From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 27 May 2016 10:23:41 -0400
Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching
 /run/user
In-Reply-To: <1464330186-19174-3-git-send-email-jason@perfinion.com>
References: <1464330186-19174-1-git-send-email-jason@perfinion.com>
	<1464330186-19174-3-git-send-email-jason@perfinion.com>
Message-ID: <eeb99ca3-b775-414b-30d5-b7c5430eed7f@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/27/2016 2:23 AM, Jason Zaman wrote:
> ---
>  policy/modules/system/userdomain.if | 60 +++++++++++++++++++++++++++++--------
>  1 file changed, 48 insertions(+), 12 deletions(-)
> 
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d604147..54c63b0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -313,11 +313,14 @@ interface(`userdom_manage_tmp_role',`
>  #
>  interface(`userdom_exec_user_tmp_files',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')

Since this repeats a bunch below, why not add a
userdom_search_user_runtime() which allows the search on the two dir types?


>  #######################################
> @@ -2322,11 +2325,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
>  #
>  interface(`userdom_write_user_tmp_sockets',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	allow $1 user_tmp_t:sock_file write_sock_file_perms;
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2341,11 +2347,14 @@ interface(`userdom_write_user_tmp_sockets',`
>  #
>  interface(`userdom_list_user_tmp',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	allow $1 user_tmp_t:dir list_dir_perms;
> +	allow $1 user_runtime_dir_t:dir list_dir_perms;
>  	files_search_tmp($1)
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2398,12 +2407,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
>  #
>  interface(`userdom_read_user_tmp_files',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	read_files_pattern($1, user_tmp_t, user_tmp_t)
>  	allow $1 user_tmp_t:dir list_dir_perms;
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2456,12 +2468,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
>  #
>  interface(`userdom_rw_user_tmp_files',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	allow $1 user_tmp_t:dir list_dir_perms;
>  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2495,12 +2510,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
>  #
>  interface(`userdom_read_user_tmp_symlinks',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
>  	allow $1 user_tmp_t:dir list_dir_perms;
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2516,11 +2534,14 @@ interface(`userdom_read_user_tmp_symlinks',`
>  #
>  interface(`userdom_manage_user_tmp_dirs',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2536,11 +2557,14 @@ interface(`userdom_manage_user_tmp_dirs',`
>  #
>  interface(`userdom_manage_user_tmp_files',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	manage_files_pattern($1, user_tmp_t, user_tmp_t)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2556,11 +2580,14 @@ interface(`userdom_manage_user_tmp_files',`
>  #
>  interface(`userdom_manage_user_tmp_symlinks',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2576,11 +2603,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
>  #
>  interface(`userdom_manage_user_tmp_pipes',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2596,11 +2626,14 @@ interface(`userdom_manage_user_tmp_pipes',`
>  #
>  interface(`userdom_manage_user_tmp_sockets',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> @@ -2632,11 +2665,14 @@ interface(`userdom_manage_user_tmp_sockets',`
>  #
>  interface(`userdom_user_tmp_filetrans',`
>  	gen_require(`
> -		type user_tmp_t;
> +		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
>  	')
>  
>  	filetrans_pattern($1, user_tmp_t, $2, $3, $4)
>  	files_search_tmp($1)
> +	allow $1 user_runtime_dir_t:dir search_dir_perms;
> +	allow $1 user_runtime_root_t:dir search_dir_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com