From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 27 May 2016 10:23:41 -0400
Subject: [refpolicy] [PATCH 3/4] userdomain: user_tmp requires searching /run/user
In-Reply-To: <1464330186-19174-3-git-send-email-jason@perfinion.com>
References: <1464330186-19174-1-git-send-email-jason@perfinion.com> <1464330186-19174-3-git-send-email-jason@perfinion.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 5/27/2016 2:23 AM, Jason Zaman wrote:
> ---
> policy/modules/system/userdomain.if | 60 +++++++++++++++++++++++++++++--------
> 1 file changed, 48 insertions(+), 12 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index d604147..54c63b0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -313,11 +313,14 @@ interface(`userdom_manage_tmp_role',`
> #
> interface(`userdom_exec_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> exec_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
Since this repeats a bunch below, why not add a userdom_search_user_runtime() which allows the search on the two dir types?
> #######################################
> @@ -2322,11 +2325,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
> #
> interface(`userdom_write_user_tmp_sockets',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> allow $1 user_tmp_t:sock_file write_sock_file_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
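Review bot: The rules added to `userdom_exec_user_tmp_files` widen what every caller of a user_tmp interface receives (search on `user_runtime_root_t` and `user_runtime_dir_t`, plus whatever `files_search_pids` grants), yet nothing in the code records why a tmp interface now touches the runtime directories. A short comment above the added lines, such as `# user_tmp_t content is reached through /run/user, so callers must be able to search it`, would carry the reason given in the subject line into the policy source. The interface summaries sit outside these hunks; if they still describe only user temporary files, they should mention the extra directory access so that someone auditing a confined domain that calls one of these interfaces sees the full grant. The same applies to the other interfaces changed in this patch, from `userdom_write_user_tmp_sockets` through `userdom_user_tmp_filetrans`.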
> @@ -2341,11 +2347,14 @@ interface(`userdom_write_user_tmp_sockets',`
> #
> interface(`userdom_list_user_tmp',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> allow $1 user_tmp_t:dir list_dir_perms;
> + allow $1 user_runtime_dir_t:dir list_dir_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2398,12 +2407,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
> #
> interface(`userdom_read_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> read_files_pattern($1, user_tmp_t, user_tmp_t)
> allow $1 user_tmp_t:dir list_dir_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2456,12 +2468,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
> #
> interface(`userdom_rw_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> allow $1 user_tmp_t:dir list_dir_perms;
> rw_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
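Review bot: In `userdom_list_user_tmp` the added rule `allow $1 user_runtime_dir_t:dir list_dir_perms;` lets every caller list the per-user runtime directory, whereas the subject line and every other hunk in this patch add only `search_dir_perms` on that type. If the aim is only to let callers reach `user_tmp_t` entries beneath it, `allow $1 user_runtime_dir_t:dir search_dir_perms;` would presumably be enough and would keep callers from enumerating whatever else sits in that directory. If listing is intended here, a one-line comment saying why this interface differs from the others would make the wider grant deliberate rather than accidental.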
> @@ -2495,12 +2510,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
> #
> interface(`userdom_read_user_tmp_symlinks',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
> allow $1 user_tmp_t:dir list_dir_perms;
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2516,11 +2534,14 @@ interface(`userdom_read_user_tmp_symlinks',`
> #
> interface(`userdom_manage_user_tmp_dirs',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2536,11 +2557,14 @@ interface(`userdom_manage_user_tmp_dirs',`
> #
> interface(`userdom_manage_user_tmp_files',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2556,11 +2580,14 @@ interface(`userdom_manage_user_tmp_files',`
> #
> interface(`userdom_manage_user_tmp_symlinks',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2576,11 +2603,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
> #
> interface(`userdom_manage_user_tmp_pipes',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2596,11 +2626,14 @@ interface(`userdom_manage_user_tmp_pipes',`
> #
> interface(`userdom_manage_user_tmp_sockets',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> @@ -2632,11 +2665,14 @@ interface(`userdom_manage_user_tmp_sockets',`
> #
> interface(`userdom_user_tmp_filetrans',`
> gen_require(`
> - type user_tmp_t;
> + type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
> ')
>
> filetrans_pattern($1, user_tmp_t, $2, $3, $4)
> files_search_tmp($1)
> + allow $1 user_runtime_dir_t:dir search_dir_perms;
> + allow $1 user_runtime_root_t:dir search_dir_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com