From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Sep 2017 08:40:51 +0200
Subject: [refpolicy] [PATCH 2/4] userdomain: Add various interfaces granting
the map permission
In-Reply-To: <20170911064053.6831-1-aranea@aixah.de>
References: <20170911064053.6831-1-aranea@aixah.de>
Message-ID: <20170911064053.6831-2-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
policy/modules/system/userdomain.if | 54 +++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 06783cfe..78e821eb 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1891,6 +1891,24 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
dontaudit $1 user_home_t:file setattr_file_perms;
')
+########################################
+##
+## Map user home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_map_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file map;
+')
+
########################################
##
## Mmap user home files.
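Review bot: The summary `Map user home files.` on `userdom_map_user_home_content_files` differs by one letter from the `Mmap user home files.` summary of the interface that follows it at the end of this hunk, so a policy author cannot tell which one to call. The new interface grants only `map` on `user_home_t:file`, with no open, read or execute, and the summary should say so, for example `## Allow the domain to memory-map user home content files (map permission only; pair with a read or write interface).` The body of the following Mmap interface is outside the hunk, so what it grants cannot be compared here. The same wording applies to the summaries added for `user_tmp_t` and `user_tmpfs_t` in the next two hunks.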
@@ -2516,6 +2534,24 @@ interface(`userdom_read_user_tmp_files',`
userdom_search_user_runtime($1)
')
+########################################
+##
+## Map user temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_map_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file map;
+')
+
########################################
##
## Do not audit attempts to read users
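Review bot: The documentation block for `userdom_map_user_tmp_files` does not say why `map` is granted separately from read or write, which a caller needs to know for a type that users can write to. As far as I know from kernel behaviour (not visible in this hunk), SELinux does not recheck accesses made through an established mapping, so a later relabel or policy change does not cut them off. I would add a description line such as `## Access through an existing mapping is not revalidated; grant only to domains that must mmap these files.` The same caveat fits `userdom_map_user_tmpfs_files` in the last hunk, where `allow $1 user_tmpfs_t:file map;` covers shared-memory files.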
@@ -2787,6 +2823,24 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
+########################################
+##
+## Map user tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_map_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file map;
+')
+
########################################
##
## Read user tmpfs files.
--
2.14.1