From: jason@perfinion.com (Jason Zaman)
Date: Fri, 27 May 2016 14:23:06 +0800
Subject: [refpolicy] [PATCH 4/4] userdomain: filetrans interfaces for
user_runtime
In-Reply-To: <1464330186-19174-1-git-send-email-jason@perfinion.com>
References: <1464330186-19174-1-git-send-email-jason@perfinion.com>
Message-ID: <1464330186-19174-4-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
policy/modules/system/userdomain.if | 99 +++++++++++++++++++++++++++++++++++++
1 file changed, 99 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 54c63b0..453bfd9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
')
#######################################
@@ -2727,6 +2728,104 @@ interface(`userdom_read_user_tmpfs_files',`
########################################
##
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+##
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+##
## Read and write user tmpfs files.
##
##
--
2.7.3