained(razor_tmp_t) - type razor_var_lib_t; files_type(razor_var_lib_t) @@ -34,6 +28,11 @@ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; typealias razor_t alias { auditadm_razor_t secadm_razor_t }; ubac_constrained(razor_t) +type razor_tmp_t; +typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; +typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; +userdom_user_tmp_content(razor_t, razor_tmp_t) + razor_common_domain_template(system_razor) role system_r types system_razor_t; diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 3945628..6717e75 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if 
@@ -17,9 +17,8 @@ # interface(`spamassassin_role',` gen_require(` - type spamc_t, spamc_exec_t, spamc_tmp_t; + type spamc_t, spamc_exec_t; type spamassassin_t, spamassassin_exec_t; - type spamassassin_home_t, spamassassin_tmp_t; ') role $1 types { spamc_t spamassassin_t }; @@ -29,13 +28,6 @@ interface(`spamassassin_role',` domtrans_pattern($2, spamc_exec_t, spamc_t) ps_process_pattern($2, spamc_t) - - manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) - manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) ') ######################################## diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index b6a8919..6847a9b 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -34,8 +34,7 @@ userdom_user_home_content(spamassassin_home_t) type spamassassin_tmp_t; typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -files_tmp_file(spamassassin_tmp_t) -ubac_constrained(spamassassin_tmp_t) +userdom_user_tmp_content(spamassassin_t, spamassassin_tmp_t) type spamc_t; type spamc_exec_t; @@ -47,8 +46,7 @@ ubac_constrained(spamc_t) type spamc_tmp_t; typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -files_tmp_file(spamc_tmp_t) -ubac_constrained(spamc_tmp_t) +userdom_user_tmp_content(spamc_t, spamc_tmp_t) type spamd_t; type spamd_exec_t; 
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 567592d..ccc6bb2 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -45,10 +45,11 @@ template(`ssh_basic_client_template',` type $1_ssh_t; application_domain($1_ssh_t, ssh_exec_t) + ubac_constrained($1_ssh_t) role $3 types $1_ssh_t; type $1_ssh_home_t; - files_type($1_ssh_home_t) + userdom_user_home_content($1_ssh_home_t) typealias $1_ssh_home_t alias $1_home_ssh_t; ############################## @@ -92,11 +93,6 @@ template(`ssh_basic_client_template',` # allow ps to show ssh ps_process_pattern($2, $1_ssh_t) - # user can manage the keys and config - manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - # ssh client can manage the keys and config manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) @@ -294,10 +290,8 @@ template(`ssh_server_template', ` template(`ssh_role_template',` gen_require(` attribute ssh_server, ssh_agent_type; - - type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; - type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; - type ssh_agent_tmp_t; + type ssh_t, ssh_exec_t, ssh_agent_tmp_t; + type ssh_agent_exec_t, ssh_keysign_t; ') ############################## @@ -333,10 +327,6 @@ template(`ssh_role_template',` allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; - # user can manage the keys and config - manage_files_pattern($3, ssh_home_t, ssh_home_t) - manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) - manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) ############################## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 5d3b416..9559ee1 100644 --- a/policy/modules/services/ssh.te 
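Review bot: Switching `$1_ssh_home_t` from `files_type` to `userdom_user_home_content` in `ssh_basic_client_template` looks like it widens what the user domain may do with key material rather than only relocating the rule. The block deleted here (and the matching one for `ssh_home_t` in the `ssh_role_template` hunk) granted manage on files, symlinks and socket files only, while the commit description says user content is both manageable and relabelable by user domains. If the interface behaves as described, files can be relabeled out of the ssh home type, and any rule written against all user home content now also covers the ssh directory. A comment above the call, for example `# holds private keys: now covered by every rule that targets user home content`, would make that trade-off visible. Both template bodies extend beyond these hunks.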
+++ b/policy/modules/services/ssh.te @@ -57,8 +57,7 @@ corecmd_executable_file(ssh_agent_exec_t) type ssh_agent_tmp_t; typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; -files_tmp_file(ssh_agent_tmp_t) -ubac_constrained(ssh_agent_tmp_t) +userdom_user_tmp_content(ssh_agent_type, ssh_agent_tmp_t) type ssh_keysign_t; type ssh_keysign_exec_t; @@ -70,8 +69,7 @@ ubac_constrained(ssh_keysign_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; -files_tmpfs_file(ssh_tmpfs_t) -ubac_constrained(ssh_tmpfs_t) +userdom_user_tmpfs_content(ssh_tmpfs_t) type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 8633a6a..8b70b1b 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -35,15 +35,6 @@ interface(`xserver_restricted_role',` allow xserver_t $2:shm rw_shm_perms; - allow $2 user_fonts_t:dir list_dir_perms; - allow $2 user_fonts_t:file read_file_perms; - - allow $2 user_fonts_config_t:dir list_dir_perms; - allow $2 user_fonts_config_t:file read_file_perms; - - manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) files_search_tmp($2) @@ -66,8 +57,6 @@ interface(`xserver_restricted_role',` ps_process_pattern($2, xauth_t) allow $2 xserver_t:process signal; - allow $2 xauth_home_t:file read_file_perms; - # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; 
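Review bot: `userdom_user_tmp_content(ssh_agent_type, ssh_agent_tmp_t)` in the first ssh.te hunk passes an attribute as the domain argument, whereas every other call added in this commit passes a single type (`xauth_t`, `spamc_t`, `razor_t`). ssh.if requires `ssh_agent_type` as an attribute, so whatever the interface grants its first argument applies to every domain carrying that attribute. That is probably intended but easy to misread, so a comment such as `# ssh_agent_type is an attribute covering all ssh agent domains` above the call would document it. It is also worth confirming that the interface body is valid with an attribute in that position.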
@@ -77,10 +66,6 @@ interface(`xserver_restricted_role',` # Client read xserver shm allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # Read /tmp/.X0-lock - allow $2 xserver_tmp_t:file { getattr read }; dev_rw_xserver_misc($2) dev_rw_power_management($2) @@ -110,7 +95,6 @@ interface(`xserver_restricted_role',` # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; ') ') @@ -132,37 +116,13 @@ interface(`xserver_restricted_role',` # interface(`xserver_role',` gen_require(` - type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + type xserver_t; ') xserver_restricted_role($1, $2) # Communicate via System V shared memory. allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - - allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file { relabelfrom relabelto }; - - allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; - - manage_dirs_pattern($2, user_fonts_t, user_fonts_t) - manage_files_pattern($2, user_fonts_t, user_fonts_t) - relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) - relabel_files_pattern($2, user_fonts_t, user_fonts_t) - - manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - ') ####################################### 
@@ -196,13 +156,9 @@ interface(`xserver_ro_session',` allow $1 xserver_t:unix_stream_socket connectto; allow $1 xserver_t:process signal; - # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file { getattr read }; - # Client read xserver shm allow $1 xserver_t:fd use; allow $1 xserver_t:shm r_shm_perms; - allow $1 xserver_tmpfs_t:file read_file_perms; ') ####################################### diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index d2b2626..5dfdcb7 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -148,8 +148,7 @@ userdom_user_home_content(xauth_home_t) type xauth_tmp_t; typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; -files_tmp_file(xauth_tmp_t) -ubac_constrained(xauth_tmp_t) +userdom_user_tmp_content(xauth_t, xauth_tmp_t) # this is not actually a device, its a pipe type xconsole_device_t; 
@@ -199,14 +198,12 @@ ubac_constrained(xserver_t) type xserver_tmp_t; typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -files_tmp_file(xserver_tmp_t) -ubac_constrained(xserver_tmp_t) +userdom_user_tmp_content(xserver_t, xserver_tmp_t) type xserver_tmpfs_t; typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t }; -files_tmpfs_file(xserver_tmpfs_t) -ubac_constrained(xserver_tmpfs_t) +userdom_user_tmpfs_content(xserver_tmpfs_t) type xsession_exec_t; corecmd_executable_file(xsession_exec_t) -- 1.7.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/a081714f/attachment-0001.bin
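Review bot: Declaring `xserver_tmpfs_t` through `userdom_user_tmpfs_content` appears to take the file side of X shared memory out from under the `allow_write_xshm` tunable. Before this commit `xserver_restricted_role` granted only `read_file_perms` on that type and added `rw_file_perms` inside the tunable block; the xserver.if hunks delete both on the commit's stated premise that user domains already manage user content, which would be unconditional. The same widening applies to `xserver_tmp_t`, where the restricted role previously had `{ getattr read }` only. If restricted roles are meant to stay read-only here, keep both types on `files_tmp_file`/`files_tmpfs_file` plus `ubac_constrained` and leave the explicit rules in the interface. Separately, `xserver_ro_session` loses the same read rules for `$1`, which may not be a user domain and would then have no replacement access.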