From: domg472@gmail.com (Dominick Grift) Date: Fri, 9 Jul 2010 16:34:58 +0200 Subject: [refpolicy] [ userdom_user_tmp_content patch 1/1] Create userdom_user_tmp_content, and replace existing user tmp content type declarations by it. Message-ID: <20100709143453.GA9716@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift --- :100644 100644 f294491... b1aeb7c... M policy/modules/apps/evolution.te :100644 100644 ac4f509... cea5c8c... M policy/modules/apps/games.te :100644 100644 4bebd9d... de7eac9... M policy/modules/apps/gnome.te :100644 100644 4525c37... c6f1fe2... M policy/modules/apps/gpg.te :100644 100644 66beb80... 29c9f53... M policy/modules/apps/irc.te :100644 100644 726e853... 143a522... M policy/modules/apps/java.te :100644 100644 ebcd681... 3fb62e4... M policy/modules/apps/mozilla.te :100644 100644 690589e... 892057b... M policy/modules/apps/podsleuth.te :100644 100644 320df26... 55e29cb... M policy/modules/apps/screen.if :100644 100644 8c65cc6... a92649b... M policy/modules/apps/screen.te :100644 100644 d736572... 10d6692... M policy/modules/apps/tvtime.te :100644 100644 2df1343... 62960c0... M policy/modules/apps/uml.te :100644 100644 1f803bb... 5bc77b4... M policy/modules/apps/vmware.te :100644 100644 8af45db... 2835bec... M policy/modules/apps/wine.te :100644 100644 31bbf17... ca29f80... M policy/modules/apps/wireshark.te :100644 100644 215b86b... 1d6ddf2... M policy/modules/services/bluetooth.te :100644 100644 44caccc... 80c88c1... M policy/modules/services/cron.if :100644 100644 d76131b... 054d8b3... M policy/modules/services/dbus.if :100644 100644 b738e94... 319e41e... M policy/modules/services/dbus.te :100644 100644 93c14ca... a2c91f2... M policy/modules/services/lpd.te :100644 100644 c57356a... 9d3ef86... M policy/modules/services/mta.if :100644 100644 64268e4... b1111b2... M policy/modules/services/mta.te :100644 100644 cd683f9... 2b30c50... M policy/modules/services/pyzor.te :100644 100644 e4ecbbd... ab30865... M policy/modules/services/razor.te :100644 100644 b6a8919... 6847a9b... M policy/modules/services/spamassassin.te :100644 100644 567592d... ef3f32d... M policy/modules/services/ssh.if :100644 100644 2dad3c8... 512834a... M policy/modules/services/ssh.te :100644 100644 d2b2626... f51b828... M policy/modules/services/xserver.te :100644 100644 a3135e6... 7d83ec3... M policy/modules/system/userdomain.if :100644 100644 69b2e0f... 5dcefd4... M policy/modules/system/userdomain.te policy/modules/apps/evolution.te | 13 +++++-------- policy/modules/apps/games.te | 3 +-- policy/modules/apps/gnome.te | 3 +-- policy/modules/apps/gpg.te | 6 ++---- policy/modules/apps/irc.te | 2 +- policy/modules/apps/java.te | 3 +-- policy/modules/apps/mozilla.te | 3 +-- policy/modules/apps/podsleuth.te | 3 +-- policy/modules/apps/screen.if | 2 ++ policy/modules/apps/screen.te | 2 -- policy/modules/apps/tvtime.te | 3 +-- policy/modules/apps/uml.te | 3 +-- policy/modules/apps/vmware.te | 7 +++---- policy/modules/apps/wine.te | 3 +-- policy/modules/apps/wireshark.te | 3 +-- policy/modules/services/bluetooth.te | 3 +-- policy/modules/services/cron.if | 2 +- policy/modules/services/dbus.if | 2 ++ policy/modules/services/dbus.te | 2 -- policy/modules/services/lpd.te | 3 +-- policy/modules/services/mta.if | 3 ++- policy/modules/services/mta.te | 2 -- policy/modules/services/pyzor.te | 3 +-- policy/modules/services/razor.te | 3 +-- policy/modules/services/spamassassin.te | 6 ++---- policy/modules/services/ssh.if | 2 ++ policy/modules/services/ssh.te | 2 -- policy/modules/services/xserver.te | 6 ++---- policy/modules/system/userdomain.if | 24 ++++++++++++++++++++++++ policy/modules/system/userdomain.te | 1 + 30 files changed, 62 insertions(+), 61 deletions(-) diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index f294491..b1aeb7c 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t) type evolution_alarm_orbit_tmp_t; typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; -files_tmp_file(evolution_alarm_orbit_tmp_t) -ubac_constrained(evolution_alarm_orbit_tmp_t) +userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t) type evolution_exchange_t; type evolution_exchange_exec_t; @@ -47,9 +46,9 @@ ubac_constrained(evolution_exchange_tmpfs_t) type evolution_exchange_tmp_t; typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; -files_tmp_file(evolution_exchange_tmp_t) -ubac_constrained(evolution_exchange_tmp_t) +userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t) +# Cannot have two types of the same domain be a files_poly_member_tmp() type evolution_exchange_orbit_tmp_t; typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; @@ -64,8 +63,7 @@ userdom_user_home_content(evolution_home_t) type evolution_orbit_tmp_t; typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; -files_tmp_file(evolution_orbit_tmp_t) -ubac_constrained(evolution_orbit_tmp_t) +userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t) type evolution_server_t; type evolution_server_exec_t; @@ -77,8 +75,7 @@ ubac_constrained(evolution_server_t) type evolution_server_orbit_tmp_t; typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; -files_tmp_file(evolution_server_orbit_tmp_t) -ubac_constrained(evolution_server_orbit_tmp_t) +userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t) type evolution_tmpfs_t; typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index ac4f509..cea5c8c 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t) type games_tmp_t; typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; -files_tmp_file(games_tmp_t) -ubac_constrained(games_tmp_t) +userdom_user_tmp_content(games_t, games_tmp_t) type games_tmpfs_t; typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 4bebd9d..de7eac9 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t) type gconf_tmp_t; typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; -files_tmp_file(gconf_tmp_t) -ubac_constrained(gconf_tmp_t) +userdom_user_tmp_content(gconfd_t, gconf_tmp_t) type gconfd_t, gnomedomain; type gconfd_exec_t; diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 4525c37..c6f1fe2 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t) type gpg_agent_tmp_t; typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; -files_tmp_file(gpg_agent_tmp_t) -ubac_constrained(gpg_agent_tmp_t) +userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t) type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; @@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) type gpg_pinentry_tmp_t; -files_tmp_file(gpg_pinentry_tmp_t) -ubac_constrained(gpg_pinentry_tmp_t) +userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t) type gpg_pinentry_tmpfs_t; files_tmpfs_file(gpg_pinentry_tmpfs_t) diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te index 66beb80..29c9f53 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t) type irc_tmp_t; typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; -userdom_user_home_content(irc_tmp_t) +userdom_user_tmp_content(irc_t, irc_tmp_t) ######################################## # diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index 726e853..143a522 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -21,10 +21,9 @@ typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; role system_r types java_t; type java_tmp_t; -files_tmp_file(java_tmp_t) -ubac_constrained(java_tmp_t) typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; +userdom_user_tmp_content(java_t, java_tmp_t) type java_tmpfs_t; ubac_constrained(java_tmpfs_t) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index ebcd681..3fb62e4 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -30,8 +30,7 @@ userdom_user_home_content(mozilla_home_t) type mozilla_tmpfs_t; typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; -files_tmpfs_file(mozilla_tmpfs_t) -ubac_constrained(mozilla_tmpfs_t) +userdom_user_tmp_content(mozilla_t, mozilla_tmpfs_t) ######################################## # diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te index 690589e..892057b 100644 --- a/policy/modules/apps/podsleuth.te +++ b/policy/modules/apps/podsleuth.te @@ -15,8 +15,7 @@ files_type(podsleuth_cache_t) ubac_constrained(podsleuth_cache_t) type podsleuth_tmp_t; -files_tmp_file(podsleuth_tmp_t) -ubac_constrained(podsleuth_tmp_t) +userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t) type podsleuth_tmpfs_t; files_tmpfs_file(podsleuth_tmpfs_t) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index 320df26..55e29cb 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -38,6 +38,8 @@ template(`screen_role_template',` ubac_constrained($1_screen_t) role $2 types $1_screen_t; + userdom_user_tmp_content($1_screen_t, screen_tmp_t) + ######################################## # # Local policy diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te index 8c65cc6..a92649b 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -16,8 +16,6 @@ userdom_user_home_content(screen_home_t) type screen_tmp_t; typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; -files_tmp_file(screen_tmp_t) -ubac_constrained(screen_tmp_t) type screen_var_run_t; typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index d736572..10d6692 100644 --- a/policy/modules/apps/tvtime.te +++ b/policy/modules/apps/tvtime.te @@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t) type tvtime_tmp_t; typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; -files_tmp_file(tvtime_tmp_t) -ubac_constrained(tvtime_tmp_t) +userdom_user_tmp_content(tvtime_t, tvtime_tmp_t) type tvtime_tmpfs_t; typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index 2df1343..62960c0 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te @@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t) type uml_tmp_t; typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; -files_tmp_file(uml_tmp_t) -ubac_constrained(uml_tmp_t) +userdom_user_tmp_content(uml_t, uml_tmp_t) type uml_tmpfs_t; typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index 1f803bb..5bc77b4 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -31,15 +31,15 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t) type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) +# If vmware_host_t is a system service then why does this have to be ubac constrained? type vmware_host_tmp_t; files_tmp_file(vmware_host_tmp_t) -ubac_constrained(vmware_host_tmp_t) +# If vmware_host_t is a system service then why does this have to be ubac constrained? type vmware_log_t; typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; logging_log_file(vmware_log_t) -ubac_constrained(vmware_log_t) type vmware_pid_t; typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t }; @@ -54,8 +54,7 @@ files_type(vmware_sys_conf_t) type vmware_tmp_t; typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; -files_tmp_file(vmware_tmp_t) -ubac_constrained(vmware_tmp_t) +userdom_user_tmp_content(vmware_t, vmware_tmp_t) type vmware_tmpfs_t; typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 8af45db..2835bec 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -12,8 +12,7 @@ ubac_constrained(wine_t) role system_r types wine_t; type wine_tmp_t; -files_tmp_file(wine_tmp_t) -ubac_constrained(wine_tmp_t) +userdom_user_tmp_content(wine_t, wine_tmp_t) ######################################## # diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index 31bbf17..ca29f80 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te @@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; -files_tmp_file(wireshark_tmp_t) -ubac_constrained(wireshark_tmp_t) +userdom_user_tmp_content(wireshark_t, wireshark_tmp_t) type wireshark_tmpfs_t; typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 215b86b..1d6ddf2 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -24,8 +24,7 @@ ubac_constrained(bluetooth_helper_t) type bluetooth_helper_tmp_t; typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t }; typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t }; -files_tmp_file(bluetooth_helper_tmp_t) -ubac_constrained(bluetooth_helper_tmp_t) +userdom_user_tmp_content(bluetooth_helper_t, bluetooth_helper_tmp_t) type bluetooth_helper_tmpfs_t; typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t }; diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 44caccc..80c88c1 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -22,7 +22,7 @@ template(`cron_common_crontab_template',` ubac_constrained($1_t) type $1_tmp_t; - files_tmp_file($1_tmp_t) + userdom_user_tmp_content($1_t, $1_tmp_t) ############################## # diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index d76131b..054d8b3 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -57,6 +57,8 @@ template(`dbus_role_template',` ubac_constrained($1_dbusd_t) role $2 types $1_dbusd_t; + userdom_user_tmp_content($1_dbusd_t, session_dbusd_tmp_t) + ############################## # # Local policy diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index b738e94..319e41e 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -22,8 +22,6 @@ typealias dbusd_exec_t alias system_dbusd_exec_t; type session_dbusd_tmp_t; typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -files_tmp_file(session_dbusd_tmp_t) -ubac_constrained(session_dbusd_tmp_t) type system_dbusd_t; init_system_domain(system_dbusd_t, dbusd_exec_t) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 93c14ca..a2c91f2 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -40,8 +40,7 @@ ubac_constrained(lpr_t) type lpr_tmp_t; typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t }; typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t }; -files_tmp_file(lpr_tmp_t) -ubac_constrained(lpr_tmp_t) +userdom_user_tmp_content(lpr_t, lpr_tmp_t) # Type for spool files. type print_spool_t; diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index c57356a..9d3ef86 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -52,9 +52,10 @@ template(`mta_base_mail_template',` type $1_mail_t, user_mail_domain; application_domain($1_mail_t, sendmail_exec_t) + ubac_constrained($1_mail_t) type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) + userdom_user_tmp_content($1_mail_t, $1_mail_tmp_t) ############################## # diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 64268e4..b1111b2 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -40,8 +40,6 @@ typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; -ubac_constrained(user_mail_t) -ubac_constrained(user_mail_tmp_t) ######################################## # diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index cd683f9..2b30c50 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -24,8 +24,7 @@ userdom_user_home_content(pyzor_home_t) type pyzor_tmp_t; typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; -files_tmp_file(pyzor_tmp_t) -ubac_constrained(pyzor_tmp_t) +userdom_user_tmp_content(pyzor_t, pyzor_tmp_t) type pyzor_var_lib_t; typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te index e4ecbbd..ab30865 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te @@ -22,8 +22,7 @@ logging_log_file(razor_log_t) type razor_tmp_t; typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -files_tmp_file(razor_tmp_t) -ubac_constrained(razor_tmp_t) +userdom_user_tmp_content(razor_t, razor_tmp_t) type razor_var_lib_t; files_type(razor_var_lib_t) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index b6a8919..6847a9b 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -34,8 +34,7 @@ userdom_user_home_content(spamassassin_home_t) type spamassassin_tmp_t; typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -files_tmp_file(spamassassin_tmp_t) -ubac_constrained(spamassassin_tmp_t) +userdom_user_tmp_content(spamassassin_t, spamassassin_tmp_t) type spamc_t; type spamc_exec_t; @@ -47,8 +46,7 @@ ubac_constrained(spamc_t) type spamc_tmp_t; typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -files_tmp_file(spamc_tmp_t) -ubac_constrained(spamc_tmp_t) +userdom_user_tmp_content(spamc_t, spamc_tmp_t) type spamd_t; type spamd_exec_t; diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 567592d..ef3f32d 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -313,6 +313,8 @@ template(`ssh_role_template',` ubac_constrained($1_ssh_agent_t) role $2 types $1_ssh_agent_t; + userdom_user_tmp_content($1_ssh_agent_t, ssh_agent_tmp_t) + ############################## # # Local policy diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 2dad3c8..512834a 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -57,8 +57,6 @@ corecmd_executable_file(ssh_agent_exec_t) type ssh_agent_tmp_t; typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; -files_tmp_file(ssh_agent_tmp_t) -ubac_constrained(ssh_agent_tmp_t) type ssh_keysign_t; type ssh_keysign_exec_t; diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index d2b2626..f51b828 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -148,8 +148,7 @@ userdom_user_home_content(xauth_home_t) type xauth_tmp_t; typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; -files_tmp_file(xauth_tmp_t) -ubac_constrained(xauth_tmp_t) +userdom_user_tmp_content(xauth_t, xauth_tmp_t) # this is not actually a device, its a pipe type xconsole_device_t; @@ -199,8 +198,7 @@ ubac_constrained(xserver_t) type xserver_tmp_t; typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -files_tmp_file(xserver_tmp_t) -ubac_constrained(xserver_tmp_t) +userdom_user_tmp_content(xserver_t, xserver_tmp_t) type xserver_tmpfs_t; typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index a3135e6..7d83ec3 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1286,6 +1286,30 @@ interface(`userdom_user_home_content',` ######################################## ## +## Make the specified type usable user +## temporary content. +## +## +## +## Domain using the user temporary +## content. +## +## +## +## +## Type to be used for user temporary +## content. +## +## +# +interface(`userdom_user_tmp_content',` + files_tmp_file($2) + files_poly_member_tmp($1, $2) + ubac_constrained($2) +') + +######################################## +## ## Allow domain to attach to TUN devices created by administrative users. ## ## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 69b2e0f..5dcefd4 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -87,6 +87,7 @@ ubac_constrained(user_devpts_t) type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) +# Consider removing this userdom_user_home_content(user_tmp_t) type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; -- 1.7.1.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100709/cbbb6a6e/attachment.bin