From: dsugar@tresys.com (David Sugar)
Date: Fri, 8 Dec 2017 13:01:34 +0000
Subject: [refpolicy] [PATCH 1/3] Make an attribute for objects in
	/run/user/%(UID)/*
Message-ID: <CO1PR15MB1032C24D5E70352E622EC148B9300@CO1PR15MB1032.namprd15.prod.outlook.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Setup attribute user_runtime_content_type in userdomain for files in /run/user/%(UID)/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/userdomain.if | 126 ++++++++++++++++++++++++++++++++++--
 policy/modules/system/userdomain.te |   4 ++
 2 files changed, 125 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b2105d12..aae6545e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable in 
+##	the directory /run/user/$(UID)/.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a file in the
+##	user_runtime_content_dir_t.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_content',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	typeattribute $1 user_runtime_content_type;
+	files_type($1)
+	ubac_constrained($1)
+')
+
+########################################
+## <summary>
 ##	Search users runtime directories.
 ## </summary>
 ## <param name="domain">
@@ -2943,10 +2965,10 @@ interface(`userdom_relabel_user_tmpfs_files',`
 #
 interface(`userdom_search_user_runtime',`
 	gen_require(`
-		type user_runtime_t;
+		attribute user_runtime_content_type;
 	')
 
-	allow $1 user_runtime_t:dir search_dir_perms;
+	allow $1 user_runtime_content_type:dir search_dir_perms;
 	userdom_search_user_runtime_root($1)
 ')
 
@@ -3084,6 +3106,43 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`
 
 ########################################
 ## <summary>
+##	List user runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_user_runtime',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+##	delete user runtime directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_dirs',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
+')
+
+########################################
+## <summary>
 ##	delete user runtime files
 ## </summary>
 ## <param name="domain">
@@ -3094,11 +3153,68 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`
 #
 interface(`userdom_delete_user_runtime_files',`
 	gen_require(`
-		type user_runtime_t;
+		attribute user_runtime_content_type;
 	')
 
-	allow $1 user_runtime_t:dir list_dir_perms;
-	allow $1 user_runtime_t:file unlink;
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime symlink files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_link_files',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime fifo files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_pipes',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_sock_files',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:file delete_sock_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8abd6dbe..021bd981 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -75,6 +75,9 @@ attribute unpriv_userdomain;
 
 attribute user_home_content_type;
 
+# dirs/files/etc created in /run/user/$(UID)/
+attribute user_runtime_content_type;
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
@@ -128,3 +131,4 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+userdom_user_runtime_content(user_runtime_t)
-- 
2.13.6