From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 12 Jul 2010 14:09:13 -0400
Subject: [refpolicy] [ userdom_user_tmp_content patch 1/1] Create
 userdom_user_tmp_content,
 and replace existing user tmp content type declarations by it.
In-Reply-To: <20100709143453.GA9716@localhost.localdomain>
References: <20100709143453.GA9716@localhost.localdomain>
Message-ID: <4C3B5A49.6030004@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/09/10 10:34, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 f294491... b1aeb7c... M	policy/modules/apps/evolution.te
> :100644 100644 ac4f509... cea5c8c... M	policy/modules/apps/games.te
> :100644 100644 4bebd9d... de7eac9... M	policy/modules/apps/gnome.te
> :100644 100644 4525c37... c6f1fe2... M	policy/modules/apps/gpg.te
> :100644 100644 66beb80... 29c9f53... M	policy/modules/apps/irc.te
> :100644 100644 726e853... 143a522... M	policy/modules/apps/java.te
> :100644 100644 ebcd681... 3fb62e4... M	policy/modules/apps/mozilla.te
> :100644 100644 690589e... 892057b... M	policy/modules/apps/podsleuth.te
> :100644 100644 320df26... 55e29cb... M	policy/modules/apps/screen.if
> :100644 100644 8c65cc6... a92649b... M	policy/modules/apps/screen.te
> :100644 100644 d736572... 10d6692... M	policy/modules/apps/tvtime.te
> :100644 100644 2df1343... 62960c0... M	policy/modules/apps/uml.te
> :100644 100644 1f803bb... 5bc77b4... M	policy/modules/apps/vmware.te
> :100644 100644 8af45db... 2835bec... M	policy/modules/apps/wine.te
> :100644 100644 31bbf17... ca29f80... M	policy/modules/apps/wireshark.te
> :100644 100644 215b86b... 1d6ddf2... M	policy/modules/services/bluetooth.te
> :100644 100644 44caccc... 80c88c1... M	policy/modules/services/cron.if
> :100644 100644 d76131b... 054d8b3... M	policy/modules/services/dbus.if
> :100644 100644 b738e94... 319e41e... M	policy/modules/services/dbus.te
> :100644 100644 93c14ca... a2c91f2... M	policy/modules/services/lpd.te
> :100644 100644 c57356a... 9d3ef86... M	policy/modules/services/mta.if
> :100644 100644 64268e4... b1111b2... M	policy/modules/services/mta.te
> :100644 100644 cd683f9... 2b30c50... M	policy/modules/services/pyzor.te
> :100644 100644 e4ecbbd... ab30865... M	policy/modules/services/razor.te
> :100644 100644 b6a8919... 6847a9b... M	policy/modules/services/spamassassin.te
> :100644 100644 567592d... ef3f32d... M	policy/modules/services/ssh.if
> :100644 100644 2dad3c8... 512834a... M	policy/modules/services/ssh.te
> :100644 100644 d2b2626... f51b828... M	policy/modules/services/xserver.te
> :100644 100644 a3135e6... 7d83ec3... M	policy/modules/system/userdomain.if
> :100644 100644 69b2e0f... 5dcefd4... M	policy/modules/system/userdomain.te
>   policy/modules/apps/evolution.te        |   13 +++++--------
>   policy/modules/apps/games.te            |    3 +--
>   policy/modules/apps/gnome.te            |    3 +--
>   policy/modules/apps/gpg.te              |    6 ++----
>   policy/modules/apps/irc.te              |    2 +-
>   policy/modules/apps/java.te             |    3 +--
>   policy/modules/apps/mozilla.te          |    3 +--
>   policy/modules/apps/podsleuth.te        |    3 +--
>   policy/modules/apps/screen.if           |    2 ++
>   policy/modules/apps/screen.te           |    2 --
>   policy/modules/apps/tvtime.te           |    3 +--
>   policy/modules/apps/uml.te              |    3 +--
>   policy/modules/apps/vmware.te           |    7 +++----
>   policy/modules/apps/wine.te             |    3 +--
>   policy/modules/apps/wireshark.te        |    3 +--
>   policy/modules/services/bluetooth.te    |    3 +--
>   policy/modules/services/cron.if         |    2 +-
>   policy/modules/services/dbus.if         |    2 ++
>   policy/modules/services/dbus.te         |    2 --
>   policy/modules/services/lpd.te          |    3 +--
>   policy/modules/services/mta.if          |    3 ++-
>   policy/modules/services/mta.te          |    2 --
>   policy/modules/services/pyzor.te        |    3 +--
>   policy/modules/services/razor.te        |    3 +--
