From: jason@perfinion.com (Jason Zaman)
Date: Sat, 28 May 2016 00:57:33 +0800
Subject: [refpolicy] [PATCH 4/4 v2] userdomain: introduce interfaces for user runtime
In-Reply-To: <1464330186-19174-4-git-send-email-jason@perfinion.com>
References: <1464330186-19174-4-git-send-email-jason@perfinion.com>
Message-ID: <1464368253-16518-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
 policy/modules/system/userdomain.if | 139 ++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index a1367a4..cf6e0ec 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
 manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
 manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
 files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
 ')
 
 #######################################
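Review bot: The added `userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })` call passes no object name, so anything of those classes that the user domain creates directly in its runtime directory is labelled `user_tmp_t`, the same type the `files_tmp_filetrans` line above assigns. That includes `sock_file`, so sockets created in the runtime directory would presumably become reachable by any domain already allowed to use `user_tmp_t` sockets; it is worth confirming that sharing the type is intended rather than a dedicated runtime type. If it is intended, say so next to the call, for example `# user runtime dir content created by the user domain shares user_tmp_t with the tmp dir`, and extend the interface summary to mention the runtime directory. `userdom_manage_tmp_role` starts above the hunk, so its summary is not visible here.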
@@ -2724,6 +2725,144 @@ interface(`userdom_search_user_runtime',`
 
 ########################################
 ##
+## Create, read, write, and delete user
+## runtime root dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ manage_dirs_pattern($1, user_runtime_root_t, user_runtime_root_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## Mount a filesystem on user runtime root
+## directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_mounton_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { search_dir_perms mounton };
+ files_search_pids($1)
+')
+
+########################################
+##
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+##
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+ allow $1 user_runtime_root_t:dir search_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+##
 ## Read and write user tmpfs files.
 ##
 ##
-- 
2.7.3
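Review bot: `userdom_mounton_user_runtime_root` grants `mounton` on `user_runtime_root_t`, and its summary does not say which callers are expected or why the root type is the mount point. Judging from `userdom_user_runtime_dir_filetrans`, which searches `user_runtime_root_t` to reach `user_runtime_dir_t`, this type appears to label the parent of the per-user runtime directories, so a mount there would cover every user's directory beneath it. The interface deserves a description marking it as privileged, e.g. `##	Only the domain that sets up user runtime directories should be granted this.` If the intended mount point is the per-user directory, confirm which label it carries at mount time and whether the rule should name `user_runtime_dir_t` instead. `userdom_manage_user_runtime_root_dirs` in the same hunk would benefit from the same caller note.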