From: dsugar@tresys.com (David Sugar)
Date: Fri, 8 Dec 2017 13:01:34 +0000
Subject: [refpolicy] [PATCH 1/3] Make an attribute for objects in /run/user/%(UID)/*
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Setup attribute user_runtime_content_type in userdomain for files in /run/user/%(UID)/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.
Signed-off-by: Dave Sugar
---
 policy/modules/system/userdomain.if | 126 ++++++++++++++++++++++++++++++++++--
 policy/modules/system/userdomain.te | 4 ++
 2 files changed, 125 insertions(+), 5 deletions(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b2105d12..aae6545e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
 ########################################
 ##
+## Make the specified type usable in
+## the directory /run/user/$(UID)/.
+##
+##
+##
+## Type to be used as a file in the
+## user_runtime_content_dir_t.
+##
+##
+#
+interface(`userdom_user_runtime_content',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ typeattribute $1 user_runtime_content_type;
+ files_type($1)
+ ubac_constrained($1)
+')
+
+########################################
+##
 ## Search users runtime directories.
 ##
 ##
@@ -2943,10 +2965,10 @@ interface(`userdom_relabel_user_tmpfs_files',`
 #
 interface(`userdom_search_user_runtime',`
 gen_require(`
- type user_runtime_t;
+ attribute user_runtime_content_type;
 ')
- allow $1 user_runtime_t:dir search_dir_perms;
+ allow $1 user_runtime_content_type:dir search_dir_perms;
 userdom_search_user_runtime_root($1)
 ')
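Review bot: The parameter description of `userdom_user_runtime_content` refers to `user_runtime_content_dir_t`, a type that is not declared anywhere in this patch; the attribute being assigned is `user_runtime_content_type` and the only type that receives it is `user_runtime_t` (userdomain.te, last hunk). Suggest replacing the two description lines with `## Type to be used for files, directories, sockets or pipes` / `## under /run/user/$(UID)/ (labelled user_runtime_t).` so the doc matches the names that exist. The summary should also mention that the interface applies `files_type` and `ubac_constrained` to the type, since a caller passing a type that must not be UBAC-constrained would otherwise not expect that side effect.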
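Review bot: `userdom_search_user_runtime` now grants `search_dir_perms` on the whole `user_runtime_content_type` attribute instead of on `user_runtime_t` alone, so every existing caller silently gains search on any type that is later given the attribute by `userdom_user_runtime_content`. With this patch only `user_runtime_t` carries the attribute, so the compiled policy is presumably unchanged today, but the widening is not reflected in the interface summary. Suggest adding `## Covers every type with the user_runtime_content_type attribute.` under `## Search users runtime directories.`; the same remark applies to `userdom_delete_user_runtime_files` in the fourth hunk, which makes the identical type-to-attribute switch.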
@@ -3084,6 +3106,43 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`
 ########################################
 ##
+## List user runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_list_user_runtime',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ userdom_search_user_runtime($1)
+')
+
+########################################
+##
+## delete user runtime directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_user_runtime_dirs',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
+')
+
+########################################
+##
 ## delete user runtime files
 ##
 ##
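Review bot: `userdom_delete_user_runtime_dirs` grants more than its summary `delete user runtime directories` says: besides `delete_dir_perms` it adds `del_entry_dir_perms` on every `user_runtime_content_type` directory, which in refpolicy's permission sets includes `write` and `remove_name` on the directory itself, i.e. the ability to remove any entry, not just to rmdir an empty subdirectory. That is probably intended, since parent and child directories share the type, but a caller auditing the rule cannot tell from the name. Suggest `## Delete user runtime directories, including removing` / `## entries from them.` as the summary. The two new summaries in this hunk also differ in style (`List user runtime directories.` with capital and period, `delete user runtime directories` without); the file's existing interfaces use the capitalised form.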
@@ -3094,11 +3153,68 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`
 #
 interface(`userdom_delete_user_runtime_files',`
 gen_require(`
- type user_runtime_t;
+ attribute user_runtime_content_type;
 ')
- allow $1 user_runtime_t:dir list_dir_perms;
- allow $1 user_runtime_t:file unlink;
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_file_perms;
+')
+
+########################################
+##
+## delete user runtime symlink files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_user_runtime_link_files',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
+')
+
+########################################
+##
+## delete user runtime fifo files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_user_runtime_pipes',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+##
+## delete user runtime socket files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_delete_user_runtime_sock_files',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_sock_file_perms;
 ')
 ########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8abd6dbe..021bd981 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
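Review bot: Two of the new interfaces name the wrong object class, so they do not grant what their names and permission sets describe: `userdom_delete_user_runtime_link_files` applies `delete_lnk_file_perms` to `fifo_file`, and `userdom_delete_user_runtime_sock_files` applies `delete_sock_file_perms` to `file`. Both rules will most likely compile, because `getattr` and `unlink` exist on every file class, so the mistake only shows up at runtime as an AVC denial on the symlink or socket while the caller is silently handed unlink on pipes or regular files instead. The lines should read `allow $1 user_runtime_content_type:lnk_file delete_lnk_file_perms;` and `allow $1 user_runtime_content_type:sock_file delete_sock_file_perms;`. A quick scan for the class name matching the `delete_*_file_perms` set would catch this across the four delete interfaces, which otherwise follow the same template.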
@@ -75,6 +75,9 @@ attribute unpriv_userdomain;
 attribute user_home_content_type;
+# dirs/files/etc created in /run/user/$(UID)/
+attribute user_runtime_content_type;
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
@@ -128,3 +131,4 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+userdom_user_runtime_content(user_runtime_t)
--
2.13.6
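Review bot: `userdom_user_runtime_content(user_runtime_t)` re-applies `ubac_constrained` (and, per the interface body, `files_type`) to `user_runtime_t`, so the explicit `ubac_constrained(user_runtime_t)` on the line directly above becomes redundant; duplicate attribute assignment is harmless to the compiler, but two sources of truth for the same type invite drift if the interface is later changed. Either drop the explicit call or keep it with a comment such as `# attribute, files_type and ubac_constrained also come from userdom_user_runtime_content()` so the next reader knows the overlap is deliberate. The earlier `files_type(user_runtime_t)` presumably sits above this hunk and is not visible here; the run of user_runtime_t declarations starts before the hunk.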