>   policy/modules/services/spamassassin.te |    6 ++----
>   policy/modules/services/ssh.if          |    2 ++
>   policy/modules/services/ssh.te          |    2 --
>   policy/modules/services/xserver.te      |    6 ++----
>   policy/modules/system/userdomain.if     |   24 ++++++++++++++++++++++++
>   policy/modules/system/userdomain.te     |    1 +
>   30 files changed, 62 insertions(+), 61 deletions(-)
>
> diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
> index f294491..b1aeb7c 100644
> --- a/policy/modules/apps/evolution.te
> +++ b/policy/modules/apps/evolution.te
> @@ -28,8 +28,7 @@ ubac_constrained(evolution_alarm_tmpfs_t)
>   type evolution_alarm_orbit_tmp_t;
>   typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
>   typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
> -files_tmp_file(evolution_alarm_orbit_tmp_t)
> -ubac_constrained(evolution_alarm_orbit_tmp_t)
> +userdom_user_tmp_content(evolution_alarm_t, evolution_alarm_orbit_tmp_t)
>
>   type evolution_exchange_t;
>   type evolution_exchange_exec_t;
> @@ -47,9 +46,9 @@ ubac_constrained(evolution_exchange_tmpfs_t)
>   type evolution_exchange_tmp_t;
>   typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
>   typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
> -files_tmp_file(evolution_exchange_tmp_t)
> -ubac_constrained(evolution_exchange_tmp_t)
> +userdom_user_tmp_content(evolution_exchange_t, evolution_exchange_tmp_t)
>
> +# Cannot have two types of the same domain be a files_poly_member_tmp()
>   type evolution_exchange_orbit_tmp_t;
>   typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
>   typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
> @@ -64,8 +63,7 @@ userdom_user_home_content(evolution_home_t)
>   type evolution_orbit_tmp_t;
>   typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
>   typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
> -files_tmp_file(evolution_orbit_tmp_t)
> -ubac_constrained(evolution_orbit_tmp_t)
> +userdom_user_tmp_content(evolution_t, evolution_orbit_tmp_t)
>
>   type evolution_server_t;
>   type evolution_server_exec_t;
> @@ -77,8 +75,7 @@ ubac_constrained(evolution_server_t)
>   type evolution_server_orbit_tmp_t;
>   typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
>   typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
> -files_tmp_file(evolution_server_orbit_tmp_t)
> -ubac_constrained(evolution_server_orbit_tmp_t)
> +userdom_user_tmp_content(evolution_server_t, evolution_server_orbit_tmp_t)
>
>   type evolution_tmpfs_t;
>   typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
> diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
> index ac4f509..cea5c8c 100644
> --- a/policy/modules/apps/games.te
> +++ b/policy/modules/apps/games.te
> @@ -35,8 +35,7 @@ files_pid_file(games_srv_var_run_t)
>   type games_tmp_t;
>   typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
>   typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
> -files_tmp_file(games_tmp_t)
> -ubac_constrained(games_tmp_t)
> +userdom_user_tmp_content(games_t, games_tmp_t)
>
>   type games_tmpfs_t;
>   typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
> diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
> index 4bebd9d..de7eac9 100644
> --- a/policy/modules/apps/gnome.te
> +++ b/policy/modules/apps/gnome.te
> @@ -18,8 +18,7 @@ userdom_user_home_content(gconf_home_t)
>   type gconf_tmp_t;
>   typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
>   typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
> -files_tmp_file(gconf_tmp_t)
> -ubac_constrained(gconf_tmp_t)
> +userdom_user_tmp_content(gconfd_t, gconf_tmp_t)
>
>   type gconfd_t, gnomedomain;
>   type gconfd_exec_t;
> diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
> index 4525c37..c6f1fe2 100644
> --- a/policy/modules/apps/gpg.te
> +++ b/policy/modules/apps/gpg.te
> @@ -31,8 +31,7 @@ ubac_constrained(gpg_agent_t)
>   type gpg_agent_tmp_t;
>   typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
