From: jason@perfinion.com (Jason Zaman)
Date: Fri, 27 May 2016 14:23:05 +0800
Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching /run/user
In-Reply-To: <1464330186-19174-1-git-send-email-jason@perfinion.com>
References: <1464330186-19174-1-git-send-email-jason@perfinion.com>
Message-ID: <1464330186-19174-3-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

---
 policy/modules/system/userdomain.if | 60 +++++++++++++++++++++++++++++--------
 1 file changed, 48 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d604147..54c63b0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -313,11 +313,14 @@ interface(`userdom_manage_tmp_role',`
 #
 interface(`userdom_exec_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 exec_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 #######################################
@@ -2322,11 +2325,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
 #
 interface(`userdom_write_user_tmp_sockets',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 allow $1 user_tmp_t:sock_file write_sock_file_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
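Review bot: The three added lines `allow $1 user_runtime_dir_t:dir search_dir_perms;`, `allow $1 user_runtime_root_t:dir search_dir_perms;` and `files_search_pids($1)` are pasted into userdom_exec_user_tmp_files and into ten of the other eleven hunks of this patch, so the grant cannot be audited or tightened in one place. Every existing caller of these user_tmp interfaces also gains traversal of both user runtime directory types plus whatever files_search_pids allows, while the interface summary comments (outside the hunks) presumably still describe only user temporary files. Consider moving the three lines, together with the gen_require for the two runtime types, into a single helper interface that each user_tmp interface calls. Each summary should also state the added access, for example `Also allows searching the user runtime directories.`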
@@ -2341,11 +2347,14 @@ interface(`userdom_write_user_tmp_sockets',`
 #
 interface(`userdom_list_user_tmp',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 allow $1 user_tmp_t:dir list_dir_perms;
+ allow $1 user_runtime_dir_t:dir list_dir_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2398,12 +2407,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 read_files_pattern($1, user_tmp_t, user_tmp_t)
 allow $1 user_tmp_t:dir list_dir_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2456,12 +2468,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
 #
 interface(`userdom_rw_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 allow $1 user_tmp_t:dir list_dir_perms;
 rw_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2495,12 +2510,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
 #
 interface(`userdom_read_user_tmp_symlinks',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 allow $1 user_tmp_t:dir list_dir_perms;
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
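Review bot: The added `allow $1 user_runtime_dir_t:dir list_dir_perms;` in userdom_list_user_tmp grants more than the search access named in the subject line and used in every other hunk, because callers can now enumerate the entries of the user runtime directory rather than only traverse it. If listing is intended, the interface summary (outside this hunk) should say so. If traversal is enough, use `allow $1 user_runtime_dir_t:dir search_dir_perms;` as the other interfaces do. The line is also placed before `files_search_tmp($1)`, whereas the other hunks add their runtime-directory rules after it.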
@@ -2516,11 +2534,14 @@ interface(`userdom_read_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_dirs',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2536,11 +2557,14 @@ interface(`userdom_manage_user_tmp_dirs',`
 #
 interface(`userdom_manage_user_tmp_files',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 manage_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2556,11 +2580,14 @@ interface(`userdom_manage_user_tmp_files',`
 #
 interface(`userdom_manage_user_tmp_symlinks',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2576,11 +2603,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_pipes',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2596,11 +2626,14 @@ interface(`userdom_manage_user_tmp_pipes',`
 #
 interface(`userdom_manage_user_tmp_sockets',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
@@ -2632,11 +2665,14 @@ interface(`userdom_manage_user_tmp_sockets',`
 #
 interface(`userdom_user_tmp_filetrans',`
 gen_require(`
- type user_tmp_t;
+ type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 ')

 filetrans_pattern($1, user_tmp_t, $2, $3, $4)
 files_search_tmp($1)
+ allow $1 user_runtime_dir_t:dir search_dir_perms;
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
 ')

 ########################################
-- 
2.7.3