From: dominick.grift@gmail.com (Dominick Grift) Date: Sat, 9 Nov 2013 10:45:04 +0100 Subject: [refpolicy] [PATCH 23/39] Initial local_home_t implementation In-Reply-To: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> Message-ID: <1383990320-3340-23-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This was discussed on the maillist. It was decided to make this part of the user domain since Python also uses local_home_t This is part of implementation of X Desktop Group specification support Signed-off-by: Dominick Grift --- policy/modules/system/userdomain.fc | 1 + policy/modules/system/userdomain.if | 190 ++++++++++++++++++++++++++++++++---- policy/modules/system/userdomain.te | 3 + 3 files changed, 175 insertions(+), 19 deletions(-) diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..ec5c90a 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,4 +1,5 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:local_home_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 06d8db1..189f786 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -147,7 +147,7 @@ template(`userdom_base_user_template',` # interface(`userdom_ro_home_role',` gen_require(` - type user_home_t, user_home_dir_t; + type user_home_t, user_home_dir_t, local_home_t; ') ############################## 
@@ -159,12 +159,12 @@ interface(`userdom_ro_home_role',` # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; - allow $2 user_home_t:dir list_dir_perms; - allow $2 user_home_t:file entrypoint; - read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + allow $2 { local_home_t user_home_t }:dir list_dir_perms; + allow $2 ( local_home_t user_home_t }:file entrypoint; + read_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t }) + read_lnk_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t }) + read_fifo_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t }) + read_sock_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t }) files_list_home($2) tunable_policy(`use_nfs_home_dirs',` @@ -218,7 +218,7 @@ interface(`userdom_ro_home_role',` # interface(`userdom_manage_home_role',` gen_require(` - type user_home_t, user_home_dir_t; + type user_home_t, user_home_dir_t, local_home_t; ') ############################## 
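Review bot: The new entrypoint rule in userdom_ro_home_role has a syntax error, `allow $2 ( local_home_t user_home_t }:file entrypoint;`, where the type set opens with `(` instead of `{`; the policy will not build until the line reads `allow $2 { local_home_t user_home_t }:file entrypoint;`. Every other new line in the hunk spells the target set as `{ local_home_t user_home_t }`, so this looks like a typo rather than intent. Note that the rule extends the entrypoint permission user_home_t already had to local_home_t, i.e. files under `~/.local` become valid domain entrypoints for the role's user domains on the same footing as the rest of the home directory. The body of userdom_ro_home_role continues past the hunk (the use_nfs_home_dirs tunable block is cut off).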
@@ -229,18 +229,19 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory - allow $2 user_home_t:file entrypoint; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + allow $2 { local_home_t user_home_t }:file entrypoint; + manage_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + manage_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + manage_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + manage_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + manage_fifo_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + relabel_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + relabel_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + relabel_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + relabel_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) + relabel_fifo_files_pattern($2, { 
local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t }) filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + filetrans_pattern($2, user_home_t, local_home_t, dir, ".local") files_list_home($2) # cjp: this should probably be removed: 
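Review bot: The new named transition `filetrans_pattern($2, user_home_t, local_home_t, dir, ".local")` uses user_home_t as the parent, but the .fc entry in this same patch labels `HOME_DIR/\.local(/.*)?`, and HOME_DIR itself is labeled user_home_dir_t. As written, a user domain creating `~/.local` at runtime gets user_home_t from the generic `filetrans_pattern($2, user_home_dir_t, user_home_t, ...)` on the line above, while a `.local` directory created anywhere deeper in the home tree gets local_home_t, so runtime labels and restorecon would disagree in both directions. Unless the intent really is to label `.local` directories at any depth, the parent should be `filetrans_pattern($2, user_home_dir_t, local_home_t, dir, ".local")`. The enclosing userdom_manage_home_role continues outside the hunk.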
@@ -2200,6 +2201,157 @@ interface(`userdom_manage_user_home_content_sockets',` ######################################## ## +## Create generic local home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_create_generic_local_home_dirs',` + gen_require(` + type local_home_t; + ') + + allow $1 local_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic local home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_generic_local_home_content',` + gen_require(` + type local_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 local_home_t:dir list_dir_perms; + allow $1 local_home_t:file read_file_perms; + allow $1 local_home_t:fifo_file read_fifo_file_perms; + allow $1 local_home_t:lnk_file read_lnk_file_perms; + allow $1 local_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic local home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_generic_local_home_content',` + gen_require(` + type local_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 local_home_t:dir manage_dir_perms; + allow $1 local_home_t:file manage_file_perms; + allow $1 local_home_t:fifo_file manage_fifo_file_perms; + allow $1 local_home_t:lnk_file manage_lnk_file_perms; + allow $1 local_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic local home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_search_generic_local_home',` + gen_require(` + type local_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 local_home_t:dir search_dir_perms; +') + +######################################## +## +## Create specified objects in generic +## local home directories with an automatic +## type transition to a specified private type. 
+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_local_home_filetrans',` + gen_require(` + type local_home_t; + ') + + filetrans_pattern($1, local_home_t, $2, $3, $4) + userdom_search_user_home_content($1) +') + +######################################## +## +## Create specified objects in generic user +## home content directories with an automatic +## type transition to the generic local +## home file type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_user_home_content_filetrans_local_home',` + gen_require(` + type user_home_t, local_home_t; + ') + + userdom_user_home_content_filetrans($1, local_home_t, $2, $3) +') + +######################################## +## ## Create objects in a user home directory ## with an automatic type transition to ## a specified private type. diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index f4ac38d..d657ea7 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -58,6 +58,9 @@ attribute unpriv_userdomain; attribute user_home_content_type; +type local_home_t; +userdom_user_home_content(local_home_t) + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -- 1.8.3.1
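Review bot: `userdom_user_home_content_filetrans_local_home` requires `type user_home_t, local_home_t;` but its body only references local_home_t, so the gen_require should be trimmed to `type local_home_t;` (the called userdom_user_home_content_filetrans presumably requires user_home_t on its own). Separately, `userdom_local_home_filetrans` calls `userdom_search_user_home_content($1)` whereas the other new interfaces in this hunk pair their local_home_t rules with `userdom_search_user_home_dirs($1)`; since the .fc entry places local_home_t directly under HOME_DIR, search on user_home_dir_t is what reaches it, and the content variant likely grants search over user_home_t as well, which is broader than this interface needs. Suggest `userdom_search_user_home_dirs($1)` there, placed before the filetrans_pattern call as in the sibling interfaces.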