>   typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
> -files_tmp_file(gpg_agent_tmp_t)
> -ubac_constrained(gpg_agent_tmp_t)
> +userdom_user_tmp_content(gpg_agent_t, gpg_agent_tmp_t)
>
>   type gpg_secret_t;
>   typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
> @@ -55,8 +54,7 @@ application_domain(gpg_pinentry_t, pinentry_exec_t)
>   ubac_constrained(gpg_pinentry_t)
>
>   type gpg_pinentry_tmp_t;
> -files_tmp_file(gpg_pinentry_tmp_t)
> -ubac_constrained(gpg_pinentry_tmp_t)
> +userdom_user_tmp_content(gpg_pinentry_t, gpg_pinentry_tmp_t)
>
>   type gpg_pinentry_tmpfs_t;
>   files_tmpfs_file(gpg_pinentry_tmpfs_t)
> diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
> index 66beb80..29c9f53 100644
> --- a/policy/modules/apps/irc.te
> +++ b/policy/modules/apps/irc.te
> @@ -20,7 +20,7 @@ userdom_user_home_content(irc_home_t)
>   type irc_tmp_t;
>   typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
>   typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
> -userdom_user_home_content(irc_tmp_t)
> +userdom_user_tmp_content(irc_t, irc_tmp_t)
>
>   ########################################
>   #
> diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
> index 726e853..143a522 100644
> --- a/policy/modules/apps/java.te
> +++ b/policy/modules/apps/java.te
> @@ -21,10 +21,9 @@ typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
>   role system_r types java_t;
>
>   type java_tmp_t;
> -files_tmp_file(java_tmp_t)
> -ubac_constrained(java_tmp_t)
>   typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
>   typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
> +userdom_user_tmp_content(java_t, java_tmp_t)
>
>   type java_tmpfs_t;
>   ubac_constrained(java_tmpfs_t)
> diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
> index ebcd681..3fb62e4 100644
> --- a/policy/modules/apps/mozilla.te
> +++ b/policy/modules/apps/mozilla.te
> @@ -30,8 +30,7 @@ userdom_user_home_content(mozilla_home_t)
>   type mozilla_tmpfs_t;
>   typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
>   typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
> -files_tmpfs_file(mozilla_tmpfs_t)
> -ubac_constrained(mozilla_tmpfs_t)
> +userdom_user_tmp_content(mozilla_t, mozilla_tmpfs_t)
>
>   ########################################
>   #
> diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
> index 690589e..892057b 100644
> --- a/policy/modules/apps/podsleuth.te
> +++ b/policy/modules/apps/podsleuth.te
> @@ -15,8 +15,7 @@ files_type(podsleuth_cache_t)
>   ubac_constrained(podsleuth_cache_t)
>
>   type podsleuth_tmp_t;
> -files_tmp_file(podsleuth_tmp_t)
> -ubac_constrained(podsleuth_tmp_t)
> +userdom_user_tmp_content(podsleuth_t, podsleuth_tmp_t)
>
>   type podsleuth_tmpfs_t;
>   files_tmpfs_file(podsleuth_tmpfs_t)
> diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
> index 320df26..55e29cb 100644
> --- a/policy/modules/apps/screen.if
> +++ b/policy/modules/apps/screen.if
> @@ -38,6 +38,8 @@ template(`screen_role_template',`
>   	ubac_constrained($1_screen_t)
>   	role $2 types $1_screen_t;
>
> +	userdom_user_tmp_content($1_screen_t, screen_tmp_t)
> +
>   	########################################
>   	#
>   	# Local policy
> diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
> index 8c65cc6..a92649b 100644
> --- a/policy/modules/apps/screen.te
> +++ b/policy/modules/apps/screen.te
> @@ -16,8 +16,6 @@ userdom_user_home_content(screen_home_t)
>   type screen_tmp_t;
>   typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
>   typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
> -files_tmp_file(screen_tmp_t)
> -ubac_constrained(screen_tmp_t)
>
>   type screen_var_run_t;
>   typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
> diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
> index d736572..10d6692 100644
> --- a/policy/modules/apps/tvtime.te
> +++ b/policy/modules/apps/tvtime.te
> @@ -20,8 +20,7 @@ userdom_user_home_content(tvtime_home_t)
