From: jason@perfinion.com (Jason Zaman) Date: Fri, 27 May 2016 14:23:04 +0800 Subject: [refpolicy] [PATCH 2/4] userdomain: Introduce types for /run/user In-Reply-To: <1464330186-19174-1-git-send-email-jason@perfinion.com> References: <1464330186-19174-1-git-send-email-jason@perfinion.com> Message-ID: <1464330186-19174-2-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com These are the types for /run/user, analogous to /home's home_root_t and home_dir_t. --- policy/modules/system/userdomain.fc | 4 ++++ policy/modules/system/userdomain.te | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..30708ca 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -2,3 +2,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) + +/var/run/user -d gen_context(system_u:object_r:user_runtime_root_t,s0) +/var/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_dir_t,s0) +/var/run/user/%{USERID}/.+ <> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 2a36851..c613553 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -93,3 +93,23 @@ userdom_user_home_content(user_tmpfs_t) type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + +type user_runtime_root_t; +fs_associate_tmpfs(user_runtime_root_t) +files_type(user_runtime_root_t) +files_mountpoint(user_runtime_root_t) +files_associate_tmp(user_runtime_root_t) +files_poly(user_runtime_root_t) +files_poly_member(user_runtime_root_t) +files_poly_parent(user_runtime_root_t) +ubac_constrained(user_runtime_root_t) + +type user_runtime_dir_t; +fs_associate_tmpfs(user_runtime_dir_t) +files_type(user_runtime_dir_t) +files_mountpoint(user_runtime_dir_t) +files_associate_tmp(user_runtime_dir_t) +files_poly(user_runtime_dir_t) +files_poly_member(user_runtime_dir_t) +files_poly_parent(user_runtime_dir_t) +ubac_constrained(user_runtime_dir_t) -- 2.7.3