From: jason@perfinion.com (Jason Zaman)
Date: Sat, 28 May 2016 04:35:26 +0800
Subject: [refpolicy] [PATCH v3 4/4] userdomain: introduce interfaces for
user runtime
In-Reply-To: <1464381326-24198-1-git-send-email-jason@perfinion.com>
References: <1464381326-24198-1-git-send-email-jason@perfinion.com>
Message-ID: <1464381326-24198-4-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
policy/modules/system/userdomain.if | 206 ++++++++++++++++++++++++++++++++++++
1 file changed, 206 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2528ee3..d6296a8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
')
#######################################
@@ -2742,6 +2743,211 @@ interface(`userdom_search_user_runtime_root_dirs',`
########################################
##
+## Create, read, write, and delete user
+## runtime root dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir manage_dir_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## Create, read, write, and delete user
+## runtime dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir manage_dir_perms;
+ userdom_search_user_runtime_root_dirs($1)
+')
+
+########################################
+##
+## Mount a filesystem on user runtime dir
+## directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_mounton_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir mounton;
+')
+
+########################################
+##
+## Relabel to user runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_relabelto_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_dir_t;
+ ')
+
+ allow $1 user_runtime_dir_t:dir relabelto;
+')
+
+########################################
+##
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+##
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+ userdom_search_user_runtime_root_dirs($1)
+')
+
+########################################
+##
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+##
+## Create objects in the user runtime root
+## directory with an automatic type transition
+## to the user runtime dir type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_runtime_root_filetrans_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_root_t, user_runtime_dir_t;
+ ')
+
+ filetrans_pattern($1, user_runtime_root_t, user_runtime_dir_t, $2, $3)
+ files_search_pids($1)
+')
+
+########################################
+##
## Read and write user tmpfs files.
##
##
--
2.7.3