>   type tvtime_tmp_t;
>   typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
>   typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
> -files_tmp_file(tvtime_tmp_t)
> -ubac_constrained(tvtime_tmp_t)
> +userdom_user_tmp_content(tvtime_t, tvtime_tmp_t)
>
>   type tvtime_tmpfs_t;
>   typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
> diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
> index 2df1343..62960c0 100644
> --- a/policy/modules/apps/uml.te
> +++ b/policy/modules/apps/uml.te
> @@ -25,8 +25,7 @@ userdom_user_home_content(uml_rw_t)
>   type uml_tmp_t;
>   typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
>   typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
> -files_tmp_file(uml_tmp_t)
> -ubac_constrained(uml_tmp_t)
> +userdom_user_tmp_content(uml_t, uml_tmp_t)
>
>   type uml_tmpfs_t;
>   typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
> diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
> index 1f803bb..5bc77b4 100644
> --- a/policy/modules/apps/vmware.te
> +++ b/policy/modules/apps/vmware.te
> @@ -31,15 +31,15 @@ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
>   type vmware_host_pid_t alias vmware_var_run_t;
>   files_pid_file(vmware_host_pid_t)
>
> +# If vmware_host_t is a system service then why does this have to be ubac constrained?
>   type vmware_host_tmp_t;
>   files_tmp_file(vmware_host_tmp_t)
> -ubac_constrained(vmware_host_tmp_t)
>
> +# If vmware_host_t is a system service then why does this have to be ubac constrained?
>   type vmware_log_t;
>   typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
>   typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
>   logging_log_file(vmware_log_t)
> -ubac_constrained(vmware_log_t)
>
>   type vmware_pid_t;
>   typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
> @@ -54,8 +54,7 @@ files_type(vmware_sys_conf_t)
>   type vmware_tmp_t;
>   typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
>   typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
> -files_tmp_file(vmware_tmp_t)
> -ubac_constrained(vmware_tmp_t)
> +userdom_user_tmp_content(vmware_t, vmware_tmp_t)
>
>   type vmware_tmpfs_t;
>   typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
> diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
> index 8af45db..2835bec 100644
> --- a/policy/modules/apps/wine.te
> +++ b/policy/modules/apps/wine.te
> @@ -12,8 +12,7 @@ ubac_constrained(wine_t)
>   role system_r types wine_t;
>
>   type wine_tmp_t;
> -files_tmp_file(wine_tmp_t)
> -ubac_constrained(wine_tmp_t)
> +userdom_user_tmp_content(wine_t, wine_tmp_t)
>
>   ########################################
>   #
> diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
> index 31bbf17..ca29f80 100644
> --- a/policy/modules/apps/wireshark.te
> +++ b/policy/modules/apps/wireshark.te
> @@ -20,8 +20,7 @@ userdom_user_home_content(wireshark_home_t)
>   type wireshark_tmp_t;
>   typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
>   typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
> -files_tmp_file(wireshark_tmp_t)
> -ubac_constrained(wireshark_tmp_t)
> +userdom_user_tmp_content(wireshark_t, wireshark_tmp_t)
>
>   type wireshark_tmpfs_t;
>   typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
> index 215b86b..1d6ddf2 100644
> --- a/policy/modules/services/bluetooth.te
> +++ b/policy/modules/services/bluetooth.te
> @@ -24,8 +24,7 @@ ubac_constrained(bluetooth_helper_t)
>   type bluetooth_helper_tmp_t;
>   typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
>   typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
> -files_tmp_file(bluetooth_helper_tmp_t)
> -ubac_constrained(bluetooth_helper_tmp_t)
> +userdom_user_tmp_content(bluetooth_helper_t, bluetooth_helper_tmp_t)
>
>   type bluetooth_helper_tmpfs_t;
>   typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
> diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
> index 44caccc..80c88c1 100644
> --- a/policy/modules/services/cron.if
