From: jason@perfinion.com (Jason Zaman) Date: Sat, 28 May 2016 04:35:26 +0800 Subject: [refpolicy] [PATCH v3 4/4] userdomain: introduce interfaces for user runtime In-Reply-To: <1464381326-24198-1-git-send-email-jason@perfinion.com> References: <1464381326-24198-1-git-send-email-jason@perfinion.com> Message-ID: <1464381326-24198-4-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com --- policy/modules/system/userdomain.if | 206 ++++++++++++++++++++++++++++++++++++ 1 file changed, 206 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 2528ee3..d6296a8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file }) ') ####################################### 
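Review bot: The documentation of `userdom_manage_tmp_role` should mention that the interface now also installs a type transition in the user runtime directory, because the added `userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })` call makes user_tmp_t the default label for every object of those classes that the domain creates there. A summary line such as `## and create them in the user runtime directory with the user temporary type` would cover it. The call passes no name argument, so the transition is unconditional; a domain that needs a private type for its runtime sockets or files presumably has to add its own more specific transition through `userdom_user_runtime_dir_filetrans`, and the description is a good place to say so. The interface starts outside this hunk, so its existing summary is not visible here.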
@@ -2742,6 +2743,211 @@ interface(`userdom_search_user_runtime_root_dirs',` ######################################## ## +## Create, read, write, and delete user +## runtime root dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_runtime_root_dirs',` + gen_require(` + type user_runtime_root_t; + ') + + allow $1 user_runtime_root_t:dir manage_dir_perms; + files_search_pids($1) +') + +######################################## +## +## Create, read, write, and delete user +## runtime dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_runtime_dirs',` + gen_require(` + type user_runtime_dir_t; + ') + + allow $1 user_runtime_dir_t:dir manage_dir_perms; + userdom_search_user_runtime_root_dirs($1) +') + +######################################## +## +## Mount a filesystem on user runtime dir +## directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_mounton_user_runtime_dirs',` + gen_require(` + type user_runtime_dir_t; + ') + + allow $1 user_runtime_dir_t:dir mounton; +') + +######################################## +## +## Relabel to user runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabelto_user_runtime_dirs',` + gen_require(` + type user_runtime_dir_t; + ') + + allow $1 user_runtime_dir_t:dir relabelto; +') + +######################################## +## +## Create objects in the pid directory +## with an automatic type transition to +## the user runtime root type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. 
+## +## +# +interface(`userdom_pid_filetrans_user_runtime_root',` + gen_require(` + type user_runtime_root_t; + ') + + files_pid_filetrans($1, user_runtime_root_t, $2, $3) +') + +######################################## +## +## Create objects in a user runtime +## directory with an automatic type +## transition to a specified private +## type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_user_runtime_dir_filetrans',` + gen_require(` + type user_runtime_root_t, user_runtime_dir_t; + ') + + filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4) + userdom_search_user_runtime_root_dirs($1) +') + +######################################## +## +## Create objects in the user runtime directory +## with an automatic type transition to +## the user temporary type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_user_runtime_dir_filetrans_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3) +') + +######################################## +## +## Create objects in the user runtime root +## directory with an automatic type transition +## to the user runtime dir type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_user_runtime_root_filetrans_user_runtime_dirs',` + gen_require(` + type user_runtime_root_t, user_runtime_dir_t; + ') + + filetrans_pattern($1, user_runtime_root_t, user_runtime_dir_t, $2, $3) + files_search_pids($1) +') + +######################################## +## ## Read and write user tmpfs files. ## ## -- 2.7.3
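Review bot: `userdom_user_runtime_dir_filetrans` lists `user_runtime_root_t` in its `gen_require` but never references it, since search access to the root comes from the `userdom_search_user_runtime_root_dirs($1)` call; the require can be reduced to `type user_runtime_dir_t;`. Separately, `userdom_mounton_user_runtime_dirs` and `userdom_relabelto_user_runtime_dirs` grant a single permission each and, unlike the manage and filetrans interfaces, no search of the runtime root or the pid directory. If that is deliberate, a line in their descriptions such as `## Callers must obtain search access to the user runtime root separately.` would keep policy writers from widening access to compensate. Both permissions are sensitive on a per-user directory, so the summaries would also benefit from saying which kind of domain is expected to call them.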