> +++ b/policy/modules/services/cron.if
> @@ -22,7 +22,7 @@ template(`cron_common_crontab_template',`
>   	ubac_constrained($1_t)
>
>   	type $1_tmp_t;
> -	files_tmp_file($1_tmp_t)
> +	userdom_user_tmp_content($1_t, $1_tmp_t)
>
>   	##############################
>   	#
> diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
> index d76131b..054d8b3 100644
> --- a/policy/modules/services/dbus.if
> +++ b/policy/modules/services/dbus.if
> @@ -57,6 +57,8 @@ template(`dbus_role_template',`
>   	ubac_constrained($1_dbusd_t)
>   	role $2 types $1_dbusd_t;
>
> +	userdom_user_tmp_content($1_dbusd_t, session_dbusd_tmp_t)
> +
>   	##############################
>   	#
>   	# Local policy
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b738e94..319e41e 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -22,8 +22,6 @@ typealias dbusd_exec_t alias system_dbusd_exec_t;
>   type session_dbusd_tmp_t;
>   typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
>   typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
> -files_tmp_file(session_dbusd_tmp_t)
> -ubac_constrained(session_dbusd_tmp_t)
>
>   type system_dbusd_t;
>   init_system_domain(system_dbusd_t, dbusd_exec_t)
> diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
> index 93c14ca..a2c91f2 100644
> --- a/policy/modules/services/lpd.te
> +++ b/policy/modules/services/lpd.te
> @@ -40,8 +40,7 @@ ubac_constrained(lpr_t)
>   type lpr_tmp_t;
>   typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
>   typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
> -files_tmp_file(lpr_tmp_t)
> -ubac_constrained(lpr_tmp_t)
> +userdom_user_tmp_content(lpr_t, lpr_tmp_t)
>
>   # Type for spool files.
>   type print_spool_t;
> diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
> index c57356a..9d3ef86 100644
> --- a/policy/modules/services/mta.if
> +++ b/policy/modules/services/mta.if
> @@ -52,9 +52,10 @@ template(`mta_base_mail_template',`
>
>   	type $1_mail_t, user_mail_domain;
>   	application_domain($1_mail_t, sendmail_exec_t)
> +	ubac_constrained($1_mail_t)
>
>   	type $1_mail_tmp_t;
> -	files_tmp_file($1_mail_tmp_t)
> +	userdom_user_tmp_content($1_mail_t, $1_mail_tmp_t)
>
>   	##############################
>   	#
> diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
> index 64268e4..b1111b2 100644
> --- a/policy/modules/services/mta.te
> +++ b/policy/modules/services/mta.te
> @@ -40,8 +40,6 @@ typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
>   typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
>   typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
>   typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
> -ubac_constrained(user_mail_t)
> -ubac_constrained(user_mail_tmp_t)
>
>   ########################################
>   #
> diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
> index cd683f9..2b30c50 100644
> --- a/policy/modules/services/pyzor.te
> +++ b/policy/modules/services/pyzor.te
> @@ -24,8 +24,7 @@ userdom_user_home_content(pyzor_home_t)
>   type pyzor_tmp_t;
>   typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
>   typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
> -files_tmp_file(pyzor_tmp_t)
> -ubac_constrained(pyzor_tmp_t)
> +userdom_user_tmp_content(pyzor_t, pyzor_tmp_t)
>
>   type pyzor_var_lib_t;
>   typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
> diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
> index e4ecbbd..ab30865 100644
> --- a/policy/modules/services/razor.te
> +++ b/policy/modules/services/razor.te
> @@ -22,8 +22,7 @@ logging_log_file(razor_log_t)
>   type razor_tmp_t;
>   typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
>   typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
> -files_tmp_file(razor_tmp_t)
> -ubac_constrained(razor_tmp_t)
> +userdom_user_tmp_content(razor_t, razor_tmp_t)
>
>   type razor_var_lib_t;
>   files_type(razor_var_lib_t)
> diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
> index b6a8919..6847a9b 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -34,8 +34,7 @@ userdom_user_home_content(spamassassin_home_t)
>   type spamassassin_tmp_t;
>   typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
>   typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
> -files_tmp_file(spamassassin_tmp_t)
> -ubac_constrained(spamassassin_tmp_t)
> +userdom_user_tmp_content(spamassassin_t, spamassassin_tmp_t)
>
>   type spamc_t;
>   type spamc_exec_t;
> @@ -47,8 +46,7 @@ ubac_constrained(spamc_t)
>   type spamc_tmp_t;
>   typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
>   typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
> -files_tmp_file(spamc_tmp_t)
> -ubac_constrained(spamc_tmp_t)
> +userdom_user_tmp_content(spamc_t, spamc_tmp_t)
>
>   type spamd_t;
>   type spamd_exec_t;
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index 567592d..ef3f32d 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -313,6 +313,8 @@ template(`ssh_role_template',`
>   	ubac_constrained($1_ssh_agent_t)
>   	role $2 types $1_ssh_agent_t;
>
> +	userdom_user_tmp_content($1_ssh_agent_t, ssh_agent_tmp_t)
> +
>   	##############################
>   	#
>   	# Local policy
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 2dad3c8..512834a 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -57,8 +57,6 @@ corecmd_executable_file(ssh_agent_exec_t)
>   type ssh_agent_tmp_t;
>   typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
>   typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
> -files_tmp_file(ssh_agent_tmp_t)
> -ubac_constrained(ssh_agent_tmp_t)
>
>   type ssh_keysign_t;
>   type ssh_keysign_exec_t;
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index d2b2626..f51b828 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -148,8 +148,7 @@ userdom_user_home_content(xauth_home_t)
>   type xauth_tmp_t;
>   typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
>   typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
> -files_tmp_file(xauth_tmp_t)
> -ubac_constrained(xauth_tmp_t)
> +userdom_user_tmp_content(xauth_t, xauth_tmp_t)
>
>   # this is not actually a device, its a pipe
>   type xconsole_device_t;
> @@ -199,8 +198,7 @@ ubac_constrained(xserver_t)
>   type xserver_tmp_t;
>   typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
>   typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
> -files_tmp_file(xserver_tmp_t)
> -ubac_constrained(xserver_tmp_t)
> +userdom_user_tmp_content(xserver_t, xserver_tmp_t)
>
>   type xserver_tmpfs_t;
>   typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index a3135e6..7d83ec3 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1286,6 +1286,30 @@ interface(`userdom_user_home_content',`
>
>   ########################################
>   ##<summary>
> +##	Make the specified type usable user
> +##	temporary content.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain using the user temporary
> +##	content.
> +##	</summary>
> +##</param>
> +##<param name="file_type">
> +##	<summary>
> +##	Type to be used for user temporary
> +##	content.
> +##	</summary>
> +##</param>
> +#
> +interface(`userdom_user_tmp_content',`
> +	files_tmp_file($2)
> +	files_poly_member_tmp($1, $2)
> +	ubac_constrained($2)
> +')

Why do we have files_poly_member_tmp()?  I didn't see any places where 
it was removed above.

> +########################################
> +##<summary>
>   ##	Allow domain to attach to TUN devices created by administrative users.
>   ##</summary>
>   ##<param name="domain">
> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> index 69b2e0f..5dcefd4 100644
> --- a/policy/modules/system/userdomain.te
> +++ b/policy/modules/system/userdomain.te
> @@ -87,6 +87,7 @@ ubac_constrained(user_devpts_t)
>   type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
>   typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
>   files_tmp_file(user_tmp_t)
> +# Consider removing this
>   userdom_user_home_content(user_tmp_t)
>
>   type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com